- The IT department for Anne Arundel County is meticulous about keeping payment terminalsoftware,operatingsystemsandothersoftware(includinganti-virussoftware)updated.
- Assessmentofprotection fromremoteaccessandbreachestotheAnneArundelnetwork: OdentonTownshipaccessesthedatabasesystemfortheCountywhenupdatingresident’s accounts for services.It is not clear whether a secure remote connection (VPN) is standard policy.
- AssessmentofphysicalsecurityattheOdentonTownshiphall:theonlycurrentformof physical security are locks on the two outer doors; however, the facility is unlocked Monday-Friday, 8am-5pm (EST), excluding federal holidays.
- Employeeawarenesstrainingondatasecurityandsecurepracticesforhandlingsensitive data (e.g., credit card information) are not in place.
- TheoverarchingconclusionoftheriskassessmentwasthatOdentonTownshipisnot fully compliant with thePCI Data Security Standards(v3.2).
Note: The Chief Executive for Anne Arundel County has asked for specific attention be paid to insider threats, citing a recent article about an administrator from San Francisco (see Resources). Anne Arundel County wants to understand insider threats and ways to mitigate so that they protect their resident’s personal data as well as the County’s sensitive information. These are threats to information systems, including malware and insider threats (negligent or inadvertent users, criminal or malicious insiders, and user credential theft).
Expectations and Format
Using the resources listed below, you are to write a 2-page Professional Informational Memo to the Chief Executive for Anne Arundel County that addresses the following:
- Risk Assessment Summary:Provide an overview of your concerns from the risk assessment report.Include broad ‘goal’ of the memo, as a result of the risk assessment, thebroadrecommendations.SpecificActionStepswillcomelater.Thesummaryshould be no more than one paragraph.
- Background: Provide a background for your concerns. Briefly highlight why the concerns are critical to the County of Anne Arundel and Odenton Township.Clearly statetheimportanceofdatasecurityandinsiderthreatswhendealingwithpersonalcredit cards.Be sure to establish the magnitude of the problem of insider threats.
- Concerns, Standards, Best Practices:The body of the memo needs tojustify your concerns and clarify standards, based on the resources listed below, at minimum.The PCI DSS standards are well respected and used globally to protect entities and individual’ssensitivedata.Thebodyofthememoshouldalsohighlightthreecurrent controls that are considered best practice; that is, you should highlight the positive, what is currently in place, based on the risk assessment.
- Action Steps:Provide a conclusion establishing why it is important for Anne Arundel County to take steps to protect residents and county infrastructure from insider threats based on your concerns.Recommenda minimum of three (3)practical action steps, includingnewsecuritycontrols,bestpracticesand/oruserpoliciesthatwillmitigatethe concerns in this memo.Be sure to include cost considerations so that the County is
getting the biggest bang for the buck. The expectations are not for you to research and quote actual costs, but to generalize potential costs. For instance, under the category of physical security, door locks are typically less expensive than CCTV cameras.
- BesuretoreviewthePowerPointpresentation(inpdfformat)EffectiveProfessional Memo Writingthat accompanies these instructions.
- UsetheProfessionalMemotemplatethataccompaniestheseinstructions.
- Usefoursection subtitles, inbold.
- RiskAssessmentSummary
- Background
- Concerns,Standards,BestPractices
- ActionSteps
- Donot changethefont sizeor typeor pagemargins.
- Donotincludeanygraphics,imagesor‘snips’ofanycontentfromcopyrighted sources.The PCI Standards (PCI DSS) document is copyrighted material.
- ParagraphtextshouldbesinglespacedwithONE‘hardreturn’(Enter)aftereach paragraphand after each section subtitle.Note:Donotcreate anew ‘paragraph’ after each sentence.A single sentence is not a paragraph.
- ‘Subject’isthesubject of yourmemo,notthecoursenameornumber.
- Besuretoremoveanyremaining‘placeholder’textinthetemplatefilebeforesubmitting.
- ThelengthofthetemplatewhenyoudownloaditisNOTtheintendedlengthof the entire memo.Your completed memo should be between 1.5 pages and 2 pages (total document, including the To:/From:/Re:/Subject header).
- Usefoursection subtitles, inbold.
