MMT2_Task_3.docx - Aenergy has recently experienced a...

This preview shows page 1 - 3 out of 8 pages.

Aenergy has recently experienced a couple of security incidents that have warranted a review of their security policies. Specifically, the Data Security, Accounting Security and Employer Security Policies. Data security refers to the protective measures taken to prevent illegal or unauthorized access to information. Measures also typically include provisions concerning availability and integrity of such data as well. Accounting security, as referenced by Aenergy, refers to the policies that mandate how data is handled on the company website as well as how billing allocates resource usage and finally how network access is controlled in general. The Employer Security policy defines a majority of the physical security controls, considering both property as well as locations on the corporate campuses.

The purpose of policy is to mitigate security threats. Threats are the possible dangers that could exploit vulnerabilities. A vulnerability is a weakness in a system and comprises three parts: the system flaw, the threat actor’s access and the threat actor’s capability. For example, fire is a threat, and one that an organization is more susceptible to if the building was built of wood, which is the vulnerability. A prevalent category of threats is unethical behavior of employees, whether intentional or unintentional. An audit has been performed against the three aforementioned policies in regard to general security threats as well as unethical behavior. In both cases, both internal and external threat actors were considered.

B. Effectiveness of Policies in Regard to General Security Threats

a) Data Security: This policy is written in regard to the definition of company data, what the company stores, classification of data, password complexity and rotation as well as ownership of the policy. While it begins to address these topics, it by no means gives a full and complete explanation or begins to address other data security topics, to include but not limited to encryption (at rest, in transit) and the security protocols, approved data storage methods, appeals process for data classification or declassification. This poses security threats if weaker encryption algorithms, unencrypted transit protocols or cloud applications with minimal or unenforced security controls are chosen.

b) Accounting Security: This policy is the briefest of the three in regard to the entitled topic. This policy concerns network access, login procedures and tracking as it pertains to accounting and billing for resources. It also discusses the use of the data it collects on the website. Again, though, it is not incredibly comprehensive regarding the material the policy needs to cover. It does not, for instance, detail how long network access logs are retained and how the auditing logs are stored. It could be on premises or a subscription to cloud storage, both of which need to address SOX and PCI compliance. If any health records are maintained, HIPAA compliance needs to also be spoken to. In regard to general security threats the


Term: Summer
Professor: N/A
Tags: Marketing, Computer Security, Security engineering, MMT2
