Professional Memo 1
IFSM 201 Professional Memo
Before you begin this assignment, be sure you have read the Small Merchant Guide to Safe
Payments documentation from the Payment Card Industry Data Security Standards (PCI DSS)
organization. PCI Data Security Standards are established to protect payment account data
throughout the payment lifecycle, and to protect individuals and entities from the criminals who
attempt to steal sensitive data. The PCI Data Security Standard (PCI DSS) applies to all entities
that store, process, and/or transmit cardholder data, including merchants, service providers, and
financial institutions.
Purpose of this Assignment
You work as an Information Technology Consultant for the Greater Washington Risk Associates
(GWRA) and have been asked to write a professional memo to one of your clients as a follow-up
to their recent risk assessment (RA). GWRA specializes in enterprise risk management for state
agencies and municipalities. The county of Anne Arundel, Maryland (the client) hired GWRA to
conduct a risk assessment of Odenton, Maryland (a community within the Anne Arundel
County), with a focus on business operations within the municipality.
This assignment specifically addresses the following course outcome to enable you to:
• Identify ethical, security, and privacy considerations in conducting data and information
analysis and selecting and using information technology.
Assignment
Your supervisor has asked that the memo focus on Odenton’s information systems, and
specifically, securing the processes for payments of services. Currently, the Odenton Township
offices accept cash or credit card payment for the services of sanitation (sewer and refuse),
water, and property taxes. Residents can pay either in-person at township offices or over the
phone with a major credit card (American Express, Discover, MasterCard and Visa). Over-the-phone
payment involves speaking to an employee and giving the credit card information.
Once payment is received, the Accounting Department is responsible for manually entering it
into the township database system and making daily deposits to the bank.
The purpose of the professional memo is to identify a minimum of three current controls
(e.g., tools, practices, policies) in Odenton Township (either a control specific to Odenton
Township or a control provided by Anne Arundel county) that can be considered best
practices in safe payment/data protection. Furthermore, beyond what measures are
currently in place, you should highlight the need to focus on insider threats and provide a
minimum of three additional recommendations. Below are the findings from the Risk
Assessment:
• The IT department for Anne Arundel County requires strong passwords for users to
access and use information systems.
https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Guide_to_Safe_Payments.pdf
• The IT department for Anne Arundel County is meticulous about keeping payment terminal software, operating systems and other software (including anti-virus software) updated.
• Assessment of protection from remote access and breaches to the Anne Arundel network: Odenton Township accesses the database system for the County when updating residents’ accounts for services. It is not clear whether a secure remote connection (VPN) is standard policy.
• Assessment of physical security at the Odenton Township hall: the only current form of physical security is the locks on the two outer doors; however, the facility is unlocked Monday-Friday, 8am-5pm (EST), excluding federal holidays.
• Employee awareness training on data security and secure practices for handling sensitive data (e.g., credit card information) is not in place.
• The overarching conclusion of the risk assessment was that Odenton Township is not fully compliant with the PCI Data Security Standards (v3.2).
Note: The Chief Executive for Anne Arundel County has asked that specific attention be paid to insider threats, citing a recent article about an administrator from San Francisco (see Resources). Anne Arundel County wants to understand insider threats and ways to mitigate them so that they protect their residents’ personal data as well as the County’s sensitive information. These are threats to information systems, including malware and insider threats (negligent or inadvertent users, criminal or malicious insiders, and user credential theft).
Expectations and Format
Using the resources listed below, you are to write a 2-page Professional Informational Memo to the Chief Executive for Anne Arundel County that addresses the following:
• Risk Assessment Summary: Provide an overview of your concerns from the risk assessment report. Include the broad ‘goal’ of the memo and, as a result of the risk assessment, the broad recommendations. Specific Action Steps will come later. The summary should be no more than one paragraph.
• Background: Provide a background for your concerns. Briefly highlight why the concerns are critical to the County of Anne Arundel and Odenton Township. Clearly state the importance of data security and insider threats when dealing with personal credit cards. Be sure to establish the magnitude of the problem of insider threats.
• Concerns, Standards, Best Practices: The body of the memo needs to justify your concerns and clarify standards, based on the resources listed below, at minimum. The PCI DSS standards are well respected and used globally to protect entities’ and individuals’ sensitive data. The body of the memo should also highlight three current controls that are considered best practice; that is, you should highlight the positive, what is currently in place, based on the risk assessment.
• Action Steps: Provide a conclusion establishing why it is important for Anne Arundel County to take steps to protect residents and county infrastructure from insider threats based on your concerns. Recommend a minimum of three (3) practical action steps, including new security controls, best practices and/or user policies that will mitigate the concerns in this memo. Be sure to include cost considerations so that the County is getting the biggest bang for the buck. The expectations are not for you to research and quote actual costs, but to generalize potential costs. For instance, under the category of physical security, door locks are typically less expensive than CCTV cameras.
