IFSM 201 Professional Memo

IFSM 201 Professional Memo

Before you begin this assignment, be sure you have read the Small Merchant Guide to Safe Payments documentation from the Payment Card Industry Data Security Standards (PCI DSS) organization. PCI Data Security Standards are established to protect payment account data throughout the payment lifecycle, and to protect individuals and entities from the criminals who attempt to steal sensitive data. The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data, including merchants, service providers, and financial institutions.

Purpose of this Assignment

You work as an Information Technology Consultant for the Greater Washington Risk Associates (GWRA) and have been asked to write a professional memo to one of your clients as a follow-up to their recent risk assessment (RA). GWRA specializes in enterprise risk management for state agencies and municipalities. The county of Anne Arundel, Maryland (the client) hired GWRA to conduct a risk assessment of Odenton, Maryland (a community within the Anne Arundel County), with a focus on business operations within the municipality.

This assignment specifically addresses the following course outcome to enable you to:

• Identify ethical, security, and privacy considerations in conducting data and information

analysis and selecting and using information technology.

Assignment

Your supervisor has asked that the memo focus on Odenton’s information systems, and specifically, securing the processes for payments of services. Currently, the Odenton Township offices accept cash or credit card payment for the services of sanitation (sewer and refuse), water, and property taxes. Residents can pay either in-person at township offices or over the phone with a major credit card (American Express, Discover, MasterCard and Visa). Over the phone payment involves with speaking to an employee and giving the credit card information. Once payment is received, the Accounting Department is responsible for manually entering it into the township database system and making daily deposits to the bank.

The purpose of the professional memo is to identify a minimum of three current controls (e.g., tools, practices, policies) in Odenton Township (either a control specific to Odenton Township or a control provided by Anne Arundel county) that can be considered best practices in safe payment/data protection. Furthermore, beyond what measures are currently in place, you should highlight the need to focus on insider threats and provide a minimum of three additional recommendations. Below are the findings from the Risk Assessment:

• The IT department for Anne Arundel County requires strong passwords for users to access and use information systems.

Professional Memo 1

• The IT department for Anne Arundel County is meticulous about keeping payment terminal software, operating systems and other software (including anti-virus software) updated.

• Assessment of protection from remote access and breaches to the Anne Arundel network: Odenton Township accesses the database system for the County when updating resident’s accounts for services. It is not clear whether a secure remote connection (VPN) is standard policy.

• Assessment of physical security at the Odenton Township hall: the only current form of physical security are locks on the two outer doors; however, the facility is unlocked Monday-Friday, 8am-5pm (EST), excluding federal holidays.

• Employee awareness training on data security and secure practices for handling sensitive data (e.g., credit card information) are not in place.

• The overarching conclusion of the risk assessment was that Odenton Township is not fully compliant with the PCI Data Security Standards (v3.2).

Note: The Chief Executive for Anne Arundel County has asked for specific attention be paid to insider threats, citing a recent article about an administrator from San Francisco (see Resources). Anne Arundel County wants to understand insider threats and ways to mitigate so that they protect their resident’s personal data as well as the County’s sensitive information. These are threats to information systems, including malware and insider threats (negligent or inadvertent users, criminal or malicious insiders, and user credential theft).

Expectations and Format

Using the resources listed below, you are to write a 2-page Professional Informational Memo to the Chief Executive for Anne Arundel County that addresses the following:

• Risk Assessment Summary: Provide an overview of your concerns from the risk assessment report. Include broad ‘goal’ of the memo, as a result of the risk assessment, the broad recommendations. Specific Action Steps will come later. The summary should be no more than one paragraph.

• Background: Provide a background for your concerns. Briefly highlight why the concerns are critical to the County of Anne Arundel and Odenton Township. Clearly state the importance of data security and insider threats when dealing with personal credit cards. Be sure to establish the magnitude of the problem of insider threats.

• Concerns, Standards, Best Practices: The body of the memo needs to justify your concerns and clarify standards, based on the resources listed below, at minimum. The PCI DSS standards are well respected and used globally to protect entities and individual’s sensitive data. The body of the memo should also highlight three current controls that are considered best practice; that is, you should highlight the positive, what is currently in place, based on the risk assessment.

• Action Steps: Provide a conclusion establishing why it is important for Anne Arundel County to take steps to protect residents and county infrastructure from insider threats based on your concerns. Recommend a minimum of three (3) practical action steps, including new security controls, best practices and/or user policies that will mitigate the concerns in this memo. Be sure to include cost considerations so that the County is

Professional Memo 2

getting the biggest bang for the buck. The expectations are not for you to research and quote actual costs, but to generalize potential costs. For instance, under the category of physical security, door locks are typically less expensive than CCTV cameras.

