Provide introduction of the case company keeping in view the above scenario.
1. Understand risks to IT security
Identify and evaluate different types of security risks to this organisation.
Evaluate the security procedures of the case organisation.
2. Understand mechanisms to control organisational IT security
Discuss what security risk assessment procedures have been implemented by this organisation.
Evaluate data protection processes and regulations (e.g. Data Protection Act 1998, Computer Misuse Act 1990, etc.) as applicable to this organisation.
Analyse applicable physical security issues for this organisation.
3. Be able to manage organisational security
Design and implement security policy for this organisation.
Note: You should make logical assumptions about the security requirements of this case organisation.
Based on the developed security policy for the case organisation, evaluate the appropriateness of the tools used in that organisation’s policy.
As the IT security manager of the case company you have been assigned the task of conducting a security audit. Discuss what human resource issues you would consider whilst carrying out the security audit of that company.
Information Security Management, abbreviated ISMS, is the set of policies and rules concerned with managing security and the risks related to it. Nowadays IT security is an important and vital concern.
This report describes the role of the IT security manager of the online company and the steps, procedures and norms the security manager must follow to secure the company.
1. Understand risks to IT security
A security risk is an event or action that causes loss of or damage to the computer hardware and software, to the data and information stored in the system, or to the processing capability of the computer. Some types of security risk are discussed below:
Unauthorised access to the network: hackers break into the network, after which they can view, change and delete personal files and information on the computer. To gain this access, hackers use software that lets them break into other people's computers, take full control of them, modify, alter and delete data, and steal the information stored on them.
Denial of Service (DoS) attack: DoS covers a group of attacks including the LAND attack, Ping of Death and others. Here the hackers do not intend to steal information; instead they disable the computer and the network so that the network's resources can no longer be accessed. To carry out a DoS attack the hackers use Trojan horses, malware and other malicious attacks through which they can permanently damage the computer so that it can no longer be used.
Viruses: a virus attack is another form of internet risk. Viruses are programs that are destructive in nature. To reach users' computers they attach themselves to downloaded files, emails and applications, intrude into the computer and then damage or crash it. During a download the virus is downloaded along with it, without the user's knowledge. Some powerful viruses can attack a computer even when a firewall is installed.
Capture of private data in transit over the internet: private data travels across the internet. Using capture software, hackers take the data off the network while it passes from one computer to another during sending or receiving, convert it into readable form, and then read and use the users' confidential information for their own purposes.
Offensive content: some internet content is inappropriate and can create legal issues for the business. Users of the network risk viewing content that is neither appropriate nor useful, which reduces productivity and wastes company resources through excessive web browsing.
Backdoor: a technique for accessing a computer program that bypasses the security mechanism. A backdoor is also known as a trapdoor (Evan, 2012).
Spoofing: a spoofing attack is a network security situation in which one party impersonates another by falsifying data and thereby gains an illegitimate advantage. Spoofing attacks come in several types: IP address spoofing, ARP spoofing and DNS server spoofing (Joshi, 2012).
The procedures that protect against internet attacks are also known as cyber security. The basic security precautions every user should take are:
Always keep backups of all important files, so that a computer failure does not result in losing them all. After recovering from an attack it is usually possible to reinstall the software, but most of the time the data cannot be recovered and is permanently lost, which often causes severe loss.
Always keep a powerful virus scanner or anti-virus installed and keep it updated, so that basic virus attacks can be prevented. It also scans email attachments and prevents attachments from being downloaded automatically.
Another protection against internet risk is the use of passwords, which should contain a number of different characters to make them strong and should be changed at regular intervals. One way of gaining unauthorised access to the network is the brute force attack, in which the hacker guesses the user's password by making continuous attempts.
Hackers steal data while it is being sent or received over the internet between one user and another. To prevent this, the sender encrypts the message into coded form so that nobody else can understand its contents, and the receiver decrypts it back into human-readable form once it arrives. In this way theft of data from emails can be prevented.
To protect against intruders, users should also clear their browsing history, because by looking at the browsing history intruders can gather information about the user and use it for illegal purposes.
Another security measure is installing a firewall. A firewall is software that screens out hackers, viruses, worms and the various other intruders that try to reach the user's computer via the internet. It also checks all files coming into and going out of the computer.
2. Understand mechanisms to control organisational IT security
To assess risk, the security manager first needs to understand the existing systems already in use and identify the risks by properly analysing all the data and information that has been collected. The following steps are required:
Conduct a threat assessment: first identify the threats, then assess each one properly, considering all its aspects. Once the threats have been assessed, identify the possible preventive measures for each threat, assess all of those measures, and select the best one.
Conduct a vulnerability assessment: identify the process through which the task will be performed, verify every applicable partner against the security issues, and rate the application's security criteria according to the severity of the problem as low, medium or high.
Prepare an action plan: after all the threats have been assessed, prepare a corrective action plan in which all the gaps and weaknesses of the existing plan are properly discussed, along with the necessary actions to address them, so that the plan is easy to implement.
Document the risk assessment process: document the whole process from first to last, covering how the weaknesses were recorded, how the corrective action plan was prepared and how it is to be implemented.
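The four steps above, as an added worked example in Go (not part of the original study): a small risk register that scores each threat by likelihood and impact, rates it low, medium or high, orders the corrective action plan and documents the result. The 1-5 scales, the band edges and the sample register entries are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk is one row of the register built during the threat and vulnerability
// assessment; Likelihood and Impact are scored 1-5 (assumed scale).
type Risk struct {
	Asset, Threat string
	Likelihood    int
	Impact        int
	Control       string // corrective action entered in the action plan
}

func (r Risk) Score() int { return r.Likelihood * r.Impact } // likelihood x impact, 1-25

// Rating maps a score onto the low/medium/high bands the text mentions; the
// band edges (<=5 low, <=12 medium, otherwise high) are an assumption here.
func Rating(score int) string {
	if score <= 5 {
		return "low"
	}
	if score <= 12 {
		return "medium"
	}
	return "high"
}

// ActionPlan copies the register and orders it so the highest-rated risks are
// corrected first; the stable sort keeps register order for equal scores.
func ActionPlan(register []Risk) []Risk {
	plan := make([]Risk, len(register))
	copy(plan, register)
	sort.SliceStable(plan, func(i, j int) bool { return plan[i].Score() > plan[j].Score() })
	return plan
}

// Document renders the plan as the written record the final step calls for.
func Document(plan []Risk) []string {
	lines := make([]string, 0, len(plan))
	for i, r := range plan {
		lines = append(lines, fmt.Sprintf("%d. [%-6s %2d] %s: %s -> %s",
			i+1, Rating(r.Score()), r.Score(), r.Asset, r.Threat, r.Control))
	}
	return lines
}

// SampleRegister is a constructed register for a small online business.
var SampleRegister = []Risk{
	{"web shop", "DoS attack", 3, 4, "rate limiting and upstream traffic filtering"},
	{"customer database", "unauthorised access", 3, 5, "MFA and quarterly access review"},
	{"office network", "offensive web content", 3, 1, "web filtering policy"},
	{"staff laptops", "virus in email attachment", 4, 3, "AV updates and attachment scanning"},
}
```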
To protect the organisation's data, several points must be considered in order to protect data privacy. First, a proper legal framework must be prepared that governs the processing of personal information and protects users' personal information, so that nobody can access it for any illegal purpose or misuse the data. The collection of data and the use of users' personal data must also be controlled. The protection process covers both technical and organisational security issues, which must be resolved properly. The data is also checked on a preliminary basis, which makes it easier to provide the base level of security and to automate the decision-making process and the reporting procedures.
The Data Protection Act 1998 sets out a number of data protection principles, which are listed below:
- Personal data must be processed fairly and in accordance with the data protection law.
- Personal data may be obtained only for one or more specified purposes and must not be further processed for any other purpose.
- Personal data must be accurate according to the needs of its use and must always be kept up to date so that it can be properly studied.
- Personal data must not be transferred to any country or territory that does not ensure the required level of protection of rights and freedoms.
The Computer Misuse Act 1990 covers:
- Protection from unauthorised access to computer material.
- Unauthorised access to other computers is to be treated as an offence punishable by a minimum of 6 months.
- Unauthorised modification of computer material.
Physical security is the protection of hardware, software, programs, networks etc. from any physical event that could cause serious damage and loss to the enterprise or agency. A physical security assessment has four phases: the first is pre-engagement interaction, the second is remote intelligence gathering, the third is a guided walk-through, and the fourth is vulnerability analysis. To assess the physical security controls, the following need to be in place:
- Deter all potential intruders.
- Distinguish authorised access from unauthorised people.
- Prevent intrusion attempts.
- Detect intrusions and record the intruders.
- Trigger the appropriate incident responses.
Physical security is often overlooked in favour of more technical issues such as hacking, virus attacks, Trojan attacks, malware attacks etc. It has three main components. The first is to place barriers between potential attackers and the site; this includes multiple security measures, fireproofing and water sprinklers. The second is to put surveillance and problem notification in suitable places, using heat sensors, alarms, cameras etc. The third is to implement methods of protection against attackers so that quick recovery from such incidents, natural disasters etc. becomes easy.
3. Be able to manage organisational security
A security policy is the document or outline of the rules and laws governing access to the computer network, intended to secure the computer from viruses, intruders, hackers etc.; to some extent it describes internet security. Providing this security means implementing norms and rules concerning security. Designing an appropriate security policy requires properly identifying the weaknesses in security, properly assessing the risk associated with each weakness, and finally developing a proper plan through which the risk can be reduced or eliminated. In implementing a proper security policy the following points need to be considered:
- Authentication: confirms that a claimed identity is correct.
- Computer network: a collection of computers acting as hosts that together form a sub-network or inter-network through which data can be exchanged from one computer to another.
- Cryptography: encoding messages prevents data theft, because anyone who tries to steal the data cannot understand the contents of the messages (Transcendental numbers and cryptography, 2014).
- Digital signature: identifies both the sender and the receiver of a message so that its contents cannot be changed during transmission (Cui and Jiang, 2012).
- Domain name system: through DNS an internet domain name is looked up and translated into an internet protocol address. DNS makes internet addresses easier to remember.
- Firewall: a network security program that tracks and controls all communications and determines whether to reject or encrypt the data (Zhang, 2014).
- Hijack attack: the attacker takes control of the whole communication session and uses it as they wish.
The security policy developed for the organisation above needs certain tools in order to be effective. The tools used are described below:
Authentication requires a verification and validation process in which the email address is used as the user ID. To validate it, a protocol is maintained that checks that at least one special character is present, that the email address is one to which mail can be delivered, that the password has a proper length so that it is strong, and that the password is complex, containing several types of character.
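The authentication rules above, together with the brute force attack described in section 1, as an added example in Go (not the organisation's own tooling): the email user ID check, the password complexity check, and a failed-login counter that locks the account so password guessing cannot continue indefinitely. The minimum length of 12, the limit of 5 attempts and the requirement that the ID be a bare address are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/mail"
	"unicode"
)

// Policy numbers are assumptions of this example; the text asks only for a
// "proper length", a mix of character types and protection against guessing.
const (
	MinPasswordLen  = 12
	MaxFailedLogins = 5
)

// ValidateUserID requires a bare, syntactically valid email address, the form
// an account confirmation can actually be delivered to.
func ValidateUserID(id string) error {
	addr, err := mail.ParseAddress(id)
	if err != nil || addr.Address != id {
		return fmt.Errorf("user ID %q is not a plain email address", id)
	}
	return nil
}

// ValidatePassword returns every rule the password breaks: minimum length plus
// at least one upper-case, lower-case, digit and special character.
func ValidatePassword(pw string) []string {
	var problems []string
	if len([]rune(pw)) < MinPasswordLen {
		problems = append(problems, "too short")
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r): upper = true
		case unicode.IsLower(r): lower = true
		case unicode.IsDigit(r): digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r): special = true
		}
	}
	classes := []struct{ name string; ok bool }{{"uppercase", upper}, {"lowercase", lower}, {"digit", digit}, {"special character", special}}
	for _, c := range classes {
		if !c.ok {
			problems = append(problems, "missing "+c.name)
		}
	}
	return problems
}

// RecordFailure counts failed logins per user ID and reports whether the
// account has reached the lockout threshold, which stops the continuous
// password guessing of the brute force attack described earlier.
func RecordFailure(failed map[string]int, id string) bool {
	failed[id]++
	return failed[id] >= MaxFailedLogins
}
```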
In cryptography the message is encoded into coded text known as the cipher text. A special key is used for this, available only to the sender and the receiver, so that only they can decrypt the data.
Together with cryptography, the digital signature function is used, which is available only to the authenticated sender and receiver. A digital signature consists of binary data, special characters etc. based on a cryptographic standard.
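The encrypt-then-sign arrangement described in the two paragraphs above, as an added example in Go using only the standard library (not the organisation's code): AES-256-GCM with a key shared by sender and receiver, and an Ed25519 signature over the ciphertext so the receiver can confirm who sent it and that it was not altered in transit. The shared key and the sender's key pair are assumed to have been exchanged beforehand.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"io"
)

// Envelope is what travels over the network: the ciphertext (with its nonce
// prepended) and the sender's signature over that ciphertext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}
// Protect encrypts msg with the shared AES-256-GCM key, then signs the result
// with the sender's Ed25519 private key (encrypt-then-sign).
func Protect(sharedKey []byte, senderPriv ed25519.PrivateKey, msg []byte) (Envelope, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nonce, nonce, msg, nil) // nonce || ciphertext || GCM tag
	return Envelope{Ciphertext: ct, Signature: ed25519.Sign(senderPriv, ct)}, nil
}
// Unprotect verifies the signature first, so a forged or altered envelope is
// rejected before any decryption, then decrypts with the shared key.
func Unprotect(sharedKey []byte, senderPub ed25519.PublicKey, env Envelope) ([]byte, error) {
	if !ed25519.Verify(senderPub, env.Ciphertext, env.Signature) {
		return nil, errors.New("signature does not verify: wrong sender or altered message")
	}
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(env.Ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, env.Ciphertext[:n], env.Ciphertext[n:], nil)
}
```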
The organisation's security policy also provides for a firewall. A firewall is a program used to block unauthorised attacks as well as virus attacks. It can be configured in hardware, in software, or in both for stronger security.
A security audit is a systematic evaluation of the security of a company, which protects the company's information against an established set of criteria. A human resource audit is one type of security audit (Carroll, 2012). The following issues need to be considered in a human resource audit:
- Age-related issues in hiring, training etc.
- Issues related to employee development and ability to do the work.
- Issues concerning disciplinary matters.
- Matters related to performance management.
- Issues related to organisational development.
To conclude, this study of IT security management has described all the issues related to IT security elaborated above. As an IT security manager it is therefore necessary to be concerned with all the issues of online IT security so that the protection of all IT matters is addressed as described.
Carroll, P. (2012). Standards of data protection. Computer Fraud & Security, 2012(2), pp. 5-7.
Cui, X. and Jiang, L. (2012). Design and Realization of Digital Signature System. AMR, 562-564, pp. 872-875.
Evan, G. (2012). Taking a Back Door to Target Myc. Science, 335(6066), pp. 293-294.
Joshi, B. (2012). Tackling Spoofing Attacks Using Broadband Access Concentrators. IJIEE.
Meyer, H. (1996). Security risk or security solution? Computers & Security, 15(4), p. 317.
Qin, Y. (2014). Computer Network Attack Modeling and Network Attack Graph Study. AMR, 1079-1080, pp. 816-819.
The Basics of Information Security. (2014). Network Security, 2014(9), p. 4.
The Practice of Network Security Monitoring. (2014). Network Security, 2014(10), p. 4.
Transcendental numbers and cryptography. (2014). Applied Mathematical Sciences.
Yu, C. and Lliu, G. (2014). Authentication Methods Based on Digital Fingerprint Random Encryption IBC. Journal of Software, 9(6).
Zhang, W. (2014). Design of Firewall Security Control Program. AMM, 556-562, pp. 5999-6002.