Memo Template: To communicate the identified information security risks and your recommendations and explanations
Scenario:
You recently stepped into the role of information security manager at a medium-sized e-commerce company with roughly 500 to 1,000 employees organization-wide. The company has hired a third-party consultant to evaluate its information security posture. The consultant has concluded the evaluation and noted several high security risks. These action items must be addressed to ensure that the company’s information assets are secure. Your task is to provide recommendations to address multiple identified security risks and explain your decisions to your leadership team.
Directions
Memo Template: To communicate the identified information security risks and your recommendations and explanations, you will generate a memo to your leadership team. Your recommendations do not have to address all information security risks; however, they must address multiple risks. Be mindful that your leadership team is considered a nontechnical audience. You must complete each of the following sections:
Introduction: Describe how addressing the evaluated elements of information security will support the company’s business objectives.
Laws and Regulations: Explain how laws and regulations influence information security policies and procedures within this company.
Technical Controls: Describe the technical controls that you would recommend to address the multiple indicated information security risks from the consultant’s findings.
Administrative Controls: Describe the administrative controls that you would recommend to address the multiple indicated information security risks from the consultant’s findings.
Physical Controls: Describe the physical controls that you would recommend to address the multiple indicated information security risks from the consultant’s findings.
Business Impact: Explain how your recommendations impact current information security policies and practices within this company.
Conclusion: Explain why leadership should act on these control recommendations to improve the company’s information security posture. Your conclusion can also include a brief summary, although it is not required.
Company Overview:
Your company designs, manufactures, and sells custom stereo equipment. It was founded in 1993 as a small family business with a single store and quickly expanded to over 250 locations due to high demand for its competitively priced, quality products. The company became publicly traded in 2005, which means that it is subject to Sarbanes-Oxley (SOX) regulations. It currently has 850 employees and reported annual revenue of $110 million. Due to cost pressures from larger retailers, the company decided to close all of its retail stores in 2015 and adopt and implement a fully online sales model. It has found a great niche market in targeting consumers who want a higher level of support and customized features compared to what its competitors offer. The company has a robust and easy-to-use e-commerce system that automatically sends sales order information to other parts of the company’s information systems. The company headquarters is in Detroit, MI, and contains Human Resources, Finance, Information Technology, and the Data Center. Two offices in Sacramento, CA, and Austin, TX, support the Customer Service and Marketing departments. The company’s engineering team is located in Frankfurt, Germany. The company’s main manufacturing site is located in Beijing, China. The business serves customers from all around the world, with its highest sales coming from the United States and England. Business Objectives In the past year, the company has identified the need to take a stronger stance on protecting its assets and customer information and data. This is especially important because the company wishes to expand its market significantly to reach a greater global audience in the coming year. Company leadership has decided on the following business objectives:
● Grow the market share by creating an extensive global advertising campaign to reach new audiences and showcase the company’s product line
● Increase revenue by 20% compared to the previous year
● Put measures in place to minimize cyberattacks that would affect business operations ○ This includes the availability of the e-commerce website and systems in the manufacturing supply chain. ○ Ransomware has been a topic of expressed concern.
● Ensure alignment between company policies and practices and SOX regulations to maintain compliance
Sarbanes-Oxley Act of 2002 The Sarbanes-Oxley Act was put into law to protect shareholders (both internal and external) from accounting problems and purposeful financial fraud by companies. SOX was created to improve governance and accountability due to the disastrous scandals that happened at Enron, WorldCom, and Tyco, which caused a combined loss to shareholders of over $280 billion. SOX imposes both financial and criminal penalties for noncompliance. While SOX focuses a great deal on accounting and finance controls, there are a number of information technology and security concerns that must be addressed as well. Among these are:
● Access—This includes both physical access to facilities and electronic access to systems. 2
● Change Control—Processes must be in place to approve and record changes to the environment.
● Backup—Systems must be backed up at regular intervals and must be able to be restored.
● Security—Controls must exist to detect and stop data breaches, and tools must be in place to remediate incidents.
Consultant Findings:
We were hired to provide an evaluation of the company’s current information security program and identify high risks that should be addressed by the company. We understand and recognize that information security function at the company is still in its infancy, but our findings should help you to prioritize your initial efforts. We were impressed with your leadership’s commitment to support and to dedicating resources to ensure that these issues are addressed in a timely manner. Our consultant assessed the existence or absence of technical, physical, and administrative controls. Our evaluation was not limited only to particular systems, but also evaluated existing people, processes, and technologies, and how each element impacts the company’s information security posture. The following high-risk findings were identified by our consultant:
● Our team was able to access your headquarters building without a valid badge. We simply waited near a side entrance and followed another employee inside.
● Your data center did require badge access, but any employee or visitor with a badge could access the space.
● Backups were being kept on-site and were not encrypted.
● When speaking to employees, we found that they were unaware of what to do when they receive phishing or other suspicious emails.
● The current information security policy had not been updated in four years.
● Our assessors noticed that many workstations were actively logged on and accessible, but no employees were using them.
● No business continuity plan or disaster recovery plan exists.
● When we interviewed your IT staff, they told us that they use a shared account for performing high-level system administrator functions. They were also unsure of what, if any, security responsibilities they had.
● Your company wireless network is configured to use WEP.
● System and security logs are not being stored in a central location.
● Mobile devices, such as laptops and phones, are not encrypted.
● Your data center did not have backup or generator power.
● In a review of user workstations, over 35% had anti-virus definitions over 30 days old. While we focused on only a subset of high-risk areas initially, addressing multiple risks will dramatically reduce the company’s exposure to threats. You should have a follow-up evaluation after these issues are addressed to identify additional areas of opportunity.