Risk Assessment Summary
This review provides a risk assessment, background information, best practices, and action steps to enhance ethical, data, and privacy security at Odenton Town Hall, Anne Arundel County, Maryland. The inquiry found that although some IT security measures are in place, they are insufficient to ensure full compliance with the PCI Data Security Standards. Some of the identified issues included a lack of staff training, inadequate physical barriers, the absence of a secure remote connection (VPN), and inefficient channels for transferring sensitive data. The broad recommendation is to modify security measures to ensure compliance with the PCI Data Security Standards, as discussed further in this memo.
Background
Odenton Town Hall is concerned about the state of their cybersecurity, particularly regarding insider threats. According to the Guide to Safe Payments, over 50% of small businesses suffer hacking and information breach attacks within a single year (PCI, 2018). A prime example is the San Francisco IT security crisis, in which a single technician locked out 60% of the city’s network capacity, according to PCI (2018). In light of these potential threats, Greater Washington Risk Associates (GWRA) was hired to assess Odenton Town Hall’s security measures, identify weaknesses, and provide a comprehensive plan of action, with a specific focus on malicious insiders.
Concerns, Standards, Best Practices
The city already implements some of the best practices and recommendations for IT security. Namely, the demands for password complexity are high. Additionally, the software for security and transactions is regularly updated. However, other areas of concern have also been identified.
First, a secure VPN connection is not used when residents’ accounts are being updated, which contradicts the PCI Standards (2018) and best practices. Second, the physical security of the premises against intrusion is suspect – during the working day, all doors are open, and cameras are not widely utilized. Standards and best practices recommend keeping areas containing sensitive information locked at all times and installing cameras to monitor potential threats within. Third, employees themselves have demonstrated a low awareness of potential cybersecurity threats, and no employee training is in place. Such training is necessary to improve security, according to PCI (2018).
Action Steps
Introducing Online Transactions
Several action steps can be taken to enhance data security and increase its resilience against both external and internal threats. First, it must be acknowledged that a telephone-based banking service is a highly vulnerable way of handling data. It requires all sensitive information, such as first and last name, card number, date, PIN code, and so forth, to be spoken aloud, enabling third parties to overhear information being passed on, on both sides.
To address this issue, Odenton Town Hall should explore secure online transactions. While these are, in theory, more vulnerable to hacking attempts, the possibility of sensitive data being overheard is greatly minimized (PCI, 2018). This would be the most expensive security measure of all, since it would require software and hardware integration between the Hall and banking systems.
Enhancing Physical Security
Second, physical security ought to be improved. Individuals receiving people’s credentials are to be isolated in separate rooms, with locked doors during working hours, and cameras are present to observe who enters and exits the rooms (PCI, 2018). That way, if someone unauthorized enters a protected area, it would be easy to identify them. Installing cameras could also be a costly venture, depending on the number of secure rooms that need to be overseen.
Training Employees
The third solution is to engage in employee training. A basic understanding of data protection, email security, and password management is necessary. Personal flashcards should be banned because they pose a security risk (PCI, 2018). This training would require several workdays off for each person trained. Additionally, expenditures for training must also be taken into account. Overall, however, this measure is less costly than the other two. It is estimated that, with the existing Anne Arundel County budget, the proposed measures could be implemented within 3 months.
References
PCI Security Standards Council (PCI). (2018). Guide to safe payments.