Hasan Almomani
Security Self-Assessment Report
Introduction
This report is a security self-assessment based on the National Institute of Standards and Technology (NIST) Special Publication 800-26 (SP 800-26) (Swanson). The organization being assessed is the technical support division of an electronics and computer manufacturer; the assessment covers the technical and physical controls that support its information technology security. We will refer to this organization as Tech Inc., a fictitious name for the company. The support facility is one of three: one is located in Canada, another in India, and the chief facility is in the state of Florida. It employs approximately 700 personnel. The …
Employees answer customers' questions and solve their software problems based on information from Expert Solution (ES), proprietary software that stores solutions in a database. The importance of ES is that if an employee does not have access to the database, or the database is corrupted, then the customer's computer must be shipped to a facility in California for repair. This process costs much more than if the customer could perform the simple repair on their own; other costs are the inconvenience of the repair time for the customer and the organization's …
It all starts at the hiring point, where every employee's background is checked and they are screened for substance abuse. Then comes the training period: new employees must complete thirty days of training, which includes the usual job training but also security briefings on what to do and what not to do. Finally, the policy is reviewed with new hires, and they must sign it to acknowledge it. Policy is enforced at all times, and there is a full investigation of any employee who violates policy and procedure, which may or may not lead to disciplinary action or dismissal from the organization.
There is no periodic security training for employees other than the initial training at the time of hire; some employees have been working at the same facility for a year, which may indicate a problem that needs to be addressed. This lack of ongoing security training for employees might be the highest vulnerability and threat at the same time that I could identify.
There are periodic meetings, about one every ninety days, to remind employees about ethical and unethical behavior, and they are encouraged to report any illegal or unethical