Information security management consists of a set of policies and rules used to secure all confidential and sensitive information. Such a security system is used to minimise risk and to ensure business continuity by preventing security breaches. In this report, Smart Software Pvt. Ltd. is considered; it is one of the leading software companies, situated in Melbourne. Risk plans are developed so that the company's sensitive information remains confidential, keeps its integrity and stays available. The company builds software in a customised way and each team has its defined role. A security management system is important for this organisation because there are large numbers of files and documents that need to be protected. To address all the security consequences, strategic plans need to be developed so that security parameters are met and information remains protected.
There are numerous principles of information security risk management, which are described below:
Accept that there will always be uncertainty: risks associated with information security are not always predictable and cannot be eradicated. This principle helps consumers to understand that they can ask for help, admit uncertainty and seek advice from trusted sources.
Build the security risk management system: managing security risks is neither easy nor simple, so the company should develop a risk management system to manage all the time, processes and data involved.
Understand the types of risk: it is very important to understand and identify the risks and issues associated with information security. This involves the impact of risks on security, the key factors that increase risks and issues, and more.
Appreciate fully how risks and issues are being managed: once the IT team has a clear view of the risks faced by Smart Software, the management team needs to decide how they are going to deal with those risks and issues. It is crucial to evaluate how well they are doing in managing the risks associated with information security.
Identify and recognise the limitations of risk management strategies and approaches: Smart Software should evaluate the limitations of its security policies and technology and adopt solutions that help it manage risks and issues.
Control and direct what the IT team does to manage risk: the actions the team takes in response to identified risks need to be governed to ensure they are consistent with the organisation's objectives and priorities.
Check the security tools and technologies used to manage security risks: the management team needs confidence that the technologies and tools in use are working properly and manage all the risks and issues associated with information security.
A framework needs to be designed so that the risks faced by Smart Software Pvt. Ltd. can be reduced. A framework can be defined that mitigates risk and offers data security. The ORM framework is one that can be used for reducing risk (Pawlak and Mikołaj, 2016). The first step of this framework is to identify the risk and make sure that it does not penetrate deep into the system (Marhold, Hartmut, 2016). The aim of this framework is to make sure that privacy is maintained (Dimensiondata, 2016). Security channels are also controlled by ensuring that only authorised and valid users access the information. Data packets are transmitted over a network that is secure.
The framework works step by step. The first step is establishing the context and designing the framework by understanding the organisation's behaviour as well as its risk management behaviour. The next step is identifying the risk and understanding how and why it arose. The last step is assessing the risk by determining the control parameters and then determining the consequences (Pawlak and Mikołaj, 2016). If no risk is found, the system is monitored and then reviewed again regularly. If a risk is identified, treatment and evaluation options are created so that proper implementation and treatment plans are generated (Mawdsley and Jocelyn, 2017). The risk is monitored on a regular basis so that it does not affect other operations and processes.
Ethical issues due to mishandling of information resources
Considering the case study of Smart Software Pvt. Ltd., if information is not handled correctly by staff it can cause a security breach. It is important to handle resources correctly so that personal information does not get leaked. The loss of information or sensitive data can be a loss for the organisation in terms of its financial condition and brand image. From the case study it was found that the development team is responsible for designing code and software, so it is important to protect this code from hacking (Braun, Aurel, 2018). The IT team has access to all files and documents, so a proper access control list should be defined so that only valid users can access the information. It was found that a few team members work from home, so a proper tracking system and firewalls need to be installed so that information remains secure (Ab Rahman and Choo, 2015). Various engineering tools and licensed software should be used so that security management practices can be developed.
Steps that need to be taken to prevent security breach
Smart Software Pvt. Ltd. faces various issues that can cause security breaches, so the organisation should take steps to ensure that information is secure and is not mishandled.
Some of the steps that should be taken to prevent unethical issues are:
- Information should be stored on a protected network.
- Information should be downloaded from certified networks only, and unauthorised users should be restricted from accessing the data (Harbeson and John, 2015).
- Smart Software uses open source software, but all software should be licensed so that the risk of hacking is reduced.
- Passwords should be strong so that they cannot be leaked and data is not misused or modified.
- An IT team should be hired for the company so that attacks can be identified and steps taken accordingly (Haufe, Colomo-Palacios, Dzombeta, Brandis and Stantchev, 2016). It is the responsibility of the IT team to keep an eye on all suspicious activity so that measures can be taken.
- Apart from that, security policies should also be designed so that the access control list can be prepared accordingly.
- The access control list of Smart Software Pvt. Ltd. contains the list of users who are authorised to access the information, so that information is not leaked.
- Files should be encrypted so that they are not in a readable form, and so that even if data is leaked the information cannot be read (Chen, Ramamurthy and Wen, 2015).
- Another step that could be taken is keeping a separation between personal work and professional work, because mixing the two increases the chance of information leakage.
- Apart from that, software as well as desktops should be updated regularly so that viruses do not hit the system (Ho, Hsu and Yen, 2015). Keeping track of and updating the system decreases the chances of bugs in the system.
- Information should also be backed up so that even if a system failure occurs the information is not lost (Günther, 2017). Firewalls and anti-virus software should be installed so that every data file remains protected.
Ways to identify information assets
The company uses many assets to meet its objectives, and it is important to identify these assets so that communication can be empowered. One of the important information assets of Smart Software Pvt. Ltd. is the set of files prepared by the development team, as they contain the code for software development. Other information assets are the documents prepared by the financial manager. The plans that employees need to follow and the work plan are also considered important information assets. If this information is leaked it can cause loss (Kong and You, 2015). All information assets should be kept securely so that unauthorised users cannot access the information (Elmaghraby and Losavio, 2014).
Considering the case of Smart Software Pvt. Ltd., all the software and the information set should be protected, as they can be hacked by other companies offering the same service. Another important information asset is the database, which holds a large amount of data covering past and future plans. These assets need to be protected so that privacy and integrity are maintained. The data centre is another important asset for an organisation; the data centre should be protected, otherwise it can cause financial loss for the company (Kong and You, 2015). If information is leaked it can damage the company's brand by breaking trust.
Risks associated with leakage of information assets
The issue linked with information assets is a security breach that causes loss of privacy. If data is accessed by an unauthorised user it can cause a security breach and loss of sensitive data. Risks should be monitored and tracked by top managers so that no bugs enter the system. Monitoring all the processes increases effectiveness and reduces risk. The risks that arise if information is leaked are financial loss for the organisation as well as damage to its reputation (Elmaghraby and Losavio, 2014). A further risk of information leakage is that if criminals gain access to the data they can modify it and may use it in the wrong way. It can also lead to incorrect data processing and careless disposal of data (Eling, 2018).
Information security: risk control strategies
Risk control is a step-by-step process whose strategies are defend, transfer, mitigate, accept and terminate. Risk is prevented by removing the vulnerabilities that a threat would exploit. Threats are identified and access is limited to authorised users (Rawat and Bajracharya, 2015). The three common methods that can be used for mitigating risk include training and the application of policy.
An incident response plan defines the actions that need to be taken to mitigate risk. A business continuity plan covers continuity of business operations even if the system fails. Risk needs to be predicted so that proper steps can be taken at times of unpredictability (Simpson, 2017). Information security risk management is the process of managing the risks linked with information technology (Safa, Sookhak, Von Solms, Furnell, Ghani and Herawan, 2015). The steps taken are identifying, assessing and treating the risk so that integrity, confidentiality and availability are maintained.
Briefly analysing the stages of information security risk management:
- The first step is identifying the assets and checking the requirements so that integrity problems can be resolved. Vulnerabilities need to be identified so that they do not penetrate the system.
- Threats need to be identified so that all of them can be addressed. The management plan ensures that unauthorised users are not able to access the information. Defining an access control list ensures that only valid users access the information.
The purpose of security risk management is to remove threats by identifying and controlling them. Once a risk has been analysed it can be mitigated by making use of firewalls and anti-virus software (Safa, Sookhak, Von Solms, Furnell, Ghani and Herawan, 2015). Apart from that, all the information of Smart Software Pvt. Ltd. should be protected, that is, it should remain encrypted so that even if it is accessed by an unauthorised user the sensitive information remains secure. Some of the information security policies that the company should use are:
- An acceptable use policy needs to be designed so that unauthorised users are prohibited from accessing the information and resources are kept secure.
- A confidential data policy should also be used by the company so that only team members are able to access the data.
- Another policy that needs to be designed is an authentication policy, which helps make sure that only valid users have made changes (Sadeghi, Wachsmann and Waidner, 2015).
- Another important policy is a network security policy, which makes sure that all communication between employees is secure and is not read by any third party (Sadeghi, Wachsmann and Waidner, 2015).
Smart Software is a leading software company that develops customised software for clients, so it is important to protect its information. One way is cryptography, which is considered an important tool as it makes sure that information is not leaked to third parties. It encodes data and code in a form that cannot be read by humans. It is also recommended to take proper backups so that information can be recovered at times of system failure. This helps in maintaining integrity, confidentiality and availability. The system might be laden with unpatched vulnerabilities (Neumann, 2016). Passwords need to be removed from browser caches and cookies so that the company does not face these kinds of vulnerabilities.
An in-house IT team needs to be set up so that they remain aware of all access. Another step that could be taken is optimum implementation. A secure virtual private network needs to be established to ensure that financial status can be tracked. A two-step verification method should be used so that users can be checked (Tsohou, Karyda and Kokolakis, 2015).
The risk management process is a step-by-step process used to identify risks by analysing all the processes. Risk is identified in every department, that is, development, IT and others. Once a risk is identified it is analysed and solutions are found so that it does not occur. It is also important to prioritise risks on the basis of their impact. The one that has the most severe impact on the system is dealt with first (Van den Berg, et al., 2014). Then the risk is treated by the IT team so that it does not pose a longer-term threat to the project. Effective training and learning are also offered so that resources can be managed efficiently (von Solms, 2015). The risk management process helps in monitoring threats so that they do not cause harm to the business.
In Smart Software Pvt. Ltd., risk assessment is an important process for analysing threats. It is important to identify threats because they can cause harm to an organisation. It helps in managing the revenue and reputation of the organisation. Effectively analysing the organisation's risk protects its assets and improves decisions so that optimal operational efficiency can be achieved. Risk evaluation compares the organisation's risk with already established criteria (Van den Berg, et al., 2014). Implementing this risk evaluation saves overall cost and meets legal requirements.
The last step of this information security plan is designing policies so that risk can be minimised. This avoids extended risk as well as the cost of risk financing. An information security plan is implemented in companies to achieve success. The goal of information security starts with logical security, which can be achieved by controlling access paths and avoiding security breaches (Marhold, Hartmut, 2016). Logical controls help in maintaining authentication and controlling the distribution of information. Security audit processes are used to verify access control. Authorisation is important in an IT company, and it is used to design the access control system (Safa and Von Solms, 2016). Rights are given only to valid users so that information is not leaked or changed by unauthorised users. Smart Software Pvt. Ltd. has implemented network security perimeter solutions so that no modifications are made by unauthorised users. Thus, a security implementation plan ensures that security is maintained.
Information security certification and accreditation for the Smart Software organisation
There are four major phases of certification and accreditation to control and manage information security risks, which are described below:
- Initiation and planning
- Continuous monitoring
Initiation and planning
This is the initial stage of the certification and accreditation process, where the information system owner (Smart Software) and the designated information security officer initiate the C&A process by acknowledging that a C&A is needed to control and monitor information security risks. It is very crucial because the C&A process is a huge undertaking that needs substantial resources, and it also involves complete information about the security policies and strategies used to reduce information security risks. The C&A process is responsible for compiling C&A documents such as a security plan and developing a risk assessment. Based on the results of risk management, any risk which cannot be removed is included in the plan of action, which is reviewed by the certifying authority.
In this phase, a group of independent auditors works through the C&A package and audits the information system with the help of a checklist to control risks and issues. Once the auditors' work is complete, they assemble a formal package with the outcomes of their evaluation and provide a recommendation to the certification and accreditation authority on the certification worthiness of the system.
In this process, the certifying community reviews the completed C&A package to validate that all the needed information is contained within the system before making an accreditation decision. Once they have reviewed the final C&A package, they provide a determination to accept any non-remediated issues before granting accreditation.
Continuous monitoring is one of the best processes that Smart Software can use to control and maintain process compliance and to handle the issues faced by the company during the communication process. The information system security officer uses intrusion detection technology, syslogs and the change management process to control and manage unauthorised changes and the risks that arise in Smart Software. With the help of this process, Smart Software can identify any configuration change which impacts the performance of the system. Moreover, an information security system and federal agencies can run an annual audit to ensure that information security has maintained its compliance baseline.
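The continuous-monitoring step described above, where syslog output is compared against an audited baseline and against the change management process so that unauthorised configuration changes stand out, can be automated. The following is an added example written for this report, not code from Smart Software or from any product it uses. The syslog lines, the baseline digests and the change records are all constructed for the example; the log format (an assumed file-integrity agent writing `fim:` lines), the file paths, the host name and the ticket identifiers are assumptions.

```python
"""Continuous-monitoring check: flag configuration changes seen in syslog
that have no matching approved change record.

Added example for the report; not Smart Software's own code. All inputs
below are constructed and the log format is an assumption."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample syslog lines. Assumed format written by a file-integrity
# agent: "<iso timestamp> <host> fim: <path> digest=<hex> user=<name>".
# Digests are truncated to four hex characters for readability.
SAMPLE_SYSLOG = """\
2019-01-14T09:02:11 build01 fim: /etc/ssh/sshd_config digest=7d1e user=root
2019-01-14T09:40:05 build01 fim: /etc/sudoers digest=b33f user=root
2019-01-14T23:17:48 build01 fim: /etc/sudoers digest=0bad user=jdoe
2019-01-15T08:00:00 build01 fim: /etc/hosts digest=c0de user=root
"""

# Constructed baseline: the digests recorded at the last approved audit.
BASELINE = {
    "/etc/ssh/sshd_config": "7d1e",
    "/etc/sudoers": "a11e",
    "/etc/hosts": "c0de",
}


@dataclass
class ChangeRecord:
    """One approved entry from the (assumed) change management process."""
    ticket: str
    path: str
    approved_by: str
    window_start: datetime
    window_end: datetime
    new_digest: str


# Constructed change record: sudoers may change to digest b33f on 14 Jan
# between 09:00 and 10:00, approved by the security officer.
APPROVED_CHANGES = [
    ChangeRecord("CHG-0001", "/etc/sudoers", "security-officer",
                 datetime(2019, 1, 14, 9, 0), datetime(2019, 1, 14, 10, 0),
                 "b33f"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fim: (?P<path>\S+) "
    r"digest=(?P<digest>[0-9a-f]+) user=(?P<user>\S+)$"
)


@dataclass
class Finding:
    timestamp: datetime
    path: str
    user: str
    status: str   # "baseline", "approved" or "unauthorized"
    detail: str


def parse_events(syslog_text):
    """Extract file-integrity events; lines in other formats are ignored."""
    events = []
    for raw in syslog_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append({**m.groupdict(),
                           "ts": datetime.fromisoformat(m["ts"])})
    return events


def matching_change(event, approved):
    """Return the change record that covers this event, if any: same path,
    same resulting digest, and the event time inside the approved window."""
    for chg in approved:
        if (chg.path == event["path"] and chg.new_digest == event["digest"]
                and chg.window_start <= event["ts"] <= chg.window_end):
            return chg
    return None


def classify_events(syslog_text, baseline, approved):
    """Compare every observed digest with the audited baseline and with the
    approved change records; anything else is an unauthorised change."""
    findings = []
    for ev in parse_events(syslog_text):
        expected = baseline.get(ev["path"])
        if expected == ev["digest"]:
            status, detail = "baseline", "matches audited baseline"
        else:
            chg = matching_change(ev, approved)
            if chg is not None:
                status = "approved"
                detail = f"covered by {chg.ticket} (approved by {chg.approved_by})"
            elif expected is None:
                status, detail = "unauthorized", "path is not in the audited baseline"
            else:
                status = "unauthorized"
                detail = "digest differs from baseline and no change record covers it"
        findings.append(Finding(ev["ts"], ev["path"], ev["user"], status, detail))
    return findings


def unauthorized_changes(syslog_text, baseline, approved):
    """The subset of findings the security officer needs to act on."""
    return [f for f in classify_events(syslog_text, baseline, approved)
            if f.status == "unauthorized"]


if __name__ == "__main__":
    for f in classify_events(SAMPLE_SYSLOG, BASELINE, APPROVED_CHANGES):
        print(f"{f.timestamp.isoformat()} {f.path:22} {f.user:6} {f.status:12} {f.detail}")
```

Run on the constructed input, the sudoers change at 09:40 is reported as approved because it lands inside the CHG-0001 window and produces the digest the ticket promised, while the 23:17 change by `jdoe` has neither a ticket nor a baseline match and is the one event that needs follow-up. After each approved change the baseline dictionary would be updated to the new digest, which is the "compliance baseline" the annual audit then checks against.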
It can be concluded from this report that an information security plan and a risk assessment plan are important for every organisation. In this report, the case study of Smart Software Pvt. Ltd. is considered; it is a software company that has many clients all over the world. The company's information is quite sensitive, and it is important to maintain its integrity and confidentiality. Various issues can affect the company if information is not handled correctly. Thus, various steps are discussed so that security breaches can be minimised. The important information assets are analysed and ways to mitigate the risk are discussed. The company's information assets are also listed, and ways are found through which risk can be mitigated. One of the risk management frameworks is also discussed, describing how it secures the network. An information security plan can be implemented in many forms. One such policy is encapsulating the information so that it is not visible to everyone. It can be concluded that this framework is used to identify and fill the gap between objectives. It ensures that a proper communication link is established, which helps in identifying potential risks. It also improves monitoring standards. This framework oversees risk management activities and then defines strategies so that successful execution takes place.
Ab Rahman, N.H. and Choo, K.K.R., 2015. A survey of information security incident handling in the cloud. Computers & Security, 49, pp.45-69.
Braun, Aurel, 2018. The extreme right: freedom and security at risk. Routledge.
Chen, Y.A.N., Ramamurthy, K.R.A.M. and Wen, K.W., 2015. Impacts of comprehensive information security programs on information security culture. Journal of Computer Information Systems, 55(3), pp.11-19.
Dimensiondata, 2016. Inside Security: Top 10 cybersecurity challenges facing organisations. Available from https://blog.dimensiondata.com/2016/04/top-10-cybersecurity-challenges-companies-face-today/ Accessed on 25 April 2018.
Eling, M. (2018) Cyber Risk and Cyber Risk Insurance: Status Quo and Future Research.
Elmaghraby, A.S. and Losavio, M.M. (2014). Cyber security challenges in Smart Cities: Safety, security and privacy. Journal of advanced research, 5(4), pp.491-497.
Günther, K., 2017. World citizens between freedom and security. In Civil Rights and Security (pp. 433-445). Routledge.
Harbeson, John W., 2015. Post-Millennium US Aid for Africa: Reconciling Freedom and Security, Theirs and Ours. In Foreign Aid and Foreign Policy: Lessons for the Next Half-century (pp. 237-259). Routledge.
Haufe, K., Colomo-Palacios, R., Dzombeta, S., Brandis, K. and Stantchev, V., 2016. Security management standards: a mapping. Procedia Computer Science, 100, pp.755-761.
Ho, L.H., Hsu, M.T. and Yen, T.M., 2015. Identifying core control items of information security management and improvement strategies by applying fuzzy DEMATEL. Information & Computer Security, 23(2), pp.161-177.
Kong, H.S. and You, Y.H., Samsung Electronics Co Ltd, 2015. Security management system and method for location-based mobile device. U.S. Patent 9,071,621.
Marhold, Hartmut, 2016. The European "Area of Freedom, Security and Justice": three fundamental dilemmas. In Europe in Trouble (pp. 45-54). Nomos Verlagsgesellschaft mbH & Co. KG.
Mawdsley, Jocelyn, 2017. "External 13 facets of justice, freedom and security." Foreign Policies of EU Member States: Continuity and Europeanisation, 218.
Neumann Jr., R.K., 2016. Academic Freedom, Job Security, and Costs. J. Legal Educ., 66, 595.
Pawlak, Mikołaj, 2016. Unaccountable: How elite power brokers corrupt our finances, freedom, and security, pp.114-116.
Rawat, D.B. and Bajracharya, C. (2015). Cyber security for smart grid systems: Status, challenges and perspectives. In SoutheastCon 2015 (pp. 1-6). IEEE.
Sadeghi, A.R., Wachsmann, C. and Waidner, M. (2015). Security and privacy challenges in industrial internet of things. In Proceedings of the 52nd annual design automation conference (p. 54). ACM.
Safa, N.S. and Von Solms, R., 2016. An information security knowledge sharing model in organizations. Computers in Human Behavior, 57, pp.442-451.
Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T., 2015. Information security conscious care behaviour formation in organizations. Computers & Security, 53, pp.65-78.
Simpson, B. (2017). The top 10 cyber security challenges for businesses. Available from https://www.barclaysimpson.com/industrynews/the-top-10-cyber-security-challenges-for-businesses-801833525 Accessed on 16 jan 2019.
Tsohou, A., Karyda, M. and Kokolakis, S., 2015. Analyzing the role of cognitive and cultural biases in the internalization of information security policies: recommendations for information security awareness programs. Computers & security, 52, pp.128-141.
Van den Berg, J., Van Zoggel, J., Snels, M., Van Leeuwen, M., Boeke, S., van de Koppen, L., Van der Lubbe, J., Van den Berg, B. and De Bos, T. (2014). On (the Emergence of) Cyber Security Science and its Challenges for Cyber Security Education. In Proceedings of the NATO IST-122 Cyber Security Science and Engineering Symposium (pp. 13-14).
von Solms, S.B., 2015. Information Security Governance–compliance management vs operational management. Computers & Security, 24(6), pp.443-447.