Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Information Security Management Systems

Verified

Added on 2020/04/01

AI Summary

The provided document delves into the crucial aspects of Information Security Management Systems (ISMS). It examines the fundamental concepts of ISMS design, implementation, and the significance they hold across diverse industries. The text emphasizes the role of robust ISMS frameworks in mitigating security risks and ensuring the protection of sensitive information.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: INFORMATION SECURITY MANAGEMENT GUIDELINES
Information Security Management Guidelines
Name of the Student
Name of the University
Author Note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1
INFORMATION SECURITY MANAGEMENT GUIDELINES
Executive Summary
The purpose of this report is to put emphasis on the guidelines that are suitable for the A4A
organization that is transforming its existing system into an information technology system in
order to enhance the performance. The risk assessment management of information security
includes various stages and steps that are mentioned in this report. First of all the Applicable
policy and legislations have been explained in order to specify the standard of information
security management. The whole risk assessment management process is comprised of overview
of the risk assessment management for information security has been introduced including risk
assessment framework, context establishment, risk identification, questions related to what
should be considered during risk identification, mapping risks and many more. A final comment
has also been introduced before the conclusion that states documentation and approval processes.
The whole report has been properly referenced in order to support the statements. A
recommendation has also been proposed in the conclusion part in order to enhance the security
of the information system for the A4A.

2
INFORMATION SECURITY MANAGEMENT GUIDELINES
Table of Contents
Introduction......................................................................................................................................4
Applicable Policy and Legislation...................................................................................................4
Applicable Policy.........................................................................................................................4
Australian Privacy Law...............................................................................................................5
Privacy Legislation......................................................................................................................5
Overview of Risk Management for Information Security 624........................................................5
Risk Assessment Framework.......................................................................................................5
Applying ISO 31000....................................................................................................................6
Establish the Context...................................................................................................................7
How to Determine A4A Context.................................................................................................8
The Strategic Context of Outsourcing.........................................................................................8
Identifying Risk...........................................................................................................................8
How to Determine Agency Risk Tolerance.................................................................................9
Questions To Consider When Determining Risks within Cloud Context.................................10
Potential Threats When Outsourcing Information.....................................................................11
Mapping Risks...........................................................................................................................12
Assessing Risk...........................................................................................................................12
Guidance on Determining Potential Consequences...................................................................13
Evaluating the Risks..................................................................................................................13

3
INFORMATION SECURITY MANAGEMENT GUIDELINES
How to Consider Potential Risk Treatment Options.................................................................14
Communication and Consultation.............................................................................................14
Risk Monitoring and Review.....................................................................................................15
Finalizing the Risk Assessment.....................................................................................................15
Documenting the Risk Assessment and Risk Treatment...........................................................15
Approval Process.......................................................................................................................15
Conclusion.................................................................................................................................16
References:....................................................................................................................................17

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4
INFORMATION SECURITY MANAGEMENT GUIDELINES
Introduction
The aim of this report is to provide guidance to the A4A organization considering the
processing and storage of data that is about to store in the information systems. The scope of this
report is to provide a security risk management approach for the organization to the integrity,
confidentiality, and availability of information that are being stored in the information systems of
the organization.
A4A is Non-Governmental Organization that is about to transform its existing system
into the information system that means various data and information are about to be uploaded
into the database. This will be vast transformation that will include outsourcing of the systems
for other organizations and for larger space, they will need cloud storage that could result in
various security issues related to the organizational operational activities and all the data related
to the employees that are looking forward to join the organization.
This report focuses on the guidelines that could help in achieving information security in
better and efficient way for the data and information related to the organization. Risk assessment
process have several step and these steps have been explained in the below report.
Applicable Policy and Legislation
Applicable Policy
The policy for security of information by the Australian Government policy has been
promulgated through the ISM and the PSPF. Several requirements those are mandatory within
the PSPF that can be helpful to relate the handling of A4A information (Sylves 2014). A4A can
only be able to achieve effective information security for the information that is about to save in

