CPU6004 Network Security Is A Crucial Topic Covered In The Essay.

In preparation for this task you will prepare a report including:

Discuss risk assessment procedures faced by the company. 

How data protection processes and regulations along with a summarisation of ISO 31000 risk management methodology and its application in IT Security.

The potential impact that an IT security audit might have on the security of the organisational policy. 

Discuss the roles of stakeholders in the organisation to implement security audit recommendations.

Following your report, you will now design and implement a security policy for Bolton College, while considering the main components of an organisational disaster recovery plan to be included and a justification for their inclusion.

Within your report, evaluate the suitability of tools used within security policies and how they would align with IT security.

Continuing with your report, consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment

Information technology has allowed every sector to be innovative and much efficient in delivering their outputs or productions. Technological advancement allows individuals to be proactive and deliver their sector of the operational activities in an efficient way. However, there are certain risks associated with the application of information technology. Consideration and management of these risks are vital for increasing the efficiency of the technology being used for delivering the operational activities.

Bolton College has adopted the information technology as an integral part for supporting the students, staffs on campus, faculty, and researchers. The technology has become the key component for the institute to manage and support the academic demand of the institution, quality and learning improvements for the students, and the safety and well-being of the entire community.

The purpose of this report is to analyze and evaluate the risks associated to the adoption of the technology as the key component for the management of the above operational activities the facts proposed in this report will based on the consideration of the stakeholders involved in this project along with the alignment of the organizational policy and the security policy.

The risk management related to the data security and privacy of the customers is the commitment of the Bolton College as mentioned in the “Data Protection Policy” version vG1 launched by Bolton College at 12/05/2018 (BoltonCollege 2018). The institution focuses on the enhancement of the network and data infrastructure in addition to the security policies based on the needs and requirements. There are three major pillars in the risk management section including privacy, security, and protection against data breach and intrusion. They have adopted Data Protection Impact Assessment (“DPIA”) security standard for developing the information security management and infrastructure practices considering the needs and requirements of the University. The institution focuses on increasing the awareness among the stakeholders through delivering campaign and training programs. They are focusing on implementing the security awareness and education programs across the campus emphasizing on increasing the knowledge related to potential and current risks, and the security compliance issues.

In 2009, ISO 31000 was originally published and the updated version was launched in February 2018 with same overall purpose with certain additional changes. The latest version of ISO 31000 include the following changes as compared to the previous version:

• The risk management principles are the major components for the successful and efficient deployment of the risk management and it must be reviewed on regular basis.
• The new version highlights on the importance of leadership by top management explaining that the risk management starts from the organizational governance.
• The revised version greatly emphasizes on the iterative nature of the risk management focusing on the regular audit and regulation for managing and developing new strategies as per the current needs and requirement of the organization.
• The ISO 31000 comment that “the content is streamlined with greater focus on sustaining an open systems model to fit multiple needs and contexts.”

This standard is applicable for all size of the organization and supports the management of the risks those could possibly influence the management and delivery of the operational activities. The Bolton College can gain competitive advantage through enhancing the customer satisfaction of the students. The globally accepted standard will always be acceptable to all the stakeholders associated with the institution and hence, the more students can have better satisfaction on the proposed risk management strategies. The impact of the risks could be minimized to the extent level through adopting the 31000 risk management standard.

This regular update can be helpful for the Bolton College to manage the compliance programs updated and allow them to aim in the right direction. It allows the organization to manage and manipulate the existing policies as per the need and requirement of the stakeholders through identifying and fixing the glitches or issues those could possibly influence the security. The IT security Audit is also helpful in analysing and evaluating the standards, procedures, and policies those could be helpful in managing the security of the network and technology being used for the management and delivery of the operational activities.

Successful security auditing program emphasizes on the regular evaluation of the policies, standards, and regulation compliance with the organizational and human resource policies. The stakeholders need to understand that it could be time taking process and thus, the stakeholders need to allow the IT specialists to monitor and look after the sections those are considerable for the efficient delivery of the audit program that can be helpful in improving the security of the institutional infrastructure. The project manager or institutional head should assure that there is proper and effective strategy or timeline developed for the delivery and management of the audit program. The network administrators should thoroughly monitor the ongoing access over the network and identify the suspicious codes or messages those could possibly impact the network in future.