• Be sure to review the PowerPoint presentation (in pdf format) Effective Professional Memo Writing that accompanies these instructions.

• Use the Professional Memo template that accompanies these instructions.

o Use four section subtitles, in bold.

▪ Risk Assessment Summary

▪ Background

▪ Concerns, Standards, Best Practices ▪ Action Steps

o Do not change the font size or type or page margins.

o Do not include any graphics, images or ‘snips’ of any content from copyrighted

sources. The PCI Standards (PCI DSS) document is copyrighted material.

o Paragraph text should be single spaced with ONE ‘hard return’ (Enter) after each paragraph and after each section subtitle. Note: Do not create a new ‘paragraph’

after each sentence. A single sentence is not a paragraph.

o ‘Subject’ is the subject of your memo, not the course name or number.

o Be sure to remove any remaining ‘placeholder’ text in the template file before

submitting.

o The length of the template when you download it is NOT the intended length of

the entire memo. Your completed memo should be between 1.5 pages and 2 pages (total document, including the To:/From:/Re:/Subject header).

*Note: the Professional Memo is to be in a MS Word file and all work is to be in the student’s own words (no direct quotes from external sources or the instructions) *

APA documentation requirements:

• As this is a professional memo, as long as you use resources provided with or linked from these instructions, APA documentation is NOT required.

• Citing material or resources beyond what is provided here is NOT required.

• However, you should use basic attribution and mention the source of any data, ideas

or policies that you mention, which will help establish the credibility and authority of the memo.

o For example, mentioning that the Payment Card Industry Data Security Standards (PCI DSS) identify a certain control as best practice holds more weight than simply stating the control is a best practice without basic attribution.

Professional Memo

3

  • Professional Memo 1

    IFSM 201 Professional Memo

     

    Before you begin this assignment, be sure you have read the Small Merchant Guide to Safe

    Payments documentation from the Payment Card Industry Data Security Standards (PCI DSS)

    organization. PCI Data Security Standards are established to protect payment account data

    throughout the payment lifecycle, and to protect individuals and entities from the criminals who

    attempt to steal sensitive data. The PCI Data Security Standard (PCI DSS) applies to all entities

    that store, process, and/or transmit cardholder data, including merchants, service providers, and

    financial institutions.

     

    Purpose of this Assignment

    You work as an Information Technology Consultant for the Greater Washington Risk Associates

    (GWRA) and have been asked to write a professional memo to one of your clients as a follow-up

    to their recent risk assessment (RA). GWRA specializes in enterprise risk management for state

    agencies and municipalities. The county of Anne Arundel, Maryland (the client) hired GWRA to

    conduct a risk assessment of Odenton, Maryland (a community within the Anne Arundel

    County), with a focus on business operations within the municipality.

     

    This assignment specifically addresses the following course outcome to enable you to:

    • Identify ethical, security, and privacy considerations in conducting data and information analysis and selecting and using information technology.

     

     

    Assignment

     

    Your supervisor has asked that the memo focus on Odenton’s information systems, and

    specifically, securing the processes for payments of services. Currently, the Odenton Township

    offices accept cash or credit card payment for the services of sanitation (sewer and refuse),

    water, and property taxes. Residents can pay either in-person at township offices or over the

    phone with a major credit card (American Express, Discover, MasterCard and Visa). Over the

    phone payment involves with speaking to an employee and giving the credit card information.

    Once payment is received, the Accounting Department is responsible for manually entering it

    into the township database system and making daily deposits to the bank.

     

    The purpose of the professional memo is to identify a minimum of three current controls

    (e.g., tools, practices, policies) in Odenton Township (either a control specific to Odenton

    Township or a control provided by Anne Arundel county) that can be considered best

    practices in safe payment/data protection. Furthermore, beyond what measures are

    currently in place, you should highlight the need to focus on insider threats and provide a

    minimum of three additional recommendations. Below are the findings from the Risk

    Assessment:

     

    • The IT department for Anne Arundel County requires strong passwords for users to access and use information systems.

     

    https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Guide_to_Safe_Payments.pdf
    https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Guide_to_Safe_Payments.pdf
    https://www.pcisecuritystandards.org/
    https://www.pcisecuritystandards.org/

     

    Professional Memo 2

    • The IT department for Anne Arundel County is meticulous about keeping payment terminal software, operating systems and other software (including anti-virus software)

    updated.

