Running head: GOODWILL SECURITY
Section 1 – Company Overview
Goodwill of North Georgia operates stores, donation centers and career centers, and also offers diverse employment and job training services across North Georgia. It also has another organization, Goodwill Industries of North Georgia, that specializes in managing facilities and protective services.
Goodwill of North Georgia seeks to provide employability services to unemployed people struggling to find work, people who want to change careers, and people who want to start their own businesses. With its support, people are empowered to overcome the employment challenges that come as a result of physical, emotional and developmental limitations, among other challenges. Goodwill receives donated household goods, clothes and even books, sells them in stores across North Georgia, and uses the proceeds to support its mission of employing people.
Goodwill has an integrated security infrastructure that consists of video cameras, monitored alarms, access control systems, endpoint protection for devices including mobile devices, web filtering, email protection, remote access solutions and end-user security awareness training.
Video cameras (CCTV) are installed in every corner of each room and all around the outside of the premises. They stream live feeds to the security team’s smartphones, desktops or tablets to help them keep track of everyone’s activities, including any suspicious activity in any part of the company.
The monitored alarms are used to detect and identify the specific areas of the organization that have been breached. They do this by emitting audible alerts that can be heard by anyone in the organization, especially the security personnel.
The access control systems are used to restrict entry to special areas in the organization. The company uses photo identification systems and access cards, depending on the areas or sections being accessed. The security team ensures that they are well placed and working so that employees and clients are protected.
Section 2 – Federal and State Regulations, Directives, and Acts on Security Compliance
Federal laws and regulations give industry guidelines on matters with significant security and privacy impact.
The Sarbanes-Oxley Act
It requires companies to maintain financial records for seven years. It was enacted in 2002, after the Enron and WorldCom scandals, as a preventive law. The Sarbanes-Oxley Act protects investors and the public by increasing the reliability and accuracy of corporate disclosures. The Securities and Exchange Commission is mandated to implement it by defining which records and audits businesses should keep and for how long. This act affects U.S. public company boards, management and public accounting firms, which Goodwill falls under.
This act is organized into 11 key titles: Public Company Accounting Oversight, Auditor Independence, Corporate Responsibility, Enhanced Financial Disclosures, Analyst Conflicts of Interest, Commission Resources and Authority, Studies and Reports, Corporate and Criminal Fraud Accountability, White-Collar Crime Penalty Enhancements, Corporate Tax Returns, and Corporate Fraud Accountability.
The Gramm-Leach-Bliley (GLB) Act of 1999
Also known as the Financial Modernization Act of 1999, this act sets out guidelines protecting the personal financial information that financial entities hold about consumers. It has three basic parts: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions. It covers financial institutions and organizations that provide financial products and services to consumers, such as financial advice or settlement services, as Goodwill does.
Goodwill works with job seekers, advises entrepreneurs on the best way forward and provides financial advice to its clients; therefore, knowledge of this act is critical to its operations.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS sets out the requirements needed to enhance the security of customer account data. It was developed to facilitate the consistent global adoption of data security measures. Its founders, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, form the PCI Security Standards Council. It focuses on security management policies, software design procedures and network architecture. Its requirements are geared towards reducing fraud and protecting consumer credit card information. It applies to retailers and to other companies that handle credit card data, such as credit card companies.
This applies to Goodwill because the company sells clothes through thrift shops and other avenues, and its customers may use credit cards to purchase them.
The Electronic Fund Transfer Act, Regulation E
This was enacted in 1978 to protect any consumer who engages in electronic fund transfers against fraud or errors. It establishes the rights, responsibilities and liabilities of the consumers who use EFT services and the financial institutions that offer them. These transfers include ATM transactions, direct deposits and point-of-sale transfers, among others.
The use of electronic funds transfer is inevitable for shoppers at Goodwill; therefore, the organization must exercise due diligence to protect their data.
The Children's Online Privacy Protection Act
This act addresses the online collection of data on children under the age of thirteen. The Federal Trade Commission (FTC) enforces this act and dictates the limits on collection and disclosure, the process for obtaining parental consent, and the operator’s responsibilities.
Goodwill’s services also include settlement services that may require information about children, so it must take care to ensure this act is not broken.
Identify and describe 2 State Regulations
Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
This law, implemented in 2010, seeks to protect Massachusetts residents against fraud and identity theft. It requires any institution storing personally identifiable information about a resident of the state to have a written, regularly audited plan to protect that information. Its main aim is to mitigate any risk to the security of the information.
Businesses such as Goodwill that use information about Massachusetts residents to provide services, products or employment are affected.
Nevada Personal Information Data Privacy Encryption Law NRS 603A
This law was passed to ensure, through encryption, the security of any stored consumer personal information.
Goodwill may sell its services to a Nevada resident and may need that resident’s personal data; therefore, it should adhere to this law.
Section 3 - Compliance Plan
For Goodwill, the compliance plan sets out the roles and responsibilities of different personnel in IT infrastructure security, information classification, marking and handling, security categorization of information systems, security control requirements and contingency planning, among other areas.
Describe Policies, Standards, Processes, and Guidelines
The Chief Information Officer of Goodwill is responsible for developing and maintaining the company’s information security program, and works with the systems security officer, who ensures that the operational security posture is maintained for all information systems and
Discuss the relationship between Controls and Audits
Controls refer to all the measures an organization plans in order to safeguard its assets while ensuring that information is reliable and consistent, so that it operates efficiently and effectively and complies with the applicable rules and regulations. Audits help ensure that controls are executed by assessing and evaluating all the activities in a company or
Section 4 – Acceptable Use Policy
The Goodwill Acceptable Use Policy (AUP) addresses safeguarding users’ access to its services. It describes prohibited activities, responsibilities for systems security, enforcement of the AUP, changes to the AUP, and the reporting of any breaches of it.
Goodwill uses Safe Harbor principles that ensure customers are notified of the purposes for which their data is collected and used. The company also discloses to the client whether the data it collects will be shared with a third party, and whether that third party’s purposes are the same or incompatible. Clients, especially those whose data is collected for employability purposes, have the choice of opting out of the agreement if they do not wish that their data be
The company already has mechanisms in place to respond to data breaches.
Acceptable Use Policy and Enforcement Ethics
Goodwill of North Georgia cannot guarantee that data will never be breached. It does, however, hold to two basic principles: the privacy and the protection of client data. It is therefore unethical and illegal for any of its employees to cause a breach of this data.
Section 5 – Certification and Accreditation
Goodwill of North Georgia aims to comply with the Department of Defense’s (DoD) certification process so that it applies risk management to its information systems through the DoD Information Assurance Certification and Accreditation
The company has already begun the process of obtaining this certification and is currently at the third phase, the decision-making process of certification determination and accreditation.
Goodwill holds the ISO 27002 certification and has clear guidelines for its organizational information security, including guidelines for the selection, implementation and management of controls based on its information security risk environment.
Section 6 - Preparing for Certification
The organization has already implemented commonly accepted information security controls. It has also developed its own information security management guidelines in preparation for its certification.