5
INFORMATION SECURITY MANAGEMENT GUIDELINES
the system regarding its members and operational activities. This can only be achieved if it
becomes the part of the culture, operation and practices plans of the A4A. This implies that the
A4A should not build protective security as an afterthought rather it should build it into the
governance processes. The organization should proactively mitigate and manage the identified
security risks at its early stages that are associated with the information storage system.
Australian Privacy Law
Set of thirteen APPs (Australian Privacy Principles) has been included within the Privacy
Act 1988 (Cth) that can be helpful in regulating the handling of personal information by the A4A
(Arregui, Maynard and Ahmad 2016). The information those have been remarked as “personal”
should be determined by the A4A and handling of these information should be done according to
the principles of the APPs.
Privacy Legislation
The pieces of legislations that are applicable to this policy can be listed as: Firstly,
Freedom of Information Act 1982, secondly, Privacy Act 1988 and Archives Act 1983 (Zetler
2015).
Overview of Risk Management for Information Security
Risk Assessment Framework
This can be stated as the set of guidelines for the risk assessment process on the basis of
existing frameworks that is being defined in the Australian Standards AS/NZS ISO 31000:2009
Risk management that includes HB 167:2006 Security Risk Management, and guidelines and
principles. Risk assessment can be referred as the subjective process and A4A should ensure that
the defined process is justifiable, documented, and transparent (Saint-Germain 2015). It is the

6
INFORMATION SECURITY MANAGEMENT GUIDELINES
best option for many objectives like firstly, identifying the level of risk tolerance, secondly,
identifying the specific risks to the employees, assets, and information that are being stored in
the system. Third benefit is that identifying the appropriate protection in order to mitigate the
risks that have been identified previously.
Applying ISO 31000
The process of risk assessment process should be consistent within the existing standards.
In order to successfully manage the risk assessment, the whole process can be sub-divided into
five key points that can be stated as (Draper and Ritchie 2014):
Establishment of the Context: This step states to define the external and internal influences that
can have impact on the implementation of the arrangement directly or indirectly.
Identification of the Risks: Developing a robust list of the identified risks, this might have the
capability to affect the success in implementing this arrangement.
Assessment of the identified Risks: After the first two steps it states to analysing the list of
identified risks in contrast with the organisations likelihood, impact, and the tolerances.
Selection of Proper Treatments: This step includes choosing risk assessing strategies that are
appropriate for A4A including the controls for those identified risks.
Development of overall Risk Assessment: This is the last and final step that includes
summarization of the output of identified risks in accordance with the mitigating measures or control into
all the categorized risks.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7
Control risksEvaluate RisksAnalyze riskIdentify riskEstablished Context
Consultation and communication
Monitor and Review
INFORMATION SECURITY MANAGEMENT GUIDELINES
Figure 1: Risk Assessment Process
(Source: Created by Author)
Establish the Context
The assessment process that is going to be implemented with the system of A4A must
address the security, organizational and strategic risk management contexts in order to eliminate
all the existing risks. All facets of the functions or activities of the organization will be covered
by the security risk assessment (Whittman and Mattord 2013). For a successful risk management
system it is necessary that the risk management is appropriate to be prevailing and emerging risk
environment. Establishment of the context is a very critical objective as it provides a platform on
which all the respective activities of the risk assessment are being conducted.