    • Assessment of protection from remote access and breaches to the Anne Arundel network: Odenton Township accesses the database system for the County when updating resident’s

    accounts for services. It is not clear whether a secure remote connection (VPN) is

    standard policy.

    • Assessment of physical security at the Odenton Township hall: the only current form of physical security are locks on the two outer doors; however, the facility is unlocked

    Monday-Friday, 8am-5pm (EST), excluding federal holidays.

    • Employee awareness training on data security and secure practices for handling sensitive

    data (e.g., credit card information) are not in place.

    • The overarching conclusion of the risk assessment was that Odenton Township is not

    fully compliant with the PCI Data Security Standards (v3.2).

     

    Note: The Chief Executive for Anne Arundel County has asked for specific attention be paid

    to insider threats, citing a recent article about an administrator from San Francisco (see

    Resources). Anne Arundel County wants to understand insider threats and ways to mitigate

    so that they protect their resident’s personal data as well as the County’s sensitive

    information. These are threats to information systems, including malware and insider threats

    (negligent or inadvertent users, criminal or malicious insiders, and user credential theft).

     

    Expectations and Format

     

    Using the resources listed below, you are to write a 2-page Professional Informational Memo to

    the Chief Executive for Anne Arundel County that addresses the following:

    • Risk Assessment Summary: Provide an overview of your concerns from the risk

    assessment report. Include broad ‘goal’ of the memo, as a result of the risk assessment,

    the broad recommendations. Specific Action Steps will come later. The summary should

    be no more than one paragraph.

    • Background: Provide a background for your concerns. Briefly highlight why the

    concerns are critical to the County of Anne Arundel and Odenton Township. Clearly

    state the importance of data security and insider threats when dealing with personal credit

    cards. Be sure to establish the magnitude of the problem of insider threats.

    • Concerns, Standards, Best Practices: The body of the memo needs to justify your

    concerns and clarify standards, based on the resources listed below, at minimum. The

    PCI DSS standards are well respected and used globally to protect entities and

    individual’s sensitive data. The body of the memo should also highlight three current

    controls that are considered best practice; that is, you should highlight the positive,

    what is currently in place, based on the risk assessment.

    • Action Steps: Provide a conclusion establishing why it is important for Anne Arundel

    County to take steps to protect residents and county infrastructure from insider threats

    based on your concerns. Recommend a minimum of three (3) practical action steps,

    including new security controls, best practices and/or user policies that will mitigate the

    concerns in this memo. Be sure to include cost considerations so that the County is

     

     

    Professional Memo 3

    getting the biggest bang for the buck. The expectations are not for you to research and

    quote actual costs, but to generalize potential costs. For instance, under the category of

    physical security, door locks are typically less expensive than CCTV cameras.

    • Be sure to review the PowerPoint presentation (in pdf format) Effective Professional

    Memo Writing that accompanies these instructions.

    • Use the Professional Memo template that accompanies these instructions.

    o Use four section subtitles, in bold.

    ▪ Risk Assessment Summary

    ▪ Background

    ▪ Concerns, Standards, Best Practices

    ▪ Action Steps

    o Do not change the font size or type or page margins.

    o Do not include any graphics, images or ‘snips’ of any content from copyrighted

    sources. The PCI Standards (PCI DSS) document is copyrighted material.

    o Paragraph text should be single spaced with ONE ‘hard return’ (Enter) after each

    paragraph and after each section subtitle. Note: Do not create a new ‘paragraph’

    after each sentence. A single sentence is not a paragraph.

    o ‘Subject’ is the subject of your memo, not the course name or number.

    o Be sure to remove any remaining ‘placeholder’ text in the template file before

    submitting.

    o The length of the template when you download it is NOT the intended length of

    the entire memo. Your completed memo should be between 1.5 pages and 2

    pages (total document, including the To:/From:/Re:/Subject header).

    *Note: the Professional Memo is to be in a MS Word file and all work is to be in the

    student’s own words (no direct quotes from external sources or the instructions) *

    APA documentation requirements:

    • As this is a professional memo, as long as you use resources provided with or linked

    from these instructions, APA documentation is NOT required.

    • Citing material or resources beyond what is provided here is NOT required.

