IT 253 Project One Memo
Introduction: Securing our information assets is vital for driving the company's business agenda
forward. By mitigating the identified information security risks, we not only shield our data but also
demonstrate our dedication to preserving customer information and complying with applicable
regulations.
Laws and Regulations: Conforming to legal mandates and regulatory frameworks, notably Sarbanes-
Oxley (SOX) regulations, is essential for the successful functioning of our company. SOX imposes strict
guidelines regarding access, change management, backups, and security to safeguard shareholder assets
and prevent fraudulent activities.
Technical Controls: In response to the identified information security risks, I propose the
implementation of the following technical measures:
1. Deploy multi-factor authentication (MFA) for building access and sensitive systems to prevent
unauthorized entry, addressing the vulnerability identified by the consultant's finding of
unauthorized access to the headquarters building.
2. Implement encryption for all onsite backups to bolster data security and address the risk of
potential exposure highlighted by the consultant's findings of unencrypted backups onsite.
1. Immediately update the information security policy to reflect current best practices and address
emerging threats. This addresses the risk highlighted by the consultant that the current policy
has not been updated in four years. Regular policy updates ensure its relevance and
effectiveness in mitigating evolving security risks.
2. Develop and regularly test a business continuity and disaster recovery plan to minimize
disruptions to operations during emergencies. This directly addresses the consultant's finding of
the absence of such plans, ensuring the company's preparedness to respond effectively to
unforeseen incidents.
3. Enforce the use of individual user accounts for system administration tasks to enhance
accountability and traceability, as recommended by the consultant. This measure reduces the
risk associated with shared accounts for high-level system administrator functions, improving
overall security posture and minimizing the potential for unauthorized access.
Physical Controls: To mitigate the identified information security risks, I suggest implementing the
following physical measures:
1. Strengthened Access Controls: Conduct a thorough assessment and upgrade of access controls
across all facilities, with a focus on restricting entry to sensitive areas such as the headquarters
building and the data center. This proactive step directly mitigates the risks highlighted by the
consultant's findings, ensuring that unauthorized access is minimized, and overall physical
security is enhanced.
2. Installation of Backup Power Systems: Deploy backup power systems, such as generators, in
critical locations such as the data center to mitigate the impact of power outages. This
preventative measure directly tackles the consultant's finding of the data center's lack of backup
or generator power, ensuring continuous operations.
Business Impact: The recommended controls outlined in this proposal significantly impact the current
information security policies and practices within our company. Through the implementation of multi-
factor authentication, encryption of onsite backups, and regular antivirus updates, we reinforce our
technical defenses. Additionally, updates to policies and the development of disaster recovery plans
underscore our commitment to adaptability and preparedness. The introduction of physical controls
such as enhanced access procedures and backup power systems serves to heighten employee
awareness of security practices, reducing the risk of unauthorized access and ensuring continuous
operations. Together, these actions contribute to a rich security framework, protecting our data,
maintaining customer confidence, and upholding regulatory compliance in accordance with our strategic
goals.