8
INFORMATION SECURITY MANAGEMENT GUIDELINES
How to Determine A4A Context
Internal environment in which the organization is willing in order to achieve its goals can
be stated as the context of the A4A. Following are the objectives that can be included in this
topic:
 A4A Organizational structure, governance, accountabilities or responsibilities, and roles.
 Extent and nature of the contractual relationships (Wensveen 2016).
 Culture of the A4A including its security culture
 Policies and objectives including the strategies that are being made to achieve them.
 Perception, values of, and relationships with the internal stakeholders
 Models, guidelines, and standards that are being adopted by the organisation
 Lastly, information flows, decision making processes, and information systems
The Strategic Context of Outsourcing
A4A must consider the aspects of the strategic contexts that are relevant according to the
situation that will be the factors which will be implemented in the risk assessment management
process. These include, firstly, relevant Australian regulation, policy, and legislation considering
the facts that are responsible for safeguarding the information related to the operational activities
of the A4A (Peppard and Ward 2016). Secondly, it includes potential jurisdictional and foreign
laws access to information, and third objective that is being included in this is the potential
benefits of off shoring or outsourcing arrangements that is being arranged to manage the systems
that needs to be installed.

9
Intolerable risk
Scope for A4A
Tolerable risk
Increasing risk
Incapacity to manage
INFORMATION SECURITY MANAGEMENT GUIDELINES
Identifying Risk
Identifying risk can be used in manner to comprehensively determine the sources of risk
that are applicable and the events that have potential to impact the business of A4A organization.
There should be full description on the issues that is being identified in manner to make the
decision makers completely understand the facts that is all about. A4A risk management team
should determine the risks that are related to the availability, integrity, and the confidentiality of
the types of data that is being saved in the information system considering the personal
information of the employees and the operational data or information (Webet al. 2014). As
mentioned in the AS/NZS 4360:2004 risks can be defined as “The chance of something
happening that will have an impact on the objectives”.
How to Determine Agency Risk Tolerance
Figure 2: Risk Tolerance
(Source: Created by author)
This determination can be made during the ‘Establishing the context’ phase during the
risk assessment processes. Risk tolerance is completely dependent on the organizational context

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10
INFORMATION SECURITY MANAGEMENT GUIDELINES
of the A4A and Heads of the A4A. Tolerance level can be stated as the sum of risk appetite of
A4A. The risk tolerance will be based on the the principle of managing risk to the reasonably
practicable low level, while it still allows the scope for the innovation and flexibility in business
practices. Boyens et al. (2014) stated that it can be affected or changed changing the evaluation
criteria, which implies that appetite risk of the head of the A4A for the risk can be variable that
can depends upon: Firstly, prevailing community and political expectations and sensitivities.
Secondly, incident security nature such as hacking terrorist attack etc., thirdly, emergence or
existence of security trends such as cyber-attacks, data breaches, trusted insider etc. Another
factors may be business or strategic priorities, ability of the government, individual or the
organization to compensate losses and lastly but not least availability of the resources for
treatment.
Questions To Consider When Determining Risks within Cloud Context
In order to establishing context in a risk management it is very necessary to understand
the nature of the vulnerabilities, criticality, and potential or relevant threat. The questionnaire
that can be included in this section in order to facilitate it can be listed as (Rebello et al. 2015):
• The aggregated value of the information holdings to the A4A
• How the integrity, availability, and confidentiality of A4A will be affected
• What would be the look of an unintended disclosure? What would be the look of an event
or incident
• How outsourcing might affect the information of the A4A including the sources of risks
and related threats
• How much impact on losing information can affect the A4A

11
INFORMATION SECURITY MANAGEMENT GUIDELINES
A4A can take into account the individual security plans while searching for the information
that are related to the risk identification process due to the existing presence of information on
security of the information.
Potential Threats When Outsourcing Information
Data Loss: There may be the permanent deletion or loss of data, which could be a result
of malicious activity or by any accident.
Data Breaches: The information those are very sensitive for the organization could be
leaked or stolen or might be manipulated by an unauthorized user (Peltier 2016).
Service traffic or Account Hijacking: this another potential threat that might lead the
external entities eavesdropping on the operational activities such as manipulating data,
transactions, through phishing, fraud, and return falsified information.
DOS (Denial of service): this threat or attack can block the user from accessing their
application or data that will affect the organization and its consumers too.
API (Application Programming Interface) and Interfaces Insecure: In manner to circumvent the
security processes, vulnerable interfaces may be exploited maliciously and accidentally both.
Malicious Insider: The insider formal stakeholders like contractor, former employee, or
any of the other business partners can be threat who had or has the access authority to the
network of the A4A organization (Dhillong, Syed and Sa-Soares 2017). This access authority
can be misused for personal gain or profit by impacting negatively to the organization.

