Drexel antivirus software

I need help with edit my paper based on my professor's recommendation. The instruction said must be based on facts you discovered in analyzing the policy against respective framework. I need to add a two page analysis section on my paper compare to the sample one. I've attached the example and please write a similar analysis part on my paper. The first attachment is the example and the second one is my paper.Villanova University’s Employee Acceptable Use Policy Team E: Matthew J. Dampf, Felice Walden, Natalie Dorely, Xinyi Mao Executive Summary The policy being audited is Villanova University’s Employee Acceptable Use Policy for their computing environment. We will evaluate the policy based on a risk assessment where we will identify risk to the university, find vulnerabilities that can be exploited, explore root causes and determine some corrective actions that can be taken to mitigate these risks wherever possible. The acceptable use policy governs employee use of technology and does a good job addressing certain high risk areas. It prevents employee sharing of passwords, addresses behavior such as bullying and hate speech and forbids the use of university resources for personal financial gain. Some risk areas are addressed, though inadequately. The policy requires the use and updating of antivirus software, but leaves the updating to the end user. In addition, the policy requires that non-OS software is patched to secure versions, but it leaves the installation and updating to end users. Such policy put into action would require end users to have full administrator access to their PCs. This creates several high risk scenarios that we’ll explore deeper in this report along with controls that can be put into place to mitigate the risk. Other risk areas are not addressed at all. It is common for other universities to include language in their acceptable use policies addressing the ability of one user to cause network performance issues or to sniff traffic, which could cause a loss of confidentiality of data. Villanova’s policy does not address either of these scenarios. It also does not include language forbidding employees to attempt to bypass other controls that are in place. These should be included in future revisions to this policy. The policy was approved by the VP & CIO in November of 2015 along with the University Council for Information Technology. It is currently at version 1.0. It’s not clear what the update and reapproval schedule is, but it is clear that Villanova is already falling behind in this area. Background Villanova University is an institute of higher learning just outside Philadelphia with roughly 11,000 students, 600 faculty and about 2000 administrative staff. Those 2,000 administrative staff are the people who are subject to the policy. This is an important policy to audit because these employees have access to highly confidential personal data, some of which is subjected to FERPA compliance laws. Analysis The policy consists of 11 main points. Most of those points are written in a way that sufficiently addresses the risk described in the policy. However, we did find some gaps in the policy that point to wider control gaps in their computing environment. Point 5 in the policy, says that antivirus must be installed and kept up to date, which is a standard control, but may be implemented in an ineffective way here. And point 6, specifies that while the university will update a user’s operating system, the user is responsible for updating all of their other applications. Above: partial screenshot of policy The second bullet point specifies that IT is responsible for OS patches, which is good, but it doesn’t specify this for the antivirus/anti-malware portion of the policy. This strongly implies that users are responsible for their own antivirus updates. The policy explicitly mentions that users are responsible for their own application updates. This leaves us with two major issues: 1. Having users responsible for their own updates is a control gap because many users will not perform these updates, leading to security vulnerabilities. 2. The installation and updating of applications will require users to have administrative privileges on their PCs. Users having full administrative access creates many risks. Discussion Risk Assessment Risk Rating Impact Introduction of malware onto the network High High Use of illegal/unlicensed software High High Network Insecurity High High Other controls are bypassed High High Network Performance degradation Low Low Policy becomes outdated/irrelevant Low Moderate The first one you see on the chart here is the introduction of malware onto the network. Although the policy says that antivirus must be installed and kept up to date, by leaving this responsibility up to the users this leaves the university open to the possibility that some users don’t update. With 2000 users,