Management Emergency & Homeland Security: Risk Assessment & Information Security Management Essay.

Applicable Policy

Discuss About The Management Emergency And Homeland Security?

Following report aims at proving guidance on the information security and assessment management for the organization A4A considering the storage of data and the way of keeping them safer. The scope of this report is to present an information security management system for the organization in manner to maintain the confidentiality, availability, and integrity of the data about the operational activities and sensitive information about the employees working in the same organization including the safety measures for the stakeholders too.

According to the case study, A4A is Non-Governmental Organization, which is going to transform the existing system into a technology based system and about to set up information systems to keep those data saved into the database of the systems. For this transformation assumptions can be made that there will be need of outsourcing of Information and Communication technology (ICT) and computers.

The guidelines provided in this report can be much efficient for the risk assessment management and better protecting the information that is being store into the systems or in the cloud. This is the most important aspect for all the organization, which is migrating data or information into systems or in cloud.

Australian Government policy promotes the PSPF and ISM for the policy related to the information security. A4A can manage the information security with better efficiency through the mandatory requirements that has been already stated in the PSPF. For A4A it is a very important factor for its growth to establish a better and effective risk management for the information security regarding the stored information. Risk management process can be achieved only if these processes and systems becomes the integral part of A4A’s culture, operational, and practices plans (Sylves 2014). There should be governance processes in manner to mitigate these risks rather than building a proactive security system to manage the information security. The risks should be identified at its very early stage and proper precautions should be taken regarding elimination of the identified risks.

Regulation and handling of data and information of the A4A can be managed through the set thirteen Australian Privacy Principles (APPs) those have been introduced within the Privacy Act 1988. It emphasis on the privacy of the information of employees of the organization that are very sensitive and personal to them (Arregui, Maynard and Ahmad 2016). Very personal information should be determined by the A4A and that information should be handled according to the principles of the APPs.

Australian Privacy Law

Pieces of legislations applicable to this privacy legislations policy are: Firstly, Archives Act 1983, secondly, Freedom of Information Act 1982, and lastly, Privacy Act 1988 (Zetler 2015).

Framework for the risk assessment can be referred to the set of guidelines that can be applicable in assessing the risks based on the existing framework defined by the Australian Standards AS/NZS ISO 31000:2009 Risk management and HB 167:2006 Security Risk Management, and principles, and guidelines (Saint-Germain 2015). This is a subjective process for all the organizations and in this case A4A should make sure that the process that is about to be defined for the risk management should be justifiable, transparent, and documented. Assessing risks on the basis of framework can be helpful in many objectives like risk tolerance identification, identifying particular risk with each employee, and managing the risks as per the priority of the types of information and about the information related to the assets those are being stored in the system. Another beneficial aspect is that appropriate decision making can be made based on the type of risk.

The risk assessment process should be consistent with the standard for the successful management of the risk assessment. The whole process can be divided in to five steps and should be executed accordingly after each step that can be listed as:

 Under this step the external and internal influences should be addressed those could have the potential to impact the implementation of this management system in the existing system directly or indirectly (Draper and Ritchie 2014).

After the completion of the first step there should be proper development of the robust list for the risks that has been identified that could have the potential to affect the working of the organization as that of in the first strep. Risks identifying could be first step towards arranging mitigation processes in context with the risks.

This is the third step that discusses the main objective but can only be achieved successfully after the completion of first two steps. This includes assessing the risks comparing it with the impact, tolerances, and likelihood of the identified risks on the performance of the organization.

 Selection of the proper treatments for the risks should be given the same priority as the above steps that includes providing control to the identified risk assessment strategies those been collected through the above steps.

 Development of overall risk assessment is the final step in addressing the risks and mitigating the threats through summarizing the identified risks in accordance with the control on the steps mentioned above. Following is a diagram that can be better explainable for the risk assessment processes.

Control risks

Evaluate Risks

Analyze risk

Identify risk

Established Context

Consultation and communication

Monitor and Review

Privacy Legislation

Figure 1: Risk Assessment Process

(Source: Created by Author)

Establishing context puts emphasis on the addressing the assessment processes that needs to be implemented with the system of A4A in manner to address the security, strategic and organizational risk management contexts for eliminating the risks that are going to be identified throughout the whole risk management system (Whittman and Mattord 2013). The security risk assessment will be covering all the facets of the activities or functions of the organization during these processes. The risk assessment management processes should be according to the prevailing and emerging environment for the risks. This will provide platform for the whole managerial processes for the risk assessment that makes it a very critical objective for its successful execution.

