Information System Security Management Report 2022
Information System Security Management 1
Information Security Management
Student
Tutor
Institutional Affiliation
State
Date
Table of Contents
Table of Contents 2
Executive summary 3
Introduction 4
Information security risk management 4
Identification 5
Identification of assets 5
Identification of vulnerabilities 5
Identification of threats 6
Identification of controls 7
Assessment 7
Treatment of risk 8
Mitigation 8
Remediation 8
Transference 8
Risk acceptance 9
Risk avoidance 9
Communication and awareness 9
Rinse and repeat 9
Information security certification and accreditation 10
Initiation 11
Security certification 12
Security accreditation 13
Continuous monitoring 14
Conclusion 15
Executive summary
System security management is of fundamental relevance to every business. Its main goal is to protect an organization’s sensitive data. FuturePlus is a start-up charity organization. The organization wants to expand in future and will be serving many clients. Additionally, FuturePlus holds sensitive data on its contributors. Because of this, the organization is likely to face cyber-attacks. It is therefore imperative to come up with robust security management strategies that will ensure the safety of the sensitive data in the organization’s systems, and it is for this purpose that we have produced this report.
In this report, we discuss some guidelines for information security risk management. We also present guidelines for security certification and accreditation. For robust security, the organization must first identify its assets, vulnerabilities and threats, as well as the appropriate controls. Once these have been identified, the next step is mitigation. This process should be practiced continuously to ensure that the system is free from any kind of security breach, which in turn protects the organization’s customer details from breach.
Introduction
Information security is an integral part of every organization in the modern day. Information systems are used in every organization irrespective of the size of the business. Although they promise significant benefits to organizations, they come with security issues. Hence it is imperative to consider security management strategies (Whitman and Mattord, 2013, p. 13). Following this rationale, this report seeks to document information security risk management and information security certification and accreditation guidelines for the FuturePlus organization.
Information security risk management
This is the process of managing risks related to information technology (Spears and Barki, 2010, pp. 503-522; Poolsappasit, Dewri and Ray, 2011, pp. 61-74). It requires processes such as identification, assessment and treatment of risks to the highest expectations of the organization. The whole process aims at dealing with risks in accordance with the organization’s general risk profile (Peltier, 2010, pp. 8-12). For FuturePlus, it will therefore help the disadvantaged students it serves through secured fee payments and accommodation, in addition to attaining their educational goals. Eliminating risks in a business should not be intended merely for the identification and achievement of a moderate level of risk for an organization.
Information security risk management was traditionally regarded as an IT function within the organization’s IT planning strategy. It has recently evolved into an essential part of the activities supporting business organizations. The strategy provides the most effective and recognizable outcomes of high value. An information security risk management strategy offers a framework for information infrastructure protection which aims at ensuring that the business goals and risk profile of the organization are openly highlighted (Purdy, 2010, pp. 881-886). The process requires three
necessary stages, namely identification, assessment and treatment of risk, which can be used to design an information security risk management strategy for FuturePlus, as discussed below.
Identification
There are many elements within an organization that call for attention during the identification process, such as assets, vulnerabilities, threats and controls. For FuturePlus, a lot of research needs to be done on these elements before the process is implemented.
Identification of assets
The data and system approaches that could be most effective are sought at the initial point, before the organization is assessed. In the case of FuturePlus, those involved are expected to have an idea of the current business condition of the organization before executing the information security risk management strategy in a defined manner. Identifying the main assets that could be most effective produced data on the students’ fee and accommodation difficulties, among others (Paquette, Jaeger and Wilson, 2010, pp. 245-253). The aim was to enable these students to access early intervention and tutorial programs. The organization’s risk profile and appetite were also considered to be among the most misinterpreted data points. FuturePlus must ensure that it has staff and a budget matched to the available assets, with the aim of implementing effective capabilities at a moderate level of security and risk management for its data as well (Da Veiga and Eloff, 2010, pp. 196-207).
Identification of vulnerabilities
This aims at finding the software weaknesses, or the level of the system’s proneness to viruses, that might lead to the confidentiality and integrity of assets being compromised. FuturePlus should ensure that it has staff well equipped with the necessary skills to implement the strategy. A better and
elaborate understanding of the culture of the organization is also important for faster adoption of the strategy. FuturePlus should also ensure that it has an annual plan followed by a continuous five-year plan. This is mainly for the purpose of identifying unidirectional goals that should be met annually while considering the ongoing operation of the information security risk management activity (Bulgurcu, Cavusoglu and Benbasat, 2010, pp. 523-548; Stallings, Brown, Bauer and Bhattacharjee, 2012, p. 978). This will also help FuturePlus to understand the capability of the strategy as well as the requirements for the future. This calls for FuturePlus to continue its donation process through social media, that is, its websites and national television, after which e-mails and short messages are sent to the potential donor database. FuturePlus has to ensure that capable staff are available for strategy execution.
Identification of threats
The organization also has to ensure that unknown individuals and industry- or government-sponsored entities do not easily access its databases. Threats may also come from the cultural practices of the organization, which calls for understanding. FuturePlus has to ensure that members support the implementation of the strategy so that adoption takes place easily. FuturePlus should also ensure that any message in the form of a donation list is sent to the chief risk officer. An information risk management framework should be used in the identification of information risks such as fraud, credit, market and any other risk (Takabi, Joshi and Ahn, 2010, pp. 24-31). FuturePlus should identify the type of operational components it tends to have. For instance, direct management is very much essential since it can control the whole cycle, though providing advisory and consultative capabilities to support business operations is better.
Identification of controls
It is vital for an organization to have in place the means to protect its assets. This should aim at mitigating, remediating or lessening the likelihood of a risk being experienced. When a given application is thought to be easily accessible, a control should be put in place to automatically do away with the risk. FuturePlus has offices that are connected to the internet via 5G cellular wireless technology and is therefore creating a secured control database to restrict the payments made for the needy students. FuturePlus also uses portable devices that secure the communications and payment details made on the visits it makes. All these are defined by staff availability, which has to ensure that the set objectives are met based on their capabilities. Competency models are also important since they describe not only the jobs of specific positions but also the skills and knowledge relevant to the organization. Finally, FuturePlus must ensure that the sourcing plans used are effective. This will ensure that the operational and implementation capabilities are accelerated, though the third party will not assume the risks.
Assessment
It involves bringing together the gathered information about the assets, vulnerabilities and controls with the purpose of defining a risk (Yang, Shieh and Tzeng, 2013, pp. 482-500). Mathematically, it is obtained by subtracting security controls from the product of threat, vulnerability, likelihood, asset value and exploit impact. The current FuturePlus organization should identify the functions and capabilities provided by the information security risk management group and expose them to the ratings and rules of the industry (Von Solms and Van Niekerk, 2013, pp. 97-102). This takes place through industry standard alignment, which does not restrict the organization from identifying its effectiveness.
FuturePlus should use a capability maturity model assessment methodology in which two main questions are answered: how capable is the organization, and how would it know when it has reached its point of arrival? It will then be able to identify the improvements needed to raise efficiency, reduce operational costs and increase the organization’s value.
Treatment of risk
This is the last stage of developing information security risk management, after the risk has been assessed and analyzed. It may involve mitigation, remediation, transference, risk acceptance and risk avoidance. Threats and risks vary depending on geography. Physical threats are fewer since many attackers intend to steal data and not infrastructure.
Mitigation
Risks cannot be entirely fixed but should be lessened in order to reduce the likelihood or impact of the risk (Feng, Wang and Li, 2014, pp. 57-73). FuturePlus must be ready to face risks and reduce their impacts in a lively and conducive order. Some of the mitigation strategies may be the implementation of security management policies as well as software.
Remediation
A control that fully fixes the underlying risk is implemented. FuturePlus is advised to ensure that any risk that causes a lot of loss to the organization is completely done away with.
Transference
FuturePlus tries to recover the realized costs it incurred by transferring the associated risks to another entity. It should take out insurance specifically to cover all losses that could still be incurred in case of exploitation of vulnerable systems.
Risk acceptance
When the cost of fixing the risk is higher than the cost that would be incurred if the risk were realized, the organization is advised to accept the risk rather than fix it.
Risk avoidance
This involves doing away with everything that is exposed to the identified risk. When FuturePlus realizes that the information sent to a database believed to be secure is being accessed by unknown individuals, it is advised to avoid the risk to the sensitive data by transferring it to a new server.
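The assessment formula (risk as the product of threat, vulnerability, likelihood, asset value and exploit impact, minus controls) and the acceptance rule above, carried through on a constructed risk register as an added example that is not part of the report; the 1-5 scales, control scores, costs and asset names are assumptions:

```python
"""Risk register scoring for a small charity such as FuturePlus.

Added example, not part of the report. It applies the report's formula
literally: residual risk = (threat * vulnerability * likelihood *
asset value * exploit impact) - security controls. Because the report
subtracts rather than scales, the control score is assumed here to be
expressed on the same magnitude as the product. Treatment follows the
report's acceptance rule: accept when fixing the risk costs more than
the loss it would cause if realised; otherwise treat it (by mitigation,
remediation, transference or avoidance).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: int           # 1 (rare actor) .. 5 (active, capable actor)
    vulnerability: int    # 1 (hardened) .. 5 (known, unaddressed weakness)
    likelihood: int       # 1 (unlikely) .. 5 (expected)
    asset_value: int      # 1 (public data) .. 5 (donor and payment data)
    exploit_impact: int   # 1 (nuisance) .. 5 (loss of funds or trust)
    control_score: int    # strength of the controls already in place
    fix_cost: float       # cost of removing or lessening the risk
    loss_if_realised: float  # cost to the charity if the risk materialises


def residual_risk(item: RiskItem) -> int:
    """Report formula: (T * V * L * A * I) - controls, floored at zero."""
    raw = (item.threat * item.vulnerability * item.likelihood
           * item.asset_value * item.exploit_impact)
    return max(raw - item.control_score, 0)


def treatment(item: RiskItem) -> str:
    """Report rule: accept when the fix costs more than the realised loss."""
    if item.fix_cost > item.loss_if_realised:
        return "accept"
    return "treat"


def prioritised_register(items):
    """Rank items by residual risk, highest first, with the decision taken."""
    ranked = sorted(items, key=residual_risk, reverse=True)
    return [(i.asset, residual_risk(i), treatment(i)) for i in ranked]


# Constructed register. The asset types follow the ones the report names
# for FuturePlus (donor database, student payments, portable devices used
# on visits, public website); every score and cost is illustrative.
REGISTER = [
    RiskItem("donor_database", 4, 3, 3, 5, 5, 300, 20_000.0, 150_000.0),
    RiskItem("student_payment_system", 3, 4, 2, 5, 4, 200, 15_000.0, 80_000.0),
    RiskItem("field_laptops", 3, 2, 2, 3, 3, 60, 5_000.0, 3_000.0),
    RiskItem("public_website", 2, 2, 3, 2, 2, 60, 2_000.0, 1_000.0),
]


if __name__ == "__main__":
    for asset, risk, decision in prioritised_register(REGISTER):
        print(f"{asset:24s} residual={risk:4d} decision={decision}")
```

The ranking makes the report's "rinse and repeat" point visible: re-scoring the register after a control changes moves assets up or down the list, so the register must be recomputed rather than kept static.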
Communication and awareness
All decisions made on the management of risk should be communicated within the organization (Ray, Harnoor and Hentea, 2010, pp. 276-285). This means that a more secure electronic medium should be identified and put into use as the mode of communication in the organization, to influence both positive and proactive change, just as FuturePlus has done. Formal communication capabilities should be implemented to ensure that all parties are successfully communicating with each other with the intention of supporting the information security risk management strategy.
Rinse and repeat
A treatment plan that needs continuous implementation of a control should always be monitored. This is because the system may change over time, which may cause the control to fracture.
To keep the FuturePlus information system free from security breaches, the organization should have a defined and more proficient information security risk management process. During the
development of the system, the business goals of the organization should never be forgotten. The
system will become a key benefit to FuturePlus if effective strategies are laid down. The
organization will be successful if it uses its information security risk management capabilities
during its decision-making processes. This implies that the true measure of the achievement of a
well-developed and well-implemented strategy is the purposes it consistently serves. If FuturePlus
fears information security risk management and attempts to avoid it, the organization's
information system will face security issues until such time as it views security management as
being of great significance.
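The risk treatment options discussed above (accepting a risk when fixing it would cost more than the risk being realized, avoiding it by withdrawing the exposed asset, communicating each decision, and revisiting decisions as the system changes) can be captured in a small decision record. The following is an added example, not code from the report or from FuturePlus; the risk names, likelihoods, costs and the exposure_removable flag are constructed sample data, and the 90-day review period and the rule that a removable exposure is avoided rather than costed are assumptions made for the example.

```python
"""Risk treatment decisions for a small risk register.

Added example, not from the report: it applies the report's rule that a risk is
accepted when the cost of fixing it exceeds the expected cost of the risk being
realized, and otherwise treated, and records each decision for communication and
later review. Risk names, figures and the exposure_removable flag are
constructed sample data, not FuturePlus data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Risk:
    name: str
    annual_likelihood: float   # probability the risk is realized within a year (0..1)
    impact_cost: float         # loss per occurrence, in currency units
    control_cost: float        # annual cost of the control that would fix the risk
    exposure_removable: bool   # assumption: the exposed asset can simply be withdrawn

    def expected_annual_loss(self) -> float:
        """Expected cost of the risk being realized over one year."""
        return self.annual_likelihood * self.impact_cost


@dataclass(frozen=True)
class Decision:
    risk: str
    treatment: str    # "avoid", "mitigate" or "accept"
    rationale: str    # what gets communicated to the rest of the organization
    review_due: date  # "rinse and repeat": when the decision is re-examined


def decide(risk: Risk, today: date, review_days: int = 90) -> Decision:
    """Choose a treatment for one risk using the report's cost comparison."""
    eal = risk.expected_annual_loss()
    due = today + timedelta(days=review_days)
    if risk.exposure_removable:
        # Avoidance: do away with what is exposed instead of paying to protect it.
        return Decision(risk.name, "avoid",
                        f"exposure can be removed outright (EAL {eal:.0f})", due)
    if risk.control_cost > eal:
        # Acceptance: fixing costs more than the risk is expected to cost.
        return Decision(risk.name, "accept",
                        f"control cost {risk.control_cost:.0f} exceeds EAL {eal:.0f}", due)
    # Mitigation: the control pays for itself; it must then be monitored.
    return Decision(risk.name, "mitigate",
                    f"EAL {eal:.0f} justifies control cost {risk.control_cost:.0f}", due)


def treatment_plan(risks, today: date) -> list:
    """Decide every risk in the register, in register order."""
    return [decide(r, today) for r in risks]


def overdue_reviews(plan, on: date) -> list:
    """Names of decisions whose review date has passed: the 'rinse and repeat' queue."""
    return [d.risk for d in plan if d.review_due < on]


# Constructed sample register and assessment date (not FuturePlus data).
SAMPLE_RISKS = [
    Risk("ransomware on file server", 0.20, 150_000, 12_000, False),
    Risk("legacy FTP share with customer data", 0.05, 20_000, 8_000, True),
    Risk("office printer outage", 0.50, 500, 2_000, False),
]
ASSESSMENT_DATE = date(2022, 10, 15)


def sample_plan() -> list:
    """Treatment plan for the constructed register."""
    return treatment_plan(SAMPLE_RISKS, ASSESSMENT_DATE)


if __name__ == "__main__":
    for d in sample_plan():
        print(f"{d.risk}: {d.treatment} ({d.rationale}); review by {d.review_due}")
```

Each Decision carries its own rationale so the same record serves the communication step; the review_due date is what makes the plan a loop rather than a one-off assessment, because controls that were justified at assessment time may no longer be once the system changes.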
Information security certification and accreditation
Information security certification and accreditation seem close but are in fact very distinct.
The two are related in that the former provides important information to the authorizing officials
so that they can make an informed decision. Certification involves a comprehensive evaluation of
the technical security policies of an information system, documenting their effectiveness in the
operational environment and recommending new controls to reduce vulnerabilities. It can be of
great significance to the FuturePlus organization since its results are later used to assess the risks
incurred by the system and then to strengthen system security.
Security accreditation, on the other hand, involves the acceptance and management of risk to
the agency and its assets. It is also the management's official decision to authorize the information
system to operate (Kissel, 2011, p. 43). When this happens, FuturePlus will be ready to face the
negative impacts of the documented risk level of the new system. System accreditation is possible
for as long as four years. It requires continuous monitoring to establish the effectiveness of the
security controls in the information system.
Both processes have guidelines through which they can be carried out to obtain more secure
systems for FuturePlus, in various ways such as creating reliable and trustworthy information,
encouraging a proper understanding of the risk to the agency, and providing consistent
assessments of security controls. It is the results of security certification that are used to
continuously assess risk at various levels, providing a sound basis for senior officials to make the
security accreditation decision (Humphreys, 2011, pp. 7-11). The interrelated processes require
four crucial phases, namely initiation, security certification, security accreditation and
continuous monitoring, each with its specific tasks carried out by responsible individuals, as
shown below.
Initiation
The main tasks performed here include preparation, identification of assets and the system
security plan, and acceptance and updates. FuturePlus must first ensure that its system is well
planned. The system description should include the name, unique identifier and status of the
information system. It should also include the identity of the local organization, contact details
of the information system management, the purposes and responsibilities of the information
system, its boundaries, functional needs, system experts, application software, network
connections and their guidelines, encryption techniques, and the physical environment in which
the FuturePlus system is intended to operate, among others. FuturePlus must have an adequate
security categorization, fully documented in the system security plan, for the system that will
store and transmit various kinds of information to multiple types of information system. Potential
threats that may expose flaws, and any detected vulnerabilities, should also be identified and
documented in the risk assessment plan (Talib, Khelifi and Ugurlu, 2012, pp. 3149-3153).
Vulnerabilities can be identified through document reviews, automated scanning tools capable
of finding them, audit reports or software, among other sources. Planned or implemented security
controls for FuturePlus are identified and documented. Any adjustments needed can also be
analyzed and recorded, after which the risk to agency operations or agency individuals is
included along with the ongoing or proposed effective security controls. Once all these steps are
done, the information system management ensures that notification and resource identification
are documented. The level of effort and resources required by FuturePlus is determined by the
authorizing official and depends on the nature of the information system. Security categorization
review, system plan analysis, update and acceptance are then confirmed at the final point of this
phase.
Security certification
This phase aims at verifying the implementation of the security controls within the
organization's system. It should also ensure that FuturePlus operates as expected and provides
the expected outcome with regard to its security needs. The actions or procedures taken to deal
with security deficiencies and vulnerabilities in the information system should also be elaborated
at this phase.
This stage has two main tasks: the security assessment of security controls and the security
certification process. The former prepares for, conducts and documents the results of the
assessment of the information system's security controls. This first task should begin by
assembling all the necessary supporting materials and documentation for the assessment of the
security controls by the certification agent (Windhorst and Sunyaev, 2013, pp. 412-417). The
agent has to develop methodologies for assessing the management, operational and technical
security controls of the system, which are then assessed in depth. A final security
assessment report, which contains the security assessment findings as well as recommendations
for eliminating the identified vulnerabilities in FuturePlus, is drafted by the agent.
The organization's IT management should then provide updates to the system security plan
along with any other improvements required in the information system. It then provides a plan of
action and milestones based on the analyzed outcomes. This should include the resources
required, the duties to be done and a schedule of completion dates for the milestones (Stewart,
Chapple and Gibson, 2012, p. 72). Finally, the information system owner is expected to finalize
the accreditation package and forward it to the relevant personnel. The package should contain
the security assessment report and results, the plan of action and milestones designed to correct
the vulnerabilities, and an updated security plan containing the final copy of the risk assessment.
Before proceeding to the next phase, the extent of implementation of the security controls should
be rated based on the assessment outcome, together with the specific actions planned to deal with
the identified deficiencies. When all this is done, the authorizing officials of FuturePlus will have
the mandate, based on the success of the whole process, to determine the risk to agency
operations and agency resources and to give the desired system security accreditation decision
(Raggad, 2010, p. 64).
Security accreditation
This involves the process of making and documenting the security accreditation decision. The
authorizing official makes the security accreditation decision by determining the agency risk and
its acceptance level based on the information system's vulnerabilities. A final security
accreditation letter is drafted indicating whether the information system owner at FuturePlus is
authorized to operate the system on a temporary basis under strict terms and conditions, or is not
authorized to operate it. The authorizing official then returns the accreditation package to the IT
management, who then update the
system security plan, which should contain an overview of the security requirements, the agreed
controls and supporting security-related documents such as risk assessments. FuturePlus will
have to ensure that it has an accrediting authority who will formally assume all the
responsibilities of operating the information system.
The accrediting authority will be accountable for any risk realized in the organization that is
associated with operation of the information system. He or she may also delegate operational
duties to trusted individuals. The system will need to be procured, integrated, modified and
maintained by an information system owner (Whitman and Mattord, 2012, p. 37). The owner
then decides who may access the information system, and receives the security assessment
results from the certification agent. The organization is also required to establish the information
system boundaries before conducting the initial risk assessments and developing the system
security plans.
Continuous monitoring
This is regarded as the post-accreditation period. Three duties are procedurally necessary at this
level: configuration management and control, monitoring of the security controls, and reporting
and documentation of the status of the information system. Configuration management and
control documents the changes to the information system and the impacts of proposed changes
on its security. This should be done in an orderly manner to protect the system. The information
system management should then analyze the changes, as proposed or as they happen, and
determine their security impacts on FuturePlus. It should then identify the security controls and
select those to be monitored on a regular basis. The selected controls are then assessed to ensure
that they are effective, and the results documented.
The system management should provide an update of the results of the documented changes
and the plans of action. These should report on the progress made, give briefs on
vulnerabilities and provide direction on how the vulnerabilities are to be addressed by system
managers. A status report on the information system is then sent to senior system management
and the authorizing officials. This phase provides ongoing oversight and thorough monitoring of
security policies within the system, in order to signal the authorizing personnel when changes
that may affect system security are expected to occur. These activities are done on a regular
basis until the end of the information system's life cycle. Going through this phase successfully
ensures that the information system is later operated with extensive management review, with
the intention of continuously monitoring the security controls and reaccrediting the system within
a fixed time interval as the operational environment of the FuturePlus organization changes.
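The continuous monitoring duties described above (configuration management and control, regular assessment of selected controls, and a status report that signals the authorizing official when a security-impacting change occurs) can be exercised with a configuration drift check against the accredited baseline. The following is an added example, not code from the report or from FuturePlus; the setting names, baseline values, snapshot, the mapping from settings to controls, and the choice of which settings escalate to the authorizing official are all constructed sample data, and treating a setting that cannot be verified as security-impacting is an assumption made for the example.

```python
"""Configuration drift check for the continuous monitoring phase.

Added example, not from the report: it compares the current configuration of a
system with the baseline recorded when the system was accredited, maps each
drifted setting to the security controls it supports, and builds the status
report that goes to system management and, for security-impacting changes, to
the authorizing official. Setting names, values and the control mapping are
constructed sample data, not FuturePlus data.
"""
from dataclasses import dataclass, field

# Constructed baseline captured at accreditation time (setting -> agreed value).
# Values are kept as strings because that is how they come out of config files.
ACCREDITED_BASELINE = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "db.tls_required": "yes",
    "audit.log_retention_days": "365",
    "firewall.default_inbound": "deny",
}

# Constructed mapping from each setting to the security controls it implements,
# so that drift is reported per control rather than only per setting.
SETTING_TO_CONTROLS = {
    "ssh.password_authentication": ["Access control"],
    "ssh.permit_root_login": ["Access control", "Least privilege"],
    "db.tls_required": ["Encryption in transit"],
    "audit.log_retention_days": ["Audit and accountability"],
    "firewall.default_inbound": ["Boundary protection"],
}

# Settings whose drift counts as a security-impacting change that must be
# signalled to the authorizing official, not only to system management.
ESCALATE_SETTINGS = {"ssh.permit_root_login", "firewall.default_inbound"}

# Constructed snapshot of the running system (not FuturePlus data).
CURRENT_SNAPSHOT = {
    "ssh.password_authentication": "yes",   # drifted
    "ssh.permit_root_login": "no",
    "db.tls_required": "yes",
    "audit.log_retention_days": "90",       # drifted
    # "firewall.default_inbound" is absent: the control cannot be verified
}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    observed: str       # "<not reported>" when the snapshot lacks the setting
    controls: tuple
    escalate: bool


@dataclass
class StatusReport:
    findings: list = field(default_factory=list)

    def controls_to_reassess(self) -> list:
        """Controls whose effectiveness must be re-assessed and documented."""
        return sorted({c for f in self.findings for c in f.controls})

    def requires_authorizing_official(self) -> bool:
        return any(f.escalate for f in self.findings)


def check_drift(baseline, observed, mapping, escalate_on) -> StatusReport:
    """Compare observed settings with the accredited baseline, one finding per drift."""
    report = StatusReport()
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual == expected:
            continue
        report.findings.append(Finding(
            setting=setting,
            expected=expected,
            observed="<not reported>" if actual is None else actual,
            controls=tuple(mapping.get(setting, ())),
            # Assumption: a setting that cannot be verified is treated as
            # security-impacting, since the control's status is unknown.
            escalate=(setting in escalate_on) or actual is None,
        ))
    return report


def render(report: StatusReport) -> str:
    """Plain-text status report for system management and the authorizing official."""
    lines = [f"{len(report.findings)} setting(s) differ from the accredited baseline"]
    for f in report.findings:
        flag = " [notify authorizing official]" if f.escalate else ""
        lines.append(f"- {f.setting}: expected {f.expected}, observed {f.observed}"
                     f" -> controls {', '.join(f.controls)}{flag}")
    lines.append("controls to re-assess: " + ", ".join(report.controls_to_reassess()))
    return "\n".join(lines)


def sample_report() -> StatusReport:
    """Drift report for the constructed snapshot against the constructed baseline."""
    return check_drift(ACCREDITED_BASELINE, CURRENT_SNAPSHOT,
                       SETTING_TO_CONTROLS, ESCALATE_SETTINGS)


if __name__ == "__main__":
    print(render(sample_report()))
```

The point of the setting-to-control mapping is that the assessment documented at the end of the phase is about controls, not individual settings: two drifted settings that support the same control produce one control to re-assess, and a single drifted setting that supports two controls flags both. Running the check on every change, or on a schedule, is what keeps the accreditation decision tied to the system as it actually is rather than as it was on the day the letter was signed.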
Conclusion
In summary, this document has presented a report on guidelines for implementing information
security at the FuturePlus organization. In doing so, we have discussed guidelines for ensuring
information security management. We have also looked at the guidelines for information security
certification and accreditation for the organization. Based on the analysis, it must be noted that
information security management is of fundamental relevance for the organization. Information
security assures trust, which is essential for every successful business.
References
Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an
empirical study of rationality-based beliefs and information security awareness. MIS
Quarterly, 34(3), pp. 523-548.
Da Veiga, A. and Eloff, J.H., 2010. A framework and assessment instrument for information
security culture. Computers & Security, 29(2), pp. 196-207.
Feng, N., Wang, H.J. and Li, M., 2014. A security risk analysis model for information systems:
Causal relationships of risk factors and vulnerability propagation analysis. Information
Sciences, 256, pp. 57-73.
Humphreys, E., 2011. Information security management system standards. Datenschutz und
Datensicherheit-DuD, 35(1), pp. 7-11.
Kissel, R. ed., 2011. Glossary of key information security terms, p. 43. Diane Publishing.
Paquette, S., Jaeger, P.T. and Wilson, S.C., 2010. Identifying the security risks associated with
governmental use of cloud computing. Government Information Quarterly, 27(3), pp. 245-253.
Peltier, T.R., 2010. Information security risk analysis. Auerbach Publications, pp. 8-12.
Poolsappasit, N., Dewri, R. and Ray, I., 2011. Dynamic security risk management using Bayesian
attack graphs. IEEE Transactions on Dependable and Secure Computing, 9(1), pp. 61-74.
Purdy, G., 2010. ISO 31000:2009—setting a new standard for risk management. Risk Analysis:
An International Journal, 30(6), pp. 881-886.
Raggad, B.G., 2010. Information security management: concepts and practice, p. 64. CRC
Press.
Ray, P.D., Harnoor, R. and Hentea, M., 2010, October. Smart power grid security: A unified risk
management approach. In 44th Annual 2010 IEEE International Carnahan Conference on
Security Technology (pp. 276-285). IEEE.
Spears, J.L. and Barki, H., 2010. User participation in information systems security risk
management. MIS Quarterly, pp. 503-522.
Stallings, W., Brown, L., Bauer, M.D. and Bhattacharjee, A.K., 2012. Computer security:
principles and practice (pp. 978). Upper Saddle River, NJ: Pearson Education.
Stewart, J.M., Chapple, M. and Gibson, D., 2012. CISSP: Certified Information Systems Security
Professional Study Guide, p. 72. John Wiley & Sons.
Takabi, H., Joshi, J.B. and Ahn, G.J., 2010. Security and privacy challenges in cloud computing
environments. IEEE Security & Privacy, 8(6), pp. 24-31.
Talib, M.A., Khelifi, A. and Ugurlu, T., 2012, October. Using ISO 27001 in teaching
information security. In IECON 2012 - 38th Annual Conference on IEEE Industrial Electronics
Society (pp. 3149-3153). IEEE.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber
security. Computers & Security, 38, pp. 97-102.
Whitman, M.E. and Mattord, H.J., 2012. Roadmap to information security: For IT and infosec
managers, p. 37. Cengage Learning.
Whitman, M.E. and Mattord, H.J., 2013. Management of information security, p. 13. Nelson
Education.
Windhorst, I. and Sunyaev, A., 2013, September. Dynamic certification of cloud services.
In 2013 International Conference on Availability, Reliability and Security (pp. 412-417). IEEE.
Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL
and ANP for information security risk control assessment. Information Sciences, 232, pp. 482-500.