The purpose of this security policy is to make sure the efficient and effective use of the information resources and technology and have an alternative disaster recovery option for certain uncertainties.

This policy will be applicable to all the stakeholders those are directly or indirectly connected to the Bolton College and will majorly focus on the faculty, students, researchers, and staffs of the institution. It will monitor and regularly audit the network and storage for assuring the identification and management of the data security.

Every user of the Bolton College’s information resources and technologies is applicable to be connected with the institute’s network and database for the management and delivery of the operational activities for every stakeholder. The policy will be applied to all types of the information resources being used for the administration, teaching, research, or any other purpose within the campus. The illegal activities not complying with the government laws will be considered illegal and legal actions will be made on them as per the court or government policies.

1. Data Security Principles

It aims at managing the data security and protection of the information resources being utilized and used within the college campus. It focuses on the following major principles:

1. Availability of the information resources
2. Integrity of the information
3. Confidentiality of the information
4. Academic pursuits support
5. Information access
6. Security Controls

ISO 31000 risk management methodology standard will be adopted for the management and delivery of the security controls those could allow enhancement in the security of the entire environment. It is being adopted considering the welfare and benefits of the data security and infrastructure required for the management and delivery of the operational activities. The data security will be managed as per the following classification of the data considering its priority and sensitiveness:

1. High risk data
2. Moderate risk data, and
3. Low risk data

Based on the above priorities, the data management will be proceeded considering its security and privacy.

There will be different responsibilities for different personals involved in the project including the following:

ISO (Information Security Officer): ISO will be responsible for the implementation of the policies and the procedures those could be helpful in governing and managing the privacy and security of the data saved in the database of the college.

Data Custodians: their responsibility will be to take care of the application being used, system data policies, and other information resources those are in their control.

System Developers: Their responsibility will be to manage the role of the network administrator, integration, and development, related to the application of the information resources as per the policies and regulations developed for the application of the information resources.

Users: The every user connected to the institution needs to understand their sector of authorization and access of data and information and use the resources in efficient and effective manner.

Third-party affiliates: the vendors, consultants, and partners need to abide the developed policies and make sure that they follow them in an efficient and effective way without hampering the developed information and organization infrastructure.

Accessing the information or data other than the authority of the individuals will be considered as the violation of the policy and will be treated accordingly. The charges for such unwanted activities will have financial punishment or could lead to dis-attachment with the institution. Using the information for personal benefits in any way will also be considered as the violation of the policy and the user will have to face punishment as applicable. Criminal activities will have legal actions as per the government and will be managed by the local or national federals as appropriate for the government, the institution will not interfere nor take the responsibility of any of the criminal activities.  

Dual factor authentication, different level of authentication, a monitoring system, and alarm system, and encryption can be used as the appropriate tools for allowing the successful and efficient deployment of the security policy. The mentioned tools are highly recommended considering the proper and regular monitoring and audit of the network and the database of the Bolton College information resources. It would be helpful in identifying the severity of the threat and identify the victim or the individuals responsible for violating the policies and hence, punishing accordingly.  

The Bolton College’s IT team is managing the IT infrastructure that is capable of handling and supporting the files, databases, and applications across the VMware environment and is managing the strength of 500 staffs and 12000 students. Major emphasis is provided on the storage of the institutional database for assuring the functioning of the web portals and Information System functioning. The organizational policy emphasizes on the proper delivery of the educational services to the college’s stakeholders and hence the developed policy should must align with the organizational policy in manner to manage the operational activities in an effective and efficient way. The organizational policy also emphasizes on the secured use of the information resources and technology for assuring the effectiveness of the security arrangements. It is necessary that the organizational policy align with the IT security considering the application and benefits of the information resources and technologies being used for boosting the academic activities.

It can be concluded that the above report discusses the IT security and management considering the pace in the application of the information technology and resources. The first section described the background of the Bolton College in addition to the adoption being made for improvising the way of operation deliveries within the campus. Thereafter a conclusion being presented stated the current risk management strategies adopted by the College considering the usage of the information resources and technologies. It can be concluded that the existing policies of the college lags in delivering necessary security and audit processes and hence, the improvisation is necessary considering the delivery and management of the security and privacy of the individuals. The next phases of the project describes the adoption of the best strategies and policies those are considerable for the improvement of the security aspects of the Bolton College.

