Assignment
Your supervisor has asked that the memo focus on Odenton’s information systems, and specifically, securing the processes for payments of services. Currently, the Odenton Township offices accept cash or credit card payment for the services of sanitation (sewer and refuse), water, and property taxes. Residents can pay either in–person at township offices or over the phone with a major credit card (American Express, Discover, MasterCard and Visa). Over the phone payment involves with speaking to an employee and giving the credit card information.
Once payment is received, the Accounting Department is responsible for manually entering it into the township database system and making daily deposits to the bank.
The purpose of the professional memo is to identify a minimum of three current controls (e.g., tools, practices, policies) in Odenton Township (either a control specific to Odenton Township or a control provided by Anne Arundel county) that can be considered best practices in safe payment/data protection. Furthermore, beyond what measures are currently in place, you should highlight the need to focus on insider threats and provide a minimum of three additional recommendations.
Below are the findings from the Risk Assessment:
The IT department for Anne Arundel County requires strong passwords for users to
access and use information systems.
The IT department for Anne Arundel County is meticulous about keeping payment
terminal software, operating systems and other software (including anti–virus software)updated.
Assessment of protection from remote access and breaches to the Anne Arundel network:
Odenton Township accesses the database system for the County when updating resident’s accounts for services. It is not clear whether a secure remote connection (VPN) is standard policy.
Assessment of physical security at the Odenton Township hall: the only current form of physical security are locks on the two outer doors; however, the facility is unlocked
Monday–Friday, 8am–5pm (EST), excluding federal holidays.
Employee awareness training on data security and secure practices for handling sensitive data (e.g., credit card information) are not in place.
The overarching conclusion of the risk assessment was that Odenton Township is not fully compliant with the PCI Data Security Standards (v3.2).
