7COM1066 Information Security Management And Compliance

0 Download 10 Pages / 2,470 Words

03-07-2021

Question:

Tasks:

Task 1 will assess essential facts, concepts and principles of security controls and IT security development and management and exercise critical evaluation of information sources. Task 2 will assess your understanding on national and international information security standards, government policies, and compliance legislation. Also, it will enable you to demonstrate detailed knowledge and understanding of information risk assessment and security management as well as confidence and flexibility in security standards, managing security incidents and related IT security problems in systems development and implementation. Task 3 will assess a range of current security management techniques and how the principles of information risk assessment, incident management and information assurance methods are embodied therein.

You are expected to demonstrate an insight into the implications of the problem introduced in each task by using clear and concise arguments. The reports should be well written (and word- processed), showing good skills in creativity and design. Sentences should be of an appropriate length and the writing style should be brief but informative.

Task 1 – The CISO memo

Assume you are a newly employed chief information security officer (CISO) for the School of Computer Science at the University of Hertfordshire. You decide to review and analyse the existing Information Security Policy of the University of Hertfordshire. Then, you want to produce a memo report for your first meeting with your team as a CISO.

You should focus on the topics covered in class and analyse the current status of the Information Security Policy. The report should critically evaluate the Information Security Policy in relation to the School of Computer Science assets. You should use General Data Protection Regulation (GDPR) as your benchmark and recommend modifications to areas that need improvement. It should not exceed 1000 words and follow an appropriate Memo template.

A scheduled formative feedback session with your tutor in the week commencing 23.10.2017 will give you the opportunity to reflect on your activities and improve your work where necessary. You are strongly advised to have a complete draft by then.

Task 2 – Information Security Policy

After the completion of Task 1 you decided your second task as a CISO is to draft an Acceptable Use Policy (AUP) along the lines of the ISO27000 family for the School of Computer Science at the University of Hertfordshire. You should additionally link a Bring Your Own Device Policy (BYOD) to your AUP.

You should take into consideration any confidentiality, integrity, and availability (CIA) issues of the information assets at the School of Computer Science and assess all relevant risks to the School.

You are expected to use appropriate peer reviewed sources for developing your arguments and the Harvard referencing style as per the University regulations.

A class peer assessment session is planned for the week commencing 20.11.2017. You should submit a draft copy of your work on StudyNet by 19.11.17 and bring a printed complete draft of your work to your tutorial session. You will be marked by your peers and you will also mark one of your peers. You will then receive formative feedback on your work from your tutor, allowing you the opportunity to reflect on your activities and improve your work where necessary.

Answer:

Introduction

The report is based on identification and analyzing the risks which are associated in the existing security policies and set up of the University of Hertfordshire. While setting up of the existing system into the university, they are facing of various risks. The internal risks within the organization are caused because of insufficient security policies in the organization. The university is violated the policies when there is use of BYOD (bring your own device), access to non-verified websites from the server of the organization and open of spam emails from the system. These are the main reasons behind the security risks of the information system. Control measures are taken against the risks in the organization to prevent the significant impact on the organization.

As the control statement, firewall is implemented to provide system resistance against malicious files along with viruses. It is also analyzed that restriction over the server is helpful to restrict access in the internet in addition to prevent the students from accessing spam and unverified websites. The University is recruited of system security experts such that it develops the system security by use of firewall as well as antivirus software to connect central server of the university. Risk analysis policies are documented to conduct investigation and take of actions to analyze the risks. The risks are analyzed by the authority of the Chief Security Officer. It is analyzed that risk assessment helps to manage, eliminate in addition to reduce the external and internal risks within the university.

Task 1: CISO Memo

Date:

From: INSERT NAME

Chief Information Security Officer

University of Hertfordshire

To: IS Authorizing Official

School of Computer Science

University of Hertfordshire

Subject: CISO Memo (INSERT System Name)

Finding and Summary:

This memo report is mainly based on the identification and analysis of the risks associated with the existing security policies and set up at the University of Hertfordshire. From the analysis of the existing system, it has been found that there are several security risks associated with the system that cannot be solved or addressed if the present security policies are in place. These policies must be modified as well as several new steps must be taken to address all the associated risks.

Risk Statement:

In information systems, there are generally two types of risks – external and internal. No absolute control can be established for the external risks and the organization only has the option to reinforce information system security in order to prevent such risks for as long as possible. However, internal security risks can be controlled by the organization by implementing various rules and guidelines. Moreover, the organization can take suitable steps to ensure none of the security policies are broken by any individual involved with the organization. In this particular case, it has been found that there are several internal risks that are caused due to lack of sufficient security policies within the organization. Internal activities like BYOD (bring your own device), accessing non-verified websites from the organization server and opening spam emails from the system are the main reasons behind the system security risks.

