Your supervisor has asked that the memo focus on Odenton’s information systems, and specifically, securing the processes for payments of services. Currently, the Odenton Township offices accept cash or credit card
- The IT department for Anne Arundel County is meticulous about keeping payment terminalsoftware,operatingsystemsandothersoftware(includinganti-virussoftware)updated.
- Assessmentofprotection fromremoteaccessandbreachestotheAnneArundelnetwork: OdentonTownshipaccessesthedatabasesystemfortheCountywhenupdatingresident’s accounts for services.It is not clear whether a secure remote connection (VPN) is standard policy.
- AssessmentofphysicalsecurityattheOdentonTownshiphall:theonlycurrentformof physical security are locks on the two outer doors; however, the facility is unlocked Monday-Friday, 8am-5pm (EST), excluding federal holidays.
- Employeeawarenesstrainingondatasecurityandsecurepracticesforhandlingsensitive data (e.g., credit card information) are not in place.
- TheoverarchingconclusionoftheriskassessmentwasthatOdentonTownshipisnot fully compliant with thePCI Data Security Standards(v3.2).
Note: The Chief Executive for Anne Arundel County has asked for specific attention be paid to insider threats, citing a recent article about an administrator from San Francisco (see Resources). Anne Arundel County wants to understand insider threats and ways to mitigate so that they protect their resident’s personal data as well as the County’s sensitive information. These are threats to information systems, including malware and insider threats (negligent or inadvertent users, criminal or malicious insiders, and user credential theft).
Expectations and Format
Using the resources listed below, you are to write a 2-page Professional Informational Memo to the Chief Executive for Anne Arundel County that addresses the following:
- Risk Assessment Summary:Provide an overview of your concerns from the risk assessment report.Include broad ‘goal’ of the memo, as a result of the risk assessment, thebroadrecommendations.SpecificActionStepswillcomelater.Thesummaryshould be no more than one paragraph.
- Background: Provide a background for your concerns. Briefly highlight why the concerns are critical to the County of Anne Arundel and Odenton Township.Clearly statetheimportanceofdatasecurityandinsiderthreatswhendealingwithpersonalcredit cards.Be sure to establish the magnitude of the problem of insider threats.
- Concerns, Standards, Best Practices:The body of the memo needs tojustify your concerns and clarify standards, based on the resources listed below, at minimum.The PCI DSS standards are well respected and used globally to protect entities and individual’ssensitivedata.Thebodyofthememoshouldalsohighlightthreecurrent controls that are considered best practice; that is, you should highlight the positive, what is currently in place, based on the risk assessment.
- Action Steps:Provide a conclusion establishing why it is important for Anne Arundel County to take steps to protect residents and county infrastructure from insider threats based on your concerns.Recommenda minimum of three (3)practical action steps, includingnewsecuritycontrols,bestpracticesand/oruserpoliciesthatwillmitigatethe concerns in this memo.Be sure to include cost considerations so that the County is
getting the biggest bang for the buck. The expectations are not for you to research and quote actual costs, but to generalize potential costs. For instance, under the category of physical security, door locks are typically less expensive than CCTV cameras.
- BesuretoreviewthePowerPointpresentation(inpdfformat)EffectiveProfessional Memo Writingthat accompanies these instructions.
- UsetheProfessionalMemotemplatethataccompaniestheseinstructions.
- Usefoursection subtitles, inbold.
- RiskAssessmentSummary
- Background
- Concerns,Standards,BestPractices
- ActionSteps
- Donot changethefont sizeor typeor pagemargins.
- Donotincludeanygraphics,imagesor‘snips’ofanycontentfromcopyrighted sources.The PCI Standards (PCI DSS) document is copyrighted material.
- ParagraphtextshouldbesinglespacedwithONE‘hardreturn’(Enter)aftereach paragraphand after each section subtitle.Note:Donotcreate anew ‘paragraph’ after each sentence.A single sentence is not a paragraph.
- ‘Subject’isthesubject of yourmemo,notthecoursenameornumber.
- Besuretoremoveanyremaining‘placeholder’textinthetemplatefilebeforesubmitting.
- ThelengthofthetemplatewhenyoudownloaditisNOTtheintendedlengthof the entire memo.Your completed memo should be between 1.5 pages and 2 pages (total document, including the To:/From:/Re:/Subject header).
- Usefoursection subtitles, inbold.
*Note: the Professional Memo is to be in a MS Word file and all work is to be in the student’s own words (no direct quotes from external sources or the instructions) *
APAdocumentationrequirements:
- Asthisisaprofessionalmemo,aslongasyouuseresourcesprovidedwithorlinked from these instructions,APA documentation is NOT required.
- Citingmaterialorresourcesbeyondwhat isprovidedhereisNOTrequired.
- However, you should usebasic attributionand mention the source of any data, ideas orpoliciesthatyoumention,whichwillhelpestablishthecredibilityandauthorityof the memo.
- For example, mentioning that thePayment Card Industry Data Security Standards(PCIDSS)identifyacertaincontrolasbestpracticeholdsmore weight than simply stating the control is a best practice without basicattribution.
