Subject Name: IT Computer Science

Security Evaluation Assignment

Adaptation of AS 27002

Overview

ISO/IEC 27002 is the international standard that provides guidance on selecting and implementing information security controls. It is the companion standard to ISO/IEC 27001, the international standard that specifies the requirements for an information security management system (ISMS). ISO/IEC 27002:2013 was revised to reflect the changes made in ISO/IEC 27001 and is fully aligned with the 2013 edition of ISO/IEC 27001 (Missaoui et al., 2017). Unlike ISO/IEC 27001, it is not a certification standard: an organisation is certified against 27001 and uses 27002 as the reference catalogue for the controls listed in its Statement of Applicability.

This standard covers the controls that form an important part of information security management for any organisation. Any organisation that stores and manages information should have controls in place to address information security risks. Although the specific requirements for handling information security differ between organisations, there are many common controls that organisations can put in place to secure their data and comply with legal obligations.

These policies, standards and procedures apply to all ACME data, information systems, activities and assets owned, leased, controlled, or used by ACME, its agents, contractors, or other business partners on behalf of ACME (Missaoui et al., 2017). They apply to all ACME employees, contractors, sub-contractors and their respective facilities supporting ACME business operations, wherever ACME data is stored or processed, including any third party contracted by ACME to handle, process, transmit, store, or dispose of ACME data. Some policies are explicitly stated for persons with a specific job function (e.g. a System Administrator); otherwise, all personnel supporting ACME business functions shall comply with the policies (Öğütçü et al., 2016).

ACME departments shall use these policies, or may create a more restrictive policy, but not one that is less restrictive, less comprehensive, or less compliant than this policy. These policies do not supersede any other applicable law, higher-level company directive or existing labour management agreement in effect as of the effective date of this policy. ACME's documented cybersecurity roles and responsibilities provide a detailed description of ACME user roles and responsibilities with regard to cybersecurity. ACME reserves the right to revoke, change, or supplement these policies, procedures, standards and guidelines at any time without prior notice. Such changes shall be effective immediately upon approval by management, unless otherwise stated.

Normative Model

The purpose of the Written Information Security Program (WISP) is to prescribe a comprehensive framework for:

1. Creating an Information Security Management System (ISMS) in accordance with ISO 27001.

2. Protecting the confidentiality, integrity and availability of ACME data and information systems.

3. Protecting ACME, its employees and its clients from illicit use of ACME information systems and data.

4. Ensuring the effectiveness of security controls over data and information systems that support ACME's operations.

5. Recognizing the highly networked nature of the current computing environment and providing effective company-wide management and oversight of the related information security risks.

6. Providing for the development, review and maintenance of the minimum security controls required to protect ACME's data and information systems.

The formation of the policies is driven by many factors, with the key factor being risk. These policies set the ground rules under which ACME operates and safeguards its data and information systems, both to reduce risk and to minimise the effect of potential incidents.

These policies, including their related standards, procedures and guidelines, are necessary to support the management of information risks in daily operations (Safa et al., 2016). Developing the policies provides due care by ensuring that ACME users understand their day-to-day security responsibilities and the threats that could impact the company.

Commensurate with risk, cybersecurity and privacy measures must be implemented to guard against unauthorised access to, alteration, disclosure or destruction of data and systems. This also includes protection against accidental loss or destruction (Soomro et al., 2016). The security of systems must include controls and safeguards to offset possible threats, as well as controls to ensure confidentiality, integrity, availability and safety:

1. Confidentiality – Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.

2. Integrity – Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

3. Availability – Availability addresses ensuring timely and reliable access to and use of information.

4. Safety – Safety addresses reducing the risk associated with embedded technologies that could fail or be manipulated by malicious actors.

Security measures must be taken to guard against unauthorised access to, alteration, disclosure or destruction of data and systems (Safa et al., 2016). This also includes protection against accidental loss or destruction.

Review Process

The security review process involved the following steps:

1. Intake - A meeting between the organisation's management or information security team and a senior consultant decided the priorities, scope, methodology and timetable for the review.

2. Preparation - The information management department gathered and reviewed the information security policy documents and supporting details, and sent them (securely) to the review committee. The analysis team evaluated the documents and answered questions.

3. Site visit - The analysis team (composed of two information security specialists) visited the company on site, examined the information security department, inspected relevant documents and evidence, and asked management and personnel control questions during the office audit (Steinbart et al., 2018).

4. Issue resolution - The analysis team discussed the initial results with the information management department and suggested changes. Within two weeks the information management team handled each finding and reported on how each problem had been addressed. Problems were dealt with by taking immediate action, scheduling an action, changing a procedure, or placing the problem in a queue so that it could be addressed within a reasonable time through an already defined process.

5. Report creation - The review team prepared the report for final analysis. Each analyst critically completed the checklist guidelines based on their own findings. When all conditions were met, the company concluded that it could apply for a certificate.

6. Final results and possible certification - The organisation's final evaluation report was issued. Where the company applied as described in the evaluation report, a 'Safety Checked' certificate was also issued.

The collaborative process was used to define security-related problems and to assess the risk level associated with each of them, so that informed risk reduction or acceptance decisions could be made. Four security concerns (access to data systems, protected communication, safety management, and designing secure information systems) were established, and the degree to which current research programmes have addressed these issues was analysed. Despite the importance of protecting customer data, breaches and hacks appear to be increasingly common (Rajesh, 2018). This may be the result of inadequate security measures on the part of businesses, or of attackers becoming better at gaining access to secured networks.

Analysis findings were examined in relation to these four security problems from three viewpoints, which included a meta-model for information systems. It emerged that the majority of the information security effort concentrated on the technological context, access to information systems and secure communication. The organisation's records and the processes applied were evaluated. In terms of consumer trust, the company is doing well (Öğütçü et al., 2016). Information protection ensures this by safeguarding the privacy and integrity of organisational and customer data. Classification of risk, data and systems, detection of intrusions, and assessment of the sensitivity of the data that could be leaked were evaluated. The teams span more than ten countries, working on security analysis, software protection, incident response, intelligence operations, risk and enforcement, transactions and acquisitions, and protection of external partners.

Their mission is to build the knowledge needed to safeguard all data, software, services and assets of customers and employees. To accomplish this, the company has built its security activities into enterprise-wide structures, and leadership deploys partners to achieve high security standards. The continued suitability, adequacy and effectiveness of information security management was reviewed, along with the potential for progress and the need for improvements to the security strategy, such as the priorities of policy and controls. The review was conducted by independent members of the IT Group, assisted by the Internal Audit Office (Missaoui et al., 2017). The findings were recorded and submitted to the management that initiated the analysis and to the Data Protection function.

The record has been preserved. The review checked for shortcomings in the information security strategy or its implementation, for example reported priorities and criteria that were not achieved and therefore did not comply with the direction set in the information security policies; for these, management considered corrective measures. The tests included improving incident response for information protection, and the CSO mapped the path to effective testing and evaluation of the backup method (Johnston et al., 2016). By carefully checking that backup copies work and can be retrieved when a data disaster occurs, the company can be confident that an incident which steals or disrupts its data will not leave it without that data.

Through regular, consistent testing of the complete backup and recovery process for every backup solution in use, the company received early warning wherever it was not equipped to deal with data loss and disruption. The organisation then resolved those problems before IP and PII data stores were lost to hard drive crashes, natural disasters or malware. This helped the company avoid regulatory inquiries, future lawsuits, and loss of business through damage to its products.
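The backup testing described above is easiest to trust when the restore check is automated. The following Python example (added here; it is not from the original assignment or from any product) backs up a constructed data set to a tar archive, restores it into a fresh directory, and compares a SHA-256 manifest of the restored files against the manifest recorded at backup time, so a missing or corrupted file fails the drill instead of being discovered during an incident. It also refuses archive entries with absolute paths, ".." components or links, since a restore that writes outside the target directory is itself a security problem. The file names and contents are made up for the example.

```python
"""Added example: a restore drill that proves a backup can be brought back intact."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write a gzipped tar of source_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return manifest(source_dir)


def is_safe_member(name):
    """Reject archive entries that would escape the restore directory."""
    parts = Path(name).parts
    return not Path(name).is_absolute() and ".." not in parts


def restore_backup(archive_path, dest_dir):
    """Extract the archive, refusing traversal paths and links before touching disk."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not is_safe_member(member.name) or member.issym() or member.islnk():
                raise ValueError(f"unsafe archive entry: {member.name}")
        tar.extractall(dest_dir)


def verify_restore(expected, restored_dir):
    """Compare the restored tree with the manifest recorded when the backup was made."""
    actual = manifest(restored_dir)
    missing = sorted(p for p in expected if p not in actual)
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def run_restore_test(tamper=False):
    """End-to-end drill on a constructed data set (hypothetical file names and contents).
    With tamper=True one restored file is truncated to show the check catching corruption."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (src / "config.yaml").write_text("retention_days: 30\n")

        archive = Path(work, "backup.tar.gz")
        expected = create_backup(src, archive)

        restored = Path(work, "restored")
        restore_backup(archive, restored)
        if tamper:
            (restored / "db" / "customers.csv").write_text("id,name\n1,Alice\n")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(tamper=True))
```

In a real drill the manifest would be stored separately from the archive (and ideally signed), so that an attacker who can alter the backup cannot also alter the record it is checked against.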

Findings and Recommendations

It was found that a denial-of-service (DoS) incident occurred when, as a result of malicious actions from the internet, server administrators were unable to access information systems, devices or database servers (Hoffmann et al., 2016). Email, web pages, financial accounts (e.g. banking) and other services that depend on the affected computer or network were disrupted. The denial of service was accomplished by flooding the targeted host or server with traffic until the target was unable to respond or crashed, preventing legitimate users from accessing it (Gerber et al., 2016). The DoS cost the organisation both time and money, because its tools and services were unavailable.
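As an added illustration (not part of the original assignment), the following Python script shows how the flooding behaviour described above can be spotted in a web server's access log: it parses Common Log Format lines and keeps a per-source sliding window of request timestamps, flagging any source whose request count within the window reaches a threshold. The log lines, addresses, window length and threshold are constructed for the example; in practice the threshold comes from the organisation's own traffic baseline, and a distributed flood would additionally need the counts aggregated across sources.

```python
"""Added example: spot a traffic flood from per-source request rates in an access log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx Common Log Format: ip ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def peak_rates(lines, window=timedelta(seconds=10)):
    """Highest number of requests each source made within any interval of length `window`.
    Lines are assumed to be in chronological order per source, as a normal log file is."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines rather than crash the detector
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that have aged out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def detect_floods(lines, window=timedelta(seconds=10), threshold=50):
    """Sources whose peak rate reaches the threshold (threshold is a placeholder; tune to baseline)."""
    return {ip: n for ip, n in peak_rates(lines, window).items() if n >= threshold}


def make_sample_log():
    """Constructed log: one normal client and one flooding client (documentation-range addresses)."""
    base = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, ts, request):
        return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{request}" 200 512'

    lines = [fmt("198.51.100.9", base + timedelta(seconds=2 * i), "GET /login HTTP/1.1")
             for i in range(30)]                       # one request every 2 s
    lines += [fmt("203.0.113.7", base + timedelta(seconds=30, milliseconds=50 * i), "GET / HTTP/1.1")
              for i in range(100)]                     # 20 requests per second for 5 s
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, n in detect_floods(make_sample_log().splitlines()).items():
        print(f"possible flood from {ip}: {n} requests within 10 s")
```

On the constructed log the normal client never exceeds six requests in any 10-second window, while the flooding client reaches 100, so only the latter is reported.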

The risks highlighted the need for improved cybersecurity to protect computer systems from theft of, or damage to, their hardware, software or electronic information, and from disruption or misdirection of the services the organisation provides. The field is becoming increasingly important because of rising dependence on computer systems, the internet and wireless standards such as Bluetooth and Wi-Fi, and because of the growth of smart devices, including smartphones, televisions and the many devices that make up the Internet of Things. It is one of the major challenges of the contemporary world, due to its complexity in terms of both politics and technology. The recommendations are:

1. Establish a protection strategy

A well-designed plan that sets out the company's network risk management policy and describes how the business will recover quickly if an incident occurs is of utmost importance. Such a plan should identify potential risks and the areas that require protection (Flores & Ekstedt, 2016). It should describe the responsibilities staff have in responding to various security incidents, as well as checklists of activities that must be carried out regularly and of activities that are not permitted.

2. Carry out a comprehensive risk assessment

No preparation can be done without a clear understanding of the cyber threats and vulnerabilities that affect the company and its individual parts. Only after recognising the company's specific requirements can the right technical approaches be formulated, along with the appropriate policies, the content of protection plans, and employee security awareness training.

3. Establish related technical controls for the infrastructure

It is necessary to communicate to employees the value of implementing the required security checks. Developing and maintaining security controls that protect the IT infrastructure can stop an attack before it succeeds. ISO/IEC TS 27008:2019 offers guidelines on assessing the implementation and operation of controls, whereas ISO/IEC 27002:2013 takes into account the organisation's information security risk environment and can help small, medium and large enterprises in every sector establish their own information security environment (Felderer et al., 2016).

Methodology

In my own work I used the normative model, as it provided me with a rough explanation of judgement and decision-making behaviour. The use of normative models as explanations of action has led to heuristic frameworks and analytical models centred on concepts drawn from generations of cognitive science research. Nevertheless, in my judgement and decision-making, normative models, particularly Bayes' theorem, still hold a special status (Cram et al., 2017). The central position of Bayes' theorem in decision-making work is attributable partly to the fact that it constitutes an important criterion of my reasoning, and partly to the belief that my analytical aims are inherently Bayesian. However, despite its appeal as a logical model of behaviour, Bayes' theorem lacks essential elements that define real-world decision-making behaviour.

HyGene was devised to address these elements. I adopted a multi-agent systems perspective, since norms are used to coordinate, organise, direct, regulate or govern interaction between distributed autonomous systems. The model involves four elements: the elite, the public, the anticipatory unit and the supervisory unit. It supported me in producing a successful information security strategy focused on awareness, and normative awareness should be considered alongside it. Social norms also played a major role in shifting behaviour in information security. Ultimately it introduced a systematic model for cyber security awareness campaigns (Burns et al., 2017). The proposed model substituted a normative knowledge component for the information component of the current model, which is a well-known model for campaigns.

These regulations, with their associated requirements, procedures and guidelines, allowed me to support day-to-day information risk management. Developing policies provided due care to make sure that users know their day-to-day protection obligations and the threats that might affect the business. Measures to protect against unauthorised access to, modification of, or destruction of data and systems were implemented commensurate with risk, cybersecurity and privacy requirements (Barton et al., 2016). This also provided protection against accidental loss or damage. Systems protection included controls and safeguards to counter possible threats, and controls to ensure confidentiality, integrity, availability and safety.

Confidentiality is about maintaining limits on access to and dissemination of information, such that access is restricted to approved users and services. Integrity addressed the concern that sensitive data must not be altered or removed in an unauthorised and undetected manner. Availability addressed preserving prompt and reliable access to and use of data. Safety addressed reducing the risk associated with embedded technologies that may fail or be manipulated by malicious actors (Barlow et al., 2018). Security controls helped me to protect against unauthorised access to, modification, disclosure or destruction of data and systems, including against accidental loss or damage.

Conclusion

It was concluded that many organisations are unable to prevent real cyber attacks on their infrastructure, mobile devices, databases and external entities (IT infrastructure as well as computers), whether through faults or client-side issues, and attackers will try to exploit all of them. Fortunately, there are effective and inexpensive ways to minimise the company's exposure through a structured protection plan, which can have a significant effect on information security preparedness and on the ability of staff to deter potential attackers. It is important to train the workforce to protect their environments. As critical as it is to get all security measures in place to secure information system infrastructures, operating systems alone cannot withstand the attacks of cyber criminals, who are becoming savvier and smarter. A range of other elements must be addressed, including fixing shortcomings in staff preparation.

References

Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. (2018). Don't even think about it! The effects of antineutralization, informational, and normative communication on information security compliance. Journal of the Association for Information Systems, 19(8), 3.

Barton, K. A., Tejay, G., Lane, M., & Terrell, S. (2016). Information system security commitment: A study of external influences on senior management. Computers & Security, 59, 9-25.

Burns, A. J., Posey, C., Roberts, T. L., & Lowry, P. B. (2017). Examining the relationship of organizational insiders' psychological capital with information security threat and coping appraisals. Computers in Human Behavior, 68, 190-209.

Cram, W. A., Proudfoot, J. G., & D'Arcy, J. (2017). Organizational information security policies: a review and research framework. European Journal of Information Systems, 26(6), 605-641.

Felderer, M., Zech, P., Breu, R., Büchler, M., & Pretschner, A. (2016). Model-based security testing: a taxonomy and systematic classification. Software Testing, Verification and Reliability, 26(2), 119-148.

Flores, W. R., & Ekstedt, M. (2016). Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. Computers & Security, 59, 26-44.

Gerber, N., McDermott, R., Volkamer, M., & Vogt, J. (2016). Understanding Information Security Compliance - Why Goal Setting and Rewards Might be a Bad Idea. In HAISA (pp. 145-155).

Hoffmann, R., Kiedrowicz, M., & Stanik, J. (2016). Risk management system as the basic paradigm of the information security management system in an organization. In MATEC Web of Conferences (Vol. 76, p. 04010). EDP Sciences.

Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and situational factors: influences on information security policy violations. European Journal of Information Systems, 25(3), 231-251.

Missaoui, E., Mazigh, B., Bhiri, S., & Hilaire, V. (2017, November). A Normative Model for Holonic Multi-agent Systems. In 2017 IEEE 29th International Conference on Tools with Artificial Intelligence (ICTAI) (pp. 1251-1258). IEEE.

Öğütçü, G., Testik, Ö. M., & Chouseinoglou, O. (2016). Analysis of personal information security behavior and awareness. Computers & Security, 56, 83-93.

Rajesh, M. (2018). A signature based information security system for vitality proficient information accumulation in wireless sensor systems. International Journal of Pure and Applied Mathematics, 118(9), 367-387.

Safa, N. S., & Von Solms, R. (2016). An information security knowledge sharing model in organizations. Computers in Human Behavior, 57, 442-451.

Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.

Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2018). The influence of a good relationship between the internal audit and information security functions on information security outcomes. Accounting, Organizations and Society, 71, 15-29.