• Be sure to review the PowerPoint presentation (in pdf format) Effective Professional Memo Writing that accompanies these instructions.
• Use the Professional Memo template that accompanies these instructions.
o Use four section subtitles, in bold.
▪ Risk Assessment Summary
▪ Background
▪ Concerns, Standards, Best Practices
▪ Action Steps
o Do not change the font size or type or page margins.
o Do not include any graphics, images or ‘snips’ of any content from copyrighted sources. The PCI Standards (PCI DSS) document is copyrighted material.
o Paragraph text should be single spaced with ONE ‘hard return’ (Enter) after each paragraph and after each section subtitle. Note: Do not create a new ‘paragraph’ after each sentence. A single sentence is not a paragraph.
o ‘Subject’ is the subject of your memo, not the course name or number.
o Be sure to remove any remaining ‘placeholder’ text in the template file before submitting.
o The length of the template when you download it is NOT the intended length of the entire memo. Your completed memo should be between 1.5 pages and 2 pages (total document, including the To:/From:/Re:/Subject header).
*Note: the Professional Memo is to be in a MS Word file and all work is to be in the student’s own words (no direct quotes from external sources or the instructions)*
APA documentation requirements:
• As this is a professional memo, as long as you use resources provided with or linked from these instructions, APA documentation is NOT required.
• Citing material or resources beyond what is provided here is NOT required.
• However, you should use basic attribution and mention the source of any data, ideas or policies that you mention, which will help establish the credibility and authority of the memo.
o For example, mentioning that the Payment Card Industry Data Security Standards (PCI DSS) identify a certain control as best practice holds more weight than simply stating the control is a best practice without basic attribution.
o Mentioning that Wired Magazine reported that a City of San Francisco IT technician effectively hijacked and locked 60% of the city’s network capacity, is more effective than saying “I read somewhere that…”
Resources
1. Examples of Security Breaches Due to Insider Threats
San Francisco Admin Charged With Hijacking City's Network
Microsoft database leaked because of employee negligence
General Electric employees stole trade secrets to gain a business advantage
Former Cisco employee purposely damaged cloud infrastructure
Twitter users scammed because of phished employees
2. PCI DSS Goals:
(source: https://www.pcisecuritystandards.org/merchants/process)
https://www.wired.com/2008/07/sf-city-charged/
https://www.forbes.com/sites/daveywinder/2020/01/22/microsoft-security-shocker-as-250-million-customer-records-exposed-
Professor Messer. (2014). Authorization and access control [Video file]. YouTube. https://www.youtube.com/watch?v=6aXMuJPkuiU
U.S. DHS. (2021). Insider Threat. https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat
Wizuda. (2017). Data anonymisation simplified [Video file]. YouTube. https://www.youtube.com/watch?v=m9UxV4XaXwg
Yuan, S., & Wu, X. (2021). Deep learning for insider threat detection: Review, challenges and opportunities. Computers & Security. https://doi-org.ezproxy.umgc.edu/10.1016/j.cose.2021.102221
Keywords: risk assessment, insider threats, data security
Submitting Your Assignment
Submit your document via your Assignment Folder as a Microsoft Word document, or a document that can be read using MS Word, with your last name included in the filename. Use the Grading Rubric below to be sure you have covered all aspects of the assignment.
https://www.fbi.gov/file-repository/insider_threat_brochure.pdf/view
https://www.pcisecuritystandards.org/
https://search-ebscohost-com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost-live&scope=site
GRADING RUBRIC:
Columns: Criteria; Far Above Standards; Above Standards; Meets Standards; Below Standards; Well Below Standards; Possible Points
Summary of Risk Assessment
• Far Above Standards (15 Points): Summary is highly effective, thorough and professional.
• Above Standards (12.75 Points): Summary is effective, thorough and professional.
• Meets Standards (10.5 Points): Summary is somewhat effective, thorough and professional.
• Below Standards (9 Points): Summary is lacking.
• Well Below Standards (0-8 Points): Stated requirements for this section are severely lacking or absent.
• Possible Points: 15
Background and Importance (to the Client) of Data Security and Insider Threats
• Far Above Standards (10 Points): Discussion of background, data security and insider threats is highly effective, thorough, and professional.
• Above Standards (8.5 Points): Discussion of background, data security and insider threats is effective, thorough, and professional.
• Meets Standards (7 Points): Discussion of background, data security and insider threats is somewhat effective, thorough, and professional.
• Below Standards (6 Points): Discussion of background, data security and insider threats is lacking.
• Well Below Standards (0-5 Points): Stated requirements for this section are severely lacking or absent.
