In my audit of Dalton, Walton, & Carlton, Inc.’s IT infrastructure, I have uncovered several factors that could cause potential future harm to the organization. I will first share my thoughts on the IT infrastructure going in order of appearance in the provided case study.
First, the main office’s lack of concern for its physical security is quite troubling; given the recent theft of a number of PCs and office equipment, I would recommend enhancing security protocols and systems. Included in the updates would be a sophisticated video surveillance system that covers all entries and exits to the building, as well as internal high-traffic and sensitive areas. Each building’s access points need to be secured with guards who verify each individual’s access to the building using an ID-card system. To solve the issue of vendor access, each visitor should be assigned a temporary ID card and escorted while on the premises.
Next, I will discuss the IT infrastructure. For system updates and patches, a new policy needs to be created to ensure that each update, along with essential maintenance and testing, is performed in a timely fashion. Updates should ideally be run on a test server before being rolled out to the entire company. A policy should be created for third-party products as well, including Adobe PDF and Flash. Flash, which is being phased out, should be replaced with something like Adobe Shockwave Player, and any programs or services that currently rely on Flash should be tested against the replacement before Flash is officially disabled. Per the PCI Security Standards Council’s article, “Payment Data Security Essential: Patching,” all vendor patches need to be authenticated and identified, and thoroughly discussed to ensure compliance.
While each satellite office has its own servers, IT should manage all servers as a single group; this will ensure that updates are applied in a timely fashion and that all systems share a uniform security and maintenance policy. As Windows 7 is no longer supported by Microsoft, the switch to Windows 10 should be made immediately to avoid configuration issues with other software and to ensure that security remains a top priority. HR laptops need to be updated as well and signed in and out when used. The firewall’s updates are also concerning because they are not applied uniformly or in a timely fashion; a new policy should be enforced to fix this. Per the PCI Security Standards Council’s article, “Payment Data Security Essential: Secure Remote Access,” and given the organization’s use of remote employees, remote access should be limited, require multi-factor authentication, and require unique credentials (PCI Security Standards Council, 2018).
The part-time security employee should be promoted to full-time, as security needs to be a top priority. Due to the lack of data storage security, a policy should be created to ensure the security of files without relying on the owner’s input. Security staff should be in charge of what to secure and how to do it. Per The SANS Institute’s article, “Security Information/Event Management Security Development Life Cycle Version 5,” several questions need to be answered to determine proper data storage protocols, including what data needs to be stored, how long the data should be kept (online and offline), and how the data should be accessed. Because several employees left and went to your competitor, each employee should sign a contract that covers intellectual property and includes a non-compete clause.
Onsite staff who currently provide IT support alongside their other responsibilities should stop doing so immediately and be replaced by full-time IT staff. Only IT staff should be able to perform IT-related functions, including password resets. The generic password, Chiefs2017, should be replaced with a sophisticated password that includes over ten special characters. Per the PCI Security Standards Council’s article, “Payment Data Security Essential: Strong Passwords,” the use of default and weak passwords leads to 81% of hacking-related breaches. Furthermore, passwords should be changed regularly, never shared, and made difficult to guess (PCI Security Standards Council, 2018).
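As an added illustration (not part of this audit letter, and not taken from the PCI SSC’s guidance), the following Python check enforces rules of the kind described above at password-reset time: it rejects a shared generic credential such as Chiefs2017, flags the dictionary-word-plus-year pattern, and reports when a password is due for rotation. The minimum length, character-class requirement, rotation interval and the list of known-weak passwords are assumed values chosen for the example, not figures from the letter or the cited articles.

```python
import re
from datetime import date, timedelta
from typing import List

# Assumed policy thresholds for this example (not from the audit letter).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_AGE_DAYS = 90

# Constructed list of default/weak credentials; a real deployment would use a
# much larger breached-password list.
KNOWN_WEAK = {"password", "password1", "welcome1", "admin", "123456", "chiefs2017"}


def policy_violations(password: str) -> List[str]:
    """Return every rule the candidate password breaks; empty list means it passes."""
    problems: List[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in KNOWN_WEAK:
        problems.append("matches a known default/weak password")

    # A dictionary word followed by a year (e.g. Chiefs2017) is trivially guessable.
    if re.fullmatch(r"[A-Za-z]+(19|20)\d{2}", password):
        problems.append("dictionary word followed by a year")

    # Count lower-case, upper-case, digit and symbol classes actually present.
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"\d", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")

    return problems


def is_acceptable(password: str) -> bool:
    """True only when no policy rule is violated."""
    return not policy_violations(password)


def needs_rotation(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the assumed rotation interval."""
    return (today - last_changed) > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    for candidate in ("Chiefs2017", "password", "Tr!cky-Badger#4491"):
        print(candidate, "->", policy_violations(candidate) or "OK")
    print("rotation due:", needs_rotation(date(2020, 1, 1), date(2020, 5, 25)))
```

In practice the same checks would be wired into the help-desk reset procedure so that only IT staff can set a password, and the rotation check would be driven from the directory’s last-password-change attribute rather than a hand-entered date.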
With the above changes, I feel that Dalton, Walton, & Carlton, Inc.’s IT infrastructure will be significantly improved, leading to increased sales and reduced security risk. Both IT and security staff will need to be adequately trained on all the updates so that they can, in turn, prepare the rest of Dalton, Walton, & Carlton, Inc.’s employees. While this audit is somewhat lacking in situation-specific recommendations, as I was unable to physically inspect your organization’s infrastructure and was provided only limited data, I strongly recommend that we schedule a visit to your company’s locations to further develop this audit. I hope you take my suggestions seriously: due to COVID-19 there has been a large rise in cybercrime, and with your security and policies in their current state you are extremely susceptible to it. Please contact me with any questions.
William Donaldson, IT Auditor
PCI Security Standards Council. (2020). 8 Tips to Help Small Merchants Protect Payment Card Data During COVID-19. Retrieved May 25, 2020, from https://www.pcisecuritystandards.org/documents/PCI_COVID-19_Resource_Guide.pdf?agreement=true&time=1590421275592.
PCI Security Standards Council. (2018). Payment Data Security Essential: Strong Passwords. Retrieved May 25, 2020, from https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf?agreement=true&time=1590431308523.
PCI Security Standards Council. (2018). Payment Data Security Essential: Secure Remote Access. Retrieved May 25, 2020, from https://www.pcisecuritystandards.org/document_library?category=educational_resources&document=pci_dss_large_org.
PCI Security Standards Council. (2018). Payment Data Security Essential: Patching. Retrieved May 25, 2020, from https://www.pcisecuritystandards.org/document_library?category=educational_resources&document=pci_dss_large_org.
The SANS Institute. (2006). Security Information/Event Management Security Development Life Cycle Version 5. Retrieved May 25, 2020, from https://www.sans.org/media/score/esa-current.pdf.
Stallings, W. (2017). Network Security Essentials: Applications and Standards (Sixth). Pearson.