

Question

You have been hired by an organization as a cyber-security engineer to protect their information system (data, intranet, computers or employees’ workstations, wireless network) located in their main and only building against any cyber-attacks that can come either from the inside (insider threats) or from outside (cyber-criminals) of the organization, since the organization has an external IP address that provides internet access to all employees. Talk about what you will do to properly secure the information systems of this organization. PS: Your solution has to be a combination of policy, people and technology.

Explanation / Answer

The following are 10 safety tips to help you guard against high-tech failure:

1. Protect with passwords. This may seem like a no-brainer, but many cyber attacks succeed precisely because of weak password protocols. Access to all equipment, wireless networks and sensitive data should be guarded with unique user names and passwords keyed to specific individuals. The strongest passwords contain numbers, letters and symbols, and aren’t based on commonplace words, standard dictionary terms or easy-to-guess dates such as birthdays. Each user should further have a unique password wherever it appears on a device or network. If you create a master document containing all user passcodes, be sure to encrypt it with its own passcode and store it in a secure place.

2. Design safe systems. Reduce exposure to hackers and thieves by limiting access to your technology infrastructure. Minimize points of failure by eliminating unnecessary access to hardware and software, and restricting individual users’ and systems’ privileges only to needed equipment and programs. Whenever possible, minimize the scope of potential damage to your networks by using a unique set of email addresses, logins, servers and domain names for each user, work group or department as well.

3. Conduct screening and background checks. While rogue hackers get most of the press, the majority of unauthorized intrusions occur from inside network firewalls. Screen all prospective employees from the mailroom to the executive suite. Beyond simply calling references, be certain to research their credibility as well. An initial trial period, during which access to sensitive data is either prohibited or limited, is also recommended. And it wouldn’t hurt to monitor new employees for suspicious network activity.

4. Provide basic training. Countless security breaches occur as a result of human error or carelessness. You can help build a corporate culture that emphasizes computer security through training programs that warn of the risks of sloppy password practices and the careless use of networks, programs and devices. All security measures, from basic document-disposal procedures to protocols for handling lost passwords, should be second-nature to members of your organization.

5. Avoid unknown email attachments. Never, ever click on unsolicited email attachments, which can contain viruses, Trojan programs or computer worms. Before opening them, always contact the sender to confirm message contents. If you’re unfamiliar with the source, it’s always best to err on the side of caution by deleting the message, then potentially blocking the sender’s account and warning others to do the same.

6. Hang up and call back. So-called "social engineers," or cons with a gift for gab, often prey on unsuspecting victims by pretending to be someone they’re not. If a purported representative from the bank or strategic partner seeking sensitive data calls, always end the call and hang up. Then dial your direct contact at that organization, or one of its public numbers to confirm the call was legitimate. Never try to verify suspicious calls with a number provided by the caller.

7. Think before clicking. Phishing scams operate by sending innocent-looking emails from apparently trusted sources asking for usernames, passwords or personal information. Some scam artists even create fake Web sites that encourage potential victims to input the data themselves. Always go directly to a company’s known Internet address or pick up the phone before providing such info or clicking on suspicious links.

8. Use a virus scanner, and keep all software up-to-date. Whether working at home or on an office network, it pays to install basic virus scanning capability on your PC. Many network providers now offer such applications for free. Keeping software of all types up to date is also imperative, including scheduling regular downloads of security updates, which help guard against new viruses and variations of old threats.

9. Keep sensitive data out of the cloud. Cloud computing offers businesses many benefits and cost savings. But such services also could pose additional threats as data are housed on remote servers operated by third parties who may have their own security issues. With many cloud-based services still in their infancy, it’s prudent to keep your most confidential data on your own networks.

10. Stay paranoid. Shred everything, including documents with corporate names, addresses and other information, including the logos of vendors and banks you deal with. Never leave sensitive reports out on your desk or otherwise accessible for any sustained period of time, let alone overnight. Change passwords regularly and often, especially if you’ve shared them with an associate. It may seem obsessive, but a healthy dose of paranoia could prevent a major data breach.

The average cost to an organization to recover from such a breach is $6.75 million, according to Javelin Strategy & Research. And that doesn’t count damage to your reputation or relationships. So be proactive and diligent about prevention. An ounce far outweighs a pound of cure.

The basic five steps to avoid a security breach in the organization:

Step 1: Identify and prioritize confidential information

The vast majority of organizations don't know how to start protecting confidential information. By categorizing types of information by value and confidentiality, companies can prioritize what data to secure first. In my experience, customer information systems or employee record systems are the easiest places to start because only a few specific systems typically own the ability to update that information. Social Security numbers, account numbers, personal identification numbers, credit card numbers and other types of structured information are finite areas that need to be protected. Securing unstructured information such as contracts, financial releases and customer correspondence is an important next step that should be rolled out on a departmental basis.

Step 2: Study current information flows and perform risk assessment

It's essential to understand current workflows, both procedurally and in practice, to see how confidential information flows around an organization. Identifying the major business processes that involve confidential information is a straightforward exercise, but determining the risk of leakage requires a more in-depth examination. Organizations need to ask themselves the following questions of each major business process:

- Which participants touch these information assets?
- How are these assets created, modified, processed or distributed by these participants?
- What is the chain of events?
- Is there a gap between stated policies/procedures and actual behavior?

By analyzing information flows with these questions in mind, companies can quickly identify vulnerabilities in their handling of sensitive information.

Step 3: Determine appropriate access, usage and information-distribution policies

Based on the risk assessment, an organization can quickly craft distribution policies for various types of confidential information. These policies govern exactly who can access, use or receive which type of content and when, as well as oversee enforcement actions for violations of those policies.

In my experience, four types of distribution policies typically emerge for the following:

1. Customer information
2. Executive communications
3. Intellectual property
4. Employee records

Once these distribution policies are defined, it's essential to implement monitoring and enforcement points along communication paths.

Step 4: Implement a monitoring and enforcement system

The ability to monitor and enforce policy adherence is crucial to the protection of confidential information assets. Control points must be established to monitor information usage and traffic, verifying compliance with distribution policies and performing enforcement actions for violation of those policies. Like airport security checkpoints, monitoring systems must be able to accurately identify threats and prevent them from passing those control points.

Due to the immense amount of digital information in modern organizational workflows, these monitoring systems should have powerful identification abilities to avoid false alarms and have the ability to stop unauthorized traffic. A variety of software products can provide the means to monitor electronic communication channels for sensitive information.

Step 5: Review progress periodically

Lather, rinse and repeat. For maximum effectiveness, organizations need to regularly review their systems, policies and training. By using the visibility provided by monitoring systems, organizations can improve employee training, expand deployment and systematically eliminate vulnerabilities. In addition, systems should be reviewed extensively in the event of a breach to analyze system failures and to flag suspicious activity. External audits can also prove useful in checking for vulnerabilities and threats.

Companies often implement security systems but either fail to review incident reports that arise or to extend coverage beyond the parameters of the initial implementation. Through regular system benchmarking, organizations can protect other types of confidential information; extend security to different communication channels such as e-mail, Web posts, instant messaging, peer-to-peer and more; and expand protection to additional departments or fun