• Possible Points: 10
Concerns, Standards, Best Practices: Justify Concerns and Clarify Standards
• Far Above Standards (15 Points): Discussion of concerns and standards is highly effective, thorough, and professional.
• Above Standards (12.75 Points): Discussion of concerns and standards is effective, thorough, and professional.
• Meets Standards (10.5 Points): Discussion of concerns and standards is somewhat effective, thorough, and professional.
• Below Standards (9 Points): Discussion of concerns or standards is lacking.
• Well Below Standards (0-8 Points): Stated requirements for this section are severely lacking or absent.
• Possible Points: 15
Concerns, Standards, Best Practices: Three current practices identified and justified as best practice
• Far Above Standards (15 Points): Three highly relevant current practices are offered and justified as best practices. Overall presentation is clear, concise, and professional.
• Above Standards (12.75 Points): Section may be lacking in number of recommendations or relevancy or justification or overall presentation.
• Meets Standards (10.5 Points): Section is lacking in number of recommendations or relevancy or justification or overall presentation.
• Below Standards (9 Points): Section is lacking in two or more of the following: number of recommendations or relevancy or justification or overall presentation.
• Well Below Standards (0-8 Points): Stated requirements for this section are severely lacking or absent.
• Possible Points: 15
• Far Above Standards: … justified, with effective discussion of cost considerations. Overall presentation is clear, concise, and professional.
• Above Standards (17 Points): Section may be lacking in number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation.
• Meets Standards (14 Points): Section is lacking in number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation.
• Below Standards (12 Points): Section is lacking in two or more of the following: number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation.
• Well Below Standards (0-11 Points): Stated requirements for this section are severely lacking or absent.
• Possible Points: 20
Basic Attribution (overall)
• Far Above Standards (10 Points): Overall use of basic attribution is highly effective in establishing credibility and authority.
• Above Standards (8.5 Points): Overall use of basic attribution is effective in establishing credibility and authority.
• Meets Standards (7 Points): Overall use of basic attribution is partially effective in establishing credibility and authority.
• Below Standards (6 Points): Overall use of basic attribution is partially effective in establishing credibility and authority. Additional basic attribution may have been needed.
• Well Below Standards (0-5 Points): Overall use of basic attribution was minimally effective or not used.
• Possible Points: 10
Overall Format: APA documentation needed only if sources external to the assignment are introduced
• Far Above Standards (15 Points): Submission reflects effective organization and sophisticated writing; follows instructions provided; uses correct structure, grammar, and spelling; presented in a professional format; any references used are appropriately incorporated and cited using APA style.
• Above Standards (12.75 Points): Submission reflects effective organization and clear writing; follows instructions provided; uses correct structure, grammar, and spelling; presented in a professional format; any references used are appropriately incorporated and cited using APA style.
• Meets Standards (10.5 Points): Submission is adequate, is somewhat organized, follows instructions provided; contains minimal grammar and/or spelling errors; and follows APA style for any references and citations.
• Below Standards (9 Points): Submission is not well organized, and/or does not follow instructions provided; and/or contains grammar and/or spelling errors; and/or does not follow APA style for any references and citations. May demonstrate inadequate level of writing.
• Well Below Standards (0-8 Points): Document is poorly written and does not convey the necessary information.
• Possible Points: 15
TOTAL Points Possible: 100
Project 2: Business Obligations
(Your Name)
BMGT 496 (section number)
(Instructor’s Name)
(Please do not use pictures or images on the Title Page – remove from your final copy)
Memorandum
To:
From:
Date:
Subject:
Introduction
(Write an Introduction paragraph. The Introduction paragraph is the first paragraph of the paper and will be used to describe to the reader the intent of the paper explaining the main points covered in the paper. This intent should be understood prior to reading the remainder of the paper so the reader knows exactly what is being covered in the paper.)
(Write the introduction last to ensure that the main points are covered.)
Summary of Friedman’s Position
(Remember to lay out not just his position, but all the justifications he gives supporting that position.)
Summary of Contrary Positions
(Explain the position of the Business Roundtable as well as other contrary arguments you find
Demonstrate How Each Position Would Affect the Outcome of an Ethical Dilemma
(Choose an ethical dilemma you have raised in a class discussion and illustrate how the resolution would be different when applying Friedman’s or the contrary position.)
Most Compelling Position
(Between the two positions you have discussed, explain the position that you find most compelling. What are the weaknesses and strengths of each position?)
Conclusion
(Write a concluding paragraph that is brief and summarizes the main points. Make a specific recommendation to the CEO as to the approach she should take.)
References
(The reference page is on a separate page from the report. The reference page is completed according to APA with each reference left-justified with hanging indentation for subsequent lines. References are completed in alphabetical order. Please see the module, Learn to Use APA to ensure references are in APA format.)
