Academics for Academics
Each student/group is required to analyse the scenario given on page 2 and produce a report that discusses the guidelines for managing the information security risks of the organisation. Your report should have the Executive Summary, Table of Contents, Introduction, Discussion (the guidelines), Assumptions and References sections.
Check the unit website at least once a week for further information relating to this assessment task. Please ensure that you write your answers in your own words to avoid possible plagiarism and copyright violation. You can understand the Plagiarism Procedures by following the corresponding link in the CQUniversity Policies section of the Unit Profile. Late assessments will be penalised as per the university policies and guidelines.
Academics for Academics (A4A) is a Non-Governmental Organisation (NGO) that has its head office in Sydney and its branch office in Singapore. Being an NGO, A4A funds all of its projects and activities from public donations. A4A has a team of 10 staff members; 6 of them are located in the Sydney office and the remaining four are located in the Singapore office.
A4A was established to help small public and private universities and colleges in Australia and Southeast Asia. The private universities and colleges that are interested in receiving the service of A4A need to register with A4A and become its member institutions. The academics and experienced professionals who would like to provide a voluntary service, such as teaching a subject, supervising a research project or developing curricula for a member institution, can register their interest with A4A. After a recruiting process, they can become members of A4A. A4A then recruits them to short-term assignments at its member institutions. The members that are recruited to various projects will be provided with accommodation, meals, medical and travel expenses.
Once recruited to a project, the A4A member will work at the member institution, but the information produced by the member, except the emails, marked assignments and exams, will remain the property of A4A and the member. As such, all that information should be handled and stored by the information system of A4A irrespective of the location where the member works. A4A needs the guarantee that the various data and information in its information system are secured.
As A4A was established last year, the information security policies have not yet been developed. It is now in the process of developing a comprehensive set of information security policies for its information system.
A recognized and popular Non-Governmental Organization (NGO), Academics For Academics or A4A, has its head office in Sydney and its branch office in Singapore. The funds for all the activities and projects of this organization mainly come from public donations (Fleischmann et al. 2014). The organization does not fund them from its own money. This non-governmental organization has a team of ten staff members in total. The Sydney office has six of the ten staff members and the remaining four are in the Singapore office. In spite of working in two different locations, Sydney and Singapore, all ten staff members work together as a team to achieve the organizational goals and objectives. Academics For Academics was established to help all the small private and public colleges and universities in Southeast Asia and Australia (Awadh and Alyahya 2013). The universities that want to receive the services of A4A have to register themselves and become members of A4A. This organization has to store its confidential information in the information system. However, this information system can have many security risks and data breaches.
The following report gives a brief description of the case study of Academics For Academics or A4A. This non-governmental organization has all its confidential data and information stored and kept in its information security system. This information security system helps it to manipulate, retrieve and store information easily and quickly (Vaccaro et al. 2012). The report provides a discussion of the probable security risks and the ways to mitigate or manage these risks. These risks can be extremely harmful for any organization and its information security system. However, these risks can be controlled by certain measures. The report also gives suitable assumptions on the management of data breaches. The description of the above discussion is given in the following paragraphs.
Academics For Academics or A4A is a popular and recognized non-governmental organization, commonly known as an NGO. It was established in the previous year. This non-governmental organization has its head office in Sydney and its branch office in Singapore. The projects and the activities of this organization are sponsored by donations that come from the public. A4A has a team of ten members in total (Andres et al. 2012). Of these, six members are in the Sydney office, whereas the remaining four members are in the Singapore office. This organization was established to help all the smaller public and private colleges and universities in Southeast Asia and Australia. The private colleges and universities that are interested in getting the services of A4A have to register themselves and thus become the member colleges and universities of A4A (Awadh and Alyahya 2013). Moreover, experienced professionals who are interested in giving voluntary services to any member college or university can also register themselves with Academics For Academics. The voluntary services include supervision of a research project, development of a curriculum or simply teaching a subject to the students. The organization will hire these people and they become members of A4A (Kotlar and De Massis 2013). The organization will then give them short-term and interim assignments for a given period of time. The members get several advantages or benefits from the organization, like meals, accommodation, and travel and medical expenses. Since this is a globally recognized organization, all the members should get these benefits from it. Once the members are recruited, they will do their jobs at the particular institution. However, there is one major condition for this job (Fleischmann et al. 2014).
All the confidential information, excluding the examinations, marked assignments and the personal emails, will be the property of the member institutions and Academics For Academics. All the confidential information will be stored and managed by the organization’s security information system irrespective of the location where the member is working (Sessa and London 2015). It is verified and guaranteed that all the information is secured in their system.
Information Security Risks
The information security system of Academics For Academics or A4A stores all the confidential data and information regarding their projects and activities (Ackermann et al., 2012). Information security is the practice of detecting and protecting against unauthorized access, modification, alteration, utilization, inspection, disclosure, recording and destruction of information. This information should be secured so that information security risks or data breaches do not affect the system (He 2012). Academics For Academics can have several information security risks. The probable security risks of the information system are as follows:
i) Malicious Code or Software: This is one of the most dangerous and common security threats or risks for an information system (Creese et al. 2012). This type of threat is nothing but code or software that is injected into a system by an intruder or hacker to infect the system. The code or software is malicious in nature and it can easily replicate itself once present in the system. This code or software is commonly known as a virus. The main problem of this software or code is that it completely formats the entire system and all the confidential data and information is absolutely lost (Zissis and Lekkas 2012). This is risky because, if the data and information is lost, the organization can be in serious trouble.
ii) Denial of Service Attacks: The DoS or Denial of Service attack is the second most important and significant risk or threat for any information system (Creese et al. 2012). This particular type of security threat occurs when the hacker or the intruder intrudes or hacks into a system and denies the entire service. The main problem of this type of attack is that the owner of the system has absolutely no idea about the intrusion and the hacker does his job with ease. The hacker obtains full access to the affected system and the moment the user tries to enter the system, the service is denied (Chou 2013). The other disadvantage of this type of attack is that the entire server or system is slowed down. These attacks are also carried out across multiple computers, known as distributed denial of service or DDoS attacks.
iii) Information Leakage: Information is the most important and confidential part of any organization. It should not be lost or intercepted at any cost. However, there is always a risk or threat of leakage of information in an information system. This can occur in two ways (Rakes, Deane and Rees 2012). The first way is that there is a technical problem in the system and the information is leaked, and the other way is through an employee. The technical problem of any system can be mitigated by taking certain measures. The employee can leak the information either unintentionally or intentionally, that is, with wrong intentions.
iv) Receiving Unsolicited Emails: This is another significant and dangerous threat or risk, where the victim receives a hoax or fake email from fake email ids that claim to belong to an authorized institution (Peltier 2013). The moment this hoax email is opened, the information system is hacked and corrupted and nothing can be done about it.
v) Identity Theft: In this type of security risk, the identity of the user is stolen. The hacker or the intruder gets into a system to get all the confidential data (Berghel 2012). The most surprising feature of this threat is that the hacker acts as the user and the person sitting opposite the system has no idea about this.
vi) Unauthorized Installation of Software: Software in a system plays the most important role for the functions of the system. Any type of unauthorized software plays the opposite role (Sawik 2013). The victim invites the hackers as soon as he installs or updates unauthorized software. This type of software is extremely harmful for the information system.
vii) Unintentional Damage: Not all security risks are caused intentionally; some are caused unintentionally. Employees or staff members of an organization often damage the information system of the organization through either lack of training or carelessness (Oriyano 2016). This type of damage can be caused either by losing confidential information or by damaging any of the information technology assets.
viii) Destruction of Records: This is another important and significant security risk for any information system. The records must not be destroyed at any cost in any information system (Biham and Shamir 2012). This type of risk is caused by the intentional or unintentional actions of an employee.
ix) Modification in Data: Information or data modification or alteration is another major and significant threat for any organization. The modified information often does not reveal the originality of the message and the receiver is unable to get the right message (Kamara, Papamanthou and Roeder 2012). The information system has a high chance of modification or alteration of information.
x) Eavesdropping: This is again a dangerous security threat. Eavesdropping in general terms means hearing or sneaking into a system. The hacker or the intruder sneaks into the system of the victim and gets all the necessary and confidential information (Dong, Liao and Li 2012). However, in most cases, the hacker only checks the information and does not modify or alter it.
xi) Interception of Information: In this type of security threat, the hacker intercepts or changes the entire content of the information present in the system and the receiver gets the intercepted or modified version of the information (Romanosky, Hoffman and Acquisti 2014). This often turns out to be extremely dangerous as the information loses its confidentiality and integrity.
xii) Network Traffic Manipulation: This is another significant security threat for any information system. The intruder manipulates the network traffic and the network becomes slow. During this time, the hacker gets the chance to steal all the confidential information.
xiii) Man in the Middle: In this type of security risk, the hacker stays in between the victim and the network and collects all the confidential information. He can even change or intercept the entire information by this means.
xiv) Phishing: This is another significant security threat for any information system. The hacker or the intruder collects all the information of the system. This is mostly done through fake and hoax emails sent to the victim. The moment the email is clicked to open, all the details are stolen and money is stolen. Phishing has become extremely common for any type of information system in the modern world.
The above-mentioned security risks and data breaches are common and applicable to the information system of Academics For Academics or A4A. These security threats can put the non-governmental organization in a very serious position. They need to be mitigated and reduced immediately. The description of how to reduce the security risks is given in the following paragraphs.
The information system of Academics For Academics is exposed to several risks, which can be extremely harmful for the organizational information (Ghosh, Gajar and Rai 2013). However, there are ways and guidelines for mitigating or reducing these risks or threats. The mitigation or reduction plans for the security risks are as follows:
i) Antivirus: The most basic and simple way of mitigating the malicious code and software is the installation of antivirus in any system. This type of software helps to detect and prevent the virus attacks and malicious codes or software from entering into the system.
ii) Firewalls: The second most significant way of preventing any security risk is the installation of firewalls. As the name suggests this type of security acts as a wall for any system and thus detects and prevents any type of information security risk. Firewalls can be implemented in any information system for the security purpose with utmost ease. The user will only have to install the firewall software in his system.
iii) Encryption: The third simple and basic way of protecting confidential information is the procedure of encryption. It is the process of encoding confidential information or a message into an encrypted version known as the cipher text. This is done in such a way that only the authorized sender and receiver are able to access the information. This process is highly recommended for any organization to reduce the interception of its messages. Encryption has two basic kinds of algorithm. They are the symmetric key algorithm and the asymmetric key algorithm. The symmetric key algorithm has only one key for encoding and decoding a message. It means the sender and the receiver of the message use the same key for encryption and decryption of messages. The main advantage of this particular type of algorithm is that it is extremely simple to implement and use. The second algorithm is the asymmetric key algorithm. This is somewhat different from the symmetric key algorithm. Here, the keys for encoding and decoding of messages are different, and this particular feature makes this algorithm a little more complicated than the symmetric one.
iv) Digital Authentication: This is another very popular and secured way of securing any type of information (Ghosh, Gajar and Rai 2013). Digital authentication is the process of sanctioning or authenticating an individual or person digitally. The main examples of digital authentication are the fingerprint recognition, face recognition, digital signatures and voice recognition. The implementation of this security policy is done by implementing biometric entry to any organization or information system (Hashizume et al. 2013). Only the authorized and authenticated employees or individuals are allowed to enter or access the system.
v) Passwords: This is the most basic way of securing any information in an information system. Identity thefts are reduced or mitigated by this procedure (Berghel 2012). The presence of passwords protects the entire system and no hackers or intruders are able to enter the system easily. Moreover, passwords secure the system in such a way that the physical access to the system is controlled (Layton and Watters 2014). Biometric passwords are the best solutions for any security-related problems as they only allow the authorized and authenticated employees or individuals to access the information.
The above-mentioned five ways can help Academics For Academics or A4A for managing their probable security risks and threats in the information system (Black 2013). The organization might not be able to stop the risks, however, by following these options, they will be able to mitigate or reduce the security risks or threats to some extent.
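The Encryption item above distinguishes symmetric from asymmetric keys; in practice the two are combined, which goes one step beyond the text. The following is an added example, not part of the original essay: it assumes the third-party Python `cryptography` package, and the function names and the sample document are constructed for illustration.

```python
"""Added illustration: symmetric and asymmetric encryption used together.

Scenario (assumed): an A4A member working at a member institution sends a
document to A4A's information system. A fresh symmetric key encrypts the
document; the recipient's public key encrypts ("wraps") that symmetric key.
"""
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP padding for the asymmetric step (never use raw/unpadded RSA).
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_recipient_keypair():
    """Asymmetric: two different keys. The public key may be shared freely."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def seal(document: bytes, recipient_public_key) -> dict:
    """Encrypt a document for one recipient.

    Symmetric step: one random key both encrypts and decrypts the document
    (Fernet is authenticated encryption, so tampering is detected).
    Asymmetric step: only the holder of the private key can recover that key.
    """
    data_key = Fernet.generate_key()
    ciphertext = Fernet(data_key).encrypt(document)
    wrapped_key = recipient_public_key.encrypt(data_key, OAEP)
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext}


def open_sealed(envelope: dict, recipient_private_key) -> bytes:
    """Unwrap the symmetric key with the private key, then decrypt."""
    data_key = recipient_private_key.decrypt(envelope["wrapped_key"], OAEP)
    return Fernet(data_key).decrypt(envelope["ciphertext"])


def try_open(envelope: dict, private_key):
    """Return the plaintext, or None if the key is wrong or data was altered."""
    try:
        return open_sealed(envelope, private_key)
    except (ValueError, InvalidToken):
        return None


def tamper(envelope: dict) -> dict:
    """Constructed test helper: change one character of the ciphertext."""
    ct = envelope["ciphertext"]
    swapped = b"A" if ct[20:21] != b"A" else b"B"
    return {**envelope, "ciphertext": ct[:20] + swapped + ct[21:]}


if __name__ == "__main__":
    # Constructed sample data.
    document = b"A4A project report (constructed sample)"
    a4a_private, a4a_public = generate_recipient_keypair()
    outsider_private, _ = generate_recipient_keypair()

    envelope = seal(document, a4a_public)
    print("intended recipient:", try_open(envelope, a4a_private))
    print("wrong private key: ", try_open(envelope, outsider_private))
    print("modified in transit:", try_open(tamper(envelope), a4a_private))
```

Only the public key has to travel to the sender, so the shared-secret distribution problem of a purely symmetric scheme does not arise, while the bulk of the data is still handled by the faster symmetric algorithm.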
Assumptions on any case study or scenario are made from the overall discussion and justifications. The assumptions for the management of security risks and threats in Academics For Academics or A4A are as follows:
i) Academics For Academics is a non-governmental institution that helps the small private and public colleges and universities in Southeast Asia and Australia.
ii) The private colleges and universities who want to receive the services of A4A have to register themselves with A4A.
iii) The professionals who want to provide voluntary services in the field of teaching and research can register themselves with Academics For Academics, which will be a great option for all professionals.
iv) Academics For Academics or A4A is hiring various professionals of various fields and is allowing cultural diversity in the organization.
v) When the professionals become members of the organization, they will get benefits like travel and medical expenses, meals and accommodation charges.
vi) The organization has only one condition for the members that all the information will be property of A4A.
vii) The non-governmental organization, Academics For Academics stores all their institutional information in a secured information system.
viii) There are several and probable risks in this information system. These risks can be extremely harmful for the information system.
ix) The probable risks of the information system are phishing, information leakage, malicious code, malicious software, spoofing, denial of services, interception of messages, unintentional damage of information and assets and many more.
x) These risks are mitigated by following several steps and by undertaking several measures.
xi) The basic ways of mitigating such risks are antivirus, passwords, digital authentication, encryption and firewalls.
xii) Academics For Academics is supposed to obtain all the organizational goals and objectives by their innovative organizational strategies.
Therefore, from the above discussion it can be concluded that Academics For Academics is a popular and recognized non-governmental organization or NGO. A4A has its head office in Sydney and its branch office in Singapore. The funds for all the activities and projects of this organization mainly come from public donations. The organization does not fund them from its own money. This non-governmental organization has a team of ten staff members in total. The Sydney office has six of the ten staff members and the remaining four are in the Singapore office. In spite of working in two different locations, Sydney and Singapore, all ten staff members work together as a team to achieve the organizational goals and objectives. Academics For Academics was established to help all the small private and public colleges and universities in Southeast Asia and Australia. The universities that want to receive the services of A4A have to register themselves and become members of A4A. This organization has to store its confidential information in the information system. However, this information system can have many security risks and data breaches. The above report provides a brief discussion of the case study of Academics For Academics or A4A. This non-governmental organization has all its confidential data and information stored and kept in its information security system. This information security system helps it to manipulate, retrieve and store information easily and quickly. The report provides a discussion of the probable security risks and the ways to mitigate or manage these risks. The most significant risks of the information system of the organization are malicious code, malicious software, phishing, denial of services, interception of messages, information leakage, and unintentional damage of information and assets. These risks can be extremely harmful for any organization and its information security system.
However, these risks can be controlled by certain measures. Suitable assumptions of the case study are also provided in the report.
Ackermann, T., Widjaja, T., Benlian, A. and Buxmann, P., 2012. Perceived IT security risks of cloud computing: Conceptualization and scale development.
Andres, S.G., Cole, D.M., Cummings, T.G., Garcia, R.R., Kenyon, B.M., Kurtz, G.R., McClure, S.C., Moore, C.W., O'dea, M.J. and Saruwatari, K.D., Mcafee, Inc., 2012. System and method of managing network security risks. U.S. Patent 8,201,257.
Awadh, A.M. and Alyahya, M.S., 2013. Impact of organizational culture on employee performance. International Review of Management and Business Research, 2(1), p.168.
Berghel, H., 2012. Identity theft and financial fraud: Some strangeness in the proportions. Computer, 45(1), pp.86-89.
Biham, E. and Shamir, A., 2012. Differential cryptanalysis of the data encryption standard. Springer Science & Business Media.
Black, J., 2013. Developments in data security breach liability. The Business Lawyer, 69(1), pp.199-207.
Chou, T.S., 2013. Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), p.79.
Creese, S., Goldsmith, M., Nurse, J.R. and Phillips, E., 2012, June. A data-reachability model for elucidating privacy and security risks related to the use of online social networks. In Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on (pp. 1124-1131). IEEE.
Dong, T., Liao, X. and Li, H., 2012, April. Stability and Hopf bifurcation in a computer virus model with multistate antivirus. In Abstract and Applied Analysis (Vol. 2012). Hindawi Publishing Corporation.
Fleischmann, A., Schmidt, W., Stary, C., Obermeier, S. and Börger, E., 2014. Subject-oriented business process management. Springer Publishing Company, Incorporated.
Ghosh, A., Gajar, P.K. and Rai, S., 2013. Bring your own device (BYOD): Security risks and mitigating strategies. Journal of Global Research in Computer Science, 4(4), pp.62-70.
Hashizume, K., Rosado, D.G., Fernández-Medina, E. and Fernandez, E.B., 2013. An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(1), p.5.
He, W., 2012. A review of social media security risks and mitigation techniques. Journal of Systems and Information Technology, 14(2), pp.171-180.
Kamara, S., Papamanthou, C. and Roeder, T., 2012, October. Dynamic searchable symmetric encryption. In Proceedings of the 2012 ACM conference on Computer and communications security (pp. 965-976). ACM.
Kotlar, J. and De Massis, A., 2013. Goal setting in family firms: Goal diversity, social interactions, and collective commitment to family-centered goals. Entrepreneurship Theory and Practice, 37(6), pp.1263-1288.
Layton, R. and Watters, P.A., 2014. A methodology for estimating the tangible cost of data breaches. Journal of Information Security and Applications, 19(6), pp.321-330.
Oriyano, S.P., 2016. Denial of Service. CEH™ v9: Certified Ethical Hacker Version 9 Study Guide, pp.305-329.
Peltier, T.R., 2013. Information security fundamentals. CRC Press.
Rakes, T.R., Deane, J.K. and Rees, L.P., 2012. IT security planning under uncertainty for high-impact events. Omega, 40(1), pp.79-88.
Romanosky, S., Hoffman, D. and Acquisti, A., 2014. Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1), pp.74-104.
Sawik, T., 2013. Selection of optimal countermeasure portfolio in IT security planning. Decision Support Systems, 55(1), pp.156-164.
Sessa, V.I. and London, M., 2015. Continuous learning in organizations: Individual, group, and organizational perspectives. Psychology Press.
Vaccaro, I.G., Jansen, J.J., Van Den Bosch, F.A. and Volberda, H.W., 2012. Management innovation and leadership: The moderating role of organizational size. Journal of Management Studies, 49(1), pp.28-51.
Zissis, D. and Lekkas, D., 2012. Addressing cloud computing security issues. Future Generation computer systems, 28(3), pp.583-592.