12
INFORMATION SECURITY MANAGEMENT GUIDELINES
Insufficient Due Diligence: Implementing cloud services into the system of the A4A
without considering the scope of undertaking the vulnerabilities and weaknesses of this
implementation.
Shared Technology Vulnerabilities: Cloud infrastructure such as GPU, CPU caches etc.
are vulnerable to scalable sharing practices if there is not any design established for the multi-
tenant architecture.
Mapping Risks
In order to completely understand the impact of the risks that are identified, there should
be proper emphasis on the vulnerabilities or causes that the identified risks possibly cause to the
organization. In order to inform the risk assessment, it is essential to gauge the likelihood and the
consequences of the risk events. Mapping risks will help in dividing the risks into categories
according to their priority, which can be helpful in guiding the source allocation in order o
mitigate the identified risks (Beckers et al. 2013). Various objectives are considerable during the
mapping risks system those can be stated as: the sectors where there is the impact of the risks,
the frequency of risk happen, outcome of the risk eventuating, the individuals that will be
affected by the occurrence of the risk event and lastly, the stakeholders that are involved in the
risk assessment including the impact of these risks on the stakeholders and many more.
Assessing Risk
After the relevant identification of the risks the assessment process can be used for the
determination of the level of risks. There should be holistic evaluation of the likelihood of the
risk that might occurred, acceptable level of the tolerances that can be presented by the graph
mentioned in the figure 2, and the consequences of the identified risk events (Oppliger, Pernul

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13
INFORMATION SECURITY MANAGEMENT GUIDELINES
and Katsikas 2017). In manner to address the consequences and likelihood levels there should be
proper consideration on the effectiveness control and the sources of risk events. Risk assessment
includes the level of control and oversight organizations have on the management of their
information. For better explanation an example can be that the A4A confidential information
related to the employee and the operational activities can be assessed in the relation to the
integrity, availability, and the confidentiality including the aggregation (Soomro, Shah and
Ahmed 2016). The risk assessment should be assessed on the basis of the potential impact of the
risks for the A4A for the sectors mentioned above including all the stakeholders that might be
affected due to these risks.
Guidance on Determining Potential Consequences
This step is completely dependent on the profile of the information that is about to store
in the information system of the A4A. Information related to the donors, employee’s sensitive
information such as bank account number, social security number and many more, all the
transactional informational and much other information are about o store in the information
system of the A4A (Albakri et al. 2014). The expose of such information could relate to the
privacy and security issue of the individuals that are related to the A4A.
Evaluating the Risks
Evaluation of the risks related o the unintended expose of information about the
operational activities and the data about the employees involves the consideration of the risks
within the context of the potential treatment and A4A’s risk tolerance options (Yang, Shieh and
Tzeng 2013). In many of the circumstances the unauthorized expose or access of the information
that is being stored in the system might be quantified almost the whole in financial terms on the
basis of revenue loss that results it in a matter of financial calculation. However, for these

