Information Security Management for CloudXYZ: Risk Assessment and Mitigation

Added on 2023/06/13

Running head: INFORMATION SECURITY MANAGEMENT
Information Security Management
Name of the Student
Name of the University
Author’s Note

Abstract
This report covers the development of a security system for Cloud XYZ, UK, to secure the storage and virtual services provided to the customers connected with the organization. Loss to the organization should be mitigated by preventing malfunction and unauthorised modification of data, and by preventing illegal users from accessing the organization's resources. The personnel responsible for each risk should be identified so that the roles and responsibilities for the risk assessment are clear. The network diagram of the organization is used to analyse risks and vulnerabilities so that they can be mitigated and the security of the current network framework improved. The security of the servers and of the demilitarized zone is analysed for protecting the resources of the organization. The network resources are categorized as primary and secondary assets, and the threats to each asset are analysed to identify their impact on the security of the organizational network.
Table of Contents
Introduction
Risk Assessment
    Owner Specification
    Assets
    Threats for each asset
    Vulnerability for each asset
    Risk Likelihood
    Risk Impact table
    Risk Identification with level
Summary and Recommendations
Bibliography
Introduction
There are different ISO standards that are used as a baseline for the security of information in an organization. The ISO standards are used for avoiding breaches in the network, reassuring customers, gaining a competitive edge and accessing new market opportunities. They are internationally recognized, applied for the management of safety practices, and used as a systematic approach for increasing reliability and enforcing security controls. There are different ISO standards such as ISO/IEC 17025, ISO 9001, ISO/IEC 27001 and ISO 50001. The standards serve different purposes: ISO/IEC 17025 is used for testing and calibration, ISO 9001 for quality management, ISO/IEC 27001 for information security management and ISO 50001 for energy management.
Thus ISO/IEC 27001 is applied for the analysis of the security of CloudXYZ, and it helps the organization to store information securely. The use of the ISO standard helps to increase the security of the data residing in the cloud platform. For the development of the network framework an authentication server should be used to permit users to connect with the database. The user needs to authenticate with the system for the management of the virtual server, and ISO/IEC 27001 is used for the identification of the potential risks associated with the system. The privacy policy is assessed and the risks associated with it are eliminated in order to meet the standard for information security management. For the analysis of the risk the following steps are performed:
Step#1: Analysis of the risks associated with the system
Step#2: Evaluation of the risk management system
Step#3: Selection of the risk management methodology
Step#4: Implementation of the risk management strategy and techniques
Step#5: Monitoring the current system and eliminating the errors for reducing the risk

Figure 1: Steps involved in risk assessment
Risk Assessment
The risk assessment is done to analyse the impact of the risks and to monitor and eliminate them. The performance of the network should not be affected by the implementation of the system. The following figure is used for defining the security of the system and identifying the failure points of the network.
Figure 2: Overview of the network security solution
Confidentiality, availability and integrity of the system are the main factors for the management of information security, and the following framework is used for the management of risk. The risk is assessed for prioritizing the security risks, preventing loss in line with the organizational policy, and implementing technical controls on the network.
Owner Specification
The HR manager is responsible for the management of the organization's human resources, and the network administrator is responsible for the management of the servers and the information residing in the database. The server manager is also responsible for the management of the server configuration. The owners identified for the development of the system are listed below:
Employees
Human Resource
Development team
Administration Department
Management team
Visitors /guests
Maintenance Team
Client
Assets
Primary Assets – The primary assets identified for the development of the risk management plan are listed below:
Authentication Server
Database Server
Firewall
Web Server
Mail Server
Virtual Server, and
PC
Secondary Assets – The secondary assets are:
Intranet
DMZ network
Customer Phone, and
Visitor PC
A table is created for recording the details of the assets and is given below:
ID | Name of Asset | Asset type | Remarks
A_1 | Mail Server | Primary Asset | Mail accounts are created for the employees for secure management of internal communication.
A_2 | Firewall | Secondary Asset | It is used for the management of the network traffic and filtering the unwanted traffic in the network.
A_3 | Authentication Server | Primary Asset | It is used for authenticating the user to connect with the database and for storing the log details of users accessing the resources of the organization.
A_4 | Web Server | Primary Asset | It is used for hosting the website of the organization and storing the details of the organization.
A_5 | Admin PC | Primary Asset | The Admin PC is used for the management of the server and the services used for the configuration of the network solution.
A_6 | Customer DB | Primary Asset | The customer database is used for recording the details of the customers and using them for improvement of the current business process.
A_7 | HR PC | Primary Asset | It is used for the management of the employee and customer information.
A_8 | Virtual Server | Secondary Asset | It is used for the management of the load and serving more requests from the users.
A_9 | Cloud Storage | Primary Asset | The cloud storage is used for uploading data to the cloud servers and providing users access to the data from remote locations.
A_10 | Visitor PC | Secondary Asset | It is used for giving visitors access to the core network and recording their details.
A_11 | Mobile Device | Secondary Asset | It is used for connecting with the wireless network of the organization and accessing the information stored on the servers of the organization.
A_12 | Staff PC | Primary Asset | The staff PCs are used for the management of technical work, enterprise data and information.
Threats for each asset
Name of the Asset | Threat | Level | Source
Mail Server | Malware | High level | Receiving malicious emails from unknown sources
Mail Server | Spam | Medium level | Outside sources are used for sending the spam mails
Mail Server | Social Engineering | Low level | It is used by hackers for getting the login credentials of the user
Firewall | Shared secret | High level | The system can be hacked from outside sources
Firewall | Phishing attack | Medium level | It can occur from a hacker duplicating the identity of the user
Firewall | Domain Hijacking | Low level | It is used by outsiders for getting access to the data traffic
Authentication Server | Dictionary attack | High level | It is used by the hacker to try different combinations of passwords
Authentication Server | Password authentication | Medium level | Outsiders accessing the server from a remote location
Authentication Server | Brute force attack | Medium level | Outsider from a remote location
Web Server | Open relay attacks | High level | Outsider from any place
Web Server | Cross Site Scripting | Medium level | Outsider from any place
Web Server | SQL injection attacks | Low level | Outsider from any place
Admin PC | Ransomware | High level | From external device and internet
Admin PC | Malware | Medium level | From external device and internet
Admin PC | Spam | Low level | From external device and emails
Customer DB | Rainbow table | High level |
Customer DB | Passphrase | Medium level |
Customer DB | Ownership factor | Low level |
HR PC | Ransomware | High level | From external device and internet
HR PC | Malware | High level | From external device and internet
HR PC | Spam | Low level | From external device and emails
Virtual Server | Lack of integration of application | High level | Internal sources and hackers
Virtual Server | Inadequate recovery point | Low level | Internal sources and hackers
Virtual Server | Restoring granularity | Low level | Internal sources and hackers
Cloud Storage | Hacking | High level | Outside hackers accessing the sensitive information
Visitor PC | Ransomware | Low level | From external device and internet
Visitor PC | Malware | Low level | From external device and internet
Visitor PC | Spam | High level | From external device and emails
Mobile Device | System hacking | High level | Hackers
Mobile Device | Virus | High level | Internet and external sources
Mobile Device | Spoofing attack | High level | Hacker and external sources
Staff PC | Ransomware | High level | From external device and internet
Staff PC | Malware | Medium level | From external device and internet
Staff PC | Spam | Low level | From external device and emails
Vulnerability for each asset
Virtual Server
CVE-Modified – The JSON vulnerability and the XML vulnerability are analysed for identifying the security flaws that are used as a reference link for identifying the weaknesses of the network configuration.
Mail server
CVE-Recent – It is used for interaction with standard security practice, and it differs from the traditional attacks used for exploiting the system and the software. Social engineering attacks are used by hackers to gain access to confidential information. They consist of baiting, phishing, pretexting and spear phishing. False communication is created with the victim using chats, phone calls and spoofed websites for gathering personal information and using it illegally.
PC
CVE-2018 – Dictionary attacks can be used by an attacker to determine the decryption or passphrase key and gain access to the computer. Brute force attacks are used for searching for the password systematically, and rainbow tables are used for reducing the preparation time by using a precomputed dictionary and reducing the storage requirement.
Web server
CVE-2017 – Cross site scripting is used for identifying the flaws in the network and in the web applications in use. Cookies can be accessed by malicious code for rewriting the content, and SQL injection attacks are used for modifying the content of the servers.
Firewall
CVE-2016 – It is used as cryptography for securing the communication and establishing communication between the different users. The key agreement protocol and symmetric key cryptography are used for authentication. A unique session should be used for the authentication, responding to challenges by deriving a unique key for each transaction. Domain hijacking is used for changing the permissions and abusing the privileges of the domain hosting. The hijacker can use the domain name for carrying out illegal activity and gaining access to private information for logging into the servers.
Database server
CVE-2015 – The cost of ownership should be identified for finding the inheritance factor and the devices or information affected when security is compromised. The loss of resources and information should be analysed for managing the elements and reducing the effect on the network information system. Rainbow tables are used for listing the plaintext by permutation of the password that is specified from the hash table. They are used as cracking software for network security attacks.
Authentication Server
CVE-2014 – Brute force attacks are used for guessing the possible password configurations and checking the passwords and passphrases to find the correct one. This can be used as an exhaustive key search and is also known as a cryptanalytic attack. Dictionary attacks are used for harvesting the email, and the precomputed tables are used for analysis of the issues, with the major cost being the disk storage. A refined approach should be used for reducing the storage, looking up the hash values and matching them with the existing passwords for getting the feasible salt values. Common passwords are stored in the table and different combinations can be tried for getting access to the server.
Risk Likelihood
The main risks that the system would be facing are:
The risk likelihood for each risk level is provided in the table below:
Colours | Frequency | Relative Frequency
Red | 9 | 36%
Yellow | 8 | 32%
Green | 8 | 32%
Total | 25 | 100%
Risk Impact table
The specification of the impact table is provided below:
Impact Definitions
Rating | Very Low | Low | Moderate | High | Very High
Cost Impact of Threat | Insignificant cost increase | <5% cost increase | 5-10% cost increase | 10-20% cost increase | >20% cost increase
Cost Impact of Opportunity | Insignificant cost reduction | <1% cost decrease | 1-3% cost decrease | 3-5% cost decrease | >5% cost decrease
Schedule Impact of Threat | Insignificant slippage | <1 month slippage | 1-3 months slippage | 3-6 months slippage | >6 months slippage
Schedule Impact of Opportunity | Insignificant improvement | <1 month improvement | 1-2 months improvement | 2-3 months improvement | >3 months improvement
Probability | 1–9% | 10–19% | 20–39% | 40–59% | 60–99%
Impact Rating | 1 | 2 | 4 | 7 | 10
Risk Matrix
Probability Rating | Very Low (1) | Low (2) | Moderate (4) | High (7) | Very High (10)
5 - Very High | 5 | 10 | 20 | 35 | 50
4 - High | 4 | 8 | 16 | 28 | 40
3 - Moderate | 3 | 6 | 12 | 21 | 30
2 - Low | 2 | 4 | 8 | 14 | 20
1 - Very Low | 1 | 2 | 4 | 7 | 10
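As an added illustration (not part of the original report), the following Python rebuilds the report's Risk Matrix from its probability bands and impact ratings and then ranks a constructed sample register with it; the asset and threat names come from the report's tables, while the probabilities and impact levels assigned to them are assumed for the example.

```python
"""Risk scoring on the scales this report uses: a probability band maps to a
1-5 probability rating, an impact level maps to the impact rating 1/2/4/7/10,
and the matrix score is their product."""
from dataclasses import dataclass

# Impact Rating row of the Impact Definitions table.
IMPACT_ORDER = ["Very Low", "Low", "Moderate", "High", "Very High"]
IMPACT_SCORE = {"Very Low": 1, "Low": 2, "Moderate": 4, "High": 7, "Very High": 10}
# Probability row: 1-9%, 10-19%, 20-39%, 40-59%, 60-99% -> ratings 1..5.
PROBABILITY_BANDS = [(1, 9), (10, 19), (20, 39), (40, 59), (60, 99)]


def probability_rating(percent: int) -> int:
    """Map a probability percentage onto the 1-5 rating of the risk matrix."""
    for rating, (low, high) in enumerate(PROBABILITY_BANDS, start=1):
        if low <= percent <= high:
            return rating
    # 0% and 100% fall outside the report's scale; refuse rather than guess.
    raise ValueError(f"probability {percent}% is outside the 1-99% scale")


def risk_score(percent: int, impact: str) -> int:
    """Matrix cell = probability rating x impact rating."""
    return probability_rating(percent) * IMPACT_SCORE[impact]


def risk_matrix() -> list:
    """Rebuild the 5x5 Risk Matrix, rows from 5 (Very High) down to 1 (Very Low)."""
    return [[p * IMPACT_SCORE[i] for i in IMPACT_ORDER] for p in range(5, 0, -1)]


@dataclass
class RiskEntry:
    asset: str
    threat: str
    probability: int  # percent
    impact: str       # one of IMPACT_ORDER


def prioritise(register: list) -> list:
    """Return (asset, threat, score) tuples, highest score first."""
    scored = [(e.asset, e.threat, risk_score(e.probability, e.impact)) for e in register]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample register. Asset and threat names come from the report's
# tables; the probabilities and impact levels are assumed for illustration.
SAMPLE_REGISTER = [
    RiskEntry("Customer DB", "No recovery and data loss", 45, "Very High"),
    RiskEntry("Firewall", "Domain hijacking", 15, "High"),
    RiskEntry("Web Server", "SQL injection attacks", 25, "Moderate"),
    RiskEntry("Staff PC", "Spam", 70, "Low"),
]

if __name__ == "__main__":
    for row in risk_matrix():
        print(" ".join(f"{cell:3d}" for cell in row))
    for asset, threat, score in prioritise(SAMPLE_REGISTER):
        print(f"{score:3d}  {asset}: {threat}")
```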
Risk Identification with level
The risk identification level is provided below:
Risks | Level | Description | Number | Mitigation
Domain Hijacked | High | The domain of the network is hijacked and the hackers are able to extract the data from the servers and update the data with errors in them. | CVE-2018 | For the mitigation, all the access points to the network must be sealed off and direct access to the servers from the client should also be restricted.
SQL injection attacks | Medium | SQL injection attacks hamper the database server and make invalid updates in the database, which increases the time for the processor to fetch the data. | CVE-2017 | To stop this type of attack in the network, the access levels in the database are required to be specified. It should also be ensured that the access grants are not revoked without prior restriction by the administrator.
No recovery and data loss | Very High | The data of the servers is lost when there are no options to save and back up the data, and important data of the server is lost. | CVE-2016 | The data is to be backed up regularly and the data storage facilities are to be maintained efficiently.
Data Loss by Phishing | High | The phishing attack is the one where the hackers hack the password. | CVE-2015 | For the phishing attack to be avoided the network should be installing an efficient firewall and use a well-protected
Malware | Low | The malware is inserted into the network by a file or a piece of software, and the data in the network is then disrupted. | CVE-2014 | To avoid this type of threat the network is to be protected with firewalls.
Spam | Low | The spam file is inserted into the network and these files keep on providing irrelevant data to the user. | CVE-2013 | To protect the system from spam the server access should be restricted.
Summary and Recommendations
The risks identified for the development of the secure network solution are important for the success of the network. The network should be flexible and all the servers should be installed in the DMZ. In the current network solution the cloud storage, authentication server, customer database and virtual servers are connected with the intranet and are exposed to different kinds of attacks that can arise from the internal users. The servers need to be secured from the internal as well as the external users connected with the network. Installing the servers in the DMZ network helps in controlling the network traffic and securing the data residing in the cloud and in the customer database from illegal usage. The customer and visitor network devices should be provided access to the resources of the organization, and ISO standards should be followed for the configuration of the network. Following the standard helps in reducing errors in the configuration and increasing the flexibility of the network.
