Information Security Management Assignment On Risk Supervision Of Futureplus
Question
Task:
Objectives:
This assessment task relates to the Unit Learning Outcomes 3 and 4 and can be undertaken in a group
of up to 4 members or individually. Distance students can form groups with on-campus students as well.
In this assessment task, you will analyse the scenario given on page 3 and discuss in a report as to how
you apply the principles of information security risk management as well as information security
certification and accreditation to the organisation in the given scenario.
Assessment Task: You are required to analyse and write a report on
a) guidelines for information security risk management
b) guidelines for information security certification and accreditation
You should ensure that you support your discussion with references and justify the content of your discussion.
Answer
Executive summary
This information security management assignment deals with risk in information security management. The different sources through which risk can enter an organisation are discussed. Insider threats, one of the most serious risks to information security, are discussed in detail. A management system that ensures the confidentiality and integrity of data is also highlighted. The FuturePlus charitable organisation is taken as the point of reference. Certification and accreditation processes for the management of information are introduced, and their key factors and major benefits are highlighted. All the steps suggested in the discussion can enhance the policy management of FuturePlus, which needs to establish these procedures for the all-round security of its data.
Introduction
FuturePlus, a charitable organisation, has been taken as the point of reference in this information security management assignment. Information is a valuable asset to any organisation, so it is important to protect internal controls, operations and security management in order to ensure the confidentiality and integrity of data. An increasing number of users creates a need for advancement in the information system. Unspecified individuals or unauthorised use are a threat to confidential data, and organisations face unprecedented challenges in managing information effectively. This report discusses flaws in the information security management system, with FuturePlus as the point of reference. Five interconnected theories describe the requirements of the security system: risk management, information policy, management system, control and audit, and the contact theory. Suggestions for overcoming these problems are also provided.
Alongside information security management, certification and accreditation are also very important. Certification builds confidence between stakeholders and clients and brings with it a third-party audit. Certification also covers all the security requirements of security management, and it is needed because it protects confidential data. Security policy, organisational security and personal security are important in information security management. Any organisation which secures certification is said to be ISO certified, and different factors are responsible for the successful implementation of a certification procedure. Security accreditation is another important concept in security risk management, and certification and accreditation are developing at a rapid pace. The authority in charge issues written recognition of an organisation's capability, certifying that the particular training organisation can regulate or implement activities or work processes. Certification responds to needs such as professional safety, fire safety and information security. All these factors associated with risk management can be used effectively in designing the information risk management policy of the FuturePlus charitable organisation.
Discussion
(A)
“Information security risk management” is a very important aspect of keeping data safe, and the implementation of IT security has been crucial for years. Security management evolved around 1919, and substantial progress has since been made. The security standard is now used by thousands of organisations. FuturePlus needs to understand the problem of internal threats (Ahmad et al., 2015). This discussion highlights different aspects of security threats that can help in solving organisational security-related problems.
Insider threats present a different viewpoint. These are threats initiated by employees or staff of the organisation, usually for personal advantage.
Insider threats are often used for fraud and scams, as the organisation holds sensitive data and handles an enormous amount of money.
Sometimes malicious damage is done simply to engage the organisation in unwanted chaos, without intending to cause harm at the operational, corporate or IT level.
An insider can be anybody, from the CEO to any employee. As noted in the scenario provided for this information security management assignment, FuturePlus employs both temporary and permanent staff, and it must be ensured that those staff have no personal benefits involved. Insiders include technical specialists, the administrators of these systems and any other non-specialists. In an organisation, every member of staff is a potential insider: if they are motivated to take advantage they can easily do so because they are insiders, and anyone holding a grudge over unfair treatment can cause such an incident. Studies have shown that around 35 percent of these incidents are based on insider threats (Dhillon et al., 2016).
Along with the growing problem of insider threats, the related problem of insider vulnerabilities is also rising. Policies for employee awareness must be built to deal with problems which may arise in the future. These incidents threaten the information assets of organisations, and common human error or mistakes while handling data cause these vulnerabilities. Awareness of social engineering attacks is necessary before an unsuspecting employee discloses confidential company information. Insider vulnerabilities can be caused by accidents as well as by exploitation.
The board of directors is the main authority responsible for the protection of company assets, and correct governance must be ensured inside the organisation. It is important to deploy a sound risk management process complemented by effective internal control, and stiff penalties must be imposed if they fail to accomplish these tasks (Hoffmann et al., 2016). The whole procedure involves identifying and assessing information security risk, implementing effective control measures, and making regular improvements.
Organisational Security
Information security must be an integral responsibility of all staff. From the CEO to the lowest-grade employee, everyone must be responsible for information security management. The directors of the company must set policy and direction for the management of information security, and the availability of adequate resources must be ensured while implementing it. Senior management needs to provide additional support to enforce the direction initiated by the board. If this is followed it will lead to effective implementation of information security (Kauspadiene et al., 2017). Most incidents happen because of gaps, flaws or vulnerabilities in the management framework.
Different processes for overcoming this problem have been introduced, and hence no excuse can be accepted.
Risk management by ISMS in information security management assignment
If an organisation is not aware of the risks it faces, proper implementation and effective protection can never be ensured. Assessment of risks involves the identification of assets, vulnerabilities, threats and other calculations.
Risk of exposure: the chance that an insider can exploit the vulnerabilities of the organisation's assets.
Level of risk: the product of the consequences of the impact on the organisation and the risk of exposure.
The impact can vary: financial loss, information damage, theft, damage to reputation and so on. A risk register must be created after the identification of risks; it records risks according to their severity and the estimated impact on the organisation. Decisions regarding the treatment of risks depend on this identification procedure (Miloslavskaya, 2016).
ISO/IEC 27001 suggests four possible treatment options:
- Retain the risk objectively.
- Modify the planned activity to avoid the risk.
- Transfer the risk by contracting out or through insurance.
- Reduce the risk by implementing internal controls.
FIG 1: Risk treatment option
(Source: Self-Created)
All these steps involve decision making by management to decide the best possible treatment. Management must select measures based on a comparison between the risk and the cost. As a general principle, an appropriate amount of money must be spent on information security risk management. As FuturePlus is an NGO it does not need to spend too much money on additional security (Safa et al., 2015); too much spending leads to diminishing returns after a certain point. Information security management, as discussed in this information security management assignment, is all about minimising the risks while maximising the organisation's profits. Another stage of risk management involves monitoring and reviewing the risks at regular intervals. This is necessary because changes may alter the security profile, and improvements must be made when needed.
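As an added example (not part of the assignment text), the following Python script builds a small risk register for the FuturePlus scenario: level of risk is computed as the likelihood band times the impact band, as defined above, and each risk is assigned one of the four ISO/IEC 27001 treatment options by comparing the risk against the cost of treating it. The likelihood cut-offs, the risk appetite and all monetary figures are constructed assumptions.

```python
# Added example, not from the assignment: a minimal risk register for the
# FuturePlus scenario. Level of risk = likelihood band x impact band, and the
# treatment is one of retain / modify / transfer / reduce, chosen by comparing
# expected loss against the cost of the option. All figures are constructed.
from dataclasses import dataclass
from typing import Optional

IMPACT = {"low": 1, "medium": 2, "high": 3, "severe": 4}


def likelihood_band(p: float) -> int:
    """Map an annual probability of exposure onto a 1..4 band (assumed cut-offs)."""
    if p < 0.05:
        return 1
    if p < 0.25:
        return 2
    if p < 0.60:
        return 3
    return 4


@dataclass
class Risk:
    asset: str
    threat: str
    probability: float          # annual probability the threat is realised
    impact: str                 # key of IMPACT
    loss: float                 # estimated loss if the threat is realised
    control_cost: float = 0.0   # yearly cost of the control that would reduce it
    control_effect: float = 0.0 # fraction of expected loss the control removes
    transfer_cost: Optional[float] = None  # insurance or outsourcing premium
    avoidable: bool = False     # can the planned activity be changed instead?

    def level(self) -> int:
        return likelihood_band(self.probability) * IMPACT[self.impact]

    def expected_loss(self) -> float:
        return self.probability * self.loss


def treat(risk: Risk, appetite: int = 4) -> str:
    """Pick a treatment option; 'appetite' is the level the charity accepts."""
    if risk.level() <= appetite:
        return "retain"            # low enough to accept and keep monitoring
    if risk.avoidable:
        return "modify"            # change the planned activity instead
    options = {}
    benefit = risk.expected_loss() * risk.control_effect
    if benefit > risk.control_cost:
        options["reduce"] = risk.control_cost      # the control pays for itself
    if risk.transfer_cost is not None and risk.transfer_cost < risk.expected_loss():
        options["transfer"] = risk.transfer_cost   # premium below expected loss
    if not options:
        return "retain"            # spending more would give diminishing returns
    return min(options, key=options.get)           # cheapest option that pays


def build_register(risks):
    """Risk register ordered by severity, each entry with its chosen treatment."""
    ordered = sorted(risks, key=lambda r: -r.level())
    return [(r.asset, r.threat, r.level(), treat(r)) for r in ordered]


# Constructed sample risks for FuturePlus (hypothetical figures).
SAMPLE = [
    Risk("donor database", "temporary staff member exports donor records",
         0.30, "severe", 200_000, control_cost=15_000, control_effect=0.7,
         transfer_cost=40_000),
    Risk("backup tapes", "unencrypted backup taken off site by an insider",
         0.10, "high", 50_000, control_cost=2_000, control_effect=0.9),
    Risk("USB sticks", "student records lost on removable media",
         0.50, "medium", 20_000, avoidable=True),
    Risk("office server", "water damage from a plumbing failure",
         0.05, "high", 30_000, control_cost=5_000, control_effect=0.5,
         transfer_cost=1_000),
    Risk("public website", "defacement of the donation page",
         0.02, "low", 3_000, control_cost=500, control_effect=0.5),
]

if __name__ == "__main__":
    for asset, threat, level, option in build_register(SAMPLE):
        print(f"{level:>2}  {option:<8} {asset}: {threat}")
```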
Monitoring and reviewing
Different aspects must be regularly monitored and reviewed:
- Network services and system users must be recorded.
- Reports must be reassessed.
- Changes in the procedures used by staff must be noticed.
- Incident handling reports must be reviewed.
- Results must be measured.
- Feedback provided by employees, customers and service providers, such as faults, security weaknesses or complaints, are suggestions which lead to improvement.
- Regular internal audits must be carried out.
Monitoring employees and the organisation requires regular checks of websites and emails. Students who have benefited from this charitable organisation form a group and monitor this internal policy, which can help in finding out whether a threat is rising. Employees must be fully aware that these controls are in the right place and can be used when appropriate. When employees sign an “acceptable use policy”, the monitoring method can be implemented more effectively (Safa et al., 2016).
Administrators
Administrators often have extra controls over different services and communication facilities, and these controls give them the opportunity to launch an insider attack. Controls must be in the right place and in the hands of the right authority to avoid any leakage from the organisation's information systems. Several controls suggested in this information security management assignment are:
- Administrator accounts must be configured so that each is held by a single named administrator rather than shared.
- Default account settings must be removed.
- Allocation of management rights and administrator privileges must follow an appropriate procedure for review, and privileges no longer required must be removed or suspended (Soomro et al., 2016).
- Encryption in databases can prevent administrators from viewing sensitive data.
Properly managed backups are crucial, as they can help in avoiding blackmail over the corruption of data. When backups are not protected and managed effectively they become an easy target for insiders. Encrypting backups is an important way of protecting sensitive and confidential information.
Electronic devices like mobile phones, laptops, USB sticks or MP3 players make it easy to store huge amounts of sensitive data and can act as a sure route for data theft. Organisations must be fully aware of the situation when implementing a company-wide framework, as this can ensure the protection of information assets. As discussed in this information security management assignment, the security and insecurity posed by insider threats are two sides of one coin, and the uncertainty between them depends on management (Tot et al., 2015). It can be seen by weighing up costs and benefits. To achieve a balance, information security will always carry some residual risk, and management must establish regular contact with users and operators to achieve that balance. An organisation must make sure that:
- the risk assessment is kept up to date
- an effective set of controls is in place
- an appropriate measurement process is kept in place
- an appropriate amount of training and awareness is provided
- activities are monitored regularly to check the effectiveness of information security
- regular improvement is initiated.
5G cellular networks and electronic devices have pros as well as cons: while handy, they can also enable theft from the system via mobile phones. Technology and information receive a great deal of attention nowadays, and different organisations are completely reliant on information technology. A management system integrates different perspectives associated with auditing, control and risk management (Tu et al., 2018). Rich information security is provided by strategies and theoretical approaches towards research procedures; by combining these factors a better understanding of information security can be developed. Organisational behaviour associated with the security management of information is also explained by these strategies. By relating to the above context, FuturePlus can effectively manage its charitable organisation.
Information security certification
Security management certification is one of the most important parts of any organisation's security management. With the enactment of different corporate governance laws, businesses sought assurance. Security management certification, as discussed in this information security management assignment, provides a guarantee which increases confidence between partner and client. A best-practice framework helps organisations in assessing security risks. The most appropriate step among these frameworks is the implementation of the international information “security management standard”, which also allows a third-party audit. As businesses grew, organisations obtained certification from a third party (Ab Rahman and Choo, 2015). Certification promises that security requirements are met, and it is also an inbuilt source of trust in the organisations through which the confidential information of the business and its clients is managed. Control objectives for information and related technologies are among the best practices that can facilitate implementation.
Standard of an information security management
“Information security management” is defined as the preservation of the confidentiality of information. Its important goals are to provide security and ensure business continuity. To draft a security policy and implement appropriate security controls, organisations need to consider legal requirements. They can demonstrate that information needs to be protected as confidential, which provides greater confidence between clients and partners. Security implemented with the utmost seriousness results in minimised damage to the business. The major domains which define controls for the identified implementation risks are:
- Security policy: management commitment must be demonstrated, proving support for information security.
- Organisational security: a framework for the management and coordination of information security must be developed in the organisation, and responsibility for information security must be allocated.
- Control and classification of assets: an appropriate level of protection must be provided to sensitive or critical assets.
- Personal security: user training can help in reducing risks like fraud, theft or any misuse of resources.
- Environmental and physical security: unauthorised access to any information must be prevented to avoid damage of any kind.
FIG 2: Major domains for defining control
(Source: Self-Created)
Certification process
Organisations with an information “security management system” can be certified, and any organisation which secures certification is said to be ISO certified. Implementation, maintenance and development, along with continuous improvement of the ISMS documentation, are the basics of certification. As stated in this information security management assignment, when an organisation completes the ISMS certification procedure a third-party body carries out an audit, which verifies whether the organisation has implemented its security policies effectively. Several critical factors are responsible for the successful implementation of the certification process (Choi, 2016). Among them, key success factors play an important role; they are consistently based on organisational trends.
(B) Importance of information security accreditation: Information “security management accreditation” is not new in a digital society; it was established in Salisbury, England. It is an essential component of information security risk management. Under usual circumstances, security incident risks create monetary as well as production losses. They put every asset at risk, threaten all the key points and end in embarrassment for the organisation. The relationship of information security with any operational function, activity or process can be brought under threat in different ways. Four specific threats identified by studying different relevant cases in this information security management assignment are:
- Leaking or corruption of information or unauthorised changes: this threat is the outcome of an unintentional or possibly intentional leak of information. It also covers intentional changes made to corrupt the data.
- Carelessness causing corruption of data or information: this threat covers information loss caused by carelessness or unintentional actions. Hardware and software malware or any kind of communication failure can also cause this threat.
- Improper delivery or non-delivery of relevant information: this threat consists of unintentional deletion of information or improper delivery in digital or paper form. It also includes software, hardware or any kind of information failure (Zammani and Razali, 2016).
- Retrogation: this threat relates to insufficient usability, which can result in an unplanned long-term or short-term interruption. Certification is important for recognising professional safety.
Mechanism of certification and accreditation associated with the “information security management system”
Certification and accreditation are developing at a rapid pace. The authority in charge issues official written recognition of the capability to implement, or certifies that the particular training organisation can regulate or implement activities or work processes. Certification bodies, on the other hand, provide a written guarantee that the particular organisation's products, inspectors and procedures are as specified in the regulation. Certification responds to needs like professional safety, fire safety, health and the management of information security systems.
Security demands of different organisations depend upon their working conditions. The main goal of certification and accreditation is to promote the following functions in any organisation:
- Quality, reliability and consistency in the product price.
- User security is promoted through the method of resource recycling.
- Interoperability and mutual continuity of technology, services and goods.
- Simplification of complex infrastructure to create better understanding.
- Convenience in repair and improved distribution efficiency.
FIG 3: Promotional functions
(Source: Self-Created)
These standards, as illustrated in this information security management assignment, are simplified conditions which are necessary and unified regulations. The whole process helps in providing better functions, installation, actions, measuring objects, work procedures and control procedures. These certification standards were proposed in Taiwan for the introduction of improvements in the information “security management system”. Certification specifications are introduced to meet international demands, though a few additions to their structure still need to be implemented (Miloslavskaya, 2016). They are introduced with the concept of simplified relationships between clients and stakeholders.
FuturePlus, as a charitable organisation, needs to implement certification and accreditation to help donors gain confidence regarding their donations, as it removes the threats associated with leakage of identity. Though it is a charitable organisation it involves a lot of money, and due to a lack of volunteer or full-time employees it can be targeted easily. Certification provides guidelines and accreditation simplifies complex structures. It must be noted that with the implementation of these two very important guidelines associated with “information security risk management”, risks can be minimised.
Conclusion
Different methods to minimise information security risk have been proposed in the above discussion of this information security management assignment. The methods were proposed based on a quantitative approach, which is the result of different surveys and analyses. It was mentioned earlier that quantitative tools always provide subjective results; ISRAM, which is also a quantitative tool, provides objective results. Different measures were suggested to counter threats from insiders. Most attacks are initiated by insiders because it satisfies their grudges, and flaws, gaps or vulnerabilities are the major reasons behind these attacks. Proper implementation along with effective protection of the security system can cause a decline in these threats. The attacks may lead to financial loss, information damage, theft or damage to reputation. All the steps suggested for the protection of the organisation, including retaining, modifying and implementing policies, can be used to enhance FuturePlus policy management. Organisational security policy, control and classification of assets and personal security are important factors in achieving maximum protection against security threats.
The certification and accreditation management processes are also discussed in this information security management assignment. An organisation which secures certification is said to be ISO certified. Accreditation is not a new term in a digital society; it manages risks associated with the security system. Leaking or corruption of information or unauthorised changes, and carelessness causing corruption of data or information, are subjects to be treated by accreditation. FuturePlus, as a charitable organisation, needs to implement these factors in its working strategy to bring malware activity down to zero percent. The policies discussed, when followed and implemented with the utmost diligence, can reduce security risk to the maximum extent.
Reference List
Ab Rahman, N.H. and Choo, K.K.R., 2015. A survey of information security incident handling in the cloud. Computers & Security, 49, pp.45-69.
Choi, M., 2016. Leadership of information security manager on the effectiveness of information systems security for secure sustainable computing. Sustainability, 8(7), p.638.
Dhillon, G., Syed, R. and Pedron, C., 2016. Interpreting information security culture: An organizational transformation case study. Computers & Security, 56, pp.63-69.
Hoffmann, R., Kiedrowicz, M. and Stanik, J., 2016. Risk management system as the basic paradigm of the information security management system in an organization. In MATEC Web of Conferences (Vol. 76, p. 04010). EDP Sciences.
Kauspadiene, L., Cenys, A., Goranin, N., Tjoa, S. and Ramanauskaite, S., 2017. High-level self-sustaining information security management framework. Baltic Journal of Modern Computing, 5(1), p.107.
Miloslavskaya, N., 2016, August. Security operations centers for information security incident management. In 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud) (pp. 131-136). IEEE.
Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T., 2015. Information security conscious care behaviour formation in organizations. Computers & Security, 53, pp.65-78.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Tot, L., Grubor, G. and Marta, T., 2015. Introducing the information security management system in cloud computing environment. Acta Polytechnica Hungarica, 12(3), pp.147-166.
Tu, C.Z., Yuan, Y., Archer, N. and Connelly, C.E., 2018. Strategic value alignment for information security management: a critical success factor analysis. Information & Computer Security, 26(2), pp.150-170.
Zammani, M. and Razali, R., 2016. Information security management success factors. Advanced Science Letters, 22(8), pp.1924-1929.