*Note: the Professional Memo is to be in a MS Word file and all work is to be in the student’s own words (no direct quotes from external sources or the instructions) *
APAdocumentationrequirements:
- Asthisisaprofessionalmemo,aslongasyouuseresourcesprovidedwithorlinked from these instructions,APA documentation is NOT required.
- Citingmaterialorresourcesbeyondwhat isprovidedhereisNOTrequired.
- However, you should usebasic attributionand mention the source of any data, ideas orpoliciesthatyoumention,whichwillhelpestablishthecredibilityandauthorityof the memo.
- For example, mentioning that thePayment Card Industry Data Security Standards(PCIDSS)identifyacertaincontrolasbestpracticeholdsmore weight than simply stating the control is a best practice without basicattribution.
- Mentioning thatWired Magazine reportedthat a City of San Francisco IT technicianeffectivelyhijackedandlocked60%ofthecity’snetworkcapacity, is more effective than saying “I read somewhere that…”
Resources
Examples of Security Breaches Due to Insider Threats
SanFranciscoAdminChargedWithHijackingCity’sNetwork
Microsoftdatabaseleakedbecauseofemployeenegligence
GeneralElectricemployeesstoletradesecretstogainabusinessadvantage Former Cisco employee purposely damaged cloud infrastructure
Twitterusersscammedbecauseofphishedemployees
- PCIDSSGoals:
(source:https://www.pcisecuritystandards.org/merchants/process)
References
FBI.(2021).TheInsiderThreat:AnIntroductiontoDetectingandDeterringanInsiderSpy. https://www.fbi.gov/file-repository/insider_threat_brochure.pdf/view
PCIDSS.(2021,Feb.12).PaymentCardIndustrySecurityStandards. https://www.pcisecuritystandards.org/
JingguoWang,Gupta,M.,&Rao,H.R.(2015).Insider threatsinafinancialinstitution:Analysis of attack-proneness of information systems applications.MIS Quarterly,39(1), 91-A7. https://search-ebscohost- com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost- live&scope=site
ProfessorMesser.(2014).Authorizationandaccesscontrol[Videofile].YouTube. https://www.youtube.com/watch?v=6aXMuJPkuiU
U.S.DHS.(2021).InsiderThreat.https://www.dhs.gov/science-and-technology/cybersecurity- insider-threat
Wizuda.(2017).Dataanonymisationsimplified[Videofile].YouTube. https://www.youtube.com/watch?v=m9UxV4XaXwg
Yuan,S.,&Wu,X.(2021).Deeplearningforinsiderthreatdetection:Review,challengesand opportunities.Computers & Security. https://doi- org.ezproxy.umgc.edu/10.1016/j.cose.2021.102221
Keywords: risk assessment, insider threats, data security
SubmittingYourAssignment
SubmityourdocumentviayourAssignmentFolderasMicrosoftWorddocument,oradocumentthatcan bereadyusingMSWord,withyourlastnameincludedinthefilename.UsetheGradingRubricbelowto be sure you have covered all aspects of the assignment.
GRADINGRUBRIC:
|
Criteria |
Far |
Above |
Meets |
Below |
Well |
Possible |
|
Summary |
15
Summary |
12.75
Summary |
10.5
Summary |
9
Summary |
0-8
Stated |
15 |
|
Background |
10
Discussion |
8.5
Discussion |
7
Discussion professional. |
6
Discussion |
0-5
Stated |
10 |
|
Concerns, |
15
Discussion |
12.75
Discussion |
10.5
Discussion professional. |
9
Discussion |
0-8
Stated |
15 |
|
Concerns, |
15
Three professional. |
12.75
Section |
10.5
Section |
9
Section presentation. |
0-8
Stated |
15 |
|
Action |
20
Three
Overall professional. |
17
Section |
14
Section |
12
Section |
0-11
Stated |
20 |
|
Basic |
10 Overall |
8.5 Overall |
7 Overall |
6 Overall Additional have |
0-5 Overall |
10 |
|
Overall documentatio |
15 Submission cited |
12.75 Submission |
10.5 Submission |
9 Submission inadequate |
0-8 Document |
15 |
|
|
|
|
|
|
TOTAL Points |
100 |
100