Impact Statement:

The risks mentioned above will have significant impact on the organization if they are not addressed immediately. In order to reduce the overall operational costs, the university allows the students to use their own laptops during computer practical classes. As a result, the malwares or viruses can easily enter the university server from the students’ systems. Similarly, opening spam websites and links can also insert malicious files into the system. These malwares can steal information from the server and can also destroy the entire data and information stored inside the database.

Risk Level:

Low:_________ Moderate:_________ High:__Yes_______

Justification for Noncompliance or Deviation:

Till now, controls cannot be implemented for several reasons. If BYOD is scrapped, the university has to encounter excess costs to provide systems to each of the students. Moreover, the spam websites cannot be entirely blocked as most of them mask themselves with the domains of other verified sites.

Compensating Controls:

The university can consider alternative practical classes for students in order to scrap BYOD and allow students to work on the provided systems only. For instance, if there are 90 students, there can be alternate classes for 30 students at a time and hence, the university can use only 30 laptops instead of 90. Moreover, specific firewalls can be implemented in order to provide system resistance against malicious files and viruses. Server restriction will also help to restrict access in the internet and will be prevent the students from accessing spam and unverified websites.

Statement of Residual Risk:

Even if sufficient control is applied, there may be some residual risks in the system. The spam websites cannot be entirely blocked and some of them can comprise verified sites and can enter the system even if the user enters a verified website.

Risk Response Request:

As discussed in the previous headers, the identified risks are extremely serious and must be addressed immediately with urgent response. All the risks discussed are internal and hence, they can be controlled and minimized. It is evident that the university policies regarding the BYOD and open access to internet are the root causes behind the risks discussed and hence, these policies must be modified and changed in order to protect the overall information system. Furthermore, the university should also provide active response in raising awareness among the students regarding the use of the systems and accessing unverified websites while browsing through the internet. Finally, the university should recruit system security experts so that they can develop system security using firewalls and antivirus softwares in the systems that are connected to the central server of the university.

Task 2: Information Security Policy

Policy Document on Acceptable Use Policy (AUP)

Background towards developing the policy:

The policy document is the continuation of analysis and identification of the risks regarding the current security policies and set up. It is also found from the analysis of the current system that there have been various risks related to the system that are still needed to be addressed or solved. The policies were needed to be modified, and various new steps are taken to address the related risks.

The policy demonstrated the AUP or Acceptable Use Policy. It also includes the lines of the ISO27000 family. It also links the BYOD, or the “Bring Your Device Policy” to the AUP. The integrity, confidentiality and the availability of the challenges information assets are analyzed here.

Purpose:

The BYOD program involves the students and parents to bring their mobile devices supporting the learning and teaching tasks. For the program, the mobile device indicates the student-owned device like the laptop, iPod touch, suitable phone and tablet. It must be reminded that the personal gaming devices are not permitted in the program.

This risk analysis policy has documented the authority of University of Hertfordshire for conducting the investigations and taking actions as needed to analyze the risks in the university. It intends to mitigate the measures for reducing, eliminating and managing the risks. The document specifies when and how the risk analysis could be done and who have been behind those responsibilities. Further, the policy determines how the risks could be identified for remediating it. It is conducted keeping the authority of the Chief Security Officer.

Scope:

This policy applies to every data and systems on the organizational network operated or owned by the university. The policy is efficient since the date issues never expire till it gets superseded by any other policy. However various risks analysis is particular to the system, the entire risk to the organization is needed to be considered. Moreover, the general risk analysis of the university functions is evaluated periodically like the risks to the network.

Term Definitions:

Risk: The chance of an undesirable outcome along with the harm that could occur.

Risk assessment: This is the analysis of every possible risk with the implemented and non-implemented solutions for managing, eliminating and reducing the risks.

Threat: It could be accidental, deliberate or result from any nature.

Risk Assessment Participants and Skills:

The staff members must perform the risk analysis. They must be familiar with the security and technology. The leader here must be the security officer. The technical support staff and the business owners must supply the information of risk assessment.

The risk assessment method:

The method is defined by the process of risk assessment. The process must be upgraded as needed. This is because of the outcomes of incidents and audits.

The steps of risk analysis:

The management of the university should define the scopes of risk analysis and develop the risk analysis team to guide the process.

As the procedure is not defined, the team must determine them.

The system must be evaluated by determining if the system is critical to the business process of organization and recognizing the security needs and data classification.

The threats must be listed as the exploitation of the vulnerability.

The vulnerabilities must be identified.

