
IT 253 Project One Memo Template

DATE: April 8, 2024

TO: Company Leadership

FROM: Information Security Manager

SUBJECT: Mitigating Security Risks: Essential Control Recommendations and Explanations

Introduction: Securing our information assets is vital for driving the company's business agenda
forward. By mitigating the identified information security risks, we not only shield our data but also
demonstrate our dedication to preserving customer information and complying with applicable
regulations.

Laws and Regulations: Conforming to legal mandates and regulatory frameworks, notably the Sarbanes-Oxley
Act (SOX), is essential for the successful functioning of our company. Section 404 of SOX requires
management to maintain, and external auditors to attest to, internal controls over financial reporting.
In practice that audit covers the IT general controls beneath our financial systems: who can access
them, how changes are approved and logged, how they are backed up and recovered, and how they are
protected from tampering. Each gap the consultant found therefore carries audit risk as well as
security risk.

Technical Controls: In response to the identified information security risks, I propose the
implementation of the following technical measures:

1. Require multi-factor authentication (MFA) for all sensitive systems and for remote access, and
require a second factor (such as a PIN in addition to the badge) at controlled entrances to
headquarters, so that a single stolen password or badge no longer grants entry. This addresses the
consultant's finding of unauthorized access to the headquarters building.

2. Encrypt all onsite backups, with the encryption keys stored separately from the backup media and
restores tested on a schedule, to address the consultant's finding of unencrypted backups onsite. An
unencrypted backup is a complete copy of our data that anyone who removes the tape or disk can
read, and an encrypted backup whose key is stored on the same media is no better protected.

3. Keep antivirus definitions current on all user workstations and report on definition age centrally
so that lagging endpoints are visible. This addresses the consultant's finding that a notable
portion of user workstations had outdated antivirus definitions; a workstation with stale
definitions cannot recognize recently released malware, so the finding translates directly into a
higher chance of a successful attack.
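
As an added illustration of technical control 2 (it is not part of the original memo or any company system), the following POSIX shell script encrypts a backup archive with AES-256-CBC using the OpenSSL command-line tool and then proves the backup can be decrypted and matches the original. The key-file location, directory names and the `openssl enc` parameters are assumptions for the example; the memo specifies none of them. The two points a practitioner wants alongside the recommendation are that the key must live somewhere other than the backup media and that a backup which has never been restored is not yet known to be good.

```shell
#!/bin/sh
# Encrypt a backup archive with a key held in an owner-only key file, then prove
# the archive can be decrypted and matches the original before it is retained.
# Assumptions (not from the memo): the OpenSSL CLI is installed and the key file
# is kept off the backup media (key server, vault, or a separate host).
set -e

# make_key KEYFILE -- generate a 256-bit random key, readable by the owner only.
make_key() {
  ( umask 077; openssl rand -hex 32 > "$1" )
}

# encrypt_backup SRC_DIR KEYFILE OUT_FILE -- tar the directory, record the
# plaintext SHA-256 (OUT_FILE.sha256) so a later restore can be checked, then
# encrypt with AES-256-CBC using a key derived from the key file via PBKDF2.
encrypt_backup() {
  src="$1"; keyfile="$2"; out="$3"
  tmp="$(mktemp)"
  tar -C "$src" -cf "$tmp" .
  sha="$(openssl dgst -sha256 -r "$tmp" | cut -d' ' -f1)"
  printf '%s\n' "$sha" > "$out.sha256"
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -pass "file:$keyfile" -in "$tmp" -out "$out"
  rm -f "$tmp"
}

# verify_backup KEYFILE ENC_FILE -- the restore test: decrypt to a scratch file
# and compare its SHA-256 with the value recorded at backup time.
# Returns 0 on match, non-zero if the key is wrong or the archive is damaged.
verify_backup() {
  keyfile="$1"; enc="$2"
  tmp="$(mktemp)"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass "file:$keyfile" -in "$enc" -out "$tmp" 2>/dev/null || true
  got="$(openssl dgst -sha256 -r "$tmp" | cut -d' ' -f1)"
  rm -f "$tmp"
  [ "$got" = "$(cat "$enc.sha256")" ]
}
```

Run `make_key` once to create the key file and keep that file away from the backup media; schedule `verify_backup` against a sample of archives so the restore test called for in the business continuity plan is exercised rather than assumed. A verification failure on a freshly written archive means the backup job, not the restore, is broken.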

Administrative Controls: To address the consultant's findings effectively, I recommend implementing
the following administrative controls:

1. Immediately update the information security policy to reflect current best practices and address
emerging threats. This addresses the risk highlighted by the consultant that the current policy
has not been updated in four years. Regular policy updates ensure its relevance and
effectiveness in mitigating evolving security risks.

2. Develop and regularly test a business continuity and disaster recovery plan to minimize
disruptions to operations during emergencies. This directly addresses the consultant's finding of
the absence of such plans, ensuring the company's preparedness to respond effectively to
unforeseen incidents.

3. Enforce the use of individual, named user accounts for system administration tasks, with
administrative rights granted to those named accounts rather than through a shared administrator
login, as recommended by the consultant. With a shared account, an audit log can show that an
administrator made a change but not which person; named accounts restore that accountability, allow
a departing employee's access to be removed without resetting a password everyone knows, and reduce
the opportunity for unauthorized use.
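
As an added illustration of administrative control 3 (not from the memo or the consultant's report), the script below shows one way to find shared accounts before the policy is enforced and to confirm afterwards that the practice has stopped: it reads successful OpenSSH logins from an auth log and reports every account used from more than one source address. The log lines are constructed for the example, and the host, account and address names are assumptions; the `Accepted ... for USER from IP` line is the standard OpenSSH syslog format.

```shell
#!/bin/sh
# Find accounts that are logged into from more than one source address, the
# usual footprint of a shared administrator account. Added example, not from
# the memo; the sample log written by write_sample_log is constructed.
set -e

# list_logins LOGFILE -- print "user ip" for every successful sshd login.
# Failed attempts are ignored: they show who is being targeted, not who shares.
list_logins() {
  grep -E 'sshd\[[0-9]+\]: Accepted (password|publickey|keyboard-interactive/pam) for ' "$1" \
    | awk '{
        for (i = 1; i <= NF; i++) {
          if ($i == "for")  user = $(i + 1)
          if ($i == "from") ip   = $(i + 1)
        }
        print user, ip
      }'
}

# shared_accounts LOGFILE [MIN_SOURCES] -- accounts seen from at least
# MIN_SOURCES distinct addresses (default 2), printed as "user count".
shared_accounts() {
  min="${2:-2}"
  list_logins "$1" | sort -u \
    | awk -v min="$min" '{ n[$1]++ } END { for (u in n) if (n[u] >= min) print u, n[u] }' \
    | sort
}

# write_sample_log FILE -- constructed auth-log excerpt: "sysadmin" is used from
# three workstations (twice with the same key), "jdoe" from one.
write_sample_log() {
  cat > "$1" <<'EOF'
Apr  8 09:12:01 fs01 sshd[2143]: Accepted publickey for sysadmin from 10.20.1.15 port 52210 ssh2: RSA SHA256:abc
Apr  8 09:14:33 fs01 sshd[2188]: Accepted publickey for sysadmin from 10.20.1.42 port 50118 ssh2: RSA SHA256:abc
Apr  8 09:20:07 fs01 sshd[2201]: Accepted password for sysadmin from 10.20.3.7 port 40022 ssh2
Apr  8 09:21:40 fs01 sshd[2230]: Accepted publickey for jdoe from 10.20.1.15 port 52300 ssh2: RSA SHA256:def
Apr  8 09:25:12 fs01 sshd[2255]: Failed password for sysadmin from 203.0.113.9 port 41000 ssh2
Apr  8 09:30:55 fs01 sshd[2290]: Accepted publickey for jdoe from 10.20.1.15 port 52411 ssh2: RSA SHA256:def
EOF
}
```

On a real host, point `shared_accounts` at /var/log/auth.log or an exported journal. An account that appears from several workstations in one morning is either shared or has had its key copied; in either case an action taken under that account can no longer be tied to one person, which is exactly the gap the consultant flagged.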

Physical Controls: To mitigate the identified information security risks, I suggest implementing the
following physical measures:

1. Strengthened Access Controls: Conduct a thorough assessment and upgrade of access controls
across all facilities, with a focus on restricting entry to sensitive areas such as the headquarters
building and the data center. This proactive step directly mitigates the risks highlighted by the
consultant's findings, ensuring that unauthorized access is minimized, and overall physical
security is enhanced.

2. Installation of Backup Power Systems: Deploy backup power in the data center and other critical
locations, combining an uninterruptible power supply (UPS) to carry the load for the seconds a
generator needs to start with a generator for longer outages, and test the failover periodically.
This directly addresses the consultant's finding that the data center has no backup or generator
power and keeps operations running through an outage.

3. Implementation of Security Awareness Training: Provide training for employees on physical
security practices, including badge access procedures, visitor management, and recognizing and
reporting suspicious activity, together with recognizing and reporting phishing emails. This
responds to the consultant's finding that employees lacked awareness of appropriate responses to
security threats such as phishing emails. The badge and visitor material supports the physical
controls above; the phishing component is what the consultant's finding actually calls for, since a
phishing email is a common way for an attacker to obtain the credentials that the technical
controls protect. Better informed and more vigilant employees reduce the risk of breaches stemming
from human error or oversight.

Business Impact: The recommended controls outlined in this proposal significantly change the
company's current information security policies and practices. Multi-factor authentication,
encryption of onsite backups, and current antivirus definitions reinforce our technical defenses.
Updating the policy, moving administrators to named accounts, and developing and testing a disaster
recovery plan underscore our commitment to adaptability and preparedness. The physical controls
reduce the risk of unauthorized entry to headquarters and the data center and keep the data center
running through a power outage, while the training program raises employee awareness of both
physical and phishing threats. Together, these actions form a layered security framework that
protects our data, maintains customer confidence, and supports regulatory compliance in line with
our strategic goals.

Conclusion: Leadership's commitment to implementing these control recommendations is critical for
elevating the company's information security posture. Through the adoption of technical,
administrative, and physical controls, we enhance our ability to combat cyber threats, maintain
compliance with regulations, and protect our critical data and operations. These measures not only
mitigate present vulnerabilities but also showcase our dedication to adaptability, resilience, and
proactive risk mitigation. Hence, prioritizing these recommendations will safeguard our assets, foster
stakeholder confidence, and secure the enduring prosperity of our business.
