CNS599_NLEN_InformationSecurity

5/30/2014 North Lawndale Employment Network (NLEN) Information Security Risk Assessment Completed by: Phillip Lai Joseph Marchis Taishaun Owens Michelle Witcher



Table of Contents

Information Security Risk Assessment ..... 3
Executive Summary ..... 4
Body of Report
  A. Payment Card Industry (PCI) Data Security Standard (DSS) Standards ..... 8
  B. Internet Protocol Cameras (IP Cameras) ..... 9
  C. Server Equipment Security ..... 9
  D. Access Controls ..... 11
  E. Wi-Fi Access ..... 12
  F. Copier Machine ..... 12
  G. Inventory ..... 13
  H. Disaster Recovery ..... 15
  I. Temporary Use of Equipment ..... 16
  J. Record Files (Paper Documents) ..... 16
References ..... 18
Appendices ..... 19
Information Security Safeguard Design ..... 25
Summary ..... 26
Sections
  Access Controls ..... 29
  Record Files ..... 39
  Server Equipment ..... 40
  Copier Machine ..... 42
  Inventory ..... 45
  Temporary Use of Equipment ..... 48
  Training ..... 50
  Disaster Recovery Plan ..... 50


Information Security Risk Assessment


EXECUTIVE SUMMARY

May 30, 2014

The team’s task was to assess security at North Lawndale Employment Network (NLEN) in order to reduce the vulnerability of client information to a possible breach. The areas of focus are access control, access security, and training controls; the key objective is to identify current risks that expose NLEN and to propose solutions that preserve NLEN’s business purpose and the safety of its clients, employees, and volunteers. NLEN raised several questions about its current practices involving staff who access sensitive client information, chiefly: are NLEN employees following the policies and procedures that have been put in place to protect client data? This initial risk assessment is based on the team’s findings of security vulnerabilities at NLEN. The visits were conducted on April 3rd and 10th, 2014, each lasting approximately 90 minutes. The visit consisted of a walk-through tour of NLEN, brief introductions, and a question-and-answer session with Daniel Rossi of NLEN; Brian Franklin and Bashir Muhammad of Net-Intelligence Group (NTG); and the team members.

Currently, NLEN accepts credit card payments for items purchased in person and from the “Sweet Beginnings” website (SBW). It was brought to the team’s attention that NLEN was unsure whether it met the Payment Card Industry (PCI) Data Security Standard (DSS).[1] In accordance with PCI DSS, all organizations should implement PCI DSS in their business as usual (BAU) activities as part of the entity’s overall security strategy. The Qualitative Value to establish this recommended control is Very High; without this standard NLEN faces possible lawsuits, insurance claims, cancelled accounts, payment card issuer fines and/or government fines. More specific details are found in Section A, page 7.

NLEN accepts credit card payments for items through SBW or in-person transactions. PCI DSS requires monitoring of the areas where cardholder data devices are used. As indicated above, NLEN is unsure of its PCI DSS status. The team noticed there were no Internet Protocol (IP) cameras or closed circuit television (CCTV) cameras present in the facility when the walk-through was conducted. The Qualitative Value to establish this recommended control is High, due to the cardholder devices in use at the NLEN facility. More specific details are found in Section B, page 8.

Currently NLEN does not have a Disaster Recovery Plan (DRP). Disaster planning is crucial in determining whether a company can still function after serious disruptions to the organization’s connectivity. One can never predict a natural or man-made disaster, so it is imperative that a DRP is created.[2] We recommend implementing a DRP; upon completion, the plan should be checked for correctness of procedures so that all staff members know their designated roles for protection within the facility. The Qualitative Value to establish this recommended control is High, due to the possible loss of the entire network through an outbreak of fire or a natural disaster. The cost to implement a DRP depends on the items required to support the facility. More specific details are found in Section H, page 14.

[1] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 13.
[2] NIST 800-30, Appendix F: Vulnerabilities and Predisposing Conditions.

The basement floor contains a room where the server equipment is located. It was noticed that the door to the server room is often kept unlocked, for the sake of simplicity, to avoid constantly opening and closing the door since the room also contains various other items. Leaving a multi-use room that houses the network server unlocked is not good practice. Given the lack of available space in the facility, the recommended solution is to better protect the key and never leave it unattended. Access should be granted to Daniel and to another responsible staff member who would be available during Daniel’s absence. The Qualitative Value to establish this recommended control is Very High, due to the possible compromise of the entire network. There is no additional cost to implement this policy with the existing operating system in use. Furthermore, since this is a multi-use room, the server equipment should be enclosed in a secure cabinet to prevent unauthorized access to the equipment. The cost for a server cabinet is $351.00 at Staples. More details are found in Section C, page 8.

Staff members walking away from their computers or going on break are not locking or logging off their computers. With uncontrolled access throughout the facility, anyone may access the network and sensitive data from an unlocked computer that is not in use. This practice is not in accordance with NLEN policy as indicated by the Director of NLEN, NIST Special Publication 800-66 Revision 1, and HIPAA Security Awareness and Training (§ 164.308(a)(5)).[3]

The remedy for this problem is to add an automatic lock on users’ computers after 5 minutes of non-use. A policy and training can also be implemented to ensure that users lock their computers when they are not in use. Although this does not completely prevent unauthorized access, it does minimize the risk. This recommendation should be implemented on laptops as well. Additionally, periodic training on safe practices and security for all staff members is recommended. The Qualitative Value to establish this recommended control is Very High, due to the possible compromise of sensitive data by an unauthorized user. There is no additional cost to implement this policy with the existing operating system in use. More specific details are found in Section D, page 10.

Official visitors and volunteers who require computer use have shared staff computers and logins. This is not in accordance with NLEN policy as indicated by the Director of NLEN, and PCI DSS[4] requires that all users be assigned a unique ID before they are allowed to access system components. All visitors who require computer use should have a specific logon with internet access only. Logons for visitors can be created on computers designated for client use only, through the Control Panel, restricted to internet use only, as opposed to using staff computers that have access to sensitive data. Additionally, all clients share one logon; this is an unsafe practice. If there is an issue with a user, it is difficult to determine who caused it. Each client should have their own individual logon, which can be created through the existing Windows Server 2003 Active Directory. The Qualitative Value to establish this recommended control is Very High, due to the possible compromise of sensitive data through unauthorized access. There is no additional cost to implement this policy with the existing operating system in use. More details are found in Section D, page 10.

[3] NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
[4] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64.

The NLEN network is connected via Wi-Fi throughout the facility. This Wi-Fi connectivity is accessible to staff, clients, and visitors at the NLEN facility. This exposes the network to threats that may exist on those various devices, such as malware. The recommended action is to disable USB access on all computers to eliminate unauthorized extraction of data and possible infection of the network. The Qualitative Value to establish this recommended control is High. If USB access is required, it should be available on one designated computer (Daniel’s) to control the upload and download of data. There is no additional cost to implement this policy with the existing operating system in use. More details are found in Section E, page 11.

Organizational devices (laptops and tablets) that are available for use outside the facility may contain sensitive data. The devices are returned after use so they can be checked out again. The procedure followed when a device is returned is unclear. The recommended solution is that devices be checked for functional capability upon return. Users should not be given full access on the devices, only user-level access. This prevents the loading of unauthorized software on the laptops or tablets. Maintenance of the devices should be the same as for the desktop computers, i.e. updates, patches, and virus protection. If the need arises for a laptop to replace a desktop, this can then be completed without delay. The Qualitative Value to establish this recommended control is Very High. There is no additional cost to implement this policy with the existing operating system in use. More details are found in Section I, page 15.

Several boxes located throughout the facility contain files which NLEN must retain for a period of seven years. The boxes are not secure and do not prevent unauthorized access and/or removal from the facility. The best recommended option is to secure the files in lockable file cabinets. Given the tight layout of the facility and the lack of space for new equipment, an alternate method is also recommended: all boxes should be sealed with wide packaging tape along all seams and the top, with a signature affixed across the top so that the seal must be broken to open the box. A log should be created for and attached to each box to manage access to it. The Qualitative Value to establish this recommended control is High. The cost varies depending on the option selected. The best recommended option costs $300.00 for a four-drawer vertical file cabinet at Staples. The alternate recommended option, wide packaging tape, costs $11.00 for a pack of 6 rolls at Staples. More details are found in Section J, page 15.

The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard drive. Just as the hard drive in a computer stores data, the hard drive in a copier stores images of documents copied on the machine. The hard drives should be recycled by the vendor. This is a HIPAA[5] requirement when sensitive data stored within an organization must remain confidential. Ensure the copier vendor has a strict HDD[6] recycling policy in place, and ask them to review the policy with you. The Qualitative Value to establish this recommended control is Very High. If the vendor already has this procedure in place there is no cost. More details are found in Section F, page 12.

[5] Health Insurance Portability and Accountability Act.

The last risk is the inventory of desktops, laptops, and tablets in the facility. When the question “how is the equipment recorded physically?” was asked, there was no answer. Currently there is no inventory of the make, model, serial number, etc., of the equipment. We recommend starting an inventory of all desktops, laptops, and tablets in the facility. The inventory list identifies the location and responsible users, which aids in conducting maintenance and upgrading of equipment. The Qualitative Value to establish this recommended control is High. More details are found in Section G, page 12.

This is an initial risk assessment report of the NLEN facility. The overall level of risk is Very High, because PCI DSS standards were not found to be in place. “The PCI DSS security requirement applies to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. ‘System components’ include network devices, servers, computing devices, and applications.”[7] Examples of system components are:

- Server room network equipment
- Sweet Beginnings Website
- Data Center servers
- Connectivity to NTG
- Wi-Fi access points
- Network operating system

Once NLEN has established PCI DSS standards many other risks will also be resolved.

[6] Hard Disk Drive - a data storage device used for storing and retrieving digital information.
[7] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.


Body of Report

A. Payment Card Industry (PCI) Data Security Standard (DSS)

The Payment Card Industry (PCI) Data Security Standard (DSS) requires all organizations that process credit card transactions to implement PCI DSS as business as usual within their organization. Currently NLEN accepts payment via credit card for item(s) from the Sweet Beginnings Website (SBW). During the visit a team member made an in-person purchase from SBW with a credit card. The team noticed no cameras present in the location where the transaction took place. The team also noticed that SBW is not a secure site: a secure site is indicated by “https” in the browser address bar, whereas SBW shows “http”, which indicates a non-secure site.

An organization without PCI DSS standards is vulnerable in many ways. To ensure that NLEN meets the scope of the requirements, all locations and flows of cardholder data must be identified and included in the PCI DSS scope. The following should be considered to ensure the accuracy and appropriateness of the PCI DSS scope:

- Identify and document the locations within the NLEN facility where cardholder data devices will be used; together these form the NLEN cardholder data environment (CDE). Ensure no cardholder data exists outside the designated CDE areas.
- After identifying the location(s) where cardholder data devices will be used, verify that each area is appropriate for PCI DSS use.
- All cardholder data should be in the scope of the PCI DSS assessment and part of the CDE.
- Retain all documentation that supports the scoping determination for assessor review and for reference during the next annual confirmation, for continuity purposes.[8]

The Qualitative Value for this risk is Very High, because NLEN is not meeting PCI DSS standards at this time. The team has determined that once NLEN has met the PCI DSS standards, many other risks identified in this report will also be addressed, such as:

- Internet Protocol Cameras
- Server Room
- Server Equipment
- Access Control
- Disaster Recovery Plan
- Copier Machine

[8] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.


B. Internet Protocol (IP) Cameras

PCI DSS standards are imperative for all businesses that accept credit cards. The facility is vulnerable to someone skimming the credit card machine. Sections[9] of the PCI DSS manual state in multiple parts that there be some monitoring control in sensitive areas; this can be anything from the server room and the locations where credit cards are used (where data travels through, the most critical parts of the infrastructure) to anything that processes sensitive information. The guidance is similarly informative in explaining how culprits avoid detection by avoiding the various ways of incriminating themselves. The areas of concern in the NLEN facility are the server room and the designated location(s) where cardholder transactions take place. The Qualitative Value to establish this recommended control is Very High. The team recommends installing cameras as the monitoring medium to minimize the risk.

Video cameras and/or access control mechanisms should be utilized to monitor individual physical access to sensitive areas. NLEN should focus on the long-term effect of monitoring for vulnerabilities.[10]

The ease of access to the credit card machine and the server room should not be taken lightly. Camera monitoring helps deter someone from exploiting other means, such as gaining access to the server room and installing a backdoor into the network. Using video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas minimizes the risk of this vulnerability. It is good practice to conduct frequent network monitoring when possible.[11] This recommendation is a PCI DSS standard action. The Qualitative Value to establish this recommended control is High.

C. Server Equipment

The server room houses materials and equipment that are used daily by staff members and clients who work with Sweet Beginnings. It contains the equipment for the internet connection from NLEN to the Data Center, along with coffee supplies and various other items. Given the constraint of unavailable space, this room should remain locked at all times. There are two issues. First, the key to this room is kept in an office on the main floor (Daniel’s office) and is left unattended when the office is empty, so anyone may enter, remove the key, and thus access the server room. Second, the team was advised that the door is often left open for the sake of simplicity, to avoid constantly opening and closing the door because others may need entry at any given time. The Qualitative Value to establish this recommended control is High.

The table above details the risk of the server room not having secure access and the recommended control for ensuring that access to the server room is limited.

[9] PCI DSS; Sections 9.1 and 9.1.1.
[10] PCI DSS; Section 11.2.1.
[11] PCI DSS; Section 11.2.1.


The protection of the network equipment, which prevents unauthorized access and is required by PCI DSS standards, is an issue as well. The network equipment is the backbone of the network; it is the point of entry and exit for all traffic, and any disruption to this equipment will cause loss of the network. This equipment should be secured at all times to prevent disruptions. Disruptions can include unplugging the equipment, removal of any one item, fire, water, and tampering by an unauthorized person. Tampering can be the connection of a key logger,[12] theft of internet bandwidth,[13] introduction of a virus, or other malicious action. The possibilities are endless if one wishes to disrupt or tamper with the network. Additionally, leaving the equipment exposed in an unrestricted room leaves it open to someone connecting unauthorized equipment, unknowingly or for malicious reasons (tampering). Such an unauthorized connection can be made without any disruption to the network. The equipment is generally reliable and does not require changes, and therefore may be left unattended for long periods of time. Without a full-time IT technician on site, no one may know if or when the equipment has been tampered with. Again, given the constraints of available space in the facility, it is necessary to secure the equipment in a manner that prevents exposure to unauthorized personnel.

The team further recommends the following actions to secure the equipment in a PCI-certified server rack/cabinet, which will prevent unauthorized access to the equipment. The equipment should also be connected to an Uninterrupted Power Source (UPS), to prevent loss of the network if a power outage is experienced. The recommended control for the server room key is to issue keys only to authorized staff. We recommend issuing a key to Daniel and to two other designated staff members who would be available when Daniel is not present. The key should not be left out on display, to prevent others from taking it. When access to this room is needed, one of the authorized staff members should escort the individual(s) to the room and remain with them the entire time the room is open. When the business in the server room is finished, it should be locked and remain so at all times.

Required Items               Manufacturer/Model       Item Number   Cost
Enclosure Server Cabinet     Tripp Lite/SRW12US       IMIY96346     $319
Uninterrupted Power Source   APC Smart-ups/SMT1500    849858        $467

Total estimated cost of completion: $786

[12] Key logger: a program, commonly stored on a USB drive, that keeps track of all information typed in a system or network; it can be used to obtain log-in credentials (users and their passwords) and credit card information.
[13] Bandwidth: the speed at which data transfers across the network.

D. Access Controls

Access controls govern movement and access to resources throughout the facility. Numerous unsafe practices were observed on the tour of the facility: staff members willingly logging on to computers for volunteers, and volunteers accessing clients’ information with staff logons. This is not in accordance with NLEN policy as indicated by the Director of NLEN, and with PCI DSS.[14] Staff should not share their logons with anyone. Each staff member should have their own individual logon for their own use. When staff leave their computer they should lock the terminal every time. A computer left unlocked gives access to the network, which contains sensitive personal data that should be protected by all means in accordance with HIPAA Security Awareness and Training (§ 164.308(a)(5)).[15]

Volunteers and/or visitors who require access to a computer should have their own individual logon. No two people should share the same logon. Only staff employees should have access to the shared S drive. Access for volunteers/visitors can be restricted to a limited period of time, in addition to being restricted to internet use only. Are the volunteers authorized, or do they have a need to know, clients’ personal sensitive information? Currently one logon is assigned to all clients. With all clients sharing the same logon, if there is malicious action on the network there is no way to identify who committed it. Like everyone else in the facility, each client should have their own individual logon for in-house internet access. The recommended control is to create individual logons for all volunteers, visitors, and clients. Volunteers, visitors and clients may have access to the same in-house internet access, leaving only staff with access to the sensitive shared S drive, as directed by the NLEN Director.

To accomplish individual logons for clients, volunteers, and visitors for in-house internet access, use the Windows Server 2003 R2 server currently located in the server room at the NLEN facility. A person with administrative access will be able to create the logons for clients, volunteers, and visitors in Active Directory.

To help reduce the unsafe practices further, the Team recommends security training for all staff members. The training should consist of the following:

- Importance of securing the facility for their own physical security.
- Importance of safe keeping of clients’ sensitive data.
- Importance of always locking their computers when away.
- Importance of the network equipment in the server room.
- Importance of knowing who is and is not authorized to access the network.
- Required reading of the NLEN policy provided at the beginning of employment.
- Importance of secure and safe practices overall.

The use of NLEN laptops and tablets requires monitoring and periodic maintenance. Devices connecting to the NLEN network should meet the same requirements for software updates, patches, and anti-virus as the desktop computers on the network. These devices are periodically connected to the NLEN network via remote access. Not checking these devices after use leaves clients’ sensitive data exposed to possible vulnerabilities, viruses, and other malicious actions against the network. These devices should not be issued with the sole-user access that exists on the desktop computers, to prevent the download of unauthorized software onto the network.

[14] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64.
[15] NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Disabling USB drives on all computers on the NLEN network is good, secure practice. USB drives allow unauthorized download of sensitive data, unauthorized upload of unauthorized software, and connection of unprotected devices.

Upon return of a device after use, it should be cleared of all data to prevent unauthorized access to sensitive data. The team recommends that USB drives be disabled on all computers that attach or may attach to the NLEN network.
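As an added example (not part of the NLEN report or NTG’s configuration), the following PowerShell applies three of the controls recommended in this section on a Windows domain: an individual, time-limited visitor logon in Active Directory, the 5-minute screen lock, and disabling USB mass storage. The domain nlen.local, the Visitors OU and the Visitors-InternetOnly group are assumed placeholders; ADSI is used instead of the ActiveDirectory module so the account creation also works against a Windows Server 2003 domain controller.

```powershell
# Added example, not from the NLEN report or NTG. Applies three Section D
# controls on a Windows domain: a unique, time-limited visitor logon, the
# 5-minute screen lock, and disabling USB mass storage.
# Placeholders (assumptions): domain nlen.local, OU=Visitors, group Visitors-InternetOnly.
# ADSI ([ADSI]) is used instead of the ActiveDirectory module so the account
# creation also works against a Windows Server 2003 domain controller.

# 1. One logon per visitor/volunteer (PCI DSS unique ID), expiring automatically.
function New-VisitorLogon {
    param(
        [Parameter(Mandatory=$true)][string]$Name,            # e.g. visitor.jdoe
        [Parameter(Mandatory=$true)][string]$InitialPassword,
        [int]$ValidDays = 14,
        [string]$OuPath    = "LDAP://OU=Visitors,DC=nlen,DC=local",                          # assumption
        [string]$GroupPath = "LDAP://CN=Visitors-InternetOnly,OU=Visitors,DC=nlen,DC=local"  # assumption
    )
    $ou   = [ADSI]$OuPath
    $user = $ou.Create("user", "CN=$Name")
    $user.Put("sAMAccountName", $Name)
    $user.Put("userPrincipalName", "$Name@nlen.local")
    $user.Put("description", "Visitor/volunteer: internet access only; expires after $ValidDays days")
    $user.SetInfo()                                   # object must exist before password/flags
    $user.SetPassword($InitialPassword)
    $user.Put("userAccountControl", 512)              # NORMAL_ACCOUNT, enabled
    $user.Put("pwdLastSet", 0)                        # force a password change at first logon
    $user.InvokeSet("AccountExpirationDate", (Get-Date).AddDays($ValidDays))
    $user.SetInfo()
    # Membership only in the internet-only group; never a group that grants the shared S drive.
    ([ADSI]$GroupPath).Add($user.Path)
    return $user.Path
}

# 2. Lock the screen after 5 minutes of inactivity. Written under the Policies
#    key so the user cannot turn it off; roll out via GPO or a logon script.
function Set-FiveMinuteLock {
    $key = "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name ScreenSaveActive    -Value "1"
    Set-ItemProperty -Path $key -Name ScreenSaverIsSecure -Value "1"    # password required on resume
    Set-ItemProperty -Path $key -Name ScreenSaveTimeOut   -Value "300"  # 5 minutes, in seconds
}

# 3. Disable USB mass storage on the computer (run as administrator). Start=4 means
#    the USBSTOR driver never loads; keyboards and mice use a different driver.
function Disable-UsbStorage {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR"
    Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
}

# Check a workstation against the two machine settings above.
function Test-WorkstationHardening {
    $desk = Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ErrorAction SilentlyContinue
    $usb  = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        LocksAfter5Min    = ($desk -ne $null -and $desk.ScreenSaveActive -eq "1" -and
                             $desk.ScreenSaverIsSecure -eq "1" -and [int]$desk.ScreenSaveTimeOut -le 300)
        UsbStorageBlocked = ($usb -ne $null -and $usb.Start -eq 4)
    }
}

# Usage (administrator PowerShell on a domain-joined workstation):
#   New-VisitorLogon -Name "visitor.jdoe" -InitialPassword "Change-Me-Now-2014"
#   Set-FiveMinuteLock; Disable-UsbStorage; Test-WorkstationHardening
```

Set-FiveMinuteLock writes the policy for the user running it, so in practice the same three values are pushed to every staff account through a Group Policy Object rather than run by hand on each machine.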

E. Wi-Fi Access

The NLEN network is supported by Wi-Fi connectivity throughout the facility. This network should be secured. The password for this access point should only be given to authorized users of the NLEN network who are designated administrators; volunteers, clients, and visitors should not be given this access. If this password becomes known to unauthorized staff members, clients, volunteers, and visitors, the NLEN network will not be as secure. Those who access the network with personal devices may introduce vulnerabilities that exist on those devices, such as viruses or malware. The Qualitative Value to establish this recommended control is High. There are no additional costs to implement this policy with the existing operating system in use.

We recommend that the network password be changed. The password should be known only to the NTG technicians and designated IT staff members. An alternate network (guest network) could be created for those who want internet access on their personal devices. The guest network can be accessible by all staff, clients, volunteers, and visitors.

F. Copier Machine

The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard drive (HDD). The HDD is capable of storing many images of the documents duplicated by the copier, so again, more sensitive data is exposed to unauthorized access. During the questioning session the vendor’s current practices were unknown. The team recommends checking with the vendor and inquiring about the security measures the vendor takes to keep NLEN information secure. The Qualitative Value to establish this recommended control is High.


The table above details the risk that sensitive data duplicated by the copier machine may not be secure, and the recommended control to ensure that the data retained in the copier is secure.

G. Inventory

Accountability for equipment is unknown. Daniel advised us that he is unaware of any inventory of the network equipment. If equipment is lost or there is a burglary in the facility, how will you know how many and which items were taken? The team recommends creating a small property inventory of all network equipment. This inventory should be updated whenever there is a change of equipment or staff. The Qualitative Value to establish this recommended control is High, due to the lack of accountability for NLEN network equipment within the facility. There is no additional cost to implement this policy. A recommended log example follows.


Room: ________________________________________________

ITEM | MANUFACTURER | MODEL | MACHINE NAME | SERIAL # | MAC ADDR | USER | DATE ISSUED
-----|--------------|-------|--------------|----------|----------|------|------------
     |              |       |              |          |          |      |
     |              |       |              |          |          |      |

Signature of Supervisor/Manager: ______________________________
Date Signed: ______________________________

Example of small property inventory log.
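As an added example, not part of the report, the following PowerShell fills the columns of the small property inventory log from each computer itself and appends them to a shared CSV, then answers the question raised above by listing logged items whose serial numbers were not seen on a walkthrough. The log path \\fileserver\it\inventory.csv, the room and user names and the sample serial numbers are placeholders; Get-WmiObject is used so it runs on the XP/Server 2003 era systems the report describes.

```powershell
# Added example, not from the NLEN report. Collects the inventory log columns
# (Item, Manufacturer, Model, Machine Name, Serial #, MAC Addr, User, Date Issued)
# from the computer via WMI and appends one row per device to a shared CSV.
# Placeholder (assumption): the log is kept at \\fileserver\it\inventory.csv.

$InventoryLog = "\\fileserver\it\inventory.csv"   # placeholder path
$Columns = "Room","Item","Manufacturer","Model","MachineName","SerialNumber","MacAddress","User","DateIssued"

function Get-ChassisKind($chassisTypes) {
    # Win32_SystemEnclosure.ChassisTypes (SMBIOS codes) mapped to the report's item classes.
    foreach ($t in $chassisTypes) {
        if (3,4,6,7,15 -contains $t) { return "Desktop" }
        if (8,9,10,14  -contains $t) { return "Laptop" }
        if (30,31,32   -contains $t) { return "Tablet" }
    }
    return "Other"
}

function Get-InventoryRecord {
    param(
        [Parameter(Mandatory=$true)][string]$Room,   # typed in by whoever issues the device
        [Parameter(Mandatory=$true)][string]$User,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $cs   = Get-WmiObject Win32_ComputerSystem  -ComputerName $ComputerName
    $bios = Get-WmiObject Win32_BIOS            -ComputerName $ComputerName
    $enc  = Get-WmiObject Win32_SystemEnclosure -ComputerName $ComputerName
    # The first adapter with an IP configuration is the one actually on the NLEN network.
    $nic  = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $ComputerName `
                -Filter "IPEnabled = True" | Select-Object -First 1
    New-Object PSObject -Property @{
        Room         = $Room
        Item         = Get-ChassisKind $enc.ChassisTypes
        Manufacturer = ([string]$cs.Manufacturer).Trim()
        Model        = ([string]$cs.Model).Trim()
        MachineName  = $cs.Name
        SerialNumber = ([string]$bios.SerialNumber).Trim()
        MacAddress   = $nic.MACAddress
        User         = $User
        DateIssued   = (Get-Date).ToString("yyyy-MM-dd")
    }
}

function Add-InventoryRecord($record) {
    # Plain CSV append (Export-Csv -Append needs PowerShell 3); header written on first use.
    if (-not (Test-Path $InventoryLog)) {
        Set-Content -Path $InventoryLog -Value ($Columns -join ",")
    }
    $values = foreach ($c in $Columns) { '"' + ([string]$record.$c).Replace('"', '""') + '"' }
    Add-Content -Path $InventoryLog -Value ($values -join ",")
}

function Find-MissingEquipment([string[]]$SerialsSeenOnWalkthrough) {
    # Logged items whose serial number was not seen: the answer to "which items were taken?"
    Import-Csv $InventoryLog | Where-Object { $SerialsSeenOnWalkthrough -notcontains $_.SerialNumber }
}

# Usage: record this machine when it is issued, then reconcile after a walkthrough.
Add-InventoryRecord (Get-InventoryRecord -Room "Main floor, front desk" -User "staff01")   # placeholders
Find-MissingEquipment -SerialsSeenOnWalkthrough @("SERIAL-A-PLACEHOLDER", "SERIAL-B-PLACEHOLDER") |
    Format-Table Room, Item, MachineName, SerialNumber, User -AutoSize
```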


H. Disaster Recovery Plan

Disaster planning plays a crucial role in determining whether a company may still function after serious disruptions to the organization’s connectivity. One can never predict a fire or water disaster, so it is imperative that a Disaster Recovery Plan (DRP) is developed.

NIST 800-30 Appendix F, page F-2, would define this vulnerability as high based on the exposure and ease of exploitation. Note that a contingency plan such as a DRP is a HIPAA standard, Contingency Plan (§ 164.308(a)(7))45. All organizations must meet the standards or face penalties for violations. The table below, which can be found in NIST SP 800-66r1, is a standard table for implementing policies responding to occurrences such as fire, water, natural disaster, and vandalism.

Implementing this standard can take anywhere from a couple of weeks to a month or two. Using the questions in the table below as samples is as good a place to start as any. It is important to ask these questions of oneself to see where information is lacking. From there you can add preemptive measures in the areas where NLEN is lacking.

HIPAA Table 4.7 Contingency Plan

HIPAA recommended steps aid in developing a Disaster Recovery Plan.


I. Temporary Use of Equipment

A laptop loaner program is available to staff members and clients to accomplish their work off-site. It was noted that there has been a loss of control over devices from this program, which cannot be accounted for. This program is vital and necessary to clients and staff alike. Although it is a necessary program, measures should be taken to secure the safekeeping of the equipment, or the program will cease if all equipment is lost. The Qualitative Value of this risk is rated High due to the possibility of device(s) not being returned.

It is understood that this program exists for the clients and is vital for success in the U-Turn program. Eliminating this program could be critical to both clients and staff. The team recommends re-evaluating the program with procedures that support the clients and maintain the safekeeping of the devices.

J. Record Files (Paper Documents)

On a daily basis, new and existing clients come into NLEN hoping to enroll in the U-Turn program and record their information on a document sheet. The document contains sensitive information such as their Social Security Number (SSN), address, family members, background history, education, status, etc. These documents are then placed into storage boxes for accessibility. The files are later entered into a computer by volunteers and staff members, where they can be reviewed for further use. This is concerning because it is a red flag[16] due to the vulnerability[17] of missing files being a likelihood of occurrence.[18] Client information kept in stored boxes tends to be accessible to anyone on the work site (possibly including the clients), and could be harmful to clients and assets. The method of storing information must be changed or altered for privacy and protection purposes.

A proposed solution is to secure the files in locking file cabinets to minimize access. The alternative is simply to seal the boxes with wide tape across the top and all seams. Both solutions require someone to administer a log with a sign-out process recording which files are checked out, so that each access is dated, recorded and attributable to the person who last handled the file. This mitigates the vulnerability of identity theft (a red flag) in the work environment. Locking file cabinets also make it easy to organize client records by year, since the number of client records varies from year to year, and give an efficient process for retrieving a particular client's information. With an organized method in place, documents due for shredding are easily identified.

16 The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs, or red flags, of identity theft in their day-to-day operations (http://www.business.ftc.gov/privacy-and-security/red-flags-rule).

17 Vulnerability: an existing weakness in the work flow of internal controls, or in an implementation, that could be exploited by a threat source (refer: NIST SP 800-30 p. 9, Chapter 2, Vulnerabilities and Predisposing Conditions).

18 Likelihood of occurrence: a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities) (refer: NIST SP 800-30 p. 10, Chapter 2, Likelihood).

The Qualitative Value of this risk is rated High because of the possible loss of sensitive information. The Team recommends either option to minimize the risk. The first option, file cabinets, is ideal; a 4-drawer vertical locking file cabinet costs about $200 to $450 each. This method is more secure because it provides safe storage behind a lock and key. The alternative is more cost effective: wide packaging tape is priced at $11 for a pack of 6 at Staples. Although this method is not as secure, a sealed box at least makes unauthorized opening evident, which minimizes unauthorized access.

Appendices and References

References

1) NIST SP 800-30 Revision 1

Blank, Rebecca M., and Patrick D. Gallagher. NIST SP 800-30 Revision 1: Guide for Conducting Risk Assessments. U.S. Department of Commerce, Sept. 2012. PDF.

2) PCI DSS

Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.0. PCI Security Standards Council, Nov. 2013. PDF.

3) PCI DSS

Payment Card Industry (PCI) Data Security Standard: Business-as-Usual Processes, Version 3.0. PCI Security Standards Council, Nov. 2013. PDF.

4) HIPAA – NIST SP 800-66 Revision 1

Scholl, Matthew, Kevin Stine, Joan Hash, Pauline Bowen, Arnold Johnson, Carla D. Smith, and Daniel I. Steinberg. NIST Special Publication 800-66 Revision 1: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. U.S. Department of Commerce, Oct. 2008. PDF.

Appendices

NIST SP 800-30 Table F-2: Assessment Scale – Vulnerability Severity

The table above shows the assessment scale and a brief description of the values used to determine the qualitative ratings throughout this report.

NIST SP 800-30 Table H-2: Examples of Adverse Impacts

The table above lists various risks and their respective impacts.

PCI DSS: Section 11.2.1

Requirement 11.2.1, shown above, calls for quarterly internal vulnerability scans, with rescans until all "high-risk" vulnerabilities (as ranked under Requirement 6.1) are resolved. The point for NLEN is that the network must be checked on a schedule, not just from time to time, so that high-risk vulnerabilities are kept to a minimum.

Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures

Requirement 8:

The table above details the requirement to identify and authenticate access to system components. NLEN would apply it when assigning user accounts to clients, volunteers, and visitors. The PCI DSS Requirements column states the requirements for identifying and authenticating access to system components; the one NLEN should focus on is 8.1.1, assigning all users a unique ID before allowing them to access system components. The Testing Procedures column gives procedures NLEN can use to verify that all users have been assigned a unique ID, and the Guidance column explains how this enforces individual responsibility for actions and provides an effective audit trail per user.

Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures

Requirement 9:

The table above addresses physical access to systems and cardholder data: Requirement 9 exists to prevent unauthorized physical access to the network and its equipment. Requirement 9.1.1 serves two purposes: 1) monitoring sensitive areas with video cameras and/or access control mechanisms, and 2) protecting those controls from tampering.

The table above describes the security awareness and training that NLEN can use as a reference when setting up training for its employees. The Key Activities column lists the types of training to be held, the Description column explains each key activity, and the Sample Questions column lists questions NLEN may want to ask itself before putting together a training class for its employees.

Information Security Safeguard Design

Summary

On May 8th the team met with Daniel to present the safeguard controls we believe would help NLEN in the future. During the meeting Daniel told us he would be able to tell the team the following week which safeguard controls NLEN would like assistance with, after a one-week delay to meet with his supervisor, who would select the controls for the team to implement. In the meantime the team developed a list of safeguard controls to benefit NLEN: User Access Controls, Server Room Controls, Access Controls and Training, Small Property Inventory, and Temporary Use of Equipment. These controls were chosen for their zero cost and achievability for NLEN. On May 21st Daniel sent an email with additional safeguard controls he would like the team to implement. Daniel's selection included the controls already chosen by the team plus the following: Disaster Recovery Plan, File Inventory, and Copy Machine Hard Drive.

Each safeguard control has its own objective to benefit NLEN. The team selected these controls because of NLEN's current unsafe practices by staff and volunteers and the possible compromise of sensitive data. The objective for server equipment is to minimize access and possible damage to or interruption of the network. The inventory of equipment will help NLEN identify and protect all network equipment. The Temporary Use of Equipment control will manage the existing loaner program, maintaining better control and accountability of the equipment. The Disaster Recovery Plan would ensure that if a natural disaster occurred NLEN has a plan of action for the safety of its employees, volunteers, and clients, and for restoring routine operations as far as the disaster allows. A safer method of storing files would ensure that the sensitive data in the file boxes is secured at all times. Finally, the copier control ensures that sensitive information duplicated on the copier is discarded by a safe and secure method.

Currently NLEN allows volunteers to access client information through an employee login; clients use one designated login to access their resumes, job applications, and credit information; and visitors who enter the office can use computers with no login at all. This creates the risk of volunteers accessing the shared S drive that is for staff use only. Clients cannot know whether others can see what they are doing on the computer when sharing the same logon, and staff not locking their computers can lead to unauthorized access to the computer, and to the client sensitive data on it, while they are away from their desks. To keep client data on the shared S drive secured at all times, staff should not share their usernames and passwords with anyone. An individual user account must be created for each volunteer who assists clients, and each client must have their own individual user account as well. When visitors require access to a computer, an individual user account must likewise be created for the visitor, restricted to Internet use only with no access to other information. Staff are required to lock their computers whenever they are away from their desk or on break. Implementing user access safeguard controls will ensure that NLEN keeps client information safe at all times.

NLEN's server room is located in the basement of the facility. The equipment is not secured and there is no way to tell whether the network is monitored daily. The key to the server room is currently left out, so anyone can reach the equipment and there is no record of who enters the server room. Anyone with access to the room can access the server equipment, and damage can occur; an unsecured key lets anyone unlock the server room for their own purposes and cause problems with the equipment. To assure that NLEN is protecting the server equipment and its employees, a log should be created with a signature for each person who accesses the server room, recording name, date, time, and what was accessed. The server room key should be kept in a secure place that only Daniel or a designated key holder can access. The server room should be checked daily as a measure to prevent unauthorized access to the network. Implementing the server room safeguard control will ensure that NLEN secures client information and protects the safety of its employees and network.

The copier machine NLEN uses is provided through a vendor service. NLEN is unsure whether the information copied onto the copier's hard drive is wiped after use, so client information could remain on the hard drive and be accessible to the vendor when the copier is retrieved from NLEN, compromising sensitive client information. The preventive measure is to ask the vendor what safe practice is currently in place: the method should be either overwriting or erasure of the data on the copier's hard drive, and if the vendor practices neither, one of these methods should be implemented immediately.

NLEN has a wealth of equipment assigned to each staff member, yet no documented inventory reflecting this. Implementing a small property inventory (SPI) safeguard control will ensure that the equipment at NLEN is accounted for and secured. An SPI covering all network equipment held at the NLEN facility will allow the Network Administrator to better monitor and locate equipment on the network. It will also ensure that any equipment newly installed or discarded is properly documented, with details such as make, model, install date, and so on. This would be helpful to both NLEN and the NTG vendor that manages the network.

The loaner program currently in place at NLEN offers portable equipment for temporary use to staff and clients. The program has minimal accountability and has previously lost track of equipment. It needs a check and balance to better manage the equipment, so that when equipment is lost its details are readily known and measures can be taken to recover it. Users who want temporary equipment should sign for custody of it until it is returned. With this safeguard in place NLEN will better manage the program and minimize the loss of equipment.

There is currently no Disaster Recovery Plan in place at NLEN. If a natural disaster (fire or water damage) occurred, NLEN would be unable to continue day-to-day activities; clients could not receive assistance because the equipment and services NLEN provides would be unavailable, and NLEN could not tell staff how to move forward because no plan exists. To ensure the safety of NLEN staff and clients and to regain operations after a disaster, it is imperative to implement a Disaster Recovery Plan. With a DRP in place NLEN would have a plan to follow when a disaster occurs, could continue day-to-day activities and carry out the organization's mission, and, by ensuring backups are conducted regularly, could keep the information it accesses secured throughout the disaster. Staff would know in advance what actions to take if relocation is required, ensuring the safety of all staff and clients.

Throughout the NLEN facility there are storage boxes containing paper files of clients' personal data, for current and past clients. NLEN is required to retain these files for seven years before destroying them. Access to the files is open to anyone who enters NLEN, because the files are simply placed in storage boxes that are not secured in any way. The safeguard control to prevent unauthorized access to the paper files is to secure the boxes with wide tape along all seams and openings, and to create a log in which employees sign files in and out of the storage boxes. Implementing this safeguard control will keep the clients' paper files secure and minimize unauthorized access.

Implementing the recommended safeguard controls protects NLEN staff members, clients, and volunteers in many ways:

• Reduces the risk of compromise of sensitive information.
• Restricts access to areas of the facility to those who require it.
• Provides accountability through an inventory of valuable network equipment.
• Reduces the chance of data extraction from the copier hard drive when it is recycled.
• Heightens awareness so that monitoring of the network is consistent.
• Minimizes the loss of valuable equipment through accountability.
• Provides advance instruction if a disaster occurs, ensuring the safety of staff and clients.
• Secures stored data and minimizes unauthorized access to it.
• Heightens daily practice through training, securing the environment throughout the facility.

Access Controls

NLEN volunteers access client sensitive information via a staff logon, and clients all share one logon to access resumes, apply for jobs, and access credit information. NLEN policy states that only staff are authorized to access the shared S drive that contains client sensitive data; the unauthorized sharing of staff logons nevertheless lets volunteers access the S drive. Because clients have no individual logons, there is no way to track who accessed what: if a client accessed unauthorized information, NLEN could not identify the individual(s) responsible when everyone uses one shared logon. To secure clients' sensitive data and let clients reach their own files securely, individual user accounts must be created for each volunteer and client, with Internet access only.

Creating user accounts for volunteers would eliminate staff sharing their logons with volunteers, and those volunteers would not have access to the S drive. It would also let NLEN track each user's activity on the network every time they log in. Clients would have their own logon account and could access their resumes, apply for jobs and access credit information without worrying that the next person can see what they did previously; again, NLEN could track each client's activity by username.

This can be done by Daniel or a designated staff member granted administrator access to the Windows Server 2003 R2 machine located in the server room at the NLEN facility. Usernames will be created on Windows Server 2003 R2 following the instructions at www.sharepointgenius.com/create-user-windows-server/. Note that the linked steps use Computer Management > Local Users and Groups, which creates accounts local to that one server; if the server is a domain controller, that snap-in is not available and the same accounts are created in Active Directory Users and Computers instead, which is what allows one account to work on every NLEN computer.

Creating a New User:

1. Click Start, select Administrative Tools and click Computer Management.

2. In Computer Management, click Local Users and Groups.

3. Double click the Users folder.

4. Right click in the users list and click New User.

5. Fill in the information for the new user and click Create. You can create another user. Click Close when you are done creating users.

Check "User must change password at next logon". Passwords will be set to expire every 2 months. Access will be revoked when a staff member is no longer employed or a volunteer is no longer assisting NLEN.

6. You should now see your newly created user accounts. By default, new user accounts are given limited access permissions.

Once each username has been created, the NLEN administrator can assign privileges to allow proper access. Assigning privileges ensures that volunteers can access only the information NLEN allows them when assisting a client, and that clients are limited to program-related information such as resume building, employment, and credit information, with no access to anything unrelated to the NLEN program. Following http://www.sharepointgenius.com/grant-local-administrator-permissions#local-properties, the instructions below show how to assign privileges to each username created for volunteers and clients. The linked page describes adding a user to the Administrators group; for volunteers and clients the group chosen in step 7 must be their restricted role group, never Administrators:

Assigning User Privileges

1. Click Start, select Administrative Tools and click Computer Management.

2. In Computer Management, click Local Users and Groups.

3. In Local Users and Groups, navigate to the user you wish to grant local administrator permission.

4. Right click the user and click Properties.

7. In Select Groups, type the name of the group that employees or volunteers are assigned to and click Check Names. Click OK, then OK again to save the changes.

The recommended safeguards can be tested by having the user log on with the newly created username and password. Once logged in, the user will be required to change their password and should then have access only to the information specified for that user. Implementing this control ensures that volunteers do not have access to the shared S drive designated for staff use only and that clients have their own personal logon. NLEN can also test the safeguard control by checking monthly for users that should have been disabled.

Currently NLEN allows visitors to log on to computers designated for clients to access the Internet via a client logon. There is no way to limit what a visitor can access when logged into a client computer with a client logon. Clients routinely access resumes, employment assistance, credit, and other sensitive information, so letting a visitor use the same logon gives the visitor access to client data if the history was not previously deleted. To ensure that client data is protected and visitors only have access to the Internet, NLEN can assign a username to each visitor through the Control Panel on a computer designated for client use. Creating a user account for each visitor keeps client data separate and gives the visitor their own logon with Internet access only. A designated staff member with administrator access may create visitor accounts by completing the following steps:

Step 1: Click the Windows button (lower left) and open the "Control Panel".

Step 2: Under "User Accounts and Family Safety" click "Add or remove user accounts", then create the account as a Standard user (not Administrator) so the visitor cannot install software or read other users' profile folders. Once the visitor's user account has been created, they will be able to log on to the computer, browse the Internet, and log off when finished.
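The account procedures above (volunteers and clients on the server, visitors on the client computers) can also be scripted so that no one has to click through the dialogs per person and the same password policy is applied every time. The following is an added example, not code from the NLEN report or from the linked tutorials. It uses the WinNT ADSI provider, which is the same interface Computer Management > Local Users and Groups drives, so it runs in Windows PowerShell on a standalone or member server and on the client workstations. Assumptions: it is run as a local administrator; the role group names "Volunteers", "Clients" and "Visitors" are hypothetical; if the server is a domain controller the accounts live in Active Directory instead, and the script would have to be pointed at the domain rather than at the local computer.

```powershell
# Added example for the NLEN access-control procedure (not from the report).
# Creates one local account per person, forces a password change at first
# logon, drops the account into a role group, and lists stale accounts for
# the monthly review. Group names and user names below are hypothetical.

$ErrorActionPreference = 'Stop'
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"

# The report's policy: at least 8 characters with an upper-case letter,
# a digit and a special character. -cmatch makes the letter test case-sensitive.
function Test-NlenPassword {
    param([string]$Password)
    return ($Password.Length -ge 8) -and
           ($Password -cmatch '[A-Z]') -and
           ($Password -match '[0-9]') -and
           ($Password -match '[^A-Za-z0-9]')
}

# Returns the named local group, creating it when it does not exist yet.
function Get-LocalGroupOrCreate {
    param([string]$Name)
    $existing = $computer.Children | Where-Object {
        $_.SchemaClassName -eq 'group' -and $_.Name -eq $Name }
    if ($existing) { return $existing }
    $group = $computer.Create('Group', $Name)
    $group.SetInfo()
    return $group
}

function New-NlenAccount {
    param(
        [string]$Name,                                    # e.g. "vol.jsmith"
        [string]$InitialPassword,
        [ValidateSet('Volunteers', 'Clients', 'Visitors')][string]$Role,
        [string]$Description
    )
    if (-not (Test-NlenPassword $InitialPassword)) {
        throw "Initial password for $Name does not meet the NLEN policy"
    }
    $user = $computer.Create('User', $Name)
    $user.SetPassword($InitialPassword)
    $user.SetInfo()
    $user.Put('Description', $Description)
    $user.Put('PasswordExpired', 1)     # "User must change password at next logon"
    $user.SetInfo()
    # Membership in the role group only. New local users are also in "Users";
    # the staff-only S: share stays closed to them as long as its ACL grants
    # the staff group rather than Users or Everyone.
    $group = Get-LocalGroupOrCreate $Role
    $group.Add($user.Path)
    return $user
}

# Monthly check from the report: accounts that are disabled, have never
# logged on, or have not logged on within the 2-month password cycle.
# Built-in accounts (Administrator, Guest) appear here too and are expected.
function Get-StaleNlenAccounts {
    param([int]$Days = 60)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($u in $computer.Children) {
        if ($u.SchemaClassName -ne 'user') { continue }
        $flags = [int]$u.UserFlags.Value
        $disabled = ($flags -band 0x2) -ne 0        # ADS_UF_ACCOUNTDISABLE
        $last = $null
        try {
            $raw = $u.LastLogin.Value
            if ($raw) { $last = [datetime]$raw }     # absent when never logged on
        } catch { }
        if ($disabled -or ($last -eq $null) -or ($last -lt $cutoff)) {
            New-Object PSObject -Property @{
                Name      = $u.Name
                Disabled  = $disabled
                LastLogin = $last
            }
        }
    }
}

# Constructed usage: one account per person, never a shared "client" login.
New-NlenAccount -Name 'vol.jsmith' -InitialPassword 'Welcome-2014!' -Role Volunteers -Description 'Volunteer, U-Turn program'
New-NlenAccount -Name 'cli.mjones' -InitialPassword 'Start-Up#2014' -Role Clients   -Description 'Client, U-Turn program'
Get-StaleNlenAccounts | Format-Table Name, Disabled, LastLogin -AutoSize
```

Group membership by itself does not make a visitor account "Internet only"; that still depends on the share and folder permissions granting access to the staff group rather than to Users or Everyone, which is worth verifying once with a freshly created Visitors account.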

Record Files

Paper files are stored in storage boxes throughout the NLEN facility. The files contain data for current and past clients. The storage boxes are not secured, and anyone may access the paper files stored in them. There is currently no way to track who is accessing the files, how many boxes exist, or where they are. To ensure that the files are secured and access is limited to those who are authorized, the recommendation is to seal the storage boxes with tape and, in addition, to create a log for managing the client files taken from the boxes. For accurate tracking each employee will be required to sign in, indicate the date the files are accessed and the date they are put back into the box, and sign out. The safeguard control can be tested by keeping a record of who has access to the information each storage box contains; sealing the boxes ensures that only authorized staff can open them once sealed.
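The sign-in/sign-out log proposed here for the file boxes is the same check-and-balance the summary asks for in the laptop loaner program, so one ledger format and one check can serve both. The following is an added example, not from the NLEN report: it reads a sign-out log kept as a CSV and reports everything still out or overdue, which is the question NLEN could not answer when loaner laptops went missing. Assumptions: the column names, the 14-day loan period, the custodian names and the log path are all hypothetical.

```powershell
# Added example (not from the NLEN report): outstanding and overdue items
# from the paper-file / loaner sign-out log. CSV columns are hypothetical.

function Get-OutstandingItems {
    param(
        [object[]]$Entries,
        [int]$MaxDays = 14,                  # hypothetical loan period
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($row in $Entries) {
        # A non-empty ReturnedOn means the item is back on the shelf.
        if ($row.ReturnedOn -and $row.ReturnedOn.Trim()) { continue }
        $out = [datetime]$row.SignedOutOn
        $age = ($AsOf - $out).Days
        New-Object PSObject -Property @{
            Item      = $row.Item
            Custodian = $row.Custodian
            SignedOut = $out.ToString('yyyy-MM-dd')
            DaysOut   = $age
            Overdue   = ($age -gt $MaxDays)
        }
    }
}

# Constructed sample log in the proposed format. The real file would be read
# with Import-Csv -Path \\nlen-server\logs\signout.csv (hypothetical path).
$log = @'
Item,Custodian,SignedOutOn,ReturnedOn,Purpose
Box 2013-A,d.smith,2014-05-01,2014-05-02,Enrollment review
Laptop L-07,a.lee,2014-05-05,,Client site visit
Box 2014-B,r.patel,2014-05-27,,Data entry
Laptop L-03,k.brown,2014-05-28,2014-05-29,Training
'@ | ConvertFrom-Csv

Get-OutstandingItems -Entries $log -AsOf ([datetime]'2014-05-30') |
    Sort-Object Overdue -Descending |
    Format-Table Item, Custodian, SignedOut, DaysOut, Overdue -AutoSize
```

The sample deliberately contains one box returned the next day, one laptop that has been out for weeks, one box signed out three days ago, and one returned laptop, so the report distinguishes "still out but within the loan period" from "overdue". Run with -MaxDays 0 it simply lists everything not yet returned, which is the quicker check for the file boxes.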

Server Equipment

Regular network monitoring is useful for finding network breaches and gives time to assess the situation and implement a resolution.

Check for anomalies and discrepancies while monitoring the data.

Check log files, look for network access at irregular times.

Step 1, open Command Prompt

Step 2, run the command sfc /scannow

As the output shows, no integrity violations were found. This is a simple check, but note what it covers: sfc /scannow verifies that the protected Windows system files on the server have not been altered or replaced, which is one sign of a compromised host. It does not examine network traffic or logon activity, so it complements the log review above rather than replacing it.

• Check if there were huge data transfers.

• Check for illegal network access (anyone accessing the network without permission).

These checks should be performed bi-weekly by a network administrator.

• Any discrepancy in the network should be logged, reported, and resolved in a reasonable amount of time.

• The NTG vendor should always be aware of the network status and advise NLEN of it daily; communication is key.

• The command above can be used as a test control. The command has more options (ask the NTG vendor for assistance).
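The "network access at irregular times" check above is easiest to make repeatable by reading the server's Security log rather than scrolling it. The following is an added example, not from the NLEN report: it keeps only successful logons that fall outside working hours or on weekends. Assumptions: working hours of 08:00 to 18:00 Monday to Friday are hypothetical; on Windows Server 2003 successful logons are Security event IDs 528 (interactive) and 540 (network), and on Server 2008 and later 4624; the sample records are constructed and stand in for what Get-EventLog returns.

```powershell
# Added example (not from the NLEN report): off-hours logon review for the
# bi-weekly check. Working hours and the sample events are hypothetical.

$WorkStart = 8       # hour of day, inclusive
$WorkEnd   = 18      # hour of day, exclusive
$LogonIds  = 528, 540, 4624   # successful logon: 2003 interactive/network, 2008+

function Test-OffHours {
    param([datetime]$When)
    $weekend = ($When.DayOfWeek -eq 'Saturday') -or ($When.DayOfWeek -eq 'Sunday')
    return $weekend -or ($When.Hour -lt $WorkStart) -or ($When.Hour -ge $WorkEnd)
}

# Accepts objects shaped like Get-EventLog output (TimeGenerated, EventID,
# Message). The user name is pulled from the message body because the 2003
# and 2008+ formats differ; in 4624 the first "Account Name" is the subject
# and the second is the account that logged on, so the last match is used.
function Find-OffHoursLogons {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($LogonIds -notcontains [int]$e.EventID) { continue }
        if (-not (Test-OffHours $e.TimeGenerated)) { continue }
        $user = '(unknown)'
        $m = [regex]::Matches($e.Message, '(?:User Name|Account Name):\s*(\S+)')
        if ($m.Count -gt 0) { $user = $m[$m.Count - 1].Groups[1].Value }
        New-Object PSObject -Property @{
            Time    = $e.TimeGenerated
            EventID = $e.EventID
            User    = $user
        }
    }
}

# Constructed sample: a daytime logon, a late-evening logon, a Saturday
# logon and a failed logon (event 529, which belongs to a different check).
# The live source is: Get-EventLog -LogName Security -Newest 5000 (run as administrator).
$sample = @(
    New-Object PSObject -Property @{ TimeGenerated = [datetime]'2014-05-20 09:15'; EventID = 528;  Message = "Successful Logon:`r`n`tUser Name:`tdaniel" }
    New-Object PSObject -Property @{ TimeGenerated = [datetime]'2014-05-20 23:40'; EventID = 540;  Message = "Successful Network Logon:`r`n`tUser Name:`tvol.jsmith" }
    New-Object PSObject -Property @{ TimeGenerated = [datetime]'2014-05-24 10:05'; EventID = 4624; Message = "An account was successfully logged on.`r`n`tAccount Name:`tNLEN-SRV$`r`n`tAccount Name:`tcli.mjones" }
    New-Object PSObject -Property @{ TimeGenerated = [datetime]'2014-05-20 10:00'; EventID = 529;  Message = "Logon Failure:`r`n`tUser Name:`tunknownuser" }
)

Find-OffHoursLogons $sample | Sort-Object Time | Format-Table Time, EventID, User -AutoSize
```

Replace `$sample` with the Get-EventLog call to run it against the real log; the Security log must be large enough to cover two weeks of events, otherwise the earliest days of the review window are already gone before the administrator looks.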

Password changes on the network should also be implemented, focusing on the important parts of the network such as the firewall, router and the server itself.

• Routinely change passwords on the network.

• Passwords should be held on a need-to-know basis and entered by administrators.

• Password should be strong passwords requiring one capital letter, one number, and one special character, with a minimum length of 8 characters.

• Advise staff not to share the Wi-Fi password.

The server room should be visited at various times throughout the day to ensure the server equipment is all present and undisturbed. Since cameras are currently not cost effective for NLEN, designated staff members should check routinely each day until cameras can be installed.

• Whenever possible have the network administrator check the equipment and advise what to look for. If anything appears missing or disturbed the network administrator should be contacted immediately.

• Equipment should be checked twice a day; preferably upon opening and closing of the facility each day.

• Checks should be logged and signed by the staff conducting the check.

Copier Machine

NLEN currently keeps sensitive data: social security numbers, credit reports, account numbers, health records, and business secrets. Protecting it is good practice and good business sense, and may also be required by law. According to the Federal Trade Commission (FTC), the national consumer protection agency, information security plans should cover digital copiers within a facility. If the data on the copier gets into the wrong hands, it could lead to fraud and identity theft.

Commercial copiers have come a long way. Today's generation of networked multifunction devices, known as "digital copiers", are "smart" machines used to copy, print, scan, fax and email documents. Digital copiers require hard disk drives to manage incoming jobs and workloads and to increase production speed. Not every copier on the market is digital, however: generally, copiers intended for business have hard drives, while copiers intended for personal or home office use do not.

The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes or emails. If proper steps are not taken to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed. Digital copiers store different types of information in different ways; for example, photocopied images are more difficult to access directly from the hard drive than documents that are faxed, scanned or printed on the copier.

Copiers often are leased, returned, and then leased again or sold. It is important to know how to secure data that may be retained on a copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own. It is wise to include data security for each stage of the digital copier life-cycle: when you plan to acquire a device, when you buy or lease, while you use it, and when you turn it in or dispose of it.

Before acquiring a copier, make sure it is covered by NLEN's information security policies and that it will be managed and maintained by the NLEN vendor or a designated staff member. When buying or leasing a copier, evaluate the options for securing the data on the device. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting.

Encryption is the scrambling of data using a secret code that can be read only by particular software. Digital copiers that offer encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine.

Overwriting, also known as file wiping or shredding, changes the values of the bits on the disk that make up a file by overwriting the existing data with random characters. Once the disk space the file occupied has been overwritten, the traces are removed and the file cannot be reconstructed as easily. This is the feature most commonly used on copiers.

Depending on the copier, the overwriting feature may allow a user to overwrite after every job, periodically to clean out the memory, or on a preset schedule. An administrator may be able to set the number of times data is overwritten; generally, the more times the data is overwritten, the safer it is from being retrieved. However, for speed and convenience, some copiers let you save documents (for example, a leave slip) and print them straight from the copier's hard drive without retrieving the file from your computer. On copiers that offer this feature, the saved documents are not overwritten with the rest of the memory, and users should be aware that these documents remain available.

Overwriting is different from deleting or reformatting. Deleting data or reformatting the hard drive does not actually alter or remove the data, but rather alters how the hard drive finds the data and combines it to make files. The data remains and may be recovered through a variety of utility software programs.
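The difference between deleting and overwriting that the two paragraphs above describe can be seen on an ordinary Windows file, which is where NLEN staff will most often meet it (a scanned enrollment form saved to a workstation, for instance). The following is an added example, not from the NLEN report or the FTC guidance: a plain Remove-Item only drops the directory entry and leaves the bytes on disk, while the function below writes random data over every byte of the file before removing it, which is what a copier's overwrite feature does to its own drive. Assumptions: a magnetic disk, where overwriting in place is meaningful; on solid-state drives, and on the copier itself, only the device's own sanitize or overwrite feature can give that assurance, for the reasons the text gives.

```powershell
# Added example (not from the NLEN report): overwrite a file's contents with
# random bytes before deleting it, as opposed to a plain delete that leaves
# the data recoverable. Demo path and content are constructed.

function Remove-FileSecurely {
    param([string]$Path, [int]$Passes = 3)
    $file   = Get-Item -LiteralPath $Path
    $length = [long]$file.Length
    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 65536
    # Exclusive open so nothing else reads or writes the file mid-overwrite.
    $stream = [System.IO.File]::Open($file.FullName, 'Open', 'ReadWrite', 'None')
    try {
        for ($pass = 0; $pass -lt $Passes; $pass++) {
            $stream.Position = 0
            $remaining = $length
            while ($remaining -gt 0) {
                $rng.GetBytes($buffer)
                $chunk = [int][Math]::Min([long]$buffer.Length, $remaining)
                $stream.Write($buffer, 0, $chunk)
                $remaining -= $chunk
            }
            $stream.Flush()      # hand this pass to the OS before starting the next
        }
    } finally {
        $stream.Close()
    }
    # Only now remove the directory entry; the clusters it pointed at hold random bytes.
    Remove-Item -LiteralPath $file.FullName -Force
    return $length * $Passes     # bytes written
}

# Constructed demo input: a temporary file with text that a plain delete
# would leave recoverable by an undelete utility.
$demo = Join-Path $env:TEMP 'nlen-overwrite-demo.txt'
Set-Content -LiteralPath $demo -Value ('SSN 000-00-0000 ' * 2000) -Encoding ASCII
$written = Remove-FileSecurely -Path $demo -Passes 3
"Overwrote $written bytes across 3 passes, then deleted $demo"
```

Two caveats a practitioner would add: NTFS keeps very small files inside the master file table rather than in their own clusters, so the overwrite above is best-effort for files of a few hundred bytes, and the file name itself survives in the directory metadata. Neither changes the point of the section, which is that deleting or reformatting is not erasure.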

Yet another layer of security that can be added involves the ability to lock the hard drives using a passcode; this means that the data is protected, even if the drive is removed from the machine.

Finally, think ahead to how you will dispose of the data that accumulates on the copier over time. Check that your lease contract or purchase agreement states that your company will retain ownership of all hard drives at end-of-life, or that the company providing the copier will overwrite the hard drive.

Take advantage of all its security features. Securely overwrite the entire hard drive at least once a month. If the current copier has no security features, consider how you will integrate the next copier you lease or purchase into NLEN's information security plans. Plan now for how you will dispose of the copier securely; for example, consider placing a sticker or placard on the machine that states "Warning: this copier uses a hard drive that must be physically destroyed before turn-in or disposal." This informs users of the security issue and reminds them of the appropriate procedure when the machine reaches the end of its usable life.

At the end of the copier's service, the following tips are recommended. Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer a service that removes the hard drive and returns it to you, so you can keep, dispose of, or destroy it yourself; others may overwrite the hard drive for you. Typically these services involve an additional fee, though you may be able to negotiate a lower cost if you are leasing or buying a new machine.

One cautionary note about removing a hard drive from a digital copier on your own: hard drives in digital copiers often include required firmware that enables the device to operate. Removing and destroying the hard drive without being able to replace the firmware can render the machine inoperable, which may present problems if you lease the device. Also, hard drives are not always easy to find, and some devices may have more than one. Generally, it is advisable to work with skilled technicians rather than to remove the hard drive on your own.

Protecting Sensitive Information: Your Legal Responsibility

The FTC's standard for information security recognizes that businesses have a variety of needs and emphasizes flexibility: companies must maintain reasonable procedures to protect sensitive information. Whether your security practices are reasonable depends on the nature and size of your business, the types of information you have, the security tools available to you based on your resources, and the risks you are likely to face. Depending on the information your business stores, transmits, or receives, you may also have more specific compliance obligations. For example, if you receive consumer information, like credit reports or employee background screens, you may be required to follow the Disposal Rule, which requires a company to properly dispose of any such information stored on its digital copier, just as it would properly dispose of paper information or information stored on computers. Similarly, financial institutions may be required to follow the Gramm-Leach-Bliley Safeguards Rule, which requires a security plan to protect the confidentiality and integrity of personal consumer information, including information stored on digital copiers.

Reference: http://www.business.ftc.gov/documents/bus43-copier-data-security

Inventory

A Small Property Inventory (SPI) is an inventory of all office equipment throughout the NLEN facility that connects to the NLEN network. No equipment inventory is currently maintained at the NLEN facility. Maintaining an inventory of network equipment serves several purposes. One is a ledger documenting all network equipment held and its location, gathered by department and room number, which department heads can use to decide what equipment to replace or upgrade when the need arises. A primary function of the SPI is to identify equipment by machine name and Media Access Control (MAC) address, which aids the Network Administrator with updates and troubleshooting.

The SPI will follow the example on the next page. Each staff member will sign as the responsible user and custodian of the equipment they use. Once staff have signed for custody of the equipment, each Department Head or Manager will sign for all staff members assigned under their management.

All inventory sheets will be maintained by designated staff member(s). Any increase or decrease in staff should be reflected in the SPI, as should any increase or decrease in equipment. The SPI is useful only if it is maintained. If there are no changes in staff or equipment, the SPI should be verified once annually. Specifically, the equipment to which this inventory applies is:

Computers
Laptops
Printers
Scanners
Cardholders (Credit Card Reader)
Routers (Access Points)
Modems
Servers
Software

This does not exclude any additional equipment not listed above which NLEN may purchase in the future and which connects to the network.

Every room which contains network equipment should have a completed inventory sheet, indicated by the room number or title at the top. The inventory can be completed by any responsible staff member, with the exception of the machine name and MAC address. The machine name is a unique name given by the administrator which identifies the machine by department and/or location, and it may not be accessible without administrator access. The MAC address is a unique number assigned to the device when it was manufactured and may not be printed on the outside of the device. In either case, administrator access to the device is required to obtain its machine name and MAC address. Since these are the only two fields that staff will not have access to, it is recommended that all other available fields on the inventory sheet be completed, leaving these two blank for completion by an administrator.


Once the inventory sheets are completed, they should be made available to the designated staff member with administrator access or to the NTG vendor on the next site visit for completion.

Instructions for Completing the Inventory Sheet

Room - list the room number, or the room title if no number is given.

Item - list what kind of device the item is, example: computer, printer, etc.

Manufacturer/Model - list the manufacturer that designed or made the device, example: HP or Dell. Model - list the model of the device, example: officejet pro 5500. If this information is not labeled in plain sight, it can be found on the underside of the device. If no model is listed, write "none" in the column.

Machine Name - this is a unique name given to the device by the Administrator for identification on the server.

Serial Number/MAC Address - the serial number can usually be found on the bottom of the device. The MAC address is the unique identifier of the device's network interface. Both the serial number and the MAC address can be found inside the operating system of the device; to retrieve this information you must have local administrator access. If you do not have local administrator access, leave this field blank.

Once the inventory sheets are completed, less the machine name and MAC address, it is recommended that the designated staff member(s) with administrator access or the NTG vendor complete the MAC address field.

User - this should be the primary staff member who uses the equipment. For shared equipment such as a printer or scanner, it is recommended that the senior staff member in the room sign as User.

Date Issued - for existing devices, list the date on which the inventory is completed.

When staff are added to or removed from a room, a new inventory is required. When network equipment is added to or removed from a room, a new inventory is required. If there are no changes of network equipment or staff, the inventory should be conducted at least once a year. Periodic spot checks of the inventory should be conducted by managers/supervisors to ensure this safeguard is in use and network equipment is properly accounted for and secure within the NLEN facility.
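The spot checks and annual verification described above amount to reconciling the SPI ledger against what is actually on the network. The following is an added example, not part of the NLEN report: it normalizes MAC addresses (different tools print them differently), flags sheets whose administrator-only fields are still blank, lists devices seen on the network that no room has accounted for, and lists rows whose annual verification has lapsed. The SPI rows, the observed-device list and the date are constructed sample data.

```python
import re
from datetime import date, timedelta

# Constructed sample SPI rows (not NLEN's real inventory), one per device.
SPI = [
    {"room": "101", "item": "computer", "machine_name": "ADMIN-PC01",
     "mac": "00:1A:2B:3C:4D:5E", "user": "J. Doe", "date_issued": date(2013, 5, 1)},
    {"room": "101", "item": "printer", "machine_name": "", "mac": "",
     "user": "J. Doe", "date_issued": date(2014, 5, 30)},
    {"room": "102", "item": "laptop", "machine_name": "TRAIN-LT03",
     "mac": "00-1a-2b-3c-4d-60", "user": "A. Smith", "date_issued": date(2014, 5, 30)},
]
# Constructed list of devices the administrator observed on the network
# (machine name -> MAC as reported, e.g. from DHCP leases or the server).
OBSERVED = {"ADMIN-PC01": "001A2B3C4D5E", "TRAIN-LT03": "00:1A:2B:3C:4D:60",
            "UNKNOWN-PC": "00:1A:2B:3C:4D:99"}
TODAY = date(2014, 5, 30)  # constructed "current" date for the check

MAC_RE = re.compile(r"^[0-9A-F]{12}$")

def normalize_mac(mac):
    """Return the MAC as 12 uppercase hex digits, or None if blank or malformed."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", mac or "").upper()
    return cleaned if MAC_RE.match(cleaned) else None

def reconcile(spi, observed, today):
    """Compare the SPI ledger with observed devices and return the findings."""
    ledger = {normalize_mac(r["mac"]): r for r in spi if normalize_mac(r["mac"])}
    seen = {normalize_mac(m): name for name, m in observed.items()}
    return {
        # Administrator-only fields still blank: sheet awaits completion.
        "incomplete": [r["item"] + "@" + r["room"] for r in spi
                       if not r["machine_name"] or not normalize_mac(r["mac"])],
        # On the network but on no room's inventory sheet.
        "unaccounted": sorted(seen[m] for m in seen if m not in ledger),
        # In the ledger but not observed: moved, lost, or simply powered off.
        "not_seen": sorted(r["machine_name"] for m, r in ledger.items() if m not in seen),
        # Rows not re-inventoried within the required annual interval.
        "verification_due": sorted(r["machine_name"] or r["item"] for r in spi
                                   if today - r["date_issued"] > timedelta(days=365)),
    }

if __name__ == "__main__":
    for finding, devices in reconcile(SPI, OBSERVED, TODAY).items():
        print(finding, devices)
```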


Room ________________________________________________________________________

ITEM | MANUFACTURER | MODEL | MACHINE NAME | SERIAL# / MAC ADDR | USER | DATE ISSUED

Signature of Supervisor/Manager: _________________________________________________

Date Signed: __________________________________________________________________

Example of small property inventory log


Temporary Use of Equipment

Equipment which is loaned out for temporary use should be properly accounted for with a custody form such as the example found on the next page. This form should be used for all network equipment issued for temporary use outside of the NLEN facility. Currently the equipment being issued for temporary use is laptop computers. The computers used by staff, clients, and/or volunteers may contain sensitive data. To prevent unauthorized access to others' sensitive data, all data should be removed/erased after each return from temporary issue and prior to reissue to another staff member. Once returned to the inventory, the laptop should be made available to the NTG vendor for re-imaging of the hard drive on the next site visit.

Weekly spot checks should be conducted by designated staff to ensure accountability and to detect any loss of control of temporarily issued equipment immediately. They should consult with users who have temporary custody and confirm that the device is still within their control. Monthly checks should be conducted by the designated Department Head to ensure the safeguard measures for this control are maintained. Frequent periodic checks will quickly identify loss of control of a device, enabling rapid measures to recover it.
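The two controls in this section, the weekly spot check and the rule that a returned laptop is not reissued until it has been re-imaged, can be checked against a custody ledger. This is an added example, not NLEN's own form or procedure; the loan records, dates and serial numbers are constructed, and the field names are assumptions mirroring the custody form.

```python
from datetime import date, timedelta

# Constructed custody ledger (not NLEN's records): one entry per temporary issue.
# "spot_checked" is the date designated staff last confirmed the holder still had
# the device; "returned" and "reimaged" stay None until those steps happen.
LOANS = [
    {"serial": "LT-0001", "holder": "volunteer A", "issued": date(2014, 5, 1),
     "spot_checked": date(2014, 5, 27), "returned": None, "reimaged": None},
    {"serial": "LT-0002", "holder": "staff B", "issued": date(2014, 4, 20),
     "spot_checked": date(2014, 5, 2), "returned": None, "reimaged": None},
    {"serial": "LT-0003", "holder": "staff C", "issued": date(2014, 4, 1),
     "spot_checked": date(2014, 4, 25), "returned": date(2014, 5, 10), "reimaged": None},
    {"serial": "LT-0004", "holder": "client D", "issued": date(2014, 3, 1),
     "spot_checked": date(2014, 3, 20), "returned": date(2014, 4, 1),
     "reimaged": date(2014, 4, 15)},
]
TODAY = date(2014, 5, 30)  # constructed "current" date for the check

def overdue_spot_checks(loans, today, max_age=timedelta(days=7)):
    """Devices still out whose weekly spot check has lapsed. A lapsed check is
    where loss of control goes unnoticed, so these are contacted first."""
    return [l["serial"] for l in loans
            if l["returned"] is None and today - l["spot_checked"] > max_age]

def can_reissue(loan):
    """A laptop may be reissued only after it was returned AND re-imaged after
    that return, so the previous holder's data is gone before the next issue."""
    return (loan["returned"] is not None and loan["reimaged"] is not None
            and loan["reimaged"] >= loan["returned"])

def awaiting_reimage(loans):
    """Returned laptops that must go to the vendor before they can be reissued."""
    return [l["serial"] for l in loans if l["returned"] and not can_reissue(l)]

if __name__ == "__main__":
    print("overdue spot checks:", overdue_spot_checks(LOANS, TODAY))
    print("awaiting re-image:", awaiting_reimage(LOANS))
```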


Temporary Issue of Equipment

The equipment listed below is issued to ________________________________ for temporary use. I understand that while the equipment is in my custody I will take responsibility for the equipment until it has been returned to NLEN property control.

Equipment: ___________________________________________________________________

Model Number: _______________________________________________________________

Serial Number: ________________________________________________________________

MAC Address: ________________________________________________________________

Plug/Adapter: _________________________________________________________________

Case: ________________________________________________________________________

Mouse: _______________________________________________________________________

Any Additional Equipment not listed above: _________________________________________

______________________________________________________________________________

The above equipment is issued for temporary use and found to be in good working order, with the following discrepancies listed below. If no discrepancies are noted, state "no discrepancies noted."

______________________________________________________________________________

______________________________________________________________________________

Signature/Date of individual taking custody: _________________________________________

Signature/Date of authorizing Supervisor/Manager: ___________________________________

Re-imaged date/signature: _______________________________________________________

Example of temporary custody form


Training

Training: Log Off – this safeguard was highly recommended for implementation due to the risk of unauthorized access to staff computers. Providing methods for logging off staff computers lowers the rate of unauthorized access, identity and role theft, and unauthorized changes to client and employee information/accounts, and reduces the threat of implanting bugs, viruses, or other malicious software on the computer. (Please refer to the Training PowerPoint titled Security Awareness)

a. Test Plan for Log Off Desktop Icon: If a Log Off icon is created on the desktop of the computers, a simple test of whether clients, volunteers, or visitors are using this function is to observe a number of employees (for this purpose, 10) and count how many use the “Log Off” function. If the result is 7/10 (70%), this is considered good practice.

b. Test Plan for Auto Time Interval Log Off: If clients, volunteers, or visitors leave the work site, you can test how long it takes for a computer/laptop to go into “sleep” mode on its own. This should log off the computer/laptop after the set time limit, so one can simply check whether the device logs off after the given period of time.

c. Test Plan for Manual Log Off: similar to the observations in “Log Off Desktop Icon,” one can run a simple test of whether clients, volunteers, or visitors are manually logging off their devices when they leave their workstation or work site. If the result is 7/10 (70%), this is considered good practice.

Training Encryption

Training: Encryption - sensitive client information such as work history, social security number, address, family ties, and other sensitive data is transferred off-site daily along with other NLEN documents that may be considered valuable. Many employees may continue this work off-site on a personal computer. To counteract this unsafe practice, it is recommended to use a program called AxCrypt, which encrypts files to ensure work is done securely off-site. (Please refer to the Training PowerPoint titled Security Awareness)

Test Plan: Once each client and volunteer has read the Training PowerPoint, a poll can be taken to see whether this method is considered easy to learn and use, with a comment section for voicing any concerns about learning how to encrypt/decrypt sensitive files. (Please refer to the Training PowerPoint titled Security Awareness)

Disaster Recovery Plan (DRP)

Disaster Recovery Plan – was decided upon by the team for NLEN's benefit of having a plan in place should an incident occur outside the scope of daily operations. Currently NLEN does not have a DRP in place. This safeguard provides two aspects: preparedness for, and response to, any incident that may affect NLEN.


Test Plan: The DRP should be created in advance. Each step must be taken into consideration, and the information must be updated when changes are made and at least annually. In other words, this form (contact information, equipment changes, staff changes, other back-up plans, etc.) must be updated yearly. Please refer to the NLEN Disaster Recovery Plan for further information.