To complete this assignment, you will need the attached files and the the Small Merchant Guide to Safe Payments documentation (click link to download) from the Payment Card Industry Data Security Standards (PCI DSS) organization.
Please read the instructions carefully and ask questions if anything is unclear. You must use the attached template to complete this assignment. The PowerPoint presentation (PDF) Effective Professional Memo Writing provides other essential information to help guide your work on this assignment.
The ability to communicate effectively is a critical skill for all students and is required for success in the workplace. UMGC has a variety of resources to help students. The Effective Writing Center is available through the "Resources" link on the Navigation bar. You are strongly encouraged to avail yourself of these resources. Your writing abilities will be graded as part of the assignment.
Professional Memo 1
IFSM 201 Professional Memo
Before you begin this assignment, be sure you have read the Small Merchant Guide to Safe
Payments documentation from the Payment Card Industry Data Security Standards (PCI DSS)
organization. PCI Data Security Standards are established to protect payment account data
throughout the payment lifecycle, and to protect individuals and entities from the criminals who
attempt to steal sensitive data. The PCI Data Security Standard (PCI DSS) applies to all entities
that store, process, and/or transmit cardholder data, including merchants, service providers, and
financial institutions.
Purpose of this Assignment
You work as an Information Technology Consultant for the Greater Washington Risk Associates
(GWRA) and have been asked to write a professional memo to one of your clients as a follow-up
to their recent risk assessment (RA). GWRA specializes in enterprise risk management for state
agencies and municipalities. The county of Anne Arundel, Maryland (the client) hired GWRA to
conduct a risk assessment of Odenton, Maryland (a community within the Anne Arundel
County), with a focus on business operations within the municipality.
This assignment specifically addresses the following course outcome to enable you to:
• Identify ethical, security, and privacy considerations in conducting data and information
analysis and selecting and using information technology.
Assignment
Your supervisor has asked that the memo focus on Odenton’s information systems, and
specifically, securing the processes for payments of services. Currently, the Odenton Township
offices accept cash or credit card payment for the services of sanitation (sewer and refuse),
water, and property taxes. Residents can pay either in-person at township offices or over the
phone with a major credit card (American Express, Discover, MasterCard and Visa). Over the
phone payment involves with speaking to an employee and giving the credit card information.
Once payment is received, the Accounting Department is responsible for manually entering it
into the township database system and making daily deposits to the bank.
The purpose of the professional memo is to identify a minimum of three current controls
(e.g., tools, practices, policies) in Odenton Township (either a control specific to Odenton
Township or a control provided by Anne Arundel county) that can be considered best
practices in safe payment/data protection. Furthermore, beyond what measures are
currently in place, you should highlight the need to focus on insider threats and provide a
minimum of three additional recommendations. Below are the findings from the Risk
Assessment:
• The IT department for Anne Arundel County requires strong passwords for users to
access and use information systems.
Professional Memo 2
• The IT department for Anne Arundel County is meticulous about keeping payment
terminal software, operating systems and other software (including anti-virus software)
updated.
• Assessment of protection from remote access and breaches to the Anne Arundel network:
Odenton Township accesses the database system for the County when updating resident’s
accounts for services. It is not clear whether a secure remote connection (VPN) is
standard policy.
• Assessment of physical security at the Odenton Township hall: the only current form of
physical security are locks on the two outer doors; however, the facility is unlocked
Monday-Friday, 8am-5pm (EST), excluding federal holidays.
• Employee awareness training on data security and secure practices for handling sensitive
data (e.g., credit card information) are not in place.
• The overarching conclusion of the risk assessment was that Odenton Township is not
fully compliant with the PCI Data Security Standards (v3.2).
Note: The Chief Executive for Anne Arundel County has asked for specific attention be paid
to insider threats, citing a recent article about an administrator from San Francisco (see
Resources). Anne Arundel County wants to understand insider threats and ways to mitigate
so that they protect their resident’s personal data as well as the County’s sensitive
information. These are threats to information systems, including malware and insider threats
(negligent or inadvertent users, criminal or malicious insiders, and user credential theft).
Expectations and Format
Using the resources listed below, you are to write a 2-page Professional Informational Memo to
the Chief Executive for Anne Arundel County that addresses the following:
• Risk Assessment Summary: Provide an overview of your concerns from the risk
assessment report. Include broad ‘goal’ of the memo, as a result of the risk assessment,
the broad recommendations. Specific Action Steps will come later. The summary should
be no more than one paragraph.
