OSI model
Question:
Discuss safety and risk management analysis.
Security measures cannot guarantee 100% protection against every danger an organization faces. Risk analysis is therefore the process of assessing a system's vulnerabilities and the threats confronting it, and risk management is the process of implementing and maintaining countermeasures that reduce the effects of risk to an acceptable level. The present study deals with the related models, security standards and network protocols used in an organization; threats, vulnerabilities and tools are discussed as well.
OSI model: the Open Systems Interconnection model characterizes and standardizes the communication functions of a networked system.
IT security policy: it defines how a system or organization is to be secured by identifying constraints on the behaviour of the system's elements.
Security models for control are used to decide how security is deployed, which subjects can access the system, and which objects can be accessed; the approach formalizes the security policy (Webb et al. 2014). Security models of control are implemented by enforcing integrity, confidentiality and other controls. A model lays out broad rules that are then applied to the specific nature of a system.
State machine model: the model is based on a finite state machine, which is commonly used to model complex systems and deals with acceptors, recognizers and state variables. A state machine defines behaviour in terms of a finite number of states, the transitions between those states, and the actions that can occur on each transition.
One of the most common representations of a secure system is the state machine model. A state machine model monitors the status of a particular system in order to prevent it from slipping into an insecure state: if the initial state is secure and every transition the machine allows leads to a secure state, the system remains secure. The model is evaluated by examining the state of the system.
The information flow model extends the state machine model and serves as a basis for design. The flow model includes objects, state transitions and a lattice of states (security levels ordered from least to most sensitive). The goal of the information flow model is to prevent unauthorized and insecure information flow in any direction (Rittinghouse & Ransome, 2016). The model can make use of guards, which allow data to be exchanged between several systems only in the permitted directions.
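The state machine and information flow models above, worked through in code. This is an added example, not part of the essay: subjects and objects carry a sensitivity label from an ordered lattice, each access request is a candidate state transition, and a guard admits it only if the resulting state is still secure (no subject reads above its level, no subject writes below it, so information never flows downward). The lattice, subject and object names and the request sequence are all constructed for illustration.

```python
"""Security state machine with an information flow lattice.

Added example, not from the essay. Subjects and objects carry a sensitivity
label from an ordered lattice; every access request is a candidate state
transition, and the guard admits it only when the new state is still secure:
no subject reads an object above its level and no subject writes to an object
below its level, so information never flows downward. All names and labels
are constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordered lattice of sensitivity levels (higher number = more sensitive).
LATTICE = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def dominates(a: str, b: str) -> bool:
    """True when level a is at least as sensitive as level b."""
    return LATTICE[a] >= LATTICE[b]


class InsecureTransition(Exception):
    """Raised when a request would move the system into an insecure state."""


@dataclass
class SecurityState:
    subjects: dict          # subject name -> clearance level
    objects: dict           # object name -> classification level
    audit: list = field(default_factory=list)

    def decide(self, subject: str, action: str, obj: str) -> bool:
        """Guard: evaluate one transition without applying it."""
        s, o = self.subjects[subject], self.objects[obj]
        if action == "read":
            return dominates(s, o)      # no read up
        if action == "write":
            return dominates(o, s)      # no write down
        raise ValueError(f"unknown action {action!r}")

    def request(self, subject: str, action: str, obj: str) -> None:
        """Apply the transition if secure; refuse (and log) if not."""
        allowed = self.decide(subject, action, obj)
        self.audit.append(("allow" if allowed else "deny", subject, action, obj))
        if not allowed:
            raise InsecureTransition(f"{subject} may not {action} {obj}")


def replay(state: SecurityState, requests) -> list:
    """Run a sequence of requests, returning the allow/deny decision for each."""
    decisions = []
    for subject, action, obj in requests:
        try:
            state.request(subject, action, obj)
            decisions.append("allow")
        except InsecureTransition:
            decisions.append("deny")
    return decisions


# Constructed sample system: one analyst cleared to 'confidential', one intern.
SAMPLE_STATE = SecurityState(
    subjects={"analyst": "confidential", "intern": "public"},
    objects={"press_release": "public", "hr_records": "confidential",
             "board_minutes": "secret"},
)

SAMPLE_REQUESTS = [
    ("analyst", "read", "hr_records"),       # allow: same level
    ("analyst", "read", "board_minutes"),    # deny: read up
    ("analyst", "write", "press_release"),   # deny: write down (leak channel)
    ("analyst", "write", "board_minutes"),   # allow: write up
    ("intern", "read", "hr_records"),        # deny: read up
]

if __name__ == "__main__":
    print(replay(SAMPLE_STATE, SAMPLE_REQUESTS))
```

The guard is the whole point: `request` never mutates anything before `decide` has confirmed the transition is secure, and the denied request is still recorded in the audit trail, which is what a monitoring function on the state machine needs to see.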
IT security or cyber security standards are techniques, usually set forth in published form, that attempt to protect the IT environment of an organization's users. That environment consists of the users themselves, networks, devices, services and systems. The principal objective is reducing risk, including the prevention or mitigation of cyber attacks. ISO/IEC 27002 is one of the best-known codes of practice for managing information security in an organization (DeAngelo & Stulz, 2015). It is a common basis and practical guideline for developing organizational security standards and security management practices. The standard includes guidelines, best practices and recommendations for information security domains such as the following.
- Information security management policy
- Human resources security
- Organization of information security and asset management
- Physical and environmental security
- Incident management
- Business continuity and compliance
IT Security Risk Assessment
An IT security risk assessment is a document that reviews the possible threats an organization faces, natural or man-made. The threats are weighted by likelihood of occurrence, and the result is used to determine which threats to protect against. Enterprise risk management is one of the fundamental approaches to managing an organization, and it can be achieved on the basis of the committee's landmark work (Wu et al. 2014). An IT enterprise security evaluation is required to allow the organization to assess, identify and modify its overall security posture. The procedure is achieved through a commitment by organizational management to allocate resources and deploy security solutions. Depending on the size and complexity of the organization, the depth of the evaluation needs to be determined. Security risk assessment needs to be a continuous activity; in this perspective, comprehensive enterprise security management needs to be conducted in order to explore and manage security risks.
A sequence of operations that ensures the protection of data is known as a security protocol. A secure communication protocol provides protected delivery of data between two parties (Nkonya et al. 2015). For instance, the 802.11i standard provides the security functions of wireless LANs, and on the web SSL and its successor TLS are widely used to provide authentication and encryption when sending sensitive data such as credit card numbers to a vendor (SSL itself is deprecated; current deployments should use TLS). The basic elements of a security protocol are cryptography, information security controls, and protocols such as TLS, SSL and HTTPS. Access control authenticates the identity of users and grants access to specific resources according to permission levels and policies. A cryptographic algorithm, or cipher, is combined with other methods to encrypt data, and key management covers creating, distributing and maintaining the keys.
Peltier (2016) states that business process modelling is a commonly used business analysis technique that captures how work is carried out in a business by individuals from several groups and by technology, which is helpful in the present context. Changing technology tends to create the business process model as well as the technical detail. A business process model is a step-by-step explanation of the procedure that accomplishes a particular goal; it can cover variations and exceptions in the procedure, and its components help the organization take effective steps. It is not difficult for a procedure to become ingrained and lose value over time (Aven & Zio, 2014). The process flow is the activity of the primary path together with its variations; it presumes a specific set of allowed rules and enforces them, and the business rules need to be a specific set that is helpful for the business. A workflow diagram makes sense of this in a visual form showing the primary activity steps as well as the exceptions.
Contingency Planning
A contingency plan is required to help an organization respond effectively to a significant future event or situation that may or may not happen. It is called a contingency plan because it is used as the alternative when the results the organization expected fail to materialize (Yang et al. 2013). The steps of an IT contingency plan are outlined in NIST guidance. Developing a contingency planning policy creates the authority and guidance for the plan. Conducting a business impact analysis helps identify and prioritize the information systems and components that are critical to supporting business functions. Developing the information system contingency plan provides detailed guidance and procedures for restoring a damaged system, specific to that system's security, impact level and recovery requirements (Ahmed & Matulevičius, 2014). Plan testing, training and exercises validate the recovery capabilities: training prepares recovery personnel for plan activation, and exercising the plan helps the organization fulfil its objectives.
The requirements for drawing up the contingency plan come from a thorough analysis of the risks. Applying these principles in the risk assessment procedure means addressing the business-critical operations and identifying the risks to them (Feng, Wang & Li, 2014). It is important to strike a careful balance in preparing for the events that may occur.
The vulnerabilities involved in VoIP are not only flaws inherent in the VoIP application itself, but also flaws in the underlying systems, applications and protocols that VoIP depends on (Duncan, Zhao, & Whittington, 2017). The complexity of VoIP produces a large number of vulnerabilities affecting all three areas of information security: confidentiality, integrity and availability (CIA). For the purpose of organization, these vulnerabilities are grouped by the layers of the TCP/IP networking model (link layer, internet layer, transport layer and application layer), while recognizing that many vulnerabilities cross layers. Non-repudiation, access control and accounting, for instance, are left out of the vulnerabilities section despite their crucial importance to system security. Physical security is an important issue in all information systems, and VoIP is no exception; it is, however, very hard for tools to evaluate the status of physical security, so VoIP implementers need to consider physical threats explicitly (Baskerville, Spagnoletti, & Kim, 2014). While many attacks exploit weaknesses within one or more of the networking layers, some involve physical attack vectors, in particular the unused interfaces on VoIP hardware: data jacks, switch ports, the wireless range, and extra interfaces on the VoIP phone itself (for example a built-in hub). These interfaces should remain disabled unless they become necessary for functionality.
OSI Model and Network Monitoring
The OSI seven-layer model is an anchor commonly used for understanding the structure of a network architecture. However, many contemporary network protocols do not fit neatly into those seven layers. TCP/IP, managed by the Internet Engineering Task Force (IETF), is what the Internet actually runs on, and the IETF has never felt constrained to make TCP/IP conform to the OSI model. Many monitoring implementations address only the lower layers. In many respects this is monitoring 101: if the lower layers do not work, nothing else will work (Nicho, Khan & Rahman, 2017). But the fact that the lower layers are working does not mean the business can operate, and even if the business is running, it does not mean the customers are happy.
Monitoring in the upper layers is necessary to support meaningful, business-oriented service level agreements. The best approach is sometimes called "end user application monitoring", in which the actions of a user are simulated by the monitoring system and the response time and content of the target system are compared with thresholds. Errors, timeouts, or specific content can trigger alerts from the monitoring system. There are both commercial and open source solutions that reach into the upper layers.
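End-user application monitoring as described above, written out as an added example (not from the essay): a probe describes one simulated user action together with the thresholds mentioned in the text (expected status, expected content, content that must never appear, and a response-time limit), and `run_probe` executes it through an injected fetch function so it runs offline against constructed responses. The site, URLs and page bodies are invented; in production the fetch function would be a real HTTP client.

```python
"""End-user application monitoring with synthetic transactions.

Added example, not from the essay. A probe describes one simulated user
action (fetch a page) together with the thresholds the text mentions:
expected status, expected content, content that must never appear, and a
response time limit. run_probe executes it through an injected fetch function
so the example runs offline against constructed responses; in production the
fetch function would be an HTTP client. URLs and page bodies are made up.
"""
import time
from dataclasses import dataclass, field


@dataclass
class Probe:
    name: str
    url: str
    expect_status: int = 200
    expect_text: str = ""           # must be present (e.g. a login form marker)
    forbid_text: list = field(default_factory=lambda: ["Traceback", "Stack trace"])
    max_ms: float = 500.0


def run_probe(probe: Probe, fetch) -> list:
    """Return a list of alert strings; an empty list means the transaction passed."""
    alerts = []
    start = time.monotonic()
    try:
        status, body = fetch(probe.url)
    except Exception as exc:                      # timeouts, DNS failures, refused connections
        return [f"{probe.name}: error {type(exc).__name__}: {exc}"]
    elapsed_ms = (time.monotonic() - start) * 1000
    if elapsed_ms > probe.max_ms:
        alerts.append(f"{probe.name}: slow ({elapsed_ms:.0f} ms > {probe.max_ms:.0f} ms)")
    if status != probe.expect_status:
        alerts.append(f"{probe.name}: status {status} != {probe.expect_status}")
    if probe.expect_text and probe.expect_text not in body:
        alerts.append(f"{probe.name}: expected content missing")
    for marker in probe.forbid_text:
        if marker in body:
            alerts.append(f"{probe.name}: forbidden content {marker!r} present")
    return alerts


# Constructed stand-in for the target system (hypothetical host name).
FAKE_SITE = {
    "https://shop.example/login": (200, "<form id='login'>...</form>"),
    "https://shop.example/checkout": (200, "Traceback (most recent call last): ..."),
    "https://shop.example/slow": (200, "<form id='login'>"),
}


def fake_fetch(url):
    """Offline replacement for an HTTP client."""
    if url.endswith("/slow"):
        time.sleep(0.05)                          # simulate a 50 ms backend stall
    if url not in FAKE_SITE:
        raise TimeoutError("no response within 5 s")
    return FAKE_SITE[url]


PROBES = [
    Probe("login-page", "https://shop.example/login", expect_text="id='login'"),
    Probe("checkout", "https://shop.example/checkout", expect_text="Order summary"),
    Probe("slow-page", "https://shop.example/slow", expect_text="id='login'", max_ms=10),
    Probe("missing", "https://shop.example/nope"),
]


def run_all(probes, fetch=fake_fetch) -> dict:
    """Run every probe and map its name to the alerts it raised."""
    return {p.name: run_probe(p, fetch) for p in probes}


if __name__ == "__main__":
    for name, alerts in run_all(PROBES).items():
        print(name, alerts or "OK")
```

The forbidden-content check is the security-relevant one: a page that returns HTTP 200 with a stack trace in the body is a lower-layer "up" and an upper-layer failure, and it also leaks implementation details to whoever triggered it.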
In order to secure devices, it is important to deploy NIDS and HIDS in the organization. IDS stands for intrusion detection system. Intrusion detection systems are designed to analyze information, identify attacks, and respond to the intrusion. They differ from firewalls in that firewalls control the information that gets in and out of the network, while IDSs can identify unauthorized activity (Cole, Giné & Vickery, 2017). IDSs are also designed to catch attacks in progress inside the network, not just on the boundary between private and public networks. The two basic types of IDS are network-based and host-based. As the names suggest, network-based IDSs (NIDSs) look at the information exchanged between machines, and host-based IDSs (HIDSs) look at information that originates on the individual machines.
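The NIDS/HIDS split above, illustrated with an added example that is not part of the essay: the network-based detectors inspect traffic records exchanged between machines (a port sweep and an injection signature in an HTTP request line), while the host-based detector inspects events that originate on the host itself (repeated SSH login failures). Both log formats, all addresses and the signature patterns are constructed for the example; the parsers would be adapted to a real sensor's output.

```python
"""Network-based and host-based intrusion detection over sample logs.

Added example, not from the essay. Two small detectors show the split the
text describes: the NIDS part inspects traffic records exchanged between
machines (a port sweep and an injection signature in an HTTP request line),
the HIDS part inspects events that originate on the individual host (repeated
SSH login failures). Both log formats and all addresses are constructed for
the example; adapt the parsers to your own sensors.
"""
import re
from collections import defaultdict
from datetime import datetime

# ---- constructed NIDS input: "timestamp src dst dport payload" -------------
NET_FLOWS = """\
2024-05-01T10:00:01 10.0.0.5 10.0.0.10 21 -
2024-05-01T10:00:02 10.0.0.5 10.0.0.10 22 -
2024-05-01T10:00:02 10.0.0.5 10.0.0.10 23 -
2024-05-01T10:00:03 10.0.0.5 10.0.0.10 25 -
2024-05-01T10:00:04 10.0.0.5 10.0.0.10 80 -
2024-05-01T10:00:05 10.0.0.5 10.0.0.10 443 -
2024-05-01T10:00:09 10.0.0.7 10.0.0.10 80 GET /item?id=1' OR '1'='1
2024-05-01T10:00:12 10.0.0.8 10.0.0.10 443 -
2024-05-01T10:00:40 10.0.0.5 10.0.0.10 8080 -
"""

# ---- constructed HIDS input: syslog-style sshd lines ----------------------
HOST_LOG = """\
May  1 10:01:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
May  1 10:01:02 web01 sshd[1202]: Failed password for root from 203.0.113.9 port 51235 ssh2
May  1 10:01:03 web01 sshd[1203]: Failed password for root from 203.0.113.9 port 51236 ssh2
May  1 10:01:04 web01 sshd[1204]: Failed password for invalid user test from 203.0.113.9 port 51237 ssh2
May  1 10:01:09 web01 sshd[1205]: Accepted publickey for alice from 10.0.0.20 port 40000 ssh2
May  1 10:02:00 web01 sshd[1206]: Failed password for bob from 10.0.0.21 port 40001 ssh2
"""

# Illustrative signatures only; real rule sets are far larger.
SIGNATURES = {
    "sql-injection": re.compile(r"('|%27)\s*(or|and)\s*('|%27)?\d*'?\s*=", re.I),
    "path-traversal": re.compile(r"\.\./"),
}
FAILED_LOGIN = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")


def parse_flows(text):
    """Parse the constructed flow format into (time, src, dst, port, payload)."""
    records = []
    for line in text.splitlines():
        ts, src, dst, dport, payload = line.split(maxsplit=4)
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), payload))
    return records


def detect_port_scan(records, threshold=5, window_s=10):
    """NIDS: one source touching >= threshold distinct ports within window_s seconds."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport, _payload in records:
        by_src[src].append((ts, dport))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        for i in range(len(hits)):
            ports = {p for t, p in hits[i:] if (t - hits[i][0]).total_seconds() <= window_s}
            if len(ports) >= threshold:
                alerts.append((src, len(ports)))
                break                           # one alert per source
    return alerts


def detect_signatures(records):
    """NIDS: payload matched against known attack patterns."""
    return [(src, name) for _ts, src, _dst, _port, payload in records
            for name, rx in SIGNATURES.items() if rx.search(payload)]


def detect_brute_force(text, threshold=4):
    """HIDS: repeated authentication failures from one address on this host."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] += 1
    return [(ip, n) for ip, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    flows = parse_flows(NET_FLOWS)
    print("port scans:", detect_port_scan(flows))
    print("signatures:", detect_signatures(flows))
    print("brute force:", detect_brute_force(HOST_LOG))
```

Note what each detector can and cannot see: the NIDS spots the sweep because it watches many hosts' traffic at once, but it would miss the password guessing if SSH were the only thing on the wire (the payload is encrypted), while the HIDS sees every failed login but knows nothing about ports touched on other machines. That complementarity is why the text calls for both.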
Conclusion
From the above discussion, it can be concluded that it is vital to have an effective security policy and standards in the enterprise. Risk analysis is a fundamental part of any risk management program: the analysis process identifies the probable consequences or risks associated with the vulnerabilities and provides the basis for building a cost-effective security program. In this respect, the organization needs to deploy security tools and plan for securing its data.
References
Ahmed, N., & Matulevičius, R. (2014). Securing business processes using security risk-oriented patterns. Computer Standards & Interfaces, 36(4), 723-733.
Aven, T., & Zio, E. (2014). Foundational issues in risk assessment and risk management. Risk Analysis, 34(7), 1164-1172.
Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), 138-151.
Cole, S., Giné, X., & Vickery, J. (2017). How does risk management influence production decisions? Evidence from a field experiment. The Review of Financial Studies, 30(6), 1935-1970.
DeAngelo, H., & Stulz, R. M. (2015). Liquid-claim production, risk management, and bank capital structure: Why high leverage is optimal for banks. Journal of Financial Economics, 116(2), 219-236.
Duncan, B., Zhao, Y., & Whittington, M. (2017, February). Corporate Governance, Risk Appetite and Cloud Security Risk: A Little Known Paradox. How Do We Square the Circle?. In Eighth International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2017). IARIA.
Feng, N., Wang, H. J., & Li, M. (2014). A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information sciences, 256, 57-73.
Nicho, M., Khan, S., & Rahman, M. S. M. K. (2017). Managing information security risk using integrated governance risk and compliance.
Nkonya, E., Place, F., Kato, E., & Mwanjololo, M. (2015). Climate risk management through sustainable land management in Sub-Saharan Africa. In Sustainable Intensification to Advance Food Security and Enhance Climate Resilience in Africa (pp. 75-111). Springer International Publishing.
Olsson, O., Eriksson, A., Sjöström, J., & Anerud, E. (2016). Keep that fire burning: Fuel supply risk management strategies of Swedish district heating plants and implications for energy security. Biomass and Bioenergy, 90, 70-77.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.
Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for information security risk management. Computers & security, 44, 1-15.
Wu, D. D., Chen, S. H., & Olson, D. L. (2014). Business intelligence in risk management: Some recent progresses. Information Sciences, 256, 1-7.
Yang, Y. P. O., Shieh, H. M., & Tzeng, G. H. (2013). A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 232, 482-500.