Assignment: Updated Security Policy Essay

Assignment: Updated Security Policy Essay

Assignment: Updated Security Policy Essay

Updated Security Policy -1

Chronology of The Security Incident

Date/time: 30^th January 2021

Incident reported: malware event

Possible cause of the incident: Phishing activity to the company network system. 

Username:   ITCorps_incidence_response

Department: Information Technology and cyber security systems.

Severity of the incident: Moderate

Policy changes it might have triggered: The user policy including the expect activities and conduct when access the information system.Secondly, the user device policy. Third party vendor policy. 

Status: Pending

Task Description: To investigate the attack’s depth and recommended cyber security system to prevent such incidents in the future.

Task assigned: In an organization that users a cyber-security system, all the persons involved have a responsibility.

Employees should abide by the organization’s set policy using the network system and the company information system.

Who is working on it: The IT personnel of the company in collaboration with the third party vendor under the oversight of the CIO.

Chief Information Officer: manages the affairs operations to the organization IT security. He or she is responsible for planning, coordinating, and directing computer data and networks and the employer’s security needs.

Penetration tester: he or she is authorized to conduct testing procedures on the organization IT system to detect the system flaw.

Security system administrator: he or she is responsible for installing, maintaining, administrating, and troubleshooting the computer network and the data security system.

Information security analysts: analyses the frontline defense of the network such as the firewall and the encryptions.

5D-Water Cooler: Balancing Conflicting Priorities

A Diagnose of the Problem

Security incidents contribute to significant threat in the organization. Security threats can be linked to cyber-attacks or cyber terrorism to the company. The cyber-attacks target is to steal critical data, information among other digital resources for the company (Kuzuno, Inagaki & Magata, 2018). On the other hand, cyber terrorism is aimed at crippling the organization through politically financed cyber-attacks. Therefore, a peculiar analysis of this event shows that the cyber compromised that met the organization was a cyber-attack meant to gain access to the company by deceiving the employees. The attacks posed as a legitimate employee or a senior member in the organization, asking the user to click the link sent to their email to access essential updates. By doing this, the employees exposed their system for the attack. It is also clear that the organization does not have the right cybersecurity system to prevent such attacks. This is seen in the failure to track suspicious activities by the attackers on traffic control, rapid changing of the user passwords, and ineffective alarm or response system. Also, the software and the program used by the company did not update. Therefore, the company needs to have a system audit report to identify the details of the incident.

The security policy failed since it does not have a user policy detailing how program updates are communicated. This is the main reason why the phishing activities that targeted the employees succeed. It is also evident that the company has not established a method of communicating essential updates on the system. Moreover, it has been established that the user policy in the office of the CIO was not being put in good use and was on the shelves gathering dust. Therefore, some policy element might be in place, but it is not put to good use, or the employees are not aware of such policies.  Educating employees on user policy, device use among other is a better way of securing the organization against cyber-attacks (Eaton et al., 2019).

It is also evident that the company has not implemented an effective cybersecurity system. For instance, since clinking on the link in the email leads to downloading the malware, it is clear that anti-virus programs in place are either outdated or ineffective since they did not raise alarm on the nature of traffic (Briggs, Jeske & Coventry, 2017). Secondly, the company should implement a recent cybersecurity program such as UBA to analyze user behavior, monitor traffic and block unnecessarily or suspicious requests (Johnson, 2015). 

Memo

To: Legal Team

From:  Chief Information Officer

Date: 3/10/2021

Subject: Facts of the Recent Attacks

Upon analyzing the recent events from the company cyber-attacks audit reports, I wish to present the following facts. The company does not have an adequate cybersecurity policy on the following area, making communication on the cybersecurity updates or changes. This makes the company susceptible to cyber-attacks since malicious links can target unsuspecting employees. The existing cybersecurity is sketchy, and it is rarely used since it is kept off the shelves gathering dust.

The company needs to invest in a robust cybersecurity system. Although not one system is enough to protect the information system effectively, it is essential to use a combination of various software and system; this is because the organization has proved to lack efficient firewall system, anti-virus software, lack of updating the software in time and lack of software to monitor user behaviour. Moreover, employees need to acquit themselves with the user policy and update the existing policy.

Memo

To: Legal Team

From:  Chief Information Officer

Date: 3/10/2021   

Subject: Facts of the Recent Attacks

Problem Summary

The cyber-attack was meant to gain access to the company through deceiving the employees and posing as a legitimate user to acquire important data and information through phishing.  By giving users information such as login credentials, the system was accessed by the cyber attackers.  The company security system failed to track the unusual traffic and the system’s access from an outside source. This shows that the antivirus and firewall were defecting in identifying the user passwords’ rapid changes, and the alarm system did not respond to this incident appropriately. 

Facts that support the problem

The organization runs on an ineffective user policy that encourages laxity among IT personnel.  The alarm system is ineffective and issues a false signal. The firewall could not detect the unusual traffic. The antivirus program was ineffective and outdated since it did not alert the phishing activities on the IT system. The incidence was not reported in time due to an inefficient communication system. 

A reminder of the legal responsibilities from the perspective of the CIO

The CIO has the legal responsibility of monitoring the IT personnel and the third-party persons working on the organization’s cybersecurity system. He or she should inspire confidence among the stakeholders through provide knowledge and awareness of the potential cybersecurity vulnerabilities facing the organization. The CIO should create business value through technology by maintaining client data and information’s loyalty and confidentiality. The CIO has a responsibility to lead and direct the workforce to specific IT roles and responsibilities, including abiding by user policy and auditing its IT information system. 

The action taken by IT to address the problem.

The IT has taken action to address the incident, including sourcing external auditors to assess the issue.  The IT required the workforce to abide by a set code of conduct and halt third-party access to the system until the incidence is addressed. Another effort to bring the organization to track is through ensuring the antivirus software and programs are updated. However, the status of incidence is still pending and will be addressed in due time. 

A request to address communications to the customers

The communication to the customer should be done in due time. Importantly, all the communication will be done through the established communication channels, including the company social media platform, external memo, website, and the company advert through the established printed media such as the newspaper. The customer’s communication will be done by the CIO but must be approved by the customer relations department. 

Problem Summary

The following facts of the cyber security problem have been established from the case study and the audit report. The existing policy is sketchy and does not address the organization information system security. Secondly, the employees have not comprehended or understood the existing users and workplace policy. The organization lacks a clear communication channel through which changes and updates are passed to the employees. Also, the organization lacks an effective firewall to monitor traffic to the organization.

The alarm system used by the company are defective since it issues false positive and negative alarms (Frank et al., 2019). The company uses an ineffective anti-virus, an anti-spyware program that did not detect suspicious programs’ download and installation.  The company has a legal responsibility to protect user data and information that it collects from its client, including the PHI, names, emails, credit card numbers, and physical address (Frank et al., 2019). The CIO is responsible for informing the organization of the right cybersecurity system it should implement to minimize the security threats it is exposed to (Frank et al., 2019). Further, the CIO should guide the organization toward implementing the cyber security recommendations.

Assignment: Updated Security Policy Essay