MEMORANDUM
To: Chief Executive, Anne Arundel County
From: Your Name
Re: Enter Subject
Date: Enter Date
Risk Assessment Summary
This is only placeholder text, be sure to read the Assignment Instructions for specific details about what should be included in this section and the sections that follow. To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Be sure to remove any placeholder text before submitting your assignment. Do not change font size, type or page margins. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.
Background
To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.
Concerns, Standards, Best Practices
To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own.
Example of a second paragraph: Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.
Action Steps
To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.
Effective Professional Writing: The Memo
Adapted from a presentation by Xavier de Souza Briggs, Department of Urban Studies and Planning, MIT
IFSM 201
Licensing Information
This work “Effective Professional Writing: The Memo”, a derivative of Effective Professional Writing: The Memo, by the Massachusetts Institute of Technology, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. “Effective Professional Writing: The Memo” by UMGC is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
https://ocw.mit.edu/courses/urban-studies-and-planning/11-201-gateway-planning-action-fall-2007/communication/memo.pdf
https://creativecommons.org/licenses/by-nc-sa/4.0/
“To do our work, we all have to read a mass of papers. Nearly all of them are far too long. This wastes time, while energy has to be spent in looking for the essential points. I ask my colleagues and their staffs to see to it that their Reports are shorter.”
- WINSTON CHURCHILL, AUGUST 9, 1940
- SOURCE (A ONE PAGE READ): CHURCHILL’S “BREVITY” MEMO
https://i.insider.com/592828b05a1d1b02b94fb302?width=700&format=jpeg&auto=webp
Writing Memos
The context of professional writing
Why write memos?
How to write them?
How to make them better?
The Context
The workplace or field:
◦ Time is precious.
◦ Information has substantive as well as political implications.
The decision-maker as reader:
◦ Busy and distracted (attention “spread thin”), not necessarily patient while you get to the point.
◦ Info needs are varied, unpredictable, fluid.
◦ Decision-maker sometimes offers vague instructions.
Academic vs. professional writing
Differences (when writing concisely)
◦ The academic reader often demands nuance and relevance to established lines of thinking, while the professional reader wants the “so what’s” for their decision making emphasized (relevance to their actions).
◦ An academic assignment assumes a small and benevolent audience, but professional documents can be “leaked,” end up in the hands of unintended readers.
Similarities
◦ Strong essays and strong memos both start with your main ideas, but essays usually build toward conclusion and synthesis. The memo’s conclusions are usually right up top.
◦ In both, persuasive argument = clear viewpoint + evidence
◦ In both, addressing counter-arguments tends to strengthen your case.
Top mistakes in memos
Content:
◦ off point or off task (major substantive omissions, given the request);
◦ impolitic (risks political costs if leaked);
◦ inappropriate assumptions as to background knowledge;
◦ no evidence.
Organization:
◦ important info “buried,”
◦ no summary up top, format confusing, not “skim-able.”
◦ Sentences long and dense,
◦ headings an after-thought.
Style:
◦ language too academic, too “preachy,” or too casual;
◦ sentences long and/or dense.
Why write memos?
Professional communication
◦ Efficient
◦ Persuasive
◦ Focused
Two types of memos:
◦ Informational (provide analytic background)
◦ Decision or “action” (analyze issues and also recommend actions)
Consider Your Message in Context
Purpose, Audience, Message
Use a Clear Structure
Summary:
◦ Summarize the entire memo
◦ Highlight major points to consider
Background:
◦ State the context
Body:
◦ Prove it, analyze it, address counter arguments (if any)
Conclusion:
◦ Outline Next Steps or Next Questions
Action Memos: Recommend Decisions
Summary:
◦ Summarize the entire memo, clearly, but more importantly, concisely
◦ State the broad recommendation(s)
◦ If the decision-maker reads only this section/paragraph, will he/she know what the situation is/recommendation(s) is/are (without necessarily knowing specific action steps)?
Background:
◦ Provide the context
Body:
◦ Prove it/Analyze it, perhaps with pros/cons by option (if there are multiple options)
Conclusion:
◦ Outline next steps, don’t merely restate recommendation(s)
Tip: Construct a Clear, Concise, Coherent Argument
In your opening summary, you may use more than one sentence to describe overall goals or recommendations; however, as an exercise it typically helps to try to state your argument in one sentence. Expand on the sentence as needed as you construct your opening summary.
Examples:
◦ In order to recreate the organization’s image and reorganize our internal structure in the next 6 months, we should focus on X, Y and Z.
◦ While the company is in compliance with State of California Privacy laws with respect to X, Y and Z, there are two areas that still need to be addressed to reach our goal of 100% compliance: A and B.