Memo
Weak passwords compromise the security of the data systems run by Anne Arundel County's IT department.
The department also does not protect against internal and external threats to its software, including
operating systems, payment terminal software, and other applications. Because Odenton Township uses the
County's database system to change citizens' accounts, that system is exposed to attack. As a result,
protecting the system against tampering by Township employees does not necessitate using a virtual
private network. Because proper security measures are lacking, sensitive County information is exposed in
Odenton Township Hall. No one at the Township is trained in security procedures or data handling. Finally,
Odenton Township does not meet minimum security requirements. This memorandum provides further
context on insider threats and the critical nature of data security, and suggests strategies, technologies,
and policies that will help Odenton Township better protect against and respond to such attacks.
Background
The information technology departments of Odenton Township and Anne Arundel County should stress the
need for robust passwords, since these are the first line of defence against unauthorized access by hackers
or dishonest workers. Passwords also stop criminals from using a victim's computer to commit crimes that
would land the victim in trouble with the authorities. Strong passwords are crucial because they make it
harder for hackers and other malicious actors to access an account. Worse, cybercriminals who do get in can
impersonate their victims by stealing sensitive data, changing passwords, and taking over devices. Because
complex passwords are hard to break, hackers and other unauthorized users will often move on to easier
prey.
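To make the password guidance above concrete, here is an added example of a password policy check of the kind the Township's IT department could run at account creation or reset. It is illustrative code written for this memo, not part of the original memo or of any County system; the minimum length, the small blocklist of common passwords, and the rule names are assumptions chosen for the example, and a production check would test against a large list of breached passwords instead.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed, deliberately tiny blocklist for the example. A real policy would
# compare against a large breached-password list (hundreds of millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin",
                    "annearundel", "odenton"}
MIN_LENGTH = 12  # assumed policy value for this example


@dataclass
class PolicyResult:
    """Outcome of a policy check: ok is True only when no problems were found."""
    ok: bool
    problems: List[str] = field(default_factory=list)


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending characters
    (for example 'abcd' or '4321'), a common pattern in weak passwords."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_repeat(pw: str, run: int = 4) -> bool:
    """True if the same character is repeated `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw: str, username: str) -> PolicyResult:
    """Apply the policy rules and return every rule the password fails."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    # Strip trailing digits/punctuation so 'password1!' is still caught as common.
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("common password")
    if username and username.lower() in pw.lower():
        problems.append("contains username")
    if _has_sequence(pw):
        problems.append("sequential characters")
    if _has_repeat(pw):
        problems.append("repeated characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return PolicyResult(ok=not problems, problems=problems)


if __name__ == "__main__":
    for candidate in ("password123", "jdoe-Harbor!2024", "Chesapeake*Tide*77"):
        print(candidate, check_password(candidate, "jdoe"))
```

The check reports every failed rule rather than stopping at the first one, so the user sees the full list of changes needed; the username rule and the blocklist matter most in practice, since dictionary words and personal identifiers are what password-guessing tools try first.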
Because the County cannot control how third-party users behave, hackers may exploit VPN access to reach
the County's systems. According to the FBI's 2012 report, The Insider Threat: An Introduction to
Detecting and Deterring an Insider Spy, workers may access the company's system remotely while on
vacation or at unusual hours, leaving it vulnerable to viruses and hackers. The first step in protecting data
from internal and external threats is to raise awareness among employees and provide training on security
procedures and data security. Taking a preventative approach to insider threats is crucial.
The best way to prevent social engineering attacks is to keep users aware of the risks they face. Social
engineering is used to get workers to take actions that let a threat actor install tools that make it easier
to exploit existing vulnerabilities and create new ones, ultimately in order to steal cardholder data.
Because risk cannot be mitigated by access control and security monitoring alone, raising awareness of the
importance of information security is crucial. Requirement 12.6 of the Payment Card Industry Data
Security Standard goes into further detail on establishing a security awareness training program and an
efficient communication channel.
When handling customers' credit card information, it is crucial to take precautions to protect cardholders'
privacy. Encrypting sensitive data such as credit card numbers and user credentials is needed to meet PCI
DSS requirements. Tokenization is one method of protecting users' financial data by masking it before
storage: it substitutes meaningless tokens for the original data, such as credit card numbers. To keep
stored data secure, the Township should use tokenization and develop a procedure for routinely scanning
stored data for credit card numbers.
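The following added Python example illustrates both halves of that paragraph: a tokenizer that replaces a card number (PAN) with a random token of the same length while keeping the last four digits, and a scanner that sweeps text for card numbers that were stored without being tokenized. It is example code written for this memo, not the Township's or any vendor's product. The in-memory dictionary standing in for the token vault, the card numbers, and the sample text are all constructed for the example; a real deployment would keep the vault in a separate, access-controlled service.

```python
import re
import secrets
from typing import Dict, List, Optional

# Constructed in-memory vault for the example. In production the token-to-PAN
# mapping lives in a dedicated, tightly access-controlled service, never in the
# application process that handles customer records.
_vault: Dict[str, str] = {}     # token -> PAN
_reverse: Dict[str, str] = {}   # PAN -> token (so one PAN always maps to one token)


def luhn_valid(digits: str) -> bool:
    """Luhn check used by card numbers: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def tokenize(pan: str) -> str:
    """Replace a PAN with a same-length token that keeps only the last four digits.
    The token is forced to FAIL the Luhn check so it can never be mistaken for a
    real card number by the scanner below."""
    digits = re.sub(r"\D", "", pan)
    if not _is_pan(digits):
        raise ValueError("input is not a valid card number")
    if digits in _reverse:
        return _reverse[digits]
    while True:
        body = [secrets.randbelow(10) for _ in range(len(digits) - 4)]
        token = "".join(map(str, body)) + digits[-4:]
        if luhn_valid(token):
            # Incrementing any single digit changes the Luhn sum mod 10, so the
            # adjusted token is guaranteed to be Luhn-invalid.
            body[0] = (body[0] + 1) % 10
            token = "".join(map(str, body)) + digits[-4:]
        if token not in _vault:
            break
    _vault[token] = digits
    _reverse[digits] = token
    return token


def detokenize(token: str) -> Optional[str]:
    """Look up the original PAN; only the vault service should ever do this."""
    return _vault.get(token)


# Runs of 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scan_for_pans(text: str) -> List[str]:
    """Routine scan: return every Luhn-valid card number found in the text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if _is_pan(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample record using a well-known test card number.
    record = "cust 1042 card 4111-1111-1111-1111 on file, phone 4105551234"
    print("before tokenization:", scan_for_pans(record))
    tok = tokenize("4111 1111 1111 1111")
    print("token:", tok, "-> scan finds:", scan_for_pans(record.replace("4111-1111-1111-1111", tok)))
```

The scanner combines a digit-run pattern with the Luhn check so that phone numbers, account IDs, and the tokens themselves are not reported; running it regularly over databases, exports, and log files is the "routine scanning" procedure the memo calls for, and any hit means cardholder data has leaked outside the tokenized path.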
Security requires constant vigilance. Establishing controls is the first step in setting up a continuous
monitoring system. To track how well security measures are working, it is vital to establish routines for
periodic evaluation against all applicable standards. These procedures cover all in-scope sites and
facilities, including back-offices and data centres, ensuring the organisation stays in sync with its
security and business objectives. Other procedures include checking that all PCI DSS controls are fully
functional and that IT staff are following security procedures. Moreover, the processes should account for
any modifications to the deployed IT infrastructure or operating environment and produce adequate
evidence of ongoing compliance with security requirements.
Action Steps
An organized approach to embedding security into operational procedures is essential for achieving PCI
DSS compliance. Odenton Township will therefore have to assign ownership of coordinating security
efforts. The compliance manager's responsibilities will include communicating with the various departments
and essential employees, keeping tabs on how the controls are being implemented, and gaining the backing
of upper management. Odenton Township's compliance manager will also collect the documentation needed
to prove PCI DSS compliance.
According to PCI Requirement 11.3.4.1, Odenton Township must perform penetration testing twice yearly.
These penetration tests primarily verify the effectiveness and scope of the segmentation controls. If a
firewall is already in place, it may be used for segmentation. At the first sign of trouble, Odenton Township
should act immediately to fix the problem and rescan the system for vulnerabilities.
Physical records are just as sensitive as digital data and have to be monitored and protected in the same
way. Since the facility is accessible throughout the week, keeping a log of the dates and times at which
individuals entered the building is essential; this will help ensure compliance with PCI DSS. Moreover,
any typed or handwritten information, including credit card details, should be stored in a secure place
such as a locked cabinet or drawer.