In this report, the end user security policy is examined, and areas where new policies or modifications would be beneficial are noted.

LAN Security/Password Policy

While the LAN Security policy section does mention some policy parameters regarding password security, certain aspects are left entirely up to the IT Officers discretion. Password policy guidelines such as the complexity, length, and frequency of use should be detailed for increased security. Many organizations follow a password standard such as NIST

This policy is a bit of a mixed bag when it comes to passwords. It does reference basic parameters about password security such as password complexity, length and frequency of use, but the IT Officers are left entirely on their own in terms of rules regarding components (alphanumeric vs. uppercase vs. lowercase) and rules that may be followed. It's recommended that organizations follow NIST security guidelines such as those outlined in "Guidelines for Developing Security Policies."

The IT Officer in charge will be the primary contact for LAN Security and Password Policy. This can be done by either writing a policy and or delegating this responsibility to an individual or organization. It is recommended that the IT Officer(s) collect information from each employee regarding their password security practices to determine best practices for their organization.

Antivirus

According to the 10.1 Detailed Policy Requirements section, BYOD devices must have antivirus software, however company-owned laptops and other devices are not obliged to have antivirus software. All company-owned devices should come with antivirus software installed, and only IT administrators should be allowed to turn it off. Any software installation should be subject to prior authorization and IT administrative rights. By enabling antivirus and carefully examining software before it is loaded, end device security will be much improved.

Acceptable Use

There is no definition of acceptable use of an organization resource. Implementing firewall rules to ban specific websites and website categories that are regarded inappropriate for the workplace is a good idea. Policies that outline acceptable and undesirable workplace browsing activity should be made available to employees.

This report finds there are several critical issues with the current security policy and recommends the above actions be implemented to increase the overall security of the organization.

· Update LAN security policy- fundamental protections; BitLocker, RAID, Secure Active Directory through monitoring Active connections on internal and external network, leverage encryption across all applications and services, authentication measures, such as hardware tokens or multifactor authentication.

· Update Password policy- requires change every 90-180 days, make minimum of 10 characters in length, include hard-to- Guess factor.

·

Following these recommendations, new policies ought to be developed and included in the upcoming version of the end user information security policy.

· New guideline policy; for the use of operating systems, browsers and other hardware appliances. That includes 1. No sharing of passwords, PINs or other authentication information with anyone else. 2. Regular reporting of security breaches. 3. Regularly back up all of your personal data and keep it in a safe place in case the worst should happen. 4. Log security alerts and report any new risks as soon as possible

· New information security policy with specifications: new organizational requirements, such as GDPR compliance, no one may access or leave the network without permission, everyone must log in using their own computer, only authorized extensions may be added to existing accounts and all private information should be kept secure. The policy also demands that everyone in the organization, including admins and power users, know and abide by the policies detailed in this document. The benefit is that the updated policy prevents data exfiltration and unauthorized data access, while enhancing the confidentiality, integrity and availability of the existing systems.

The undersigned acknowledge they have reviewed the and agree with the approach it presents. Changes to this will be coordinated with and approved by the undersigned or their designated representatives.