Question
As a manager for Lee Incorporated 500 Corporation, you are asked to develop preventive, detective, and/or corrective controls which would best mitigate the following threats?
1. An employee's laptop was stolen at the airport. The laptop contained personally identifying information about the company's customers that could potentially be used to commit identity theft.
2. A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password.
3. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
4. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
5. A company's programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.
6. A company purchased the leading off-the-shelf e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.
7. Attackers broke into the company's information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.
8. Starting at 1:10 PM, Oct. 23, 2016, you were advised to begin monitoring and mitigating a DDoS attack against the corporation. Some customers reported increased DNS query latency and delayed zone propagation during this time.
Part II Requirements: Review the issue items above and decide whether they represent an internal control strength or weakness. Document any assumptions to support your conclusions.
1. For each internal control weakness identified, explain why it is a weakness and recommend a way or ways to correct the weakness.
6 weaknesses and 6 recommendations for each weakness