Master's Thesis

Information Security Plan for Redacted Tax Service

The Cybersecurity Master of Science Program at California State University San Marcos requires all students to participate in a Semester-In-Residence with a local business. I chose Redacted Tax Service (RTS), a small tax preparation company that has been in business in the San Diego area for more than 30 years. My final deliverables are a Risk Assessment and an Information Security Plan, detailing current security practices and providing recommendations for future improvements.

Over the course of the Semester-In-Residence I became the company’s Chief Information Security Officer and, as my coworkers liked to call me, the IT Department. I ensured that all software was up to date, researched and installed new antivirus software, ensured Payment Card Industry (PCI) compliance when RTS began accepting credit cards, and mitigated any incidents. The most potentially serious incident occurred when the owner clicked on a link in a fraudulent email. The concern was that the entire computer, and potentially the network, could become encrypted. I was able to check log files, run an application to detect rogue software, and run a virus scanner on all network machines. In the end, I could determine that the malicious intent of the email hadn’t infected the network.

Another large concern was physical security. The company had just moved into an office in a local downtown area and foot traffic increased dramatically. I coordinated the installation of a new alarm system, set up a motion sensor by the front door, as well as a camera in the front office that could be viewed on a computer, tablet or cell phone. I also recommended the purchase of steel file cabinets with locks, which better protected sensitive client information. Some of the previous concerns were documented in the Risk Assessment I performed, including PCI compliance and physical security.
Once the Risk Assessment was completed, I was able to determine the controls I felt were necessary using the General Services Administration’s (GSA) Federal Risk and Authorization Management Program’s (FedRAMP) Information Security Plan Template. I also documented the company’s system information, network configuration, and software applications used. I believe this may prove to be even more useful than the security controls, since it had never been documented before. Overall, I was able to complete a Risk Assessment and an Information Security Plan, and ensure a secure and maintainable network. There will always be work to be done, but I am confident that Redacted Tax Service is much more secure, in both network and physical security, since I became involved.
