Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Information Security Management: Guidelines for Risk Management and Certification

Verified

Added on 2022/11/13

AI Summary

This report discusses about the guidelines for information security risk management and certification and accreditation of information security. A discussion on how to build an effective information security risk management program is also done through this report. The report elaborates the possible risks and vulnerability issues and the Information Security Management Systems is defined properly so that it helps the OZ dispatch to build a proper program and manage that program effectively.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running Head: INFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENT
Name of the Student:
Name of the University:
Author Note:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1INFORMATION SECURITY MANAGEMENT
Table of Contents
1. Executive Summary...............................................................................................................3
2. Introduction............................................................................................................................4
3. Discussion..............................................................................................................................4
3.1. Guidelines for information security risk management....................................................4
3.2. Guidelines for information security certifications and accreditation..............................8
ISO Certification................................................................................................................9
PCI Compliance.................................................................................................................9
ISM (Information Security Manual)..................................................................................9
IRAP (Information Security Registered Assessors Program)..........................................10
Australian Privacy Principles (APP)................................................................................10
Australian Prudential Regulation Authority (APRA) Standards.....................................10
SOC 2...............................................................................................................................10
SSAE 16 / ISAE 3402 Type II.........................................................................................10
4. Conclusion............................................................................................................................11
5. References............................................................................................................................12
1.

2INFORMATION SECURITY MANAGEMENT
1. Executive Summary
Security of the information is an essential part of any organization. Information security also
known as infosec, is a process for protecting the information through reducing the detected
information risks. Information security a part of information risk management, where the
information risks are identified and if not totally eradicated, the information is at least
protected from unauthorized access or any modification or deletion of the data. The aim of
information security is to create balance in protection of the information in terms of
confidentiality, integrity and availability, popularly known as CIA triad, of the institutional
data (Andress 2014). Information security management means the level of control an
organization needs to have on their system to protect the privacy, availability, and
incorruptibility of their useful assets from threats and susceptibilities. Information security
management systems (ISMS) are set of policies to methodically manage an organization’s
data. These systems aim to protect and manage the enormous amount of data collected by the
organization online as well as offline. This report discusses about the Information system of
OZ dispatch and what are the possible ways of improving their present system. After
estimating the risks some measures were suggested to ensure the proper functioning of the
organization.

3INFORMATION SECURITY MANAGEMENT
2. Introduction
With the advancement of technology and internet globally, security and privacy of
data is an important factor for every individual and for any organization. Data piracy and data
breaches are increasing at an alarming rate. Protecting these personal data is becoming hard
everyday and technologist strive to provide security and risk management guidelines to avoid
these challenges. Organizations deal with enormous amount of data including personal details
of customers and other organizational data. It is very important to protect this information
from any security threat. Information security management system is an efficient way to
manage sensitive organizational data and to secure them from vulnerable cyberattacks
(Peltier, 2013). ISO 27000 is a set of rules put forward by ISO (International Organization for
Standardization) that if followed by organizations, can gain a certification of trust for the
customers, showing that their systems are with compliance with these rules and their system
is capable of protecting the critical data of the user (ISO 2019). Moreover, only information
security management is not enough to protect the organizational data. Having a strong
encrypted internet network is very important to reduce the risks of cyber attacks. Firewalls
and trusted anti-viruses should be used to reduce the effects of any external threat. Strong Wi-
Fi security like the WAP2 (PSK)-AES (Wi-Fi Protected Access II with pre-shared key and
Advanced Encryption Standard) standards should be maintained and all the systems should
be up to date with the latest version of operating system (Alblwi and Shujaee 2017). This
report discusses about the guidelines for information security risk management and
certification and accreditation of information security. A discussion on how to build an
effective information security risk management program is also done through this report.
Lastly, some recommendations were made to decrease the level of data breach.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4INFORMATION SECURITY MANAGEMENT
3. Discussion
3.1. Guidelines for information security risk management
Security together with data protection plays a big role in every organization. Security events
cost a lot and any organization could be a victim. There are measures that can be taken to
reduce the effects only but cyberattacks are not totally inevitable. With the advancement in
technology there are increased rate of data breach also. The point of study of this report, OZ
dispatch, is a home delivery management organization with 20 distribution centre and 20
employees working there including the manager and delivery staff. A detailed analysis of the
information security system was made and guidelines to build an effective system were
suggested through this report.
Firstly, to build strong and secure ISMS (Information Security Management System),
there should be an implementation of a proper program (Beckers et al. 2013). Information
security management program has seven control factors that lead an organization in the
successful implementation of their ISMS. The seven factors to success are:
1. Management responsibility of the executive level of the organization- The senior
manager or the management is responsible to execute this plan effectively (Stahl and
A. Pease 2007).
2. Policies for the Information Security- The organization must have a documented
security policy, updated with the present security changes (Siponen, Mahmood and
Pahnila 2014).
3. Training and awareness of users of the system- Users of information security system
should be trained properly beforehand to avoid any risk in future (McIlwraith 2016).
4. Network, computer and device security- The internet network security should be very
strong and encrypted and should be checked regularly for any vulnerability (Pathan