Determination of context for the A4A can be for improving and promoting security of the internal environment in which the organization is willing to achieve its goals. Objectives for the successful completion of this section can be listed as:

• Extent and contractual relationships’ nature.
• The organizational structure, accountabilities, governance, roles and responsibilities of the designated employees of the A4A.
• Overall working culture and security culture of the A4A.
• Values, relationship, and Perception with the internal stakeholders.
• Consideration of proper Policies and objectives and the strategies that are being made to achieve the assessments successfully (Wensveen 2016).
• Information system and flows including the processes of decision-making
• Standards, guidelines, and models adopted by the organization for the betterment in the security of the information.
• The Strategic Context of Outsourcing

The strategic contexts relevant to the situation should be considered by the A4A in manner to implement a successful risk assessment management processes. Other than above stated objectives it should include the Australian regulation, Australian legislation and Australian policies in manner to increase the information security and make the system list risk affected system (Peppard and Ward 2016).

This section explains the comprehensively determination of the sources of risks that have the potential to impact the information that are being stored in the system and alternatively affect the performance of the organization. The identified issues should be well described for the heads or the executives who are going to take decisions for this management system. The information or data should be categorized on the basis of integrity, availability, and confidentiality and the A4A risk management team should give priority to the risks on this determination or classification (Webet al. 2014). In the AS/NZS 4360:2004, definition of the risk is “The chance of something happening that will have an impact on the objectives”.

Intolerable risk Scope for A4A

Tolerable risk

Increasing risk

Figure 2: Risk Tolerance

(Source: Created by author)

The risk tolerance can be identified during the execution of ‘Establishing the context’ step at its very early stage as it fully dependent on the context of the organization and the heads of the organizational structure. Risk Tolerance is nothing but the sum of risk appetite of A4A that is based on the principle of risk management to the extent level (Boyens et al. 2014). The risk tolerance determination can allow the organization to raise scope of innovative and flexible business practices. The risk tolerance can be manipulated or affected through changing the evolution criteria that results in variable factors for the risk management by the heads of the A4A and that will depend upon: First political expectations and sensitivities, and prevailing, Second factor is the incident security nature like terrorist attack etc. Third factor is the existence or emergence of trends in security like data breaches, trusted insider, cyber-attacks etc.

Risk Assessment Framework

While integrating Cloud storage system within the existing system of the organization, it is important to establish context regarding the cloud implementation. This can be helpful in understanding the nature of the criticality, vulnerabilities and other potential threats or risks related to the information that is being stored in the cloud (Rebello et al. 2015). Following are some of the considerable facts while determining the Cloud integration risks but not limited to: firstly, the impact on the availability, integrity, and confidentiality of the data or information of the A4A.  The picture of the unintended disclosure or the incident or event can be stated as second aspect. Third aspect is the impact of the risks that will occur due to the outsourcing of technologies and introducing third party. Another fact can be the types of threats and risk related to the information or data that is being saved into the system. Lastly the impact of losing data should also be considered while identifying the risk. An individual plan can also be considered as they focuses only on the information security related issues and their management. 1669

Following are the threats that might affect the proper functionality of the organization:    

Data Breaches: This could affect the saved data in all the aspect as data breaches put all the information and data at the sake by allowing access to an unauthorized user (Peltier 2016).

Data Loss: Due to some technical glitches and bugs there are chances of losing the whole data that is being saved into the systems.

Service traffic or Account Hijacking: All the operational activity is being transferred into the information technology that will be accessible through different accounts for different level staffs and this could be hijacked by an attempt of any intruder that could access to the data and manipulate them without having any authority (Dhillong, Syed and Sa-Soares 2017).

API (Application Programming Interface) and Interfaces Insecure: For circumventing the vulnerable interfaces or security processes may be exploited through malicious attacks or accidentally.

DOS (Denial of service): This type of risk will block the access for a user to enter the network of the organization and do the desired work.

Insufficient Due Diligence: There should be proper consideration of the advantages and disadvantages of implementing the new technology within the organizational infrastructure such as Cloud storage or Cloud computing and many more.