Based on the information provided above, the following recommendations can be made:

1. The Bolton College should consider the application of tools and technologies those could be helpful in improving the security of the institutional information resources and technologies.
2. There should be regular IT security audit considering the evaluation, management and compliance of the policies.
3. The Bolton College should adopt ISO 31000 risk management methodology within its policies for assuring the development and management of the data security and privacy.
4. The policy recommended in this paper can be adopted for enhancing the data and information security.
5. The network monitoring, alarm system, and encryption should be used within the network for assuring the data security and privacy.

Ahmed, T., Andersen, K., Shaffer, P., Crocker, D., Ghosh, S., Connelly, K., Gummadi, K.P., Crandall, D., Kate, A., Kapadia, A. and Cranor, L.F., 2016. Addressing physical safety, security, and privacy for people with visual impairments. In Twelfth Symposium on Usable Privacy and Security ({SOUPS} 2016)(pp. 341-354).

Alexander, D. et al. (2008) Information Security Management Principles. BSC.

Bennett, C.J. and Raab, C.D., 2017. The governance of privacy: Policy instruments in global perspective. Routledge.

BoltonCollege., 2018. Link: https://www.boltoncollege.ac.uk/assets/Uploads/Attachments/GDPR/Bolton-College-Data-Full-Protection-Policy.pdf. Accessed on [25^th, Nov 2018].

Farooq, A., Kakakhel, S.R.U., Virtanen, S. and Isoaho, J., 2015, December. A taxonomy of perceived information security and privacy threats among IT security students. In Internet Technology and Secured Transactions (ICITST), 2015 10th International Conference for (pp. 280-286). IEEE.

Habib, H., Naeini, P.E., Devlin, S., Oates, M., Swoopes, C., Bauer, L., Christin, N. and Cranor, L.F., 2018. User behaviors and attitudes under password expiration policies. In Fourteenth Symposium on Usable Privacy and Security ({SOUPS} 2018) (pp. 13-30).

Happen to Us – Avoiding Corporate Disaster While Driving Success. Wiley.

Kaunert, C., 2018. European internal security: towards supranational governance in the area of freedom, security and justice.

Lowry, P.B., Dinev, T., Willison, R., Belanger, F., Benbasat, I., Brown, S.A., Culnan, M., Galletta, D., George, J., Pavlou, P. and Rao, H.R., 2015. Call for Papers: European Journal of Information Systems (EJIS) Special Issue on Security and Privacy in 21 st Century Organisations. European Journal of Information Systems.

Martin, Y.S. and Kung, A., 2018, April. Methods and Tools for GDPR Compliance Through Privacy and Data Protection Engineering. In 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 108-111). IEEE.

Nazareth, D.L. and Choi, J., 2015. A system dynamics model for information security management. Information & Management, 52(1), pp.123-134.

Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.

Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.

Steinberg, R. (2011) Governance, Risk Management, and Compliance: It Can't

Sunyaev, A., Dehling, T., Taylor, P.L. and Mandl, K.D., 2014. Availability and quality of mobile health app privacy policies. Journal of the American Medical Informatics Association, 22(e1), pp.e28-e33.

Tipton, H. (2010) Information Security Management Handbook. 4th Ed. Auerbach Pubs.

Washizaki, H., Fukumoto, S., Yamamoto, M., Yoshizawa, M., Fukazawa, Y., Kato, T., Ogata, S., Kaiya, H., Fernandez, E.B., Kanuka, H. and Kondo, Y., 2016, June. A metamodel for security and privacy knowledge in cloud services. In 2016 IEEE World Congress on Services (SERVICES) (pp. 142-143). IEEE.

General References

https://www.bc.edu/content/dam/files/offices/its/pdf/ITS-strategic-plan-v1-1-fall15.pdf

www.bcs.org British Computer Society (General Reference)

www.bsa.org.uk Business Software Alliance (General Reference)

www.fast.org.uk Federation Against Software Theft (General Reference)

www.ico.gov.uk Information Commissioners Office (General Reference)