Security Memo

To: Gray Lewis and Personal Trainer Staff

From: Patterson and Wilder, Consulting Firm

cc: Susan Parks, Cassia Umi

Date: October 25, 2016

Re: Security Controls

Purpose

As we begin to open the new Personal Trainer, Inc. facility and implement the new ERP system, we will implement new input and output security controls to maintain the integrity and security of company data. This will allow information collected in day-to-day business to be protected from malicious attacks and human error.

Threats

As we analyze the business industry as a whole, we have noticed that companies are being threatened by hackers and the mishandling of information. Some of the more recent business cases are:

  • Target
  • Chick-fil-A
  • JP Morgan
  • Yahoo!
  • U.S. Department of Justice

The companies above have been victims of criminal hackers or of employees mishandling important information. The stolen data consisted of customer, employee, and business-related material. In today's world, we have to make protecting all sensitive information and company data a priority in order to maintain credibility and business operations.

Input Security Controls

Input security controls are designed to check the integrity of the data being entered into the system. This refers to transaction data, customer information, employee information, and company data. There are three basic risks for business application systems:

  1. Confidentiality
  2. Integrity
  3. Availability

In order to combat the risks presented in business application systems, data validation and controls will be implemented. The data validation and controls will consist of:

  • Sequence Check
  • Limit Check
  • Range Check
  • Check Digit
  • Completeness Check
  • Duplicate Check
  • Complex passwords
  • Audit Trails
  • Audit Review and Monitoring
  • Transaction logs

The above controls and data validation will apply to all authorized employees. With correct monitoring and execution, the information entered into the application system can be verified and monitored to ensure protection against the identified business risks.
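The data validation checks listed above, worked through as an added example that is not part of this memo or of any Personal Trainer, Inc. system. The transaction record layout (seq, member_id, txn_type, amount), the per-transaction limit, the allowed transaction types, and the use of a Luhn mod-10 check digit on member IDs are all assumptions made for illustration; the sample batch is constructed so that each check rejects at least one record.

```python
"""Input validation for a batch of ERP transaction records.

Added example; the record layout, limits and check-digit scheme are assumed.
Implements the memo's sequence, limit, range, check digit, completeness and
duplicate checks and reports every failing record with the reasons.
"""

REQUIRED_FIELDS = ("seq", "member_id", "txn_type", "amount")
VALID_TXN_TYPES = {"membership", "session", "refund"}   # assumed range of allowed types
MAX_AMOUNT = 5000.00                                     # assumed per-transaction limit


def luhn_ok(number: str) -> bool:
    """Check digit: Luhn mod-10 over a string of digits (assumed scheme for member IDs)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_batch(records, first_seq=1):
    """Return {batch_index: [reason, ...]} for every record that fails a check.

    A record passing all checks is absent from the result, so an empty dict
    means the whole batch may be posted.
    """
    rejected = {}
    seen = set()
    expected = first_seq
    for idx, rec in enumerate(records):
        errs = []

        # Completeness check: every mandatory field present and non-empty.
        for f in REQUIRED_FIELDS:
            if rec.get(f) in (None, ""):
                errs.append(f"missing {f}")

        # Sequence check: batch numbers must be contiguous with no gaps.
        seq = rec.get("seq")
        if seq != expected:
            errs.append(f"sequence: expected {expected}, got {seq}")
        expected = (seq + 1) if isinstance(seq, int) else (expected + 1)

        # Duplicate check: same member, type and amount already in this batch.
        key = (rec.get("member_id"), rec.get("txn_type"), rec.get("amount"))
        if key in seen:
            errs.append("duplicate")
        seen.add(key)

        # Range check: transaction type must be one of the allowed values.
        ttype = rec.get("txn_type")
        if ttype and ttype not in VALID_TXN_TYPES:
            errs.append(f"range: unknown txn_type {ttype!r}")

        # Limit check: amount must lie within 0..MAX_AMOUNT (sign convention assumed).
        amount = rec.get("amount")
        if amount is not None and not 0 <= amount <= MAX_AMOUNT:
            errs.append(f"limit: {amount} outside 0..{MAX_AMOUNT}")

        # Check digit: member_id must carry a valid Luhn digit.
        mid = rec.get("member_id")
        if mid and not luhn_ok(mid):
            errs.append("check digit: invalid member_id")

        if errs:
            rejected[idx] = errs
    return rejected


# Constructed sample batch: record 0 is clean, the rest each trip a check.
SAMPLE_BATCH = [
    {"seq": 1, "member_id": "79927398713", "txn_type": "session", "amount": 60.00},
    {"seq": 2, "member_id": "79927398710", "txn_type": "session", "amount": 60.00},  # bad check digit
    {"seq": 3, "member_id": "79927398713", "txn_type": "session", "amount": 60.00},  # duplicate of record 0
    {"seq": 5, "member_id": "79927398713", "txn_type": "upgrade", "amount": 9000.00},  # gap, type, limit
    {"seq": 6, "member_id": "", "txn_type": "refund", "amount": None},                # incomplete
]


def run_sample():
    """Validate the constructed batch; used by the usage call below."""
    return validate_batch(SAMPLE_BATCH)


if __name__ == "__main__":
    for idx, reasons in sorted(run_sample().items()):
        print(f"record {idx} rejected: {'; '.join(reasons)}")
```

Rejected records are reported rather than silently dropped so that the audit trail and transaction log controls from the same list have something to record; in practice the batch index, the reasons and the operator ID would be written to the log before the clean records are posted.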

Output Security Controls

Output security controls address the hardcopies of data after it has been processed. Reports, customer checks, vendor payments, and customer information are examples of hardcopies of processed data. To limit the use of paper documents, there will be diskless workstations, which will limit the printing and copying of data. However, in certain instances hardcopies are unavoidable. To ensure those documents will be secure we will apply:

  • All reports will be numbered and reconciled with the input data, such as date and report number.
  • All checks will be numbered and reconciled with the bank and the accounting documents.
  • Port authorization on the workstations.
  • Separation of duties when handling check payments, deposits, and reconciliations.
  • All paper copies of customer information will be entered into the application system and then shredded.
  • Company monitoring and walk-throughs

With all paper documents, there will be verification against the inputs in the application system. The outputs and inputs should match in all cases. Important documents will reside in a locked secure area with a reconciliation process at the end of each month. The output controls will protect the data that is processed and printed when needed.
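The reconciliation described above, as an added example that is not part of this memo or of any Personal Trainer, Inc. system: the numbered check register (the printed output) is compared against the approved vendor payments in the application system (the input side) and against the bank statement. The three data sets, their field names and the check numbers are constructed for illustration, and each is seeded with one discrepancy the reconciliation should surface.

```python
"""Month-end reconciliation of printed checks against approved payments and the bank.

Added example; data shapes and the sample records are assumed/constructed.
Reports gaps in the numbered check stock, checks printed without an approved
payment, printed details that differ from what was approved, approved payments
that were never printed, and bank-cleared items that are not in the register.
"""

# Constructed: what the output log says was printed this month.
CHECK_REGISTER = [
    {"check_no": 1001, "vendor": "Acme Gym Supply", "amount": 1250.00},
    {"check_no": 1002, "vendor": "City Utilities", "amount": 430.10},
    {"check_no": 1004, "vendor": "Fresh Towels LLC", "amount": 75.00},   # no approval on file
    {"check_no": 1005, "vendor": "Fresh Towels LLC", "amount": 750.00},  # approved amount was 75.00
]

# Constructed: payments approved in the application system (input side).
APPROVED_PAYMENTS = [
    {"check_no": 1001, "vendor": "Acme Gym Supply", "amount": 1250.00},
    {"check_no": 1002, "vendor": "City Utilities", "amount": 430.10},
    {"check_no": 1003, "vendor": "Printer Ink Co", "amount": 89.99},    # approved, never printed
    {"check_no": 1005, "vendor": "Fresh Towels LLC", "amount": 75.00},
]

# Constructed: items that cleared on the bank statement.
BANK_CLEARED = [
    {"check_no": 1001, "amount": 1250.00},
    {"check_no": 1005, "amount": 750.00},
    {"check_no": 1009, "amount": 2000.00},  # cleared, but never printed or approved
]


def same_amount(a, b):
    """Compare currency values to the cent without relying on float equality."""
    return abs(a - b) < 0.005


def reconcile(register, approved, bank):
    """Return a sorted list of (finding, check_no) tuples; empty means fully reconciled."""
    reg = {r["check_no"]: r for r in register}
    app = {a["check_no"]: a for a in approved}
    bnk = {b["check_no"]: b for b in bank}
    findings = []

    # Sequence check on the printed stock: any unused number between printed ones
    # is a check form whose whereabouts must be explained.
    nums = sorted(reg)
    for lo, hi in zip(nums, nums[1:]):
        for missing in range(lo + 1, hi):
            findings.append(("gap_in_check_sequence", missing))

    # Output vs. input: every printed check needs a matching approved payment.
    for n, r in reg.items():
        if n not in app:
            findings.append(("printed_without_approval", n))
        elif r["vendor"] != app[n]["vendor"] or not same_amount(r["amount"], app[n]["amount"]):
            findings.append(("printed_differs_from_approved", n))

    # Input vs. output: approved payments that never reached the printer.
    for n in app:
        if n not in reg:
            findings.append(("approved_not_printed", n))

    # Bank vs. output: anything the bank paid must exist in the register at the same amount.
    for n, b in bnk.items():
        if n not in reg:
            findings.append(("cleared_not_in_register", n))
        elif not same_amount(b["amount"], reg[n]["amount"]):
            findings.append(("cleared_amount_mismatch", n))

    return sorted(findings)


if __name__ == "__main__":
    for finding, check_no in reconcile(CHECK_REGISTER, APPROVED_PAYMENTS, BANK_CLEARED):
        print(f"{finding}: check {check_no}")
```

To respect the separation-of-duties bullet, the person running this reconciliation should be neither the one who approves payments nor the one who prints checks; the findings list, with its month and the reviewer's name, is the document that goes into the locked area at month end.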

Policies

Each employee will be expected to follow the above controls. If an employee fails to follow the intended controls, then disciplinary actions will take place. An employee should not share any company information with outside sources. The information obtained by the company is the property of the company. If the company shares any customer information or employee information without the correct consent from the parties, then legal actions will take place.

Summary

With the increased threats from outside sources, the company must have the correct controls and security in place to prevent any discrepancy. The controls and security provided in this memo can be expanded or changed as business operations continue. With controls and security in place, the business can run at a high level without major disruptions.