Mitigating PII Leakage at a Federal Gun Store and Pawn Shop
Team/Students: Ivonne Yeste and Thomas Krawczyk | Business Advisor: Lou Jones | Professor: Dr. Yair Levy, Professor of IS & Cybersecurity
Introduction
Risk Management Analysis (RMA)
Anticipated Results
Problem Definition
Fact Gathering
Project Scope, Goals, and Objectives
Recommended Solution and Action Plan
Proposed Costs
Conclusion
Problem Definition
Federal Gun Store and Pawn Shop has no formal information technology (IT) policies or procedures in place. Employees are not trained on PII risks or proper handling. Hardware and software resources are not adequately secured against a PII breach. There is no regular risk assessment and no ongoing monitoring or auditing of IT resources, so risks are neither reliably identified nor mitigated.
Fact Gathering
Federal Gun Store and Pawn Shop employs up to five full-time employees and several seasonal part-time employees. The existing IT infrastructure consists of five computers in the gun store and two in the pawnshop. There is no firewall. The wireless network is password-protected, but its traffic is not encrypted. Updates are set to auto-download, but there is no audit process to confirm that they are actually installed. Anti-virus is installed, but the subscription has expired, so signature updates are no longer being applied; no anti-malware or spyware detection software is in use. During transactions, PII is collected on paper and then faxed or emailed without encryption.
Center for Information Protection, Education, and Research (CIPhER), College of Engineering and Computing (CEC), http://InfoSec.nova.edu/
Project Scope, Goals, and Objectives
The scope of this project is to propose a solution that identifies and mitigates the security risks at Federal Gun Store and Pawn Shop. The goals are to assess the security environment and deliver a solution comprising the creation and implementation of policies, procedures, security training, and physical improvements that reduce the risk of PII data loss. The overall objective is to reduce risk through immediate improvements, continuous ongoing review, and mitigation of the security risks identified.
Risk Management Analysis (RMA)
The risk management analysis used by this team is a hybrid of the NIST Cybersecurity Framework and the Microsoft Security Risk Management Guide (Microsoft Security Center of Excellence, 2006). The hybrid was chosen to give the business owner a simplified process for ongoing security assessment and mitigation after the initial engagement.
The NIST Cybersecurity Framework (2014) is a set of industry standards and best practices for managing cybersecurity risk; it uses business drivers to guide cybersecurity activities and treats cybersecurity risk as part of the organization's overall risk management process. The Framework has three parts (Core, Implementation Tiers, and Profiles); this analysis uses two of them, the Core and the Profiles. The Core is a set of cybersecurity activities, outcomes, and informative references common across critical infrastructure sectors, and it supplies the detailed guidance from which an organization's Profile is built. Through its Profile, the organization aligns cybersecurity activities with its business requirements, risk tolerance, and resources (NIST, 2014). To be effective, this process must be ongoing.
The Microsoft guide describes three tasks for summary-level risk prioritization (Microsoft Security Center of Excellence, 2006): determine the impact level, estimate the summary-level probability, and complete the summary-level risk list. Table 1 applies these tasks to the findings, each mapped to a Framework Core subcategory.
Recommended Solution and Action Plan
The recommended solution is a consulting engagement covering policy and procedure development, security training, securing the currently open access to PII (Table 1, PR.IP-5), and automated system and software updates. Physical IT improvements include installation of a Next Generation Firewall (NGFW) incorporating antivirus, anti-malware, anti-spyware, intrusion detection and prevention, and other advanced features, together with an encrypted wireless network. The engagement also includes post-implementation monthly monitoring and quarterly security reviews with ongoing risk mitigation.
Anticipated Results
After implementation of the recommended solution, the anticipated results are: policies and procedures created and in force; security training delivered to both management and employees; physical IT improvements in place to reduce the risk of PII data loss; and post-implementation monthly monitoring and quarterly security reviews with ongoing risk mitigation. The policy, procedure, and training work is expected to have the biggest impact on lowering internal risks, while the new technology is expected to reduce the risk of external breaches.
Proposed Costs
The solution includes the initial assessment, policy and procedure creation, training, and implementation, plus post-implementation monthly monitoring and quarterly security reviews with risk mitigation. Table 2 itemizes the one-time and ongoing costs.
Conclusion
This proposal for Federal Gun Store and Pawn Shop addresses the need for policies, procedures, training, and infrastructure improvements that reduce the risk of a breach. It combines measures that mitigate internal risks in the handling of PII with measures that minimize exposure to external risks, and it recommends a quarterly security evaluation so that the store's security posture is reviewed continuously.
References
Department of Homeland Security (DHS). (2012). Handbook for Safeguarding Sensitive PII. Washington, D.C.: DHS.
Department of Justice, Federal Bureau of Investigation. (2011). NICS Section Federal Firearms Licensee Users Manual. Retrieved from Department of Justice, Federal Bureau of Investigation.
Fowler, G., & Worthen, B. (2011, July 21). Hackers Shift Attacks to Small Firms. Retrieved February 20, 2016, from www.wsj.com: http://www.wsj.com/articles/SB10001424052702304567604576454173706460768
Microsoft Security Center of Excellence. (2006). Security Risk Management Guide. Retrieved January 28, 2016, from Microsoft: https://technet.microsoft.com/en-us/library/cc163143.aspx
Milliken, B. (2016, January 24). It’s True! Your Small Business Is A Perfect Target For Hackers. Retrieved from LinkedIn: https://www.linkedin.com/pulse/its-true-your-small-business-perfect-target-hackers-bob-milliken?articleId=6008827995698057216
National Cyber Security Alliance and Symantec. (2016, January 24). 2012 NCSA/Symantec Small Business Study Fact Sheet. Retrieved from Stay Safe Online: http://www.staysafeonline.org/stay-safe-online/resources
National Institute of Standards and Technology. (2014, February 12). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved January 28, 2016, from NIST: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
PricewaterhouseCoopers LLP. (2010). Protect your organization’s sensitive information and reputation with high-risk data discovery. Retrieved January 30, 2016, from http://www.pwc.com/us/en/it-risk-security/assets/high-risk-data-discovery.pdf
U.S. Department of Homeland Security. (2011, May). How to Safeguard Personally Identifiable Information. Retrieved February 20, 2016, from Department of Homeland Security: https://www.dhs.gov/xlibrary/assets/privacy/privacy_safeguarding_pii_fact_sheet.pdf
University of Texas at Austin Center for Identity. (2016, January). Top Threats & Responsibilities for Small Businesses. Retrieved January 30, 2016, from https://identity.utexas.edu/small-businesses/top-threats-responses-for-small-businesses
Introduction
Small businesses are increasingly targeted by criminals where personally identifiable information (PII) best practices are not followed (University of Texas, 2016, ¶1). Examples of PII include Social Security number (SSN), alien registration number (A-Number), driver's license number, financial information, citizenship, immigration status, or medical information, when held in conjunction with the identity of an individual (Department of Homeland Security (DHS), 2012). Because controls around PII are lacking, hackers are pursuing easier and more profitable thefts from small businesses, whose security is generally lax to non-existent and therefore easy money (Milliken, 2016). Such breaches can end in the failure of the business through loss of data and of customer confidence (National Cyber Security Alliance and Symantec, 2016). Federal Gun Store and Pawn Shop is a popular retail gun store with an adjacent, high-traffic pawnshop. Given the volume of PII it collects, there is particular interest in securing this information to minimize the risk of a breach.
Figure 1: NIST Cybersecurity Framework

Function/Category/Subcategory            Description                                            Likelihood  Impact    Risk
Protect/Access Control/PR.AC-1           Employees do not have unique system logins             Medium      Moderate  Medium
Identify/Governance/ID.GV-1              Lack of written policies                               High        Moderate  High
Protect/Protective Technology/PR.PT-3    Access to system resources is not limited              High        Moderate  High
Protect/Protective Technology/PR.PT-4    No firewall, intrusion detection, active antivirus,    High        Critical  Critical
                                         anti-malware, or encryption
Protect/Information Protection/PR.IP-5   Open access to PII                                     High        Critical  Critical
Protect/Information Protection/PR.IP-12  No patch management                                    High        Moderate  High
Protect/Awareness and Training/PR.AT-1   Users not trained on security best practices           High        Moderate  High
Table 1: Risk Analysis Matrix
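The three Microsoft tasks described in the RMA section (determine impact, estimate probability, complete the summary-level risk list) and the ratings in Table 1 can be carried out mechanically. The following Python is an added example written for this page, not code from the poster or its authors: it encodes a likelihood-by-impact matrix, reproduces the Table 1 ratings from the stated likelihood and impact, orders the summary-level risk list, and flags any stated rating that the matrix does not reproduce. The page confirms only the three matrix cells that Table 1 uses (Medium/Moderate, High/Moderate, High/Critical); every other cell, and the per-Function roll-up, is an assumption.

```python
"""Summary-level risk prioritization in the style of the Microsoft Security
Risk Management Guide, run over the findings of Table 1.  ASSUMPTION: only the
three matrix cells that Table 1 exercises are confirmed by the poster; the
remaining cells are a conventional fill-in."""

from dataclasses import dataclass

LIKELIHOOD_ORDER = {"Low": 0, "Medium": 1, "High": 2}
IMPACT_ORDER = {"Low": 0, "Moderate": 1, "Critical": 2}
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# RISK_MATRIX[likelihood][impact] -> risk rating.  Cells marked (page) are the
# ones Table 1 exercises; every other cell is an assumption.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Moderate": "Low",     "Critical": "Medium"},
    "Medium": {"Low": "Low",    "Moderate": "Medium",  # (page) PR.AC-1
               "Critical": "High"},
    "High":   {"Low": "Medium", "Moderate": "High",    # (page) ID.GV-1 and others
               "Critical": "Critical"},                # (page) PR.PT-4, PR.IP-5
}


@dataclass(frozen=True)
class Finding:
    subcategory: str   # NIST CSF Core subcategory, e.g. "PR.AC-1"
    function: str      # CSF Function the subcategory belongs to
    description: str
    likelihood: str
    impact: str


# Findings transcribed from Table 1 of the poster.
TABLE_1 = [
    Finding("PR.AC-1", "Protect", "Employees do not have unique system logins", "Medium", "Moderate"),
    Finding("ID.GV-1", "Identify", "Lack of written policies", "High", "Moderate"),
    Finding("PR.PT-3", "Protect", "Access to system resources is not limited", "High", "Moderate"),
    Finding("PR.PT-4", "Protect", "No firewall, intrusion detection, active antivirus, anti-malware, encryption", "High", "Critical"),
    Finding("PR.IP-5", "Protect", "Open access to PII", "High", "Critical"),
    Finding("PR.IP-12", "Protect", "No patch management", "High", "Moderate"),
    Finding("PR.AT-1", "Protect", "Users not trained on security best practices", "High", "Moderate"),
]

# Risk ratings exactly as stated in the Table 1 "Risk" column.
TABLE_1_STATED = {
    "PR.AC-1": "Medium", "ID.GV-1": "High", "PR.PT-3": "High", "PR.PT-4": "Critical",
    "PR.IP-5": "Critical", "PR.IP-12": "High", "PR.AT-1": "High",
}


def rate(likelihood: str, impact: str) -> str:
    """Combine the impact level (task 1) and probability (task 2) into a rating."""
    return RISK_MATRIX[likelihood][impact]


def summary_risk_list(findings):
    """Task 3: the summary-level risk list, highest risk first.  Ties break on
    impact, then likelihood, then the subcategory id, so the order is stable."""
    rated = [(f, rate(f.likelihood, f.impact)) for f in findings]
    rated.sort(key=lambda fr: (-RISK_ORDER[fr[1]], -IMPACT_ORDER[fr[0].impact],
                               -LIKELIHOOD_ORDER[fr[0].likelihood], fr[0].subcategory))
    return rated


def inconsistent_ratings(findings, stated):
    """Return (subcategory, stated, matrix) for every stated rating the matrix
    does not reproduce.  A non-empty result means the table and the matrix
    have drifted apart, which is what a quarterly review should catch."""
    return [(f.subcategory, stated[f.subcategory], rate(f.likelihood, f.impact))
            for f in findings if stated[f.subcategory] != rate(f.likelihood, f.impact)]


def risk_by_function(findings):
    """Highest rating per CSF Function, to show where the risk concentrates."""
    worst = {}
    for f in findings:
        r = rate(f.likelihood, f.impact)
        if f.function not in worst or RISK_ORDER[r] > RISK_ORDER[worst[f.function]]:
            worst[f.function] = r
    return worst


if __name__ == "__main__":
    for f, r in summary_risk_list(TABLE_1):
        print(f"{r:<9} {f.subcategory:<9} {f.description}")
    print("inconsistent:", inconsistent_ratings(TABLE_1, TABLE_1_STATED))
    print("by function:", risk_by_function(TABLE_1))
```

Running the script lists the two Critical findings (PR.IP-5, PR.PT-4) first, then the four High findings, then PR.AC-1, and reports no inconsistencies against Table 1. Keeping the matrix and the findings as data rather than prose is what makes the quarterly review cheap: the reviewer re-estimates likelihood and impact, and the ordering and any drift from the previously stated ratings fall out automatically.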
Table 2: Proposal Cost Analysis
Description                                                 Initial One-Time Cost   Ongoing Cost (yearly)
SonicWALL NGFW & WAP                                        $1,700                  $300
Consulting services: 40 hours @ $150/hour (initial);        $6,000                  $2,400 (four-hour security review every quarter)
  four-hour quarterly review @ $150/hour (ongoing)
Managed services @ $75/hour, eight hours monthly            -                       $7,200
Total                                                       $7,700                  $9,900
IYeste - Nova - ISEC695 - Final
Figure 1: NIST Cybersecurity Framework Function/Category Subcategory Description Likelihood Impact Risk Protect/Access Control/PR.AC-1 Employees do not have unique system logins Medium Moderate Medium Identify/Governance/ID .GV-1 Lack of written policies High Moderate High Protect/Protective Technology/PR.PT-3 Limit access to any system resources High Moderate High Protect/Protective Technology/PR.PT-4 No firewall, intrusion detection, active antivirus, anti-malware, encryption High Critical Critical Protect/Information Protection/PR.IP-5 Open access to PII High Critical Critical Protect/Information Protection/PR.IP-12 No Patch Management High Moderate High Protect/Awareness and raining/PR.AT-1 Users not trained on security best practices High Moderate High Table 1: Risk Analysis Matrix Table 2: Proposal Cost Analysis Description Initial One Time Costs Ongoing Costs SonicWALL NGFW & WAP $1,700 $300 - Yearly Consulting services 40 hours @ $150/hour 4 hour quarterly update @ $150/hour $6,000 $2,400 (Four hour security review every quarter) Managed Services @ $75/hour - Eight hours monthly $7,200 Total $7,700 $9,900
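A worked version of the summary-level risk prioritization described in the RMA section, applied to the findings in Table 1, as an added example that is not the team's own tooling: it rates each finding from its likelihood and impact and produces the ordered summary-level risk list. The numeric scales and the product-with-thresholds rating rule are assumptions chosen so that the output reproduces the Risk column of Table 1.

```python
# Added example (not from the poster): build the "Summary Level Risk List"
# from the Table 1 findings. Scales and thresholds below are assumptions
# chosen to be consistent with the ratings shown in Table 1.
from dataclasses import dataclass

LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}    # assumed ordinal scale
IMPACT = {"Low": 1, "Moderate": 2, "Critical": 3}  # assumed ordinal scale
ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}  # sort priority


def risk_level(likelihood: str, impact: str) -> str:
    """Assumed rule: score = likelihood x impact, bucketed into four levels."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 7:
        return "Critical"
    if score >= 5:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    subcategory: str  # NIST CSF subcategory ID, as listed in Table 1
    description: str
    likelihood: str   # task 2: estimated summary-level probability
    impact: str       # task 1: determined impact level


# Findings transcribed from Table 1 of the poster.
FINDINGS = [
    Finding("PR.AC-1", "Employees do not have unique system logins", "Medium", "Moderate"),
    Finding("ID.GV-1", "Lack of written policies", "High", "Moderate"),
    Finding("PR.PT-3", "Limit access to any system resources", "High", "Moderate"),
    Finding("PR.PT-4", "No firewall, IDS, active antivirus, anti-malware, encryption", "High", "Critical"),
    Finding("PR.IP-5", "Open access to PII", "High", "Critical"),
    Finding("PR.IP-12", "No Patch Management", "High", "Moderate"),
    Finding("PR.AT-1", "Users not trained on security best practices", "High", "Moderate"),
]


def summary_risk_list(findings):
    """Task 3: rate every finding and order the list, most severe first."""
    rated = [(f.subcategory, f.description, risk_level(f.likelihood, f.impact))
             for f in findings]
    return sorted(rated, key=lambda r: (ORDER[r[2]], r[0]))


if __name__ == "__main__":
    for sub, desc, level in summary_risk_list(FINDINGS):
        print(f"{level:<8} {sub:<9} {desc}")
```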