Malicious Insider: This is related to the formal stakeholders either the employee or contractor or any other individual who might have access to the organizational network even after leaving the bond with the organization. There might be misused of those accounts for the personal benefits (Luthra et al. 2014).

Applying ISO 31000

Shared Technology Vulnerabilities: Cloud infrastructure has been offering share the stored data between more than one user that implies some risks related to the multi-tenant architecture that will become the ‘must’ factor for the organization.

Mapping risk can be helpful in managing the risks separately through dividing them according to the priority of the risks that are identified in the above steps. Emphasis should be made on the impact of the risks that may hamper the functionality of the organization (Beckers et al. 2013). The facts that are considerable during mapping the risks includes: identifying the areas and the level of impacts on those sectors, frequency of the risk occurrence, the stakeholders who will be impacted by the risks that had been identified. These are the facts but not limited to this only that must be considered while mapping the risk related to the information security of the A4A.

Assessing risk process can be executed after identifying relevance risks those have been identified and thereafter categorizing them based on the priority. This section describes that there should be holistic evaluation for likelihood of the identified risks through the acceptable level of the tolerance and there responding consequences. For addressing these consequences and levels of likelihood an individual should consider the effectiveness of control and source of the risks (Oppliger, Pernul and Katsikas 2017). There are levels of controls and oversights in the processes of risk assessment for the risks related to the use of information technology within the premises of the organization for performing the operational activities. For example, the information that is confidential and sensitive for the A4A should be assessed on the basis of confidentiality, availability and integrity of the type of information (Soomro, Shah and Ahmed 2016). This section should only be executed after the completion of above steps mentioned in this report.

Guidance on determining the potential consequences is dependent on the type of information that is being saved into the database of the system of A4A. Information that is being stored in the A4A systems’ are sensitive information related to the employees, transactional details made between the organization and its partners, operational activities details and many more (Albakri et al. 2014). The expose of this information to an unauthorized user could lead to many serious issues such as los of data, compromising data, manipulation of data, and many more.

The unintended or unauthorized expose or access of the information related to the employees and other activities related to the organization should be evaluated properly that involves considering the risks within the context of the risk tolerance and potential treatment for A4A (Feng, Weng and Li 2014). It could be resulted in the matter of financial calculation for the cases in which the expose of information those are quantified in the terms of finance. For such cases or situations A4A can consider the factors such as: impact on the reputation and business output because of the expose or loss of such sensitive information and data related to the organizational operations (Yang, Shieh and Tzeng 2013). The facts mentioned above increases the complexity in identifying and assessing the risks related to the information security and the acceptance resides within the head of the organization.

Establishing Context

Due the fact that the risks related to the information security cannot be eliminated rather it could be minimized at the extent level, security of information becomes absolute. This results in focusing to reducing the risks rather than eliminating them. Selections should be on the basis of: the rating level of identified risks while making selections for the risk treatments (Raghupati and Raghupati 2014). This could be divided into six step processes

• Prioritise the intolerable risks
• Establishment of the treatment options
• Identification and development of treatment options
• Evaluating the treatment options (Haufe, Dzombeta and Brandis 2014)
• Detailing the review and design the selected options also considering the management of residual risks
• Communication and implementation

Consultation and communication plan management should be established at the early stage while paving the platform for the risk assessment management to determine the processes that need to be communicated or informed to the internal and external stakeholders. This could be helpful in communicating effective processes of the risk assessment among the stakeholders and other individuals related to the organization (Itradat et al. 2014). It will be helpful in them successful implementation of the risk assessment processes and listening to the employees could result in some more innovative ideas that could be applied within the system ion manner to enhance the performance of the organization. Priority should be given to the perceptions of the stakeholders in response to the identified risk and type of the information that should be saved into the systems.

This guideline has the same priority as that of the guidelines stated above for assessing the risks related to the information security. While monitoring and reviewing the risks following are the considerable facts:

• The strategies and controls of the implementation play an important and effective role and for this case tokenization and encryption of the files should be done before uploading to the Cloud.
• Cloud services and outsourcing should have continuous program and cloud vendors are whether applicable to provide it or not.
• The changes that are being introduced comply with the existing regulations or not. For example the cloud services should fulfil criteria of the Australian legislations (Layton 2016).
• Do the processes and controls that are being practiced in the risk assessment management are cost effective or not regarding the budget of the whole project (Baskerville, Spangnoletti, and Kim 2014).