Evaluate the security controls.

The identification of probabilities.

The impact of the quality damage.

The risk levels must be determined.

The BYOD Acceptable Use Policy (AUP) Summary:

In the effort to the parents, guardians and students to take part in the BYOD program, the responsibilities and conditions added must be accepted as stated in the BYOD linked to the AUP as shown below. They must first read, then sign and return from this document.

The students wishing to use the personally owned mobile phone must read and sign the AUP.
The guardian/parent must read a sign and submit the AUP to the tutor putting that in the student file.
The students should undertake the roles for the proper use of the personal device at any times.
They are also liable for the devices including the cost of repairs, breakages and replacement.
Further, the school has the right to reserve to monitor or inspect the student mobile devices during the school hours.
The violations of the school rules or policies including any student device might lead to a student not being permitted to use the device during the disciplinary action or school hours.
As the school hours are allowed to use the device to learn the related tasks only.
The students need to comply with the requests from the teachers about the using of devices while the classes are going on.
The mobile devices should be charged with bringing them to school to be usable during the school hours.
The devices must not be used to transmit or post or record the videos or photos.
Every user is responsible for their device and must use that appropriately and with responsibility. The University of Hertfordshire had taken no liability regarding the damaged, lost or stolen devices. This must also include the corrupted or lost data on the devices.
Further, University of Hertfordshire is also not liable for any possible device changes to the account which could be incurred during the approval of the school-related use.
Confidentiality: The privacy and the ability to control or restrict the access must be maintained by the individuals to view the sensitive data.
Integrity: To maintain this security testing is intended to reveal the flaws in the security mechanisms protecting the data and control the functionality as expected.
Availability: An off-site location must be kept ready for restoring the services as anything occurs to the primary data centers.

References

Blaisdell, J., Kelly, M., Lang, M., Muldoon, K. and Toner, J., 2014. Embracing “Bring Your Own Device”: Balancing the Risks of Security Breaches. Impact of Emerging Digital Technologies on Leadership in Global Business, p.113.

Bruder, P., 2014. Gadgets go to school: The benefits and risks of BYOD (bring your own device). The Education Digest, 80(3), p.15.

Cavusoglu, H., Cavusoglu, H., Son, J.Y. and Benbasat, I., 2015. Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & management, 52(4), pp.385-400.

Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R., 2013. Future directions for behavioral information security research. computers & security, 32, pp.90-101.

Fielder, A., Panaousis, E., Malacaria, P., Hankin, C. and Smeraldi, F., 2014, June. Game theory meets information security management. In IFIP International Information Security Conference (pp. 15-29). Springer, Berlin, Heidelberg.

Gamundani, A.M. and Uuzombala, K.N., 2016. A review of organizational information security acceptable use policy implementation. International Journal of Computer Science and Information Security, 14(9), p.474.

Gkamas, V., Paraskevas, M. and Varvarigos, E., 2016, August. Design of a Secure BYOD Policy for the Greek School Network: A Case Study. In Computational Science and Engineering (CSE) and IEEE Intl Conference on Embedded and Ubiquitous Computing (EUC) and 15th Intl Symposium on Distributed Computing and Applications for Business Engineering (DCABES), 2016 IEEE Intl Conference on (pp. 557-560). IEEE.

Hallett, J. and Aspinall, D., 2017, May. Capturing Policies for BYOD. In IFIP International Conference on ICT Systems Security and Privacy Protection (pp. 310-323). Springer, Cham.

Hinkes, A., 2014. BYOD policies: a litigation perspective. Retrieved, 6(10), p.2014.

Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), pp.69-79.

Kulkarni, G., Shelke, R., Palwe, R., Solanke, V., Belsare, S. and Mohite, S., 2014, April. Mobile cloud computing-bring your own device. In Communication Systems and Network Technologies (CSNT), 2014 Fourth International Conference on (pp. 565-568). IEEE.

Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. CRC Press.

Narain Singh, A., Gupta, M.P. and Ojha, A., 2014. Identifying factors of “organizational information security management”. Journal of Enterprise Information Management, 27(5), pp.644-667.

Nazareth, D.L. and Choi, J., 2015. A system dynamics model for information security management. Information & Management, 52(1), pp.123-134.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Rhodes-Ousley, M., 2013. Information security: the complete reference. McGraw Hill Education.

Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T., 2015. Information security conscious care behaviour formation in organizations. Computers & Security, 53, pp.65-78.

Sellers, M.R., 2016. Future Privacy and Security Controls. Attack prevention.

Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.

Tu, Z. and Yuan, Y., 2014. Critical success factors analysis on effective information security management: A literature review.

Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. computers & security, 38, pp.97-102.