    • However, you should use basic attribution and mention the source of any data, ideas

    or policies that you mention, which will help establish the credibility and authority of

    the memo.

    o For example, mentioning that the Payment Card Industry Data Security

    Standards (PCI DSS) identify a certain control as best practice holds more

    weight than simply stating the control is a best practice without basic

    attribution.

    o Mentioning that Wired Magazine reported that a City of San Francisco IT

    technician effectively hijacked and locked 60% of the city’s network capacity,

    is more effective than saying “I read somewhere that…”

     

     

     

     

     

    Professional Memo 4

     

     

    Resources

    1. Examples of Security Breaches Due to Insider Threats

    San Francisco Admin Charged With Hijacking City’s Network Microsoft database leaked because of employee negligence

    General Electric employees stole trade secrets to gain a business advantage

    Former Cisco employee purposely damaged cloud infrastructure

    Twitter users scammed because of phished employees

    2. PCI DSS Goals:

     

    (source: https://www.pcisecuritystandards.org/merchants/process)

     

     

     

     

    https://www.wired.com/2008/07/sf-city-charged/
    https://www.forbes.com/sites/daveywinder/2020/01/22/microsoft-security-shocker-as-250-million-customer-records-exposed-online/?sh=2465e60e4d1b
    https://www.fbi.gov/news/stories/two-guilty-in-theft-of-trade-secrets-from-ge-072920
    https://www.bankinfosecurity.com/ex-cisco-engineer-pleads-guilty-in-insider-threat-case-a-14917
    https://en.wikipedia.org/wiki/2020_Twitter_bitcoin_scam
    https://www.pcisecuritystandards.org/merchants/process

     

    Professional Memo 5

    3. References

    FBI. (2021). The Insider Threat: An Introduction to Detecting and Deterring an Insider Spy.

    https://www.fbi.gov/file-repository/insider_threat_brochure.pdf/view

     

    PCI DSS. (2021, Feb. 12). Payment Card Industry Security Standards.

    Official PCI Security Standards Council Site

    Jingguo Wang, Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis

    of attack-proneness of information systems applications. MIS Quarterly, 39(1), 91-A7.

    https://search-ebscohost-

    com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost-

    live&scope=site

    Professor Messer. (2014). Authorization and access control [Video file]. YouTube.

    U.S. DHS. (2021). Insider Threat. https://www.dhs.gov/science-and-technology/cybersecurity-

    insider-threat

    Wizuda. (2017). Data anonymisation simplified [Video file]. YouTube.

    Yuan, S., & Wu, X. (2021). Deep learning for insider threat detection: Review, challenges and

    opportunities. Computers & Security. https://doi-

    org.ezproxy.umgc.edu/10.1016/j.cose.2021.102221

    Keywords: risk assessment, insider threats, data security

     

     

     

     

    Submitting Your Assignment

    Submit your document via your Assignment Folder as Microsoft Word document, or a document that can

    be ready using MS Word, with your last name included in the filename. Use the Grading Rubric below to be sure you have covered all aspects of the assignment.

     

    https://www.fbi.gov/file-repository/insider_threat_brochure.pdf/view
    https://www.pcisecuritystandards.org/
    https://search-ebscohost-com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost-live&scope=site
    https://search-ebscohost-com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost-live&scope=site
    https://search-ebscohost-com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost-live&scope=site
    https://www.youtube.com/watch?v=6aXMuJPkuiU
    https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat
    https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat
    https://www.youtube.com/watch?v=m9UxV4XaXwg
    https://doi-org.ezproxy.umgc.edu/10.1016/j.cose.2021.102221
    https://doi-org.ezproxy.umgc.edu/10.1016/j.cose.2021.102221

     

    Professional Memo 6

     

    GRADING RUBRIC:

     

     

    Criteria

     

    Far Above

    Standards

     

    Above Standards

     

    Meets Standards

     

    Below Standards

     

    Well Below

    Standards

     

    Possible

    Points

    Summary of

    Risk

    Assessment

    15 Points

    Summary is highly

    effective, thorough and professional.

    12.75 Points

    Summary is

    effective, thorough and professional.

    10.5 Points

    Summary is

    somewhat effective, thorough

    and professional.

    9 Points

    Summary is

    lacking.

    0-8 Points

    Stated

    requirements

    for this section

    are severely

    lacking or

    absent.

    15

    Background

    and

    Importance

    (to the Client)

    of Data

    Security and

    Insider

    Threats

    10 Points

    Discussion of

    ba5ckground, data

    security and insider threats is

    highly effective, thorough, and

    professional.

    8.5 Points

    Discussion of

    background, data

    security and insider threats is effective,

    thorough, and professional.