5INFORMATION SECURITY MANAGEMENT
2016). The computer systems should have proper anti-virus with updated database
and the operating systems should always be up to date as there might exist some
security hole.
5. Physical and staff security- Physical guards and surveillance cameras should be
installed in every place of high security risk (Peltier 2016).
6. Third party information sharing security assurance- Every organization shares the
sensitive data with some third parties to ensure the swift working of the organization
but, these third parties should be verified and ensured before sharing these highly
personal data (Conger, Pratt and Loch 2013).
7. Continuous assessment of the information program- A routine check of the program is
must as that will ensure the integrity of the program and the organization (Chen,
Ramamurthy and Wen 2015).
Despite all these programs and security measure there are still organizations that are
becoming victims of cyber-attack. In July 2017, it was reported that Equifax, a credit service
faced a cyber-attack which is exposed the 143 million sensitive user data and 200,000 credit
card details (Bernard et al. 2017).
Now, coming towards the guidelines of Information security risk management, ISRM
is the process for identifying security risks which includes computer security risks and
managing the risks related to information technology (Webb et al. 2014). The stages in ISRM
are:
1. Identification.
2. Assessment.
3. Treatment.
4. Communication.

6INFORMATION SECURITY MANAGEMENT
5. Rinse and Repeat.
1. Identification- This stage identifies important assets, vulnerabilities, threats and identifies
the control measures to reduce these risks within the organization.
Identifying assets- Identifying the important assets of the organization is very
important as these assets would be the most precious things the organization acquires
and needs special protection. For example, for any online video or audio streaming
system their database or the library of video or audio would be the most valuable
asset. In case of OZ dispatch, their most valuable assets would be the customer
delivery information and the customer database as they operate online and offline
also. There would be physical data also which will need digitization.
Identifying vulnerabilities- This step is critical as this will help to identify the risks
and vulnerability issues regarding the systems that might result in data breach.
Identifying threats- The possible threats like natural calamities and active hacker
zone that can compromise data are detected in this step.
Identifying the control methods that already exists- If there are possible data risks
then they should be controlled or eliminated totally from the system. One example
would be if one employee still has access to the organizational systems and is not a
part of the system anymore. That person should be removed from the system to
control the data piracy risk.
2. Assessment- With all the vulnerabilities, assets and controls identified the combined risk is
calculated using some formula. Generally, the simplified version of the formula is:
Risk = (Threats*Vulnerabilities)/Control measures

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7INFORMATION SECURITY MANAGEMENT
3. Treatment- After the risks is calculated or identified the next step is to treat them and
reduce the risks. This step includes remediation, mitigation, transference, risk
acceptance and risk avoidance.
Remediation- This step is meant to control or fully eradicate the problems detected.
If there are some security patches required in the system, that is done in this step.
Mitigation- This step is meant to lessen the impact of the identified risks. If some
security issues are detected in the system the firewall will ensure the protection of the
risk.
Transference- If some vulnerabilities are detected and the system gets affected by
that there should be some insurance policies for the system that will ensure the
recovery cost is reduced.
Risk acceptance- This step suggests that if there are some minor risks that does not
need immediate cleansing and the cost for mending the risk is high then it should be
accepted by the organization.
Risk avoidance- This step suggests that if the organization detects the operating
systems they are using will not release any further updates for any security patch then
the data should be migrated to a different system which ensures future updates.
4. Communication- This step will ensure the proper communication of the risks and the
measures taken within the organization. Stakeholder and higher authorities should be
informed about the risk and what measures were taken to reduce the risk. The organization is
accountable to every user and associate. Oz dispatch should have a proper mode of
communication which ensures the integrity of the organization.

