Security

Scenario: Harry and Mae’s Inc. Case Study- Customer Feedback


Dear Tekzor Inc.,

We, Harry & Mae’s Inc., have reviewed your company’s recommendations for the risk analysis and mitigation project and wanted to provide valuable feedback regarding each found threat and its solution. We want to thank you for your thorough and professional approach in helping our organization predict and prevent the various dangers out there. As you will see, I require additional information on many of the tasks and your proposed changes to our network infrastructure and data policies.

Please let us know if you have any further questions.

Thank you,

Harry & Mae’s, Inc.

Asset: Internet
Description: Comcast Business Services: fully redundant fiber (100 Mbps down and 50 Mbps up)
Vulnerabilities: While there is a fully redundant dual-fiber ring consisting of two fiber pairs, the entire system and the security software/hardware will be inaccessible if the network does go down.
Control(s): Preventative, detective, corrective
Recommendations: While the dual-fiber ring is generally sufficient, I would recommend having a backup I.S.P. (even with a slower speed) to ensure the continued operation of the network in the event of a failure of the primary I.S.P.; this change does not necessarily have to be implemented, but if it is, it can wait. Proper procedures should be created and followed for what to do if an outage occurs, how to switch to the second I.S.P., and what needs to be documented (such as a disaster recovery plan). A UPS (or multiple) should be added to the network infrastructure.
Customer Comments: While I appreciate this recommendation’s thoroughness, we feel that the dual-fiber redundant ring will provide enough redundancy to thwart the necessity for an additional backup I.S.P. However, I believe, with your assistance, we can figure out another option to provide internet to mission-critical assets in the case of an emergency, such as a mobile/cellular hotspot of sorts. I would love to discuss this further with you in the future.

Asset: Nexus Core 700 Switches
Description: NX-OS 5.0
Vulnerabilities: No policy on system updates. Various reported issues. Running NX-OS 5.0.
Control(s): Preventative, detective, corrective, technical, procedural
Recommendations: A policy on system updates and general maintenance should be implemented. NX-OS 5.0 should be updated to the most current version (9.2); this should be immediately addressed. A UPS (or multiple) should be added to the network infrastructure.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. NX-OS will be updated as soon as possible to the most recent version. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified.

Asset: Cisco ME 3600X Switches
Description: 2nd layer, located in each building on campus
Vulnerabilities: Poor password policy. Open access possible with a breach.
Control(s): Preventative, technical, procedural
Recommendations: Each Cisco ME 3600X switch should be replaced with a Cisco ASR 920 and Cisco 2960-X pair to take advantage of updated security settings and redundancy (using two switches instead of one); this should be immediately addressed. Furthermore, the password policies for each device need to be improved. A UPS (or multiple) should be added to the network infrastructure.
Customer Comments: While the suggestion to upgrade each of our switches is something we do intend to do eventually, the cost is something we haven’t been able to accept. The idea of having redundant switches is necessary, though; would you be able to provide some suggestions for cost-effective solutions? Regarding the password policies, we thoroughly agree with your statement and will do this as soon as possible. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified.

Asset: Aruba W.A.P.s
Description: Aruba Networks Grid
Vulnerabilities: Openly accessible Wi-Fi, allowing the possibility of an attack.
Control(s): Preventative, technical, procedural
Recommendations: Each Aruba W.A.P. should be reconfigured with improved password and encryption policies, as well as be wired through the Barracuda Spam & Virus Firewall; this should be immediately addressed. A UPS (or multiple) should be added to the network infrastructure.
Customer Comments: We find this risk to be of top priority to solve, regarding the password and encryption policies. For the Barracuda Spam & Virus Firewall, we would need some additional suggestions for low-cost alternatives. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified.

Asset: Dell SonicWall NSA 4600
Description: Connects Comcast Internet to the core network
Vulnerabilities: (External Threat) Default policy and settings allow for the possibility of a breach. (Internal Threat) Default policy and settings allow for the possibility of a breach/error due to no policy for updates. Reported issues.
Control(s): Preventative, detective, corrective, technical, procedural
Recommendations: The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure; this should be immediately addressed.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified.

Asset: Aruba 6000 Mod Controllers
Description: Serves Aruba W.A.P.s
Vulnerabilities: (External Threat) Default policy and settings allow for the possibility of a breach or downed network. (Internal Threat) Guest account. Reported issues.
Control(s): Preventative, detective, corrective, technical, procedural
Recommendations: The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. The controllers should be connected to the Barracuda Firewalls; this should be immediately addressed. The guest account needs to be disabled; this should be immediately addressed. A UPS (or multiple) should be added to the network infrastructure.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. For the Barracuda Spam & Virus Firewall, we would need some additional suggestions for low-cost alternatives. The guest account will be disabled immediately.

Asset: Barracuda Spam and Virus Firewall
Description: Core network, forwards mail traffic
Vulnerabilities: (External Threat) Network settings/location. (Internal Threat) No policy for updates. Reported issues.
Control(s): Preventative, detective, corrective, technical, procedural
Recommendations: The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A plan for updates needs to be introduced. The device itself needs to be placed in front of the Cisco Nexus switches, allowing the Dell SonicWalls to secure incoming and outgoing traffic on the mail and web servers. A UPS (or multiple) should be added to the network infrastructure; all of this should be immediately addressed.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. Regarding the positioning of the firewall, we would like additional information on the possible benefits and risks of this solution and what it entails (shutting down the network, possibly losing data, etc.)?

Asset: Cisco 2960-S P.O.E. Switches
Description: 3rd layer, connects desktop P.C.s and P.O.E. phones with Gigabit copper LANs
Vulnerabilities: Power outage would cripple the network.
Control(s): Preventative, technical, procedural
Recommendations: A Cisco ASR 920 should be added to each Cisco 2960-X switch to increase security and redundancy. A UPS (or multiple) should be added to the network infrastructure; all of this should be immediately addressed.
Customer Comments: The idea of having redundant switches is something we would love to do, but the price seems high for that model. Would you be able to provide some suggestions for cost-effective solutions? We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified.

Asset: FTP Server
Description: Enabled for both internal/external networks and remote situations. Also used as a staging server.
Vulnerabilities: Encryption/authentication issues increase the possibility of compromised data.
Control(s): Preventative, technical, procedural
Recommendations: FTP should be replaced with S.F.T.P. and secured with T.L.S. encryption within a DMZ; this should be immediately addressed.
Customer Comments: While I know a little about your suggestions, I must admit I would require more information regarding this solution. Furthermore, I would like to know the costs involved, the possible strengths and benefits of the solution, and any changes that would have to be made to normal business operations. Finally, if we chose to follow this suggestion, would your team be able to handle it? I am unsure if our team is skilled enough for this transition.

Asset: H.P. StorageWorks Server (SAN)
Description: 200 TByte, provides storage for the H.P. ProLiant DL380 G7 Servers
Vulnerabilities: Lack of antivirus, updates, policies. The last firmware/driver update was in 2013. Reported concerns.
Control(s): Preventative, detective, corrective, technical, procedural
Recommendations: The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The SAN needs to be encrypted with an updated version of vSphere (6.7); all of this should be immediately addressed.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. For the updated vSphere, while we want to follow your suggestion, will there be any impact on our normal business operations?

Asset: Email Server (Microsoft Exchange Server 2010 SP3)
Description: Internal and external (with public I.P. address) connections
Vulnerabilities: (External Threat) Lack of a firewall and inadequate authentication protocols for preventing unauthorized access. (Internal Threat) Lack of policy for updates. Not maintained. Reported Exchange vulnerabilities.
Control(s): Preventative, detective, corrective, technical, procedural
Recommendations: The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. For external Exchange, the system should be encrypted with S.P.X. and routed through the Dell SonicWall. For internal Exchange, the system should be encrypted with vSphere v6.7 and routed through the domain controllers and the other Dell SonicWall; all of this should be immediately addressed.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. For the encryption changes and updated vSphere, while we want to follow your suggestion, will there be any impact on our normal business operations?

Asset: Web Server (IIS)
Description: Internal and external (with public I.P. address) connections
Vulnerabilities: Poor authentication measures allow for unauthorized external access.
Control(s): Preventative, technical, procedural
Recommendations: The internal web server should be reconfigured with strong authentication measures and routed to the Barracuda Firewall with T.L.S. encryption. A UPS (or multiple) should be added to the network infrastructure; all of this should be immediately addressed.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. For the Barracuda Spam & Virus Firewall, we would need some additional suggestions for low-cost alternatives.

Asset: H.P. ProLiant DL380 G7 Servers
Description: Version 5.1 of VMware vSphere
Vulnerabilities: The last firmware/driver update was in 2013. Version 5.1 of VMware vSphere needs to be updated to the current 6.7 version. Many reported vulnerabilities.
Control(s): Preventative, detective, corrective, technical, procedural
Recommendations: Each server needs to be updated to vSphere v6.7, as well as continually audited, maintained, and updated using new policies. The G7 servers will be routed through each Cisco Nexus switch, in line with the Dell SonicWall and Barracuda firewalls. A UPS (or multiple) should be added to the network infrastructure; all of this should be immediately addressed.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. For the encryption changes and updated vSphere, while we want to follow your suggestion, will there be any impact on our normal business operations? Regarding the G7 servers’ new routing, can you further explain what you mean?

Asset: A.D. Domain Controller
Description: One account for the entire campus
Vulnerabilities: Default settings. Access between departments is allowed. Basic/admin user privileges are not separated for all users using least privilege.
Control(s): Preventative, technical, procedural
Recommendations: The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The domain controllers need to have vSphere v6.7 encryption; all of this should be immediately addressed.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. For the encryption changes and updated vSphere, while we want to follow your suggestion, will there be any impact on our normal business operations?

Asset: First A.D. Organizational Unit
Description: Campus
Vulnerabilities: Default settings. Access between departments is allowed. Basic/admin user privileges are not separated for all users using least privilege.
Control(s): Preventative, technical, procedural
Recommendations: The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The domain controllers need to have vSphere v6.7 encryption; all of this should be immediately addressed.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. For your suggestion of the updated version of vSphere, while we want to follow your suggestion, will there be any impact on our normal business operations?

Asset: Second A.D. Organizational Unit
Description: Accounting and Finance Group
Vulnerabilities: Default settings. Access between departments is allowed. Basic/admin user privileges are not separated for all users using least privilege.
Control(s): Preventative, technical, procedural
Recommendations: The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. A UPS (or multiple) should be added to the network infrastructure. The domain controllers need to have vSphere v6.7 encryption; all of this should be immediately addressed.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. For your suggestion of the updated version of vSphere, while we want to follow your suggestion, will there be any impact on our normal business operations?

Asset: Dell OptiPlex 3020 Workstations
Description: Windows 7, joined to A.D.
Vulnerabilities: (Internal Threat) Unrestricted access for unauthorized users. Windows 7 needs to be updated to Windows 10 due to Windows 7’s now-ended support. Improper virus network settings/software. Policies and procedures. (External Threat) Flaws and concerns with the system. Authentication issues. Windows 7 usage and requirement to upgrade to Windows 10.
Control(s): Preventative, detective, corrective, technical, procedural
Recommendations: The default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Windows 10 should be installed on all devices; due to the complexity and length of time it would take to perform a full Windows 10 rollout, this can be postponed until the measures I have listed as immediate have been completed. Uniform virus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. The workstations will need to be routed through the Cisco 2960 switch, which then routes through a Cisco ASR 920; this can be postponed until the immediate changes are made.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks. We do not, however, believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. The Windows 10 upgrade is something we have been pushing off, but I agree that it is not imperative to accomplish it. Due to the sheer amount of work involved, we would require your assistance, as the project will have to be done during off-hours. For the Cisco switch changes, I agree that this can be postponed, but would you please provide some other cost-effective solutions for us to review?
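The domain controller, organizational unit and workstation findings above (default settings, no separation of basic and admin privileges, an enabled guest account, and Windows 7 past end of support) are the kind of thing a defender can measure before the policy work starts and again after it lands. The following read-only PowerShell audit is an added example for this page; it is not code from Tekzor's report or from Harry & Mae's. It assumes the ActiveDirectory RSAT module is installed and that the caller has ordinary read access to the domain. The 12-character minimum, the 90-day stale-computer window, and the function name Invoke-AdBaselineAudit are assumptions chosen for the example, not figures from the report, and the Guest check covers the A.D. built-in Guest account rather than the Aruba controller guest account the report names.

```powershell
# Added example (not Tekzor's or Harry & Mae's code). Read-only: reports, never changes anything.
# Assumes: ActiveDirectory module (RSAT) present, domain read access. Thresholds are assumed targets.
Import-Module ActiveDirectory

function Invoke-AdBaselineAudit {
    param(
        [int]$MinPasswordLength = 12,   # assumed target, not from the report
        [int]$StaleDays         = 90    # assumed window for "has not checked in"
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Value, $Result)
        $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Result = $Result }) }

    # 1. Domain password policy: the "poor password policy" findings turn on these numbers.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $policyOk = $policy.MinPasswordLength -ge $MinPasswordLength -and
                $policy.ComplexityEnabled -and
                $policy.LockoutThreshold -gt 0
    & $add 'Domain password policy' `
        ("MinLength={0} Complexity={1} Lockout={2}" -f $policy.MinPasswordLength, $policy.ComplexityEnabled, $policy.LockoutThreshold) `
        ($(if ($policyOk) { 'OK' } else { 'REVIEW: below assumed baseline' }))

    # 2. Least privilege: list every member of the highest-privilege groups (nested groups
    #    expanded) so the list can be reconciled against the few IT/security staff who belong there.
    foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            & $add "Member of $group" $_.SamAccountName 'REVIEW: confirm this account needs it'
        }
    }

    # 3. Built-in Guest account: should be disabled in every domain.
    Get-ADUser -Filter 'SamAccountName -eq "Guest"' -Properties Enabled | ForEach-Object {
        & $add 'Guest account' $_.DistinguishedName ($(if ($_.Enabled) { 'FAIL: enabled' } else { 'OK' }))
    }

    # 4. Computers still on Windows 7 (end of support) and machines that have not logged on
    #    within the stale window, which usually means they are not receiving updates either.
    $stale = (Get-Date).AddDays(-$StaleDays)
    Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate | ForEach-Object {
        $isWin7   = $_.OperatingSystem -like 'Windows 7*'
        $isStale  = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $stale)
        if ($isWin7 -or $isStale) {
            $result = if ($isWin7) { 'FAIL: Windows 7 (unsupported)' } else { 'REVIEW: no logon in stale window' }
            & $add 'Computer' ("{0} ({1}, last logon {2})" -f $_.Name, $_.OperatingSystem, $_.LastLogonDate) $result
        }
    }

    return $findings
}

# Usage: run once before the remediation work and once after, and diff the two CSVs.
Invoke-AdBaselineAudit | Export-Csv -Path .\ad-baseline-audit.csv -NoTypeInformation
```

Every row the function emits is tagged OK, REVIEW or FAIL, so the CSV doubles as the evidence trail the customer asked for when it requested help "selecting/building the team/department" and defining its day-to-day activities: the REVIEW rows for privileged group membership are exactly the list that team has to justify or trim.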
P.O.S. SystemHosted as a virtual server on VMware vSphere Hypervisor (ESXi) version 5.1Poor system policy and authentication settings and lack of encryption and training can enable unauthorized access to customer data.  Preventative, technical, proceduralThe default policy and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Uniform virus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. Each P.O.S. system will be secured with a N.A.T. device with new security settings. Wi-Fi users will be isolated from the network (especially guests); while these issues are critical, they can be postponed until the immediate changes I have outlined have been completed.This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this, and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, their day-to-day activities, and possibly find a method of automating these sorts of tasks. We do, however, do not believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. Regarding N.A.T. and the Wi-Fi changes, we would require additional information on how to properly train our employees on the new methods and changes to accessing the P.O.S. system.
Off Campus-NAT FirewallNo further dataPoor access/authentication measures.Preventative, technical, proceduralPolicies and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Uniform virus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. Wi-Fi users will be isolated from the network (especially guests); all of these changes should be performed immediately.This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this, and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, their day-to-day activities, and possibly find a method of automating these sorts of tasks. We do, however, do not believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. Regarding the uniform virus software, what would you recommend we use?
Off Campus-WAPSetup by franchise ownerPoor access/authentication measures.Preventative, technical, proceduralPolicies and settings need to be reconfigured to new, custom settings for the specific situation; these policies and settings need to be regularly audited and maintained. Unauthorized access should be prevented using new security settings. Uniform virus software shall be installed, maintained, and updated. A UPS (or multiple) should be added to the network infrastructure. Wi-Fi users will be isolated from the network (especially guests); all of these changes should be performed immediately, but the campus should come first.This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this, and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, their day-to-day activities, and possibly find a method of automating these sorts of tasks. We do, however, do not believe a U.P.S. is needed at the present moment, at least until we solve the majority of the many threats you have identified. Regarding the Wi-Fi changes, we would require some additional information on how to properly train our employees on the new methods and changes to accessing the system.
EmployeesNo further dataLack of education/trainingPreventative, technical, proceduralI.T. and infosec staff will conduct regular auditing of user access and conduct training classes at the start of the new security plan, as well as periodic sessions after. Emails, handouts, and posters/infographics will be placed around the company outlining proper Internet etiquette and best-practice security measures. Random intrusion tests will be made. I.T. and infosec staff will need to have regular meetings to go over the proposed changes, updated policies, and general maintenance of all new and old strategies, software changes, equipment, and methods to ensure the success of the security of the company; these changes should be performed immediately, but campus employees should come first.This is something that needs to be done immediately to help assist the overall risk management program. We would love to move forward with your suggestions and, with your assistance, develop a training program for both our I.T./cybersecurity employees and the users they administer. Would you be able to set up a meeting to go over this specific area on your list? We have several questions as to how to move forward correctly.
Symantec Endpoint ProtectionAll Campus WorkstationsSymantec Endpoint Protection’s access should not be given to 1/3 of the employees.Preventative, technical, proceduralSymantec Endpoint Protection’s access needs to be restricted to only specific I.T. and security staff, audited, updated, continuously maintained, and enforced company-wide.We are well underway into making this a reality; the threat still exists is the lack of training for our employees on how to properly ask I.T. for assistance in installing programs or changing permissions. Regarding the uniform endpoint protection software, what would you recommend we use?
W.S.U.S.Updates Microsoft applicationsNo update policy.Preventative, technical, proceduralSpecific I.T. and security staff must ensure W.S.U.S. is continuously audited, updated, maintained, and enforced company-wide.This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this, and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, their day-to-day activities, and possibly find a method of automating these sorts of tasks.
Microsoft Internet Explorer 10Company Standard BrowserLack of company-wide enforced browser and settings.Preventative, technical, proceduralSpecific I.T. and security staff must ensure Microsoft Internet Explorer 10 is switched to Microsoft Edge due to the end of life of the service. Edge must be continuously audited, updated, maintained, and enforced company-wide.The end-of-life for Internet Explorer is something that cannot be postponed. Would you recommend we make the switch to Edge or possible Chrome? Regarding the updates and audits, this, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this, and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, their day-to-day activities, and possibly find a method of automating these sorts of tasks.
Norton Antivirus SoftwareOff-CampusLack of a uniform security system; for this system, all employees should not have access, and instead, only I.T. adminsPreventative, technical, proceduralSpecific I.T. and security staff must ensure Norton Antivirus is either working with Symantec Endpoint Protection or chose one of them to enforce company-wide, as well as ensure it is continuously audited, updated, and maintained.This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this, and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, their day-to-day activities, and possibly find a method of automating these sorts of tasks. Regarding the uniform virus software, what would you recommend we use? We would also require some assistance in enforcing the various company-wide software/policy solutions you have recommended.
Microsoft PPTP VPN Clients(Off-Campus) P.O.S. ProcessingCurrent ability to be minimized, thus allowing malware-infection opportunities.Preventative, technical, proceduralSpecific I.T. and security staff must ensure Microsoft PPTP VPN is continuously audited, updated, maintained, and have its ability to be minimized to be disabled, thus preventing unauthorized usage.This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this, and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, their day-to-day activities, and possibly find a method of automating these sorts of tasks.
Campus BuildingPhysical LocationPossible outdated security policies, hardware, software, physical structures.Preventative, Physical, proceduralRecommend full security review, risk analysis, updating, and continuous review of all physical security facets.I would love to share an overview of our physical security via an in-person tour of our facilities. I will begin to compile our security data and policies for you to review and, hopefully, provide you with what you need to improve our access control procedures.
Off-Campus BuildingsPhysical LocationPossible outdated security policies, hardware, software, physical structures.Preventative, Physical, proceduralRecommend full security review, risk analysis, updating, and continuous review of all physical security facets.I would love to share an overview of our physical security via an in-person tour of our facilities. I will begin to compile our security data and policies for you to review and, hopefully, provide you with what you need to improve our access control procedures.
Asset: Perimeter Fence
Description: Campus
Vulnerabilities: Possible outdated security policies, hardware, software, physical structures.
Control(s): Preventative, physical, procedural
Recommendations: Recommend full security review, risk analysis, updating, and continuous review of all physical security facets.
Customer Comments: I would love to share an overview of our physical security via an in-person tour of our facilities. I will begin to compile our security data and policies for you to review and, hopefully, provide you with what you need to improve our access control procedures.

Asset: Surveillance Cameras
Description: Campus
Vulnerabilities: Possible outdated security policies, hardware, software, physical structures.
Control(s): Preventative, physical, procedural
Recommendations: Recommend full security review, risk analysis, updating, and continuous review of all physical security facets.
Customer Comments: I would love to share an overview of our physical security via an in-person tour of our facilities. I will begin to compile our security data and policies for you to review and, hopefully, provide you with what you need to improve our access control procedures.

Asset: Smart Card Access Systems
Description: Campus
Vulnerabilities: Possible outdated security policies, hardware, software, physical structures.
Control(s): Preventative, physical, procedural
Recommendations: Recommend full security review, risk analysis, updating, and continuous review of all physical security facets.
Customer Comments: I would love to share an overview of our physical security via an in-person tour of our facilities. I will begin to compile our security data and policies for you to review and, hopefully, provide you with what you need to improve our access control procedures.

Asset: Security Staff
Description: Campus
Vulnerabilities: Possible outdated security policies, skills, and training.
Control(s): Preventative, physical, procedural
Recommendations: Recommend full security review, risk analysis, updating, and continuous review of all physical security facets.
Customer Comments: I would love to share an overview of our physical security via an in-person tour of our facilities. I will begin to compile our security data and policies for you to review and, hopefully, provide you with what you need to improve our access control procedures.

Asset: Security Alarms
Description: Campus
Vulnerabilities: Possible outdated security policies, hardware, software, physical structures.
Control(s): Preventative, physical, procedural
Recommendations: Recommend full security review, risk analysis, updating, and continuous review of all physical security facets.
Customer Comments: I would love to share an overview of our physical security via an in-person tour of our facilities. I will begin to compile our security data and policies for you to review and, hopefully, provide you with what you need to improve our access control procedures.

Asset: U.P.S.
Description: Campus, 36 hours
Vulnerabilities: Possible outdated policies, hardware, and software.
Control(s): Preventative, procedural
Recommendations: Recommend reviewing the U.P.S.’s performance, testing it, and creating a continuous plan for ensuring its capabilities are adequate for the situation.
Customer Comments: We will take care of this shortly, as well as review the possibility of adding additional units pending a budget review. If possible, could you provide us with some cost-effective solutions for handling emergency power situations?

Asset: Security Fire, Water, etc. Sensors
Description: Campus
Vulnerabilities: Possible outdated security policies, hardware, software, physical structures.
Control(s): Preventative, physical, procedural
Recommendations: Recommend full security review, risk analysis, updating, and continuous review of all physical security facets.
Customer Comments: I would love to share an overview of our physical security via an in-person tour of our facilities. I will begin to compile our security data and policies for you to review and, hopefully, provide you with what you need to improve our access control procedures.

Asset: Power Generator
Description: Campus
Vulnerabilities: Possible outdated policies, hardware, and software.
Control(s): Preventative, procedural
Recommendations: Recommend reviewing the power generator’s performance, testing it, and creating a continuous plan for ensuring its capabilities are adequate for the situation.
Customer Comments: We will take care of this shortly and review the possibility of adding additional units pending a budget review. If possible, could you provide us with some cost-effective solutions for handling emergency power situations?

Asset: (B.Y.O.D.) Employee Mobile Devices
Description: Campus
Vulnerabilities: No enforced regulations, policies, or hardware/software requirements.
Control(s): Preventative, technical, procedural
Recommendations: Recommend a full review of current employee device policies, then developing and pitching both a method to secure the devices and an alternative company-issued device plan. Ideally, by issuing company-owned devices, security would be significantly improved.
Customer Comments: We believe that a B.Y.O.D. policy is riddled with risks; however, the cost of purchasing company devices is too great, as are the human resources needed to manage them all effectively. Would you be able to provide us some cost-effective solutions to the hardware and software that can assist us in managing such a large userbase?

Asset: Website - http://www.harryandmae.com
Description: Hosted on the single web server, public
Vulnerabilities: No enforced regulations, policies, or maintenance and security procedures.
Control(s): Preventative, technical, procedural
Recommendations: Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks.

Asset: Website - http://www.haryandmae.local.
Description: Hosted on the single web server, private (pay statements, work performance, vacation time, personal information)
Vulnerabilities: No enforced regulations, policies, or maintenance and security procedures.
Control(s): Preventative, technical, procedural
Recommendations: Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks.

Asset: Website - http://www.HandMScranton.com
Description: Owned by franchise owner in Scranton, PA
Vulnerabilities: No enforced regulations, policies, or maintenance and security procedures.
Control(s): Preventative, technical, procedural
Recommendations: Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks.

Asset: Company Facebook Account
Description: Owned by franchise owner in Scranton, PA
Vulnerabilities: No enforced regulations, policies, or maintenance and security procedures.
Control(s): Preventative, technical, procedural
Recommendations: Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks.

Asset: Company Twitter Account
Description: Owned by franchise owner in Scranton, PA
Vulnerabilities: No enforced regulations, policies, or maintenance and security procedures.
Control(s): Preventative, technical, procedural
Recommendations: Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks.

Asset: Company Instagram Account
Description: Owned by franchise owner in Scranton, PA
Vulnerabilities: No enforced regulations, policies, or maintenance and security procedures.
Control(s): Preventative, technical, procedural
Recommendations: Specific I.T. and security staff, as well as web dev, must ensure this site is continuously audited, updated, and maintained. This website and the others should not be stored on the same web server; instead, each should be hosted on a different server, thus increasing redundancy. Offsite storage and backups should be frequently processed and tested.
Customer Comments: This, in my eyes, is a significant threat and should be remedied immediately. With your assistance, we would like to create an update policy for this and the other update/software-related risks you have identified. We would need help in selecting/building the team/department, defining their day-to-day activities, and possibly finding a method of automating these sorts of tasks.


