
CO4512 Information Security Management

  • Course Code: CO4512
  • University: University Of Central Lancashire
  • Country: United Kingdom

Question:

This assignment requires you to plan, conduct and document a risk assessment based on the scenario. You should carefully read the marking scheme to have a clear perception of the expected content of the risk assessment report you have to deliver and how it will be evaluated.

Scenario Description

A cloud service provider in UK, CloudXYZ, hired your team to set up their IT network/system. The company provides (i) secure storage and (ii) virtual server services for both individual customers and organizations. The goal of the security system is to prevent or minimize the business loss caused by possible incidents, such as malfunction, information stealing, data modification, deletion or destruction, etc. Your colleagues in the team have proposed the first version of the security network architecture depicted in Figure 1. As a person responsible for risk assessment your task is to conduct a risk assessment on this system.

 

In Figure 1 the internal network of CloudXYZ is denoted by the dashed box, and all the assets in this dashed box are located in the company premise in UK.

The authentication server is responsible for authenticating the credentials (usually account names and passwords) of the customers. When performing authentication tasks the authentication server may communicate with the customer database, which stores information about the customers. After successful authentication, the customers will be able to access their data stored in the cloud storage (one of the machines denoted by S) or log into their hired virtual servers (hosted by one of the servers denoted by V). Company employees, such as HR, can use their computers to download customers' information, while administrators can use their computers to maintain/improve and monitor the operation of the servers and storage.

The communications among the servers and employee computers take place within the intranet (i.e., private network) of the company. The web and mail servers are placed in the DMZ (Demilitarized Zone) of the bank network to provide web interface to customers and visitors, as well as email services to the employees and customers. The communication between the untrusted outside world (such as Internet) and the DMZ is filtered and protected by a firewall and/or an intrusion detection system (IDS). In addition, the communication between the DMZ and the intranet is also protected by another firewall and/or IDS. Individual visitors/customers and organizations can browse the website of CloudXYZ and register/login with their PCs or smart phones via Internet.

Task

The management board of the service provider would like to be sure if the proposed network system (in Figure 1) meets their goal, and hence, hired you, a security expert, to perform a risk assessment on this network. In this assignment you have to:

  1. Conduct a risk assessment on the network in Figure 1, based on the ISO standard.
  2. Write a detailed risk assessment report (see Section 4 for the required structure).

Flexibility of the software/hardware/firmware parameters

As you can see, no specific hardware or software is given in Figure 1. To avoid everyone working on exactly the same network (and hence copying from each other), before doing the risk assessment you have to specify the system parameters and the system boundaries, including the operating systems, hardware, software/applications and firmware used. Ideally, each of you will work with a different set of system parameters/scope that you choose or specify.

 

Answer:

Introduction

There are different ISO standards that are used as a baseline for the security of information in an organization. The ISO standards are used to avoid breaches in the network, reassure customers, gain a competitive edge and access new market opportunities. They are internationally recognized, applied to the management of safety practices, and used as a systematic approach to increasing reliability and enforcing security controls. Examples of ISO standards are ISO/IEC 17025, ISO 9001, ISO/IEC 27001 and ISO 50001, each with a different purpose: ISO/IEC 17025 covers testing and calibration, ISO 9001 quality management, ISO/IEC 27001 information security management and ISO 50001 energy management.

Thus ISO/IEC 27001 is applied for the analysis of the security of CloudXYZ, and it helps the organization store information securely. Using the ISO standard helps increase the security of the data residing in the cloud platform. In the network framework an authentication server should be used to permit users to connect to the database. The user needs to authenticate with the system to manage the virtual server, and ISO/IEC 27001 is used to identify the potential risks associated with the system. The privacy policy is assessed and the risks associated with it are eliminated to meet the information security management standard. The risk is analysed in the following steps:

Step#1:  Analysis of the risk associated with the system

Step#2:  Evaluation of the risk management system

Step#3: Selection of the risk management methodology

Step#4: Implementation of the risk management strategy and techniques

Step#5: Monitoring the current system and eliminating errors to reduce the risk

 

Figure 1: Steps involved in risk assessment

Risk Assessment

The risk assessment is done to analyse the impact of the risks and to monitor and eliminate them. The performance of the network should not be affected by the implementation of the system. The following figure is used to define the security of the system and to identify the failure points of the network.

 

Figure 2: Overview of the network security solution

Confidentiality, availability and integrity of the system are the main factors in the management of information security, and the following framework is used for managing the risk. The risk is assessed to prioritize the security risks, prevent the losses covered by the organizational policy and implement technical controls on the network.

Owner Specification

The HR manager is responsible for managing the organization's human resources; the network administrator is responsible for managing the servers and the information residing in the database; the server manager is also responsible for managing the server configuration. The owners of the system identified for its development are listed below:

  • Employees
  • Human Resource
  • Development team
  • Administration Department
  • Management team
  • Visitors /guests
  • Maintenance Team
  • Client
 

Assets

Primary Assets – The primary assets identified for the development of the risk management plan are listed below:

  • Authentication Server
  • Database server
  • Firewall
  • Web Server
  • Mail Server
  • Virtual Server, and
  • PC

Secondary Assets –

  • Intranet
  • DMZ network
  • Customer Phone, and
  • Visitor PC

A table recording the details of the assets is given below:

| ID | Name of Asset | Asset type | Remarks |
|---|---|---|---|
| A_1 | Mail Server | Primary Asset | Mail accounts are created for the employees to manage internal communication securely. |
| A_2 | Firewall | Secondary Asset | It is used to manage the network traffic and filter unwanted traffic out of the network. |
| A_3 | Authentication Server | Primary Asset | It is used to authenticate users connecting to the database and to store log details for users accessing the organization's resources. |
| A_4 | Web Server | Primary Asset | It is used to host the organization's website and store the organization's details. |
| A_5 | Admin PC | Primary Asset | The Admin PC is used to manage the servers and the services used to configure the network solution. |
| A_6 | Customer DB | Primary Asset | The customer database is used to record the details of customers and to use them for improving the current business process. |
| A_7 | HR PC | Primary Asset | It is used to manage employee and customer information. |
| A_8 | Virtual Server | Secondary Asset | It is used to manage load and serve more requests from users. |
| A_9 | Cloud Storage | Primary Asset | The cloud storage is used to upload data to the cloud servers and give users access to the data from remote locations. |
| A_10 | Visitor PC | Secondary Asset | It is used to give visitors access to the core network and to record their details. |
| A_11 | Mobile Device | Secondary Asset | It is used to connect to the organization's wireless network and access the information stored on the organization's servers. |
| A_12 | Staff PC | Primary Asset | Staff PCs are used for technical work, for the enterprise's data and for managing information. |

 
 

Threats for each asset

| Name of the Asset | Threat | Level | Source |
|---|---|---|---|
| Mail Server | Malware | High | Receiving malicious emails from unknown sources |
| Mail Server | Spam | Medium | Spam mails sent from outside sources |
| Mail Server | Social Engineering | Low | Used by hackers to obtain users' login credentials |
| Firewall | Shared secret | High | The system can be hacked from outside sources |
| Firewall | Phishing attack | Medium | Hackers duplicating the identity of a user |
| Firewall | Domain Hijacking | Low | Outsiders gaining access to the data traffic |
| Authentication Server | Dictionary attack | High | Used by hackers to try different password combinations |
| Authentication Server | Password authentication | Medium | Outsiders accessing the server from a remote location |
| Authentication Server | Brute force attack | Medium | Outsider from a remote location |
| Web Server | Open relay attacks | High | Outsider from any place |
| Web Server | Cross Site Scripting | Medium | Outsider from any place |
| Web Server | SQL injection attacks | Low | Outsider from any place |
| Admin PC | Ransomware | High | From external devices and the internet |
| Admin PC | Malware | Medium | From external devices and the internet |
| Admin PC | Spam | Low | From external devices and emails |
| Customer DB | Rainbow table | High | |
| Customer DB | Passphrase | Medium | |
| Customer DB | Ownership factor | Low | |
| HR PC | Ransomware | High | From external devices and the internet |
| HR PC | Malware | High | From external devices and the internet |
| HR PC | Spam | Low | From external devices and emails |
| Virtual Server | Lack of integration of application | High | Internal sources and hackers |
| Virtual Server | Inadequate recovery point | Low | Internal sources and hackers |
| Virtual Server | Restoring granularity | Low | Internal sources and hackers |
| Cloud Storage | Hacking | High | Outside hackers accessing sensitive information |
| Visitor PC | Ransomware | Low | From external devices and the internet |
| Visitor PC | Malware | Low | From external devices and the internet |
| Visitor PC | Spam | High | From external devices and emails |
| Mobile Device | System hacking | High | Hackers |
| Mobile Device | Virus | High | Internet and external sources |
| Mobile Device | Spoofing attack | High | Hackers and external sources |
| Staff PC | Ransomware | High | From external devices and the internet |
| Staff PC | Malware | Medium | From external devices and the internet |
| Staff PC | Spam | Low | From external devices and emails |

 
 

Vulnerabilities for each asset

Virtual Server

CVE-Modified – JSON and XML vulnerabilities are analysed to find security flaws; the CVE entries serve as reference links for identifying weaknesses in the network configuration.

Mail server

CVE-Recent – Social engineering differs from traditional attacks that exploit the system or its software: the attacker targets people to gain access to confidential information. It includes baiting, phishing, pretexting and spear phishing. False communication with the victim is set up through chats, phone calls or spoofed websites to gather personal information for illegal use.

PC

CVE-2018 – Dictionary attacks can be used by an attacker to determine a decryption key or passphrase and gain access to the computer. Brute-force attacks search the password space systematically, and rainbow tables reduce the preparation time by using a precomputed dictionary while keeping the storage requirement down.

Web server

CVE-2017 – Cross-site scripting exploits flaws in the web application: malicious code can read cookies and rewrite page content, and SQL injection attacks can modify the content stored on the servers.

Firewall

CVE-2016 – The shared secret is used cryptographically to secure and establish communication between users; a key agreement protocol and symmetric-key cryptography provide authentication. A unique session should be used for each authentication, with challenge responses deriving a unique key for each transaction. Domain hijacking changes permissions and abuses privileges at the domain host; the hijacker can use the domain name for illegal activity and gain the private information needed to log into the servers.

Database server

CVE-2015 – The cost of ownership should be identified to find the inheritance factor and the devices or information affected when security is compromised. The loss of resources and information should be analysed to manage these elements and reduce the effect on the network information system. Rainbow tables list plaintext passwords against their hashes by permuting the passwords specified in the hash table, and are used by password-cracking software in network security attacks.

Authentication Server

CVE-2014 – Brute-force attacks guess possible passwords and passphrases and check each until the correct one is found; as an exhaustive key search this is also a cryptanalytic attack. Dictionary attacks use harvested email addresses and precomputed tables, whose major cost is disk storage. A refined approach reduces storage by looking up hash values and matching them against existing passwords for the feasible salt values. Common passwords are stored in the table and different combinations can be tried to gain access to the server.
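The two controls that blunt the dictionary, brute-force and rainbow-table attacks described above for the authentication server are a per-user random salt with a slow key-derivation function, and a lockout after repeated failed logins. The following Python is an added example written for this page, not code from the report or from CloudXYZ; the iteration count, lockout threshold, lockout window and the `AuthServer` design are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed parameters (not from the report).
PBKDF2_ITERATIONS = 100_000
LOCKOUT_THRESHOLD = 5          # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60      # how long the lock lasts


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means a
    precomputed table built for one salt (or for no salt) matches no other
    user's digest, so each stored password must be attacked separately."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Digest checked for unknown usernames, so a login attempt costs the same time
# whether or not the account exists (does not reveal which usernames are valid).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("placeholder-not-a-real-password")


class AuthServer:
    """Minimal credential store with per-account lockout (an assumed design)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def register(self, username: str, password: str) -> None:
        self._creds[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        return self._now() < self._locked_until.get(username, 0.0)

    def login(self, username: str, password: str) -> bool:
        if self.is_locked(username):
            return False
        salt, digest = self._creds.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        valid = verify_password(password, salt, digest)   # always computed
        if valid and username in self._creds:
            self._failures.pop(username, None)
            return True
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= LOCKOUT_THRESHOLD:
            self._locked_until[username] = self._now() + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        return False


def salts_defeat_precomputation(password: str = "CorrectHorse9") -> bool:
    """Hash the same password twice with fresh salts: the digests differ, so
    one precomputed table cannot serve every account."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "CorrectHorse9")
    print("correct password accepted:", server.login("alice", "CorrectHorse9"))
    for _ in range(LOCKOUT_THRESHOLD):
        server.login("alice", "wrong-guess")
    print("locked after repeated failures:", server.is_locked("alice"))
    print("same password, different digests:", salts_defeat_precomputation())
```

The lockout counter is kept per account and the clock is injectable, so the behaviour can be checked without waiting out the window; in a real deployment the counters would live in shared storage across all authentication nodes.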

Risk Likelihood

The main risk that the system would be facing are:

The risk likelihood of each risk level is provided in the table below:

| Colours | Frequency | Relative Frequency |
|---|---|---|
| Red | 9 | 36% |
| Yellow | 8 | 32% |
| Green | 8 | 32% |
| Total | 25 | 100% |

Risk Impact table

The specification of the impact table is provided below:

Impact Definitions

| Rating | Very Low | Low | Moderate | High | Very High |
|---|---|---|---|---|---|
| Cost Impact of Threat | Insignificant cost increase | <5% cost increase | 5-10% cost increase | 10-20% cost increase | >20% cost increase |
| Cost Impact of Opportunity | Insignificant cost reduction | <1% cost decrease | 1-3% cost decrease | 3-5% cost decrease | >5% cost decrease |
| Schedule Impact of Threat | Insignificant slippage | <1 month slippage | 1-3 months slippage | 3-6 months slippage | >6 months slippage |
| Schedule Impact of Opportunity | Insignificant improvement | <1 month improvement | 1-2 months improvement | 2-3 months improvement | >3 months improvement |
| Probability | 1–9% | 10–19% | 20–39% | 40–59% | 60–99% |
| Impact Rating | 1 | 2 | 4 | 7 | 10 |

Risk Matrix

Rows are the likelihood rating (1 – Very Low to 5 – Very High), columns are the impact rating (1 to 10), and each cell is the likelihood rating multiplied by the impact rating:

| Likelihood \ Impact | 1 – Very Low | 2 – Low | 4 – Moderate | 7 – High | 10 – Very High |
|---|---|---|---|---|---|
| 5 – Very High | 5 | 10 | 20 | 35 | 50 |
| 4 – High | 4 | 8 | 16 | 28 | 40 |
| 3 – Moderate | 3 | 6 | 12 | 21 | 30 |
| 2 – Low | 2 | 4 | 8 | 14 | 20 |
| 1 – Very Low | 1 | 2 | 4 | 7 | 10 |
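The probability bands, cost-impact bands and impact ratings above can be applied to a new risk rather than read off by hand. The Python below is an added example written for this page, not part of the report: it encodes the report's bands as functions and regenerates the risk matrix as likelihood rating multiplied by impact rating. Where the report leaves a boundary open (what "insignificant" means, which band 10% or 20% falls into, 0% and 100% probability), the choices made are labelled as assumptions in the comments.

```python
from typing import Dict, List

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
LIKELIHOOD_RATING = {level: i + 1 for i, level in enumerate(LEVELS)}      # 1..5, as in the matrix rows
IMPACT_RATING = {"Very Low": 1, "Low": 2, "Moderate": 4, "High": 7, "Very High": 10}  # report's Impact Rating row


def likelihood_from_probability(pct: float) -> str:
    """Report bands: 1-9% Very Low, 10-19% Low, 20-39% Moderate, 40-59% High,
    60-99% Very High. Assumption: 0% counts as Very Low, 100% as Very High,
    and band edges fall exactly at 10, 20, 40 and 60."""
    if not 0 <= pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    if pct < 10:
        return "Very Low"
    if pct < 20:
        return "Low"
    if pct < 40:
        return "Moderate"
    if pct < 60:
        return "High"
    return "Very High"


def cost_impact_of_threat(cost_increase_pct: float) -> str:
    """Report bands: <5% Low, 5-10% Moderate, 10-20% High, >20% Very High.
    Assumptions: 'insignificant' (Very Low) means an increase below 1%, since
    the report gives no figure; 10% is placed in High where the report's
    ranges overlap; 20% stays in High because Very High is stated as >20%."""
    if cost_increase_pct < 0:
        raise ValueError("a threat cannot decrease cost in this table")
    if cost_increase_pct < 1:
        return "Very Low"
    if cost_increase_pct < 5:
        return "Low"
    if cost_increase_pct < 10:
        return "Moderate"
    if cost_increase_pct <= 20:
        return "High"
    return "Very High"


def risk_score(likelihood_level: str, impact_level: str) -> int:
    """Cell value of the risk matrix: likelihood rating x impact rating."""
    return LIKELIHOOD_RATING[likelihood_level] * IMPACT_RATING[impact_level]


def build_risk_matrix() -> Dict[str, List[int]]:
    """Rows keyed by likelihood level (Very High first, as in the report),
    each row listing the scores for impact Very Low .. Very High."""
    return {level: [risk_score(level, impact) for impact in LEVELS] for level in reversed(LEVELS)}


def assess(probability_pct: float, cost_increase_pct: float) -> Dict[str, object]:
    """Score one risk from its estimated probability and cost increase."""
    likelihood = likelihood_from_probability(probability_pct)
    impact = cost_impact_of_threat(cost_increase_pct)
    return {"likelihood": likelihood, "impact": impact, "score": risk_score(likelihood, impact)}


if __name__ == "__main__":
    for level, row in build_risk_matrix().items():
        print(f"{LIKELIHOOD_RATING[level]} - {level:9s}", row)
    # A risk estimated at 45% probability with a 12% cost increase scores 4 x 7 = 28.
    print(assess(45, 12))
```

Only the cost-of-threat row is encoded because the report does not say how a cost impact and a schedule impact for the same risk are combined; a schedule band function would follow the same shape.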

 
 

Risk Identification with level

The risk identification with its level is provided below:

| Risk | Level | Description | Number | Mitigation |
|---|---|---|---|---|
| Domain Hijacked | High | The network's domain is hijacked and the hackers are able to extract data from the servers and update it with errors. | CVE-2018 | To mitigate this, all access points to the network must be sealed off and direct access to the servers from clients should also be restricted. |
| SQL injection attacks | Medium | SQL injection attacks hamper the database server and make invalid updates in the database, which increases the time the processor needs to fetch data. | CVE-2017 | To stop this type of attack, the access levels in the database must be specified. It should also be ensured that access grants are not revoked without prior restriction by the administrator. |
| No recovery and data loss | Very High | Server data is lost when there is no option to save and back up the data, and important data on the server is lost. | CVE-2016 | Data is to be backed up regularly and data storage facilities are to be maintained efficiently. |
| Data Loss by Phishing | High | A phishing attack is one where the hackers hack the password. | CVE-2015 | To avoid phishing attacks the network should install an efficient firewall and use a well-protected |
| Malware | Low | Malware is inserted into the network through a file or software, and the data in the network is then disrupted. | CVE-2014 | To avoid this type of threat the network is to be protected with firewalls. |
| Spam | Low | Spam files are inserted into the network and keep providing irrelevant data to the user. | CVE-2013 | To protect the system from spam, server access should be restricted. |
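The SQL injection mitigation in the table above (specify access levels in the database) is easiest to see in code. The Python below is an added example written for this page, not code from the report or from CloudXYZ: a customer lookup built from user text beside its parameterised form, and a read-only database session as the access level for roles such as HR that only read customer details. The in-memory SQLite database, the two customer rows and the crafted input are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows standing in for the customer database.
SAMPLE_CUSTOMERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

# Constructed input that a client might send in place of a plain name.
INJECTION_INPUT = "x' OR '1'='1"


def open_customer_db() -> sqlite3.Connection:
    """In-memory stand-in for the customer database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO customers (name, email) VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable form: the caller's text is spliced into the SQL statement,
    so a quote character in it changes the meaning of the query."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened form: the value is bound as a parameter and never parsed as
    SQL, so it can only ever be compared literally against the name column."""
    return conn.execute("SELECT name, email FROM customers WHERE name = ?", (name,)).fetchall()


def open_readonly_session(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Access level for read-only roles: SQLite's query_only pragma makes the
    connection reject any statement that would change data."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def update_blocked_for_readonly_session() -> bool:
    """True if a write attempted through a read-only session is refused."""
    conn = open_readonly_session(open_customer_db())
    try:
        conn.execute("UPDATE customers SET email = 'changed@example.test' WHERE name = 'alice'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_customer_db()
    print("vulnerable lookup, crafted input:  ", lookup_vulnerable(db, INJECTION_INPUT))
    print("parameterised lookup, same input:  ", lookup_parameterised(db, INJECTION_INPUT))
    print("write refused in read-only session:", update_blocked_for_readonly_session())
```

The vulnerable lookup returns every customer for the crafted input, the parameterised one returns nothing, and the read-only session turns a stray or injected UPDATE into an error the application can log; in a production database the same effect comes from a separate, least-privilege account per role rather than a per-connection pragma.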

Summary and Recommendations

The risks identified are important for developing a secure network solution and for the success of the network. The network should be flexible and all the servers should be installed in the DMZ. In the current network solution the cloud storage, authentication server, customer database and virtual servers are connected to the intranet and are exposed to different kinds of attacks that can arise from internal users. The servers need to be secured from internal as well as external users connected to the network. Installing the servers in the DMZ helps to control the network traffic and to secure the data residing in the cloud and in the customer database from illegal use. Customer and visitor devices should be given access to the organization's resources, and ISO standards should be followed for configuring the network. Following the standard helps reduce configuration errors and increases the flexibility of the network.

 


My Assignment Help. (2020). Information Security Management. Retrieved from https://myassignmenthelp.com/free-samples/co4512-information-security-management.

"Information Security Management." My Assignment Help, 2020, https://myassignmenthelp.com/free-samples/co4512-information-security-management.

My Assignment Help (2020) Information Security Management [Online]. Available from: https://myassignmenthelp.com/free-samples/co4512-information-security-management
[Accessed 10 July 2020].

My Assignment Help. 'Information Security Management' (My Assignment Help, 2020) <https://myassignmenthelp.com/free-samples/co4512-information-security-management> accessed 10 July 2020.

My Assignment Help. Information Security Management [Internet]. My Assignment Help. 2020 [cited 10 July 2020]. Available from: https://myassignmenthelp.com/free-samples/co4512-information-security-management.


Students fail to cope up with the word count that is required in each section of an essay, dissertation or reports. If you are having sleepless nights wondering how to construct the essay, avail our expert service at MyAssignmenthelp.com. The academic writers use the word count tool to keep track. Most online word count tool does not provide valuable insights into the number of characters or punctuations. Word count online tools might not be authentic also, providing erroneous results. However, we use an efficient word counter tool to accommodate the essential details in each segment of the assignment.

Latest It Write Up Samples

HI5019 Strategic Information Systems For Business And Enterprise 3

Download : 0 | Pages : 18

Answer: Introduction  Cybersecurity issues can have a direct influence on both business sakes as well as on the reputation of the business (Chhetri, Canedo and Al Faruque 2016). There are numerous Information Systems (IS) which are deployed across commercial establishments to optimize their business operations (Perlroth, Scott and Frenkel 2017). The role of the accountants of the system development projects is very much crucial to mainta...

Read More arrow Tags: Australia Brisbane 7 Strategic Information Systems for Business and Enterprise Holmes Institute 

ICT710 ICT Professional Practice And Ethics

Download : 0 | Pages : 13

Answer: Introduction Information and communications technology or ICT could be referred to as the extension term form information technology, which majorly focuses on the role of different unified communication and overall integration of the telecommunication or telephone lines and wireless signals or computers (Dutta, Geiger and Lanvin 2015, p. 1). Large economic incentives are required for merging different telephone networks with the respe...

Read More arrow Tags: Australia Rochedale 7 ict profesional practice and ethics University of the Sunshine Coast 

BUS5WB Data Warehousing And Big Data 2

Download : 0 | Pages : 2
  • Course Code: BUS5WB
  • University: La Trobe University
  • Country: Australia

Answer: Agile Data Warehouse Development Creation of data warehouse is multi quarter, monolithic and large effort subject to waterfall process. In modern age, that is no longer norm as several organizations are selecting to adopt more iterative and flexible design approach. With needs of business changing faster as well as new businesses requiring to adapt as well as leverage the inputs rapidly and concisely. Agile development approach is the...

Read More arrow Tags: Australia Bundoora 7 Data Warehousing and Big Data La Trobe University 

ITECH7401 Leadership In IT Project Management

Download : 0 | Pages : 3
  • Course Code: ITECH7401
  • University: Federation University
  • Country: Australia

Answer: Budget Estimate and Financial Analysis The Return on Investment (ROI) is 125.10%, which is higher than the required ROI of twenty-five per cent. Thus, the report concludes that this project will be beneficial Port Fairy Caravan and Camping Park Pty Ltd. Year 0 1 2 3 Total Inflows (Income) 0 90000 130000 150000 370000 Outflows (Expenses) -90000 -2000...

Read More arrow Tags: Australia Riverwood 7 Leadership in IT Project Management Federation University 

MAN6910 Business Process Management

Download : 0 | Pages : 5
  • Course Code: MAN6910
  • University: Edith Cowan University
  • Country: Australia

Answer: Issue register Name of issue Patient waiting too long to register Priority 2 Description When the patients visits the hospital, the new patients are required to be registered first for gaining the treatment in the hospital. Data and assumption Over 20% of the patients who are visiting the hospital are raising the issue of extensive waiting time and longer duration for which treatmen...

Read More arrow Tags: Australia Ashgrove 7 business process management Edith Cowan University 
Next
watch

Save Time & improve Grade

Just share Requriment and get customize Solution.

question
We will use e-mail only for:

arrow Communication regarding your orders

arrow To send you invoices, and other billing info

arrow To provide you with information of offers and other benefits

1,359,015

Orders

4.9/5

Overall Rating

5,081

Experts

Our Amazing Features

delivery

On Time Delivery

Our writers make sure that all orders are submitted, prior to the deadline.

work

Plagiarism Free Work

Using reliable plagiarism detection software, Turnitin.com.We only provide customized 100 percent original papers.

time

24 X 7 Live Help

Feel free to contact our assignment writing services any time via phone, email or live chat.

subject

Services For All Subjects

Our writers can provide you professional writing assistance on any subject at any level.

price

Best Price Guarantee

Our best price guarantee ensures that the features we offer cannot be matched by any of the competitors.

Our Experts

Assignment writing guide
student rating student rating student rating student rating student rating 5/5

2109 Order Completed

99% Response Time

Emma Zhong

Ph.D in Project Management with Specialization in Project Communications Management

Singapore, Singapore

Hire Me
Assignment writing guide
student rating student rating student rating student rating student rating 5/5

453 Order Completed

98% Response Time

Howard Asuncion

LLM in Criminal Law

London, United Kingdom

Hire Me
Assignment writing guide
student rating student rating student rating student rating student rating 5/5

230 Order Completed

97% Response Time

Liya Han

Master Of Science in Geotechnical Engineering (MSc Geotec)

Singapore, Singapore

Hire Me
Assignment writing guide
student rating student rating student rating student rating student rating 5/5

2279 Order Completed

97% Response Time

Zachary Perez

PhD in Computer Science and Information System

Washington, United States

Hire Me

FREE Tools

plagiarism

Plagiarism Checker

Get all your documents checked for plagiarism or duplicacy with us.

essay

Essay Typer

Get different kinds of essays typed in minutes with clicks.

edit

GPA Calculator

Calculate your semester grades and cumulative GPa with our GPA Calculator.

referencing

Chemical Equation Balancer

Balance any chemical equation in minutes just by entering the formula.

calculator

Word Counter & Page Calculator

Calculate the number of words and number of pages of all your academic documents.

Refer Just 5 Friends to Earn More than $2000

Check your estimated earning as per your ability

1

1

1

Your Approx Earning

Live Review

Our Mission Client Satisfaction

Great work from expert! All good just missing one 1 reference, feedback and get it within a few hours.

flag

User Id: 254651 - 10 Jul 2020

Australia

student rating student rating student rating student rating student rating

Amazing work, thank you very much I have achieved amazing results. Thank you for your hard work

flag

User Id: 261191 - 10 Jul 2020

Australia

student rating student rating student rating student rating student rating

Really good work on the code. It ran perfectly and there were no mistakes in the code. All of the instructions were followed and there were no syntax errors at all.

flag

User Id: 457776 - 10 Jul 2020

Australia

student rating student rating student rating student rating student rating

very clear answers, full of information. The doctor was very happy with the answers. Thank you.

flag

User Id: 391476 - 10 Jul 2020

Australia

student rating student rating student rating student rating student rating
callback request mobile
Have any Query?