For: Director of Internal Audit
Subject: Incident response related to network security
This memo responds to the concerns raised about network security and possible security breaches. Our team appreciates the clarifying comments described in the memo. To guard against a security breach and protect the network, we are focusing on implementing the necessary steps in a way that will ease day-to-day work. The following points provide an overview of our security plan:
- Installation of necessary network security measures: Our network security team will install the necessary network protection measures, including a firewall and proper access controls. A firewall will help in assessing incoming and outgoing network traffic against the set of security rules defined by our network application (McCreadie, Rajput, Soboroff, Macdonald & Ounis, 2019).
- Employee Training: In many cases, external threats to the system succeed because of weaknesses among an organization's own staff. The weakest link in data protection can be the lack of employee training in the specific system (Barnes, 2014). With this in mind, our team will prepare a detailed user manual and instruct employees on network security and the possible threats to it.
- Improved access control system: Since access control is an important part of a system and a core part of network security, the system's password controls will be strengthened with a strong access control policy.
Our network security plan addresses the preventive measures for keeping our network secure. However, in case of a security breach, a four-step security breach plan will be followed. In brief, the steps are:
- Identify the possible cause of security breach
- Assess the impact of the security breach
- Recover and repair data with the help of backup servers
- Evaluate and improve the security response plan
As for collecting evidence and contacting the relevant law enforcement department, cybercrime investigators will be involved once our IT team identifies the jurisdiction of the network attack, that is, whether the attack was carried out within or outside the country's borders (Densham, 2015). We look forward to your response and any suggestions on our proposed plan.
For: VP of Human Resources
To: U CISO
Subject: Importance of security training for all employees
This memo responds to the concerns raised about security training for all employees and the possible cost of this training program. Our team appreciates the clarifying comments described in the memo. The reason for training all employees of the company in security is to prevent possible security breaches and attacks. Lack of knowledge and training among employees is the weakest link in terms of network security (Kedgley, 2015). Hence, security awareness training helps in preventing possible security breaches. With the help of advanced security awareness training programs, employees can be trained to handle minor issues that might affect the security of the system. Such a simple, inexpensive training program can spare the company costs of millions of dollars.
Another reason for training all the employees of the company is to make the company's technological defenses more robust. Technological defenses are a valuable asset in preventing security breaches. However, maintaining them requires effort and input from people. Today's attackers target people, who are often viewed as an easy way into protected networks (Densham, 2015). Employees can play their part in keeping the defenses intact by keeping the firewall on, heeding software warnings and keeping their software updated. Hence, if all employees are trained in network security, technological defenses can be utilized to their full potential (Kemper, 2019). As for your concern about costs, we plan to keep the training as precise as possible, which will eliminate the risk of exceeding the budget allocated for employee training. I hope this memo addresses your concerns. We look forward to your response and any suggestions on our proposed plan.
For: VIC Corporate Audit
Subject: Policies regarding email and Internet use
This memo is written as a response to highlight the important points of the policies on email and internet usage. In it, we set out the important policy points for employees to read and put into practice. The following are some of the points that will be an important part of the policy regarding email and internet usage:
- Employees are expected to restrict their use of the internet so that it complies with current legislation and does not create any business risk to the company through unnecessary internet usage (Bai et al., 2017).
- It is unacceptable for employees to visit internet sites that may contain obscene and hateful content or material otherwise termed illegal.
- Employees will be prohibited from perpetrating any form of software fraud within the premises of the company.
- Employees will be bound to keep the confidential information of the organization safe as it is their ethical duty as well.
In addition, some of the points involved in the acceptable email policy are as follows:
- Employees are expected to restrict their email usage so that it complies with current legislation and does not create any business risk to the company through unnecessary internet usage.
- Employees are expected to keep their communications strictly professional and concerned with the well-being of the organization (Ravi, Weisong Shi & Cheng-Zhong Xu, 2014).
By releasing the acceptable email and internet usage policy in the organization, the organizational team will ensure a unified culture in the organization. A proper briefing to the employees will help in the development of the organization. We hope this helps in answering your queries. Looking forward to a response from your organization.
For: VP of Risk Management
Subject: Response to mobile device security
This memo is written as a response to address concerns about the possible risks posed by mobile devices to our enterprise. Different studies highlight that mobile devices tend to pose risks to the working of the organization. Some of the risks that mobile devices pose to the enterprise are as follows:
- 24/7 connectivity: Mobile devices are often termed hyper-connected devices with unsecured access networks. Connecting to unsecured networks can lead to the risk of data loss. Studies suggest that more than 71% of mobile communications take place over WiFi, which has inadequate security (Creeger, 2011).
- Theft of mobile devices: Portable devices such as mobile phones are vulnerable to theft. Studies suggest that nearly 3.1 million devices were stolen in 2013 (Creeger, 2011). The stolen devices are often a way of getting access to corporate information.
- Possible data leaks: With an increasing number of workers relying on mobile devices for work, IT professionals are becoming alarmed, since this has increased the concern about mobile data leakage (Creeger, 2014).
Some of the risk mitigation techniques for the possible threats associated with mobile devices are as follows:
- To reduce the risk of data loss over the access network, connectivity can be secured with the help of certification based on network access. Applications and email proxies that block unauthorized access should also be installed.
- To protect lost or stolen devices, password policies for applications and devices should be enforced in the organization.
- Possible data leaks from mobile devices can be prevented by controlling access to unapproved applications.
A brief summary of possible risks and mitigation strategies related to mobile devices has been presented in this memo. We hope that this will help your organization in formulating its internet usage accordingly.
Bai, W., Kim, D., Moses, N., Qian, Y., Gage Kelly, P., & Mazurek, M. (2017). “Most of us trust our email provider”: Balancing security and usability in encrypted email. IEEE Internet Computing, 1-1. doi: 10.1109/mic.2017.265103059
Barnes, P. (2014). Using DNS to protect networks from threats within. Journal Of Research Of The National Institute Of Standards And Technology, 2014(3), 9-11. doi: 10.1016/s1353-4858(14)70030-3
Creeger, M. (2011). ACM CTO Roundtable on Mobile Devices in the Enterprise. Queue, 9(8), 10. doi: 10.1145/2016036.2016038
Creeger, M. (2014). Mobile Devices in the Enterprise: CTO Roundtable Overview. NIST JRE, 9(8), 20. doi: 10.1145/2016036.2019556
Densham, B. (2015). Three cyber-security strategies to mitigate the impact of a data breach. Network Security, 2015(1), 5-8. doi: 10.1016/s1353-4858(15)70007-3
Kedgley, M. (2015). If you can’t stop the breach, at least spot the breach. Network Security, 2015(4), 11-12. doi: 10.1016/s1353-4858(15)30027-1
Kemper, G. (2019). Improving employees’ cyber security awareness. NIST JRE, 2019(8), 11-14. doi: 10.1016/s1361-3723(19)30085-5
McCreadie, R., Rajput, S., Soboroff, I., Macdonald, C., & Ounis, I. (2019). On enhancing the robustness of timeline summarization test collections. N SP800 – National Institute Of Standards And Technology, 56(5), 1815-1836. doi: 10.1016/j.ipm.2019.02.006
Ravi, J., Weisong Shi, & Cheng-Zhong Xu. (2014). Personalized Email Management at Network Edges. IEEE Internet Computing, 9(2), 54-60. doi: 10.1109/mic.2005.44