
Running head: CYBERSECURITY HEALTH SELF-ASSESSMENT 1

Cybersecurity Health Self-Assessment

Name of Student

Institutional Affiliation

Cybersecurity Health Self-Assessment

Introduction

Cybersecurity is a subject of constant debate among an organization's chief stakeholders, and the sources of threats continue to multiply. It falls to IT professionals who focus on cybersecurity to implement controls that stop attackers who seek to disrupt the organization's activities (Collier et al., 2014). Government offices are among the organizations that frequently face cyber attacks. Most security attention goes to central government organizations, leaving small offices exposed. Many local government offices and agencies lack the resources required to establish good cybersecurity practices. This project is designed to help government special service districts (SSDs) understand their risks through a simple assessment. SSDs include fire districts, water districts, recreation districts and other small government bodies that serve the public. These districts have few full-time employees and therefore no dedicated technology or security staff. Free assessment tools from NIST and NCCIC, such as CSET, are simply too complicated for SSDs. A simpler tool is needed that performs a basic evaluation of protections and returns easy-to-understand results.

Today government agencies are under siege from cybercriminals just as ordinary businesses are, but they also face targeted attacks because of their government status. Foreign nation-state actors target government agencies to create havoc by disrupting US government operations. One of the easiest places to begin is by understanding your own environment. This sounds simple, but most government leaders responsible for the operations of their agency know little about their technology environment, which prevents them from using a complex assessment tool from NIST or NCCIC. With this tool, an in-depth understanding of the technology is not necessary; the results can nevertheless be linked to industry-accepted standards and goals.

The assessment quickly collates the key things you know, and do not know, about your environment, and it may surface topics you were unaware of but need to address. It is organized into four sections so that the results are easy to consume, giving four scored areas on which the SSD may choose to focus its limited resources over time: protection of identities in an online environment, security of the organization's applications and data, use of device management tools, and protection and security of the infrastructure. Results are scored on the strength of the protections in each area, and reassessments can be performed to track progress.
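The following Python example, added here for illustration and not the assessment tool this paper describes, shows how such a four-area score can be computed from yes/no answers and compared across two assessments. The question list, the doubled weight for "critical" controls and the rating thresholds are assumptions chosen for the example; an unanswered question is deliberately scored as a "no", because not knowing is exactly the gap the assessment is meant to expose.

```python
"""Score a simple four-area cybersecurity self-assessment.

Added example: the question list, the 'critical' weighting and the rating
thresholds are assumptions for illustration, not the paper's tool.
"""
from dataclasses import dataclass

AREAS = ("identities", "applications_and_data", "device_management", "infrastructure")


@dataclass(frozen=True)
class Question:
    area: str
    text: str
    critical: bool = False  # critical controls count double


QUESTIONS = [
    Question("identities", "Multi-factor authentication is required for all staff accounts", True),
    Question("identities", "Accounts are disabled promptly when staff leave"),
    Question("identities", "Authentication logs are kept and reviewed"),
    Question("applications_and_data", "Backups of critical data exist and are restore-tested", True),
    Question("applications_and_data", "Data at rest in cloud storage is encrypted"),
    Question("applications_and_data", "Only TLS 1.2 or later is accepted for remote connections"),
    Question("device_management", "Operating-system patches are applied within 30 days", True),
    Question("device_management", "Staff do not hold local administrator rights"),
    Question("device_management", "Laptops and phones use full-disk encryption"),
    Question("infrastructure", "The firewall denies all inbound traffic by default", True),
    Question("infrastructure", "A written disaster recovery plan exists and has been exercised"),
    Question("infrastructure", "Endpoint protection is installed on every server and workstation"),
]


def score(answers: dict) -> dict:
    """answers maps question text -> True (control in place) / False.
    Returns the percentage score per area.  An unanswered question counts as
    False: 'we don't know' is the gap the assessment should surface."""
    earned = {a: 0 for a in AREAS}
    possible = {a: 0 for a in AREAS}
    for q in QUESTIONS:
        weight = 2 if q.critical else 1
        possible[q.area] += weight
        if answers.get(q.text, False):
            earned[q.area] += weight
    return {a: round(100 * earned[a] / possible[a]) for a in AREAS}


def rating(percent: int) -> str:
    """Map a percentage to a plain-language rating (thresholds are assumptions)."""
    if percent >= 80:
        return "strong"
    if percent >= 50:
        return "developing"
    return "weak"


def progress(before: dict, after: dict) -> dict:
    """Per-area change between two assessments, for tracking progress over time."""
    return {a: after[a] - before[a] for a in AREAS}


# Constructed sample: a first assessment and a reassessment some months later.
FIRST = {
    "Accounts are disabled promptly when staff leave": True,
    "Data at rest in cloud storage is encrypted": True,
    "Operating-system patches are applied within 30 days": True,
    "The firewall denies all inbound traffic by default": True,
}
SECOND = dict(FIRST, **{
    "Multi-factor authentication is required for all staff accounts": True,
    "Laptops and phones use full-disk encryption": True,
})

if __name__ == "__main__":
    s1, s2 = score(FIRST), score(SECOND)
    for area in AREAS:
        print(f"{area:24s} {s1[area]:3d}% ({rating(s1[area])}) -> {s2[area]:3d}% ({rating(s2[area])})")
```

Running the sample shows identities moving from 25% to 75% once MFA is in place, while applications and data stay at 25%, which is the kind of per-area signal a district with no security staff can act on.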



Protecting Identities

Identity protection is a central objective of cybersecurity. The internet does not only provide information; it is also the medium through which much business is conducted. Online services hold their customers' data on their servers, so the organization has a duty to protect both its customers and itself from probable cyberattacks. Any business, organization or other entity with an online presence therefore needs strategies that protect it from possible attacks (Claypoole & Payton, 2016).

Use of Access Policies

Cybercrimes typically target weak online identities that are easy to crack with automated tools. These tools look for weak points in the identity system an organization has established, and attacks concentrate on organizations whose identity systems are easier to compromise. Once credentials are obtained, the organization is exposed to further compromise. It is therefore essential that the SSD establish privileged access management that recognizes only approved users, grants each of them the least privilege their duties require, and so limits the damage an attacker can do with a single stolen credential. An established access policy reduces the risk of a successful attack, and a sound password and identity management system protects the organization, its employees and its customers from cyber attack (Foster et al., 2015).

Dual Sign in and Multi-Factor Authentication

It is also essential that the SSD adopt multi-factor authentication. The most common form is two-factor authentication (2FA), which asks the user to prove they are who they claim to be by presenting a second, independent factor (something they have, such as a hardware token or an authenticator app, in addition to the password they know). Only the SSD administration and approved individuals should hold the second factor. Single-factor (password-only) sign-in is therefore not recommended, especially for activities that are favourite targets of attackers, such as online banking and storing confidential information (Clark et al., 2017).

Continued Use of Unsigned Applications

A cyber attack can also occur while an unaware victim is simply using a device (smartphone or computer), through the installation of applications that have not passed the review of an approved application store. Unsigned apps are applications that carry no valid code signature from a trusted publisher and are not distributed through the platform's application store. Many of them are deceptive applications bearing malware that can leave a device vulnerable. To curb this risk, device manufacturers have built protections against malicious applications: Android blocks installation of applications from outside the Google Play Store under its default security settings, and Windows warns about unrecognized or unsigned downloads through the SmartScreen feature. These precautions are not very effective when the user can simply dismiss the warning and install the application anyway. iOS, on the other hand, does not permit installation of unsigned applications, and its security model is difficult to jailbreak. The organization can therefore stop the use of unsigned applications in the working environment by withholding local administrator rights on its computers, so that ordinary employees cannot install unapproved or malicious applications (Claypoole & Payton, 2016).

Syncing Identities Between Service Providers



A data breach can also result when the SSD's own directory of users is not synchronized with its cloud service providers, so that an account disabled or removed locally remains active with the provider. Because a service provider sees all the activity passing through its service, proper synchronization of the organization's identities to the provider is essential to security: accounts are then created, updated and disabled in one place, and the provider can recognize and block unrecognized activity against the organization's accounts.

Use of Security Systems with Auditing Capabilities


The SSD should adopt security systems that can produce a comprehensive log of all activity over a given period. This lets the organization's IT staff examine where a server may have been compromised and act accordingly. The log should show what happened in the past and what is happening now, and when a threat emerges the system should alert the IT team in time for them to act. Without a monitoring mechanism in the security services in use, the organization is blind to an impending threat. The system should also be able to create and evaluate security metrics, benchmark the environment through vulnerability and penetration testing, and support an internal audit that yields options for improving security (McDonald et al., 2016).
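To show what "the system should warn the IT team in time" looks like in practice, the following Python example (added for this page, not code from any product the paper cites) runs a simple detection over authentication log lines: it raises an alert when one source address accumulates five failed sign-ins within ten minutes, and a second, higher-priority alert if that same address then succeeds. The log format and the sample lines are constructed for the example, and the threshold and window are assumptions to be tuned to the district's own traffic.

```python
"""Detect brute-force sign-in attempts from an authentication log.

Added example; the log lines are constructed in a syslog-like format and the
threshold (5 failures within 10 minutes) is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, result, user, source IP).
SAMPLE_LOG = """\
2024-03-04T08:00:01 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-04T08:00:03 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-04T08:00:05 LOGIN_FAILED user=root src=203.0.113.7
2024-03-04T08:00:09 LOGIN_FAILED user=clerk src=203.0.113.7
2024-03-04T08:00:14 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-04T08:00:20 LOGIN_OK user=admin src=203.0.113.7
2024-03-04T08:05:00 LOGIN_FAILED user=jsmith src=192.0.2.10
2024-03-04T08:30:00 LOGIN_OK user=jsmith src=192.0.2.10
2024-03-04T09:00:00 LOGIN_FAILED user=jsmith src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse(log_text: str):
    """Yield (timestamp, result, user, src) tuples; malformed lines are skipped, never trusted."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when one source IP accumulates `threshold` failures inside a sliding
    window, and flag separately if that IP then succeeds (likely compromised account)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, result, user, src in parse(log_text):
        if result == "LOGIN_FAILED":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()          # drop failures older than the window
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"{ts.isoformat()} BRUTE_FORCE src={src} failures={len(recent)}")
        elif result == "LOGIN_OK" and src in flagged:
            alerts.append(f"{ts.isoformat()} SUCCESS_AFTER_BRUTE_FORCE src={src} user={user}")
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, the address 203.0.113.7 trips the threshold at 08:00:14 and then succeeds as "admin" six seconds later, which is the event that should page someone; the scattered failures from 192.0.2.10 do not alert, because a single mistyped password an hour apart is normal user behaviour.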

Securing Applications and Data

Another area on which the SSD should focus is the security of applications and data. This matters when the organization develops software to perform some of its tasks. The application should pass all integrity checks and be properly licensed on every platform on which it runs. Before deploying applications, the IT department and the software development team should find and fix security weaknesses during development rather than after release. The IT department should also ensure that deployed applications are protected by controls such as code signing and DRM where appropriate, choosing protections strong enough to hinder attackers from tampering with the system (Porras et al., 2015).

Encryption of Data at Rest and Data in Transit

Data stored in the cloud must be encrypted with an algorithm that is computationally infeasible to break. The Advanced Encryption Standard (AES) is a well-studied symmetric block cipher with no known practical attack against its full-strength versions. With AES, only the data owner and approved users who hold the secret key can read the data, so the strength of the protection depends on how the key is generated, stored and shared rather than on the algorithm itself. The organization should therefore choose a cloud storage solution that encrypts data with AES and manages the keys soundly. Data in motion, or data in transit, must also be protected. Data in transit is data actively moving from one place to another over the internet or a local network, and it must be protected while moving because it is exposed to interception along the way. This means using Transport Layer Security (TLS), the successor to the Secure Sockets Layer (SSL) protocol, which encrypts and authenticates data moving between two endpoints; SSL itself is deprecated and should be disabled in favour of TLS 1.2 or later.
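The following Python example, added here and not code from the paper or any cited work, shows the configuration point that matters for data in transit: a client context that accepts only TLS 1.2 or later and verifies the server's certificate and hostname, beside the weak configuration it should replace, with a check that reports why the weak one fails. It uses Python's standard ssl module and makes no network connection.

```python
"""Build and check a TLS client configuration that refuses SSL and early TLS.

Added example using Python's standard ssl module; no connection is made.
The 'legacy' context exists only to show what the check rejects.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2 or later only, with certificate and hostname verification on
    (the defaults of create_default_context), so data in transit is both
    encrypted and sent to the party we think we are talking to."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """What NOT to deploy: verification disabled and any protocol version the
    library still offers.  Traffic is encrypted but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_problems(ctx: ssl.SSLContext) -> list:
    """Return the reasons a context fails the 'TLS 1.2+, verified' baseline (empty = passes)."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows SSL/TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("does not require a valid server certificate")
    if not ctx.check_hostname:
        problems.append("does not check the certificate hostname")
    return problems


def is_hardened(ctx: ssl.SSLContext) -> bool:
    return not context_problems(ctx)


if __name__ == "__main__":
    print("hardened:", context_problems(hardened_client_context()) or "passes baseline")
    print("legacy:  ", context_problems(legacy_client_context()))
```

The same three properties (minimum version, certificate verification, hostname check) are what to look for in the settings of any vendor product or cloud service the district connects to; a service that only offers TLS 1.0 or SSL 3 should be treated as unencrypted for risk purposes.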



Compliance with Privacy Regulations

Compliance with privacy regulations is also essential when an organization wants to keep its data safe. Organizational data normally includes records about individuals, some of it confidential and never to be disclosed. Privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA) must be followed so that user data privacy and security are upheld. HIPAA requires organizations that handle protected health information to maintain administrative, physical and technical safeguards to protect patients' sensitive data (Todeschini et al., 2017).

Availability of Information Access Policies


Information access policies are the rules that apply to all employees and staff when they use the organization's technology assets on its premises or its networks, and they require each employee to comply with the laid-down rules. One such policy is the Acceptable Use Policy (AUP), which sets the limits within which an individual may use the organization's IT assets to access the internet; normally the individual reads and signs the AUP before being issued a network ID. Another is the Access Control Policy (ACP), which defines what access to the organization's data and information systems is available to employees in different roles: an employee in a junior role has limited access to organizational data, while a more senior or more specialized role has broader access. This preserves sensitive information by restricting access to those who need it.

It is therefore critical that the organization has a well-structured, documented information access policy that is visible to all employees. Without such a policy, an employee may gain access to restricted, sensitive data, with unwanted consequences for the organization once that data gets out.
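The access policy described above, and the privileged access management recommended earlier under Use of Access Policies, both come down to one mechanism: every request is checked against the requester's role and denied unless a role explicitly grants it. The following Python example, added for this page and not drawn from any cited source, implements such a role-based check; the roles, resources, permissions and sample users are assumptions chosen to resemble a small water or fire district.

```python
"""Role-based access control enforcing an access control policy (ACP).

Added example; the roles, resources and permissions are assumptions showing
how access is granted by role, with deny as the default.
"""
from dataclasses import dataclass, field

# Constructed ACP: each role holds only what its duties require (least privilege).
# Permissions are (resource, action) pairs; anything not listed is denied.
ROLE_PERMISSIONS = {
    "field_staff": {("work_orders", "read"), ("work_orders", "update")},
    "billing_clerk": {("customer_accounts", "read"), ("customer_accounts", "update"),
                      ("work_orders", "read")},
    "district_manager": {("customer_accounts", "read"), ("work_orders", "read"),
                         ("financial_reports", "read")},
    "it_admin": {("user_accounts", "read"), ("user_accounts", "update"), ("audit_logs", "read")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    signed_aup: bool = False   # acceptable use policy signed before a network ID is issued
    enabled: bool = True


@dataclass
class Decision:
    allowed: bool
    reason: str               # written so the decision can be logged and audited


def authorize(user: User, resource: str, action: str) -> Decision:
    """Return an allow/deny decision with an auditable reason.  Deny is the default."""
    if not user.enabled:
        return Decision(False, f"{user.name}: account disabled")
    if not user.signed_aup:
        return Decision(False, f"{user.name}: acceptable use policy not signed")
    for role in sorted(user.roles):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return Decision(True, f"{user.name}: {action} {resource} granted via role '{role}'")
    return Decision(False, f"{user.name}: no role grants {action} on {resource}")


def effective_permissions(user: User) -> set:
    """Everything a user can do; useful when reviewing whether a role has grown too broad."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


# Constructed sample users.
ALICE = User("alice", {"field_staff"}, signed_aup=True)
BOB = User("bob", {"billing_clerk", "district_manager"}, signed_aup=True)
EVE = User("eve", {"it_admin"}, signed_aup=True, enabled=False)   # has left the district

if __name__ == "__main__":
    checks = [(ALICE, "customer_accounts", "read"), (BOB, "customer_accounts", "update"),
              (BOB, "user_accounts", "update"), (EVE, "audit_logs", "read")]
    for user, resource, action in checks:
        print(authorize(user, resource, action).reason)
```

Two details carry most of the security value: a disabled account is refused before any role is consulted (the synchronization problem noted under Syncing Identities), and the reason string is produced for every decision so that denied attempts can be logged and reviewed under the auditing section.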

Device Management

Device management plays an essential role in making an organization safer from cyber attack. The IT team should oversee the acquisition of devices that provide a manageable configuration interface, can be set up consistently even for complex deployments, and support both real-time and preventive measures during maintenance. This helps staff become familiar with the basic operation of the devices and know how to act when a cyber attack is suspected (Von Bokern et al., 2015).

Establishment of Device Compliance Policy

An organization also needs a device compliance policy that applies to all employees and staff who use devices in the organization. The policy should require that every device connecting to the organization complies with the security measures set by the IT department (Von Bokern et al., 2015). To strengthen security further, the organization should reserve the right to deny access to its resources to any device that does not meet those standards. This policy is critical because it protects not just one device but every device on the same network, and it also helps prevent unauthorized people from accessing the organization's resources (Caballero, 2015).

Adopting the Use of Device Management Tools

Device management tools help the IT department manage and secure the devices employees use on the organization's premises and elsewhere. They monitor and secure devices across multiple vendors and operating systems. The IT department must ensure that devices are fit to run in the organization's environment by verifying that they are secure, must limit access to organizational information to authorized individuals, and must prevent employees from installing questionable third-party software. Finally, the IT department should make lost devices easy to locate and recover, and where a device cannot be recovered the management tools should be able to wipe the data it holds remotely.

Keeping Up-to-date with Software and OS Updates

Software and OS updates deliver security fixes as well as the improvements that keep software running smoothly. Ignoring them leaves devices vulnerable, because new security gaps are discovered in software and operating systems all the time. The IT department should therefore apply updates promptly whenever a new version or patch is released. An update usually fixes bugs present in the earlier version and addresses known security issues in the software the organization uses, and so reduces the risk of attack against the operating system and applications (Von Bokern et al., 2015).



Enforcing Mobile Device Encryption


When staff use mobile devices that are not encrypted, the data on those devices can be read by anyone who gets hold of them. Often that data is sensitive to the organization and must be kept confidential; in the wrong hands it becomes a real threat. It may include account details of staff and customers, and once leaked an individual may lose control of, or be locked out of, those accounts. The same applies to the organization, which can be locked out of an online provider's services once its credentials have been compromised. Although full-device encryption is not always enabled by default, particularly on older devices and laptops, it should be enforced to protect the organization as well as its staff and customers.
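The device compliance policy, the update requirement and the encryption requirement above are usually enforced together, as a single check a device must pass before it is allowed to reach organizational resources. The following Python example (added here; not any vendor's management product, whose inventory fields and schema differ) evaluates a small constructed inventory against such a policy and explains every failure. The minimum OS versions, the 30-day patch limit and the record fields are assumptions.

```python
"""Evaluate devices against a device compliance policy before granting access.

Added example; the inventory records, the thresholds (patch age, OS minimums)
and the field names are assumptions, not any vendor's MDM schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Device:
    name: str
    os: str                       # "windows", "macos", "ios", "android"
    os_version: tuple             # e.g. (10, 0, 19045); tuples compare element-wise
    last_patched: date
    disk_encrypted: bool
    endpoint_agent_running: bool
    mdm_enrolled: bool
    user_is_local_admin: bool


# Constructed policy: minimum supported OS version per platform, patches no older than 30 days.
MIN_OS = {"windows": (10, 0, 19045), "macos": (13, 0), "ios": (16, 0), "android": (13,)}
MAX_PATCH_AGE = timedelta(days=30)


def compliance_findings(d: Device, today: date) -> list:
    """Return every policy failure for the device (an empty list means compliant)."""
    findings = []
    if not d.mdm_enrolled:
        findings.append("not enrolled in device management")
    if d.os_version < MIN_OS.get(d.os, ()):
        findings.append(f"{d.os} version {'.'.join(map(str, d.os_version))} below supported minimum")
    patch_age = today - d.last_patched
    if patch_age > MAX_PATCH_AGE:
        findings.append(f"patches are {patch_age.days} days old (limit {MAX_PATCH_AGE.days})")
    if not d.disk_encrypted:
        findings.append("storage is not encrypted")
    if not d.endpoint_agent_running:
        findings.append("endpoint protection agent not running")
    if d.user_is_local_admin:
        findings.append("user holds local administrator rights")
    return findings


def access_decision(d: Device, today: date) -> str:
    """Deny access to organizational resources unless the device is fully compliant.
    A device that is not enrolled cannot be located or wiped if lost, so it never passes."""
    findings = compliance_findings(d, today)
    return "allow" if not findings else "deny: " + "; ".join(findings)


# Constructed inventory, evaluated as of a fixed date so the result is reproducible.
TODAY = date(2024, 3, 4)
FLEET = [
    Device("fin-laptop-01", "windows", (10, 0, 19045), date(2024, 2, 20), True, True, True, False),
    Device("ops-laptop-02", "windows", (10, 0, 18363), date(2023, 11, 1), False, True, True, True),
    Device("mgr-phone-01", "ios", (17, 2), date(2024, 3, 1), True, True, False, False),
]

if __name__ == "__main__":
    for dev in FLEET:
        print(f"{dev.name:14s} {access_decision(dev, TODAY)}")
```

Reporting every finding rather than stopping at the first one matters for a district without IT staff: the person fixing "ops-laptop-02" learns in one pass that it needs an OS upgrade, four months of patches, disk encryption and the removal of local administrator rights.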



Secure Infrastructure

Infrastructure security focuses on protecting an organization's connected systems, assets and resources (Jamie et al., 2016). It defends the organization's structures against cyber attacks that can cost a great deal to recover from; when assets are compromised, the organization's work is disrupted. The organization should therefore identify ways to achieve infrastructure security, one of which is creating policies that secure its assets (Jamie et al., 2016).

Adoption of Modern Firewall Rules

The firewall is the organization's first line of defense. It sits at the gateway for all internet-bound activity, such as sending and receiving email, and blocks hostile traffic and malware that would otherwise reach the systems behind it while users are online. A traditional firewall is hardware running software that blocks unauthorized network access; it is configured to allow or block particular traffic according to the rules set for it, matching on addresses, ports and protocols. A next-generation firewall (NGFW) goes further: it adds application awareness, which makes the security policy stronger and provides a better platform for dealing with emerging threats (Biringer, 2016). Whatever the model, the rules should follow a default-deny posture, permitting only the traffic the organization needs, and they should be reviewed regularly so that temporary exceptions do not become permanent holes.
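The following Python example, added here rather than taken from the paper or any firewall vendor, shows the two rule-set properties that the firewall section depends on: first-match evaluation with an implicit default deny, and the way a single over-broad rule left near the top of the list silently shadows every rule beneath it. The rule set, addresses and probe packets are constructed for the example.

```python
"""First-match firewall rule evaluation with a default-deny posture.

Added example; the rule set and test packets are constructed to show why
rule order matters and why everything not explicitly allowed must be denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR
    dst: str                 # CIDR
    dport: Optional[int]     # None = any destination port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: list, pkt: Packet) -> tuple:
    """First matching rule wins; anything unmatched is dropped (implicit default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def shadowed_rules(rules: list) -> list:
    """Comments of rules that can never fire because an earlier rule covers their whole scope."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("any", later.proto)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                out.append(later.comment)
                break
    return out


# Constructed inbound rule set for a district office: 192.0.2.0/24 is the office LAN,
# 198.51.100.5 a public web server in a DMZ, 203.0.113.9 the IT vendor's VPN endpoint.
GOOD_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "198.51.100.5/32", 443, "public HTTPS to web server"),
    Rule("allow", "tcp", "203.0.113.9/32", "192.0.2.0/24", 3389, "vendor RDP from its VPN only"),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "explicit cleanup deny"),
]

# The same rules with a common mistake: a 'temporary' allow-all left at the top.
BAD_RULES = [Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0", None, "TEMP troubleshooting")] + GOOD_RULES

if __name__ == "__main__":
    probes = [Packet("tcp", "198.51.100.77", "198.51.100.5", 443),
              Packet("tcp", "203.0.113.9", "192.0.2.10", 3389),
              Packet("tcp", "198.51.100.77", "192.0.2.10", 3389)]
    for p in probes:
        print("good:", evaluate(GOOD_RULES, p), " bad:", evaluate(BAD_RULES, p))
    print("shadowed in BAD_RULES:", shadowed_rules(BAD_RULES))
```

The explicit cleanup deny at the end of GOOD_RULES is redundant with the implicit default but is still worth keeping, because it gives the denied traffic a named rule to log against; running shadowed_rules over an exported rule set is a cheap periodic review that catches the BAD_RULES mistake before an attacker does.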

Establishment of Disaster Recovery Plans

A disaster recovery plan (DRP) is a set of documented guidelines that gives the organization a systematic approach and instructions for responding to unplanned events. It lists the precautions that minimize the impact of a disaster on day-to-day activities and explains how the organization can resume those activities quickly. With an effective DRP in place, the organization can build a recovery strategy at the business level that determines which systems and software are essential to daily operations. The recovery strategy sets out the organization's overall plan for responding to an incident, while the DRP spells out how the organization is to carry out that response. The strategy covers factors such as the budget set aside for recovery, the staff and positions at risk, the technology to be adopted, the data that could be lost, and suppliers.

Establishment of a Physical Network Design

A physical network design shows the primary components, such as fiber and ethernet cabling, switches and routers, on which the logical design of the network architecture is built. In other words, the physical design is the arrangement of computers and other components into a network, and it is one piece of the overall conceptual design. The SSD should adopt policies that govern the design of the logical network and explain how network resources will be used by employees. The organization may build the network from scratch or upgrade an existing design. Either way, it should consider what services it will offer to its clients, the traffic patterns the design must carry, and whether the network will be used only internally (for work) or whether external users outside the organization's domain will be given access to the network and its resources (Jamie et al., 2016).

Installation of Security Agent for Endpoints


Endpoint security refers to the measures that protect a business network when it is accessed by remote devices such as smartphones or laptops. It covers monitoring of device status, application software and activity. The IT department should ensure that all network servers and devices used by the organization have endpoint protection software installed and functioning. This is particularly valuable when a device is lost or stolen: without endpoint protection, the sensitive data the organization relies on may be lost or exposed.

Conclusion

This study has looked at the measures an organization can take to handle the threat of cyber attack and to respond if it is attacked. The duty lies chiefly with the IT department, which should be at the forefront of strengthening the organization's security. An organization must adopt cybersecurity measures that keep its systems, devices and networks out of the wrong hands, and those measures should also set out how the organization acts in the event of an attack. In the first area of study, identity protection, this is achieved when the organization and its staff apply safeguards such as an access policy, multi-factor authentication, refraining from unsigned applications on the organization's devices, keeping identities synchronized with service providers, and using protection tools that provide detailed logs of the events over a given period (Moore et al., 2016).

In the second area, the study shows how application and data security is essential to avoiding cyber attacks and examines techniques through which the IT department can preserve the integrity of applications and data. Strong, well-reviewed encryption should be used for data stored in the cloud, and data should be encrypted both at rest and in transit, since both are exposed without it: AES is the usual choice for data at rest, while TLS protects data in motion. The study also recommends that the organization comply with the privacy rules set by the relevant legislative bodies; failing to comply means the required safeguards are missing, which leaves the organization vulnerable. Finally, data security depends on clearly stated information access policies: limiting sensitive information to the few employees who need it protects data and privacy better than letting every employee know the inner details of the organization.

The third area is device management, which covers all the devices employees use, on the organization's premises or elsewhere. These devices must meet standard requirements that make them fit for work-related activities. A device compliance policy should emphasize that devices used in the organization must comply with its security measures. The IT department should also use device management tools to monitor, manage and secure those devices, and it is responsible for ensuring that all organizational devices run an up-to-date operating system and receive the latest patches. Finally, mobile device encryption is critical to protecting data on portable devices, especially when they are lost.

The final area is infrastructure security, addressed through the policies and frameworks that secure the organization's assets wherever they are. Adopting a modern firewall (NGFW) with well-maintained rules is essential, as is an appropriate disaster recovery plan that provides a strategy for recovering from an unintended incident. Designing a physical network, or upgrading an existing one, is another important element, and the study also emphasizes installing endpoint security software on both the network servers and the organization's devices.

Once these strategies are implemented, the organization's security will be substantially improved. No set of controls removes the threat of cyber attack entirely, but systems hardened in this way are markedly more difficult to break into, and repeating the assessment over time shows whether that posture is being maintained.



References

Biringer, B., Vugrin, E., & Warren, D. (2016). Critical infrastructure system security and resiliency. CRC Press.

Caballero, A. M. (2015). U.S. Patent No. 9,053,055. Washington, DC: U.S. Patent and Trademark Office.

Clark, A. T., Huebert, J. K., Payton, A. L., & Petri, J. E. (2017). U.S. Patent No. 14,872,954. Washington, DC: U.S. Patent and Trademark Office.

Claypoole, T., & Payton, T. (2016). Protecting your Internet identity: Are you naked online? Rowman & Littlefield.

Collier, Z. A., DiMase, D., Walters, S., Tehranipoor, M. M., Lambert, J. H., & Linkov, I. (2014). Cybersecurity standards: Managing risk and creating resilience. Computer, 47(9), 70-76.

Foster, J. C., Cullison, C. B., Francis, R., & Blair, E. (2015). U.S. Patent No. 9,191,411. Washington, DC: U.S. Patent and Trademark Office.

Jamie, M., Stewart, E., Peisert, S., Scaglione, A., McParland, C., Roberts, C., & McEachern, A. (2016). Micro synchrophasor-based intrusion detection in automated distribution systems: Toward critical infrastructure security. IEEE Internet Computing, 20(5), 18-27.

McDonald, P., Thompson, P., & O'Connor, P. (2016). Profiling employees online: Shifting public-private boundaries in organizational life. Human Resource Management Journal, 26(4), 541-556.

Moore, T., Dynes, S., & Chang, F. R. (2016). Identifying how firms manage cybersecurity investment. University of California, Berkeley.

Porras, P. A., Cheung, S., Fong, M. W., Skinner, K., & Yegneswaran, V. (2015). Securing the software defined network control layer. In NDSS.

Todeschini, E., Deloge, S. P., & Anderson, D. (2017). U.S. Patent No. 9,800,412. Washington, DC: U.S. Patent and Trademark Office.

Von Bokern, V. E., Goel, P., Schrecker, S., & Smith, N. M. (2015). U.S. Patent No. 8,955,075. Washington, DC: U.S. Patent and Trademark Office.