Conclusion

Considering the above facts it can be concluded that for enhancing the performance and increasing the output there should be proper information security risk assessment. For A4A assumptions had been made that there will be need of outsourcing the ICT for the better implementation of information technology and third party can be introduced for the cloud storage and cloud computing. These are related to the information security as they could also raise several issues related to the information security during the transformation of all the operational activities into computerized manner. The use of these technologies will no doubt enhance the performance of each employee and alternatively enhance the performance of the organization but also raises many concerns. For eliminating these concerns or risks, a proper and successful risk assessment system should be implemented within the system in manner to fight back or stop these threats from affecting the performance of the organization. The guidelines mentioned in the above report can be very helpful in mitigating the threats that are related to the information security within the organization and A4A should follow the above guidelines for the betterment in securing the information and data that is about to be stored into the system.

Identifying Risks

References:

Albakri, S.H., Shanmugam, B., Samy, G.N., Idris, N.B. and Ahmed, A., 2014. Security risk assessment framework for cloud computing environments. Security and Communication Networks, 7(11), pp.2114-2124.

Arregui, D.A., Maynard, S.B. and Ahmad, A., 2016. Mitigating BYOD Information Security Risks.

Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), pp.138-151.

Beckers, K., Côté, I., Faßbender, S., Heisel, M. and Hofbauer, S., 2013. A pattern-based method for establishing a cloud-specific information security management system. Requirements Engineering, 18(4), pp.343-395.

Boyens, J., Paulsen, C., Moorthy, R., Bartol, N. and Shankles, S.A., 2014. Supply chain risk management practices for federal information systems and organizations. NIST Special Publication, 800(161), p.1.

Dhillon, G., Syed, R. and de Sá-Soares, F., 2017. Information security concerns in IT outsourcing: Identifying (in) congruence between clients and vendors. Information & Management, 54(4), pp.452-464.

Draper, R. and Ritchie, J., 2014. Principles of security management: Applying the lessons from crime prevention science. Professional Practice in Crime Prevention and Security Management, p.91.

Feng, N., Wang, H.J. and Li, M., 2014. A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information sciences, 256, pp.57-73.

Haufe, K., Dzombeta, S. and Brandis, K., 2014. Proposal for a security management in cloud computing for health care. The Scientific World Journal, 2014.

Itradat, A., Sultan, S., Al-Junaidi, M., Qaffaf, R., Mashal, F. and Daas, F., 2014. Developing an ISO27001 Information Security Management System for an Educational Institute: Hashemite University as a Case Study. Jordan Journal of Mechanical & Industrial Engineering, 8(2).

Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. CRC Press.

Luthra, R., Lombardo, J.A., Wang, T.Y., Gresh, M. and Brusowankin, D., Citibank and NA, 2014. Corporate infrastructure management system. U.S. Patent 8,706,692.

Oppliger, R., Pernul, G. and Katsikas, S., 2017. New Frontiers: Assessing and Managing Security Risks. Computer, 50(4), pp.48-51.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Peppard, J. and Ward, J., 2016. The strategic management of information systems: Building a digital strategy. John Wiley & Sons.

Raghupathi, W. and Raghupathi, V., 2014. Big data analytics in healthcare: promise and potential. Health information science and systems, 2(1), p.3.

Rebollo, O., Mellado, D., Fernández-Medina, E. and Mouratidis, H., 2015. Empirical evaluation of a cloud computing information security governance framework. Information and Software Technology, 58, pp.44-57.

Saint-Germain, R., 2005. Information security management best practice based on ISO/IEC 17799. Information Management, 39(4), p.60.

Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.

Sylves, R., 2014. Disaster policy and politics: Emergency management and homeland security. CQ Press.

Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & security, 44, pp.1-15.

Wensveen, J.G., 2016. Air transportation: A management perspective. Routledge.

Whitman, M. and Mattord, H., 2013. Management of information security. Nelson Education.

Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 232, pp.482-500.

Zetler, J.A., 2015. The legal and ethical implications of electronic patient health records and e-health on Australian privacy and confidentiality law.