Ethics in Information Technology Professional Memorandum

MEMORANDUM Risk Assessment Summary A risk assessment conducted by the Greater Washington Risk Associates (GWRA) has found multiple security threats linked to the county of Odenton, Maryland. Odenton Township's current procedures for combating security threats are not up to PCI Data Security Standards. Currently the physical protective barriers are insufficient for the RA facility as there are 2 locks present on the outer doors of the facility but not on the inner doors. System login and usage has no indication of a secure connection such as a VPN. Payment services are simple and straightforward, yet private information is unsecured and at high risk of a data breach. Another significant issue is worker knowledge on data management and data security. Procedure revisions and additional training for workers is advised to uphold the security of the citizens of Anne Arundel county Background Payments are currently accepted information provided in-person or over the phone by ethier reciting delicate credit card information or physically handing the credit over for payment. Although this method is simple and quick, it poses many security issues. When delicate information is freely given, there is no guarantee of security as information can be easily mimicked or stolen for malicious use. When payments are given over the phone, credit card information can be easily stolen by reciting the credit card information necessary for the transaction. Therefore, Payment staff must be trained on proper data security measures to prevent sensitive information from being disclosed to malicious third parties. Credit card payments should also be encrypted with secure payment terminals. Concerns, Standards, Best Practices A significant issue that must be addressed is the lack of data security. Remote access to data is currently unsecured, it is currently unknown how manufacturers and approved employees access sensitive information when not in office. For remote access, it is highly recommended that a secured VPN connection is established. The physical security of the facility is faulty as well. There are only two locked doors that secure the entire building and all other facility entrances remain unlocked from 8am - 5pm Monday - Friday. Locks should be installed on all entrances of Odenton Township, only authorized individuals should have access to these locks. Employees have also not been provided with data management and security training. Transactions must be done electronically on a secured website where information could be encrypted or in-person at a payment terminal. Anne Arundel County currently utilizes secured passwords and security software to protect sensitive credit card data. Password security is particularly crucial to ensure data breaches. Although there are security risks that have been detected, the IT department has been meticulous at upholding antivirus and security software efficiency by keeping it routinely updated. Hackers and cyber-criminals have a track record of creating new viruses and malware that may infect multiple computer networks to access and obtain sensitive information. It is crucial that anti-malware and security software is constantly upgraded to prevent unauthorized access. Action Steps To uphold the security of the citizens of Anne Arundel county, additional measures and revisions to the procedures at Odenton Township must be implemented. Remote access to sensitive data should be avoided, a secured VPN connection should be implemented when accessing the database through a wireless connection. This will deter cyber attacks, data breaches and additional security threats. Additionally, during office hours at Odenton Township, the facility must be guarded with secured locking systems that utilize pins and keypads that only authorized staff in the Financial Department have access to. Mandatory data management and security training will equip staff with the skills and knowledge to properly handle confidential information. Upon hiring, new staff must be required to complete this training. A regular re-training course should also be implemented on a routine basis. The re-training course should be conducted semi-annually or as often as needed. To ensure complete security it is highly recommended that Odenton Township moves forward with these procedures. 2