14
INFORMATION SECURITY MANAGEMENT GUIDELINES
circumstances, A4A can consider a wide range of factors that includes the impact on the
reputation of the organization due to the expose of this sensitive information that includes loss of
data related to the employees and organizational operational activities (Feng, Weng and Li
2014). These objectives results in the complexity for calculating the risks level and the
acceptance resides with the head of the organization
How to Consider Potential Risk Treatment Options
The risks related to the security of the organization cannot be eliminated completely but it
can be minimized to an extent level as the security cannot be absolute. Thus the aim should be
provided in tolerating the threats that includes firstly, for the identified risks rating level while
making selections for the risk treatments for the systems that are being introduced for the storage
of information should be conducted proportionally (Raghupati and Raghupati 2014). This could
be divided into six step processes where A4A: firstly, prioritise the intolerable risks, secondly,
establishment of the treatment options, thirdly, identification and development of treatment
options, fourth, Evaluating the treatment options, fifth, detailing the review and design the
selected options also considering the management of residual risks, sixth, communication and
implementation.
Communication and Consultation
There should be a consultation and communication plan management that should be
established at very early stage during the risk assessment in order to determine the processes that
will be informed or communicated to the stakeholders including external and internal
stakeholders (Itradat et al. 2014). Proper and effective communication and consultation during
the process of the risk assessment can be helpful in ensuring the facts that are responsible or the
successful implementation of the risk assessment process and that are responsible with a stake in

15
INFORMATION SECURITY MANAGEMENT GUIDELINES
the process through understandings that will implies that what decision is need to be made in
order to successfully assess the identified risks and enhance the performance of the organization.
The risk that could potentially affect the organization should be well communicated during the
process of the risk assessment, particularly if it is related to the employees of the A4A. The
perception of the stakeholders is also very important while communicating about the identified
risks during the process of risk management.
Risk Monitoring and Review
This is also one of the important guidelines for risk management processes for the
information security. Following are the considerable facts that could be included in this process:
• Does transforming manual system into technology based operation have a continuous
program or not and the cloud vendors have it or not (Layton 2016).
• The controls and their strategy of implementation can play an effective role or not
such as tokenization and encrypting the files before saving into the cloud or database.
• The controls or the processes that are being introduced are cost effective and efficient
or not that means considering other facts that might be applicable to reduce the threat.
• The introduced controls and changes complying with the legal requirements or not
(Baskerville, Spangnoletti, and Kim 2014). For example “Cloud solution meets the
legislative requirements of Australia.”

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

16
INFORMATION SECURITY MANAGEMENT GUIDELINES
Finalizing the Risk Assessment
Documenting the Risk Assessment and Risk Treatment
At the final stage the A4A management should document all the considerable, acceptable,
and calculated that can be associated with the security risks in the arrangements that is about to
change within the organization (Haufe, Dzombeta and Brandis 2014).
Approval Process
The delegates and the heads of the organization need to consider the risk assessment
before transforming the whole system into technological way. Ultimately this implies that the
head of the A4A will also be responsible for managing risk into the organization, and the
acceptance and understanding of the risks manifested through transformation, outsourcing, and
cloud integration within the system (Luthra et al. 2014).
Conclusion
Based on above report it can be concluded that there should be proper management
process in order to enhance the information security system within an organization. The
guidelines that have stated above can play very important role in managing the information and
data those are being stored into the system and keep it well secured and protected from
unauthorized user that could lead to serious damage through exposing, manipulating or deleting
the saved data. Cybercrimes can be considered as the most important issue regarding the
information security and these guidelines can prevent the organization from being looted by such
intruders and protect the assets of the organization. Other than the above guidelines it can be
recommended that the security levels should be divided into the categories based on the level of
authorization or posts. This could help in two ways the higher post individual will be able to

17
INFORMATION SECURITY MANAGEMENT GUIDELINES
monitor the individuals those are at lower post and the confidential information will be much
safer. Through the guidelines mentioned above, A4A can achieve the highest level of security for
the information related to the organization and be safer from any loss.

