Information Security and Risk Management - Section A 

Question 1- a) Define and explain the three main components of the CIA triad.


The CIA triad, the widely used model that guides IT security, is made up of three crucial components: confidentiality, integrity, and availability.


Confidentiality

Confidentiality is the set of rules that limits access to information. It is protected by restricting access to those who are authorized to view that data, which is one reason data and system classification is so important. Some risks associated with a lack of confidentiality are loss of privacy, unauthorized access to information, and identity theft.


Integrity

Integrity is the assurance that information is trustworthy and accurate. Data must not change in transit and must be protected from alteration by unauthorized parties. User access controls must be in place, and backups must be available for restoring affected data. Some risks of not protecting the integrity of data are fraud and information that is no longer reliable or accurate.


Availability

Availability is the guarantee that information can be accessed by authorized personnel when it is needed. It is ensured by maintaining hardware and software, as well as by keeping data backups and a good disaster recovery plan for the worst-case scenario. Risks associated with a lack of availability are business disruption, loss of revenue, and loss of reputation.

Question 1- b) Critically discuss the information security processes of identification, authentication, authorisation and accountability.



Identification is the presentation of a unique identifier. It is what a user (a person, client, software application, hardware device, or network) uses to differentiate itself from other subjects. A user presents identification to claim who he or she is. Identifiers created for users should not be shared with any other users or groups. Once a user has an identifier, the next step in accessing a resource is authentication.


Authentication is the process of validating the identity of a user. When a user presents its identifier, that identifier must be authenticated before access is granted. Authentication verifies identities and thereby provides a level of trust. There are three basic factors used to authenticate an identity:

  1. Something you know – The password is the most common form; passphrases and PINs are also used. Relying on one such factor is known as single-factor authentication. This form is weakened by poor password selection and storage.
  2. Something you have – This factor is an object the user possesses, such as an identification card, smartcard or token, each of which requires the user to hold "something" in order to authenticate. A more reliable authentication process requires two factors, such as something you know combined with something you have. This is known as two-factor (or multi-factor) authentication.
  3. Something you are – The strongest authentication factor is something you are: a unique physical characteristic such as a fingerprint, retina pattern or DNA. Measuring these characteristics is called biometrics. The strongest authentication process requires all three factors, and facilities or applications that are highly secret or sensitive use all three to authenticate a user.


Authorization is the process of allowing users who have been identified and authenticated to use certain resources. Limiting access to resources by establishing permission rules provides better control over users' actions. Authorization should be granted on the principle of least privilege: granting no more privilege than is required to perform a task or job, and for no longer than the minimum time required to complete it. This restrictive process limits access, creates a separation of duties and increases accountability.


The final piece of the puzzle is accountability. Imagine a user who has been given certain privileges to do their work. What happens when he or she decides to misuse those privileges? If audit logs are available, you can investigate and hold the subject who misused those privileges accountable on the basis of those logs. The subject must be held accountable for the actions taken within a system or domain, and the only way to ensure this is if the subject is uniquely identified and the subject's actions are recorded. Auditing capabilities ensure users are accountable for their actions, verify that security policies are enforced, and can be used as investigation tools.
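The following is an added example, not part of the original answer, that ties the four processes together in one small access-control model: unique identifiers, two-factor authentication (password plus a token-derived code), time-bounded least-privilege grants, and an audit log that records every attempt. All user names, passwords and token secrets are constructed for the example, and timestamps are passed in explicitly so the behaviour is deterministic.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: a small access-control model showing the four processes
# described above. User names, passwords and token secrets are all made up.

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def token_code(token_secret: bytes, counter: int) -> str:
    """Something you have: the 6-digit code a hardware token would derive."""
    digest = hmac.new(token_secret, str(counter).encode(), "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)    # identifier -> (salt, pw_hash, token_secret)
    grants: dict = field(default_factory=dict)   # identifier -> [(permission, expires_at)]
    audit_log: list = field(default_factory=list)

    def register(self, identifier, password, token_secret):
        # Identification: the identifier must be unique so actions can be attributed to it.
        if identifier in self.users:
            raise ValueError(f"identifier {identifier!r} already in use")
        salt = secrets.token_bytes(16)
        self.users[identifier] = (salt, _hash_password(password, salt), token_secret)
        self.grants[identifier] = []

    def authenticate(self, identifier, password, code, counter):
        # Authentication: something you know (password) AND something you have (token code).
        ok = False
        if identifier in self.users:
            salt, pw_hash, token_secret = self.users[identifier]
            ok = (hmac.compare_digest(pw_hash, _hash_password(password, salt))
                  and hmac.compare_digest(code, token_code(token_secret, counter)))
        self._record(identifier, "authenticate", "success" if ok else "failure")
        return ok

    def grant(self, identifier, permission, expires_at):
        # Least privilege: a grant names one permission and expires when the task should be done.
        self.grants[identifier].append((permission, expires_at))

    def authorize(self, identifier, permission, now):
        # Authorization: allowed only if an unexpired grant covers exactly this permission.
        allowed = any(p == permission and exp > now for p, exp in self.grants.get(identifier, []))
        self._record(identifier, f"use:{permission}", "allowed" if allowed else "denied")
        return allowed

    def _record(self, identifier, action, outcome):
        # Accountability: every attempt, successful or not, is logged against the identifier.
        self.audit_log.append({"who": identifier, "action": action, "outcome": outcome})
```

Denied requests are logged as well as allowed ones, so the audit log supports the investigation the answer describes rather than only recording successes.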

Question 1- c) List and critically discuss three challenges in shaping the security policy.


Three challenges in shaping the security policy:

  • Enterprise Information Security Policy (EISP)
  • Issue-Specific Security Policies (ISSP)
  • System-Specific Security Policies (SysSP)

Enterprise Information Security Policy (EISP)

The EISP sets the strategic direction, scope, and tone for all internal security efforts.

EISP Elements:

  • Overview of the corporate philosophy on security.
  • Information about the structure of the InfoSec organisation and individuals who fulfil the InfoSec role.
  • Fully articulated responsibilities for security that are shared by all members of the organisation (e.g. employee, contractor)
  • Fully articulated responsibilities for security that are unique to each role within the organisation

Issue-Specific Security Policies (ISSP)

An ISSP provides detailed guidance to instruct all members of the organisation in the use of its resources.

An effective ISSP accomplishes the following:

  • it articulates the organisation's expectation about how its technology-based resources should be used.
  • it defines how the technology-based resources are controlled.
  • it indemnifies the organisation against liability for an employee's inappropriate or illegal use of the resource.

An ISSP has three characteristics:

  • it addresses specific technology-based resources.
  • it requires frequent updates.
  • it contains a statement explaining the organisation’s position on a particular issue.

System-Specific Security Policies (SysSP)

A SysSP functions as the standards and procedures to be used when configuring or maintaining systems.

A SysSP is needed for any technology that affects the confidentiality, integrity or availability of information.

SysSPs can be separated into two general groups:

  • Managerial Guidance
  • Technical Specifications

Question 1- d) Critically discuss the importance of the maintenance phase for information security management systems.


In the PDCA cycle this is where the focus moves to "check" and "act". Maintaining the effectiveness of the ISMS requires security controls that have measurable outputs; implementing controls with no output, as a "just in case" approach to information security, is often wasteful and expensive. Taking the information assets, as well as the way they are hosted (e.g. networks) and accessed (e.g. applications, file shares, databases), ISMS stakeholders should reasonably expect to be able to identify:

  • Who has access
  • How many accesses have occurred
  • How many security incidents have occurred
  • How suspected incidents were resolved or loss limited.

ISMS maintenance requires, as a minimum, being able to audit activity. Better still, being able to monitor assets, access and activities as they occur offers a real opportunity to ensure that systems, services, users and data are operating as you expect and as required, and that they are promptly fixed when they do not.

In the context of information security, critically discuss the differences between policies, standards, guidelines and procedures.


Policies

  • A policy is a high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes.
  • Essentially, a policy is a statement of expectation that is enforced by standards and further implemented by procedures.
  • External influences, such as statutory, regulatory, or contractual obligations, are commonly the root cause of a policy's existence.


Standards

  • Standards are formally established requirements in regard to processes, actions, and configurations.
  • Standards are finite, quantifiable requirements that satisfy control objectives.
  • Exceptions are always granted to standards and never to policies. If a standard cannot be met, it is generally necessary to implement a compensating control to mitigate the risk associated with that deficiency.


Procedures

  • Procedures are a formal method of doing something, based on a series of actions conducted in a certain order or manner.
  • Procedures are the responsibility of the asset custodian to build and maintain in support of standards and policies.


Guidelines

  • Unlike standards, guidelines allow users to apply discretion or leeway in their interpretation, implementation, or use.
  • Guidelines are generally recommended practices that are based on industry-recognized practices or cultural norms within an organization.
  • Guidelines help augment standards where discretion is permissible.

Information Security and Risk Management - Section B

Question 2- a) Critically discuss three benefits of project management in the field of information security.


Clearly, there are many risks when it comes to establishing information security in project management. Although these could be hazardous to your project, the good news is that you can easily avoid them: you just need to define information security clearly throughout the entire project life cycle. Risk management is the ultimate tool for pinpointing what you need to change in your project to avoid problems and execute it securely.

Some might wonder whether it is possible to execute a project without considering information security. Obviously, one can manage a project without establishing proper infosec, but there will be a much higher probability of failure.

From a professional viewpoint, and since information security should be of the highest importance to any project manager, the main benefit of secure project management is plainly clear: avoidance of any potential breaches of information security within a project.

Fortunately, ISO 27001 is specifically designed to establish proper information security and includes a specific control on the treatment of information security in project management. Therefore, ISO 27001 can be an excellent tool for executing secure projects within your organization.

Question 2- b) List and critically discuss three key areas of concern for risk management.


Identify Potential Threats

Once the business environment is clearly understood, those involved in it are able to assess the potential business risks realistically. These threats must be identified on an ongoing basis, as part of the annual cycle of analysing areas of concern, so that they can be planned for; they are usually identified in the business plan, its objectives and the initiatives written to support them. An example would be succession planning. Identifying these risks before they materialise is the ideal way to reduce the incidence of the risks that may arise.

Evaluate Threat Profile

Determining the risks associated with a process involves prioritising the risks and measuring their severity and probability. Once the overall risk profile has been articulated, measures are taken to address them. Every successful company puts these processes and analysis tools in the hands of all employees to ensure that threats are addressed and action plans are drawn up.

Determine what to do

Once a course of action has been identified, it should be adopted, with responsibilities assigned correctly and deadlines set for completion.

The possible actions for risk management include:

  • Avoid the risk entirely
  • Reduce the probability of risk occurring
  • Reduce the impact of risk
  • Transfer the risk
  • Accept the risk

Question 4- a) List and critically discuss three components of contingency planning.


Business impact analysis (BIA)

Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an essential component of an organization's business continuity plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. The result is a business impact analysis report, which describes the potential risks specific to the organization studied.

One of the basic assumptions behind BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes.

Incident Response (IR) Plan

An incident response plan is a set of instructions to help IT staff detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work.

A sufficient incident response plan offers a course of action for all significant incidents. Some incidents lead to massive network or data breaches that can impact your organization for days or even months. When a significant disruption occurs, your organization needs a thorough, detailed incident response plan to help IT staff stop, contain, and control the incident quickly. For physical disruptors, such as natural disasters and flooding, create a disaster recovery plan.

If your network hasn't been threatened yet, it will be. If it has, then you know the chaos that can follow a cyber attack. Whether a threat is virtual (security breaches) or physical (power outages or natural disasters), losing data or functionality can be crippling. An incident response plan and a disaster recovery plan help you mitigate risk and prepare for a range of events.

Disaster Recovery (DR) Plan

Businesses use information technology to process information quickly and effectively. Employees use electronic mail and Voice over Internet Protocol (VoIP) telephone systems to communicate. Electronic data interchange (EDI) is used to transmit data, including orders and payments, from one company to another. Servers process information and store large amounts of data. Desktop computers, laptops and wireless devices are used by employees to create, process, manage and communicate information. What do you do when your information technology stops working?

An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.

Question 4- b) Critically discuss three objectives of the planning and risk assessment domain of the maintenance model.

The objective of the planning and risk assessment domain is to monitor the entire information security program. This main objective is attained by identifying and addressing information security measures that will reduce risk. In addition, a risk assessment group finds and records the security risks inherent in IT and information security projects, as well as the risks inherent in the existing environment. This domain also includes the establishment of a formal review process that integrates with IT and planning, and a formal project follow-up process to identify, select, plan and manage how information security follow-up activities function.

This domain also requires coordination with IT projects for risk assessment of those projects, to ensure that risks introduced by each project are understood, recorded, and have bearing on project planning. Risk assessment activities such as those mentioned above should encourage all entities of an organization to perform risk assessments when technology systems are changed or introduced. This domain is important because it enables the organization as a whole to identify project risks so that they can then take countermeasures to reduce those risks inherent in a project.
