IT Security Begins At The Audit
11-10-2017
Unit 5 Discussion 2 Response 2 Gary
Response from: Miss. Bayo Elizabeth Cary, AA, BA, MLIS
Dear Director of Facilities,
While performing the last physical security audit of your location, we have identified major violations of the current physical security policy. These violations are outlined below with recommendations regarding how to address them. We know that protecting the organization is important to you, and thus, we trust that you will take appropriate actions to address our specific areas of concern. A follow-up to this assessment will take place on November 30 and we are confident that you will ensure our concerns are addressed before that date.
· We identified passwords written on sticky notes and placed on computer monitors. Passwords should never be written down, and under no circumstances should passwords be displayed. In order to help employees remember all their passwords, you should consider using a digital password vault such as BeyondTrust or CyberArk (“Cyber-ark,” 2006). In the few cases where there may be a valid business justification to actually write a password down, this password should be stored in a physically secure location with a video camera monitoring access to this location.
· Sensitive information was found written on a dry erase board with the words "Do not erase" written on it. Sensitive information should never be left on a dry erase board after a meeting. Someone should document what was decided in the meeting and all sensitive information should be cleaned off the board. If notes cannot be taken immediately, the room should be locked and no unauthorized individuals should be allowed to enter the room until the board can be adequately documented and cleaned.
· We also identified sensitive documents on employee desks that were located in an unsecured area. Sensitive documents should always be placed within a locked drawer or filing cabinet when the employee is not present at their desk. If there is a controlled area with limited access (e.g. an employee’s office), then the door should remain locked while the employee is away.
· We found sensitive documents placed on top of a filing cabinet in an unsecured area. In this regard, a malicious insider could easily steal or read sensitive information that is not appropriately protected (Schluderberg, 2014). When employees are finished using documents that contain sensitive information, they should place the documents back into the filing cabinet and lock it.
· We also identified a stack of papers that needed to be shredded that was placed on top of an out-of-order paper shredder. If the paper shredder is out of order, then documents that need shredding should be placed within a secured area (e.g. a locked desk drawer) until the shredder is operating again. Also, if the predetermined acceptable process for secure document removal is shredding, then the organization should prioritize making sure shredders are functioning properly and have internal Service Level Agreements (SLAs) in place to ensure these are fixed in a timely manner.
· As we continued through the office, we identified unattended computer systems in an unsecured area that were not locked. Systems should be locked when employees are not at their desks. There should be a policy that states that systems must be locked when left unattended, and employees should be trained regarding how to meet this policy. Additionally, there should be a Windows Group Policy Object (GPO) applied to user systems that locks the system after 15 minutes of inactivity.
· We also identified shredded documents that were placed within an open garbage can. Although shredding can be used to slow the recovery of sensitive information, a persistent attacker may take the time to actually reassemble the pieces of these documents. In this regard, shredded documents should be placed within designated locked disposal containers that are physically fastened to the building so that attackers cannot easily remove these containers. On a periodic basis these documents should be burned at a secure off-site facility that specializes in sensitive document disposal.
· Of further concern, we identified a door that was labeled "secure" left unlocked. Doors used to protect sensitive areas of the facility should remain locked at all times. Additionally, these areas should have cameras used to monitor who accesses these locations.
· We identified doors that were left open while conferences were in session. In this regard, anyone near the door would be able to listen to the conversation that was occurring. If sensitive information was disclosed during these meetings, it would be disclosed to unauthorized parties. In order to prevent eavesdropping, doors should remain closed while conferences are taking place.
· Finally, we identified a door used to control access to a secure area that had been propped open with a chair. Doors to secure areas should always remain shut and locked. Doors serve as access controls, and propping these doors open essentially renders these controls worthless.
We thank you for your continued support as we strive to make our organization a more secure place and we know that you play a vital role in facilitating this objective. If you have any questions or concerns regarding these findings, please feel free to reach out to us.
Thank you,
Internal Security Audit
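The memo's recommendation for an inactivity lock is the one finding that can be enforced and verified with configuration rather than process. The script below is an added example and is not part of the original post: it creates a GPO that sets the "Interactive logon: Machine inactivity limit" computer policy and a password-protected screen saver user policy to 15 minutes, and it includes a check an auditor can run on a workstation to confirm the effective registry values. It assumes the RSAT GroupPolicy module on a domain-joined administrative host; the GPO name, target OU and computer name are hypothetical placeholders.

```powershell
# Added example (not from the original memo): enforce and audit the 15-minute
# inactivity lock. Assumes the GroupPolicy RSAT module; $GpoName and $TargetOU
# are assumed placeholder values, not names from the page.
Import-Module GroupPolicy

$GpoName  = 'Workstation - Inactivity Lock'       # assumed GPO name
$TargetOU = 'OU=Workstations,DC=example,DC=com'   # assumed OU
$Timeout  = 900                                    # 15 minutes in seconds

function Set-InactivityLockPolicy {
    param([string]$Name, [string]$OU, [int]$Seconds)

    # Create and link the GPO only if it does not already exist.
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | New-GPLink -Target $OU | Out-Null
    }

    # Computer policy: "Interactive logon: Machine inactivity limit" (seconds).
    # Locks the console regardless of the user's screen saver settings.
    Set-GPRegistryValue -Name $Name `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'InactivityTimeoutSecs' -Type DWord -Value $Seconds | Out-Null

    # User policy: password-protected screen saver as a second layer.
    $desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    Set-GPRegistryValue -Name $Name -Key $desk -ValueName 'ScreenSaveActive'    -Type String -Value '1'        | Out-Null
    Set-GPRegistryValue -Name $Name -Key $desk -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'        | Out-Null
    Set-GPRegistryValue -Name $Name -Key $desk -ValueName 'ScreenSaveTimeOut'   -Type String -Value "$Seconds" | Out-Null
}

function Test-InactivityLock {
    # Run on the workstation being audited; reports whether the policy took effect.
    param([int]$MaxSeconds = 900)

    $sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $desk = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

    $limit  = (Get-ItemProperty -Path $sys  -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $active = (Get-ItemProperty -Path $desk -Name ScreenSaveActive      -ErrorAction SilentlyContinue).ScreenSaveActive
    $secure = (Get-ItemProperty -Path $desk -Name ScreenSaverIsSecure   -ErrorAction SilentlyContinue).ScreenSaverIsSecure
    $ssTime = (Get-ItemProperty -Path $desk -Name ScreenSaveTimeOut     -ErrorAction SilentlyContinue).ScreenSaveTimeOut

    $findings = @()
    # A missing value or 0 means the machine inactivity limit is not enforced.
    if (-not $limit -or $limit -gt $MaxSeconds) {
        $findings += "Machine inactivity limit missing or greater than $MaxSeconds s (found: $limit)"
    }
    if ($active -ne '1' -or $secure -ne '1') {
        $findings += 'Password-protected screen saver is not enforced by policy'
    }
    if (-not $ssTime -or [int]$ssTime -gt $MaxSeconds) {
        $findings += "Screen saver timeout missing or greater than $MaxSeconds s (found: $ssTime)"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage on the admin host (assumed computer name):
# Set-InactivityLockPolicy -Name $GpoName -OU $TargetOU -Seconds $Timeout
# Invoke-Command -ComputerName PC01 -ScriptBlock ${function:Test-InactivityLock}
```

The check reads the policy hives rather than the user's own Control Panel settings, because only the Policies keys show what the GPO actually enforces. Note that when Test-InactivityLock is run through Invoke-Command, the HKCU values belong to the connecting administrator account, not to the user logged on at the console; for the user-side result, run it locally as that user or compare against gpresult output.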
Response from Bayo Elizabeth Cary, AA, BA, MLIS:
This was the best internal IT security audit that I read. However, in my opinion, when dealing with the most serious issues regarding temporary IT challenges, the best communication channels are the “richest” ones: “. . . When your message contains potentially sensitive communication, in-face communication is best” (Schurr, 2008, p. 1). The email communications, in time, and IT-sensitive communications should only be a validation that a conversation has taken place, and not a restatement of everything that has been privately discussed.
You, as the author, utilize the appropriate vocabulary for the IT genre, and speak in a straightforward and professional manner in regards to the present issues at hand. The list of IT compliance infractions is complete, and the problems are addressed in a full-sentence, English-language format. I found the audit to be both informative and well referenced, with at least two authors from the academic resources available at the online Capella library cited, as required. Protecting America’s information helps to secure the American economy:
Incidents of economic espionage, in which national governments steal information from other countries' companies, have increased in spite of many US companies' nonchalance about the dangers. Defending against economic espionage is discussed. (Geoff, 1992, p. 1)
I found that the practice IT auditing activity was good practice for the final assignment for Unit 1. I spent more time focused on learning the materials and reading the research for this second discussion post to better prepare for my final assignment for Unit 5. Oftentimes, it can be difficult to see how an in-class activity could be applicable to the working environment.
I found that the compliance exercise has given me some valuable insight into what I would need to do in the real world, were I hired for an IT security audit. It is important to remember that America has enemies; when people immigrate to this country and are hired to work here, that almost never means that they have chosen to release all of the former obligations to their homelands:
CIA director Robert Gates says nearly 20 nations are actively involved in intelligence collection activities directed against US businesses. Some foreign intelligence services have the ability to legally tap phone lines a US company uses in their country and intrude into corporate information systems and intercept business messages in commercial and private networks. (Geoff, 1992, p. 1)
I am currently working as an Intelligence officer. I am a “free agent,” because I have not been hired by any specific agency or country outside of the US. I have been working my way up to a higher-security-level position with the FBI. This class, the NSA training, and the MS from Capella are required for my pending FBI applications. Prior to this MS program, I took classes with US military intelligence, and before that, I had the opportunity to study Advanced Accounting at a PhD level.
I am more than pleased when anything that I learn in the classroom can be applied at the office. The key to a successful IT risk and management audit is correction, and then maintaining compliance: “IS managers and their telecommunications people should closely monitor the progress of the legislation and seek to build and support a more appropriate accommodation between industry and law enforcement” (Geoff, 1992, p. 1).
References
Geoff, Turner. (1992). I Spy. Computerworld, 26(43), 129. Retrieved from http://library.capella.edu/login?url=https://search.proquest.com/docview/215987477?accountid=27965
Schurr, Amy. (2008). IT Leaders Tap Many Communications Channels. Network World (Online). Retrieved from http://library.capella.edu/login?url=https://search.proquest.com/docview/223742717?accountid=27965