18
INFORMATION SECURITY MANAGEMENT GUIDELINES
References:
Albakri, S.H., Shanmugam, B., Samy, G.N., Idris, N.B. and Ahmed, A., 2014. Security risk
assessment framework for cloud computing environments. Security and Communication
Networks, 7(11), pp.2114-2124.
Arregui, D.A., Maynard, S.B. and Ahmad, A., 2016. Mitigating BYOD Information Security
Risks.
Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security:
Managing a strategic balance between prevention and response. Information &
Management, 51(1), pp.138-151.
Beckers, K., Côté, I., Faßbender, S., Heisel, M. and Hofbauer, S., 2013. A pattern-based method
for establishing a cloud-specific information security management system. Requirements
Engineering, 18(4), pp.343-395.
Boyens, J., Paulsen, C., Moorthy, R., Bartol, N. and Shankles, S.A., 2014. Supply chain risk
management practices for federal information systems and organizations. NIST Special
Publication, 800(161), p.1.
Dhillon, G., Syed, R. and de Sá-Soares, F., 2017. Information security concerns in IT
outsourcing: Identifying (in) congruence between clients and vendors. Information &
Management, 54(4), pp.452-464.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

19
INFORMATION SECURITY MANAGEMENT GUIDELINES
Draper, R. and Ritchie, J., 2014. Principles of security management: Applying the lessons from
crime prevention science. Professional Practice in Crime Prevention and Security Management,
p.91.
Feng, N., Wang, H.J. and Li, M., 2014. A security risk analysis model for information systems:
Causal relationships of risk factors and vulnerability propagation analysis. Information
sciences, 256, pp.57-73.
Haufe, K., Dzombeta, S. and Brandis, K., 2014. Proposal for a security management in cloud
computing for health care. The Scientific World Journal, 2014.
Itradat, A., Sultan, S., Al-Junaidi, M., Qaffaf, R., Mashal, F. and Daas, F., 2014. Developing an
ISO27001 Information Security Management System for an Educational Institute: Hashemite
University as a Case Study. Jordan Journal of Mechanical & Industrial Engineering, 8(2).
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and
compliance. CRC Press.
Luthra, R., Lombardo, J.A., Wang, T.Y., Gresh, M. and Brusowankin, D., Citibank and NA,
2014. Corporate infrastructure management system. U.S. Patent 8,706,692.
Oppliger, R., Pernul, G. and Katsikas, S., 2017. New Frontiers: Assessing and Managing
Security Risks. Computer, 50(4), pp.48-51.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. CRC Press.
Peppard, J. and Ward, J., 2016. The strategic management of information systems: Building a
digital strategy. John Wiley & Sons.

20
INFORMATION SECURITY MANAGEMENT GUIDELINES
Raghupathi, W. and Raghupathi, V., 2014. Big data analytics in healthcare: promise and
potential. Health information science and systems, 2(1), p.3.
Rebollo, O., Mellado, D., Fernández-Medina, E. and Mouratidis, H., 2015. Empirical evaluation
of a cloud computing information security governance framework. Information and Software
Technology, 58, pp.44-57.
Saint-Germain, R., 2005. Information security management best practice based on ISO/IEC
17799. Information Management, 39(4), p.60.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more
holistic approach: A literature review. International Journal of Information Management, 36(2),
pp.215-225.
Sylves, R., 2014. Disaster policy and politics: Emergency management and homeland security.
CQ Press.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for
information security risk management. Computers & security, 44, pp.1-15.
Wensveen, J.G., 2016. Air transportation: A management perspective. Routledge.
Whitman, M. and Mattord, H., 2013. Management of information security. Nelson Education.
Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL
and ANP for information security risk control assessment. Information Sciences, 232, pp.482-
500.

21
INFORMATION SECURITY MANAGEMENT GUIDELINES
Zetler, J.A., 2015. The legal and ethical implications of electronic patient health records and e-
health on Australian privacy and confidentiality law.

1 out of 22

+13062052269

info@desklib.com

Information Security Management Systems

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

Information Security in Healthcare Cloud

Information Security Policy Compliance

ICT Scoping Report for Data Analysis

Cloud Security Risk Assessment for Aztec

Cloud Security and Privacy for Land Titles Agency: Threat and Risk Assessment

Cloud Computing Risk Assessment