8INFORMATION SECURITY MANAGEMENT
6. Rinse and Repeat- A periodic assessment of the program should be there to avoid the
already faced issues. This should be an ongoing process that regularly monitors the risks and
the system requirements.
3.2. Guidelines for information security certifications and accreditation
Certification is a comprehensive study of the overall background of the security
features to establish a required working environment for the system. Accreditation is an
approval by the Designated Approval Authority (DAA) that the system follows all the rules
and regulations by the authority.
ISO Certification
ISO standards 27000, ISO 27001 and 27002 are very important for any information
system to follow as that will ensure the objective and requirements are controlled properly for
the protection of the data (Disterer, 2013). These ISO standards helps in keeping the
organizational assets secure. ISO 27001 is the best know standard in this family (ISO 2019).
PCI Compliance
PCI compliance is meant to protect customer credit card information data which are
highly sensitive. Any company accepting credit cards should maintain the standards of PCI
DSS (Payment Card Industry and Data Security Standards). This ensures credit card data of
the customer is stored securely on the site, and there exist a secure transmission of these data
across all public networks (Clapper and Richmond 2016). Credit card companies made this
PCI standards to protect the information of the card holders. There is no certification for this
however an organization should give proof of their PCI standard compliance. This standard
has an annual cost of around $5000 to $10,000 (Hemphill and Longstreet 2016). There can be
penalties also if the organization fail to prove that they are PCI compliant.

9INFORMATION SECURITY MANAGEMENT
ISM (Information Security Manual)
ISM is published by Australian Signals Directorate (ADS), an organization of the
Australian defence department. This manual regulates the preservation of the information and
communication technology (ICT) systems of the Australian government (Burdon Siganto and
Coles-Kemp 2016). Together with PSPF (Protective Security Policy Framework) ADS
provides the guidelines for implementing and effective management of ICT environment. In
2014, the Australian Department of Finance and Department of Communication released the
Australian Government Cloud Computing Policy 3.0, that must be followed by organizations
if there are cloud services.
IRAP (Information Security Registered Assessors Program)
IRAP provides a framework that determines the implementation together with the
effectiveness of the security controls of an organization as per the security requirements of
the Australian government.
Australian Privacy Principles (APP)
APP helps in protecting the sensitive personal information. Australian privacy
principles are included in Privacy Act 1988 (Cth). The Privacy act regulates how a user data
is collected, managed and used by the organization. Customers are also responsible to
maintain the reqirements under the Privacy Act.
Australian Prudential Regulation Authority (APRA) Standards
APRA standards regulate the financial service industry in Australia. It ensures the
financial promises made by the organization are met with efficient financial systems. Three
standards CPS 231, CPG 234 and CPG 235 three major standards that govern information
outsourcing, security risk management and risk managements regarding the information
technology.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10INFORMATION SECURITY MANAGEMENT
SOC 2
It is a report based of AICPA’s existing Trust services principles and criteria. This
report helps to evaluate the information system of an institution. This evaluation consists of
the security of system, availability of the data, processing integrity and the privacy protection
by the system.
SSAE 16 / ISAE 3402 Type II
The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) was
created by the Auditing Standards Board of the American Institute of Certified Public
Accountants (AICPA) to keep up with the pace of other globally recognized international
accounting standards. International Standard on Assurance Engagements 3402 (ISAE 3402)
has close coordination with SSAE 16. Both these standards are used to develop reports by the
objective third-party that how the organization asserts their controls. Using the SOC (Service
Organization Control) framework, the control on the financial information are measured.
4. Conclusion
This report elaborates the possible risks and vulnerability issues and the Information
Security Management Systems is defined properly so that it helps the OZ dispatch to build a
proper program and manage that program effectively. The implementation of ISMS will be
easier for OZ dispatch as this report covers every possibility of being attacked. With the team
of only 20 members it will not be a very big challenge to educated the members about the
system. The maintenance cost for the operating systems and network control will also be less.
Moreover, it is suggested to appoint an IT expert to look after these internet systems and to
manage these systems efficiently. Apparently, the systems of OZ dispatch deals with a huge
amount of data so, they should acquire all the certification and accreditation by the
government and the international standards to gain trust of the customers and to assure them

