There are three crucial components that make up the elements of the CIA triad, the widely-used model designed to guide IT security. Those components are confidentiality, integrity, and availability.
The set of rules which limits access to information. It is important to protect confidentiality by restricting access to those who are authorized to view that data. This is one reason data and system classification is so important. Some risks associated with lack of confidentiality are loss of privacy, unauthorized access to information, and identity theft.
The assurance that the information is trustworthy and accurate. Data must not change in transit and must be protected from alteration by unauthorized parties. User access controls must be in place and backups must be available for restoring affected data. Some risks involved with not protecting the integrity of data are fraud and information that is no longer reliable or accurate.
The guarantee that information can be accessed by authorized personnel. Availability is ensured by maintaining hardware and software, as well as having data backups and a good disaster recovery plan for the worst case scenario. Risks associated with lack of availability are business disruption, loss of revenue, and loss of reputation.
Identification is a unique identifier. It is what a user – (person, client, software application, hardware, or network) uses to differentiate itself from other objects. A user presents identification to show who he/she is. Identifiers that are created for users should not be shared with any other users or groups. Once a user has an identifier the next step taken to access a resource is authentication.
Authentication is the process of validating the identity of a user. When a user presents its identifier, prior to gaining access, the identifier (identification) must be authenticated. Authentication verifies identities thereby providing a level of trust. There are three basic factors used to authenticate an identity. They are:
Authorization is the process of allowing users who have been identified and authenticated to use certain resources. Limiting access to resources by establishing permission rules provides for better control over users actions. Authorization should be granted on the principle of least privilege. Least privilege is granting no more privilege than is required to perform a task/job, and the privilege should not extend beyond the minimum time required to complete the task. This restrictive process limits access, creates a separation of duties and increases accountability.
The final piece in the puzzle is about accountability. Imagine where a user has been given certain privileges to work. What happens when he/she decides to misuse those privileges? If the audit logs are available, then you’ll be able to investigate and make the subject who has misused those privileges accountable on the basis of those logs. The subject needs to be held accountable for the actions taken within a system or domain. The only way to ensure accountability is if the subject is uniquely identified and the subject’s actions are recorded. Auditing capabilities ensure users are accountable for their actions, verify that the security policies are enforced, and can be used as investigation tools.
Three challenges in shaping the security policy:
It sets the strategic direction, scope, and tone for all internal security efforts.
It provides detailed guidance to instruct all members of the organisation in the use of its resources.
An effective ISSP accomplishes the following:
ISSP has three characteristics:
It functions as standards/procedures to be used when configuring or maintaining systems.
SysSP is needed for any technology that affects confidentiality, integrity or availability of information.
SysSPs can be separated into two general groups:
In the PDCA cycle this is where the focus moves to “check” and “act”. To maintain the ISMS effectiveness requires security controls that have measurable outputs. Implementation of controls with no output as a “just in case” approach to information security are often wasteful and expensive. Taking the information assets, as well as the way that they are hosted (e.g. networks) and accessed (e.g. applications, file shares, databases etc.), ISMS stakeholders should reasonably expect to be able to identify:
ISMS maintenance requires being able to audit activity as a minimum. Better still, being able to monitor assets, access and activities as they occur offers real opportunity to ensure that systems, services, users and data are operating as you expect and as required, and are promptly fixed when they do not.
In the context of information security, critically discuss the differences between policies, standards, guidelines and procedures.
Clearly, there are a lot of risks when it comes to establishing information security in project management. Although these could be hazardous to your project, the good news is you can easily avoid them. You just need to clearly define information security throughout the entire project life cycle. Risk management is the ultimate tool to pinpoint what you need to change in your project to avoid problems and execute it securely.
Some might wonder whether it was possible to execute a project without considering information security. Obviously, one can manage a project without establishing proper infosec, but there will be a much higher probability of failure.
From a professional viewpoint, and since information security should be of the highest importance to any project manager, the main benefit of secure project management is painstakingly clear: avoidance of any potential breaches of information security within a project.
Fortunately, ISO 27001 is specifically designed to establish proper information security while having a specific control regarding the treatment of information security in project management. Therefore, ISO 27001 can be an excellent tool for executing secure projects within your organization.
Once you have clearly understood what was going on, people active in the economy are able to realistically assess the potential business risks. These threats must be identified in an ongoing business, the annual cycle of the analysis of areas of concern that a. these threats can plan, usually identified in the small business plan and objectives and the initiatives they have written. An example would be succession planning. The ability to identify these risks before it is the ideal way to reduce the incidence of risks that may arise.
The determination of risks associated with a process that prioritizes the risks and the measures of their severity and probability. Once the overall risk profile has been articulated, the measures taken to address them. Every successful company uses these processes and analysis tools in the hands of all employees to ensure that threats are addressed and action plans drawn up.
Once a course of action has been identified, should be adopted with the responsibilities assigned correctly, responsibilities and deadlines for completion.
The possible actions for risk management include:
Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an essential component of an organization's business continuance plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. The result is a business impact analysis report, which describes the potential risks specific to the organization studied.
One of the basic assumptions behind BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes.
An incident response plan is a set of instructions to help IT staff detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work.
A sufficient incident response plan offers a course of action for all significant incidents. Some incidents lead to massive network or data breaches that can impact your organization for days or even months. When a significant disruption occurs, your organization needs a thorough, detailed incident response plan to help IT staff stop, contain, and control the incident quickly. For physical disruptors, such as natural disasters and flooding, create a disaster recovery plan.
f your network hasn’t been threatened yet, it will be. If it has, then you know the chaos that can follow a cyber attack. Whether a threat is virtual (security breaches) or physical (power outages or natural disasters), losing data or functionality can be crippling. An incident response plan and a disaster recovery plan help you mitigate risk and prepare for a range of events.
Businesses use information technology to quickly and effectively process information. Employees use electronic mail and Voice Over Internet Protocol (VOIP) telephone systems to communicate. Electronic data interchange (EDI) is used to transmit data including orders and payments from one company to another. Servers process information and store large amounts of data. Desktop computers, laptops and wireless devices are used by employees to create, process, manage and communicate information. What do you when your information technology stops working?
An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.
The objective of the planning and risk assessment domain is to monitor the entire information security program. This main objective is attained by identifying and addressing information security measures that will reduce risk. In addition, a risk assessment group finds and records security risks inherent in IT and Information Security projects and also risks inherent in the existing environment. Included in this domain is the establishment of a formal review process that integrates with IT and planning, a formal project follow-up process to identify, select, plan and manage the way information security follow-up activities function.
This domain also requires coordination with IT projects for risk assessment of those projects, to ensure that risks introduced by each project are understood, recorded, and have bearing on project planning. Risk assessment activities such as those mentioned above should encourage all entities of an organization to perform risk assessments when technology systems are changed or introduced. This domain is important because it enables the organization as a whole to identify project risks so that they can then take countermeasures to reduce those risks inherent in a project.
Remember, at the center of any academic work, lies clarity and evidence. Should you need further assistance, do look up to our Management Assignment Help
Proofreading and Editing$9.00Per Page
Consultation with Expert$35.00Per Hour
Live Session 1-on-1$40.00Per 30 min.
Doing your Assignment with our resources is simple, take Expert assistance to ensure HD Grades. Here you Go....