In this report, the end user security policy is examined, and areas where new policies or modifications would be beneficial are noted.

LAN Security/Password Policy

While the LAN Security policy section does mention some policy parameters regarding password security, certain aspects are left entirely up to the IT Officers discretion. Password policy guidelines such as the complexity, length, and frequency of use should be detailed for increased security. Many organizations follow a password standard such as NIST

Antivirus

According to the 10.1 Detailed Policy Requirements section, BYOD devices must have antivirus software, however company-owned laptops and other devices are not obliged to have antivirus software. All company-owned devices should come with antivirus software installed, and only IT administrators should be allowed to turn it off. Any software installation should be subject to prior authorization and IT administrative rights. By enabling antivirus and carefully examining software before it is loaded, end device security will be much improved.

Acceptable Use

There is no definition of acceptable use of an organization resource. Implementing firewall rules to ban specific websites and website categories that are regarded inappropriate for the workplace is a good idea. Policies that outline acceptable and undesirable workplace browsing activity should be made available to employees.

This report finds there are several critical issues with the current security policyand recommends the above actions be implemented to increase the overallsecurity of the organization.

Following these recommendations, new policies ought to be developed and included in the upcoming version of the end user information security policy.

The undersigned acknowledge they have reviewed the and agree with the approach it presents. Changes to this will be coordinated with and approved by the undersigned or their designated representatives.