Information Security Management Systems

Added on 2020-04-01

Running head: INFORMATION SECURITY MANAGEMENT GUIDELINES
Information Security Management Guidelines
Name of the Student
Name of the University
Author Note

Executive Summary
The purpose of this report is to set out guidelines suitable for the A4A organization, which is transforming its existing system into an information technology system in order to improve performance. Risk assessment management for information security consists of several stages and steps, which are described in this report. First, the applicable policy and legislation are explained in order to specify the standard of information security management. The overview of risk assessment management for information security then introduces the whole process, including the risk assessment framework, context establishment, risk identification, the questions to consider during risk identification, the mapping of risks and more. A final comment before the conclusion describes the documentation and approval processes. The whole report has been properly referenced in order to support its statements. A recommendation is also proposed in the conclusion in order to enhance the security of A4A's information system.

Table of Contents
Introduction ... 4
Applicable Policy and Legislation ... 4
    Applicable Policy ... 4
    Australian Privacy Law ... 5
    Privacy Legislation ... 5
Overview of Risk Management for Information Security ... 5
    Risk Assessment Framework ... 5
    Applying ISO 31000 ... 6
    Establish the Context ... 7
    How to Determine A4A Context ... 8
    The Strategic Context of Outsourcing ... 8
    Identifying Risk ... 8
    How to Determine Agency Risk Tolerance ... 9
    Questions To Consider When Determining Risks within Cloud Context ... 10
    Potential Threats When Outsourcing Information ... 11
    Mapping Risks ... 12
    Assessing Risk ... 12
    Guidance on Determining Potential Consequences ... 13
    Evaluating the Risks ... 13
    How to Consider Potential Risk Treatment Options ... 14
    Communication and Consultation ... 14
    Risk Monitoring and Review ... 15
Finalizing the Risk Assessment ... 15
    Documenting the Risk Assessment and Risk Treatment ... 15
    Approval Process ... 15
    Conclusion ... 16
References ... 17

Introduction
The aim of this report is to provide guidance to the A4A organization on the processing and storage of the data that is about to be stored in its information systems. The scope of this report is to provide a security risk management approach for the organization to protect the integrity, confidentiality and availability of the information stored in its information systems.
A4A is a non-governmental organization that is about to transform its existing system into an information system, which means that a large amount of data and information is about to be uploaded into the database. This will be a vast transformation that will include outsourcing of systems to other organizations; for the larger storage space required, cloud storage will be needed, which could give rise to various security issues affecting the organization's operational activities and all the data on employees looking to join the organization.
This report focuses on the guidelines that could help achieve information security in a better and more efficient way for the organization's data and information. The risk assessment process has several steps, and these steps are explained in the report below.
Applicable Policy and Legislation
Applicable Policy
The Australian Government's policy for the security of information has been promulgated through the ISM (Information Security Manual) and the PSPF (Protective Security Policy Framework). Several mandatory requirements within the PSPF can be helpful in relation to the handling of A4A information (Sylves 2014). A4A can only achieve effective information security for the information about its members and operational activities that is about to be saved in the system if protective security becomes part of the culture, operations and practice plans of A4A. This implies that A4A should not build protective security as an afterthought but should build it into its governance processes. The organization should proactively mitigate and manage the identified security risks associated with the information storage system at their early stages.
Australian Privacy Law
A set of thirteen Australian Privacy Principles (APPs) is included in the Privacy Act 1988 (Cth), and these can be helpful in regulating the handling of personal information by A4A (Arregui, Maynard and Ahmad 2016). A4A should determine which of its information is classed as "personal", and that information should be handled according to the principles of the APPs.
Privacy Legislation
The pieces of legislation applicable to this policy are, firstly, the Freedom of Information Act 1982 and, secondly, the Privacy Act 1988 and the Archives Act 1983 (Zetler 2015).
Overview of Risk Management for Information Security
Risk Assessment Framework
This can be described as the set of guidelines for the risk assessment process, based on the existing frameworks defined in the Australian Standard AS/NZS ISO 31000:2009 Risk management, together with HB 167:2006 Security Risk Management, and their guidelines and principles. Risk assessment can be regarded as a subjective process, and A4A should ensure that the defined process is justifiable, documented and transparent (Saint-Germain 2015). It is the
