Discuss the IT risk management of an information systems security policy.
Forum Post 1
Information Security Basics
The information technology landscape, in terms of information security, is changing day by day due to the evolution of cyber threats (Boehm, 2012). The threat landscape has evolved with a range of devices as well as sophisticated targeted attacks that need legitimate access to the corporate network. Previously, people dealt with viruses designed for several purposes in order to allow attackers to control PCs. At present, people deal with viruses that act as extortion tools and cyber-weapons.
As per the CNSS model, confidentiality, integrity, availability, privacy and identification are the major threats or risks in regards to information security. Confidentiality only permits users to view information (Peltier, 2013). With regard to integrity, a virus can be designed to corrupt data. Privacy means that information is used only in ways approved by an individual. Through identification, an information system is capable of recognizing individual users.
Due to the presence of threats or risks in an information system, data on a particular user's computer are corrupted, computer security becomes weaker and other computers can also be infected (Peltier, 2016). These security risks can seriously impair computer performance, network use and business operations by performing several tasks that are not known to the users of an infected computer.
The information system's extended characteristics are known as the "Six Ps". The "Six Ps" comprise Planning, Policy, Programs, Protection, People and Projects. Information security threats or risks can be minimized and mitigated by improving the Six Ps and making them stricter (Von Solms & Van Niekerk, 2013). The IT management team should ensure effective and efficient information processing with the help of these six factors. Each of the mechanisms represents some of the management aspects of particular controls in the entire InfoSec plan.
Forum Post 2
Information Security Planning
Patching is a problematic activity: upgrades and patches are required to improve software, but they may also disrupt a running system if they are not examined properly, and may have unintended effects on the patched system or on a system that depends on the patched or upgraded system. Nevertheless, security patches or upgrades should always be installed unless the risk of applying the patch is higher than the risk of being compromised (Vacca, 2012). According to security researchers, installing software and system updates is the best defence against the most common malware and viruses, specifically for computers running Windows (Ifinedo, 2012). Software makers often release updates to address particular security threats that have come to their attention. By downloading and installing software and system updates, users can patch the vulnerabilities that virus writers rely on to infect users' PCs.
In order to develop a better approach, patch management should be done. There are six steps that are significant in developing such an approach. These are as follows:
- Step 1: Development of an up-to-date inventory of all production systems, incorporating OS type and version, custodian, physical location, function and IP addresses.
- Step 2: Devising a plan to standardize production systems on the same OS version and application software (Boehm, 2012).
- Step 3: Making a list of all the security controls a particular user has in place, such as AV, IDSes, firewalls, routers and others.
- Step 4: Comparing reported vulnerabilities or risks against the control list or the inventory list.
- Step 5: Clarifying the risks or threats and assessing the vulnerabilities and the likelihood of an attack (Peltier, 2013).
- Step 6: Applying and deploying the patch without disrupting production or uptime.
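The six steps above, together with the rule from the preceding paragraph that a security patch is installed unless applying it is riskier than being compromised, can be turned into a small triage routine. The following is an added example written for this post, not code from the post or from any cited author. All hosts, addresses, custodians, versions, control names and advisory ids in it are constructed; the advisory ids are placeholders, not real CVE numbers, and the likelihood and change-risk scales are assumptions chosen for illustration.

```python
"""Added example: patch-management triage over the six steps, on constructed data.
Every host, address, version, control and advisory id here is made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Host:
    """Step 1: one production system from the inventory."""
    name: str
    os_name: str
    os_version: str
    custodian: str
    location: str
    function: str
    ip: str
    controls: Set[str] = field(default_factory=set)  # Step 3: controls in place
    change_risk: int = 3  # assumed 1..10 scale: how disruptive an untested patch is here


@dataclass
class Advisory:
    """Step 4: a reported vulnerability to compare against the inventory."""
    advisory_id: str            # placeholder id, not a real CVE number
    os_name: str
    affected_versions: Set[str]
    patch: str                  # placeholder patch name
    severity: int               # assumed 1..10 scale, as reported by the vendor
    attack_vector: str          # "network" or "local"
    mitigated_by: Set[str] = field(default_factory=set)  # controls that lower likelihood


# Constructed inventory (Step 1) with the controls each host has (Step 3).
INVENTORY: List[Host] = [
    Host("web-01", "Windows Server", "2019", "A. Custodian", "DC-1 rack 3",
         "web front end", "10.0.1.10", {"firewall", "av"}, change_risk=2),
    Host("db-01", "Windows Server", "2016", "B. Custodian", "DC-1 rack 4",
         "database", "10.0.1.20", {"firewall", "av", "ids"}, change_risk=8),
    Host("file-01", "Windows Server", "2016", "B. Custodian", "Branch office",
         "file share", "10.0.2.5", {"av"}, change_risk=4),
    Host("lab-01", "Ubuntu", "22.04", "C. Custodian", "Lab",
         "test", "10.0.3.7", set(), change_risk=1),
]

# Constructed advisories (Step 4); ids and patch names are placeholders.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "Windows Server", {"2016", "2019"}, "PATCH-A", 9, "network", {"firewall"}),
    Advisory("ADV-0002", "Windows Server", {"2016"}, "PATCH-B", 6, "local", {"av"}),
    Advisory("ADV-0003", "Ubuntu", {"20.04"}, "PATCH-C", 7, "network"),
]


def version_drift(inventory: List[Host]) -> Dict[str, Set[str]]:
    """Step 2 input: OS families running more than one version need standardising."""
    seen: Dict[str, Set[str]] = {}
    for host in inventory:
        seen.setdefault(host.os_name, set()).add(host.os_version)
    return {os_name: vs for os_name, vs in seen.items() if len(vs) > 1}


def is_affected(host: Host, adv: Advisory) -> bool:
    """Step 4: a host is exposed when its OS name and version appear in the advisory."""
    return host.os_name == adv.os_name and host.os_version in adv.affected_versions


def attack_likelihood(host: Host, adv: Advisory) -> float:
    """Step 5: crude 0..1 likelihood (assumed scale). Network-reachable flaws start
    higher than local ones; each mitigating control the host actually has halves it."""
    base = 0.8 if adv.attack_vector == "network" else 0.4
    for _control in adv.mitigated_by & host.controls:
        base /= 2
    return base


def risk_score(host: Host, adv: Advisory) -> float:
    """Step 5: risk = severity x likelihood, rounded to two places."""
    return round(adv.severity * attack_likelihood(host, adv), 2)


def decide(host: Host, score: float) -> str:
    """Step 6, using the post's rule: patch now unless patching is riskier than compromise."""
    return "patch now" if score > host.change_risk else "test, then patch in maintenance window"


def triage(inventory: List[Host], advisories: List[Advisory]) -> Dict[str, List[Tuple[str, float, str]]]:
    """Cross-reference inventory and advisories; per-host work list, highest risk first."""
    plan: Dict[str, List[Tuple[str, float, str]]] = {}
    for host in inventory:
        items = []
        for adv in advisories:
            if is_affected(host, adv):
                score = risk_score(host, adv)
                items.append((adv.advisory_id, score, decide(host, score)))
        items.sort(key=lambda item: item[1], reverse=True)
        plan[host.name] = items
    return plan


if __name__ == "__main__":
    print("version drift:", version_drift(INVENTORY))
    for name, items in triage(INVENTORY, ADVISORIES).items():
        print(name, items or "no open advisories")
```

On the constructed data the same advisory gets a different decision on different hosts: the network-facing web host has a firewall that halves the likelihood, so it is patched immediately, while the database host's high change risk sends the same patch to a tested maintenance window. That is the trade-off the post describes, made explicit per system rather than decided once for the whole estate.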
Information Security Policy and Program
Figure 1: Flowchart to outline slides of a presentation on Security to the NSW
(Source: Created by Author)
This flowchart portrays the outline of a presentation that was given on security to the NSW. It outlines the topics that would be covered in the presentation through its individual slides. Each slide is related to another slide or to the very next slide, and the flowchart demonstrates that relationship pictorially and hierarchically.
Slide 1: Importance of Information Security – This slide is shown as a process in the flowchart. It gives brief, clear and concise information regarding the importance of information security in every field of operation.
Slide 2: Introduction to Information Security Program and Policy – This slide is also shown as a process in the flowchart above. It is an introductory slide, giving concise introductory information about the information security program and policy. This information can be very helpful for forming a concept of the information security policy and programs.
Slide 3: Necessity of Information Security Program – After the introductory slide, the presentation sets out the necessity of an information security program in the very next slide. The flowchart above illustrates this slide as a process. The slide is mainly aimed at demonstrating why every organization needs a security program. It is evident that, no matter how small or large an organization is, people need to have a plan for ensuring the security of that company's information assets. Therefore, this slide establishes that point with a proper definition of an information security program.
Slide 4: External Operational Confidentiality OF Terminal Software – This slide introduces a specific information security program in the presentation, and is therefore also considered a process in the flowchart drawn above. A brief introduction to this software is given in the slide, which helps to form a concept of the functionality and the advantages of the software as an information security program.
Slide 5: Categorization – This slide shows the categorization of the External Operational Confidentiality OF Terminal Software based on its functionalities or operations, and names the classifications. The three categories are the External Operational Confidentiality OF Terminal Software for Storage, the External Operational Confidentiality OF Terminal Software for Download and the External Operational Confidentiality OF Terminal Software for Update. These three classifications are mentioned in the flowchart in a note under this process.
Slide 6: Features of EOC_OF Terminal Software for Download – This slide is considered a process in the flowchart. It mentions and discusses the features of EOC_OF Terminal Software for Download. There are mainly three: access authorization, limit exposure and encryption.
Slide 7: Functionalities of Authentication and Identification – This slide, drawn as a process in the flowchart, is aimed at demonstrating the functionalities of authentication and identification, which are the features of access authorization under EOC_OF Terminal Software for Download. The slide states that password authentication, cardkey authentication, biometric authentication and the digital signature are the major operations under authentication, and that Mutual ID and One Sided ID are the major operations under identification.
Slide 8: Security Attacks, Threats and Requirements – This slide is considered a process in the flowchart above and demonstrates the security attacks, threats and requirements. It has several categorizations, which are interpreted in the next slides.
Slide 9: Confidentiality – This slide can be considered a sub-process in the flowchart. It demonstrates the features and importance of confidentiality, and shows that confidentiality points to listening, interactions and planted-in-system.
Slide 10: Integrity – This slide is considered a sub-process in the flowchart. It demonstrates the features and importance of integrity, and shows that integrity points to modification, interactions and planted-in-system.
Slide 11: Availability – This slide is considered a sub-process in the flowchart. It demonstrates the features and importance of availability, and shows that availability points to interactions, planted-in-system and denial of service.
Slide 12: Non-Repudiation – This slide is considered a sub-process in the flowchart. It demonstrates the features and importance of non-repudiation, and shows that non-repudiation points to interactions, planted-in-system and after-the-fact.
Slide 13: Information Security Policy – This slide is aimed at giving detailed information about the information security policy that needs to be specified along with the information security program.
Slide 14: Policy Education Technology – Detailed information about policy education technology and the importance of this technology is given in this slide of the presentation.
Boehm, B. (2012). Software risk management. In European Software Engineering Conference (pp. 1-19). Springer Berlin Heidelberg.
Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83-95.
Peltier, T. R. (2013). Information security fundamentals. CRC Press.
Peltier, T. R. (2016). Information security policies, procedures, and standards: Guidelines for effective information security management. CRC Press.
Vacca, J. R. (2012). Computer and information security handbook. Newnes.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.