CYB_200_Project Two

.docx

School

Southern New Hampshire University *

*We aren’t endorsed by this school

Course

200

Subject

Information Systems

Date

Feb 20, 2024

Type

docx

Pages

5

Uploaded by ISSIT_Learn

Report
Professor Tharp CYB 200 12 June 2022 6-2 Project Two: Incident Analysis Brief
In this paper, I will be using scenario two as reference for my analysis and recommendation. Scenario two talks about certain security issues within a financial firm that were observed during an on-site visit. One of these issues is the lack of security training concerning the handling and safeguarding of physical sensitive data. Non-authorized personnel were seen taking sensitive paperwork from “destroy bins” unnoticeably. The other is the lack of knowledge and training dealing with the protection of data with information systems. Non- employees were seen shoulder surfing and looking at information that they were not authorized to view. Both of these issues have a great negative impact on the organization, which is a financial organization; and breaks the CONFIDENTIALITY security objective of the CIA triad. According to CompTIA’s CYSA+, “Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information”. Sensitive data is any data that must be protected and cannot be accessed by any outside party unless permission is given. In any organization, the loss of sensitive data is critical. However, in a financial organization such as the one in this scenario; the loss of sensitive data is so much more because of the high-income accounts that are being managed. Financial accounts numbers, credit card numbers, and account balances along with personal identifying information (PII) are at risk in this organization. The loss of confidentiality within this organization has a major impact on the customer who is entrusting this organization with their sensitive information. Loss of their data could mean that someone is wrongfully accessing their accounts and moving money out. Someone could be making purchases fraudulently in the customer’s name. It could even lead to other issues like kidnapping for ransom. A break in data confidentiality also affects the organization as a whole. Being a financial organization that is not able to keep sensitive data secured means that
no one will do business with you. The organization’s reputation would be tarnished, most likely leading to the closure of the business. To remedy the security issues within the financial organization, I would use the layering fundamental design principle. In layering, you use multiple forms of security to ensure the system is secure from multiple perspectives. One thing that I would implement is the fact that sensitive data that needs be destroyed is not easily accessible by anyone. Each employee within this organization has its own clients. No one works the others customer. This being so, I would ensure that data destruction bins are locked and that paper inserted, cannot be pulled out without the key to the bin. I would also have these bins in areas that are either secured (no one without access can access them) or placed in areas where it easily seen if someone is tampering with them. In the organizations security policy, I would ensure that it is written that all sensitive data contained within the bins be disposed of properly every evening. This will reduce the amount of data that is lost if the bin was to be taken completely. I would reduce the risk of shoulder surfing by ensuring each one of my employees has screen protectors for their systems. I would also ensure that personnel such as the cleaning team, who are not authorized access to the data being handled in this organization; are escorted or supervised while conducting their duties on the floor. This may take an employee away from doing their regular role but it will ensure that the data stays secured from being physically stolen which could cause major damage to the company. Another fundamental security principle I would use in this scenario is the least privilege principle. It works in the same aspect as it would if you were accessing a computer system. Being that almost all data within this organization is considered sensitive, I would have to ensure that the proper individuals have the authorized access to work inside the organization. What I am
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help