• Background: Provide a background for your concerns. Briefly highlight why the
concerns are critical to the County of Anne Arundel and Odenton Township. Clearly
state the importance of data security and insider threats when dealing with personal credit
cards. Be sure to establish the magnitude of the problem of insider threats.
• Concerns, Standards, Best Practices: The body of the memo needs to justify your
concerns and clarify standards, based on the resources listed below, at minimum. The
PCI DSS standards are well respected and used globally to protect entities and
individual’s sensitive data. The body of the memo should also highlight three current
controls that are considered best practice; that is, you should highlight the positive,
what is currently in place, based on the risk assessment.
• Action Steps: Provide a conclusion establishing why it is important for Anne Arundel
County to take steps to protect residents and county infrastructure from insider threats
based on your concerns. Recommend a minimum of three (3) practical action steps,
including new security controls, best practices and/or user policies that will mitigate the
concerns in this memo. Be sure to include cost considerations so that the County is
Professional Memo 3
getting the biggest bang for the buck. The expectations are not for you to research and
quote actual costs, but to generalize potential costs. For instance, under the category of
physical security, door locks are typically less expensive than CCTV cameras.
• Be sure to review the PowerPoint presentation (in pdf format) Effective Professional
Memo Writing that accompanies these instructions.
• Use the Professional Memo template that accompanies these instructions.
o Use four section subtitles, in bold.
▪ Risk Assessment Summary
▪ Background
▪ Concerns, Standards, Best Practices
▪ Action Steps
o Do not change the font size or type or page margins.
o Do not include any graphics, images or ‘snips’ of any content from copyrighted
sources. The PCI Standards (PCI DSS) document is copyrighted material.
o Paragraph text should be single spaced with ONE ‘hard return’ (Enter) after each
paragraph and after each section subtitle. Note: Do not create a new ‘paragraph’
after each sentence. A single sentence is not a paragraph.
o ‘Subject’ is the subject of your memo, not the course name or number.
o Be sure to remove any remaining ‘placeholder’ text in the template file before
submitting.
o The length of the template when you download it is NOT the intended length of
the entire memo. Your completed memo should be between 1.5 pages and 2
pages (total document, including the To:/From:/Re:/Subject header).
*Note: the Professional Memo is to be in a MS Word file and all work is to be in the
student’s own words (no direct quotes from external sources or the instructions) *
APA documentation requirements:
• As this is a professional memo, as long as you use resources provided with or linked
from these instructions, APA documentation is NOT required.
• Citing material or resources beyond what is provided here is NOT required.
• However, you should use basic attribution and mention the source of any data, ideas
or policies that you mention, which will help establish the credibility and authority of
the memo.
o For example, mentioning that the Payment Card Industry Data Security
Standards (PCI DSS) identify a certain control as best practice holds more
weight than simply stating the control is a best practice without basic
attribution.
o Mentioning that Wired Magazine reported that a City of San Francisco IT
technician effectively hijacked and locked 60% of the city’s network capacity,
is more effective than saying “I read somewhere that…”
Professional Memo 4
Resources
1. Examples of Security Breaches Due to Insider Threats
San Francisco Admin Charged With Hijacking City's Network Microsoft database leaked because of employee negligence
General Electric employees stole trade secrets to gain a business advantage
Former Cisco employee purposely damaged cloud infrastructure
Twitter users scammed because of phished employees
2. PCI DSS Goals:
(source: https://www.pcisecuritystandards.org/merchants/process)
Professional Memo 5
3. References
FBI. (2021). The Insider Threat: An Introduction to Detecting and Deterring an Insider Spy.
https://www.fbi.gov/file-repository/insider_threat_brochure.pdf/view
PCI DSS. (2021, Feb. 12). Payment Card Industry Security Standards.
Jingguo Wang, Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis
of attack-proneness of information systems applications. MIS Quarterly, 39(1), 91-A7.
https://search-ebscohost-
com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost-
live&scope=site
Professor Messer. (2014). Authorization and access control [Video file]. YouTube.
U.S. DHS. (2021). Insider Threat. https://www.dhs.gov/science-and-technology/cybersecurity-
insider-threat
Wizuda. (2017). Data anonymisation simplified [Video file]. YouTube.
Yuan, S., & Wu, X. (2021). Deep learning for insider threat detection: Review, challenges and
opportunities. Computers & Security. https://doi-
org.ezproxy.umgc.edu/10.1016/j.cose.2021.102221
Keywords: risk assessment, insider threats, data security
Submitting Your Assignment
Submit your document via your Assignment Folder as Microsoft Word document, or a document that can
be ready using MS Word, with your last name included in the filename. Use the Grading Rubric below to be sure you have covered all aspects of the assignment.
