Analysis of Risks
Discuss a Report on Information Security Management for the University of Sanford.
Risk can be defined as the probability that the outcome of an investment will differ from what was expected. It is therefore important for business organizations to identify the potential risks that might hamper their processes and outcomes, so that appropriate strategies can be implemented for effective risk mitigation; this leads to the concept of risk management (Agrawal, 2009). Risk management can be defined as the process used by the management of business organizations to identify, analyze and either accept or mitigate the uncertainty that exists in the decision making process when making any investment. It is also a process of identifying risks, assessing the identified risks and prioritizing them, while applying the available resources in an economical and coordinated manner. This in turn is used for minimizing, monitoring and controlling the chances of the risk occurring, so that the benefits and opportunities can be realized to the maximum level (Das and Das, 2006).
Taking the above aspects into consideration, this report conducts an information security risk assessment of the University of Sanford and develops a strategy for mitigating the identified risks. The identified risks are analyzed using TVA (Threat, Vulnerability and Asset) analysis, together with the SLE (Single Loss Expectancy) and ALE (Annualized Loss Expectancy) (Krause, 2006).
The analysis of the risks in the context of Salford University, together with the TVA analysis and the ALE, is presented in the following table:
Overall risks within the university | Threats | Vulnerabilities | Assets | Annualized Loss Expectancy (£) | Controls |
The most significant risk within the university is the loss of information about students: their details, admission information and data. | The most important threat is an intruder gaining access to an employee's computer database. | A computer left switched on and unattended with the database unlocked (the database stores the most important data and information related to student records as well as staff records). | Data and information are among the most important assets from an organization or university perspective. | | Implementation of better security and information management policies |
Decrease in the brand image or reputation of the university | A hacker obtains data and information by means of spear phishing and steals student dissertations or research papers, or hacks the computer network and takes workforce information. | Security ethics of workers or staff | Impact on the organization's brand reputation | | Prevention |
Decrease in the confidentiality of question papers used for examinations | The most significant threat is that students of the university gain access to the exam question papers, with the outcome that they get higher marks without attending classes, which hampers their careers in the long term. This affects the reputation of the university as well as the organization, which is a cycle in itself. | Security ethics of workers or staff | University exam papers | | Prevention |
Topics: The most significant risk within the university is the loss of availability of student data and information, which includes the loss of students' admission data and their information.
For the first risk, the assets at risk are the name, address and admission records of students, their research papers, and their status as undergraduate or graduate students. In addition, the university could lose valuable data and information before the payment process, which affects its reputation and brand value.
The vulnerability identified within the university is that the computer administrator has very poor security policies and ethics. Employees leave their computers logged on, which results in the organization losing the data and the database stored on them.
Risk 1
Data and information are among the most important things an organization has to protect; the threats identified within the organization are:
A hacker can gain access to the data through the organization's computers, since all records, including student data, admission records and staff records, are stored in the database. The university has the authority to access, modify, edit and retrieve data and information from the computer system, and the assumed threat is that a hacker can access all data and records from the database.
It is assumed that there are 15,000 students in the university. The total number of students is multiplied by ¼, on the basis that ¼ schools are in a university. It is then multiplied by ¼ again, as an estimate of the approximate number of graduate and undergraduate students who will join the university in the next intake. To complete the calculation, this figure is multiplied by the average college tuition fee, which gives the cost for all graduate and undergraduate students.
Controlling procedure
Single Loss Expectancy (SLE) = £3,768,884
Annual Rate of Occurrence (ARO) = 20%
Annualized Loss Expectancy (ALE) = £753,777
Control 1 (prevention) | Appointing a security guard within the university = £15,000. This is considered to decrease the ARO by 75%, i.e. hiring security guards will secure 75%, which makes it a most effective step. On the other hand, 25% uncertainty is to be considered. |
ALE1 | 0.2 x 0.25 = 0.05; 753,777 x 0.05 x 1.25 = £47,111. Reduces ALE by (£753,777 - £47,111) = £706,666 |
Implementation of control | £15,000 + £47,111 = £62,111 |
Cost benefit analysis | According to the cost benefit analysis, the control is worth deploying if Annualized Loss Expectancy with control + cost of implementation < Annualized Loss Expectancy without control: £15,000 + £47,111 = £62,111 < £753,777 |
Control 2 (improvement) | Backing up the computer database system every day will increase the Information Technology Service manager's salary by 5%, calculated as £38,643 x 0.05 = £1,932. From this calculation it is taken to be 99% effective, with approximately one percent uncertainty. |
ALE1 | Annual Rate of Occurrence = 0.2 (assumed to remain the same). Single Loss Expectancy = 0.1% x £3,768,884 = £376,888. Annualized Loss Expectancy = 376,888 x 0.1 x 0.2 x 1.01 = £7,613. ALE1 = £7,613. The calculation thus shows that it reduces the Annualized Loss Expectancy by £360,275 |
Implementation of control | £1,932, paid to the information technology service manager as a five percent salary increase for backing up every day |
Cost benefit analysis | According to the cost benefit analysis, the control is worth deploying if Annualized Loss Expectancy with control + cost of implementation < Annualized Loss Expectancy without control: £1,932 + £7,613 = £9,545 < £753,777 |
Annualized Loss Expectancy = £376,888 x 0.05 x 1.25 x 1.01; Annualized Loss Expectancy = £22,791 |
Therefore, from the above facts and figures, appointing security guards within the organization will enhance its security performance, and the Annualized Loss Expectancy with the control is lower than the Annualized Loss Expectancy without the control. Moreover, with this strategy the organization can improve its performance and solve the problems relating to the theft of data and information from computers, because the security guard will admit only those students who have ID cards.
Another consideration is that the organization needs to be cost effective in terms of Annualized Loss Expectancy, which will help it to improve and control its costs. Using this control process, the organization can mitigate the risks in a cost-effective manner while decreasing financial loss.
Thus, from the above analysis, by implementing control procedure 2 the organization will manage its costs more effectively and achieve better profits.
An effective plan, i.e. an internal audit, must be carried out by the authority every week.
On the other hand, much irrelevant information and data is stored in the university database; the organization or computer administrator needs to delete such data and then perform the restore process again.
ALE, SLE and ARO
In order to provide an effective solution and implement better security policies within the organization, backup policies should be created and implemented.
The policy contents will include storage, timing etc.
The main purpose of the policies in the present case is to mandate the most efficient backup process, which helps to secure student admission records and data and to keep this valuable data in a more organized manner.
It will cover the information technology service as well as the admission departments.
To back up the most valuable data, which helps the organization to achieve better security and increase student satisfaction.
In order to store a huge amount of data and information, the organization needs to provide a large amount of storage, e.g. external hard disks.
Data will be taken from the database at 6 pm, and the age of the external database is approximately 5 years.
The data administrator must ensure that the data is stored in a particular storage location.
(ISO/IEC 27035-1: principles of incident management)
Thus, given the issues set out above, the incident response team is to consist of the information management service department and one member of the admission department. In addition, it must be ensured that the incident team has good knowledge of the data access and storage process.
As a potential incident, staff members have no authority to access and modify student records without administration permission. It is also to be considered that staff are not involved in the payment policies, i.e. staff members are not to take payment from students.
As an initial response, if any students face any difficulties then the admission authority has to be informed. After that, ITS members restore the data and find out who is responsible. Finally, staff members should implement the security policies.
The organization needs to implement the data protection acts as well as the computer misuse acts.
Another identified information security risk can have a negative influence on the brand image and reputation of the university under consideration, i.e. Salford University. It has been observed that cases of hacking have increased in recent times, and thus there is a potential risk that hackers attack the system of a lecturer of the university, which may result in the loss of the students' research work stored on the server. If this incident takes place, the students would directly sue the university in a court of law, which would hamper its brand image and reputation. This would have an adverse impact on its business, since the number of students joining the university in the succeeding year would decrease. Taking the above risk into consideration, the situation can be described as follows:
Controlling Procedure
Suppose the number of students = 15,000 (approx.), and it is estimated that around 3,000 students take admission for the master's degree course each year. Due to loss of reputation, the university would experience a loss, i.e. a reduction in admissions = 10%.
3,000*10% = 300 students i.e. number of students taking admission would reduce to 300 from 3,000.
Again if it is considered that the average fees that is paid by the students every year = £4,000
Then if the risk event that has been described above occurs then total fees earned by the university = 300*4000 = £1,200,000
Therefore, Single Loss Expectancy (SLE) = £1,200,000
Again, if it is observed that the Annual Rate of Occurrence of the risk event is 40%, then it can be said that the event can take place 2 times within 5 years.
Therefore, Annualized Loss Expectancy (ALE) = £1,200,000*40% = £480,000
So, taking into consideration the above figures and aspects, it becomes important on the part of the university to organize various training programs to make the individuals familiar with the practices that need to be followed and the ethics that need to be maintained by the lecturers.
The number of trainees i.e. the lecturers = 60 and 20 employees
Number of days = 2
Amount spent on each trainee for 2 days training = £600
It is expected that the above strategy would reduce the Annual Rate of Occurrence (ARO) by around 40%, and the management is around 90% sure of the effectiveness of the strategy. So the percentage of uncertainty = 10%.
So, ARO = 40%*0.6
ALE = £1,200,000*(40%*0.6)*1.10 = £316,800
Moreover the cost of implementation of the strategy can be calculated as follows:
£600*80 = £48,000
However it is important to analyze the benefit against the cost
i.e. if the present ALE + Cost involved in implementing the control is less than the previous ALE, then it can be inferred that the strategy is effective and efficient.
Present ALE + Cost = £316,800 + £48,000 = £364,800
Previous ALE = £480,000
So it is observed from the above calculation that the present ALE + cost (£364,800) is less than the previous ALE (£480,000), thus it can be inferred that the strategy that has been implemented is effective.
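The cost-benefit test used above, written out as an added Python example (not part of the original report): it reproduces the training-control figures for this risk and also derives the break-even cost, which the report does not compute. The names `Control`, `evaluate` and `rank`, and the second control with its figures, are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP


@dataclass(frozen=True)
class Control:
    name: str
    aro_reduction: Decimal  # fraction of the ARO removed by the control (0..1)
    confidence: Decimal     # management's confidence in that estimate (0..1)
    annual_cost: Decimal    # yearly cost of running the control, in pounds


def pounds(value: Decimal) -> Decimal:
    """Round to whole pounds, as the report's figures are."""
    return value.quantize(Decimal("1"), rounding=ROUND_HALF_UP)


def evaluate(sle: Decimal, aro: Decimal, control: Control) -> dict:
    """Apply the report's test: ALE with control + cost < ALE without control."""
    for label, frac in (("aro_reduction", control.aro_reduction),
                        ("confidence", control.confidence)):
        if not Decimal(0) <= frac <= Decimal(1):
            raise ValueError(f"{label} must be between 0 and 1, got {frac}")
    if sle < 0 or aro < 0 or control.annual_cost < 0:
        raise ValueError("SLE, ARO and cost must be non-negative")

    ale_before = sle * aro                            # ALE = SLE x ARO
    residual_aro = aro * (1 - control.aro_reduction)  # e.g. 40% x 0.6
    uplift = 1 + (1 - control.confidence)             # 10% uncertainty -> 1.10
    ale_after = sle * residual_aro * uplift
    total = ale_after + control.annual_cost
    return {
        "name": control.name,
        "ale_before": pounds(ale_before),
        "ale_after": pounds(ale_after),
        "total_with_control": pounds(total),
        # Highest annual cost at which the control still pays for itself.
        "break_even_cost": pounds(ale_before - ale_after),
        "net_benefit": pounds(ale_before - total),
        "worthwhile": total < ale_before,
    }


def rank(sle: Decimal, aro: Decimal, controls: list) -> list:
    """Order candidate controls by net annual benefit, best first."""
    results = [evaluate(sle, aro, c) for c in controls]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


# Figures from the report for the reputation risk.
SLE = Decimal("1200000")
ARO = Decimal("0.40")
TRAINING = Control("Staff security training", Decimal("0.40"),
                   Decimal("0.90"), Decimal("48000"))
# Constructed comparison control; these figures are NOT from the report.
CONSTRUCTED = Control("Constructed: outsourced monitoring", Decimal("0.30"),
                      Decimal("0.80"), Decimal("200000"))

if __name__ == "__main__":
    for row in rank(SLE, ARO, [CONSTRUCTED, TRAINING]):
        print(row)
```

The break-even cost shows how much headroom the decision has: the training control stays worthwhile at any annual cost below the ALE reduction it delivers.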
Even though the strategy has been shown to be effective in financial terms, it is important for the management of the University to conduct an audit, and this would be conducted in two phases.
Cost Benefit Analysis
A phishing test would be conducted to identify whether the lecturers and the employees have learnt effectively from the training sessions.
A survey would be conducted with the help of the questionnaire method to evaluate the ethics of the employees in the context of security.
Moreover, for successful implementation of the above strategy, the university needs to implement certain policies in relation to the maintenance of ethics. The policy would put forward codes of control for the staff members that would guide them in terms of the good practices and security that need to be maintained, and would also make provision for the training sessions. The main purpose of the policy would be to establish an organizational culture that promotes consciousness and awareness of the security of information and data. The policy would be applicable to the ITS department of the university, the lecturers and the other individuals who have the right to access information which is sensitive in nature.
The policy would guide the management in organizing training programs so that the staff members and the lecturers remain up to date on security threats, and it would be mandatory for new employees to undergo this training. Moreover, ensuring that the policy is complied with within the university would be the responsibility of the ITS department.
This would be controlled and maintained under the Principles of Incident Management set out in ISO/IEC 27035-1.
The team would consist of all the members of the ITS department and members from the Board of the University. They would have to be efficiently trained so that they are capable of identifying incidents of unauthorized access, malware threats, damage to IT equipment, abnormal traffic on the server and the disabling of protective mechanisms.
Moreover, they would be responsible for carrying out the following procedures: reviewing the system logs, determining the rights of individuals to authorized access to the information, analyzing the impact of the identified risk on the university and formulating strategies to mitigate the impact of the risk.
In addition to the above risks, it is also possible that students of the university might gain access to the exam papers if the papers are printed in the absence of the lecturer or any staff member, or are not collected immediately after they have been printed. Taking this scenario into consideration, the TVA analysis is as follows:
It might happen that a student is present at the time when the exam papers are being printed, or that the exam papers have been left at the printing house and have not been collected at the right time. This would give the student access to the exam papers.
The vulnerability relates to the ethics of staff security. This refers to the lack of responsibility on the part of the staff members to remain physically present at the printing house where the papers are being printed. It might also happen that the staff member lacks seriousness and has thus left the papers at the printing house instead of collecting them at the right time.
The asset in this particular scenario is the exam papers written by the lecturers of the University.
Thus taking into consideration the above risk, the situation can be described as follows:
Suppose the number of pages in the question booklet = 10 pages
Cost of printing the paper for each student = 40p
Number of students appearing for the exam = 2,000
Total cost incurred = 2000*0.40 = £800
Number of papers that each student would sit = 4 papers
Therefore cost = £800*4 = £3,200
Therefore, SLE = 2000*4*0.40 = £3,200
Again, if it is assumed that the probability of occurrence of the event is 400%, it can be inferred that the event can occur 4 times in a year.
Therefore Annual Rate of Occurrence (ARO) = 400%
Therefore ALE = £3,200*2 = £6,400
Moreover, it is important for the management of the University to implement certain control measures in order to avoid the risks. In this context, the management should emphasize printing the exam papers on the day on which the exam is going to be conducted rather than printing them beforehand. If this strategy is implemented, it is expected to reduce the ARO by 380%. Moreover, the control would increase to 85%, which means there would be an uncertainty of 15%. This would lead to an increase in ALE by 15%.
Therefore present ALE = 3,200*(4*0.2)*1.15 = £2,944
So in this case it is observed that the ALE is reduced by (£6,400-£2,944) = £3,456
It is also important to take the implementation of the control into consideration. If the strategy is implemented, the staff members responsible for printing the exam papers have to arrive at the University premises earlier than usual.
If the exams are expected to start by 10 am, the staff members should be present by 7 am. Suppose the hourly wage = £7. If 4 staff members have been appointed and they have to work 3 hours extra, then they have to be paid for that.
Therefore hourly wage rate = £7
Total wage for extra 4 hours = (£7*4) = £28
Again, 4 teachers need to be appointed and the exam would be conducted over 4 days.
Therefore extra cost on the part of the University would be = £28*4*4 = £448
Analyzing the benefits to the University against the costs incurred, if the present ALE + the cost of the control remains less than the previous ALE then the strategy would be considered effective.
Thus, £2,944 + £448 = £3,392 < £6,400
Therefore the strategy that would be implemented can be considered as effective and efficient.
Finally, it is observed that the above strategy can be implemented to conduct the exam in an efficient manner. The risks involved in the exams include delay, rescheduling and cancellation of the exam, and if these risks are not mitigated, controlled and managed then they would add to the costs of the University.
If the above strategy is implemented, it would enhance the control to 85%. Under this strategy, the students need to be seated for the exam by 9 am, and with the implementation of the strategy the ARO of the event would also be reduced.
It is also important that the above strategy is audited in order to identify the number of staff members present at the printing house while the question papers are being printed and to evaluate the time taken to print the question papers.
Certain policies also need to be implemented which would put forward rules and regulations regarding the conduct of the exam. They would also emphasize ensuring that the exams are conducted efficiently and that the associated risks can be effectively identified and treated. The policy also states that three sets of question papers should be prepared by the lecturers and that the papers would be printed on the day on which the exam is going to be held.
As regards the response to an incident, it is important for the management to follow the principles of incident management set out in ISO/IEC 27035-1.
The response team formed for the implementation of the strategy would consist of lecturers and examiners, and the members need to be trained so that they can manage the risk efficiently. The training would emphasize entering into conversation with the students and the re-marking of the booklets.
The potential incidents would include news among the students regarding the leakage of the question papers, and the time taken by the students to complete the exam.
Critical Analysis of the Strategies Implemented
From the above assignment, it can be inferred that there are various risks related to information security that Salford University can encounter while conducting its operations of providing high quality education to its students. It is therefore important for the University to identify the risks efficiently and formulate strategies so that the identified risks can be mitigated, controlled and managed in an effective and efficient manner. From the above it has been observed that there is a high chance that the University can lose the data of the students who have taken admission to study there. The critical analysis of the incident reveals that this type of incident is expected to occur in the University mainly because of the bad security ethics of the staff members involved in maintaining the records of admission applications; they also lack the seriousness to shut their machines down when leaving their place, which in turn may result in the loss of the data. In this context, it has been observed that the university is planning to employ a security guard, together with making provision for keeping a backup of the data on a daily basis by increasing the salary of the ITS service managers and getting the work done by them. The review analysis indicates that both of the strategies taken into consideration would be beneficial for the University, since the cost benefit analysis reveals the same. The most important point to note, however, is which strategy would be more profitable and would incur lower cost. Here the critical analysis reveals that increasing the salary of the managers and keeping the data backup on a daily basis would be more profitable, since it is considered cost effective and would provide great benefits. In this situation the University would have to take the legal and ethical aspects into consideration while implementing the strategy.
The ethical aspect is whether it would be ethical on the part of the University to get more work done by the managers by paying them more, i.e. increasing their working time, and whether the managers can be relied upon not to make mistakes like the staff members of the admission cell. The legal aspects include factors such as the University having to operate under legislation like the Data Protection Act and the Act under which authority can be given to some members of the University to have access to the relevant information (Determann, 2012).
Another risk that would be faced by the University is the risk of hackers, which would lead to the leakage of the students' research papers. For this the University needs to implement some security systems, and the lecturers and staff members need to be trained so that they become proficient in identifying the risks of hacking and are familiar with preventive systems such as firewalls. The critical analysis reveals that training and forming a team to look into the hacking risks would be an effective strategy, since the benefits would outweigh the costs. In this context, the ethical consideration is that the University cannot maintain a casual approach towards the careers of the students, since if their papers are hacked it would spoil their careers, and thus proper security needs to be maintained. On legal grounds, leakage of the students' research papers would give them the right to sue the University in a court of law for maintaining a casual approach towards the storage and maintenance of the data (Fu et al., 2010).
Finally, the University might also face the risk of the question papers being leaked before the exam because of the lack of ethics and responsibility on the part of the staff members. The strategy of printing the question papers on the day of the exam would prove to be effective. Analyzing the situation from the ethical point of view, it can be inferred that it would be a lack of ethics on the part of the staff members not to remain present at the printing house when the papers are being printed, or to delay collecting the papers. In legal terms it is also not lawful for them to maintain such a casual approach towards the examination and the printing of the question papers, and they can be sued by the students in a court of law (Jori, 2015).
Critical Analysis of the hurdles while applying Strategies and Contingencies for forming a Culture of Security
The risks which are estimated are loss of assets, loss of reputation and loss of duplicity in information. The purpose of this analysis is to set out the policy of the university and the operating model for information security, which implies protecting data so that it cannot be accessed by just any individual and the security rules are not broken. The information which is shared has to be protected by different means so that the goals, objectives and preferences are secure. The information is the electronic and hardcopy stored data and files, covering their whole life cycle from creation by the university to correct disposal. From the above scenario it can be seen that the organization suffers from problems in its data and information security process (Makulilo, 2012). Thus, from the facts and figures presented, the organization needs to implement a better security process as well as backup policies. It is also observed that some students face problems regarding admission fees, i.e. when they want to submit their fees they find that their records are not available in the organization's database. In response to this problem, the policies should state that the organization needs to use a backup process and better security, and give authority to access the data to only one person, which will help it to protect its data and information. The most significant barrier to implementing these strategies within the organization is that, if an organization does not have good technical staff, it is not able to implement them. In addition, these strategies change the organization's processes and policies and are thus not easy to implement within the organization or university. Another barrier is financial, i.e. the price of computer equipment is high.
A further barrier to implementing these strategies is that they are time consuming and that good trainers may be unavailable, because without good trainers staff members cannot perform better work. It is also observed that the organization faces problems in the physical, personnel, policy and technical areas. Thus, in order to provide better student satisfaction and better performance, the organization needs to implement security for its physical devices, including hardware, network and administered security. With better policies and procedures the organization can improve its performance as well as reduce its security problems in an effective and efficient manner. The organization also needs to implement data protection acts and policies. Moreover, the opportunities offered by implementing the policies and the security system within the organization are improved data security and enhanced data protection. The organization thereby protects its confidential information related to student information and staff data records. It also reduces threats and builds a better brand image, i.e. a better reputation in the market, and this will help it to increase the number of students. Apart from that, confidential data and information should be kept more secure and stored in dedicated and practicable storage such as a file server, rather than on a local computer or local disk; this will provide the organization with a proper level of physical security (Heng, Wright and Goi, 2010). In the university, it is found that the organization suffers problems related to the loss of student records and their theses or research papers; thus, by implementing controls that are cost effective according to the Annualized Loss Expectancy process, the organization improves its existing security in a well organized manner.
In addition, password techniques allow only one person to access the database, so that other staff members are not able to access and retrieve student records from the database. Therefore, by implementing policies and security in physical as well as software devices and providing better training, the organization not only increases revenue, performance and security but also increases staff and student satisfaction with a better quality of service.
Thus, from the above scenario, it is inferred that the organization must implement the above strategies and policies in order to improve performance and provide better security for its database.
Reflective report on the process
This assignment is focused upon the university's problems related to data and information not being available in a proper manner. Therefore, in this assignment I had to learn how data and information are protected within the organization and also learn their importance from the organization's perspective. On the other hand, I learned about IT rules and regulations including data protection laws, Communications Decency Act 1996 (UK) Companies Act 2006, Computer Misuse Act 1990, Consumer Credit Act 1974, UK Consumer Protection Act 1987 (Product Liability) (Modification), Criminal Justice (Terrorism and Conspiracy) Act 1998, Criminal Justice Act 1988, Criminal Justice and Public Order Act 1994 and electronic commerce regulation 2002 (Fafinski, 2009). In addition, in this assignment I learned the importance of a backup system and how it will help the organization. On the other hand, in the present assignment I learned how brand and reputation affect the organization's performance. Apart from that, it is also observed that the data and information stored in the database need more security. Lastly, I learned the importance of the firewall system and the training system in the organization. In addition, from this assignment I learned how firewall techniques help the organization and also protect the network in an effective and efficient manner.
Therefore, in this assignment I personally feel that the organization should implement a dual firewall technique and also needs to implement cryptography techniques. On the other hand, I suggest that the organization needs to create its own servers and make its own application programs, which will help it to secure its data in a more effective manner. On the other hand, I personally suggest that the organization or computer administrator needs to implement a continuous password changing process, which helps to improve security related to passwords. Moreover, the organization needs to implement fragmentation techniques in its database process, which help it to secure and store data in an appropriate manner and also provide better database storage, because with fragmentation data will be stored in an appropriate manner (Huang, MacCallum and Du, 2010). In addition, with the help of better monitoring techniques the organization can secure its system in a better way. An information management system helps the organization to secure and filter data and also makes it easier to secure its data in an effective manner. In addition, if data and information from student records are stolen, then in such a situation the organization needs to implement a proxy server, which will help it to secure the network and prevent unwanted data or hackers from entering through it (Sarngadharan and Minimol, 2010). Lastly, the organization needs to implement and perform a routine scanning process, which helps it to identify theft and provide security. In addition, in the present technologically advanced market, it is observed that most hackers are hacking data and information through the network, i.e. via computer networking. Thus, in this scenario it is suggested that with the implementation of patching or an intrusion prevention system the organization can make its data more secure.
On the other hand, in present scenario it is to be observed that organization needs to implement disaster recovery process system because in something it is to be seen that if any reason if organization loss their server then they recover their effective data and information through it.
Therefore form the above discussion I personally suggest that organization need to implement cloud computing technique and store their effective data in it because in disaster situation organization recovers their effective data and information.
Agrawal, R. (2009). Risk management. Jaipur, India: ABD Publishers.
Alexander, P. (2008). Information security. Westport, Conn.: Praeger Security International.
Das, S. and Das, S. (2006). Risk management. Singapore: John Wiley & Sons.
Determann, L. (2012). Determann's field guide to international data privacy law compliance. Cheltenham, UK: Edward Elgar.
Fafinski, S. (2009). Computer Misuse. Uffculme: Willan Pub.
Fu, Y., Chen, Z., Koru, G. and Gangopadhyay, A. (2010). A privacy protection technique for publishing data mining models and research data. ACM Trans. Manage. Inf. Syst., 1(1), pp.1-20.
Heng, S., Wright, R. and Goi, B. (2010). Cryptology and network security. Berlin: Springer.
Huang, S., MacCallum, D. and Du, D. (2010). Network security. New York: Springer.
Jori, A. (2015). Shaping vs applying data protection law: two core functions of data protection authorities. International Data Privacy Law, 5(2), pp.133-143.
Krause, A. (2006). Risk management. Bradford, England: Emerald Group Pub.
Makulilo, A. (2012). Privacy and data protection in Africa: a state of the art. International Data Privacy Law, 2(3), pp.163-178.
Sarngadharan, M. and Minimol, M. (2010). Management information system. Mumbai [India]: Himalaya Pub. House.
Catlett, C. (2013). Cloud computing and big data. Amsterdam: IOS Press.
Christianson, B. (2002). Security protocols. Berlin: Springer.
Czarnecki, K. and Hedin, G. (2013). Software language engineering. Berlin: Springer.
Harrington, J. (2005). Network security. Amsterdam: Elsevier.
Kambayashi, Y., Mohania, M. and Tjoa, A. (2000). Data warehousing and knowledge discovery. Berlin: Springer.
Knipp, E. and Danielyan, E. (2002). Managing Cisco network security. Rockland, MA: Syngress.
Kurose, J. and Ross, K. (2008). Computer networking. Boston: Pearson/Addison Wesley.
MacKinnon, L. (2012). Data security and security data. Berlin: Springer.
Mankell, H. (2002). Firewall. New York: New Press.
McNab, A. (2000). Firewall. New York: Pocket Books.
Pfleeger, C. (1997). Security in computing. Upper Saddle River, NJ: Prentice Hall PTR.
Physical-layer security. (2011). Journal of Communications and Networks, 13(5), pp.545-545.
Pineiro, R. (2002). Firewall. New York: Forge.
Rowe, S. and Schuh, M. (2005). Computer networking. Upper Saddle River, NJ: Pearson/Prentice Hall.
Shinder, D. (2001). Computer networking essentials. Indianapolis, IN: Cisco Press.
Sosinsky, B. (2011). Cloud computing bible. Indianapolis, IN: Wiley.
Taylor, E. (2011). UK schools, CCTV and the Data Protection Act 1998. Journal of Education Policy, 26(1), pp.1-15.
Jayeju-akinsiku, B. (2002). Technology and Electronic Communications Act 2000. Computers & Security, 21(7), pp.624-628.
Highfield, M. (2000). The Computer Misuse Act 1990: Understanding and Applying the Law. Information Security Technical Report, 5(2), pp.51-59.