NLEN Risk Assessment Final Revision

5/7/2014

North Lawndale Employment Network (NLEN) Information Security Risk Assessment

Completed by: Phillip Lai, Joseph Marchis, Taishaun Owens, Michelle Witcher


Table of Contents

Executive Summary (page 2)

Body of Report

Sections

A. Payment Card Industry (PCI) Data Security Standard (DSS) Standards (page 7)
B. Internet Protocol Cameras (IP Cameras) (page 8)
C. Server Equipment Security (page 8)
D. Access Controls (page 10)
E. Wi-Fi Access (page 11)
F. Copier Machine (page 12)
G. Inventory (page 12)
H. Disaster Recovery (page 14)
I. Device (Checkout Program) (page 15)
J. Record Files (Paper Documents) (page 15)

References (page 17)
Appendices (page 18)


EXECUTIVE SUMMARY

May 7, 2014

The team's task was to assess security at North Lawndale Employment Network (NLEN) in order to reduce the vulnerability of client information to a possible breach. The areas of focus were access control, access security, and training controls. A further aim was to identify current risks that may expose NLEN and to propose solutions that protect NLEN's business purpose and the safety of its clients, employees, and volunteers. NLEN also raised questions about its current practices for staff who access sensitive client information: are NLEN employees following the policies and procedures that have been put in place to protect client data? This initial risk assessment is based on the team's findings of security vulnerabilities at NLEN. The visits were conducted on April 3rd and 10th, 2014, each lasting approximately 90 minutes. Each visit consisted of a walk-through tour of NLEN, brief introductions, and a question-and-answer session with Daniel Rossi of NLEN; Brian Franklin and Bashir Muhammad of Net-Intelligence Group (NTG); and team members.

Currently, NLEN accepts credit card payments for in-person purchases and through the "Sweet Beginnings" website (SBW). It was brought to our attention that NLEN was unsure whether it met the Payment Card Industry (PCI) Data Security Standard (DSS).[1] In accordance with PCI DSS, all organizations should implement PCI DSS into business-as-usual (BAU) activities as part of the entity's overall security strategy. The Qualitative Value to establish this recommended control is Very High; without this standard NLEN could face lawsuits, insurance claims, cancelled accounts, fines from payment card issuers, and/or government fines. More specific details are found in Section A, page 7.

Because NLEN accepts credit card payments for items through the SBW and in in-person transactions, it is required to monitor the areas where cardholder data devices are used. As indicated above, NLEN is unsure of its PCI DSS status. The Team noticed that no Internet Protocol (IP) cameras or closed-circuit television (CCTV) cameras were present in the facility when the walk-through was conducted. The Qualitative Value to establish this recommended control is High, due to the cardholder devices in use at the NLEN facility. More specific details are found in Section B, page 8.

Currently NLEN does not have a Disaster Recovery Plan (DRP). Disaster planning is crucial in determining whether a company can still function after serious disruptions to the organization's connectivity. No one can predict a natural or man-made disaster, so it is imperative that a DRP is created.[2] We recommend implementing a DRP; upon completion, the plan should ensure the correctness of procedures so that all staff members know their designated roles for protection within the facility. The Qualitative Value to establish this recommended control is High, due to the possible loss of the entire network through a fire or natural disaster. The cost to implement a DRP depends on the items required to support the facility. More specific details are found in Section H, page 14.

[1] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 13.
[2] NIST 800-30, Appendix F: Vulnerabilities and Predisposing Conditions.

The basement contains a room where the server equipment is located. It was noticed that the door to the server room is often kept unlocked for simplicity, to avoid constantly opening and closing it, since the room also holds various other items. Leaving a multi-use room that houses the network server unlocked is not good practice. Because of the lack of available space in the facility, the recommended solution is to better protect the key and never leave it unattended. Access should be granted to Daniel and to another responsible staff member who would be available during Daniel's absence. The Qualitative Value to establish this recommended control is Very High, due to the possible compromise of the entire network. There is no additional cost to implement this policy on the existing operating system in use. Furthermore, since this is a multi-use room, the server equipment should be enclosed in a secure cabinet to prevent unauthorized access to the equipment. The cost of a server cabinet is $351.00 at Staples. More details are found in Section C, page 8.

Staff members who walk away from their computers or go on break are not locking or logging off their computers. With uncontrolled access throughout the facility, anyone may reach the network and/or sensitive data from an unlocked computer that is not in use. This practice is not in accordance with NLEN policy as indicated by the Director of NLEN, NIST Special Publication 800-66 Revision 1, and HIPAA Security Awareness and Training (§ 164.308(a)(5)).[3]

The remedy is to add an automatic lock on users' computers after 5 minutes of non-use. A policy and training can also be put in place to ensure that users lock their computers when they are not in use. Although this does not completely prevent unauthorized access, it does minimize the risk. This recommendation should be applied to laptops as well. Additionally, periodic training on safe practices and security for all staff members is recommended. The Qualitative Value to establish this recommended control is Very High, due to the possible compromise of sensitive data by an unauthorized user. There is no additional cost to implement this policy on the existing operating system in use. More specific details are found in Section D, page 10.

Official visitors and volunteers who require computer use have been sharing staff computers and logins. This is not in accordance with NLEN policy as indicated by the Director of NLEN, and PCI DSS[4] requires that all users be assigned a unique ID before they are allowed to access system components. All visitors who require computer use should have a specific logon restricted to internet access only. Logons for visitors can be created through the Control Panel on computers designated for client use, restricted to internet use only, rather than using staff computers that have access to sensitive data. Additionally, all clients currently share one logon, which is an unsafe practice: if there is an issue with a user, it is difficult to determine who caused it. Each client should have an individual logon, which can be created in Active Directory on the existing Windows Server 2003. The Qualitative Value to establish this recommended control is Very High, due to the possible compromise of sensitive data through unauthorized access. There is no additional cost to implement this policy on the existing operating system in use. More details are found in Section D, page 10.

[3] NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
[4] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64.

The NLEN network is connected via Wi-Fi throughout the facility. This Wi-Fi connectivity is accessible to staff, clients, and visitors at the NLEN facility, which exposes the network to threats present on the various connected devices, such as malware. The recommended action is to disable USB access on all computers to eliminate unauthorized extraction of data and possible infection of the network. The Qualitative Value to establish this recommended control is High. If USB access is required, it should be available on one designated computer (Daniel's) to control uploads and downloads of data. There is no additional cost to implement this policy on the existing operating system in use. More details are found in Section E, page 11.

Organizational devices (laptops and tablets) that are available for use outside the facility may contain sensitive data. The devices are returned after use so that they can be checked out again. The procedures followed when a device is returned are unclear. The recommended solution is that devices be checked for functional capability upon return. Users should not be given full access on the devices, only user-level access; this prevents loading of unauthorized software on the laptops or tablets. Maintenance of the devices should be the same as for the desktop computers, i.e. updates, patches, and virus protection. Then, if a laptop needs to replace a desktop, this can be done without delay. The Qualitative Value to establish this recommended control is Very High. There is no additional cost to implement this policy on the existing operating system in use. More details are found in Section I, page 15.

Several boxes observed throughout the facility contain files that NLEN must retain for a period of 7 years. The boxes are not secured and do not prevent unauthorized access and/or removal from the facility. The best recommended option is to secure the files in lockable file cabinets. Given the tight layout of the facility and the lack of space for new equipment, an alternate method is also recommended: all boxes should be secured with wide packaging tape along all seams and the top, with a signature affixed across the top so that opening the box requires breaking it. A log should be created for and attached to each box to manage access to it. The Qualitative Value to establish this recommended control is High. The cost varies depending on the option selected: the best recommended option costs $300.00 for a four-drawer vertical file cabinet at Staples, and the alternate option costs $11.00 for a pack of 6 rolls of wide packaging tape at Staples. More details are found in Section J, page 15.

The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard drive. Just as the hard drive in a computer stores data, the hard drive in a copier stores images of the documents copied on the machine. The hard drives should be recycled by the vendor. This is a HIPAA[5] requirement when sensitive data stored within an organization must remain confidential. Ensure the copier vendor has a strict HDD[6] recycling policy in place and ask that they review the policy with you. The Qualitative Value to establish this recommended control is Very High. If the vendor already has this procedure in place there is no cost. More details are found in Section F, page 12.

[5] Health Insurance Portability and Accountability Act.

The last risk is the inventory of desktops, laptops, and tablets in the facility. When asked "how is the equipment recorded physically," there was no answer. Currently there is no inventory of the make, model, serial number, etc., of the equipment. We recommend starting an inventory of all desktops, laptops, and tablets in the facility. The inventory list identifies the location and responsible users, which aids in maintaining and upgrading equipment. The Qualitative Value to establish this recommended control is High. More details are found in Section G, page 12.

This is an initial risk assessment report of the NLEN facility. The overall level of risk is Very High, because PCI DSS standards were not found to be in place. "The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. 'System components' include network devices, servers, computing devices, and applications."[7] Examples of system components are:

- Server room network equipment
- Sweet Beginnings Website
- Data Center servers
- Connectivity to NTG
- Wi-Fi access points
- Network operating system

Once NLEN has established PCI DSS standards, many other risks will also be resolved.

[6] Hard Disk Drive: a data storage device used for storing and retrieving digital information.
[7] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.


Body of Report

A. Payment Card Industry Data Security Standard Standards

The Payment Card Industry (PCI) Data Security Standard (DSS) requires all organizations that process credit card transactions to implement PCI DSS into business as usual within their organization. Currently NLEN accepts payment via credit card for items from its Sweet Beginnings Website (SBW). During the visit a team member made an in-person purchase from SBW with a credit card. The team noticed no cameras present in the location where the transaction took place. The Team also noticed that SBW is not served as a secure site: a secure site shows https in the browser address bar, whereas SBW shows http, which indicates a non-secure site.

An organization that does not meet PCI DSS is vulnerable in many ways. To ensure that NLEN meets the scope of the requirements, all locations and flows of cardholder data must be identified and included in the PCI DSS scope. The following should be considered to ensure the accuracy and appropriateness of the PCI DSS scope:

Identify and document all locations within the NLEN facility where cardholder data will be used; these make up the NLEN CDE. Ensure no cardholder data exists outside the designated NLEN CDE areas.

After identifying the location(s) where cardholder data will be used, verify that the area is appropriate for PCI DSS use.

All cardholder data should be in the scope of the PCI DSS assessment, and part of the CDE.

Retain all documentation that supports the scope determination for assessor review and/or for reference for the next annual confirmation and for continuity purposes.[8]

The Qualitative Value for this risk is Very High, because NLEN is not meeting PCI DSS standards at this time. The Team has determined that once NLEN has met PCI DSS standards, many other risks identified in this report will also be addressed, such as:

- Internet Protocol Cameras
- Server Room
- Server Equipment
- Access Control
- Disaster Recovery Plan
- Copier Machine

[8] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.

B. Internet Protocol (IP) Cameras

The PCI DSS standards are imperative for all businesses that accept credit cards. The facility is vulnerable to someone skimming the credit card machine. Sections[9] of the PCI DSS manual state in multiple places that there must be some monitoring control in sensitive areas; this can be anything from the server room and the locations where cardholder data is used (the very critical parts of the infrastructure through which the data travels) to anything that processes sensitive information. The guidance also explains how culprits avoid detection by avoiding the various ways of incriminating themselves. The areas of concern in the NLEN facility are the server room and the designated location(s) where cardholder transactions will take place. The Qualitative Value to establish this recommended control is High. The Team recommends installing cameras as the monitoring medium to minimize the risk.

Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. NLEN should focus on the long-term effect of monitoring for vulnerabilities.[10]

The ease of access to the credit card machine and the server room should not be taken lightly. Camera monitoring helps deter someone from exploiting other means, such as gaining access to the server room and installing a backdoor on the network. Video cameras and/or access control mechanisms that monitor individual physical access to sensitive areas minimize the risk. It is also good practice to conduct frequent network monitoring when possible.[11] This is a recommended PCI DSS action. The Qualitative Value to establish this recommended control is High.

C. Server Equipment

The server room houses materials and equipment used daily by staff members and clients who work with Sweet Beginnings. It contains the equipment for the internet connection from NLEN to the Data Center, along with coffee supplies and various other items. Given the constraint of unavailable space, this room should remain locked at all times. There are two issues. First, the key to this room is kept in an office on the main floor (Daniel's office) and is left unattended when that office is empty, so anyone may enter, remove the key, and access the server room. Second, the Team was advised that the door is often left open for simplicity, to avoid constantly opening and closing it because others may need entry at any given time. The Qualitative Value to establish this recommended control is High.

The table above details the risk of the server room not having secure access, and the recommended control describes how to ensure that access to the server room is limited.

[9] PCI DSS, Sections 9.1 and 9.1.1.
[10] PCI DSS, Section 11.2.1.
[11] PCI DSS, Section 11.2.1.


Protecting the network equipment from unauthorized access, in accordance with PCI DSS standards, is an issue as well. The network equipment is the backbone of the network; it is the point of entry and exit for all traffic, and any disruption to this equipment will cause loss of the network. This equipment should be secured at all times to prevent disruptions. Disruptions include unplugging the equipment, removal of any one item, fire, water, and tampering by an unauthorized person. Tampering can take the form of connecting a key logger,[12] stealing internet bandwidth,[13] introducing a virus, or other malicious action. The possibilities are endless if one wishes to disrupt or tamper with the network. Additionally, equipment left exposed in an unrestricted room is open to someone connecting unauthorized equipment, whether unknowingly or for malicious reasons (tampering). Such an unauthorized connection can be made without any disruption to the network. The equipment is generally reliable and does not require changes, and therefore may be left unattended for long periods of time. Without an IT technician on site, no one may know if or when the equipment has been tampered with. Again, given the constraints of available space in the facility, it is necessary to secure the equipment in a manner that prevents exposure to unauthorized personnel.

The Team further recommends the following actions. Secure the equipment in a PCI-certified server rack/cabinet; this will prevent unauthorized access to the equipment. Connect the equipment to an Uninterruptible Power Supply (UPS) to prevent loss of the network if a power outage occurs. For the server room key, issue keys only to authorized staff: we recommend issuing a key to Daniel and to two other designated staff members who would be available when Daniel is not present. The key should not be left out on display, to prevent others from taking it. When access to this room is needed, one of the authorized staff members should escort the individual(s) to the room and remain with them the entire time the room is open. When the business in the server room is finished, it should be locked and remain so at all times.

Required Items                  Manufacturer/Model       Item Number   Cost
Enclosure Server Cabinet        Tripp Lite/SRW12US       IMIY96346     $319
Uninterruptible Power Supply    APC Smart-UPS/SMT1500    849858        $467

Total estimated cost of completion: $786

D. Access Controls

Access control governs movement and access to resources throughout the facility. Numerous unsafe practices were observed on the tour of the facility: staff members willingly logging on to computers for volunteers, and volunteers accessing clients' information with staff logons. This is not in accordance with NLEN policy as indicated by the Director of NLEN, nor with PCI DSS.[14] Staff should not share their logons with anyone. Each staff member should have an individual logon for their own use. When staff leave their computer they should lock the terminal every time. A computer left unlocked gives access to the network, which contains sensitive personal data that must be protected by all means in accordance with HIPAA Security Awareness and Training (§ 164.308(a)(5)).[15]

[12] Key logger: a program, commonly stored on a USB device, that records all information typed into a system on the network; it can be used to obtain users' log-in credentials and passwords, and credit card information.
[13] Bandwidth: the speed at which data transfers across the network.

Volunteers and/or visitors who require access to a computer should have their own individual logon. No two people should share the same logon. Only staff employees should have access to the shared S drive. Access for volunteers/visitors can be restricted to a limited period of time, in addition to being restricted to internet use only. Are the volunteers authorized, or do they have a need to know clients' sensitive personal information? Currently one logon is assigned to all clients. With all clients sharing the same logon, if there is malicious action on the network there is no way to identify who committed it. Like everyone else in the facility, each client should have an individual logon for in-house internet access. The recommended control is to create individual logons for all volunteers, visitors, and clients. Volunteers, visitors, and clients may have the same in-house internet access, leaving only staff with access to the sensitive shared S drive, as directed by the NLEN Director.

To provide individual logons for clients, volunteers, and visitors for in-house internet access, use the Windows Server 2003 R2 system currently located in the server room at the NLEN Flournoy office. A person with administrative access can create the logons in Active Directory for clients, volunteers, and visitors.

To further reduce unsafe practices, the Team recommends security training for all staff members. The training should cover the following:

- Importance of securing the facility for their own physical security.
- Importance of safe keeping of the clients' sensitive data.
- Importance of always locking their computers when away.
- Importance of the network equipment in the server room.
- Importance of knowing who is and is not authorized to access the network.
- Required reading of the NLEN policy provided at the beginning of employment.
- Importance of secure and safe practices overall.

The use of NLEN laptops and tablets requires monitoring and periodic maintenance. These devices, which connect to the NLEN network, should meet the same requirements for software updates, patches, and anti-virus as the desktop computers on the network. These devices are periodically connected to the NLEN network via remote access. Not checking these devices after use leaves clients' sensitive data exposed to viruses and other malicious actions on the network. These devices should not be issued with sole-user access as on the desktop computers, to prevent downloading of unauthorized software onto the network.

[14] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64.
[15] NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Disabling USB drives on all computers on the NLEN network is a good, secure practice. USB drives allow unauthorized download of sensitive data, unauthorized upload of unauthorized software, and connection of unprotected devices.

Upon return of a device after use, it should be cleared of all data to prevent unauthorized access to sensitive data. The Team recommends that USB drives be disabled on all computers that attach or may attach to the NLEN network.
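The two Windows settings Section D recommends (a password-protected lock after 5 minutes of non-use, and USB storage disabled on every computer except the one designated machine) can be applied and verified from PowerShell. This is an added example, not part of the NLEN report or of any NTG tooling; the hostname in $UsbAllowedHosts is a constructed placeholder.

```powershell
# Added example, not part of the NLEN report: applies the Section D endpoint
# settings (5-minute password-protected lock; USB mass storage disabled except
# on the one designated computer) and reads them back for the record.
# Run from an elevated PowerShell prompt on each machine.

$UsbAllowedHosts = @('NLEN-DANIEL-PC')   # placeholder: the one designated USB computer

function Set-NlenAutoLock {
    param([int]$TimeoutSeconds = 300)    # 300 s = the 5 minutes the report recommends
    # Per-user policy key; these are the same values a domain Group Policy would set
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $key -Name 'ScreenSaverIsSecure' -Value '1'    # password on resume
    Set-ItemProperty -Path $key -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds"
    Set-ItemProperty -Path $key -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr'   # blank screen saver
}

function Set-NlenUsbStorage {
    param([bool]$Enabled)
    # Start = 3: the USB mass-storage driver loads on demand; Start = 4: driver disabled
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = 4
    if ($Enabled) { $start = 3 }
    Set-ItemProperty -Path $key -Name 'Start' -Value $start -Type DWord
}

function Test-NlenEndpoint {
    # Read the effective values back so compliance can be recorded per machine
    $desk = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $usb  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue
    $usbAllowed = $UsbAllowedHosts -contains $env:COMPUTERNAME
    $autoLockOk = (($desk -ne $null) -and ($desk.ScreenSaverIsSecure -eq '1') -and
                   ($desk.ScreenSaveTimeOut -ne $null) -and ([int]$desk.ScreenSaveTimeOut -le 300))
    $usbOk = $false
    if ($usb -ne $null) {
        # The designated computer must have the driver enabled; every other machine must not
        if ($usbAllowed) { $usbOk = ($usb.Start -eq 3) } else { $usbOk = ($usb.Start -eq 4) }
    }
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        UsbAllowed  = $usbAllowed
        AutoLockOk  = $autoLockOk
        UsbPolicyOk = $usbOk
    }
}

Set-NlenAutoLock -TimeoutSeconds 300
Set-NlenUsbStorage -Enabled ($UsbAllowedHosts -contains $env:COMPUTERNAME)
Test-NlenEndpoint | Format-List
```

Because the HKCU policy values are per user and are overwritten by any domain Group Policy, the durable way to deploy the lock is the matching Group Policy; the script shows the values that policy sets and a check that they are in effect.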

E. Wi-Fi Access

The NLEN network is supported by Wi-Fi connectivity throughout the facility. This network should be secured. The password for this access point should be given only to authorized users of the NLEN network (staff). Volunteers, clients, and visitors should not be given this access. If the password is known to volunteers and clients, the NLEN network will not be as secure: those who access the network with personal devices may bring in vulnerabilities that exist on those devices, such as viruses or malware. The Qualitative Value to establish this recommended control is High. There are no additional costs to implement this policy on the existing operating system in use.

We recommend that the network password be changed. The password should be known only to the NTG technicians and designated IT staff members. An alternate (guest) network could be created for those who want internet access on their personal devices. The guest network can be made accessible to clients, volunteers, and visitors.

F. Copier Machine

The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard drive (HDD). The HDD is capable of storing many images of documents duplicated by the copier, so more sensitive data is exposed to unauthorized access. During the questioning session the vendor's current practices were unknown. The Team recommends checking with the vendor and inquiring about the security measures the vendor takes to keep NLEN's information secure. The Qualitative Value to establish this recommended control is High.

The table above details the risk that sensitive data duplicated by the copier may not be secure, and the recommended control to ensure that the data retained in the copier is secure.

G. Inventory


The accountability of equipment is unknown. Daniel advised us that he is not aware of any inventory of the network equipment. If equipment is lost or the facility is burgled, how will you know how many and which items were taken? The Team recommends creating a small property inventory of all network equipment. This inventory should be updated whenever there is a change of equipment or staff. The Qualitative Value to establish this recommended control is High, due to the lack of accountability for NLEN equipment within the facility. There is no additional cost to implement this policy. A recommended log example follows.


Room _______

ITEM    MANUFACTURER    MODEL    SERIAL#    MAC ADDR    USER    DATE

Signature of Supervisor/Manager: _________________________________________________

Above is an example of a small property inventory.
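The columns of the inventory log above can be filled in from each Windows machine itself, and a log kept that way can answer the question Section G raises (which items have gone missing since the last count). The following is an added example, not part of the NLEN report; the share path is a constructed placeholder, and PCSystemType is only reported by Windows Vista and later, so older machines are recorded as desktops.

```powershell
# Added example, not part of the NLEN report: builds one row of the Section G
# small property inventory from the machine it runs on, appends it to a shared
# CSV, and compares today's sweep against the log to flag missing or unrecorded
# serial numbers. Uses only WMI classes available on Windows XP/2003 and later.

$InventoryPath = '\\NLEN-SERVER\inventory\small-property.csv'   # placeholder share

function Get-NlenInventoryRecord {
    param([string]$Room = 'unknown')
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $bios = Get-WmiObject -Class Win32_BIOS
    # Only adapters with an IP configuration, so disconnected or virtual NICs are skipped
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $item = 'Desktop'
    if ($cs.PCSystemType -eq 2) { $item = 'Laptop' }   # 2 = mobile; null on pre-Vista systems
    New-Object PSObject -Property @{
        Room         = $Room
        Item         = $item
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SerialNumber = $bios.SerialNumber
        MacAddress   = (@($nics | ForEach-Object { $_.MACAddress }) -join ';')
        User         = $cs.UserName                   # DOMAIN\user currently logged on
        Date         = (Get-Date).ToString('yyyy-MM-dd')
        Computer     = $cs.Name
    } | Select-Object Room, Item, Manufacturer, Model, SerialNumber, MacAddress, User, Date, Computer
}

function Add-NlenInventoryRecord {
    param($Record, [string]$Path = $InventoryPath)
    $csv = $Record | ConvertTo-Csv -NoTypeInformation       # header line plus one data line
    if (Test-Path $Path) { $csv | Select-Object -Skip 1 | Add-Content -Path $Path }  # append data only
    else                 { $csv | Set-Content -Path $Path }                          # first row keeps header
}

function Compare-NlenInventory {
    # Compares serial numbers in the log against the records gathered in today's sweep
    param([string]$Path = $InventoryPath, $CurrentRecords)
    $previous    = @(Import-Csv -Path $Path)
    $nowSerials  = @($CurrentRecords | ForEach-Object { $_.SerialNumber })
    $prevSerials = @($previous | ForEach-Object { $_.SerialNumber })
    New-Object PSObject -Property @{
        # Logged before but not seen today: candidates for loss or theft (Section G)
        Missing = @($previous | Where-Object { $nowSerials -notcontains $_.SerialNumber })
        # Seen today but never logged: unrecorded or unauthorized equipment (Section C)
        New     = @($CurrentRecords | Where-Object { $prevSerials -notcontains $_.SerialNumber })
    }
}

# In practice collect one record per machine into $sweep, then compare before appending
$sweep = @(Get-NlenInventoryRecord -Room 'Basement server room')
if (Test-Path $InventoryPath) { Compare-NlenInventory -CurrentRecords $sweep | Format-List }
$sweep | ForEach-Object { Add-NlenInventoryRecord -Record $_ }
```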


H. Disaster Recovery Plan

Disaster planning plays a crucial role in determining whether a company can still function after serious disruptions to the organization's connectivity. No one can predict a fire or water disaster, so it is imperative that a Disaster Recovery Plan is developed.

NIST 800-30, Appendix F, page F-2, would rate this vulnerability as high based on the exposure and ease of exploitation. Note that a contingency plan such as a Disaster Recovery Plan is a HIPAA standard (Contingency Plan, § 164.308(a)(7)). All organizations must meet the standard or face penalties for violations. The table below, which can be found in NIST SP 800-66r1, is a standard table for implementing policies that respond to an occurrence such as fire, water, natural disaster, or vandalism.

Implementing this standard can take from a couple of weeks to a month or two. Using the questions in the table below as samples is as good a place to start as any. It is important to ask these questions of oneself to see where information is lacking; from there, NLEN can add preemptive measures in the areas where it is lacking.

HIPAA Table 4.7 Contingency Plan

The HIPAA-recommended steps aid in developing a Disaster Recovery Plan.


I. Device (Checkout Program)

A laptop rental program is available to staff members and clients so they can accomplish their work off-site. It was noted that control of some devices in this program has been lost and they cannot be accounted for. This program is vital and necessary to clients and staff alike. Although it is a necessary program, measures should be taken to secure the safe keeping of the equipment, or the program will cease if all the equipment is lost. The Qualitative Value of this risk is rated High due to the possibility of devices not being returned.

It is understood that this program exists for the clients and is vital to success in the U-Turn program. Eliminating this program could be critical to both clients and staff. The Team recommends re-evaluating the program with procedures that support the clients while maintaining the safe keeping of the devices.

J. Record Files (Paper Documents)

On a typical work day, new and existing clients who come into NLEN hoping to enroll in the U-Turn program record their information on a document sheet. The document contains sensitive information such as their Social Security Number (SSN), address, family members, background history, education, status, etc. These documents are then placed into storage boxes for accessibility. The files are later entered into a computer by volunteers and staff members, where they can be reviewed for further use. This is concerning because it is a red flag[16] due to the vulnerability[17] of missing files, which has a real likelihood of occurrence.[18] Client information kept in stored boxes tends to be accessible to anyone on the work site (possibly including the clients), and could be harmful to clients and assets. The method of storing information must be changed for privacy and protection purposes.

A proposed solution would be securing the files in containers such as locking file cabinets to minimize access. The alternate method would be to simply seal the box files with wide tape on the top and all seams. Both solutions would require someone to administer a log with a sign-out process recording which files are being checked out. Thus records would be dated, logged, and tracked to whoever last accessed a file. This would mitigate the vulnerability of identity theft (red flag) in the work environment. The option of having locked file cabinets makes it easy to store and organize previous records and files on clients by dating each file by year, since the number of client records in each file varies by year; it would be ideal to have an efficient process of obtaining information on a certain client. With an organized method in place, documents are easily identified when shredding is required.

16 The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations. (http://www.business.ftc.gov/privacy-and-security/red-flags-rule)

17 An existing weakness based on the work flow of internal controls, or implementations that could be exploited by a threat source. (refer: NIST SP 800-30 p. 9 Chapter 2, Vulnerabilities and Predisposing Conditions)

18 Likelihood of occurrence - Weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or a set of vulnerabilities). (refer: NIST SP 800-30 p. 10 Chapter 2, Likelihood)


This Qualitative Value risk is rated High, due to the possible loss of sensitive information. The Team recommends either option to minimize the risk. The first option, the locking file cabinet(s), is ideal; a 4-drawer vertical file cabinet costs $200~$450 each. This method is more secure because it provides safe storage with a locking mechanism and key. The alternate method is more cost effective: purchase of wide packaging tape priced at $11 for a pack of 6 at Staples. Although this method is not the most secure, it is a way to deter unauthorized access.


Appendices and References

References

1) NIST SP 800-30 Revision 1

Blank, Rebecca M., and Patrick D. Gallagher. NIST SP 800-30: Guide for Conducting Risk Assessments. N.p.: U.S. Department of Commerce, Sept. 2012. PDF.

2) PCI DSS

Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, V3.0. N.p.: n.p., Nov. 2013. PDF.

3) PCI DSS

Payment Card Industry (PCI) Data Security Standard: Business-as-Usual Processes, V3.0. N.p.: n.p., Nov. 2013. PDF.

4) HIPAA – NIST SP 800-66 Revision 1

Scholl, Matthew, Kevin Stine, Joan Hash, Pauline Bowen, Arnold Johnson, Carla D. Smith, and Daniel I. Steinberg. NIST Special Publication 800-66 Revision 1. U.S. Department of Commerce, Oct. 2008. PDF.


Appendices

NIST SP 800-30 Table F-2: Assessment Scale – Vulnerability Severity

The above table identifies the assessment scale and gives a brief description of the various values used to determine the qualitative values throughout this report.


NIST SP 800-30 Table H-2: Examples of Adverse Impacts

The above table identifies the various risks and their respective impacts.


PCI DSS: Section 11.2.1

The above table states the importance of periodically scanning the network and verifying that high-risk vulnerabilities are kept to a minimum.


Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures

Requirement 8:

The table above details the requirements for identifying and authenticating access to system components. This is a requirement that NLEN would use when assigning user accounts to clients, volunteers, and visitors. The PCI DSS Requirements column states the requirements for identifying and authenticating access to system components. The requirement NLEN can focus on is 8.1.1: assigning all users a unique ID before allowing them to access system components. The Testing Procedures column lists procedures NLEN can use to ensure that all users are assigned a unique ID. The Guidance column helps NLEN enforce individual responsibility for actions and an effective audit trail per user.


Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures

Requirement 9:

The above table states the importance of controlling access to the network in order to prevent unauthorized use. Requirement 9.1.1 serves two purposes: 1) monitoring sensitive areas, and 2) protecting those controls from tampering.


The above table states the security awareness and training activities that NLEN could use as a reference when incorporating training for its employees. The Key Activities column states the types of training to be held, the Description column explains each key activity, and the Sample Questions column lists questions NLEN may want to ask itself before putting together a training class for its employees.