11INFORMATION SECURITY MANAGEMENT
that their data is protected. ISO standards and PCI standards are must to follow. In
conclusion, cyber-attacks or data breaches are not inevitable, still with a strong encrypted
network and protected system the security risks can be controlled and can be monitored
properly.

12INFORMATION SECURITY MANAGEMENT
5. References
Alblwi, S. and Shujaee, K., 2017. A Survey on Wireless Security Protocol WPA2.
In Proceedings of the International Conference on Security and Management (SAM) (pp. 12-
17). The Steering Committee of The World Congress in Computer Science, Computer
Engineering and Applied Computing (WorldComp).
Andress, J., 2014. The basics of information security: understanding the fundamentals of
InfoSec in theory and practice. Syngress.
Beckers, K., Côté, I., Faßbender, S., Heisel, M. and Hofbauer, S., 2013. A pattern-based
method for establishing a cloud-specific information security management system.
Requirements Engineering, 18(4), pp.343-395.
Bernard, T.S., Hsu, T., Perlroth, N. and Lieber, R., 2017. Equifax Says Cyberattack May
Have Affected 143 Million in the US https://www. nytimes.
com/2017/09/07/business/equifax-cyberattack. html? mcubz= 3.
Burdon, M., Siganto, J. and Coles-Kemp, L., 2016. The regulatory challenges of Australian
information security practice. Computer Law & Security Review, 32(4), pp.623-633.
Chen, Y.A.N., Ramamurthy, K.R.A.M. and Wen, K.W., 2015. Impacts of comprehensive
information security programs on information security culture. Journal of Computer
Information Systems, 55(3), pp.11-19.
Clapper, D. and Richmond, W., 2016. Small business compliance with PCI DSS. Journal of
Management Information and Decision Sciences, 19(1), p.54.
Conger, S., Pratt, J.H. and Loch, K.D., 2013. Personal information privacy and emerging
technologies. Information Systems Journal, 23(5), pp.401-417.
Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security management.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13INFORMATION SECURITY MANAGEMENT
Hemphill, T.A. and Longstreet, P., 2016. Financial data breaches in the US retail economy:
Restoring confidence in information technology security standards. Technology in
Society, 44, pp.30-38.
ISO (2019). ISO/IEC 27001 Information security management. [online] ISO. Available at:
https://www.iso.org/isoiec-27001-information-security.html [Accessed 24 May 2019].
McIlwraith, A., 2016. Information security and employee behaviour: how to reduce risk
through employee education, training and awareness. Routledge.
Pathan, A.S.K. ed., 2016. Security of self-organizing networks: MANET, WSN, WMN,
VANET. CRC press.
Peltier, T.R., 2013. Information security fundamentals. CRC press.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. Auerbach Publications.
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information
security policies: An exploratory field study. Information & management, 51(2), pp.217-224.
Stahl, S. and A. Pease, K. (2007). Effectively Managing Information Security Risks. Los
Angeles: Citadel Information Group, p.22.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for
information security risk management. Computers & security, 44, pp.1-15.

1 out of 14

+13062052269

info@desklib.com

Information Security Management: Guidelines for Risk Management and Certification

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

Cyber security Planning and Compliance (pdf)

Project Success Factors and Impact

Data Security Standards in Australia and Challenges of AWS Data Security

Strategic Information Security Program Development for Yahoo Inc.

Risk Assessment on Network Infrastructure of CONVXYZ

Managing IT Security and Risk