- Mentioning thatWired Magazine reportedthat a City of San Francisco IT technicianeffectivelyhijackedandlocked60%ofthecity’snetworkcapacity, is more effective than saying “I read somewhere that…”
Resources
Examples of Security Breaches Due to Insider Threats
SanFranciscoAdminChargedWithHijackingCity'sNetwork
Microsoftdatabaseleakedbecauseofemployeenegligence
GeneralElectricemployeesstoletradesecretstogainabusinessadvantage Former Cisco employee purposely damaged cloud infrastructure
Twitterusersscammedbecauseofphishedemployees
- PCIDSSGoals:
(source:https://www.pcisecuritystandards.org/merchants/process)
References
FBI.(2021).TheInsiderThreat:AnIntroductiontoDetectingandDeterringanInsiderSpy. https://www.fbi.gov/file-repository/insider_threat_brochure.pdf/view
PCIDSS.(2021,Feb.12).PaymentCardIndustrySecurityStandards. https://www.pcisecuritystandards.org/
JingguoWang,Gupta,M.,&Rao,H.R.(2015).Insider threatsinafinancialinstitution:Analysis of attack-proneness of information systems applications.MIS Quarterly,39(1), 91-A7. https://search-ebscohost- com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost- live&scope=site
ProfessorMesser.(2014).Authorizationandaccesscontrol[Videofile].YouTube. https://www.youtube.com/watch?v=6aXMuJPkuiU
U.S.DHS.(2021).InsiderThreat.https://www.dhs.gov/science-and-technology/cybersecurity- insider-threat
Wizuda.(2017).Dataanonymisationsimplified[Videofile].YouTube. https://www.youtube.com/watch?v=m9UxV4XaXwg
Yuan,S.,&Wu,X.(2021).Deeplearningforinsiderthreatdetection:Review,challengesand opportunities.Computers & Security. https://doi- org.ezproxy.umgc.edu/10.1016/j.cose.2021.102221
Keywords: risk assessment, insider threats, data security
SubmittingYourAssignment
SubmityourdocumentviayourAssignmentFolderasMicrosoftWorddocument,oradocumentthatcan bereadyusingMSWord,withyourlastnameincludedinthefilename.UsetheGradingRubricbelowto be sure you have covered all aspects of the assignment.
GRADINGRUBRIC:
Criteria |
Far Above Standards |
Above Standards |
Meets Standards |
Below Standards |
Well Below Standards |
Possible Points |
Summary of Risk Assessment |
15 Points
Summary is highly effective, thorough and professional. |
12.75 Points
Summary is effective, thorough and professional. |
10.5 Points
Summary is somewhat effective, thorough and professional. |
9 Points
Summary is lacking. |
0-8 Points Stated requirements for this section are severely lacking or absent. |
15 |
Background and Importance (to the Client) of Data Security and Insider Threats |
10 Points
Discussion of ba5ckground, data security and insider threats is highly effective, thorough, and professional. |
8.5 Points
Discussion of background, data security and insider threats is effective, thorough, and professional. |
7 Points
Discussion of background, data security and insider threats is somewhat effective, thorough, and professional. |
6 Points
Discussion of background, data security and insider threats is lacking. |
0-5 Points
Stated requirements for this section are severely lacking or absent. |
10 |
Concerns, Standards, Best Practices: Justify Concerns and Clarify Standards |
15 Points
Discussion of concerns and standards is highly effective, thorough, and professional. |
12.75 Points
Discussion of concerns and standards is effective, thorough, and professional. |
10.5 Points
Discussion of concerns and standards is somewhat effective, thorough, and professional. |
9 Points
Discussion of concerns or standards is lacking. |
0-8 Points
Stated requirements for this section are severely lacking or absent. |
15 |
Concerns, Standards, Best Practices: Three current practices identified and justified as best practice |
15 Points
Three highly relevant current practices are offered and justified as best practices. Overall presentation is clear, concise, and professional. |
12.75 Points
Section may be lacking in number of recommendations or relevancy or justification or overall presentation. |
10.5 Points
Section is lacking in number of recommendations or relevancy or justification or overall presentation. |
9 Points
Section is lacking in two or more of the following: number of recommendations or relevancy or justification or overall presentation. |
0-8 Points
Stated requirements for this section are severely lacking or absent. |
15 |
Action Steps: Three recommendati ons minimum identified and justified including some discussion of cost considerations |
20 Points
Three highly relevant recommendations are offered and justified, with effective discussion of cost considerations. Overall presentation is clear, concise, and professional. |
17 Points
Section may be lacking in number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation. |
14 Points
Section is lacking in number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation. |
12 Points
Section is lacking in two or more of the following: number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation. |
0-11 Points
Stated requirements for this section are severely lacking or absent. |
20 |
Basic Attribution (overall) |
10 Points
Overall use of basic attribution is highly effective in establishing credibility and authority. |
8.5 Points
Overall use of basic attribution is effective in establishing credibility and authority. |
7 Points
Overall use of basic attribution is partially effective in establishing credibility and authority. |
6 Points
Overall use of basic attribution is partially effective in establishing credibility and authority. Additional basic attribution may have been needed. |
0-5 Points
Overall use of basic attribution was minimally effective or not used. |
10 |
Overall Format: APA documentatio n needed only if sources external to the assignment are introduced |
15 Points
Submission reflects effective organization and sophisticated writing; follows instructions provided; uses correct structure, grammar, and spelling; presented in a professional format; any references used are appropriately incorporated and cited using APA style. |
12.75 Points
Submission reflects effective organization and clear writing; follows instructions provided; uses correct structure, grammar, and spelling; presented in a professional format; any references used are appropriately incorporated and cited using APA style. |
10.5 Points
Submission is adequate, is somewhat organized, follows instructions provided; contains minimal grammar and/or spelling errors; and follows APA style for any references and citations. |
9 Points
Submission is not well organized, and/or does not follow instructions provided; and/or contains grammar and/or spelling errors; and/or does not follow APA style for any references and citations. May demonstrate inadequate level of writing. |
0-8 Points
Document is poorly written and does not convey the necessary information. |
15 |
|
|
|
|
|
TOTAL Points Possible |
100 |
100