Information Security Risk Management Assignment On NTN
Question
Task Description : You will analyse the scenario given on page 3, and write a report that discusses how you apply the principles of information security risk management as well as information security certification and accreditation to the organisation in the given scenario. You should ensure that you support your discussion with references and justify the content of your discussion.
Answer
Executive Summary
This information security risk management assignment presents a summary of the need for internet and information security at an Australia-based institute that provides nursing training to students. The need for the institute to safeguard its intellectual property is discussed in the initial sections of the assignment. A detailed analysis of the measures that NTN needs to take in order to protect its data and information follows.
The final sections of the assignment discuss the importance of these measures for the institute and the long-term changes in organizational working and market performance that it can expect after obtaining the safety certification it seeks.
Introduction
NTN is an institute that provides training and education to students who wish to develop a career in the medical field. Apart from this, the institute also employs its students in various door-to-door medical care services that it calls mobile hospitals, and it delivers video lectures to its branch institutes by live streaming from Sydney to its branches in Darwin and Cairns. Because of this dependence on connectivity services, the institute needs to implement internet security measures in its systems (Peltier, 2016).
The organization has decided to take up Information Security Risk Management and Information Security Certification and Accreditation methods in order to evaluate the potential risks to the intellectual property of the organization and for the protection of the same. This information security risk management assignment aims to analyze the various aspects of these systems and the way in which employing these measures can benefit the operations and services that NTN provides to their patients and students.
Discussion
As stated by Soomro, Shah and Ahmed (2016), technology plays a very important role in our everyday lives. The internet and its associated technical advancements have personal as well as industrial uses and have completely changed the lives of people of all age groups anywhere across the globe.
Internet Usage for NTN: The internet is the lifeline of operations in a number of industries. For institutes like NTN, internet-based technology plays the role of the institute's central nervous system. The institute has around five locations connected with its headquarters: the main branch in Sydney is connected with two other branches located in Darwin and Cairns. Apart from this, the institute is associated with two major nursing homes where it places its students for field work. These students are also connected with, and guided by, the Sydney headquarters over the internet (Cavusoglu et al. 2015).
In addition, a number of mobile vans take students associated with the institute to the homes of patients who cannot travel to a hospital, so that regular check-ups can be carried out on them. These vans also store data and transfer it to the institute's head office in Sydney.
Need for Internet Security in NTN: According to Tu and Yuan (2014), the internet has made life easier for many people, and many industries have adopted it to ensure a smooth, advanced and continuous workflow. The internet has revolutionized the hospital and nursing industry by allowing patients and doctors to stay in touch throughout the day, even remotely. This has made the best medical service accessible to patients in far-off places.
However, it has also been seen that the hospital and medical industry is affected by data breaches across the globe more than one would expect. With one out of every seven data breaches that happened in the world in the past year, the need to secure the internet-based operations of medical institutes and hospitals has been felt.
Data breaches in the hospital and medical industry are attempted because of the valuable information stored in these databases. Attackers are often looking for data such as passwords, phone numbers, addresses, payment information and other very sensitive data. Apart from this, the education sector is also a primary target because of the valuable research and other information usually stored in the databases of educational institutes (Siponen, Mahmood and Pahnila, 2014).
Security Threats to NTN: Given the increasing threats and reports of data breaches in the hospital and education industries, NTN can be classified as a highly vulnerable institute. With NTN's increasing dependence on the internet, the need for data security has risen remarkably. As the institute expands its business with more and more technologies that use the internet to communicate and share data, security has become a primary concern.
The threats to the institute's databases arise from two major types of information held by the institute:
- Medical and payment details of patients: Many patients have taken advantage of the growing facilities in the health care sector to obtain the best medical care. However, this care is still very costly. Because patients who can access such services are commonly assumed to have substantial monetary reserves, and because they use the internet to pay their medical bills, information such as card numbers and passwords is stored in hospital databases (Narain Singh, Gupta, and Ojha, 2014). This would be among the most targeted information if a data breach were to happen at NTN.
- Valuable research data: Most medical and educational institutes have students performing continuous research to find the latest technical and medical tools that can help people. This information is of great value to cyber offenders because of its sensitive and exclusive nature. Information stored in the form of patented inventions and discoveries, along with new research methods, is a prime target for attackers, which makes the databases at NTN highly vulnerable to a cyber attack.
Information Security Risk Management: According to Fakhri, Fahimah and Ibrahim (2015), Information Security Risk Management is a process designed to analyze and manage the risks to information security for companies that use the internet and similar connectivity services to serve their customers. The end objective of a risk management system is not to eliminate all risks for a specific industry or company, but to make the risks tolerable and bearable for them.
There are three main stakeholders in case of the information security risk management process:
- Owners of the Process: The process management and audit teams of an institution, which manage the information stored in the company's databases, are the prime stakeholders. The role of this group is to provide adequate information so that the experts can understand the exact level of risk the company is exposed to and the methods to deal with it (Lim et al. 2015).
- Owners of the Risk: The risk owners are the people who pay for the risk management program, either directly or indirectly. These people are exposed to the maximum losses when it comes to the effect of the risk if a data breach happens.
- Technical Staff: The technicians and engineers have a very limited role to play in the risk management process, but that role is of the most significant value. As the level of risk continues to increase with technological advancements in data storage and cloud computing, constant evaluation is needed as well. The technicians and engineers need to be kept updated on the ongoing processes in which the company is operating so that they can minimize the risk to the institution (Silva et al. 2014).
Execution of Information Security Risk Management: There are six major steps that are involved in the process of Information Security Risk Management that NTN needs to follow in order to ensure successful application of the process for them.
1. Identification: Identification of the potential risks and of methods to mitigate them is the first step that needs to be accomplished to start the risk management process. It covers the following major areas:
- Identification of assets: The process identifies and separates the data that is more important to the institution from the data that is considered of less value (Safa et al. 2015).
- Identification of vulnerabilities: This process analyzes the potential risks to the organization with respect to the systems it has employed. It also analyzes the organizational structure of the company to check for the possibility of a data breach from the inside.
- Identification of threats: This analyzes the potential threats to the data that the company stores and owns. It includes not only the risks from cyber attacks and hackers but also natural causes such as earthquakes and tornadoes that can cause data loss for the company.
- Identification of controls: According to Safa and Von Solms (2016), this process is the evaluation of the data protection measures that the organization already uses to protect the valuable information it possesses.
2. Assessment: This step analyzes the potential risks to the data that is the property of an institution by applying a common formula to the information gathered in the identification process. The basic formula used to assess the risk factor is: Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value) - security controls
3. Treatment: On the basis of the risk analysis and the findings from the process, the organization looks for strategies and methods to deal with this sensitive information and its protection. There are a few areas that organizations take into account while choosing treatment options (Ab Rahman and Choo, 2015).
- Remediation: This process identifies a vulnerability and develops a fix or a patch in order to protect that specific aspect of the data of that organization.
- Mitigation: Mitigation strategies focus on reduction of the impact of the risk that an organization has. The risk factor could be a general threat to the data owned by the organization or for a specific area that is more vulnerable as compared to others.
- Transference: This process transfers the potential risk to some other entity, which may be a body owned by the organization or an outside entity.
- Accepting the risk: Some of the risks an organization is likely to face are higher in terms of the harm they can cause than others. The correct approach to the less harmful risk factors is to accept those risks and focus on the bigger problems at hand.
- Avoiding the risk: This process identifies the existing risks to the data that an organization possesses, and finds and implements measures to deal with those known risks in a foolproof manner (Ahmad and Maynard, 2014).
4. Communicating the risks: It is notable that after the risks to an organization have been identified and strategies for reducing their effect have been chosen and applied, it is also very important to establish a network within the organization and inform all internal employees of the company about the measures that have been taken. This should be done to ensure that internal risk is minimized (Layton, 2016).
5. Repeating management checks: Risk management is not a one-time process. With constantly evolving technologies, the risk factors and risk areas also grow continuously. Hence, after applying the risk management strategy once, the owners and managers of the organization are responsible for keeping in touch with the technicians in order to identify all the latest risks and find methods to manage them.
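The identification, assessment and treatment steps above can be carried through as a small risk register. The following Python example is an added illustration, not a tool from the report or from NTN; the asset entries, the 1-5 scoring scales, the acceptance and avoidance thresholds, and the fixable/transferable flags are all constructed assumptions. It applies the report's formula, Risk = (threat x vulnerability (likelihood x impact) x asset value) - controls, ranks the register for communication to staff, picks one of the five treatment options, and re-runs the assessment when controls change (the repeating-checks step).

```python
from dataclasses import dataclass, replace
from typing import List

# Assumed scales for this example: every factor is scored 1-5, and existing
# security controls are credited as an absolute reduction, as in the report's
# formula. Both thresholds are assumptions chosen for the illustration.
ACCEPT_MAX = 20.0   # residual risk below this may be accepted
AVOID_MIN = 300.0   # residual risk at or above this, with no fix or transfer, is avoided


@dataclass
class Risk:
    asset: str
    asset_value: int            # identification of assets
    threat: str
    threat_level: int           # identification of threats
    exploit_likelihood: int     # identification of vulnerabilities
    exploit_impact: int
    controls: float             # identification of controls already in place
    fixable: bool = False       # a patch or fix exists, so remediation is possible
    transferable: bool = False  # the risk can be moved to another entity

    def vulnerability(self) -> int:
        # vulnerability = exploit likelihood x exploit impact
        return self.exploit_likelihood * self.exploit_impact

    def inherent(self) -> float:
        # threat x vulnerability x asset value, before controls are credited
        return self.threat_level * self.vulnerability() * self.asset_value

    def residual(self) -> float:
        # the report's formula: (...) - security controls, floored at zero
        return max(0.0, self.inherent() - self.controls)


def treatment(risk: Risk) -> str:
    """Choose one of the five treatment options listed in the report."""
    r = risk.residual()
    if r < ACCEPT_MAX:
        return "accept"        # small enough to live with
    if risk.fixable:
        return "remediate"     # a specific fix or patch closes the gap
    if risk.transferable:
        return "transfer"      # hand the risk to another entity
    if r >= AVOID_MIN:
        return "avoid"         # too large to keep and no fix: stop the activity
    return "mitigate"          # reduce impact with additional controls


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first: the order used when communicating risks."""
    return sorted(register, key=lambda k: k.residual(), reverse=True)


def reassess(risk: Risk, new_controls: float) -> Risk:
    """Repeat the assessment after the control set changes (step 5)."""
    return replace(risk, controls=new_controls)


def build_register() -> List[Risk]:
    # Constructed entries for the NTN scenario; all scores are illustrative.
    return [
        Risk("Patient payment details", 5, "external attacker seeking card data",
             threat_level=5, exploit_likelihood=4, exploit_impact=5,
             controls=60, transferable=True),
        Risk("Research data", 4, "theft of unpublished research",
             threat_level=4, exploit_likelihood=3, exploit_impact=4,
             controls=40, fixable=True),
        Risk("Mobile van patient records", 4, "device loss in a van",
             threat_level=3, exploit_likelihood=3, exploit_impact=4,
             controls=30),
        Risk("Sydney-Darwin lecture stream", 2, "interception of the stream",
             threat_level=2, exploit_likelihood=2, exploit_impact=2,
             controls=10),
    ]


def report(register: List[Risk]) -> List[str]:
    """One line per asset, in priority order, ready to share internally."""
    return [
        f"{k.asset}: inherent={k.inherent():.0f} residual={k.residual():.0f} -> {treatment(k)}"
        for k in prioritise(register)
    ]


if __name__ == "__main__":
    for line in report(build_register()):
        print(line)
```

Because the report's formula subtracts controls as an absolute quantity, the same control investment buys more for a low-value asset than for a high-value one; the `reassess` helper makes that visible by recomputing the residual and the treatment after a control change.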
Information Security Certification and Accreditation: As stated by Baskerville, Spagnoletti and Kim (2014), this is a certified process that organizations go through to manage the certification and accreditation of the security systems they use. Certification and Accreditation is the formal process a company takes up to establish, include or start a process in its organizational and operational routine. An organization can take up the Certification and Accreditation process according to the standards set by the state in which it operates. The alternative is the international Certification and Accreditation process, which an organization can use to make its processes and operations more secure and less prone to risk.
Execution of Information Security Certification and Accreditation process: In common usage, there are four steps to the Certification and Accreditation process that each organization has to take in order to implement the process within its system.
- Initiation and Planning: This is the first step that will need NTN to appoint an Internet System Security Officer who will work along with the owners of the institute in order to identify the need for a certification and accreditation process. In this step, the value of the data that is possessed by the organization is analyzed and on the basis of that value, it is determined if the institute really needs to employ security systems for its intellectual property (Zammani and Razali, 2016).
If the need for a security system is felt, the planning process begins. This part determines the potential risks to the system and identifies the milestones and requirements for storing and processing data in a way that maximizes its security in terms of the institution's requirements.
- Certification: This step is performed by auditors who are not part of the institution. The auditors measure the risk to the institution and formulate the basic certification processes and measures that the institution can use, with reference to the value of its assets and intellectual property and the kind of security measures it can apply. The independent audit is carried out through a series of onsite interviews, visual inspections, vulnerability scans and testing. After the audit is complete, the basic level of certification that the organization will need is presented, together with complete details of the potential risks to the data owned by the institution and the measures the company needs to take to avoid a risk situation or to deal with it (Tøndel, Line and Jaatun, 2014).
- Accreditation: Before the certification standards chosen as appropriate for the institution are accredited as valid by a governing body or its representative, a final accreditation check-up is performed. This process revisits the certification standards designed for the institution and repeats the analysis of the process and of its application. The accreditation authorities review the suggestions made by the auditors who formed the certification authority for the company. Apart from this, all risk factors that have not been considered by the certification team are also studied carefully, and responsibility for those risks is taken by the accreditation team on behalf of the governing body of the state.
As per Laudon and Laudon (2015), after the process is complete, an accreditation certificate is issued to the owner of the organization on behalf of the governing body, which takes complete responsibility for the unknown risks and gives the institution cover in case of known risk factors. This letter of accreditation is valid for a period of three years in most cases and needs to be renewed after that time.
- Continuous Monitoring: Continuous monitoring is not part of the initial certification and accreditation process. However, once the organization has been issued the accreditation certificate, it is its responsibility to ensure that all processes are monitored continuously and that any new kind of risk or threat is reported to the concerned authorities immediately after detection and identification (Ahmad, Maynard and Park, 2014).
This process also gives the Internet System Security Officer employed by the institution a complete view of the systems and processes the company uses and alerts them in case of any change. If such a change exposes the institution to a new kind of risk, it is immediately monitored and checked by the authorities, and proper mitigation and control measures are provided to the organization to avoid any potential threat.
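The continuous-monitoring duty described above rests on knowing what changed since accreditation. The following Python example is an added illustration and not part of the report or of any NTN system: it keeps a fingerprint of an accredited system inventory, diffs a later inventory against it, and separates changes that touch security-relevant attributes (which the report says must be reported straight away) from routine ones. The host names, attribute names, the set of security-relevant attributes and both inventories are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List

# Attributes whose change must be escalated under continuous monitoring.
# This set is an assumption for the example, not a standard's list.
SECURITY_KEYS = {"disk_encryption", "open_ports", "patch_level", "admin_users"}

Inventory = Dict[str, Dict[str, object]]


def fingerprint(inventory: Inventory) -> str:
    """Stable hash of an inventory, recorded at accreditation time."""
    canonical = json.dumps(inventory, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_inventory(baseline: Inventory, current: Inventory) -> List[dict]:
    """List every host-level and attribute-level change since the baseline."""
    changes = []
    for host in sorted(set(baseline) | set(current)):
        if host not in current:
            changes.append({"host": host, "change": "removed", "security_relevant": True})
        elif host not in baseline:
            changes.append({"host": host, "change": "added", "security_relevant": True})
        else:
            old, new = baseline[host], current[host]
            for key in sorted(set(old) | set(new)):
                if old.get(key) != new.get(key):
                    changes.append({
                        "host": host, "change": "modified", "attribute": key,
                        "old": old.get(key), "new": new.get(key),
                        "security_relevant": key in SECURITY_KEYS,
                    })
    return changes


def to_report(changes: List[dict]) -> List[dict]:
    """Only the changes the security officer must escalate immediately."""
    return [c for c in changes if c["security_relevant"]]


# Constructed baseline recorded at accreditation (sample data, not real hosts).
BASELINE: Inventory = {
    "sydney-hq-db":    {"disk_encryption": True, "open_ports": [443], "patch_level": "2019-11", "admin_users": ["dba"], "description": "student and patient records"},
    "darwin-branch":   {"disk_encryption": True, "open_ports": [443], "patch_level": "2019-10", "admin_users": ["branch-it"], "description": "lecture receiver"},
    "mobile-van-01":   {"disk_encryption": True, "open_ports": [], "patch_level": "2019-11", "admin_users": ["van-admin"], "description": "field laptop"},
}

# Constructed later inventory: one routine edit, two risky edits, one new host.
CURRENT: Inventory = {
    "sydney-hq-db":    {"disk_encryption": True, "open_ports": [443], "patch_level": "2019-11", "admin_users": ["dba"], "description": "student, patient and billing records"},
    "darwin-branch":   {"disk_encryption": True, "open_ports": [443, 3389], "patch_level": "2019-10", "admin_users": ["branch-it"], "description": "lecture receiver"},
    "mobile-van-01":   {"disk_encryption": False, "open_ports": [], "patch_level": "2019-11", "admin_users": ["van-admin"], "description": "field laptop"},
    "cairns-branch":   {"disk_encryption": True, "open_ports": [443], "patch_level": "2019-12", "admin_users": ["branch-it"], "description": "lecture receiver"},
}


if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(CURRENT):
        for c in to_report(diff_inventory(BASELINE, CURRENT)):
            print(c)
```

Comparing fingerprints is a cheap first test for "has anything changed since accreditation"; the attribute-level diff is what turns that signal into the list the security officer actually reports, and keeping non-security attributes out of that list stops routine edits from drowning the ones that matter.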
Impact of Implementing Certification and Accreditation and Risk Management Practices for NTN: When it comes to internet security, the vulnerability of health care institutions has only recently come to light. By employing internet security measures such as certification and accreditation along with threat management, NTN can assure better services to its clients. The clients of the health care institute will be able to conduct transactions and share personal and medical data with the company's medical professionals more frequently because of the security of the system they use (Ahmad, Maynard and Shanks, 2015).
This will also ensure that the services provided to the organization's customers are improved, up to date and secure. This will increase customer satisfaction and hence reflect positively on the market value of the institution.
The accreditation criteria that NTN will be subject to once the process is complete will also set quality checks and standards for the institute, and will ensure that the services NTN provides to its patients continue to meet those standards. It will also increase the number of students at the institution who rely on the security system and are not afraid to experiment with and develop the new processes and technologies of the future, for the greater good and to provide better health care to people in the convenience of their own homes (Sommestad et al. 2014).
Conclusion
The report has taken into consideration the two internet security measures that NTN aims to use in their organizational operations and for their data management and security of the intellectual knowledge that they possess. The institute aims to employ Information Security Risk Management and Information Security Certification and Accreditation systems into their processes to make sure that the databases of the organization are safe and secure.
These processes are conducted by various authorities with the aim of analyzing the potential threats to an organization and suggesting measures to deal with them. The Information Security Risk Management system deals with the data that is of more value to the company and suggests measures for its protection. The Information Security Certification and Accreditation system is a government recognized system that provides safety and security solutions for the company and also insures them against unknown risks.
Both these measures can be employed by NTN to safeguard its intellectual assets and protect the sensitive information it possesses. This can further help the institution win the confidence of its students and patients, and increased customer satisfaction will be the ideal driving force for the market value of the company.
References
Ab Rahman, N.H. and Choo, K.K.R., 2015. A survey of information security incident handling in the cloud. Computers & Security, 49, pp.45-69.
Ahmad, A. and Maynard, S., 2014. Teaching information security management: reflections and experiences. Information Management & Computer Security, 22(5), pp.513-536.
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.
Ahmad, A., Maynard, S.B. and Shanks, G., 2015. A case analysis of information systems and security incident responses. International Journal of Information Management, 35(6), pp.717-723.
Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & management, 51(1), pp.138-151.
Cavusoglu, H., Cavusoglu, H., Son, J.Y. and Benbasat, I., 2015. Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), pp.385-400.
Fakhri, B., Fahimah, N. and Ibrahim, J., 2015. Information security aligned to enterprise management. Middle East Journal of Business, 10(1), pp.62-66.
Laudon, K.C. and Laudon, J.P., 2015. Management information systems (Vol. 8). Prentice Hall.
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. Auerbach Publications.
Lim, J.S., Maynard, S.B., Ahmad, A. and Chang, S., 2015. Information security culture: Towards an instrument for assessing security management practices. International Journal of Cyber Warfare and Terrorism (IJCWT), 5(2), pp.31-52.
Narain Singh, A., Gupta, M.P. and Ojha, A., 2014. Identifying factors of “organizational information security management”. Journal of Enterprise Information Management, 27(5), pp.644-667.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Safa, N.S. and Von Solms, R., 2016. An information security knowledge sharing model in organizations. Computers in Human Behavior, 57, pp.442-451.
Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T., 2015. Information security conscious care behaviour formation in organizations. Computers & Security, 53, pp.65-78.
Silva, M.M., de Gusmão, A.P.H., Poleto, T., e Silva, L.C. and Costa, A.P.C.S., 2014. A multidimensional approach to information security risk management using FMEA and fuzzy theory. International Journal of Information Management, 34(6), pp.733-740.
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Tøndel, I.A., Line, M.B. and Jaatun, M.G., 2014. Information security incident management: Current practice as reported in the literature. Computers & Security, 45, pp.42-57.
Tu, Z. and Yuan, Y., 2014. Critical success factors analysis on effective information security management: A literature review.
Zammani, M. and Razali, R., 2016. An empirical study of information security management success factors. International Journal on Advanced Science, Engineering and Information Technology, 6(6), pp.904-913.