Professional Memo 6
GRADING RUBRIC:
Criteria
Far Above
Standards
Above Standards
Meets Standards
Below Standards
Well Below
Standards
Possible
Points
Summary of
Risk
Assessment
15 Points
Summary is highly
effective, thorough and professional.
12.75 Points
Summary is
effective, thorough and professional.
10.5 Points
Summary is
somewhat effective, thorough
and professional.
9 Points
Summary is
lacking.
0-8 Points
Stated
requirements
for this section
are severely
lacking or
absent.
15
Background
and
Importance
(to the Client)
of Data
Security and
Insider
Threats
10 Points
Discussion of
ba5ckground, data
security and insider threats is
highly effective, thorough, and
professional.
8.5 Points
Discussion of
background, data
security and insider threats is effective,
thorough, and professional.
7 Points
Discussion of
background, data
security and insider threats is
somewhat effective,
thorough, and
professional.
6 Points
Discussion of
background, data
security and insider threats is
lacking.
0-5 Points
Stated
requirements
for this section are severely
lacking or absent.
10
Concerns,
Standards,
Best Practices:
Justify
Concerns and
Clarify
Standards
15 Points
Discussion of concerns and
standards is highly effective,
thorough, and professional.
12.75 Points
Discussion of concerns and
standards is effective, thorough,
and professional.
10.5 Points
Discussion of concerns and
standards is somewhat
effective, thorough, and
professional.
9 Points
Discussion of concerns or
standards is lacking.
0-8 Points
Stated requirements
for this section are severely
lacking or absent.
15
Concerns,
Standards,
Best Practices:
Three current
practices
identified and
justified as
best practice
15 Points
Three highly
relevant current practices are
offered and justified as best
practices. Overall
presentation is clear, concise, and
professional.
12.75 Points
Section may be
lacking in number of
recommendations or relevancy or
justification or
overall presentation.
10.5 Points
Section is lacking
in number of recommendations
or relevancy or justification or
overall
presentation.
9 Points
Section is lacking
in two or more of the following:
number of recommendations
or relevancy or
justification or overall
presentation.
0-8 Points
Stated
requirements for this section
are severely lacking or
absent.
15
Professional Memo 7
Action Steps:
Three
recommendati
ons minimum
identified and
justified
including
some
discussion of
cost
considerations
20 Points
Three highly
relevant recommendations
are offered and justified, with
effective
discussion of cost considerations.
Overall presentation is
clear, concise, and
professional.
17 Points
Section may be
lacking in number of
recommendations or relevancy or
justification or a
discussion of cost considerations or
overall presentation.
14 Points
Section is lacking
in number of recommendations
or relevancy or justification or a
discussion of cost
considerations or overall
presentation.
12 Points
Section is lacking
in two or more of the following:
number of recommendations
or relevancy or
justification or a discussion of cost
considerations or overall
presentation.
0-11 Points
Stated
requirements for this section
are severely lacking or
absent.
20
Basic
Attribution
(overall)
10 Points
Overall use of basic attribution is
highly effective in establishing
credibility and authority.
8.5 Points
Overall use of basic attribution is
effective in establishing
credibility and authority.
7 Points
Overall use of basic attribution is
partially effective in establishing
credibility and authority.
6 Points
Overall use of basic attribution
is partially effective in
establishing credibility and
authority.
Additional basic attribution may
have been needed.
0-5 Points
Overall use of basic
attribution was minimally
effective or not used.
10
Overall
Format:
APA
documentatio
n needed only
if sources
external to the
assignment
are introduced
15 Points
Submission
reflects effective
organization and sophisticated
writing; follows instructions
provided; uses
correct structure, grammar, and
spelling; presented in a professional
format; any references used
are appropriately
incorporated and cited using APA
style.
12.75 Points
Submission reflects
effective
organization and clear writing;
follows instructions provided; uses
correct structure,
grammar, and spelling; presented
in a professional format; any
references used are appropriately
incorporated and
cited using APA style.
10.5 Points
Submission is
adequate, is
somewhat organized, follows
instructions provided; contains
minimal grammar
and/or spelling errors; and follows
APA style for any references and citations.
9 Points
Submission is not
well organized,
and/or does not follow
instructions provided; and/or
contains
grammar and/or spelling errors;
and/or does not follow APA style
for any references and
citations. May
demonstrate inadequate level
of writing.
0-8 Points
Document is
poorly written
and does not convey the
necessary information.
15
TOTAL Points
Possible
100
