Southern New Hampshire University, CYB 420 (Information Systems), Apr 3, 2024
Project One Milestone: Security Control Implementation Assessment
CYB 420
Adrienne Johnston
SNHU
Threat Assessment: People
The human factor can open gaping holes in any organization's security infrastructure, introducing risks large and small. People are arguably the largest threat to sound cyber operations, but their weaknesses are also the easiest to uncover and the most straightforward to correct. One example is a weak password policy, which gives a threat actor a realistic chance of gaining access to a system with minimal effort. Another is a staff that is unaware of social engineering techniques. From phishing email to physically tailgating an employee through a door, these simple abuses of trust can have catastrophic consequences for systems across the organization.
Threat Assessment: Process
A process is "the defined, repeatable, and improvable steps you document and train on to perform a function". Those functions are the key component of any organization's or system's successful operation, from the small corner store to the largest corporation. Without processes that run seamlessly, even the sturdiest organization will face calamitous consequences quickly. Examples of process failure are poor asset security and a weak update/patch policy, which leaves systems unstable and exposed to exploitation of known, unpatched vulnerabilities. Another is poor data backup practice, which can turn a simple operational nuisance into permanent loss of data.
Threat Assessment: Technology
The next link in the risk-domain chain, technology, is in my opinion the most complex of the three domains, because it executes the actions that let an organization function optimally. It comprises the tangible assets that can be manipulated, that usually work holistically with one another, and that are operated primarily by employees. Security cameras, locks, mantraps, alarms, and fire suppression fall within the technology domain; they are less specialized than some other assets but equally important. Perhaps the most recognized technology component, the workstation, is the backbone of any system and the preferred entry point for a well-trained threat actor. Physical controls and workstation controls work hand in hand to secure operations within an organization.
Implementation Approach: Introduction
It is important to keep in mind that whatever controls are implemented, they need to be able to evolve to meet the requirements of the organization's impending authorization as a government contractor. To assure the organization's ability to meet those unfolding needs, an onboarding and training team will be put in place to match employees' training levels to company goals.
Implementation Approach: People
Let us start with the employee side of the organization and how to level the playing field between the organization's agents and threat actors. A thoughtful and stringent password policy will be rolled out immediately by the on-site training team, taking its guidance from NIST SP 800-63B. It will involve the following:
Character length of 8 minimum to 64 maximum.
Screening of new passwords against a list of commonly used, expected, or compromised passwords.
No arbitrary periodic expiration: a password is changed only on evidence of compromise (NIST SP 800-63B advises against forced periodic changes, which push users toward predictable variations of the old password).
Well-rounded training of employees in the techniques and pitfalls of social engineering attacks such as:
Email phishing attempts
Shoulder surfing
Tailgating
Baiting
Scareware
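The password rules above can be enforced at the point where a user picks a password. The following PowerShell function is an added example written for this paper, not code from the original document or from NIST; it applies the SP 800-63B checks (NFKC normalization, 8 to 64 characters, a blocklist of compromised or common passwords, and rejection of context-specific words such as the user's own account name) and, deliberately, contains no expiration logic. The blocklist, the account name "ajohnston" and the context word "SNHU" are constructed for the example.

```powershell
# Added example: a NIST SP 800-63B style password screen. Not part of the original paper.

# Constructed stand-in for a breached/common-password list. In production this would be a
# large local list (or a k-anonymity lookup against a breach corpus), not a literal array.
$script:Blocklist = @('password', 'password1', 'qwerty123', 'letmein', 'welcome1', 'snhu2024')

function Test-PasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Candidate,
        [string]   $UserName     = '',    # reject passwords that contain the account name
        [string[]] $ContextWords = @()    # company name, product names, site name, etc.
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # 800-63B: normalize Unicode (NFKC) before measuring length or comparing to the blocklist,
    # so the same visible password is judged the same way however it was typed.
    $norm = $Candidate.Normalize([System.Text.NormalizationForm]::FormKC)
    # Count user-perceived characters, so an emoji or a base letter plus accent is one character.
    $length = [System.Globalization.StringInfo]::new($norm).LengthInTextElements

    if ($length -lt 8)  { $reasons.Add("too short ($length characters; minimum 8)") }
    if ($length -gt 64) { $reasons.Add("too long ($length characters; maximum 64)") }

    $lower = $norm.ToLowerInvariant()
    if ($script:Blocklist -contains $lower) {
        $reasons.Add('appears on the compromised/common password list')
    }
    if ($UserName -and $lower.Contains($UserName.ToLowerInvariant())) {
        $reasons.Add('contains the account name')
    }
    foreach ($w in $ContextWords) {
        if ($w -and $lower.Contains($w.ToLowerInvariant())) {
            $reasons.Add("contains context-specific word '$w'")
        }
    }
    # Repetitive or sequential strings ("aaaaaaaa", "12345678") are also rejected by 800-63B.
    if ($norm -match '^(.)\1{7,}$') { $reasons.Add('single repeated character') }
    if ('0123456789'.Contains($norm) -or 'abcdefghijklmnopqrstuvwxyz'.Contains($lower)) {
        $reasons.Add('sequential characters')
    }
    # Note what is absent: no composition rules (upper/lower/digit/symbol) and no expiry date,
    # both of which 800-63B advises against because they lower real-world password quality.

    [pscustomobject]@{
        Accepted = ($reasons.Count -eq 0)
        Length   = $length
        Reasons  = $reasons.ToArray()
    }
}

# Usage: the first candidate is rejected (on the blocklist), the second is accepted.
Test-PasswordPolicy -Candidate 'Password1' -UserName 'ajohnston' -ContextWords 'SNHU'
Test-PasswordPolicy -Candidate 'correct horse battery staple' -UserName 'ajohnston' -ContextWords 'SNHU'
```

The function returns an object rather than printing, so the same check can be wired into a self-service reset page, an onboarding script, or a periodic audit of the directory's password filter without changing the rules in two places.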
Implementation Approach: Process
A security and performance update policy will be created and mandated by all departmental supervisors to assure that all reasonable actions have been taken to protect system assets from potential threats. Time will be reserved for these updates to take place, without exception, to assure system stability and uninterrupted business operations. Just as importantly, a data backup policy must be introduced to secure organizational data. The recommendation is a cloud data store and an additional offsite physical backup server working in tandem, with restores tested on a schedule so that a backup that cannot be restored is discovered before it is needed. Execution of the above will be enforced by the on-site training team working with department supervisors.
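A backup policy is only as good as its verification, so the following is an added example (not from the original paper) of the check the policy above implies: each backup set must have an intact copy in both locations, cloud and offsite, the copies must match the hash recorded when the backup was taken, and the newest copy must be inside the recovery point objective. The two "locations" are temp files constructed here, and the 24-hour RPO, the payroll sample and the paths are assumptions for the demonstration.

```powershell
# Added example: verify a backup set against its manifest. Not part of the original paper.

function Test-BackupSet {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [string]    $ExpectedSha256,   # hash recorded when the backup was taken
        [Parameter(Mandatory)] [hashtable] $Copies,           # location name -> path of that copy
        [TimeSpan] $Rpo = [TimeSpan]::FromHours(24),          # assumed recovery point objective
        [datetime] $Now = (Get-Date)
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $newest = $null

    foreach ($loc in $Copies.Keys) {
        $path = $Copies[$loc]
        if (-not (Test-Path -LiteralPath $path)) { $problems.Add("${loc}: copy missing"); continue }
        # Integrity: a copy that does not match the manifest is corrupt, truncated or tampered with.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $ExpectedSha256) { $problems.Add("${loc}: hash mismatch (corrupt or tampered copy)") }
        $written = (Get-Item -LiteralPath $path).LastWriteTimeUtc
        if ($null -eq $newest -or $written -gt $newest) { $newest = $written }
    }
    # Redundancy: the policy calls for a cloud copy and an offsite copy working in tandem.
    if ($Copies.Count -lt 2) { $problems.Add('fewer than two copies; policy requires cloud + offsite') }
    # Freshness: a copy older than the RPO means more data loss than the policy accepts.
    if ($null -eq $newest) { $problems.Add('no readable copy') }
    elseif (($Now.ToUniversalTime() - $newest) -gt $Rpo) {
        $problems.Add("newest copy is older than the $($Rpo.TotalHours)h RPO")
    }
    [pscustomobject]@{ Set = $Name; Healthy = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# --- Constructed demo: a "cloud" copy and an "offsite" copy of the same export ---
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("backupdemo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$payload = "employee_id,name,salary`n1001,A. Johnston,52000`n"   # constructed sample data
Set-Content -LiteralPath "$tmp\cloud.csv"   -Value $payload -NoNewline
Set-Content -LiteralPath "$tmp\offsite.csv" -Value $payload -NoNewline
$expected = (Get-FileHash -LiteralPath "$tmp\cloud.csv" -Algorithm SHA256).Hash   # the manifest entry

# Healthy: both copies present, both match the manifest, both fresh.
Test-BackupSet -Name 'payroll' -ExpectedSha256 $expected -Copies @{ cloud = "$tmp\cloud.csv"; offsite = "$tmp\offsite.csv" }

# Tampered offsite copy: one byte appended after the manifest was recorded -> reported as unhealthy.
Add-Content -LiteralPath "$tmp\offsite.csv" -Value 'x' -NoNewline
Test-BackupSet -Name 'payroll' -ExpectedSha256 $expected -Copies @{ cloud = "$tmp\cloud.csv"; offsite = "$tmp\offsite.csv" }

Remove-Item -LiteralPath $tmp -Recurse -Force
```

The hash check is what catches the failure mode a backup job's own "success" status misses: a copy that was written but is no longer the bytes that were backed up. Scheduling this check alongside a periodic test restore turns the backup policy into something that is measured rather than assumed.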
Implementation Approach: Technology
Lastly, let us address the technology shortcomings. As mentioned above, physical security controls, which do not appear on the provided diagram, are completely absent. After consultation with executives (because of the cost of implementation), several security apparatuses will be installed, including the following:
Security cameras (inside and outside the building)
A mantrap attached to the 1st-floor entrance
Customizable proximity credentials issued to employees for selective entry
Workstation security is the icing on this security cake. Although a robust password and update policy and physical security controls will discourage some adverse actions, additional cushioning is necessary, especially if the organization anticipates working as a government contractor. The following changes will be suggested:
Account management (login time restrictions, disabled guest accounts, screen lock, Active Directory function management)
Disable USB ports
Encrypt personal files
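The workstation changes listed above, as an added example written for this paper rather than configuration from the original document, expressed as a PowerShell script for a domain-joined Windows 10/11 client. The account name "ajohnston", the 10-minute lock timeout and the Monday to Friday 07:00 to 19:00 logon window are assumptions; in a real rollout these settings belong in Group Policy so they cannot drift per machine, but the script shows what each setting actually changes and how to read it back for an audit.

```powershell
#Requires -RunAsAdministrator
# Added example: workstation hardening steps from the plan above. Not part of the original paper.

# 1. Account management: disable the built-in Guest account.
Disable-LocalUser -Name 'Guest'

# 2. Login time restrictions for a domain account. The AD logonHours attribute is a 21-byte
#    bitmask: 168 bits, one per hour of the week, bit 0 = Sunday 00:00, expressed in UTC,
#    so shift StartHour/EndHour by the site's UTC offset.
function New-LogonHours {
    param([int] $StartHour = 7, [int] $EndHour = 19, [int[]] $Days = @(1, 2, 3, 4, 5))   # Mon-Fri
    $bits = New-Object bool[] 168
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) { $bits[$d * 24 + $h] = $true }
    }
    $bytes = New-Object byte[] 21
    for ($i = 0; $i -lt 168; $i++) {
        if ($bits[$i]) { $bytes[$i -shr 3] = [byte]($bytes[$i -shr 3] -bor (1 -shl ($i % 8))) }
    }
    return $bytes
}
# Requires the RSAT ActiveDirectory module. For a local account the equivalent is:
#   net user ajohnston /times:M-F,7am-7pm
Set-ADUser -Identity 'ajohnston' -Replace @{ logonHours = (New-LogonHours) }

# 3. Screen lock: "Interactive logon: Machine inactivity limit" (seconds). Unlike a screensaver
#    setting, this is machine policy the user cannot turn off from their own profile.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $sys -Name 'InactivityTimeoutSecs' -PropertyType DWord -Value 600 -Force | Out-Null

# 4. Disable USB mass storage by preventing the USBSTOR driver from loading (Start = 4).
#    Keyboards, mice and other non-storage USB devices are unaffected.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4

# 5. Encrypt personal files with EFS (cipher.exe is built into Windows). EFS keys are per user,
#    so run this step in the user's own session, not as the administrator, or the files will be
#    encrypted to the wrong certificate. For whole-disk protection pair it with BitLocker
#    (Enable-BitLocker -MountPoint 'C:' -TpmProtector).
cipher.exe /e /s:"$env:SystemDrive\Users\ajohnston\Documents"

# 6. Verify: read the settings back so the rollout can be audited rather than trusted.
function Get-WorkstationHardeningState {
    [pscustomobject]@{
        GuestDisabled        = -not (Get-LocalUser -Name 'Guest').Enabled
        InactivityTimeoutSec = (Get-ItemProperty -Path $sys -Name 'InactivityTimeoutSecs').InactivityTimeoutSecs
        UsbStorageDisabled   = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start').Start -eq 4
    }
}
Get-WorkstationHardeningState
```

Step 6 is the part most hardening scripts leave out: a control that cannot be read back cannot be shown to an assessor, and for an organization heading toward government contracting the evidence matters as much as the setting.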
References
Liebi, M. (2020). Top 5 Cyber Security Risks For Companies. Extremely Secure.
National Institute of Standards and Technology (NIST). (2021).