    7 Points

    Discussion of

    background, data

    security and insider threats is

    somewhat effective,

    thorough, and

    professional.

    6 Points

    Discussion of

    background, data

    security and insider threats is

    lacking.

    0-5 Points

    Stated

    requirements

    for this section are severely

    lacking or absent.

    10

    Concerns,

    Standards,

    Best Practices:

    Justify

    Concerns and

    Clarify

    Standards

    15 Points

    Discussion of concerns and

    standards is highly effective,

    thorough, and professional.

    12.75 Points

    Discussion of concerns and

    standards is effective, thorough,

    and professional.

    10.5 Points

    Discussion of concerns and

    standards is somewhat

    effective, thorough, and

    professional.

    9 Points

    Discussion of concerns or

    standards is lacking.

    0-8 Points

    Stated requirements

    for this section are severely

    lacking or absent.

    15

    Concerns,

    Standards,

    Best Practices:

    Three current

    practices

    identified and

    justified as

    best practice

    15 Points

    Three highly

    relevant current practices are

    offered and justified as best

    practices. Overall

    presentation is clear, concise, and

    professional.

    12.75 Points

    Section may be

    lacking in number of

    recommendations or relevancy or

    justification or

    overall presentation.

    10.5 Points

    Section is lacking

    in number of recommendations

    or relevancy or justification or

    overall

    presentation.

    9 Points

    Section is lacking

    in two or more of the following:

    number of recommendations

    or relevancy or

    justification or overall

    presentation.

    0-8 Points

    Stated

    requirements for this section

    are severely lacking or

    absent.

    15

     

     

    Professional Memo 7

     

     

     

     

    Action Steps:

    Three

    recommendati

    ons minimum

    identified and

    justified

    including

    some

    discussion of

    cost

    considerations

    20 Points

    Three highly

    relevant recommendations

    are offered and justified, with

    effective

    discussion of cost considerations.

    Overall presentation is

    clear, concise, and

    professional.

    17 Points

    Section may be

    lacking in number of

    recommendations or relevancy or

    justification or a

    discussion of cost considerations or

    overall presentation.

    14 Points

    Section is lacking

    in number of recommendations

    or relevancy or justification or a

    discussion of cost

    considerations or overall

    presentation.

    12 Points

    Section is lacking

    in two or more of the following:

    number of recommendations

    or relevancy or

    justification or a discussion of cost

    considerations or overall

    presentation.

    0-11 Points

    Stated

    requirements for this section

    are severely lacking or

    absent.

    20

    Basic

    Attribution

    (overall)

    10 Points

    Overall use of basic attribution is

    highly effective in establishing

    credibility and authority.

    8.5 Points

    Overall use of basic attribution is

    effective in establishing

    credibility and authority.

    7 Points

    Overall use of basic attribution is

    partially effective in establishing

    credibility and authority.

    6 Points

    Overall use of basic attribution

    is partially effective in

    establishing credibility and

    authority.

    Additional basic attribution may

    have been needed.

    0-5 Points

    Overall use of basic

    attribution was minimally

    effective or not used.

    10

    Overall

    Format:

    APA

    documentatio

    n needed only

    if sources

    external to the

    assignment

    are introduced

    15 Points

    Submission

    reflects effective

    organization and sophisticated

    writing; follows instructions

    provided; uses

    correct structure, grammar, and

    spelling; presented in a professional

    format; any references used

    are appropriately

    incorporated and cited using APA

    style.

    12.75 Points

    Submission reflects

    effective

    organization and clear writing;

    follows instructions provided; uses

    correct structure,

    grammar, and spelling; presented

    in a professional format; any

    references used are appropriately

    incorporated and

    cited using APA style.

    10.5 Points

    Submission is

    adequate, is

    somewhat organized, follows

    instructions provided; contains

    minimal grammar

    and/or spelling errors; and follows

    APA style for any references and citations.

     

    9 Points

    Submission is not

    well organized,

    and/or does not follow

    instructions provided; and/or

    contains

    grammar and/or spelling errors;

    and/or does not follow APA style

    for any references and

    citations. May

    demonstrate inadequate level

    of writing.

    0-8 Points

    Document is

    poorly written

    and does not convey the

    necessary information.

     

    15

    TOTAL Points

    Possible

    100

 

“Looking for a Similar Assignment? Get Expert Help at an Amazing Discount!”

The post IFSM 201 Professional Memo appeared first on nursing writers.

 

"Is this question part of your assignment? We Can Help!"

Essay Writing Service