Description

Hi, I need help creating this memo, after several horrible drafts.

IT 253 Project One Consultant Findings
We were hired to provide an evaluation of the company’s current information security program and
identify high risks that should be addressed by the company. We understand and recognize that the
information security function at the company is still in its infancy, but our findings should help you to
prioritize your initial efforts. We were impressed with your leadership’s commitment to supporting and
dedicating resources to ensure that these issues are addressed in a timely manner.
Our consultant assessed the existence or absence of technical, physical, and administrative controls. Our
evaluation was not limited only to particular systems, but also evaluated existing people, processes, and
technologies, and how each element impacts the company’s information security posture.
The following high-risk findings were identified by our consultant:
● Our team was able to access your headquarters building without a valid badge. We simply waited near a side entrance and followed another employee inside.
● Your data center did require badge access, but any employee or visitor with a badge could access the space.
● Backups were being kept on-site and were not encrypted.
● When speaking to employees, we found that they were unaware of what to do when they receive phishing or other suspicious emails.
● The current information security policy had not been updated in four years.
● Our assessors noticed that many workstations were actively logged on and accessible, but no employees were using them.
● No business continuity plan or disaster recovery plan exists.
● When we interviewed your IT staff, they told us that they use a shared account for performing high-level system administrator functions. They were also unsure of what, if any, security responsibilities they had.
● Your company wireless network is configured to use WEP.
● System and security logs are not being stored in a central location.
● Mobile devices, such as laptops and phones, are not encrypted.
● Your data center did not have backup or generator power.
● In a review of user workstations, over 35% had anti-virus definitions over 30 days old.
While we focused on only a subset of high-risk areas initially, addressing multiple risks will dramatically
reduce the company’s exposure to threats. You should have a follow-up evaluation after these issues are
addressed to identify additional areas of opportunity.
IT 253 Project One Company Overview
Your company designs, manufactures, and sells custom stereo equipment. It was founded in 1993 as a
small family business with a single store and quickly expanded to over 250 locations due to high demand
for its competitively priced, quality products. The company became publicly traded in 2005, which
means that it is subject to Sarbanes-Oxley (SOX) regulations. It currently has 850 employees and
reported annual revenue of $110 million.
Due to cost pressures from larger retailers, the company decided to close all of its retail stores in 2015
and adopt and implement a fully online sales model. It has found a great niche market in targeting
consumers who want a higher level of support and customized features compared to what its
competitors offer. The company has a robust and easy-to-use e-commerce system that automatically
sends sales order information to other parts of the company’s information systems.
The company headquarters is in Detroit, MI, and contains Human Resources, Finance, Information
Technology, and the Data Center. Two offices in Sacramento, CA, and Austin, TX, support the Customer
Service and Marketing departments. The company’s engineering team is located in Frankfurt, Germany.
The company’s main manufacturing site is located in Beijing, China. The business serves customers from
all around the world, with its highest sales coming from the United States and England.
Business Objectives
In the past year, the company has identified the need to take a stronger stance on protecting its assets
and customer information and data. This is especially important because the company wishes to expand
its market significantly to reach a greater global audience in the coming year. Company leadership has
decided on the following business objectives:
● Grow the market share by creating an extensive global advertising campaign to reach new audiences and showcase the company’s product line
● Increase revenue by 20% compared to the previous year
● Put measures in place to minimize cyberattacks that would affect business operations
  ○ This includes the availability of the e-commerce website and systems in the manufacturing supply chain.
  ○ Ransomware has been a topic of expressed concern.
● Ensure alignment between company policies and practices and SOX regulations to maintain compliance
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act was put into law to protect shareholders (both internal and external) from
accounting problems and purposeful financial fraud by companies. SOX was created to improve
governance and accountability due to the disastrous scandals that happened at Enron, WorldCom, and
Tyco, which caused a combined loss to shareholders of over $280 billion. SOX imposes both financial and
criminal penalties for noncompliance.
While SOX focuses a great deal on accounting and finance controls, there are a number of information
technology and security concerns that must be addressed as well. Among these are:
● Access—This includes both physical access to facilities and electronic access to systems.
● Change Control—Processes must be in place to approve and record changes to the environment.
● Backup—Systems must be backed up at regular intervals and must be able to be restored.
● Security—Controls must exist to detect and stop data breaches, and tools must be in place to remediate incidents.
Assignment:
Scenario
You recently stepped into the role of information security manager at a medium-sized e-commerce company with roughly 500 to 1,000 employees organization-wide. The company has
hired a third-party consultant to evaluate its information security posture. The consultant has
concluded the evaluation and noted several high security risks. These action items must be
addressed to ensure that the company’s information assets are secure. Your task is to provide
recommendations to address multiple identified security risks and explain your decisions to your
leadership team.
Directions
Memo Template: To communicate the identified information security risks and your
recommendations and explanations, you will generate a memo to your leadership team. Your
recommendations do not have to address all information security risks; however, they must
address multiple risks. Be mindful that your leadership team is considered a nontechnical
audience. You must complete each of the following sections:
• Introduction: Describe how addressing the evaluated elements of information security will support the company’s business objectives.
• Laws and Regulations: Explain how laws and regulations influence information security policies and procedures within this company.
• Technical Controls: Describe the technical controls that you would recommend to address the multiple indicated information security risks from the consultant’s findings.
• Administrative Controls: Describe the administrative controls that you would recommend to address the multiple indicated information security risks from the consultant’s findings.
• Physical Controls: Describe the physical controls that you would recommend to address the multiple indicated information security risks from the consultant’s findings.
• Business Impact: Explain how your recommendations impact current information security policies and practices within this company.
• Conclusion: Explain why leadership should act on these control recommendations to improve the company’s information security posture. Your conclusion can also include a brief summary, although it is not required.
IT 253 Project One Memo Template
Complete this template by replacing the bracketed text with the relevant information.
DATE: [Insert date]
TO: Company Leadership
FROM: Information Security Manager
SUBJECT: [Insert title]
Introduction: [Insert text to describe how the evaluated elements of information security being
addressed will support the company’s business objectives.]
Laws and Regulations: [Insert text to explain how laws and regulations influence information security
policies and procedures within this company.]
Technical Controls: [Insert text to describe the technical controls that you would recommend to address
at least three indicated information security risks from the consultant’s findings.]
Administrative Controls: [Insert text to describe the administrative controls that you would recommend
to address at least three indicated information security risks from the consultant’s findings.]
Physical Controls: [Insert text to describe the physical controls that you would recommend to address at
least three indicated information security risks from the consultant’s findings.]
Business Impact: [Insert text to explain how your recommendations impact current information security
policies and practices within this company.]
Conclusion: [Insert text to explain why leadership should act on these control recommendations to
improve the company’s information security posture. Your conclusion can also include a brief summary,
although it is not required.]