5/30/2014
North Lawndale Employment Network (NLEN)
Information Security Risk Assessment
Completed by:
Phillip Lai
Joseph Marchis
Taishaun Owens
Michelle Witcher
Table of Contents
Information Security Risk Assessment ... 3
Executive Summary ... 4
Body of Report
  A. Payment Card Industry (PCI) Data Security Standard (DSS) Standards ... 8
  B. Internet Protocol Cameras (IP Cameras) ... 9
  C. Server Equipment Security ... 9
  D. Access Controls ... 11
  E. Wi-Fi Access ... 12
  F. Copier Machine ... 12
  G. Inventory ... 13
  H. Disaster Recovery ... 15
  I. Temporary Use of Equipment ... 16
  J. Record Files (Paper Documents) ... 16
References ... 18
Appendices ... 19
Information Security Safeguard Design ... 25
Summary ... 26
Sections
  Access Controls ... 29
  Record Files ... 39
  Server Equipment ... 40
  Copier Machine ... 42
  Inventory ... 45
  Temporary Use of Equipment ... 48
  Training ... 50
  Disaster Recovery Plan ... 50
Information Security Risk Assessment
EXECUTIVE SUMMARY
May 30, 2014
The team's task was to assess security at North Lawndale Employment Network (NLEN) in order to
reduce the risk of a breach of client information. The areas of focus are access control, access
security, and training controls. Identifying current risks that may expose NLEN, and proposing
solutions that protect NLEN's business purpose and the safety of its clients, employees, and
volunteers, are the key goals. NLEN raised questions about its current practices involving staff
who access sensitive client information: are NLEN employees currently following the policies and
procedures that have been put in place to ensure protection of client data? This initial risk
assessment is based on the team's findings of security vulnerabilities at NLEN. The visits were
conducted on April 3rd and 10th, 2014, each approximately 90 minutes in length. Each visit
consisted of a walk-through tour of NLEN, brief introductions, and a question-and-answer session
with Daniel Rossi of NLEN; Brian Franklin and Bashir Muhammad of Net-Intelligence Group (NTG);
and team members.
Currently, NLEN accepts credit card payments for in-person purchases and from the
“Sweet Beginnings” website (SBW). It was brought to the team's attention that NLEN was unsure
whether it met Payment Card Industry (PCI) Data Security Standard (DSS) standards.1 In
accordance with PCI DSS, all organizations should implement PCI DSS into business-as-usual
(BAU) activities as part of the entity's overall security strategy. The Qualitative Value to
establish this recommended control is Very High; without this standard NLEN could face lawsuits,
insurance claims, cancelled accounts, payment card issuer fines and/or government fines. More
specific details are found in Section A, page 7.
NLEN accepts credit card payments for items from the SBW and for in-person transactions. PCI
DSS requires monitoring of the areas where cardholder data devices are used. As indicated above,
NLEN is unsure of its PCI DSS status. The Team noticed that there were no Internet Protocol (IP)
cameras or closed circuit television (CCTV) cameras present in the facility when the walk-through
was conducted. The Qualitative Value to establish this recommended control is High, due to the
cardholder devices in use at the NLEN facility. More specific details are found in Section B,
page 8.
Currently NLEN does not have a Disaster Recovery Plan (DRP). Disaster planning is crucial in
determining whether a company can still function after serious disruptions to the organization's
connectivity. One can never predict a natural or man-made disaster, so it is imperative that a
DRP is created.2 We recommend implementing a DRP; upon completion the plan should ensure
correctness of procedures, allowing all staff members to know their designated roles for
protection within the facility. The Qualitative Value to establish this recommended control is
High due to the possible loss of the entire network from a fire and/or natural disaster. The cost
to implement a DRP depends on the items required to support the facility. More specific details
are found in Section H, page 14.
1 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 13
2 NIST 800-30, Appendix F: Vulnerabilities and Predisposing Conditions
The basement floor contains a room where the server equipment is located. It was noticed that
the door to the server room is often kept unlocked, for the sake of not having to constantly
open and close the door, since the room also holds various other items. Leaving a multi-use room
that houses the network server unlocked is not good practice. Given the lack of available space
in the facility, the recommended solution is to better protect the key and never leave it
unattended. Access should be granted to Daniel and to another responsible staff member who would
be available during Daniel's absence. The Qualitative Value to establish this recommended control
is Very High due to the possible compromise of the entire network. There is no additional cost to
implement this policy with the existing operating system in use. Furthermore, since this is a
multi-use room, the server equipment should be enclosed in a secure cabinet to prevent
unauthorized access to the equipment. The cost for a server cabinet is $351.00 at Staples. More
details are found in Section C, page 8.
Staff members who walk away from their computers or go on break are not locking or logging off
their computers. With uncontrolled access throughout the facility, anyone may reach the network
and/or sensitive data from an unlocked computer that is not in use. This practice is not in
accordance with NLEN policy as indicated by the Director of NLEN, NIST Special Publication 800-66
Revision 1, and HIPAA Security Awareness and Training (§ 164.308(a)(5)).3 The remedy is to add
an automatic lock on users' computers after 5 minutes of non-use. A policy and training can also
be implemented to ensure that users lock their computers when they are not in use. Although this
does not completely prevent unauthorized access, it does minimize the risk. This recommendation
should be implemented on laptops as well. Additionally, periodic training on safe practices and
security for all staff members is recommended. The Qualitative Value to establish this
recommended control is Very High due to the possible compromise of sensitive data by an
unauthorized user. There is no additional cost to implement this policy with the existing
operating system in use. More specific details are found in Section D, page 10.
Official visitors and volunteers who require computer use share staff computers and logins.
This is not in accordance with NLEN policy as indicated by the Director of NLEN, and PCI DSS4
requires that all users be assigned a unique ID before being allowed to access system
components. All visitors who require computer use should have a specific logon with internet
access only. Logons for visitors can be created on computers designated for client use only,
through the control panel, restricted to internet use only, as opposed to using staff computers
that have access to sensitive data. Additionally, all clients share one logon; this is an unsafe
practice. If there are issues with a user it is difficult to determine who may have caused the
issue. Each client should have their own individual logon, which can be created in Active
Directory on the existing Windows Server 2003. The Qualitative Value to establish this
recommended control is Very High due to the possible compromise of sensitive data through
unauthorized access. There is no additional cost to implement this policy with the existing
operating system in use. More details are found in Section D, page 10.
3 NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
4 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64
The NLEN network is connected via Wi-Fi throughout the facility. This Wi-Fi connectivity is
accessible to staff, clients, and visitors at the NLEN facility. This exposes the network to
threats that may exist on the various connected devices, such as malware. The recommended action
is to disable USB access on all computers to eliminate unauthorized extraction of data and
possible infection of the network. The Qualitative Value to establish this recommended control is
High. If USB access is required it should be available on one designated computer (Daniel's) to
control upload and/or download of data. There is no additional cost to implement this policy with
the existing operating system in use. More details are found in Section E, page 11.
Organizational devices (laptops and tablets) which are available for use outside the facility may
contain sensitive data. The devices are returned after use so that they can be checked out again.
The procedures followed when a device is returned are unclear. The recommended solution is that
devices be checked for functional capabilities upon return. Users should not be given full access
on the devices, only user-level access. This prevents loading of unauthorized software on the
laptops or tablets. Maintenance of the devices should be the same as for the desktop computers,
i.e. updates, patches, and virus protection. If the need arises for a laptop to replace a desktop,
this can then be completed without delay. The Qualitative Value to establish this recommended
control is Very High. There is no additional cost to implement this policy with the existing
operating system in use. More details are found in Section I, page 15.
Several boxes observed throughout the facility contain files which NLEN must retain for a period
of seven years. The boxes are not secure and do not prevent unauthorized access and/or removal
from the facility. The best recommended option is to secure the files in lockable file cabinets.
Given the tight layout of the facility and the lack of space for new equipment, an alternate
method is also recommended: all boxes should be sealed with wide packaging tape along all seams
and the top, with a signature affixed across the top so that the box cannot be opened without
breaking it. A log should be created for each box and attached to it to manage access to the
box. The Qualitative Value to establish this recommended control is High. The cost varies
depending on the option selected. The best recommended option costs $300.00 for a four drawer
vertical file cabinet at Staples. The alternate option costs $11.00 for a pack of 6 rolls of wide
packaging tape at Staples. More details are found in Section J, page 15.
The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard drive
in the machine. Just as the hard drive in a computer stores data, the hard drive in a copier
stores images of documents copied on the machine. The hard drives should be recycled by the
vendor. This is a HIPAA5 requirement when sensitive data stored within an organization must
remain confidential. Ensure the copier vendor has a strict HDD6 recycling policy in place and ask
that they review the policy with you. The Qualitative Value to establish this recommended control
is Very High. If the vendor currently has this procedure in place there is no cost. More details
are found in Section F, page 12.
The last risk is the inventory of desktops, laptops, and tablets in the facility. When asked
“how is the equipment recorded physically”, NLEN had no answer. Currently there is no inventory
of the make, model, serial number, etc., of the equipment. We recommend starting an inventory of
all desktops, laptops, and tablets in the facility. The inventory list identifies the location
and responsible users, which aids in maintaining and upgrading equipment. The Qualitative Value
to establish this recommended control is High. More details are found in Section G, page 12.
This is an initial risk assessment report of the NLEN facility. The overall level of risk is Very
High, due to PCI DSS standards not being in place. “The PCI DSS security requirement applies to
all system components included in or connected to the cardholder data environment. The
cardholder data environment (CDE) is comprised of people, processes and technologies that
store, process, or transmit cardholder data or sensitive authentication data. “System components”
include network devices, servers, computing devices, and applications.”7 Examples of system
components are:
Server room network equipment
Sweet Beginnings Website
Data Center Servers
Connectivity to NTG
Wi-Fi access points
Network operating system
Once NLEN has established PCI DSS standards many other risks will also be resolved.
5 Health Insurance Portability and Accountability Act
6 Hard Disk Drive - a data storage device used for storing and retrieving digital information
7 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page
10.
Body of Report
A. Payment Card Industry (PCI) Data Security Standard (DSS) Standards
The Payment Card Industry (PCI) Data Security Standard (DSS) is a requirement for all
organizations that process credit card transactions; they are required to implement PCI DSS as
business as usual within their organization. Currently NLEN accepts payment via credit card for
item(s) from their Sweet Beginnings Website (SBW). During the visit a team member made an
in-person purchase from SBW with a credit card. The team noticed no cameras present in the
location where the transaction took place. The Team also noticed that SBW is not a secure site,
which would be reflected by “https” in the browser address bar. The SBW shows “http”, which
indicates a non-secure site.
An organization without PCI DSS standards is vulnerable in many ways. To ensure that NLEN
meets the scope of the requirements, all locations and flows of cardholder data must be
identified and included in the PCI DSS scope. The following should be considered to ensure the
accuracy and appropriateness of the PCI DSS scope:
Identify and document the locations within the NLEN facility where all cardholder devices
will be used; this is the NLEN cardholder data environment (CDE). Ensure no cardholder
devices exist outside the designated NLEN CDE areas.
After identifying the location(s) where cardholder devices will be used, verify that the area
is appropriate for PCI DSS use.
All cardholder data should be in the scope of the PCI DSS assessment and part of the CDE.
Retain all documentation that supports the scoping determination for assessor review and/or
for reference for the next annual confirmation and continuity purposes.8
The Qualitative Value for this risk is Very High, because NLEN is not meeting the PCI DSS
standards at this time. The Team has determined that once NLEN has met the PCI DSS standards,
many other risks identified in this report will also be addressed, such as:
Internet Protocol Cameras
Server Room
Server Equipment
Access control
Disaster Recovery Plan
Copier Machine
8 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page
10.
B. Internet Protocol (IP) Cameras
PCI DSS standards are imperative for all businesses that accept credit cards. The facility is
vulnerable to someone skimming the credit card machine. Sections9 of the PCI DSS manual state in
multiple places that there must be some monitoring control in sensitive areas; this can be
anything from the server room and the locations where credit cards are used (where data travels
through very critical parts of the infrastructure) to anything that processes sensitive
information. Similarly, their guidance explains how culprits avoid detection by avoiding the
various ways of incriminating themselves. The areas of concern in the NLEN facility are the
server room and the designated location(s) where cardholder transactions take place. The
Qualitative Value to establish this recommended control is Very High. The Team recommends
installing cameras as the monitoring medium to minimize the risk.
Video cameras and/or access control mechanisms should be used to monitor individual physical
access to sensitive areas. NLEN should focus on the long term effect of monitoring for
vulnerabilities.10 The ease of access to the credit card machine and the server room should not
be taken lightly. Camera monitoring helps deter someone from exploiting other means, such as
gaining access to the server room and installing a backdoor into the network. Using video
cameras and/or access control mechanisms to monitor individual physical access to sensitive
areas minimizes the risk. It is good practice to conduct frequent network monitoring when
possible.11 This risk is a recommended PCI DSS standard action. The Qualitative Value to
establish this recommended control is High.
C. Server Equipment
The server room houses materials and equipment that are used daily by staff members and
clients who work with Sweet Beginnings. It contains the equipment for the internet connection
from NLEN to the Data Center, along with coffee supplies and various other items. Given the
constraint of unavailable space, this room should remain locked at all times. There are two
issues. One is that the key to this room is kept in an office on the main floor (Daniel's
office). The key is left unattended when this office is empty, so anyone may enter, remove the
key, and thus access the server room. The other is that the Team was advised the door is often
left open for the sake of not having to constantly open and close it, because others may need
entry at any given time. The Qualitative Value to establish this recommended control is High.
9 PCI DSS; Section 9.1 and 9.1.1.
10 PCI DSS; Section 11.2.1.
11 PCI DSS; Section 11.2.1.
The above table details the risk of the server room not having secure access, and the
recommended control to ensure that access to the server room is limited.
The protection of the network equipment, which prevents unauthorized access in accordance with
PCI DSS standards, is an issue as well. The network equipment is the backbone of the network; it
is the point of entry and exit for all traffic, and any disruption to this equipment will cause
loss of the network. This equipment should be secured at all times to prevent disruptions.
Disruptions can be unplugging the equipment, removal of any one item, fire, water, and tampering
by an unauthorized person. Tampering can be the connection of a key logger,12 theft of internet
bandwidth,13 introduction of a virus, and/or other malicious action. The possibilities are
endless if one wishes to disrupt or tamper with the network. Additionally, equipment left open
in an unrestricted room is exposed to someone connecting unauthorized equipment, whether
unknowingly or for malicious reasons (tampering). Such an unauthorized connection can be made
without disrupting the network. The equipment is generally reliable and does not require
changes, and therefore may be left unattended for long periods of time. Without a full-time IT
technician onsite, no one may know if or when the equipment has been tampered with. Again,
given the constraints of available space in the facility, it is necessary to secure the
equipment in a manner which prevents exposure to unauthorized personnel.
The Team further recommends the following actions be taken: secure the equipment in a PCI
certified server rack/cabinet, which will prevent unauthorized access to the equipment, and
connect the equipment to an Uninterrupted Power Source (UPS) to prevent loss of the network if a
power outage is experienced. The recommended control for the server room key is to issue keys
only to authorized staff. We recommend issuing a key to Daniel and to two other designated staff
members who would be available when Daniel is not present. The key should not be left out on
display, to prevent others from taking it. When access to this room is needed, one of the
authorized staff members should escort the individual(s) to the room and remain with them the
entire time the room is open. When the business in the server room is finished, it should be
locked and remain so at all times.
Required Items               Manufacturer/Model       Item Number   Cost
Enclosure Server Cabinet     Tripp Lite/SRW12US       IMIY96346     $319
Uninterrupted Power Source   APC Smart-UPS/SMT1500    849858        $467
Total estimate cost of completion: $786
12 Key logger, a program commonly stored on a USB device that keeps track of all typed information on a system or network; it can be used to obtain log-in credentials (users and their passwords) and credit card information.
13 Bandwidth, the speed at which data transfers across the network.
D. Access Controls
Access control governs movement and access to resources throughout the facility. Numerous
unsafe practices were observed on the tour of the facility: staff members willingly logging on
to computers for volunteers, and volunteers accessing clients' information with staff logons.
This is not in accordance with NLEN policy as indicated by the Director of NLEN, or with PCI
DSS.14 Staff should not share their logons with anyone. Each staff member should have their own
individual logon for their own use. When staff step away from their computer they should lock
the terminal every time. A computer left unlocked gives access to the network, which contains
sensitive personal data that should be protected by all means in accordance with HIPAA Security
Awareness and Training (§ 164.308(a)(5)).15
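The executive summary recommends backing up the "lock your terminal" rule with an automatic lock after 5 minutes of non-use. The following PowerShell script is an added example, not part of the NLEN report or its appendices; it writes the registry-backed Group Policy values that Windows XP/2003 and later honour for a password-protected screen saver, and audits them so the control can be checked workstation by workstation. In a domain these values would normally be delivered by a Group Policy Object; setting them under HKCU as shown here has the same effect for the current user. PowerShell 2.0 on the workstation is assumed.

```powershell
# Added example (not from the NLEN report): enforce and audit a password-protected
# screen lock after five minutes of inactivity via the user policy registry values.
# Assumes PowerShell 2.0 or later on a Windows XP/2003-era workstation.

$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$LockSeconds = 300   # 5 minutes of non-use, as the report recommends

function Set-ScreenLockPolicy {
    # Create the policy key if needed, then set the four values written by the
    # "Enable screen saver", "Screen saver timeout", "Password protect the screen saver"
    # and "Force specific screen saver" policies.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $values = @{
        'ScreenSaveActive'    = '1'
        'ScreenSaveTimeOut'   = "$LockSeconds"
        'ScreenSaverIsSecure' = '1'              # require the password on resume
        'SCRNSAVE.EXE'        = 'scrnsave.scr'   # blank screen saver shipped with Windows
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] `
            -PropertyType String -Force | Out-Null
    }
}

function Test-ScreenLockPolicy {
    # Returns $true only when a secure screen saver is forced with a timeout no longer
    # than $LockSeconds; anything else is a finding for the access-control review.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $p = Get-ItemProperty -Path $PolicyKey
    $timeout = $p.ScreenSaveTimeOut
    if (-not ($timeout -match '^\d+$')) { return $false }
    return ($p.ScreenSaveActive -eq '1') -and
           ($p.ScreenSaverIsSecure -eq '1') -and
           ([int]$timeout -gt 0) -and ([int]$timeout -le $LockSeconds) -and
           (-not [string]::IsNullOrEmpty($p.'SCRNSAVE.EXE'))
}

Set-ScreenLockPolicy
if (Test-ScreenLockPolicy) { 'Screen lock policy in place' } else { 'Screen lock policy NOT in place' }
```

Test-ScreenLockPolicy can be run on its own during a later visit to confirm the setting has not been relaxed; the timeout check is "at most 300 seconds" rather than "exactly 300" so a stricter local setting is not reported as a failure.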
Volunteers and/or visitors who require access to a computer should have their own individual
logon. No two people should share the same logon. Only staff employees should have access to
the shared S drive. Access for volunteers/visitors can be restricted to a limited period of
time in addition to being restricted to internet use only. Are the volunteers authorized, or do
they have a need to know clients' personal sensitive information? Currently one logon is
assigned to all clients. With all clients sharing the same logon, if there is malicious action
on the network there is no way to identify who committed the action. Like everyone else in the
facility, each client should have their own individual logon for in-house internet access. The
recommended control is to create individual logons for all volunteers, visitors, and clients.
Volunteers, visitors and clients may all have the same in-house internet access, leaving only
staff with access to the sensitive shared S drive, as directed by the NLEN Director.
To provide individual logons for clients, volunteers, and visitors for in-house internet access,
use the Windows 2003 Server R2 currently located in the server room at the NLEN facility. A
person with administrative access will be able to create the logons in Active Directory for
clients, volunteers, and visitors.
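One way to carry out the logon creation described above is the PowerShell function below. It is an added example, not the report's or NLEN's own procedure: it creates an individual, time-limited account for a visitor or volunteer and places it in a group that grants only in-house internet access, so the shared S drive stays with staff. ADSI is used instead of the ActiveDirectory module so the function works against the Windows Server 2003 R2 domain controller the report describes from any domain-joined machine running PowerShell 2.0. The OU path, group name and domain suffix are placeholders for NLEN's own directory names, and the "Internet Only" group's permissions are assumed to have been set once by the administrator.

```powershell
# Added example (not from the NLEN report): create an individual, expiring visitor logon
# in Active Directory via ADSI and add it to a restricted-access group.
# Placeholders: the OU, group and UPN suffix below stand in for NLEN's real names.

Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword

$VisitorOuPath     = 'LDAP://OU=Visitors,DC=nlen,DC=local'                 # placeholder
$InternetGroupPath = 'LDAP://CN=Internet Only,OU=Groups,DC=nlen,DC=local' # placeholder
$UpnSuffix         = 'nlen.local'                                           # placeholder

function New-VisitorLogon {
    param(
        [Parameter(Mandatory = $true)] [string]$Name,   # e.g. 'visitor-jdoe' (constructed)
        [string]$DisplayName = $Name,
        [int]$ValidDays = 7                              # access expires automatically
    )
    $expires = (Get-Date).AddDays($ValidDays)

    $ou   = [ADSI]$VisitorOuPath
    $user = $ou.Create('user', "CN=$Name")
    $user.Put('sAMAccountName',    $Name)
    $user.Put('userPrincipalName', "$Name@$UpnSuffix")
    $user.Put('displayName',       $DisplayName)
    $user.Put('description',       "Temporary logon, internet only, expires $($expires.ToShortDateString())")
    $user.SetInfo()                     # the object must exist before password and flags are set

    # One-time initial password (14 chars, at least 3 non-alphanumeric). The user must change it
    # at first logon, so nobody else retains a working credential for this individual account.
    $initialPassword = [System.Web.Security.Membership]::GeneratePassword(14, 3)
    $user.SetPassword($initialPassword)
    $user.Put('userAccountControl', 512)   # NORMAL_ACCOUNT, enabled
    $user.Put('pwdLastSet', 0)             # must change password at next logon
    $user.SetInfo()
    $user.psbase.InvokeSet('AccountExpirationDate', $expires)
    $user.SetInfo()

    # Group membership is what limits the account to in-house internet use; the group's
    # permissions (no S drive, no client data) are configured once by the administrator.
    $group = [ADSI]$InternetGroupPath
    $group.Add($user.Path)

    New-Object PSObject -Property @{
        Account         = $Name
        Expires         = $expires
        InitialPassword = $initialPassword
    }
}

# Usage: New-VisitorLogon -Name 'visitor-jdoe' -DisplayName 'J. Doe (visitor)' -ValidDays 3
```

Because every visitor gets a distinct account with an expiry date, the security log on the domain controller attributes activity to a named person, which is exactly what the shared client logon described above makes impossible.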
14 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64.
15 NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule.
To further reduce unsafe practices, the Team recommends security training for all staff
members. The training should cover the following:
The importance of securing the facility for their own physical security.
The importance of safeguarding clients' sensitive data.
The importance of always locking their computers when away.
The importance of the network equipment in the server room.
Who is and is not authorized to access the network.
Required reading of the NLEN policy provided at the beginning of employment.
The importance of secure and safe practices overall.
The use of NLEN laptops and tablets requires monitoring and periodic maintenance. These
devices, which connect to the NLEN network, should meet the same requirements for software
updates, patches, and anti-virus as the desktop computers on the network. These devices are
periodically connected via remote access to the NLEN network. Failing to check these devices
after use leaves clients' sensitive data exposed and opens the network to viruses and/or other
malicious actions. Users should not be given full access on these devices; as on the desktop
computers, user-level access only, to prevent download of unauthorized software onto the network.
Disabling USB drives on all computers on the NLEN network is good and secure practice. USB
drives allow unauthorized download of sensitive data, unauthorized upload of software, and
connection of unprotected devices.
Upon return of a device after use it should be cleared of all data to prevent unauthorized
access to sensitive data. The Team recommends that USB drives be disabled on all computers that
attach or may attach to the NLEN network.
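The USB recommendation above, together with the executive summary's note that one designated computer (Daniel's) may keep USB access, can be implemented and then verified across the fleet. The script below is an added example and not the report's own procedure: it sets the USB mass-storage driver's start type to "disabled" (the method Microsoft documents for Windows XP/2003), re-enables it only where the `-Enable` switch is used, and reads the same value back from a list of machines over the Remote Registry service so any machine that has drifted from the expected state is reported. The computer names are constructed, and the Remote Registry service is assumed to be running on the audited machines.

```powershell
# Added example (not from the NLEN report): disable USB mass storage on a workstation and
# audit a list of machines for the expected state. Assumes PowerShell 2.0 and that the
# Remote Registry service is enabled on the audited computers. Computer names are constructed.
# Note: setting Start=4 stops the driver loading once it has been installed; a machine that
# has never had a USB drive attached also needs usbstor.inf/usbstor.pnf restricted so the
# driver cannot be installed on first use.

$UsbStorSubKey = 'SYSTEM\CurrentControlSet\Services\USBSTOR'
$StartDisabled = 4   # SERVICE_DISABLED
$StartManual   = 3   # SERVICE_DEMAND_START, the Windows default

function Set-UsbStorage {
    # Local machine only; -Enable is intended for the single designated computer.
    param([switch]$Enable)
    $start = if ($Enable) { $StartManual } else { $StartDisabled }
    Set-ItemProperty -Path "HKLM:\$UsbStorSubKey" -Name 'Start' -Value ([int]$start)
}

function Get-UsbStorageState {
    # Reads the start type from one or more computers and reports whether each matches
    # the state it should be in (enabled only for the computers in $AllowedComputers).
    param(
        [string[]]$ComputerName     = @($env:COMPUTERNAME),
        [string[]]$AllowedComputers = @()
    )
    foreach ($c in $ComputerName) {
        $expected = if ($AllowedComputers -contains $c) { $StartManual } else { $StartDisabled }
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $c)
            $key    = $hive.OpenSubKey($UsbStorSubKey)
            $actual = if ($key) { $key.GetValue('Start') } else { $null }
        } catch {
            $actual = $null   # unreachable or access denied: reported as non-compliant
        }
        New-Object PSObject -Property @{
            Computer  = $c
            Start     = $actual
            Expected  = $expected
            Compliant = ($actual -eq $expected)
        }
    }
}

# Usage with constructed names: every workstation locked down except the designated one.
# Get-UsbStorageState -ComputerName 'NLEN-WS01','NLEN-WS02','NLEN-DANIEL' -AllowedComputers 'NLEN-DANIEL' |
#     Format-Table Computer, Start, Expected, Compliant -AutoSize
```

Running Get-UsbStorageState from a scheduled task and keeping its output with the inventory log gives NLEN a record that the control was in place on a given date, which is useful evidence for the PCI DSS documentation discussed in Section A.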
E. Wi-Fi Access
The NLEN network is supported by Wi-Fi connectivity throughout the facility. This network
should be secured. The password for this access point should only be given to authorized users
of the NLEN network who are designated administrators. Volunteers, clients, and visitors should
not be given this access. If this password is known to unauthorized staff members, clients,
volunteers, and visitors, the NLEN network will not be as secure. Those who access the network
with personal devices may introduce threats that exist on those devices, such as viruses or
malware. The Qualitative Value to establish this recommended control is High. There are no
additional costs to implement this policy with the existing operating system in use.
We recommend that the network password be changed. The password should only be known to the
NTG technicians and designated IT staff members. An alternate network (guest network) could be
created for those who wish to have internet access on their personal devices. The guest network
can be accessible to all staff, clients, volunteers, and visitors.
F. Copier Machine
The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard
drive (HDD) in the machine. The HDD is capable of storing many images of documents duplicated
by the copier. Again, more sensitive data is exposed to unauthorized access. During the
questioning session the vendor's current practices were unknown. The Team recommends checking
with the vendor and inquiring about the security measures the vendor takes to keep NLEN
information secure. The Qualitative Value to establish this recommended control is High.
The table above details the risk that sensitive data duplicated by the copier machine may not
be secure, and the recommended control to ensure that the data retained in the copier is
secure.
G. Inventory
The accountability of equipment is unknown. Daniel advised us that he is unaware of any
inventory of the network equipment. If there is loss of equipment or a burglary in the facility,
how will you know how many and which items were taken? The Team recommends creating a small
property inventory of all network equipment. This inventory should be updated whenever there is
a change of equipment and/or staff. The Qualitative Value to establish this recommended control
is High, due to the lack of accountability for NLEN network equipment within the facility. There
is no additional cost to implement this policy. A recommended log example follows.
Room ________________________________________________________________________

ITEM   MANUFACTURER   MODEL   MACHINE NAME   SERIAL#   MAC ADDR   USER   DATE ISSUED

Signature of Supervisor/Manager: _________________________________________________
Date Signed: __________________________________________________________________
Example of small property inventory log.
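The log above can be filled in from each machine itself rather than by hand, and a later collection can be compared against the signed log so that missing or unrecorded equipment is noticed before a burglary question arises. The PowerShell below is an added example, not part of the report: it reads manufacturer, model, machine name, serial number, MAC address and current user from WMI (available on Windows XP/2003 without extra software), writes the result as CSV, and diffs two inventories on serial number. The baseline and "current" rows used to demonstrate the comparison are constructed sample data.

```powershell
# Added example (not from the NLEN report): collect the inventory-log fields from WMI and
# compare a new collection with the recorded baseline. Sample rows are constructed.

function Get-InventoryRecord {
    param([string]$ComputerName = '.', [string]$Room = 'unassigned')
    $cs   = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    $bios = Get-WmiObject -Class Win32_BIOS           -ComputerName $ComputerName
    $nic  = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $ComputerName `
                -Filter 'IPEnabled = TRUE' | Select-Object -First 1
    New-Object PSObject -Property @{
        Room         = $Room
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        MachineName  = $cs.Name
        SerialNumber = $bios.SerialNumber
        MacAddress   = $nic.MACAddress
        User         = $cs.UserName          # currently logged-on user, if any
        DateIssued   = (Get-Date).ToString('yyyy-MM-dd')
    }
}

function Compare-Inventory {
    # Matches on serial number, the one field that survives renaming and re-imaging.
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.SerialNumber] = $b }
    $seen  = @{}
    foreach ($c in $Current)  { $seen[$c.SerialNumber]  = $c }
    $missing    = @($Baseline | Where-Object { -not $seen.ContainsKey($_.SerialNumber) })
    $unrecorded = @($Current  | Where-Object { -not $known.ContainsKey($_.SerialNumber) })
    New-Object PSObject -Property @{
        Missing    = $missing      # in the log but not found: possible loss or theft
        Unrecorded = $unrecorded   # found but never logged: update the inventory
    }
}

# Constructed baseline standing in for last quarter's signed inventory log.
$baseline = @(
    (New-Object PSObject -Property @{ MachineName = 'NLEN-WS01'; SerialNumber = 'SN-0001'; Room = 'Front desk' }),
    (New-Object PSObject -Property @{ MachineName = 'NLEN-WS02'; SerialNumber = 'SN-0002'; Room = 'Office' })
)
# Constructed "current" collection: WS02 is gone and an unlogged laptop has appeared.
$current = @(
    (New-Object PSObject -Property @{ MachineName = 'NLEN-WS01'; SerialNumber = 'SN-0001'; Room = 'Front desk' }),
    (New-Object PSObject -Property @{ MachineName = 'NLEN-LT07'; SerialNumber = 'SN-0107'; Room = 'Loaner shelf' })
)
$diff = Compare-Inventory -Baseline $baseline -Current $current
'Missing: '    + (($diff.Missing    | ForEach-Object { $_.MachineName }) -join ', ')
'Unrecorded: ' + (($diff.Unrecorded | ForEach-Object { $_.MachineName }) -join ', ')

# To record the machine this runs on, in the column order of the paper log:
# Get-InventoryRecord -Room 'Server room' |
#     Select-Object Room, Manufacturer, Model, MachineName, SerialNumber, MacAddress, User, DateIssued |
#     Export-Csv -Path 'inventory.csv' -NoTypeInformation
```

The CSV produced by Get-InventoryRecord carries the same columns as the paper log, so the signed form and the file can be kept together; Compare-Inventory is what turns the log from a list into a control, since it answers the "how many and which items were taken" question the section opens with.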
H. Disaster Recovery Plan
Disaster planning plays a crucial role in determining whether a company can still function after
serious disruptions to the organization's connectivity. One can never predict a fire or water
disaster, so it is imperative that a Disaster Recovery Plan (DRP) is developed.
NIST 800-30 Appendix F, page F-2, would define this vulnerability as high based on the exposure
and ease of exploitation. Note that a contingency plan such as a DRP is a HIPAA Standard,
Contingency Plan (§ 164.308(a)(7))45. All organizations must meet the standard or face
penalties for various violations. The table below, which can be found in NIST SP 800-66r1, is a
standard table for implementing policies responding to an occurrence such as fire, water,
natural disaster, or vandalism.
The implementation of this standard can range from a couple of weeks to about a month or two.
Using the table questions below as samples is as good a place to start as any. It is important to
ask these questions of oneself to see where information is lacking. From there, preemptive
measures can be added in the areas where NLEN is lacking.
HIPAA Table 4.7 Contingency Plan
HIPAA recommended steps aid in developing a Disaster Recovery Plan.
I. Temporary Use of Equipment
A laptop loaner program is available to staff members and clients to accomplish their work
off-site. It was noted that there has been loss of control of devices from this program that
cannot be accounted for. This program is vital and necessary to clients and staff alike. Although
it is a necessary program, measures should be taken to secure the safe keeping of the equipment,
or the program will cease if all the equipment is lost. The Qualitative Value of this risk is
rated High due to the possibility of device(s) not being returned.
It is understood that this program exists for the clients and is vital to success in the U-Turn
program. Eliminating this program could be critical to both clients and staff. The Team
recommends re-evaluating the program with procedures that support the clients and maintain the
safe keeping of the devices.
J. Record Files (Paper Documents)
On a daily basis, new and existing clients come into NLEN hoping to enroll in the U-Turn
program and place their information on a document sheet. The document contains sensitive
information such as their Social Security Number (SSN), address, family members, background
history, education, status, etc. These documents are then placed into storage boxes for
accessibility. The files are later entered into a computer by volunteers and staff members,
where they can be reviewed for further use. This is concerning because it is a red flag16 due to
the vulnerability17 of missing files being a likely occurrence.18 Client information kept in
stored boxes tends to be accessible to anyone on the work site (possibly including the clients),
and could be harmful to clients and assets. The method of storing information must be changed
or altered for privacy and protection purposes.
A proposed solution would be securing the files in containers such as locking file cabinets to
minimize access. The alternate method would be simply sealing the file boxes with wide tape on
the top and all seams. Both solutions would require someone to administer a log with a sign-out
process recording which files are being checked out. Thus records would be dated, recorded, and
guarded by a record of who last accessed a file. This would mitigate the vulnerability of
identity theft (red flag) in the work environment. The option of locked file cabinets makes it
easy to store and organize previous client records and files by dating each file by year; since
the number of client records varies each year, it would be ideal to have an efficient process for
obtaining information on a certain client. With an organized method in place, when shredding is
required documents are easily identified.
16 The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations. (http://www.business.ftc.gov/privacy-and-security/red-flags-rule).
17 An existing weakness based on the work flow of internal controls, or implementations that could be exploited by a threat source. (refer: NIST SP 800-30 p. 9, Chapter 2, Vulnerabilities and Predisposing Conditions).
18 Likelihood of occurrence - Weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or a set of vulnerabilities). (refer: NIST SP 800-30 p. 10, Chapter 2, Likelihood).
This Qualitative Value risk is rated High, due to the possible loss of sensitive information. The
Team recommend either option to minimize the risk. The first option being the file cabinet(s)
which is ideal, cost of $200~$450 each for a 4 drawer vertical file cabinet. This method is more
secure because it grants the possibility of safe storage with a locking mechanism and key. The
alternate method is more cost effective; purchase of wide packaging tape priced $11 for a pack of
6 at Staples. Although this method is not the most secure it is a way to minimize unauthorized
access.
Appendices and References
References
1) NIST SP 800-30 Revision 1
Banks, Rebecca M., and Patrick D. Gallagher. NIST SP 800-30: Guide for Conducting Risk Assessments. U.S. Department of Commerce, Sept. 2012. PDF.
2) PCI DSS
Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, v3.0. Nov. 2013. PDF.
3) PCI DSS
Payment Card Industry (PCI) Data Security Standard: Business-as-Usual Processes, v3.0. Nov. 2013. PDF.
4) HIPAA – NIST SP 800-66 Revision 1
Scholl, Matthew, Kevin Stine, Joan Hash, Pauline Bowen, Arnold Johnson, Carla D. Smith, and Daniel I. Steinberg. NIST Special Publication 800-66 Revision 1. U.S. Department of Commerce, Oct. 2008. Web.
Appendices
NIST SP 800-30 Table F-2: Assessment Scale – Vulnerability Severity
The above table identifies the assessment scale, and a brief description of the various values used to
determine the qualitative values throughout this report.
NIST SP 800-30 Table H-2: Examples of Adverse Impacts
The above table identifies the various risks and their respective impacts.
PCI DSS: Section 11.2.1
The above table states the importance of monitoring the network periodically, verifying that high-risk vulnerabilities are kept to a minimum.
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment
Procedures
Requirement 8:
The table above details Requirement 8, identify and authenticate access to system components. This is a requirement NLEN would use when assigning user accounts to clients, volunteers, and visitors. The PCI DSS Requirements column states the requirements for identifying and authenticating access to system components. The requirement NLEN can focus on is 8.1.1, assigning all users a unique ID before allowing them to access system components. The Testing Procedures column lists procedures NLEN can use to ensure that all users are assigned a unique ID. The Guidance column helps NLEN enforce individual responsibility for actions and an effective audit trail per user.
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment
Procedures
Requirement 9:
The above table states the importance of controlling access to the network in order to prevent unauthorized use. Requirement 9.1.1 serves two purposes: 1) monitoring sensitive areas and 2) protecting the controls from tampering.
The table above states the security awareness and training that NLEN could use as a reference when incorporating training for its employees. The Key Activities column states the types of training to be held, the Description column describes each key activity, and the Sample Questions column lists questions NLEN may want to ask itself before putting together a training class for its employees.
Information Security Safeguard Design
Summary
On May 8th the team met with Daniel to present the safeguard controls we believe would help NLEN in the future. During the meeting Daniel informed us that he would be able to provide the team with the safeguard controls NLEN would like assistance with the following week. Daniel advised the team there would be a one-week delay until he met with his supervisor, after which they would select the safeguard controls for the team to implement. In the meantime the team developed a list of safeguard controls to benefit NLEN: User Access Controls, Server Room Controls, Access Controls and Training, Small Property Inventory, and Temporary Use of Equipment. These controls were selected based on no cost and achievability for NLEN. On May 21st Daniel sent an email with additional safeguard controls that he would like the team to implement. Daniel's selection included the controls already selected by the team plus the following: Disaster Recovery Plan, File Inventory, and Copy Machine Hard Drive.
Each safeguard control has its own objective to benefit NLEN. The team selected the above safeguard controls in particular because of NLEN's current unsafe practices of staff and volunteers and the possible compromise of sensitive data. The objective for server equipment is to minimize access and possible damage to or interruption of the network. The inventory of equipment will help NLEN identify and protect all network equipment. The Temporary Use of Equipment control will manage the existing loaner program, maintaining better control and accountability of the equipment. The Disaster Recovery Plan would ensure that if a natural disaster occurred NLEN has a plan of action available for the safety of its employees, volunteers, and clients, and for restoring routine operations or otherwise as dictated by the disaster. Implementing a safer method of storing files would ensure that sensitive data stored in the file boxes is secured at all times. The copier machine control ensures that sensitive information duplicated on the copier is properly discarded by a safe and secure method.
Currently NLEN allows volunteers to access client information through an employee login, and clients use one designated login to access their resumes, job applications, and credit information. Visitors enter the office and are able to access computers with no login at all. This can lead to the risk of volunteers accessing the shared S drive that is for staff use only. Clients are not aware whether others are able to see what they are doing on the computer when sharing the same logon. Staff not locking computers can lead to unauthorized access to their computer, and to the client sensitive data on it, while they are away from their desk. To ensure the client data on the shared S drive is secured at all times, staff should not share their usernames and passwords with anyone. An individual user account must be created for each volunteer who assists clients. Clients must have their own individual user accounts created as well. When visitors require access to a computer, again an individual user account must be created for the visitor, restricted to Internet use only and no other information. Staff are required to lock their computers at all times when they are away from their desk or on break. Implementing user access safeguard controls will ensure that NLEN is keeping client information safe at all times.
NLEN’s server room is located in the basement of the facility. The equipment is not secured, and there is no way to tell whether the network is monitored daily. Currently the key to the server room is left out for anyone to have access to the equipment; there is no way of knowing who is entering the server room. A server room accessible to anyone means anyone can reach the server equipment, and damage can occur. The unsecured server room key allows anyone to unlock the server room for their own personal use, causing issues with the equipment. To assure that NLEN is protecting the server equipment and the employees, a log should be created recording a signature for each person who accesses the server room. The log should have the name, date, time, and what was accessed in the server room. The server room key should be placed in a secure place where only Daniel or a designated holder may access it. The server room should be monitored daily as a measure to prevent unauthorized access to the network. Implementing the server room safeguard control will ensure that NLEN is securing client information and protecting the safety of its employees and network.
The copier machine NLEN utilizes is provided through a vendor service. NLEN is unsure whether the copier is wiped clean of all information that is copied onto its hard drive after use. The copier machine could have client information stored on its hard drive, which the vendor can access when they retrieve the copier machine from NLEN. This can lead to the compromise of sensitive client information. As a preventive measure, inquire about the safe-practice method the vendor currently has in place. The method should be either overwriting or erasure of the data on the copier's hard drive. If the vendor is not practicing either of these methods, we recommend that one of them be implemented immediately.
Currently NLEN has a wealth of equipment assigned to each staff member, yet NLEN does not have a documented inventory to reflect this. Implementing a Small Property Inventory (SPI) safeguard control will ensure that the equipment at NLEN is accounted for and secured. An SPI reflecting all network equipment held at the NLEN facility will allow the Network Administrator to better monitor and locate equipment within the network. It will also ensure that any newly installed or discarded equipment is properly documented in the inventory with specific details such as make, model, install date, etc. This would be helpful to both NLEN and the NTG vendor who manages the network.
The loaner program currently in place at NLEN offers portable equipment for temporary use to staff and clients. The program has minimal accountability and has previously lost track of equipment. The program should have checks and balances to better manage the equipment, so that if equipment is lost its details are readily known and measures may be taken to recover it. Users desiring temporary equipment should sign for custody of the equipment until it is returned. With this safeguard in place NLEN will better manage the program and minimize the loss of equipment.
Currently there is no Disaster Recovery Plan in place at NLEN. If a natural disaster (fire or water damage) were to occur, NLEN would not be able to continue day-to-day activities, and clients would not be able to receive assistance because of the lack of access to the equipment and services NLEN provides. NLEN would not be able to inform staff how to move forward because no plan is in place. In order to ensure the safety of NLEN staff and clients and to regain operations after a natural disaster, it is imperative to implement a Disaster Recovery Plan. This safeguard control would ensure that NLEN has a plan to follow if a disaster occurs. With a DRP in place NLEN would be able to continue day-to-day activities and carry out the organization's mission. Additionally, NLEN would be able to ensure that the information it accesses remains secured throughout the disaster by ensuring backups are conducted regularly. Staff would know in advance the actions to take if relocation is required, ensuring the safety of all staff and clients.
In the NLEN facility there are storage boxes throughout that contain paper files of clients' personal data. These storage boxes contain current and past client information. NLEN is required to retain these files for seven years before destroying them. Access to the files is open to anyone who enters NLEN because the files are simply placed in storage boxes which are not secured in any way. The safeguard control to prevent unauthorized access to the paper files is to secure the boxes with wide tape along all seams and openings. A log should also be created for employees to sign files in and out when they are taken from the storage boxes. Implementing this safeguard control will ensure that the clients' paper files are secure and will minimize unauthorized access.
Implementing the recommended safeguard controls protects NLEN staff members, clients, and volunteers in many ways:
• Eliminates compromise of sensitive information.
• Limits access to areas of the facility to only those who require it.
• Provides accountability through an inventory of valuable network equipment.
• Decreases possible extraction of data from the copier hard drive when it is recycled.
• Heightens awareness so that monitoring of the network is consistent.
• Minimizes the loss of valuable equipment through accountability.
• Provides advance instruction if a disaster occurs, ensuring the safety of staff and clients.
• Secures stored data and minimizes unauthorized access to it.
• Heightens daily practices with training, securing the environment throughout the facility.
Access Controls
NLEN volunteers access client sensitive information via a staff logon. Clients all have one shared logon to access resumes, apply for jobs, and access credit information. NLEN policy states that only staff are authorized to access the shared S drive that contains client sensitive data; however, the unauthorized sharing of staff logons allows volunteers to access the shared S drive. Clients not having individual logons leads to the inability to track who accessed what. If a client were to access unauthorized information, NLEN would not be able to identify the individual(s) who accessed it, because all share one logon. In order to secure clients' sensitive data and ensure that clients are able to access their own files securely, individual user accounts must be created for each volunteer and client, with Internet access only.
Creating user accounts for volunteers would eliminate staff sharing their logon with volunteers, and those volunteers would not have access to the S drive. It would also help NLEN track each user's activity on the network each time they log in. Clients would have their own logon account and would be able to access their resumes, apply for jobs, and access credit information without the worry of the next person being able to see what activity was previously done. Once again NLEN would be able to track each client's activity according to their username.
This can be done by Daniel or a designated staff member granted administrator access to the Windows 2003 Server R2 located in the server room at the NLEN facility. User names will be created in Active Directory on Windows 2003 Server R2 by following the instructions at www.sharepointgenius.com/create-user-windows-server/.
Creating a New User:
1. Click Start, select Administrative Tools and click Computer Management.
2. In Computer Management, click Local Users and Groups.
3. Double-click the Users folder.
4. Right-click in the users list and click New User.
5. Fill in the information for the new user and click Create. You can create another user. Click Close when you are done creating users.
• Check User must change password at next logon.
• Password will be set to expire every 2 months. Access will be revoked when staff is no longer employed or a volunteer is no longer assisting NLEN.
6. You should now see your newly created user accounts. By default, new user accounts are given limited access permissions.
The NLEN administrator may establish privileges for the usernames once each username has been created, to allow proper access. Assigning privileges will ensure that volunteers are only able to access the information NLEN allows them to access when assisting a client. Clients will also be limited to information such as resume-building skills, employment, and credit information. They will not be able to access anything that is not related to the program within NLEN. In accordance with http://www.sharepointgenius.com/grant-local-administrator-permissions#local-properties, the following instructions will assist NLEN in assigning user privileges to each username created for volunteers and clients:
Assigning User Privileges
1. Click Start, select Administrative Tools and click Computer Management.
2. In Computer Management, click Local Users and Groups.
3. In Local Users and Groups, navigate to the user you wish to grant local administrator permission.
4. Right-click the user and click Properties.
5. Click the Member Of tab.
6. In the Member Of tab, click Add.
7. In Select Groups, type in the group employees and volunteers are assigned to and click Check Names. Click OK when you are done. Click OK again to save the changes.
The recommended safeguards can be tested by having the user log on with the newly created username and password. Once logged in, the user will be required to change their password and will be able to access the necessary information specified for each user. Implementing this control would ensure that volunteers do not have access to the shared S drive that is designated for staff use only and that clients have their own personal logon. NLEN can also test the safeguard controls by checking monthly which users have been disabled.
Currently NLEN allows visitors to log on to computers designated for clients to access the Internet via a client logon. There is no way to limit the access a visitor has when logging into a computer designated for client use with a client logon. Clients routinely access resumes, employment assistance, credit, and other sensitive information. Allowing visitors to use the same logon as clients gives them access to client data if the history was not previously deleted. In order to ensure that client data is protected and visitors only have access to the Internet, NLEN can assign a username to each visitor through the Control Panel on a computer designated for client use. Creating a user account for all visitors will ensure that all client data is secure and that the visitor has their own logon with Internet access only. A designated staff member with Administrator access may create user accounts for visitors by completing the following steps:
Step 1: Click the Windows button (lower left) and click on the “Control Panel”.
Step 2: Under “User Accounts and Family Safety”, click on “Add or remove user accounts”.
Once the visitor's user account has been created, they will be able to log on to the computer, browse the Internet, and log off when finished.
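The account-creation, privilege-assignment and revocation steps above, scripted for the same Windows 2003 Server R2 host with PowerShell 2.0 and the ADSI WinNT provider. This is an added example, not code from the NLEN report or from the linked guide; the group names NLEN Volunteers, NLEN Clients and NLEN Visitors are assumptions (create them first with net localgroup), as is that share and NTFS permissions on the S drive are granted to a staff group only.

```powershell
# Added example (not from the NLEN report): local account provisioning on the
# Windows 2003 Server R2 host via the ADSI WinNT provider (PowerShell 2.0).
# Applies the report's rules: one unique ID per person, "User must change
# password at next logon", a 60-day maximum password age, and revocation when
# a volunteer or staff member leaves. The group names below are assumptions.
$Computer = $env:COMPUTERNAME
$RoleGroups = @{
    Volunteer = 'NLEN Volunteers'   # assumed group: client data only, never the S drive
    Client    = 'NLEN Clients'      # assumed group: resumes, job applications, credit info
    Visitor   = 'NLEN Visitors'     # assumed group: Internet access only
}

function Set-NlenPasswordPolicy {
    # "Password will be set to expire every 2 months" -> 60-day maximum age,
    # plus the 8-character minimum the Server Equipment section asks for.
    & net accounts /maxpwage:60 /minpwlen:8 | Out-Null
}

function New-NlenUser {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][ValidateSet('Volunteer', 'Client', 'Visitor')][string]$Role,
        [Parameter(Mandatory = $true)][string]$InitialPassword
    )
    $machine = [ADSI]"WinNT://$Computer,computer"
    $user = $machine.Create('user', $UserName)
    $user.SetPassword($InitialPassword)
    $user.SetInfo()                                   # account must exist before flags are set
    $user.Put('Description', "NLEN $Role account")
    $user.Put('PasswordExpired', 1)                   # = "User must change password at next logon"
    $user.SetInfo()
    # Group membership decides what the account may reach: the S drive is
    # granted to a staff group only (assumption), never to these three groups.
    $group = [ADSI]"WinNT://$Computer/$($RoleGroups[$Role]),group"
    $group.Add("WinNT://$Computer/$UserName,user")
    Write-Output "Created $UserName as $Role; password change required at next logon."
}

function Disable-NlenUser {
    # Revoke access when staff leave or a volunteer stops assisting NLEN.
    # Disabling rather than deleting keeps the audit trail tied to the unique ID.
    param([Parameter(Mandatory = $true)][string]$UserName)
    $ADS_UF_ACCOUNTDISABLE = 0x2
    $user = [ADSI]"WinNT://$Computer/$UserName,user"
    $user.Put('UserFlags', ($user.UserFlags.Value -bor $ADS_UF_ACCOUNTDISABLE))
    $user.SetInfo()
}

function Get-NlenDisabledUsers {
    # The monthly check the report describes: list accounts that are disabled.
    $machine = [ADSI]"WinNT://$Computer,computer"
    $machine.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        Where-Object { ($_.UserFlags.Value -band 0x2) -ne 0 } |
        ForEach-Object { $_.Name.Value }
}

# Usage, run once as the designated administrator (sample names are constructed):
Set-NlenPasswordPolicy
New-NlenUser -UserName 'vol.jdoe'   -Role Volunteer -InitialPassword 'Temp#2014pw'
New-NlenUser -UserName 'cli.asmith' -Role Client    -InitialPassword 'Temp#2014pw'
New-NlenUser -UserName 'visitor01'  -Role Visitor   -InitialPassword 'Temp#2014pw'
Disable-NlenUser -UserName 'vol.jdoe'
Get-NlenDisabledUsers
```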
Record Files
Paper files are stored in storage boxes throughout the facility at NLEN. The files contain data for current and past clients. The storage boxes are not secured and anyone may access the paper files stored in them. Currently there is no way to track who is accessing the files, how many boxes there are, or where they are located. In order to ensure that the files are secured and access is limited to only those who are authorized, we recommend sealing the storage boxes with tape. In addition to sealing the boxes, create a log to better manage the client files taken from the boxes. For accurate tracking, each employee will be required to sign in, indicate the date the files are accessed, and sign out when the files are put back into the box. The safeguard control can be tested by having a record of who has access to the information each storage box contains; sealing the boxes will ensure that only authorized staff open the storage boxes once sealed.
Server Equipment
Network monitoring every few months will be useful in finding network breaches and giving time to assess the situation and implement a resolution.
• Check for anomalies and discrepancies while monitoring the data.
• Check log files, looking for network access at irregular times.
Step 1: Open Command Prompt.
Step 2: Run the command sfc /scannow (System File Checker, which verifies the integrity of protected Windows system files).
In the output captured at NLEN (screenshot not reproduced here), no integrity violations were found. This is a simple method of checking.
• Check whether there were huge data transfers.
• Check for illegal network access (those accessing the network without permission).
These controls should be implemented bi-weekly by a network administrator.
• Any discrepancy in the network should be logged, reported, and resolved in a reasonable amount of time.
• The NTG vendor should always be aware of the network status and advise NLEN of the status daily; communication is key.
• A test control is to run the command above. There are more options to the command you can use (ask the NTG vendor for assistance).
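The bi-weekly log review described above, as an added example that is not part of the NLEN report: it pulls logon events from the server's Security log, flags those outside opening hours or on weekends together with failed logons, and writes them to a CSV so that discrepancies are logged for follow-up with the NTG vendor. The opening hours (08:00 to 18:00), the Windows Server 2003 event IDs 528, 540 and 529, the position of the user name in the replacement strings and the output path are all assumptions; confirm them against a sample record before relying on the script.

```powershell
# Added example (not from the NLEN report): bi-weekly review of the server's
# Security log for logons at irregular times. Assumes PowerShell 2.0 on the
# Windows 2003 Server R2 host, classic event IDs 528/540 (successful logon)
# and 529 (failed logon), and that ReplacementStrings[0], [1] and [3] hold
# the user name, domain and logon type, as in the Server 2003 record layout.
# Opening hours are an assumption; adjust them to NLEN's actual schedule.
$OpenHour  = 8      # assumed: first expected logon at 08:00
$CloseHour = 18     # assumed: no routine activity from 18:00 onward
$LogonEventIds = @{ 528 = 'Success'; 540 = 'Success (network)'; 529 = 'Failure' }

function Test-OffHours {
    # True when a timestamp falls outside opening hours or on a weekend.
    param([Parameter(Mandatory = $true)][datetime]$Time)
    $weekend = ($Time.DayOfWeek -eq 'Saturday') -or ($Time.DayOfWeek -eq 'Sunday')
    return ($weekend -or ($Time.Hour -lt $OpenHour) -or ($Time.Hour -ge $CloseHour))
}

function Get-NlenLogonReview {
    # One object per logon event in the review window (default two weeks,
    # matching the report's bi-weekly schedule).
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    Get-EventLog -LogName Security -After $since |
        Where-Object { $LogonEventIds.ContainsKey([int]$_.EventID) } |
        ForEach-Object {
            $s = $_.ReplacementStrings
            $user = '?'; $domain = '?'; $logonType = '?'
            if ($s.Count -gt 0) { $user      = $s[0] }
            if ($s.Count -gt 1) { $domain    = $s[1] }
            if ($s.Count -gt 3) { $logonType = $s[3] }
            New-Object PSObject -Property @{
                Time      = $_.TimeGenerated
                EventID   = [int]$_.EventID
                Result    = $LogonEventIds[[int]$_.EventID]
                User      = $user
                Domain    = $domain
                LogonType = $logonType
                OffHours  = Test-OffHours -Time $_.TimeGenerated
            }
        }
}

function Write-NlenDiscrepancyLog {
    # "Any discrepancy in the network should be logged, reported, and resolved":
    # export off-hours and failed logons to a CSV for the administrator and the
    # NTG vendor, and summarize failures per account (repeated failures against
    # one account merit a follow-up). The output path is an assumption.
    param([string]$Path = "$env:USERPROFILE\nlen-logon-review.csv")
    $review  = @(Get-NlenLogonReview)
    $flagged = @($review | Where-Object { $_.OffHours -or ($_.Result -eq 'Failure') })
    $flagged | Sort-Object Time |
        Select-Object Time, EventID, Result, User, Domain, LogonType, OffHours |
        Export-Csv -Path $Path -NoTypeInformation
    $flagged | Where-Object { $_.Result -eq 'Failure' } |
        Group-Object User | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    Write-Output ("{0} logon events reviewed, {1} flagged; details written to {2}" -f
        $review.Count, $flagged.Count, $Path)
}

Write-NlenDiscrepancyLog
```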
Password changes should also be implemented across the network, focusing on its important parts such as the firewall, the router, and the server itself.
• Routinely change passwords on the network.
• Passwords should be on a need-to-know basis and entered by administrators.
• Passwords should be strong, requiring one capital letter, one number, and one special character, with a minimum length of 8 characters.
• Advise staff not to share the Wi-Fi password.
The server room should be visited at various times throughout the day to ensure the server equipment is all present and undisturbed. Since cameras are currently not cost-effective for NLEN, designated staff members should check daily until cameras can be installed.
• Whenever possible, have the network administrator check the equipment and advise what to look for. If anything appears missing or disturbed, the network administrator should be contacted immediately.
• Equipment should be checked twice a day, preferably upon opening and closing of the facility each day.
• Checks should be logged and signed by the staff member conducting the check.
Copier Machine
Currently NLEN keeps sensitive data: social security numbers, credit reports, account numbers, health records, and business secrets. Protecting it is good practice and good business sense, and may also be required by law. According to the Federal Trade Commission (FTC), the national consumer protection agency, information security plans should cover digital copiers within a facility. If the data on the copier gets into the wrong hands, it could lead to fraud and identity theft.
Commercial copiers have come a long way. Today’s generation of networked multifunction devices, known as “digital copiers”, are “smart” machines that copy, print, scan, fax and email documents. Digital copiers require hard disk drives to manage incoming jobs and workloads and to increase the speed of production, although not every copier on the market is considered digital. Generally, copiers intended for business have hard drives, while copiers intended for personal or home office use do not.
The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes or emails. If proper steps are not taken to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed. Digital copiers store different types of information in different ways. For example, photocopied images are more difficult to access directly from the hard drive than documents that are faxed, scanned or printed on the copier.
Copiers often are leased, returned, and then leased again or sold. It is important to know how to
secure data that may be retained on a copier hard drive, and what to do with a hard drive when
you return a leased copier or dispose of one you own. It is wise to include data security for each
stage of the digital copier life-cycle: when you plan to acquire a device, when you buy or lease,
while you use it, and when you turn it in or dispose of it.
Before you acquire a copier, consider the following tips. Make sure it is included in NLEN's information security policies. Copiers should be managed and maintained by NLEN's vendor or a designated staff member. When buying or leasing a copier, evaluate your options for securing the data on the device. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting.
Encryption is the scrambling of data using a secret code that can be read only by particular
software. Digital copiers that offer encryption encode the data stored on the hard drive so that it
cannot be retrieved even if the hard drive is removed from the machine.
Overwriting, also known as file wiping or shredding, changes the values of the bits on the disk that make up a file by overwriting the existing data with random characters. By overwriting the disk space that the file occupied, the traces are removed and the files cannot be reconstructed as easily. This feature is the one most commonly used on copiers.
Depending on the copier, the overwriting feature may allow a user to overwrite after every job run, periodically to clean out the memory, or on a preset schedule. An administrator may be able to set the number of times data is overwritten; generally, the more times the data is overwritten, the safer it is from being retrieved. However, for speed and convenience, some printers let you save documents (for example, a leave slip) and print them straight from the printer hard drive without having to retrieve the file from your computer. For copiers that offer this feature, the saved documents are not overwritten with the rest of the memory. Users should be aware that these documents remain available.
Overwriting is different from deleting or reformatting. Deleting data or reformatting the hard
drive does not actually alter or remove the data, but rather alters how the hard drive finds the
data and combines it to make files. The data remains and may be recovered through a variety of
utility software programs.
Yet another layer of security that can be added involves the ability to lock the hard drives using a
passcode; this means that the data is protected, even if the drive is removed from the machine.
Finally, think ahead to how you will dispose of the data that accumulates on the copier over time.
Check that your lease contract or purchase agreement states that your company will retain
ownership of all hard drives at end-of-life, or that the company providing the copier will
overwrite the hard drive.
While using the copier, take advantage of all its security features. Securely overwrite the entire hard drive at least once a month. If the current copier does not have security features, consider how you will integrate the next copier you lease or purchase into NLEN's information security plans. Plan now for how you will dispose of the copier securely. For example, you may want to consider placing a sticker or placard on the machine that states “Warning: this copier uses a hard drive that must be physically destroyed before turn-in or disposal.” This will inform users of the security issues and remind them of the appropriate procedures when the machine reaches the end of its usable life.
At the end of the copier's service, the following tips are recommended. Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate a lower cost if you are leasing or buying a new machine.
One cautionary note about removing a hard drive from a digital copier on your own: hard drives
in digital copiers often include required firmware that enables the device to operate. Removing
and destroying the hard drive without being able to replace the firmware can render the machine
inoperable, which may present problems if you lease the device. Also, hard drives are not
always easy to find, and some devices may have more than one. Generally, it is advisable to
work with skilled technicians rather than to remove the hard drive on your own.
Reference: http://www.business.ftc.gov/documents/bus43-copier-data-security
Protecting Sensitive Information: Your Legal Responsibility
The FTC’s standard for information security recognizes that businesses have a variety of
needs and emphasizes flexibility: Companies must maintain reasonable procedures to protect
sensitive information. Whether your security practices are reasonable depends on the nature
and size of your business, the types of information you have, the security tools available to
you based on your resources, and the risks you are likely to face.
Depending on the information your business stores, transmits, or receives, you also may have
more specific compliance obligations. For example, if you receive consumer information, like
credit reports or employee background screens, you may be required to follow the Disposal
Rule, which requires a company to properly dispose of any such information stored on its
digital copier, just as it would properly dispose of paper information or information stored on
computers. Similarly, financial institutions may be required to follow the Gramm-Leach-Bliley Safeguards Rule, which requires a security plan to protect the confidentiality and integrity of personal consumer information, including information stored on digital copiers.
Inventory
The Small Property Inventory (SPI) is an inventory of all office equipment maintained throughout the NLEN facility which connects to the NLEN network. Currently an equipment inventory is not maintained at the NLEN facility. Maintaining an inventory of network equipment serves various purposes; one is to create a ledger documenting all the network equipment held and its location. The inventory should be gathered by department and room number. This information will be a resource for department heads in determining what equipment to replace and upgrade when the need arises. A primary function of the SPI is to identify equipment by machine name and Media Access Control (MAC) address, which will aid the Network Administrator with updates and troubleshooting when necessary.
The SPI will follow the example on the next page. Each staff member will sign as the responsible user and custodian of the equipment they use. Once staff have signed for custody of the equipment, each Department Head or Manager will sign for all the staff members assigned under their management.
All inventory sheets will be maintained by designated staff member(s). Any increase or decrease in staff should be reflected in the SPI, and likewise any increase or decrease in equipment. The SPI is useful provided it is maintained. If there are no changes in staff or equipment, the SPI should be verified once annually. To be specific, the equipment to which this inventory applies is:
Computers
Laptops
Printers
Scanners
Cardholders (Credit Card Reader)
Routers (Access Points)
Modems
Servers
Software
This does not exclude any additional equipment NLEN may purchase in the future that is not
listed above and that connects to the network.
Every room containing network equipment should have an inventory sheet completed, identified
by the room number or title at the top. The inventory can be completed by any responsible staff
member, with the exception of the machine name and MAC address. The machine name is a unique
name given by the administrator that identifies the machine by department and/or location, and
it may not be accessible without administrator access. The MAC address is a unique number
assigned to the device when it is manufactured, and it may not be printed on the outside of the
device. In that case, administrator access to the device is required to obtain its machine name
and MAC address. Because these are the only two fields that not all staff can access, we
recommend completing all other available fields on the inventory sheet and leaving these two
blank for completion by an administrator.
Once the inventory sheets are completed, they should be made available to the designated staff
member with administrator access, or to the NTG vendor on the next site visit, for completion.
Instructions for Completing the Inventory Sheet
Room - list the room number, or the room title if no number is given.
Item - list what kind of device it is, for example: computer or printer.
Manufacture/Model - list the manufacturer that designed or made the device, for example: HP or
Dell. Model - list the model type of the device, for example: OfficeJet Pro 5500. If this
information is not labeled in plain sight, it can be found on the underside of the device. If no
model is listed, write "none" in the column.
Machine Name - This is a unique name given to the device by the Administrator for
identification on the server.
Serial Number/MAC Address - the serial number can usually be found on the bottom of the
device. The MAC address is the unique network identifier of the device. Both the serial number
and the MAC address can be found inside the operating system of the device; obtaining this
information requires local administrator access. If you do not have local administrator access,
leave this field blank.
Once the inventory sheets are completed, except for the machine name and MAC address, we
recommend that the designated staff member(s) with administrator access or the NTG vendor
complete the MAC address field.
User - the primary staff member who uses the equipment. For shared equipment such as a
printer or scanner, we recommend that the senior staff member in the room sign as User.
Date Issued - list the current date of completing the inventory for existing devices.
When there is an increase or decrease in the staff assigned to a room, a new inventory is
required. When network equipment is added to or removed from a room, a new inventory is
required. If there are no changes in network equipment or staff, the inventory should be
conducted at least once a year. Periodic spot checks of the inventory should be conducted by
managers/supervisors to ensure this safeguard is in use and that network equipment is properly
accounted for and secure within the NLEN facility.
Room ________________________________________________________________________

ITEM | MANUFACTURE / MODEL | MACHINE NAME | SERIAL# / MAC ADDR | USER | DATE ISSUED
-----|---------------------|--------------|--------------------|------|------------
     |                     |              |                    |      |

Signature of Supervisor/Manager: _________________________________________________
Date Signed: __________________________________________________________________
Example of small property inventory log
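As an added illustration of how the administrator can check the completed SPI sheets (example code written for this page, not a tool NLEN or NTG uses): it assumes the sheets are transcribed into a CSV with the inventory-sheet columns, and that the administrator can list the hostname and MAC address of each device actually seen on the network. Both inputs are constructed samples. The checks flag the fields staff are told to leave for the administrator, malformed or duplicate MAC addresses, devices on the network that no sheet records, sheet entries not seen on the network (candidates for a spot check), and rooms whose sheet is older than the annual verification interval.

```python
"""Small Property Inventory (SPI) checks: added example, not NLEN's or NTG's own tooling.

Assumes the completed inventory sheets are transcribed into a CSV with the
sheet's columns, and that the administrator can export (hostname, MAC) pairs
for devices actually seen on the network. Both inputs below are constructed.
"""
import csv
import io
import re
from datetime import date

# Constructed sample SPI sheet. The printer's machine name and MAC were left
# blank for the administrator, as the instructions allow; the last row has a
# typo in its MAC address (a "G" is not a hex digit).
SPI_CSV = """room,item,manufacturer_model,machine_name,serial,mac,user,date_issued
101,Computer,HP ProDesk,NLEN-101-PC1,SN-0001,00:1A:2B:3C:4D:5E,A. Staff,2013-04-01
101,Printer,HP OfficeJet,,SN-0002,,A. Staff,2014-05-01
102,Laptop,Dell Latitude,NLEN-102-LT1,SN-0003,00:1A:2B:3C:4D:60,B. Staff,2014-05-01
102,Laptop,Dell Latitude,NLEN-102-LT2,SN-0004,00:1A:2B:3C:4D:6G,C. Staff,2014-05-01
"""

# Constructed sample of devices the administrator sees on the network.
# NLEN-102-LT1 is absent (on temporary issue); "unknown-host" is on no sheet.
OBSERVED = [
    ("NLEN-101-PC1", "00-1a-2b-3c-4d-5e"),
    ("unknown-host", "00:1A:2B:3C:4D:FF"),
]

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so sheet and network compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_spi(text):
    """Parse the transcribed sheet into one dict per device row."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_rows(rows):
    """(room, item, problem) for each row the administrator still has to complete or fix."""
    problems, seen = [], {}
    for r in rows:
        mac = r["mac"].strip()
        if not r["machine_name"].strip():
            problems.append((r["room"], r["item"], "machine name left blank"))
        if not mac:
            problems.append((r["room"], r["item"], "MAC address left blank"))
        elif not MAC_RE.match(mac):
            problems.append((r["room"], r["item"], "malformed MAC address"))
        else:
            key = normalize_mac(mac)
            if key in seen:
                problems.append((r["room"], r["item"], "duplicate MAC of " + seen[key]))
            seen[key] = r["machine_name"]
    return problems


def reconcile(rows, observed):
    """Compare sheet and network. Returns (hostnames on the network with no sheet
    entry, machine names on a sheet but not seen). The first list is what a
    spot check should chase first; the second is what it should confirm."""
    sheet = {normalize_mac(r["mac"]): r["machine_name"]
             for r in rows if MAC_RE.match(r["mac"].strip())}
    net = {normalize_mac(m): h for h, m in observed}
    unrecorded = sorted(net[m] for m in net if m not in sheet)
    not_seen = sorted(sheet[m] for m in sheet if m not in net)
    return unrecorded, not_seen


def rooms_due_for_verification(rows, today_iso, max_age_days=365):
    """Rooms with any sheet row older than the annual verification interval."""
    today = date.fromisoformat(today_iso)
    due = {r["room"] for r in rows
           if (today - date.fromisoformat(r["date_issued"])).days > max_age_days}
    return sorted(due)


if __name__ == "__main__":
    rows = load_spi(SPI_CSV)
    for problem in validate_rows(rows):
        print("fix:", problem)
    unrecorded, not_seen = reconcile(rows, OBSERVED)
    print("on the network but on no sheet:", unrecorded)
    print("on a sheet but not seen on the network:", not_seen)
    print("rooms due for annual verification:", rooms_due_for_verification(rows, "2014-05-30"))
```

Running it against the constructed data lists the printer's two blank fields and the mistyped MAC for the administrator, names "unknown-host" as a device nobody has signed for, lists NLEN-102-LT1 as recorded but absent (consistent with a laptop out on temporary issue), and marks room 101 as overdue for its annual verification because its sheet is dated more than a year earlier.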
Temporary Use of Equipment
Equipment loaned out for temporary use should be properly accounted for with a custody form
such as the example on the next page. This form should be used for all network equipment
issued for temporary use outside the NLEN facility. Currently, the equipment being issued for
temporary use is laptop computers. Computers used by staff, clients, and/or volunteers may
contain sensitive data. To prevent unauthorized access to other users' sensitive data, all data
should be removed/erased after each return from temporary issue and prior to reissue to another
staff member. Once returned to inventory, the laptop should be made available to the NTG vendor
for re-imaging of the hard drive on the next site visit.
Weekly spot checks should be conducted by designated staff to ensure accountability and to
detect immediately any loss of control of temporarily issued equipment. They should consult
with users who have temporary custody and confirm that they still have the device within their
control. Monthly checks should be conducted by the designated Department Head to ensure the
safeguard measures for this control are maintained. Frequent periodic checks will quickly
identify loss of control of a device, enabling rapid measures to recover it.
Temporary Issue of Equipment
The equipment listed below is issued to ________________________________ for temporary
use. I understand that while the equipment is in my custody I will take responsibility of the
equipment until it has been returned to NLEN property control.
Equipment: ___________________________________________________________________
Model Number: _______________________________________________________________
Serial Number: ________________________________________________________________
MAC Address: ________________________________________________________________
Plug/Adapter: _________________________________________________________________
Case: ________________________________________________________________________
Mouse: _______________________________________________________________________
Any Additional Equipment not listed above: _________________________________________
______________________________________________________________________________
The above equipment is issued for temporary use and found to be in good working order, with
the discrepancies listed below. If no discrepancies are noted, state "no discrepancies noted".
______________________________________________________________________________
______________________________________________________________________________
Signature/Date of individual taking custody: _________________________________________
Signature/Date of authorizing Supervisor/Manager: ___________________________________
Re-imaged date/signature: _______________________________________________________
Example of temporary custody form
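To show how the custody form and the weekly and monthly checks can be enforced as a simple state machine, here is an added example written for this page (not NLEN's form or any existing system). It keeps a per-device ledger: a laptop returned from temporary issue cannot be reissued until re-imaging has been recorded, and any device on loan without a spot check in the last seven days is flagged. All names, serial numbers, MAC addresses and dates are constructed.

```python
"""Temporary-issue custody ledger: added example, not NLEN's form or any existing system.

Enforces two rules from the text as a per-device state machine: a returned
laptop stays "awaiting_reimage" and cannot be reissued until re-imaging is
recorded, and a device on loan with no spot check within the weekly interval is
flagged. All names, serials, MAC addresses and dates are constructed.
"""
from datetime import date

AVAILABLE, ON_LOAN, AWAITING_REIMAGE = "available", "on_loan", "awaiting_reimage"


class CustodyError(Exception):
    """Raised when an action is attempted in the wrong custody state."""


class Device:
    def __init__(self, serial, mac):
        self.serial, self.mac = serial, mac
        self.state = AVAILABLE
        self.custodian = None
        self.last_spot_check = None   # date of the last confirmed check while on loan
        self.log = []                 # audit trail: (ISO date, event, detail)

    def record(self, when_iso, event, detail=""):
        self.log.append((when_iso, event, detail))


class CustodyLedger:
    def __init__(self):
        self.devices = {}

    def add(self, serial, mac):
        self.devices[serial] = Device(serial, mac)

    def issue(self, serial, custodian, supervisor, when_iso):
        d = self.devices[serial]
        if d.state != AVAILABLE:
            # A returned-but-not-re-imaged laptop still holds the previous
            # user's data, so handing it to the next user is refused.
            raise CustodyError(f"{serial} is {d.state}, not available for issue")
        d.state, d.custodian = ON_LOAN, custodian
        d.last_spot_check = date.fromisoformat(when_iso)
        d.record(when_iso, "issued", f"to {custodian}, authorized by {supervisor}")

    def spot_check(self, serial, confirmed_by, when_iso):
        d = self.devices[serial]
        if d.state != ON_LOAN:
            raise CustodyError(f"{serial} is not on loan")
        d.last_spot_check = date.fromisoformat(when_iso)
        d.record(when_iso, "spot_check", f"custodian {d.custodian} confirmed by {confirmed_by}")

    def return_device(self, serial, when_iso):
        d = self.devices[serial]
        if d.state != ON_LOAN:
            raise CustodyError(f"{serial} is not on loan")
        d.state, d.custodian = AWAITING_REIMAGE, None
        d.record(when_iso, "returned", "held for re-imaging before reissue")

    def reimage(self, serial, technician, when_iso):
        d = self.devices[serial]
        if d.state != AWAITING_REIMAGE:
            raise CustodyError(f"{serial} is not awaiting re-image")
        d.state = AVAILABLE
        d.record(when_iso, "reimaged", f"by {technician}")

    def overdue_spot_checks(self, today_iso, interval_days=7):
        """Serials on loan whose last weekly check is older than the interval."""
        today = date.fromisoformat(today_iso)
        return sorted(s for s, d in self.devices.items()
                      if d.state == ON_LOAN
                      and (today - d.last_spot_check).days > interval_days)

    def awaiting_reimage(self):
        """Serials returned but not yet re-imaged: the list for the NTG site visit."""
        return sorted(s for s, d in self.devices.items() if d.state == AWAITING_REIMAGE)


def demo():
    """Constructed scenario; returns (overdue spot checks, devices awaiting re-image)."""
    ledger = CustodyLedger()
    ledger.add("SN-0003", "00:1A:2B:3C:4D:60")
    ledger.add("SN-0004", "00:1A:2B:3C:4D:61")
    ledger.issue("SN-0003", "B. Staff", "D. Manager", "2014-05-01")
    ledger.issue("SN-0004", "C. Volunteer", "D. Manager", "2014-05-01")
    ledger.spot_check("SN-0003", "designated staff", "2014-05-08")
    ledger.return_device("SN-0004", "2014-05-04")
    try:
        ledger.issue("SN-0004", "E. Staff", "D. Manager", "2014-05-05")
    except CustodyError as err:
        print("refused:", err)       # expected: must be re-imaged first
    return ledger.overdue_spot_checks("2014-05-17"), ledger.awaiting_reimage()


if __name__ == "__main__":
    print(demo())
```

The per-device log gives the monthly check by the Department Head something to audit: every issue, spot check, return and re-image is dated and attributed, so a device that has been out with no check for more than a week shows up in the overdue list, and a laptop that came back but was never re-imaged stays on the list for the next NTG visit instead of going out again with the previous user's data on it.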
Training
Training: Log Off – this safeguard was highly recommended for implementation due to the risk
of unauthorized access to staff computers. Providing methods of logging off staff computers
lowers the rate of unauthorized access, identity and role theft, and unauthorized changes to
client and employee information/accounts, and reduces the threat of bugs, viruses, or other
malicious software being planted on the computer. (Please refer to the Training PowerPoint titled
Security Awareness)
a. Test Plan for Log Off Desktop Icon: if a Log Off icon is created on the desktop of the
computers, a simple test of whether clients, volunteers, or visitors are using this function
is to observe a number of users (for this purpose, 10) and count how many use the "Log Off"
function. If the result is 7/10 (70%), this is considered good practice.
b. Test Plan for Auto Time Interval Log Off: when clients, volunteers, or visitors leave the
work site, you can test how long it takes for a computer/laptop to go into "sleep" mode on its
own. This logs off the computer/laptop after a set time limit, so one can simply check whether
the device logs off after the given period of time.
c. Test Plan for Manual Log Off: observations similar to those for the "Log Off Desktop Icon"
can be made; one can run a simple test of whether clients, volunteers, or visitors are manually
logging off their devices when they leave their workstation or work site. If the result is 7/10
(or 70%), it is considered good practice.
Training Encryption
Training: Encryption - sensitive client information such as work history, Social Security
number, address, family ties, and other sensitive data is being transferred off-site daily along
with other NLEN documents that may be considered valuable information. Many employees may
continue this work off-site on a personal computer. To counteract this unsafe practice, we
recommend using a program called AxCrypt, which encrypts files, to ensure work is done securely
off-site. (Please refer to the Training PowerPoint titled Security Awareness)
Test Plan: given that each client and volunteer has read the Training PowerPoint, a poll can be
taken to see whether this method is considered easy to learn and use, along with a comment
section voicing any concerns about learning how to encrypt/decrypt sensitive files. (Please refer
to the Training PowerPoint titled Security Awareness)
Disaster Recovery Plan (DRP)
Disaster Recovery Plan – the team decided on this safeguard for NLEN's benefit of having a plan
in case an incident occurs outside the scope of daily operations. Currently NLEN does not have a
DRP in place. This safeguard will provide two aspects: preparedness and response to any incident
that may affect NLEN.
Test Plan: the DRP should be created in advance. Each step must be taken into consideration,
and the information must be updated when changes are made and at least annually. In other
words, this form (contact information, equipment changes, staff changes, other back-up plans,
etc.) must be updated yearly. Please refer to the NLEN Disaster Recovery Plan for further
information.

More Related Content

What's hot

The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsMuhammad FAHAD
 
3rd party information security assessment guideline
3rd party information security assessment guideline3rd party information security assessment guideline
3rd party information security assessment guidelinePriyanka Aash
 
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET Journal
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceJeff Lemmermann
 
Symantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionSymantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionDLT Solutions
 
David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016David Blanco
 
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...researchinventy
 
Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1newbie2019
 
Bring your own-computer_to work
Bring your own-computer_to workBring your own-computer_to work
Bring your own-computer_to workNetIQ
 
PCI DSS & Virtualization
 PCI DSS & Virtualization PCI DSS & Virtualization
PCI DSS & VirtualizationTobyRobinson13
 
IT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsIT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsDam Frank
 
A STUDY ON INTRUSION DETECTION
A STUDY ON INTRUSION DETECTIONA STUDY ON INTRUSION DETECTION
A STUDY ON INTRUSION DETECTIONIAEME Publication
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Mukesh Chinta
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comPrescottLunt384
 

What's hot (19)

The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control Systems
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in Healthcare
 
3rd party information security assessment guideline
3rd party information security assessment guideline3rd party information security assessment guideline
3rd party information security assessment guideline
 
User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016
 
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
 
50320130403001 2-3
50320130403001 2-350320130403001 2-3
50320130403001 2-3
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 Conference
 
Symantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionSymantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security Solution
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
06686259 20140405 205404
06686259 20140405 20540406686259 20140405 205404
06686259 20140405 205404
 
David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016
 
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
 
Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1
 
Bring your own-computer_to work
Bring your own-computer_to workBring your own-computer_to work
Bring your own-computer_to work
 
PCI DSS & Virtualization
 PCI DSS & Virtualization PCI DSS & Virtualization
PCI DSS & Virtualization
 
IT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsIT Audit - Shadow IT Systems
IT Audit - Shadow IT Systems
 
A STUDY ON INTRUSION DETECTION
A STUDY ON INTRUSION DETECTIONA STUDY ON INTRUSION DETECTION
A STUDY ON INTRUSION DETECTION
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.com
 

Viewers also liked

Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun Owens
 
The thirteen colonies
The thirteen coloniesThe thirteen colonies
The thirteen coloniesoliabillings
 
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)S Birr
 
LAWAL Resume Edith
LAWAL Resume EdithLAWAL Resume Edith
LAWAL Resume Edithfriday lawal
 
Vinayaga Murthy-Mid Jun 15 (1)
Vinayaga Murthy-Mid Jun 15 (1)Vinayaga Murthy-Mid Jun 15 (1)
Vinayaga Murthy-Mid Jun 15 (1)Vinayaga Murthy
 
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρότασηΤην Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρότασηlanceloty
 
CNS 477 Analyzing Machine Data with Splunk
CNS 477 Analyzing Machine Data with SplunkCNS 477 Analyzing Machine Data with Splunk
CNS 477 Analyzing Machine Data with SplunkTaishaun Owens
 
Winter_brochure_en
Winter_brochure_enWinter_brochure_en
Winter_brochure_enS Birr
 
Anexa 6 eos dental_broschure_en
Anexa 6 eos dental_broschure_enAnexa 6 eos dental_broschure_en
Anexa 6 eos dental_broschure_endumitruioanpop
 
IS506 Business Continuity Disaster Recovery Exam
IS506 Business Continuity Disaster Recovery ExamIS506 Business Continuity Disaster Recovery Exam
IS506 Business Continuity Disaster Recovery ExamTaishaun Owens
 

Viewers also liked (20)

Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_Lab
 
Documentos contables
Documentos contablesDocumentos contables
Documentos contables
 
The thirteen colonies
The thirteen coloniesThe thirteen colonies
The thirteen colonies
 
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
 
Empresa
EmpresaEmpresa
Empresa
 
2000000001
20000000012000000001
2000000001
 
LAWAL Resume Edith
LAWAL Resume EdithLAWAL Resume Edith
LAWAL Resume Edith
 
Loomis Direct
Loomis DirectLoomis Direct
Loomis Direct
 
Vinayaga Murthy-Mid Jun 15 (1)
Vinayaga Murthy-Mid Jun 15 (1)Vinayaga Murthy-Mid Jun 15 (1)
Vinayaga Murthy-Mid Jun 15 (1)
 
Tegaserod 145158-71-0 -api
Tegaserod 145158-71-0 -apiTegaserod 145158-71-0 -api
Tegaserod 145158-71-0 -api
 
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρότασηΤην Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
 
Web y pagweb
Web y pagwebWeb y pagweb
Web y pagweb
 
Tioguanine 154-42-7-api
Tioguanine 154-42-7-apiTioguanine 154-42-7-api
Tioguanine 154-42-7-api
 
CNS 477 Analyzing Machine Data with Splunk
CNS 477 Analyzing Machine Data with SplunkCNS 477 Analyzing Machine Data with Splunk
CNS 477 Analyzing Machine Data with Splunk
 
Rakesh_resume
Rakesh_resumeRakesh_resume
Rakesh_resume
 
Winter_brochure_en
Winter_brochure_enWinter_brochure_en
Winter_brochure_en
 
Anexa 6 eos dental_broschure_en
Anexa 6 eos dental_broschure_enAnexa 6 eos dental_broschure_en
Anexa 6 eos dental_broschure_en
 
IS506 Business Continuity Disaster Recovery Exam
IS506 Business Continuity Disaster Recovery ExamIS506 Business Continuity Disaster Recovery Exam
IS506 Business Continuity Disaster Recovery Exam
 
Tasocitinib 477600-75-2-api
Tasocitinib 477600-75-2-apiTasocitinib 477600-75-2-api
Tasocitinib 477600-75-2-api
 
Ley resorte
Ley resorteLey resorte
Ley resorte
 

Similar to CNS599_NLEN_InformationSecurity

Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Brianna Johnson
 
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public CloudProxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public CloudIRJET Journal
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and riskEY
 
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...IRJET Journal
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureCalgary Scientific Inc.
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr  css non-confidential slide deck2016 01-05 csr  css non-confidential slide deck
2016 01-05 csr css non-confidential slide deckRichard (Dick) Kaufman
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsFrederic Roy-Gobeil, CPA, CGA, M.Tax.
 
Access Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance EssayAccess Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance EssayDotha Keller
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10jpmccormack
 
Dynamic Based face authentication using Video-Based Method
Dynamic Based face authentication using Video-Based MethodDynamic Based face authentication using Video-Based Method
Dynamic Based face authentication using Video-Based MethodIRJET Journal
 
Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Lisa Brown
 
The Good, the bad, and the ugly of Thin Client/Server Computing
The Good, the bad, and the ugly of Thin Client/Server ComputingThe Good, the bad, and the ugly of Thin Client/Server Computing
The Good, the bad, and the ugly of Thin Client/Server ComputingThe Integral Worm
 
Packet capture and network traffic analysis
Packet capture and network traffic analysisPacket capture and network traffic analysis
Packet capture and network traffic analysisCARMEN ALCIVAR
 
Virtual security is no less real
Virtual security is no less realVirtual security is no less real
Virtual security is no less realguest24ab95c
 
2010 survey on information security business
2010 survey on information security business2010 survey on information security business
2010 survey on information security businessHai Nguyen
 
Cyber security and cyber law
Cyber security and cyber lawCyber security and cyber law
Cyber security and cyber lawDivyank Jindal
 
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdfWhitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdfFINAP Worldwide
 

Similar to CNS599_NLEN_InformationSecurity (20)

Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
 
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public CloudProxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secure
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr  css non-confidential slide deck2016 01-05 csr  css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of Things
 
Wfh remote access tips
Wfh   remote access tipsWfh   remote access tips
Wfh remote access tips
 
Access Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance EssayAccess Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance Essay
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10
 
Dynamic Based face authentication using Video-Based Method
Dynamic Based face authentication using Video-Based MethodDynamic Based face authentication using Video-Based Method
Dynamic Based face authentication using Video-Based Method
 
Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1
 
CyberSecurity Update Slides
CyberSecurity Update SlidesCyberSecurity Update Slides
CyberSecurity Update Slides
 
The Good, the bad, and the ugly of Thin Client/Server Computing
The Good, the bad, and the ugly of Thin Client/Server ComputingThe Good, the bad, and the ugly of Thin Client/Server Computing
The Good, the bad, and the ugly of Thin Client/Server Computing
 
Packet capture and network traffic analysis
Packet capture and network traffic analysisPacket capture and network traffic analysis
Packet capture and network traffic analysis
 
Virtual security is no less real
Virtual security is no less realVirtual security is no less real
Virtual security is no less real
 
2010 survey on information security business
2010 survey on information security business2010 survey on information security business
2010 survey on information security business
 
Cyber security and cyber law
Cyber security and cyber lawCyber security and cyber law
Cyber security and cyber law
 
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdfWhitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
 

CNS599_NLEN_InformationSecurity

  • 1. 5/30/2014 North Lawndale Employment Network (NLEN) Information Security Risk Assessment Completed by: Phillip Lai Joseph Marchis Taishaun Owens MichelleWitcher
  • 2. 1 Table of Contents Information Security Risk Assessment ……………………………………………………….............................3 Executive Summary ………………………………………………………………………………………………………..……..4 Body of Report A. Payment Card Industry (PCI) Data Security Standard (DSS) Standards ………...………8 B. Internet Protocol Cameras (IP Cameras)………………………………………………………………….…….9 C. Server Equipment Security …………………………………………………………………9 D. Access Controls ………………………………………………………………..………11 E. Wi-Fi Access……………………………………………………………………..….…..12 F. Copier Machine ………………………………………………………….………….....12 G. Inventory ...…………………………………….……………………….…………….13 H. Disaster Recovery ...………………………….……………………………...………...15 I. Temporary Use of Equipment….…………………………………………………………...16 J. Record Files (Paper Documents) ………………………………...……..……….…….16 References ………………………………………………...……………………………….……18 Appendices ….…………………………………………………………………………………………...19 Information Security Safeguard Design……………………………………………………...25 Summary……………………………………………………………………………………..….26 Sections Access Controls………………………………………………………………………………29 Record Files…………………………………………………………………………………..39 Server Equipment…………………………………………………………………………….40 Copier Machine………………………………………………………………………………42 Inventory……………………………………………………………………………………..45 Temporary Use of Equipment…………………………………………………………………………………………….48 Training………………………………………………………………………………………50 Disaster Recovery Plan………………………………………………………………………50
  • 3. 2
  • 5. 4 EXECUTIVE SUMMARY May 30, 2014 The team’s task was to identify security at North Lawndale Employment Network (NLEN) to reduce vulnerability of a possible breach in client information. The areas of focus in particular are: access control, access security, and training controls. Identifying current risks that may expose NLEN to propose solutions that will ensure NLEN business purpose and safety of its clients, employees, and volunteers are key areas of focus. A few questions presented by NLEN regarding their current practices involving staff who access client sensitive information. Are NLEN employees currently following the policies and procedures that have been put in place to ensure protection of the client’s data? This initial risk assessment is based on the team’s finding of security vulnerabilities found at NLEN. The visits were conducted on April 3rd and 10th, 2014 each in duration of approximately 90 minutes in length. Upon the visit there was a walk through tour of NLEN, brief introductions, following a session of questions and answers with Daniel Rossi, NLEN; Brian Franklin and Bashir Muhammad, of Net-Intelligence Group (NTG); and team members. Currently, NLEN accepts credit card payment upon purchase of items in person and from the “Sweet Beginnings” website (SBW). It was brought to the team attention that NLEN was unsure if they met Payment Card Industry (PCI) Data Security Standard (DSS) standards.1 In accordance with the PCI DSS standards, all organizations should implemented PCI DSS into business as usual (BAU) activities as part of an entity’s overall security strategy. The Qualitative Value to establish this recommended control is Very High, and without this standard it could lead to possible lawsuits, insurance claims, cancelled accounts, payment card issuing fines and/or government fines. More specific details found on Section A, page 7. NLEN accepts credit card payments for items from the SBW or in-person transactions. 
The PCI DSS requires monitoring those areas where credit cardholder data devices are used. As indicated above NLEN is unsure of PCI DSS standards. The Team noticed there were no Internet Protocol (IP) cameras or closed circuit television (CCTV) cameras present in the facility when the walk through was conducted. The Qualitative Value to establish this recommended control is High, due to cardholder devices in use at NLEN facility. More specific details found on Section B, page 8. Currently NLEN does not have a Disaster Recovery Plan (DRP). Disaster planning is crucial in determining if a company can still function after serious disruptions to the organizations connectivity. One can never predict a natural or man-made disaster, so it is imperative that a DRP is created.2 We recommend implementing a DRP, upon completion the plan should ensure correctness of procedures allowing all staff members to know their designated roles for protection with-in the facility. The Qualitative Value to establish this recommended control is High due to possible loss of the entire network by cause of an outbreak of a fire, and or natural 1 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 13 2 NIST 800-30, Appendix F: Vulnerabilities and Predisposing Conditions
5

disaster. The cost to implement a DRP depends on the items required to support the facility. More specific details are found in Section H, page 14.

The basement floor contains a room where the server equipment is located. It was noticed that the door to the server room is often kept unlocked, for the simplicity of not having to constantly open and close the door, since the room also contains various other items. Leaving a multi-use room that houses the network server unlocked is not good practice. Given the lack of available space in the facility, the recommended solution is to better protect the key and never leave it unattended. Access should be granted to Daniel and to another responsible staff member who would be available during Daniel's absence. The Qualitative Value to establish this recommended control is Very High, due to possible compromise of the entire network. There is no additional cost to implement this policy with the existing operating system in use. Furthermore, since this is a multi-use room, the server equipment should be enclosed in a secure cabinet to prevent unauthorized access to the equipment. The cost for a server cabinet is $351.00 at Staples. More details are found in Section C, page 8.

Staff members walking away from their computers, or going on break, are not locking or logging off their computers. With uncontrolled access throughout the facility, anyone may access the network and/or sensitive data from an unlocked computer that is not in use. This practice is not in accordance with NLEN policy as indicated by the Director of NLEN, NIST Special Publication 800-66 Revision 1, and HIPAA Security Awareness and Training (§ 164.308(a)(5)).[3] The remedy is to add an auto-lock to users' computers after 5 minutes of non-use. A policy and training can also be implemented to ensure that users lock their computers when they are not in use. Although this does not completely prevent unauthorized access, it does minimize the risk. This recommendation should be applied to laptops as well. Additionally, periodic training regarding safe practices and security for all staff members is recommended. The Qualitative Value to establish this recommended control is Very High, due to possible compromise of sensitive data by an unauthorized user. There is no additional cost to implement this policy with the existing operating system in use. More specific details are found in Section D, page 10.

Official visitors and volunteers who require computer use have shared staff computers and logins. This is not in accordance with NLEN policy as indicated by the Director of NLEN, and PCI DSS[4] requires that all users are assigned a unique ID before being allowed to access system components. All visitors who require computer use should have a specific logon with internet access only. Logons for visitors can be created on computers designated for client use only, through the control panel, with use restricted to the internet, as opposed to using staff computers and having access to sensitive data. Additionally, all clients share one logon; this is an unsafe practice. If there are issues with a user, it is difficult to determine who may have caused the issue. Each client should have their own individual logon,

[3] NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
[4] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64
6

which can be created through the existing Windows Server 2003 Active Directory. The Qualitative Value to establish this recommended control is Very High, due to possible compromise of sensitive data through unauthorized access. There is no additional cost to implement this policy with the existing operating system in use. More details are found in Section D, page 10.

The NLEN network is connected via Wi-Fi throughout the facility. This Wi-Fi connectivity is accessible to staff, clients, and visitors at the NLEN facility. This exposes the network to vulnerabilities that may exist on the various devices, such as malware. The recommended action is to disable USB access on all computers to eliminate unauthorized extraction of data and possible infection of the network. The Qualitative Value to establish this recommended control is High. If USB access is required, it should be available on one designated computer (Daniel's) to control upload and/or download of data. There is no additional cost to implement this policy with the existing operating system in use. More details are found in Section E, page 11.

Organizational devices (laptops and tablets) that are available for use outside the facility may contain sensitive data. The devices are returned after use so they can be checked out again. The procedures followed when a device is returned are unclear. The recommended solution is that devices be checked for functional capabilities upon return. The user should not be given full access on the devices, only user-level access. This prevents loading of unauthorized software on the laptops or tablets. Maintenance of the devices should be the same as for the desktop computers, i.e. updates, patches, and virus protection. If the need arises for a laptop to replace a desktop, this can then be completed without delay. The Qualitative Value to establish this recommended control is Very High. There is no additional cost to implement this policy with the existing operating system in use. More details are found in Section I, page 15.

Several boxes located throughout the facility contain files which NLEN must retain for a period of seven years. The boxes are not secure and do not prevent unauthorized access and/or removal from the facility. The best recommended option is to secure the files in lockable file cabinets. Given the tight layout of the facility and no available space to support new equipment, an alternate method is recommended: all boxes should be secured with wide packaging tape along all seams and the top, with a signature affixed across the top so that opening the box requires breaking it. A log should be created for each box and attached to it to manage access to the box. The Qualitative Value to establish this recommended control is High. The cost varies depending on the option selected. The best recommended option costs $300.00 for a four-drawer vertical file cabinet at Staples. The alternate recommended option, wide packaging tape, costs $11.00 for a pack of 6 rolls at Staples. More details are found in Section J, page 15.

The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard drive. Just as the hard drive in a computer stores data, the hard drive in a copier stores images of the documents copied on the machine. The hard drives should be recycled by
7

the vendor. This is a HIPAA[5] requirement when storing sensitive data that must remain confidential within an organization. Ensure the copier vendor has a strict HDD[6] recycling policy in place, and request that they review the policy with you. The Qualitative Value to establish this recommended control is Very High. If the vendor currently has this procedure in place, there is no cost. More details are found in Section F, page 12.

The last risk is the inventory of desktops, laptops, and tablets in the facility. When asked "how is the equipment recorded physically?" there was no answer. Currently there is no inventory of the make, model, serial number, etc., of the equipment. We recommend starting an inventory of all desktops, laptops, and tablets in the facility. The inventory list identifies the location and responsible users, which aids in conducting maintenance and upgrading equipment. The Qualitative Value to establish this recommended control is High. More details are found in Section G, page 12.

This is an initial risk assessment report of the NLEN facility. The overall level of the risks is Very High, due to PCI DSS standards not being in place. "The PCI DSS security requirement applies to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. 'System components' include network devices, servers, computing devices, and applications."[7] Examples of system components are:

Server room network equipment
Sweet Beginnings Website
Data Center Servers
Connectivity to NTG
Wifi access points
Network operating system

Once NLEN has established PCI DSS standards, many other risks will also be resolved.

[5] Health Insurance Portability and Accountability Act
[6] Hard Disk Drive - a data storage device used for storing and retrieving digital information
[7] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.
8

Body of Report

A. Payment Card Industry Data Security Standard Standards

The Payment Card Industry (PCI) Data Security Standard (DSS) is a requirement for all organizations that process credit card transactions; they are required to implement PCI DSS as business as usual within their organization. Currently NLEN accepts payment via credit card for item(s) from their Sweet Beginnings Website (SBW). During the visit, a team member made an in-person purchase from SBW with a credit card. The team noticed no cameras present in the location where the transaction took place. The team also noticed that SBW is not a secure site, which would be reflected by "https" in the browser window. The SBW shows "http", which indicates a non-secure site. An organization without PCI DSS standards is vulnerable in many ways.

To ensure that NLEN meets the scope of the requirements, all locations and flows of cardholder data must be identified and included in the PCI DSS scope. The following should be considered to ensure accuracy and appropriateness of the PCI DSS scope:

Identify and document the locations within the NLEN facility where cardholder data will be used; this is the NLEN cardholder data environment (CDE).
Ensure no cardholder data exists outside of the designated NLEN CDE areas.
After identifying the location(s) where cardholder data will be used, verify that the area is appropriate for PCI DSS use.
All cardholder data should be in scope of the PCI DSS assessment and part of the CDE.
Retain all documentation that supports the determination for assessor review and/or for reference for the next annual confirmation and continuity purposes.[8]

The Qualitative Value for this risk is Very High, due to NLEN not meeting the PCI DSS standards at this time. The team has determined that once NLEN has met the PCI DSS standards, many other risks identified in this report will also be addressed, such as:

Internet Protocol Cameras
Server Room
Server Equipment
Access control
Disaster Recovery Plan
Copier Machine

[8] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.
9

B. Internet Protocol (IP) Cameras

The PCI DSS standards are imperative for all businesses that accept credit cards. The facility is vulnerable to someone skimming off the credit card machine. Sections[9] of the PCI DSS manual state in multiple parts that there must be some monitoring control in sensitive areas; this can be anything from the server room, to the locations where cardholder data is used (where data travels through, very critical parts of the infrastructure), to anything that processes sensitive information. Similarly, their guidance is informative in explaining how culprits avoid detection by avoiding various ways of incriminating themselves. The areas of concern in the NLEN facility are the server room and the designated location(s) where cardholder transactions will take place. The Qualitative Value to establish this recommended control is Very High.

The team recommends installing cameras as the monitoring medium to minimize the risk, utilizing video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. NLEN should focus on the long-term effect of monitoring for vulnerabilities.[10] The ease of access to the credit card machine and the server room should not be taken lightly. Camera monitoring helps deter someone from exploiting other means, such as gaining access to the server room and installing a backdoor to the network. Video cameras and/or access control mechanisms that monitor individual physical access to sensitive areas minimize the risk of this vulnerability. It is also good practice to conduct frequent network monitoring when possible.[11] This risk is a recommended PCI DSS standard action. The Qualitative Value to establish this recommended control is High.

C. Server Equipment

The server room houses materials and equipment that are used daily by staff members and clients who work with Sweet Beginnings. It contains the equipment for the internet connection from NLEN to the Data Center, along with coffee supplies and various other items. Given the constraint of unavailable space, this room should remain locked at all times. There are two issues. One is that the key to this room is kept in an office on the main floor (Daniel's office). The key is left unattended when this office is empty, so anyone may enter, remove the key, and thus access the server room. The team was advised the door is often left open, for the simplicity of not having to constantly open and close it, because others may need entry at any given time. The Qualitative Value to establish this recommended control is High.

[9] PCI DSS; Section 9.1 and 9.1.1.
[10] PCI DSS; Section 11.2.1.
[11] PCI DSS; Section 11.2.1.
10

The above table details the risk of the server room not having secure access, and the recommended control for ensuring that access to the server room is limited.

The protection of the network equipment, which prevents unauthorized access and is in accordance with PCI DSS standards, is an issue as well. The network equipment is the backbone of the network; it is the point of entry and exit for all network traffic, and any disruption to this equipment will cause loss of the network. This equipment should be secured at all times to prevent disruptions. Disruptions can include unplugging the equipment, removal of any one item, fire, water, and tampering by an unauthorized person. Tampering can include connection of a key logger,[12] theft of internet bandwidth,[13] introduction of a virus, and/or other malicious action. The possibilities are endless if one wishes to disrupt or tamper with the network. Additionally, leaving the equipment exposed in an unrestricted room leaves it open to someone connecting unauthorized equipment, whether unknowingly or for malicious reasons (tampering). Such an unauthorized connection can be made without any disruption to the network. The equipment is generally reliable and does not require changes, and therefore may be left unattended for long periods of time. Without a full-time IT technician on site, no one may know if or when the equipment has been tampered with.

Again, with the constraints of available space in the facility, it is necessary to secure the equipment in a manner that prevents exposure to unauthorized personnel. The team further recommends the following actions be taken: secure the equipment in a PCI-certified server rack/cabinet, which will prevent unauthorized access to the equipment, and connect the equipment to an Uninterrupted Power Source (UPS) to prevent loss of the network if a power outage is experienced.

The recommended control for the server room key is to issue keys only to authorized staff. We recommend issuing a key to Daniel and to two other designated staff members who would be available when Daniel is not present. The key should not be left on display, to prevent others from taking it. When access to this room is needed, one of the authorized staff members should escort the individual(s) to the room and remain with them the entire time the room is open. When the business in the server room is finished, it should be locked and remain so at all times.

Required Items | Manufacturer/Model | Item Number | Cost

[12] Key logger: a program, commonly stored on a USB device, that keeps track of all typed information on a system or network; it can be used to obtain the login credentials of users, their passwords, and credit card information.
[13] Bandwidth: the speed at which data transfers across the network.
11

Enclosure Server Cabinet | Tripp Lite/SRW12US | IMIY96346 | $319
Uninterrupted Power Source | APC Smart-UPS/SMT1500 | 849858 | $467
Total estimated cost of completion: $786

D. Access Controls

Control of access and movement governs access to the resources throughout the facility. Numerous unsafe practices were observed on the tour of the facility: staff members willingly logging on to computers for volunteers, and volunteers accessing clients' information with staff logons. This is not in accordance with NLEN policy as indicated by the Director of NLEN, or with PCI DSS.[14] Staff should not share their logons with anyone. Each staff member should have their own individual logon for their own use. When staff leave their computer they should ensure they lock the terminal every time. A computer left unlocked gives access to the network, which contains sensitive personal data that should be protected by all means in accordance with HIPAA Security Awareness and Training (§ 164.308(a)(5)).[15]

Volunteers and/or visitors who require access to a computer should have their own individual logon. No two people should have the same logon. Only staff employees should have access to the shared S drive. The access for volunteers/visitors can be restricted to a limited period of time in addition to being restricted to internet use only. Are the volunteers authorized, or do they have a need to know, clients' personal sensitive information?

Currently one logon is assigned to all clients. With all clients sharing the same logon, if there is malicious action on the network there is no way to identify who may have committed the action. Just like all others in the facility, each client should have their own individual logon for in-house internet access.

The recommended control is to create individual logons for all volunteers, visitors, and clients. Volunteers, visitors and clients may have access to the same in-house internet access, leaving only staff with access to the sensitive shared S drive, as directed by the NLEN Director. To accomplish individual logons for clients, volunteers, and visitors for in-house internet access, use the Windows 2003 Server R2 currently located in the server room at the NLEN facility. A person who has administrative access will be able to create the logons in Active Directory for clients, volunteers, and visitors.

[14] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64.
[15] NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
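One way to carry out the recommendation above, as an added example that is not the report's or NLEN's own code: a PowerShell script that creates a separate Active Directory logon for each client, volunteer or visitor through ADSI, which a Windows Server 2003 R2 domain supports (the newer New-ADUser cmdlet does not). The domain name "nlen.local", the three OU names and the "InternetOnly" group are assumptions, not values from the report.

```powershell
# Added example, not code from the NLEN report: one Active Directory logon per client,
# volunteer or visitor, so no account is shared (Section D).  Uses ADSI/LDAP, which works
# against the Windows Server 2003 R2 domain controller.
# ASSUMPTIONS (placeholders, not NLEN's real names): the domain "nlen.local", the OUs
# Clients/Volunteers/Visitors, and a group "InternetOnly" that the firewall or proxy rule
# grants web access to.
param(
    [string]$DomainDn  = "DC=nlen,DC=local",   # ASSUMPTION: placeholder domain
    [string]$UpnSuffix = "nlen.local"          # ASSUMPTION: placeholder UPN suffix
)

# Account types and how long each logon lives before Active Directory expires it.
# Staff accounts are not created here: only staff keep access to the shared S drive.
$AccountTypes = @{
    Client    = @{ Ou = "OU=Clients,$DomainDn";    Days = 365 }
    Volunteer = @{ Ou = "OU=Volunteers,$DomainDn"; Days = 90  }
    Visitor   = @{ Ou = "OU=Visitors,$DomainDn";   Days = 1   }
}

function New-RandomPassword {
    # 14 characters from a mixed alphabet, generated with the OS CSPRNG; handed over once.
    $alphabet = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 14
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-UniqueLogon {
    # Builds a sAMAccountName such as "v-jsmith" and appends a number if it is taken,
    # so two people never end up with the same ID (PCI DSS 8.1.1).
    param([string]$Type, [string]$First, [string]$Last)
    $base = ($Type.Substring(0,1) + "-" + $First.Substring(0,1) + $Last).ToLower() -replace '[^a-z0-9\-]', ''
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    $candidate = $base
    $n = 1
    while ($true) {
        $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$candidate))"
        if ($null -eq $searcher.FindOne()) { return $candidate }
        $n++
        $candidate = "$base$n"
    }
}

function New-RestrictedLogon {
    param([string]$Type, [string]$First, [string]$Last)
    $spec = $AccountTypes[$Type]
    if (-not $spec) { throw "Unknown account type '$Type'" }

    $sam  = New-UniqueLogon -Type $Type -First $First -Last $Last
    $pw   = New-RandomPassword
    $ou   = [ADSI]"LDAP://$($spec.Ou)"
    $user = $ou.Create("user", "CN=$First $Last ($sam)")
    $user.Put("sAMAccountName", $sam)
    $user.Put("userPrincipalName", "$sam@$UpnSuffix")
    $user.Put("givenName", $First)
    $user.Put("sn", $Last)
    $user.Put("description", "$Type logon, internet access only, created $(Get-Date -Format yyyy-MM-dd)")
    $user.SetInfo()                                  # the object must exist before a password is set

    $user.SetPassword($pw)
    $user.Put("pwdLastSet", 0)                       # must change password at first logon
    $user.Put("userAccountControl", 512)             # NORMAL_ACCOUNT, enabled
    $expires = (Get-Date).AddDays($spec.Days)
    $user.InvokeSet("AccountExpirationDate", $expires)   # a visitor logon dies after one day
    $user.SetInfo()

    # Membership in the group that the internet-only rule is written against.
    $group = [ADSI]"LDAP://CN=InternetOnly,OU=Groups,$DomainDn"   # ASSUMPTION: placeholder group
    $group.Add($user.Path)

    # Returned for the handout; the password is shown once and never stored.
    return [pscustomobject]@{ Type = $Type; Logon = $sam; Password = $pw; Expires = $expires }
}

# Usage: read today's sign-in sheet (constructed CSV with columns Type,First,Last) and
# print one handout line per person.
Import-Csv ".\signins.csv" | ForEach-Object {
    New-RestrictedLogon -Type $_.Type -First $_.First -Last $_.Last
} | Format-Table -AutoSize
```

Because the expiry date and group membership are set on the account itself, a visitor's logon stops working the next day even if nobody remembers to remove it.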
12

To help further reduce the unsafe practices, the team recommends security training for all staff members. The training should consist of the following:

Importance of securing the facility for their own physical security.
Importance of safekeeping the clients' sensitive data.
Importance of always locking their computers when away.
Importance of the network equipment in the server room.
Importance of knowing who is and is not authorized to access the network.
Required reading of the NLEN policy provided at the beginning of employment.
Importance of secure and safe practices overall.

The use of NLEN laptops and tablets requires monitoring and periodic maintenance. These devices, which connect to the NLEN network, should meet the same requirements for software updates, patches, and anti-virus as the desktop computers on the network. These devices are periodically connected via remote access to the NLEN network. Not checking these devices after use leaves clients' sensitive data exposed to possible vulnerabilities, viruses and/or other malicious actions against the network. These devices should be issued with user-level access only, as on the desktop computers, to prevent download of unauthorized software onto the network. Disabling USB drives on all computers on the NLEN network is good and secure practice: USB drives allow unauthorized download of sensitive data, unauthorized upload of unauthorized software, and connection of unprotected devices. Upon return of a device after use, it should be cleared of all data to prevent unauthorized access to sensitive data. The team recommends USB drives be disabled on all computers that attach, or may attach, to the NLEN network.

E. Wi-Fi Access

The NLEN network is supported with Wi-Fi connectivity throughout the facility. This network should be secured. The password for this access point should only be given to authorized users of the NLEN network who are designated administrators. Volunteers, clients, and visitors should not be given this access. If this password is known to unauthorized staff members, clients, volunteers, and visitors, the NLEN network will not be as secure. Those who access the network with personal devices may introduce vulnerabilities that exist on those devices, such as viruses or malware. The Qualitative Value to establish this recommended control is High. There are no additional costs to implement this policy with the existing operating system in use. We recommend the network password be changed. Knowledge of the password should be limited to the NTG technicians and designated IT staff members. An alternate network (guest network) could be created to allow those who wish internet access on their personal devices. The guest network can be accessible by all staff, clients, volunteers, and visitors.
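The auto-lock and USB controls recommended in Section D above, as an added example that is not part of the report: a PowerShell script that sets a 5-minute lock timeout and disables USB mass storage on a workstation, then reads the registry back to verify both. The designated transfer computer's host name is a placeholder; across the whole domain the same screen-saver values would be pushed by Group Policy rather than set per machine.

```powershell
# Added example, not NLEN's or the report's own code: enforces two Section D controls on a
# Windows workstation, then re-reads the registry to confirm them.
#   1. Screen lock after 5 minutes of inactivity, password required to resume.
#   2. USB mass storage disabled, except on the one designated transfer computer.
# Run from an elevated PowerShell prompt.
# ASSUMPTION: $DesignatedUsbHost is a placeholder, not a real NLEN machine name.
param(
    [string]$DesignatedUsbHost = "NLEN-TRANSFER-PC",   # ASSUMPTION: placeholder
    [int]$LockAfterSeconds = 300                        # the 5 minutes the report recommends
)

$UsbStorKey = "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR"
$DesktopKey = "HKCU:\Control Panel\Desktop"

function Set-ScreenLock {
    # Writes the same per-user values the "Screen saver" Group Policy settings write.
    param([int]$Seconds)
    Set-ItemProperty -Path $DesktopKey -Name "ScreenSaveActive"    -Value "1"
    Set-ItemProperty -Path $DesktopKey -Name "ScreenSaverIsSecure" -Value "1"    # password on resume
    Set-ItemProperty -Path $DesktopKey -Name "ScreenSaveTimeOut"   -Value "$Seconds"
    # The blank screen saver ships with Windows; any saver is enough to trigger the lock.
    Set-ItemProperty -Path $DesktopKey -Name "SCRNSAVE.EXE" -Value "$env:SystemRoot\System32\scrnsave.scr"
}

function Set-UsbStorage {
    # Start=3 lets the USBSTOR driver load on demand; Start=4 disables it, so a USB stick
    # plugged in afterwards never appears as a drive.
    param([bool]$Enabled)
    $start = if ($Enabled) { 3 } else { 4 }
    Set-ItemProperty -Path $UsbStorKey -Name "Start" -Value $start -Type DWord
}

function Get-WorkstationCompliance {
    # Reads the settings back so the result can be logged, not just assumed.
    param([int]$LockAfterSeconds, [bool]$UsbShouldBeEnabled)
    $d = Get-ItemProperty -Path $DesktopKey
    $u = Get-ItemProperty -Path $UsbStorKey
    $lockOk = ($d.ScreenSaveActive -eq "1") -and ($d.ScreenSaverIsSecure -eq "1") -and
              ([int]$d.ScreenSaveTimeOut -le $LockAfterSeconds)
    $usbOk  = if ($UsbShouldBeEnabled) { $u.Start -ne 4 } else { $u.Start -eq 4 }
    return [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        ScreenLockOk = $lockOk
        UsbPolicyOk  = $usbOk
        LockTimeout  = $d.ScreenSaveTimeOut
        UsbStorStart = $u.Start
    }
}

# Only the designated computer keeps USB storage; every other machine loses it.
$usbAllowed = ($env:COMPUTERNAME -ieq $DesignatedUsbHost)
Set-ScreenLock -Seconds $LockAfterSeconds
Set-UsbStorage -Enabled $usbAllowed
Get-WorkstationCompliance -LockAfterSeconds $LockAfterSeconds -UsbShouldBeEnabled $usbAllowed |
    Format-List
```

The screen-saver values live under HKCU, so they apply to the user running the script; the USBSTOR change is machine-wide and takes effect for devices plugged in after it is made.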
13

F. Copier Machine

The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard drive (HDD) in the machine. The HDD is capable of storing many images duplicated by the copier; again, more sensitive data is exposed to unauthorized access. During the questioning session, the current practices of the vendor were unknown. The team recommends checking with the vendor and inquiring about the security measures the vendor takes to keep NLEN information secure. The Qualitative Value to establish this recommended control is High.

The table above details the risk that sensitive data duplicated by the copier machine may not be secure, and the recommended control to ensure that the data retained in the copier is secured.

G. Inventory

The accountability of equipment is unknown. Daniel advised us he is unaware of any inventory of the network equipment. If there is loss of equipment or a burglary in the facility, how will you know how many and which items were taken? The team recommends creating a small property inventory of all network equipment. This inventory should be updated whenever there is a change of equipment and/or staff. The Qualitative Value to establish this recommended control is High, due to no accountability of NLEN network equipment within the facility. There is no additional cost to implement this policy. A recommended log example is on the next page.
14

Room ________________________________________________________________________

ITEM | MANUFACTURE | MODEL | MACHINE NAME | SERIAL# | MAC ADDR | USER | DATE ISSUED

Signature of Supervisor/Manager: _________________________________________________
Date Signed: __________________________________________________________________

Example of small property inventory log.
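The log columns above, filled in automatically as an added example that is not part of the report: a PowerShell script that reads make, model, serial number and MAC address from WMI on the computer it runs on and appends a row to a shared CSV, flagging a machine already on the log whose room or user has changed. The share path is a placeholder.

```powershell
# Added example, not part of the NLEN report: fills in one row of the small property
# inventory log (Section G) for the computer it runs on, from WMI, and appends it to a
# shared CSV.  Columns mirror the log: ITEM, MANUFACTURE, MODEL, MACHINE NAME, SERIAL#,
# MAC ADDR, USER, DATE ISSUED, plus ROOM from the sheet header.
# ASSUMPTIONS (placeholders): the share path in $LogPath and the room label passed in.
param(
    [string]$Room = "Unassigned",
    [string]$LogPath = "\\NLEN-SERVER\IT\inventory.csv"   # ASSUMPTION: placeholder share
)

function Get-InventoryRecord {
    param([string]$Room)
    $cs   = Get-WmiObject Win32_ComputerSystem
    $bios = Get-WmiObject Win32_BIOS
    # Only adapters that currently carry an IP address, so disabled or virtual ones are skipped.
    $macs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
            ForEach-Object { $_.MACAddress }
    # SMBIOS chassis types 8-14 and 30-32 are portable form factors (laptop, notebook, tablet).
    $portable = @(8..14) + @(30..32)
    $chassis  = (Get-WmiObject Win32_SystemEnclosure).ChassisTypes
    $item = "Desktop"
    foreach ($c in $chassis) { if ($portable -contains $c) { $item = "Laptop/Tablet" } }
    return [pscustomobject]@{
        ROOM           = $Room
        ITEM           = $item
        MANUFACTURE    = $cs.Manufacturer
        MODEL          = $cs.Model
        'MACHINE NAME' = $cs.Name
        'SERIAL#'      = $bios.SerialNumber
        'MAC ADDR'     = ($macs -join ';')
        USER           = $cs.UserName          # DOMAIN\user logged on now; blank if nobody
        'DATE ISSUED'  = Get-Date -Format 'yyyy-MM-dd'
    }
}

function Add-InventoryRecord {
    param([pscustomobject]$Record, [string]$LogPath)
    $csv = $Record | ConvertTo-Csv -NoTypeInformation    # header line + one data line
    if (-not (Test-Path $LogPath)) {
        $csv | Set-Content -Path $LogPath
        return "log created"
    }
    # Compare against the last entry for this serial number: a changed room or user means
    # the device moved, so the paper sheet needs a new supervisor signature, not just a row.
    $previous = @(Import-Csv $LogPath | Where-Object { $_.'SERIAL#' -eq $Record.'SERIAL#' })
    $csv | Select-Object -Skip 1 | Add-Content -Path $LogPath
    if ($previous.Count -eq 0) { return "added" }
    $last = $previous[$previous.Count - 1]
    if ($last.ROOM -ne $Record.ROOM -or $last.USER -ne $Record.USER) { return "moved or reassigned" }
    return "re-verified"
}

$record = Get-InventoryRecord -Room $Room
$status = Add-InventoryRecord -Record $record -LogPath $LogPath
$record | Format-List
Write-Output "Inventory status for $($record.'MACHINE NAME'): $status"
```

Running it from a logon script keeps the CSV current whenever a machine is moved or a user changes, which is the update trigger Section G calls for.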
15

H. Disaster Recovery Plan

Disaster planning plays a crucial role in determining whether a company may still function after serious disruptions to the organization's connectivity. One can never predict a fire or water disaster, so it is imperative that a Disaster Recovery Plan (DRP) is developed. NIST 800-30 Appendix F, page F-2, would define this vulnerability as high based on the exposure and ease of exploitation. Note that a contingency plan such as a DRP is a HIPAA Standard (Contingency Plan, § 164.308(a)(7)). All organizations must meet the standards or face penalties for various violations. The table below, which can be found in NIST SP 800-66r1, is a standard table for implementing policies for responding to an occurrence such as fire, water, natural disaster, or vandalism. Implementation of this standard can range from a couple of weeks to about a month or two. Using the table's questions below as samples is as good a place to start as any. It is important to ask these questions of oneself to see where there is a lack of information. From there, preemptive measures can be added in the areas NLEN lacks.

HIPAA Table 4.7 Contingency Plan

HIPAA recommended steps aid in developing a Disaster Recovery Plan.
16

I. Temporary Use of Equipment

A laptop loaner program is available to staff members and clients to accomplish their work off-site. It was noted there has been a loss of control of devices from this program, which cannot be accounted for. This program is vital and necessary to clients and staff alike. Although it is a necessary program, measures should be taken to secure the safekeeping of the equipment, or the program will cease if all equipment is lost. The Qualitative Value risk is rated High due to the possibility of device(s) not being returned. It is understood this program exists for the clients and is vital to success in the U-Turn program. Eliminating this program could be critical to both clients and staff. The team recommends re-evaluating the program with procedures that support the clients and maintain the safekeeping of the devices.

J. Record Files (Paper Documents)

On a daily basis, new and existing clients come into NLEN hoping to enroll in the U-Turn program, and place their information on a document sheet. The document contains sensitive information such as their Social Security Number (SSN), address, family members, background history, education, status, etc. These documented files are then placed into storage boxes for accessibility. The files are later entered into a computer by volunteers and staff members, where they can be reviewed for further use. This is concerning because it is a red flag[16] due to the vulnerability[17] of missing files being a likelihood of occurrence.[18] Client information kept in stored boxes tends to be accessible to anyone on the work site (possibly including the clients), and could be harmful to clients and assets. The method of storing information must be changed or altered for privacy and protection purposes. A proposed solution would be securing the files in containers such as locking file cabinets to minimize access. The alternate method would be to simply seal the box files with wide tape on the top and all seams. Both solutions would require someone to administer a log file with a sign-out process for which files are being checked out. Thus records would be dated, recorded, and guarded according to who last accessed a file. This would mitigate the vulnerability of identity theft (a red flag) in the work environment. The option of locked file cabinets makes it easy to store and set up previous records and files of clients by dating each file by year; since the number of client records varies each year, it would be ideal to have an efficient process for

[16] The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations. (http://www.business.ftc.gov/privacy-and-security/red-flags-rule)
[17] An existing weakness based on the work flow of internal controls, or implementations that could be exploited by a threat source. (Refer: NIST SP 800-30 p. 9, Chapter 2, Vulnerabilities and Predisposing Conditions.)
[18] Likelihood of occurrence - weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or a set of vulnerabilities). (Refer: NIST SP 800-30 p. 10, Chapter 2, Likelihood.)
17

obtaining information on a certain client. With an organized method in place, when shredding is required the documents are easily identified. This Qualitative Value risk is rated High, due to the possible loss of sensitive information. The team recommends either option to minimize the risk. The first option, the file cabinet(s), is ideal, at a cost of $200~$450 each for a 4-drawer vertical file cabinet. This method is more secure because it provides safe storage with a locking mechanism and key. The alternate method is more cost effective: the purchase of wide packaging tape priced at $11 for a pack of 6 at Staples. Although this method is not the most secure, it is a way to minimize unauthorized access.
18

Appendices and References

References

1) NIST SP 800-30 Revision 1. Banks, Rebecca M., and Patrick D. Gallagher. NIST SP 800-30: Guide for Conducting Risk Assessments. U.S. Department of Commerce, Sept. 2012. PDF.
2) PCI DSS. Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, v3.0, Nov. 2013.
3) PCI DSS. Payment Card Industry (PCI) Data Security Standard: Business-as-Usual Processes, v3.0, Nov. 2013. PDF.
4) HIPAA – NIST SP 800-66 Revision 1. Scholl, Matthew, Kevin Stine, Joan Hash, Pauline Bowen, Arnold Johnson, Carla D. Smith, and Daniel I. Steinberg. NIST Special Publication 800-66 Revision 1. U.S. Department of Commerce, Oct. 2008. Web.
19

Appendices

NIST SP 800-30 Table F-2: Assessment Scale – Vulnerability Severity

The above table identifies the assessment scale and gives a brief description of the various values used to determine the qualitative values throughout this report.
20

NIST SP 800-30 Table H-2: Examples of Adverse Impacts

The above table identifies the various risks and their respective impacts.
21

PCI DSS: Section 11.2.1

The above table states the importance of monitoring the network from time to time, verifying that high-risk vulnerabilities are kept to a minimum.
22

Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Requirement 8:

The table above details the requirements for identifying and authenticating access to system components. This is a requirement NLEN would use when assigning user accounts to clients, volunteers, and visitors. The PCI DSS Requirements column states the requirements for identifying and authenticating access to system components. The requirement NLEN can focus on is 8.1.1, assigning all users a unique ID before allowing them to access system components. The Testing Procedures column lists procedures NLEN can use to ensure that all users are assigned a unique ID. The Guidance column helps NLEN enforce individual responsibility for actions and an effective audit trail per user.
23

Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Requirement 9:

The above table states the importance of controlling access to the network, to prevent unauthorized use of the network. Requirement 9.1.1 serves multiple purposes: 1) monitor sensitive areas, and 2) protect controls from tampering.
24

The above table states the security awareness and training that NLEN could use as a reference when incorporating training for its employees. The Key Activities column states the types of training to be held, the Description column explains each key activity, and the Sample Questions column gives questions NLEN may want to ask itself before putting together a training class for its employees.
Summary

On May 8th the team met with Daniel to present the safeguard controls we believe would help NLEN in the future. During the meeting Daniel informed us that he would be able to provide the team with the safeguard controls NLEN would like assistance with the following week. Daniel advised the team that there would be a one-week delay while he met with his supervisor, after which they would select the safeguard controls for the team to implement. In the meantime the team developed a list of safeguard controls to benefit NLEN: User Access Controls, Server Room Controls, Access Controls and Training, Small Property Inventory, and Temporary Use of Equipment. These controls were chosen because they cost nothing and are achievable for NLEN. On May 21st Daniel sent an email with additional safeguard controls that he would like the team to implement. Daniel's selection included the controls already chosen by the team plus the following: Disaster Recovery Plan, File Inventory, and Copy Machine Hard Drive.

Each safeguard control has its own objective to benefit NLEN. The team selected the above safeguard controls in particular because of NLEN's current unsafe practices by staff and volunteers and the possible compromise of sensitive data. The objective for server equipment is to minimize access and the possible damage to or interruption of the network. The inventory of equipment will help NLEN identify and protect all network equipment. The Temporary Use of Equipment control will manage the existing loaner program, maintaining better control and accountability of the equipment. The Disaster Recovery Plan would ensure that, if a natural disaster occurred, NLEN has a plan of action available for the safety of its employees, volunteers, and clients, and for the restoration of routine operations or whatever else the disaster requires. Implementing a safer method of storing files would ensure that sensitive data stored in the file boxes is secured at all times. The copier machine control ensures that sensitive information duplicated by the copier is properly discarded by a safe and secure method.

Currently NLEN allows volunteers to access client information through an employee login, clients use one designated login to access their resumes, job applications, and credit information, and visitors enter the office and are able to use computers with no login at all. This creates the risk of volunteers accessing the shared S drive that is for staff use only. Clients are not aware whether others can see what they are doing on the computer when sharing the same logon. Staff not locking their computers can lead to unauthorized access to the computer, and to the sensitive client data on it, while they are away from their desk. To ensure the client data on the shared S drive is secured at all times, staff should not share their usernames and passwords with anyone. An individual user account must be created for each volunteer who assists clients. Clients must have their own individual user accounts created as well. When visitors require access to a computer, again an individual user account must be created for the visitor, restricted to Internet use only and no other information. Staff are required to lock their computers at all times when they are away from their desk or on break. Implementing user access safeguard controls will ensure that NLEN keeps client information safe at all times.

NLEN's server room is located in the basement of the facility. The equipment is not secured and there is no way to tell whether the network is monitored daily. Currently the key to the server room is
left out for anyone to pick up, so there is no way of knowing who is entering the server room. A server room accessible to anyone means anyone can reach the server equipment, and damage can occur. Because the key is not secured, anyone can unlock the server room for their own purposes, causing issues with the equipment. To assure that NLEN is protecting the server equipment and its employees, a log should be created in which each person who accesses the server room signs. The log should record the name, date, time, and what was accessed in the server room. The server room key should be kept in a secure place where only Daniel or a designated key holder may access it. The server room should be monitored daily as a measure to prevent unauthorized access to the network. Implementing the server room safeguard control will ensure that NLEN is securing client information and protecting the safety of its employees and network.

The copier machine NLEN utilizes is provided through a vendor service. NLEN is unsure whether the copier's hard drive is wiped clean of all information copied onto it after use. The copier could have client information stored on its hard drive, which the vendor can access when it retrieves the copier from NLEN. This can lead to the compromise of sensitive client information. The preventive measure is to ask the vendor what safe-handling method it currently has in place. The method should be either overwriting or erasure of the data on the copier's hard drive. If the vendor is not practicing either of these methods, recommend that one of them be implemented immediately.

Currently NLEN has a wealth of equipment assigned to each staff member, yet NLEN does not have a documented inventory to reflect this. Implementing a Small Property Inventory (SPI) safeguard control will ensure that the equipment at NLEN is accounted for and secured. An SPI listing all network equipment held at the NLEN facility will allow the Network Administrator to better monitor and locate equipment within the network. It will also ensure that any equipment newly installed or discarded is properly documented in the inventory with specific details such as make, model, and install date. This would be helpful to both NLEN and the NTG vendor who manages the network.

The loaner program currently in place at NLEN offers portable equipment for temporary use to staff and clients. The program has minimal accountability and has previously lost track of equipment. The program should have a check and balance to better manage the equipment, so that if equipment is lost its details are readily known and measures can be taken to recover it. Users who want to borrow equipment should sign for custody of it until it is returned. With this safeguard in place NLEN will better manage the program and minimize the loss of equipment.

Currently there is no Disaster Recovery Plan in place at NLEN. If a natural disaster (fire or water damage) were to occur, NLEN would not be able to continue day-to-day activities, and clients would not be able to receive assistance because the equipment and services NLEN provides would be unavailable. NLEN would not be able to tell staff how to move forward because no plan exists. In order to ensure the safety of NLEN staff and clients and to regain operations after a natural disaster, it is imperative to implement a Disaster Recovery Plan. This safeguard control would ensure that NLEN has a plan to follow if a disaster occurs. With a DRP in
place, NLEN would be able to continue day-to-day activities and carry out the organization's mission. Additionally, NLEN would be able to ensure that the information it accesses remains secured throughout the disaster by ensuring backups are conducted regularly. If relocation is required, staff would know in advance what actions to take to ensure the safety of all staff and clients.

In the NLEN facility there are storage boxes throughout that contain paper files of clients' personal data. These storage boxes contain current and past client information. NLEN is required to retain these files for seven years before destroying them. Access to the files is open to anyone who enters NLEN, because the files are simply placed in storage boxes that are not secured in any way. The safeguard control to prevent unauthorized access to the paper files is to secure the boxes with wide tape along all seams and openings. A log should also be created for employees to sign files in and out when they are taken from the storage boxes. Implementing this safeguard control will ensure that clients' paper files are secure and minimize unauthorized access.

Implementing the recommended safeguard controls protects NLEN staff members, clients, and volunteers in many ways:
• Eliminates compromise of sensitive information.
• Restricts access to areas of the facility to only those who require it.
• Provides accountability through an inventory of valuable network equipment.
• Decreases the possibility of data extraction from the copier hard drive when it is recycled regularly.
• Heightens awareness so that monitoring of the network is consistent.
• Minimizes the loss of valuable equipment through accountability.
• Provides advance instruction if a disaster occurs, ensuring the safety of staff and clients.
• Secures stored data and minimizes unauthorized access to it.
• Heightens daily practices through training, securing the environment throughout the facility.
Access Controls

NLEN volunteers access sensitive client information via a staff logon. Clients all share one logon to access resumes, apply for jobs, and access credit information. NLEN policy states that only staff are authorized to access the shared S drive that contains sensitive client data; however, the shared logon allows volunteers to access the S drive as well. Because clients do not have individual logons, there is no way to track who accessed what. If a client were to access unauthorized information, NLEN would not be able to identify the individual(s) responsible, since everyone uses the same logon. In order to secure sensitive client data and ensure that clients are able to access their own files securely, individual user accounts must be created for each volunteer and client, with Internet access only. Creating user accounts for volunteers would eliminate staff sharing their logon with volunteers, and those volunteers will not have access to the S drive. It will also help NLEN track each user's activity on the network each time they log in. Clients will have their own logon accounts and will be able to access their resumes, apply for jobs, and access credit information without worrying that the next person can see what was previously done. Again, NLEN will be able to track each client's activity by username. This can be done by Daniel or a designated staff member granted administrator access to the Windows Server 2003 R2 located in the server room at the NLEN facility. User names will be created in Active Directory on Windows Server 2003 R2 following the instructions at the following link: www.sharepointgenius.com/create-user-windows-server/.
Creating a New User:
1. Click Start, select Administrative Tools and click Computer Management.
2. In Computer Management, click Local Users and Groups.
3. Double-click the Users folder.
4. Right-click in the users list and click New User.
5. Fill in the information for the new user and click Create. You can create another user; click Close when you are done creating users.
   • Check "User must change password at next logon".
   • Passwords will be set to expire every 2 months. Access will be revoked when a staff member is no longer employed or a volunteer is no longer assisting NLEN.
6. You should now see your newly created user accounts. By default, new user accounts are given limited access permissions.
The NLEN administrator may assign privileges to each username once it has been created, to allow proper access. Assigning privileges will ensure that volunteers are only able to access the information NLEN allows them to access when assisting a client. Clients will also be limited to the information they need, such as resume-building skills, employment, and credit information; they will not be able to access anything not related to the program within NLEN. In accordance with http://www.sharepointgenius.com/grant-local-administrator-permissions#local-properties, the following instructions will assist NLEN in assigning user privileges to each username created for volunteers and clients:
Assigning User Privileges
1. Click Start, select Administrative Tools and click Computer Management.
2. In Computer Management, click Local Users and Groups.
3. In Local Users and Groups, navigate to the user you wish to grant local administrator permission.
4. Right-click the user and click Properties.
5. Click the Member Of tab.
6. In the Member Of tab, click Add.
7. In Select Groups, type in the group that employees and volunteers are assigned to and click Check Names. Click OK when you are done. Click OK again to save the changes.

The recommended safeguards can be tested by having the user log on with the newly created username and password. Once logged in, the user will be required to change their password and should be able to access only the information specified for that user. Implementing this control ensures that volunteers do not have access to the shared S drive designated for staff use only, and that clients have their own personal logon. NLEN can also test the safeguard control by checking monthly which user accounts have been disabled.

Currently NLEN allows visitors to log on to the computers designated for clients and access the Internet via a client logon. There is no way to limit the access a visitor has when logging in with a client logon on a computer designated for client use. Clients routinely access resumes, employment assistance, credit, and other sensitive information. Allowing visitors to use the same logon as clients gives them access to client data if the history was not previously deleted. In order to ensure that client data is protected and visitors have access to the Internet only, NLEN can assign a username to each visitor through the Control Panel on a computer designated for client use. Creating a user account for each visitor will ensure that all client data is secure and that the visitor has their own logon with Internet access only. A designated staff member with administrator access may create user accounts for visitors by completing the following steps:
Step 1: Click the Windows button (lower left) and open the "Control Panel".
Step 2: Under "User Accounts and Family Safety", click "Add or remove user accounts".
Once the visitor's user account has been created, they will be able to log on to the computer, browse the Internet, and log off when finished.
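The account creation, privilege assignment, and visitor account steps above can also be scripted so every volunteer, client, and visitor gets an individual account with the same settings each time. The following is an added example, not part of the NLEN report or the sharepointgenius instructions; it uses the ADSI WinNT provider so it runs on Windows Server 2003 R2 as well as newer versions, and the group names, account names, and initial passwords are assumptions.

```powershell
# Added example (not from the NLEN report): individual local accounts for
# volunteers, clients and visitors, created with the ADSI WinNT provider so
# the script runs on Windows Server 2003 R2 and later. Run as an administrator.
# Group names, account names and initial passwords below are assumptions.

$Computer = [ADSI]"WinNT://$env:COMPUTERNAME"

# Role -> local group. Hypothetical group names; create them in Local Users and
# Groups first, with share/NTFS permissions that exclude the staff-only S drive.
$RoleGroups = @{
    Volunteer = 'NLEN-Volunteers'   # assists clients, no S drive access
    Client    = 'NLEN-Clients'      # resumes, job applications, credit information
    Visitor   = 'NLEN-Visitors'     # Internet use only
}

function New-NlenAccount {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][ValidateSet('Volunteer','Client','Visitor')][string]$Role,
        [Parameter(Mandatory=$true)][string]$InitialPassword
    )
    $user = $Computer.Create('User', $Name)
    $user.SetPassword($InitialPassword)
    $user.Put('Description', "NLEN $Role account")
    $user.SetInfo()
    # Same effect as ticking "User must change password at next logon".
    $user.PasswordExpired = 1
    $user.SetInfo()
    # Membership in the role group only, so no staff rights are inherited.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$($RoleGroups[$Role]),group"
    $group.Add($user.Path)
    return $user.Path
}

function Disable-NlenAccount {
    # Revoke access when a staff member leaves or a volunteer stops assisting NLEN.
    # The account is kept (disabled) so its audit trail stays attributable.
    param([Parameter(Mandatory=$true)][string]$Name)
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.psbase.InvokeSet('AccountDisabled', $true)
    $user.SetInfo()
}

function Get-NlenDisabledAccount {
    # Monthly check from the test plan: list the local accounts that are disabled.
    $ADS_UF_ACCOUNTDISABLE = 2
    $Computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        Where-Object { ($_.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE) -ne 0 } |
        ForEach-Object { $_.Name }
}

# "Expire every 2 months", approximated as a 60-day maximum password age in the
# local account policy (assumption about how NLEN wants this enforced).
net accounts /maxpwage:60 | Out-Null

# Usage with constructed names and throwaway initial passwords:
New-NlenAccount -Name 'vol.jdoe'  -Role Volunteer -InitialPassword 'Change-Me-2014!'
New-NlenAccount -Name 'client042' -Role Client    -InitialPassword 'Change-Me-2014!'
New-NlenAccount -Name 'visitor01' -Role Visitor   -InitialPassword 'Welcome-2014!'
Disable-NlenAccount -Name 'vol.jdoe'
Get-NlenDisabledAccount
```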
Record Files

Paper files are stored in storage boxes throughout the NLEN facility. The files contain data for current and past clients. The storage boxes are not secured, and anyone may access the paper files stored in them. Currently there is no way to track who is accessing the files, how many boxes exist, or where they are. In order to ensure that the files are secured and access is limited to those who are authorized, we recommend sealing the storage boxes with tape. In addition to sealing the boxes, create a log to better manage the client files taken from the boxes. For accurate tracking, each employee will be required to sign in, indicate the date the files are accessed and when the files are put back into the box, and sign out. The safeguard control can be tested by keeping a record of who has access to the information each storage box contains; sealing the boxes ensures that only authorized staff can open them once sealed.
Server Equipment

Network monitoring every few months will be useful in finding network breaches and giving time to assess the situation and implement a resolution. Check for anomalies and discrepancies while monitoring the data. Check log files, and look for network access at irregular times.
Step 1: open Command Prompt.
Step 2: run the command sfc /scannow

As you can see, no violations were found. This is a simple method of checking.
• Check whether there were huge data transfers.
• Check for illegal network access (those accessing the network without permission). These controls should be carried out bi-weekly by a network administrator.
• Any discrepancy in the network should be logged, reported, and resolved in a reasonable amount of time.
• The NTG vendor should always be aware of the network status and advise NLEN of the status daily; communication is key.
• One test control is running the command above. The command has more options you can use (ask the NTG vendor for assistance).

Some measures that should be put in place on the network concern password changes. Focus on the important parts of the network such as the firewall, router, and the server itself.
• Routinely change passwords on the network.
• Passwords should be shared on a need-to-know basis and entered by administrators.
• Passwords should be strong: at least one capital letter, one number, and one special character, with a minimum length of 8 characters.
• Advise staff not to share the Wi-Fi password.

The server room should be visited at various times throughout the day to ensure the server equipment is all present and undisturbed. Since cameras are currently not cost effective for NLEN, designated staff members should check routinely each day until cameras can be installed.
• Whenever possible have the network administrator check the equipment and advise what to look for. If anything appears missing or disturbed, the network administrator should be contacted immediately.
• Equipment should be checked twice a day, preferably upon opening and closing of the facility.
• Checks should be logged and signed by the staff member conducting the check.
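The log review the steps above ask for (access at irregular times, huge transfers, access without permission) can be made repeatable. The following is an added example, not part of the NLEN report: it runs those three checks over a few constructed log lines, and the log format, business hours, and transfer threshold are all assumptions to be adjusted to NLEN's actual logs.

```powershell
# Added example (not from the NLEN report): flags the conditions the bi-weekly
# review looks for in constructed network access log lines. The line format
# (date time user source-ip action bytes), the business hours and the transfer
# threshold are assumptions.

$BusinessHours      = 8..18     # 08:00 to 18:59 local time, assumption
$LargeTransferBytes = 500MB     # anything at or above this is "huge", assumption

# Constructed sample log lines (not real NLEN data).
$SampleLog = @'
2014-05-20 09:12:33 jsmith     192.168.1.24 LOGON        0
2014-05-20 13:47:10 jsmith     192.168.1.24 COPY         1048576
2014-05-21 02:15:48 volunteer3 192.168.1.40 LOGON        0
2014-05-21 02:20:02 volunteer3 192.168.1.40 COPY         734003200
2014-05-21 10:05:00 unknown    10.0.0.9     LOGON_FAILED 0
'@

function Get-LogFinding {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrEmpty($line.Trim())) { continue }
        $f      = $line.Trim() -split '\s+'
        $when   = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
        $user   = $f[2]; $source = $f[3]; $action = $f[4]
        $bytes  = [long]$f[5]
        $reasons = @()
        if ($BusinessHours -notcontains $when.Hour) { $reasons += 'activity outside business hours' }
        if ($bytes -ge $LargeTransferBytes)         { $reasons += "large transfer ($bytes bytes)" }
        if ($action -eq 'LOGON_FAILED')             { $reasons += 'logon attempt without valid credentials' }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Time = $when; User = $user; Source = $source; Action = $action
                Reason = ($reasons -join '; ')
            }
        }
    }
}

$findings = Get-LogFinding -Lines ($SampleLog -split "`r?`n")
$findings | Format-Table Time, User, Source, Action, Reason -AutoSize
# Keep a record of discrepancies for follow-up and for reporting to the NTG vendor.
$findings | Export-Csv -Path "$env:TEMP\nlen-network-findings.csv" -NoTypeInformation
```

With the sample lines, the two 02:xx entries by volunteer3 and the failed logon from the unknown account are reported; the two daytime entries by jsmith are not.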
Copier Machine

NLEN currently keeps sensitive data: social security numbers, credit reports, account numbers, health records, and business secrets. Protecting it is good practice and good business sense, and may also be required by law. According to the Federal Trade Commission (FTC), the national consumer protection agency, information security plans should cover the digital copiers within a facility. If the data on the copier gets into the wrong hands, it could lead to fraud and identity theft.

Commercial copiers have come a long way. Today's generation of networked multifunction devices, known as "digital copiers", are "smart" machines used to copy, print, scan, fax, and email documents. Digital copiers require hard disk drives to manage incoming jobs and workloads and to increase the speed of production, although not every copier on the market is digital. Generally, copiers intended for business have hard drives, while copiers intended for personal or home office use do not. The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes, or emails. If proper steps are not taken to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed. Digital copiers store different types of information in different ways. For example, photocopied images are more difficult to access directly from the hard drive than documents that are faxed, scanned, or printed on the copier. Copiers are often leased, returned, and then leased again or sold. It is important to know how to secure data that may be retained on a copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own. It is wise to include data security at each stage of the digital copier life cycle: when you plan to acquire a device, when you buy or lease, while you use it, and when you turn it in or dispose of it.

Before you acquire a copier, consider the following tips. Make sure it is included in NLEN's information security policies. Copiers should be managed and maintained by the NLEN vendor or a designated staff member.

When buying or leasing a copier, consider the following tips. Evaluate your options for securing the data on the device. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting. Encryption is the scrambling of data using a secret code so that it can be read only by particular software. Digital copiers that offer encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine. Overwriting, also known as file wiping or shredding, changes the values of the bits on the disk that make up a file by overwriting the existing data with random characters. By overwriting the disk space the file occupied, the traces are removed and the files cannot be reconstructed as easily. This feature is the one most commonly used on copiers. Depending on the copier, the overwriting feature may allow a user to overwrite after every job, periodically to clean out the memory, or on a preset schedule. The administrator may be able to set the number of times data is overwritten; generally, the more times the data is overwritten, the
safer it is from being retrieved. However, for speed and convenience, some printers let you save documents (for example, a leave slip) and print them straight from the printer hard drive without having to retrieve the file from your computer. For copiers that offer this feature, the saved documents are not overwritten with the rest of the memory. Users should be aware that these documents are still available. Overwriting is different from deleting or reformatting. Deleting data or reformatting the hard drive does not actually alter or remove the data; it only alters how the hard drive finds the data and combines it into files. The data remains and may be recovered through a variety of utility programs. Yet another layer of security involves the ability to lock the hard drive with a passcode; this means the data is protected even if the drive is removed from the machine. Finally, think ahead to how you will dispose of the data that accumulates on the copier over time. Check that your lease contract or purchase agreement states that your company will retain ownership of all hard drives at end of life, or that the company providing the copier will overwrite the hard drive.

While you use the copier, take advantage of all its security features. Securely overwrite the entire hard drive at least once a month. If the current copier does not have security features, consider how you will integrate the next copier you lease or purchase into NLEN's information security plans. Plan now for how you will dispose of the copier securely. For example, you may want to place a sticker or placard on the machine that states "Warning: this copier uses a hard drive that must be physically destroyed before turn-in or disposal." This will inform users of the security issue and remind them of the appropriate procedures when the machine reaches the end of its usable life.

At the end of the copier's service, we recommend the following tips. Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate a lower cost if you are leasing or buying a new machine. One cautionary note about removing a hard drive from a digital copier on your own: hard drives in digital copiers often include required firmware that enables the device to operate. Removing and destroying the hard drive without being able to replace the firmware can render the machine inoperable, which may present problems if you lease the device. Also, hard drives are not always easy to find, and some devices may have more than one. Generally, it is advisable to work with skilled technicians rather than remove the hard drive on your own.
Reference: http://www.business.ftc.gov/documents/bus43-copier-data-security

Protecting Sensitive Information: Your Legal Responsibility
The FTC's standard for information security recognizes that businesses have a variety of needs and emphasizes flexibility: companies must maintain reasonable procedures to protect sensitive information. Whether your security practices are reasonable depends on the nature and size of your business, the types of information you have, the security tools available to you based on your resources, and the risks you are likely to face. Depending on the information your business stores, transmits, or receives, you may also have more specific compliance obligations. For example, if you receive consumer information, like credit reports or employee background screens, you may be required to follow the Disposal Rule, which requires a company to properly dispose of any such information stored on its digital copier, just as it would properly dispose of paper information or information stored on computers. Similarly, financial institutions may be required to follow the Gramm-Leach-Bliley Safeguards Rule, which requires a security plan to protect the confidentiality and integrity of personal consumer information, including information stored on digital copiers.
Inventory

A Small Property Inventory (SPI) is an inventory of all office equipment maintained throughout the NLEN facility that connects to the NLEN network. Currently no equipment inventory is maintained at the NLEN facility. Maintaining an inventory of network equipment serves several purposes; one is to create a ledger documenting all the network equipment held and its location. The inventory should be gathered by department and room number. This information will be a resource for department heads in determining what equipment to replace or upgrade when the need arises. A primary function of the SPI is to identify equipment by machine name and Media Access Control (MAC) address, which will aid the Network Administrator with updates and troubleshooting when necessary. The SPI will follow the example on the next page. Each staff member will sign as the responsible user, acting as custodian of the equipment they use. Once staff have signed for custody of the equipment, each Department Head or Manager will sign for all staff members under their management. All inventory sheets will be maintained by designated staff member(s). When staffing increases or decreases, the SPI should reflect the change. When equipment is added or removed, again the SPI should reflect the change. The SPI is only useful if it is maintained. If there are no changes in staff or equipment, the SPI should be verified once annually.

To be specific, the equipment to which this inventory applies is:
• Computers
• Laptops
• Printers
• Scanners
• Cardholders (credit card readers)
• Routers (access points)
• Modems
• Servers
• Software
This does not exclude any additional equipment NLEN may purchase in the future that is not listed above and that connects to the network.

Every room that contains network equipment should have an inventory sheet completed, indicated by the room number or title at the top. The inventory can be completed by any responsible staff member, with the exception of the machine name and MAC address. The machine name is a unique name given by the administrator that identifies the machine by department and/or location, and it may not be accessible without administrator access. The MAC address is a unique number assigned to the device when it is manufactured and may not be printed on the outside of the device. In that case administrator access to the device is required to obtain the machine name and MAC address. Since the machine name and MAC address are the only fields that staff cannot fill in, we recommend completing all other fields on the inventory sheet and leaving those two blank for completion by an administrator.
Once the inventory sheets are completed, they should be made available to the designated staff member with administrator access or to the NTG vendor on the next site visit for completion.

Instructions for Completing the Inventory Sheet
Room - list the room number, or the room title if no number is given.
Item - list the kind of device, for example computer or printer.
Manufacture - list the manufacturer that designed or made the device, for example HP or Dell.
Model - list the model of the device, for example OfficeJet Pro 5500. If not labeled in plain sight, this information can be found on the underside of the device. If no model is listed, write "none" in the column.
Machine Name - the unique name given to the device by the administrator for identification on the server.
Serial Number/MAC Address - the serial number can usually be found on the bottom of the device. The MAC address is the unique identification for the device. Both the serial number and the MAC address can be found inside the operating system of the device; to obtain them this way you must have local administrator access. If you do not have local administrator access, leave this field blank. Once the inventory sheets are completed, less the machine name and MAC address, we recommend that the designated staff member(s) with administrator access or the NTG vendor complete the MAC address field.
User - the primary staff member who uses the equipment. For shared equipment such as a printer or scanner, we recommend the senior staff member in the room sign as User.
Date Issued - list the current date of completing the inventory for existing devices.

When staff are added to or removed from a room, a new inventory is required. When network equipment is added to or removed from a room, a new inventory is required. If there are no changes to network equipment or staff, the inventory should be conducted at least once a year. Periodic spot checks of the inventory should be conducted by managers/supervisors to ensure this safeguard control is in use and network equipment is properly accounted for and secure within the NLEN facility.
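The two fields that need administrator access (machine name and MAC address, plus the serial number when it is read from the operating system) can be collected from the device itself by the designated staff member or the NTG vendor. The following is an added example, not part of the NLEN report: it reads those values through WMI and appends one row in the inventory sheet's column order to a CSV file; the room, user, and file path are assumptions supplied by the person completing the sheet.

```powershell
# Added example (not from the NLEN report): fills the inventory sheet fields
# that require administrator access (machine name, serial number, MAC address)
# from the device via WMI and appends a row in the sheet's column order.
# Room, User, Item and the CSV path are assumptions/inputs.

function Get-NlenInventoryRow {
    param(
        [Parameter(Mandatory=$true)][string]$Room,
        [Parameter(Mandatory=$true)][string]$User,
        [string]$Item = 'Computer'
    )
    $cs   = Get-WmiObject -Class Win32_ComputerSystem   # manufacturer, model, name
    $bios = Get-WmiObject -Class Win32_BIOS             # serial number
    # Only adapters with IP enabled, i.e. the ones actually on the NLEN network;
    # a device can have more than one, so they are joined with ';'.
    $macs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            ForEach-Object { $_.MACAddress }
    New-Object PSObject -Property @{
        Room         = $Room
        Item         = $Item
        Manufacture  = $cs.Manufacturer
        Model        = $cs.Model
        MachineName  = $cs.Name
        SerialNumber = $bios.SerialNumber
        MacAddress   = ($macs -join ';')
        User         = $User
        DateIssued   = (Get-Date -Format 'yyyy-MM-dd')
    }
}

function Add-NlenInventoryRow {
    param([Parameter(Mandatory=$true)]$Row, [string]$Path = 'C:\NLEN\SPI\inventory.csv')
    $columns = 'Room','Item','Manufacture','Model','MachineName','SerialNumber','MacAddress','User','DateIssued'
    $lines = $Row | Select-Object $columns | ConvertTo-Csv -NoTypeInformation
    if (-not (Test-Path $Path)) { $lines[0] | Set-Content -Path $Path }   # header once
    $lines[1] | Add-Content -Path $Path                                    # data row
}

# Usage (constructed room and user):
$row = Get-NlenInventoryRow -Room 'Room 12' -User 'J. Doe'
$row | Format-List
Add-NlenInventoryRow -Row $row
```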
Room ________________________________________________________________________

ITEM | MANUFACTURE | MODEL | MACHINE NAME | SERIAL# | MAC ADDR | USER | DATE ISSUED

Signature of Supervisor/Manager: _________________________________________________
Date Signed: __________________________________________________________________

Example of small property inventory log
Temporary Use of Equipment

Equipment that is loaned out for temporary use should be properly accounted for with a custody form such as the example found on the next page. This form should be used for all network equipment issued for temporary use outside of the NLEN facility. Currently the equipment being issued for temporary use is laptop computers. The computers used by staff, clients, and/or volunteers may contain sensitive data. To prevent unauthorized access to others' sensitive data, all data should be removed/erased after each return from temporary issue and prior to reissue to another staff member. Once returned to the inventory, the laptop should be made available to the NTG vendor for re-imaging of the hard drive on the next site visit. Weekly spot checks should be conducted by designated staff to ensure accountability and allow immediate detection of loss of control of temporarily issued equipment. They should consult with users who have temporary custody and ensure they still have the device within their control. Monthly checks should be conducted by the designated Department Head to ensure the safeguard measures for this control are maintained. These frequent periodic checks will quickly identify loss of control of a device, which will enable rapid measures to recover it.
Temporary Issue of Equipment

The equipment listed below is issued to ________________________________ for temporary use. I understand that while the equipment is in my custody I will take responsibility for the equipment until it has been returned to NLEN property control.

Equipment: ___________________________________________________________________
Model Number: _______________________________________________________________
Serial Number: ________________________________________________________________
MAC Address: ________________________________________________________________
Plug/Adapter: _________________________________________________________________
Case: ________________________________________________________________________
Mouse: _______________________________________________________________________
Any additional equipment not listed above: _________________________________________
______________________________________________________________________________

The above equipment is issued for temporary use and found to be in good working order, with the following discrepancies listed below. If no discrepancies are noted, state "no discrepancies noted".
______________________________________________________________________________
______________________________________________________________________________

Signature/Date of individual taking custody: _________________________________________
Signature/Date of authorizing Supervisor/Manager: ___________________________________
Re-imaged date/signature: _______________________________________________________

Example of temporary custody form
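The custody form captures who has a laptop and when it was re-imaged, and the preceding section asks for a weekly spot check of everything still out and a re-image before any reissue. The script below is an added example, not part of the NLEN report, that turns a set of completed custody forms into the list a designated staff member would work from: devices to confirm with their current holder, devices out longer than a threshold, returned devices waiting for the NTG vendor, and any device handed to a new user without a re-image in between. The 30-day threshold is an assumption (the report sets no number) and the log entries are constructed.

```python
from datetime import date

# Assumed threshold for a loan that has been out "too long"; the report fixes no number,
# so 30 days is a placeholder to raise at the weekly spot check.
MAX_LOAN_DAYS = 30
TODAY = date(2014, 5, 30)          # date the spot check is run (fixed for the sample)


def custody_record(serial, issued_to, issued, returned=None, reimaged=None):
    """One custody form: who has the device, when it went out and came back, and when
    the NTG vendor re-imaged it (None = not yet)."""
    return {"serial": serial, "issued_to": issued_to, "issued": issued,
            "returned": returned, "reimaged": reimaged}


# Constructed sample log, deliberately not in date order.
SAMPLE_LOG = [
    custody_record("LT001", "C. Davis", date(2014, 4, 1)),
    custody_record("LT002", "G. Hill", date(2014, 5, 12), returned=date(2014, 5, 20)),
    custody_record("LT001", "A. Brown", date(2014, 3, 1), returned=date(2014, 3, 15),
                   reimaged=date(2014, 3, 20)),
    custody_record("LT002", "E. Flores", date(2014, 5, 1), returned=date(2014, 5, 10)),
    custody_record("LT003", "I. Khan", date(2014, 5, 27)),
]


def custody_findings(log, today):
    """Group the custody forms by device and apply the temporary-use rules.

    confirm_with_user: devices currently out, to be confirmed at the weekly spot check.
    overdue: devices out longer than MAX_LOAN_DAYS.
    awaiting_reimage: devices returned but not yet re-imaged (list for the NTG vendor).
    reissued_without_reimage: a device went to the next user before its drive was re-imaged.
    """
    findings = {"confirm_with_user": [], "overdue": [],
                "awaiting_reimage": [], "reissued_without_reimage": []}
    by_serial = {}
    for rec in log:
        by_serial.setdefault(rec["serial"], []).append(rec)
    for serial, recs in by_serial.items():
        recs.sort(key=lambda r: r["issued"])
        for i, rec in enumerate(recs):
            nxt = recs[i + 1] if i + 1 < len(recs) else None
            # Policy: data is erased and the drive re-imaged between one user and the next.
            if nxt is not None and (rec["reimaged"] is None or rec["reimaged"] > nxt["issued"]):
                findings["reissued_without_reimage"].append(
                    (serial, rec["issued_to"], nxt["issued_to"]))
            if rec["returned"] is None:
                days_out = (today - rec["issued"]).days
                findings["confirm_with_user"].append((serial, rec["issued_to"]))
                if days_out > MAX_LOAN_DAYS:
                    findings["overdue"].append((serial, rec["issued_to"], days_out))
            elif nxt is None and rec["reimaged"] is None:
                findings["awaiting_reimage"].append((serial, rec["returned"].isoformat()))
    return findings


if __name__ == "__main__":
    for kind, items in custody_findings(SAMPLE_LOG, TODAY).items():
        print(f"{kind}: {items}")
```

On the sample, LT001 is with C. Davis and has been out 59 days, LT003 went out three days ago and only needs confirming, LT002 has come back from G. Hill and is waiting for re-imaging, and LT002's earlier loan to E. Flores was followed by a reissue with no re-image recorded, which is the policy breach the section warns about.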
Training

Training: Log Off - this safeguard was highly recommended for implementation due to the risk of unauthorized access to staff computers. Providing methods of logging off staff computers lowers the rate of unauthorized access, identity/role theft, and unauthorized changes to client and employee information/accounts, and prevents the threat of implanting bugs, viruses, or any other malicious software on the computer. (Please refer to the Training PowerPoint titled Security Awareness.)

a. Test Plan for Log Off Desktop Icon: if a Log Off icon is created on the desktop of the computers, a simple test of whether clients, volunteers, or visitors are using this function is to observe a number of employees (for this example, 10) and count how many use the "Log Off" function. If the result is 7/10 (70%), this is considered good practice.

b. Test Plan for Auto Time Interval Log Off: when clients, volunteers, or visitors leave the work site, you can test how long it takes for a computer/laptop to naturally go into "sleep" mode. This naturally logs off the computer/laptop after a set time limit, so one can simply check whether the device logs off after the given period of time.

c. Test Plan for Manual Log Off: similar observations can be made as for the "Log Off Desktop Icon"; one can run a simple test of whether clients, volunteers, or visitors are manually logging off their devices when they leave their workstation or work site. If the result is 7/10 (70%), this is considered good practice.

Training: Encryption - sensitive client information such as work history, social security number, address, family ties, and other sensitive data is being transferred off-site daily along with other NLEN documents that may be considered valuable information. Many employees may continue this work off-site on a personal computer. To counteract this unsafe practice, we recommend use of a program called AxCrypt, which encrypts files to ensure that work is being done securely off-site. (Please refer to the Training PowerPoint titled Security Awareness.)

Test Plan: given that each client and volunteer has read over the Training PowerPoint, a poll can be taken to see whether this method is considered easy to learn and use, along with a comment section voicing any of their concerns in terms of learning how to encrypt/decrypt sensitive files. (Please refer to the Training PowerPoint titled Security Awareness.)

Disaster Recovery Plan (DRP)

Disaster Recovery Plan - was decided upon by the team for NLEN's benefit of having a plan in case of an incident outside the scope of daily operations. Currently NLEN does not have a DRP in place. This safeguard will provide two aspects: preparedness for and response to any incident that may affect NLEN.

Test Plan: The DRP should be created in advance. Each step must be taken into consideration, and the information must be updated when changes are made and at least annually. In other words, this document (in terms of contact information, equipment changes, staff changes, other back-up plans, etc.) must be updated yearly. Please refer to the NLEN Disaster Recovery Plan for further information.