WGU C841-Task 2 Final (docx) - CliffsNotes (2024)

Legal Issues in Information Security - C841 - Task 2
Jo Stewart
Student ID: 011149689
Western Governors University

A.1. Numerous organizations and associations have codes of conduct and ethics in place. These codes exist to ensure that all personnel with the ability and skill set to conduct activities in the cyber realm do so in an honest and professional manner, and they are designed to safeguard businesses and the proprietary information critical to a business's success. The ISSA code of ethics states, "Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of or is detrimental to employers, the information security profession, or the Association" (ISSA International, 2023). ISACA is an accredited organization that trains and certifies businesses in auditing, monitoring, and assessing an organization's IT and business systems. The ISACA code of ethics states, "Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties" (ISACA, 2024).

A.1.a. TechFite displayed numerous ethical issues throughout the investigation. On two separate occasions, TechFite signed a Non-Disclosure Agreement (NDA) with a different company, obtained proprietary information from that company, and then used the information for its own gain by disclosing the competitor's concepts to its current clients. If found guilty of violating the NDAs, those responsible could face a lawsuit resulting in financial fines or imprisonment (Adobe, 2024). TechFite also lacked limits on the access and control granted to employees within the company's computer systems and databases. No company training was conducted to ensure each employee understood cybersecurity and the ethical conduct expected of them. Personal relationships also appear to have contributed to additional access and privileges within the company's systems. There was little to no oversight of employee activities, and no audits were conducted to ensure employees were not accessing or misusing sensitive client information.

A.2. Nadia Johnson is the IT Security Analyst in the Business Intelligence (BI) Unit. She is responsible for oversight of gathering public information on various businesses of interest. While protective measures were in place for the company, no actual audits had been conducted to validate and verify the reliability of the precautions implemented. Vague reports were completed to satisfy audit requirements; however, TechFite's systems were not properly checked or monitored. No company policy was established to safeguard client information, and the Principle of Least Privilege was not applied within TechFite. Carl Jasper signed an NDA and then disclosed the proprietary information he gained to competitors on two separate occasions. The personal relationship between Nadia Johnson and Carl Jasper allowed three companies within TechFite's client database to be overlooked, with two of the accounts created by Carl Jasper. The three companies were all collocated in Nevada and under the same individual, Yu Lee. Yu Lee and Carl Jasper are Stanford University colleagues, revealing another personal relationship within TechFite. The two shell accounts created by Carl Jasper also have the ability to access and modify legal files, Human Resources (HR) files, and financial statements and accounts. Sarah Miller is the Senior Analyst in the BI Unit, responsible for monitoring and scanning external company networks. She authorized surveillance of other companies and "dumpster diving" in their trash by Analysts Megan Rogers and Jack Hudson.

A.3. A lack of company policies and procedures directly contributed to the lax ethical behavior at TechFite. A failure to apply oversight to employee activities allowed employees to access systems and databases that were unnecessary to their work and that they had no "need" to access. Additionally, a failure to conduct thorough and complete audits of user accounts led to an overabundance of permissions and privileges throughout the company. Personal relationships between employees who hold key roles in monitoring and authorizing account access allowed account misuse and fraudulent activity to be overlooked. The Principle of Least Privilege was not applied as it should have been throughout TechFite.

B.1. The Principle of Least Privilege allows companies and corporations to compartmentalize information and databases as necessary. This limits access to sensitive or proprietary information and establishes a series of prerequisites that must be met before that information can be accessed. It ensures that those who do not need access to systems or information do not have the ability to view or modify those files, which greatly reduces the ability of individuals to modify company records or use sensitive information for their own personal gain. Audits create the "checks and balances" within a company. Annual, semi-annual, or quarterly audits can be conducted to ensure accuracy within the company's databases and financial holdings. Audits can also ensure user accounts are reviewed so that the Principle of Least Privilege is continuously and appropriately applied. Full and accurate audits allow the company to identify problematic areas within its security system and to modify current policies and procedures to ensure the accurate and effective safeguarding of the company and client information.

B.2. The Security Awareness Training and Education (SATE) program is designed to help safeguard companies from cyber-attacks and security breaches. SATE programs allow for on-demand web-based training, training campaigns, training reports, phishing training scenarios, and user action summaries (Cybersafe Solutions, 2023). By properly training TechFite employees, the company will increase its ability to counter cyberattacks and to safeguard sensitive company and client information. This increases TechFite's proficiency and reliability in client confidentiality, a desired attribute for current and potential future clients. TechFite can implement annual training for employees using the SATE program. It can also run Artificial Intelligence (AI) generated phishing campaigns within the company to assess end users' actions in controlled scenarios. This also allows TechFite to generate user action reports and summaries, giving TechFite a broad overview of how receptive its employees are to cybersecurity practices and procedures and how well they understand them. Additionally, the SATE program can give the company and its employees security tips and advice on safeguarding personal and company information against adversaries, such as automated security reminders and banners.

B.2.a. The SATE program can be communicated to TechFite employees by the Security Manager or Chief Information Security Officer (CISO). Additionally, an employee web page with personalized accounts can show the annual training required of each employee and the respective due dates. This allows the company to manage the overall program rather than each individual employee. Automatic security banners displayed on employees' locked screens will also remind employees of the SATE program concepts.

B.2.b. The SATE program creates accountability for employees to always conduct themselves in an ethical manner. It can clearly outline the responsibilities of the employees, the Security Manager/CISO, company leadership, and the company as a whole. This also ensures TechFite maintains an appropriate level of access for its employees and reduces their ability to access information or modify data they should not have access to. The SATE program also creates clear consequences for employees who fail to uphold, or who violate, the established security policies.

C. TechFite has displayed numerous ethical issues. A TechFite employee, on two occasions, signed a Non-Disclosure Agreement with a potential client and then disclosed the proprietary information to a competing company. On further review, the same employee requested the creation of two currently active user accounts within the company database. These two accounts are listed under two former employees who have not worked for TechFite in over a year. Additionally, three client companies under TechFite cannot be verified as legitimate companies and are associated with the same employee. Oversight of the company's user database and privileges is non-existent: employees have permissions to view, control, edit, and remove files throughout the client databases as well as in the legal department files, the HR department files, and the finance department accounts. Employees are conducting monitoring and "dumpster diving" on competitors. TechFite had not conducted an in-depth, true audit for an unknown period of time.

The recommended mitigation strategy for TechFite is to immediately implement controls and permission restrictions for all users. The Principle of Least Privilege should be applied, and those requesting additional access must submit a formal request with clear justification. Additional access should be granted on a "need to know" basis and should fall within the scope of the employee's actual job and job description. Once restrictions on user accounts are enabled, a full audit of the company's user accounts and client databases should be conducted, including a full legal review of all accounts, an HR review of all employees, and a full financial audit. TechFite should implement mandatory, annual cyber security and awareness training for all employees in


Uploaded by stewartjl77 on coursehero.com
