Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Information Security: Risks and Mitigation

Verified

Added on 2020/04/07

AI Summary

This assignment delves into the critical concepts of information security by examining the interconnectedness of risks, vulnerabilities, threats, and assets. Students are expected to demonstrate a comprehensive understanding of these elements and how they contribute to the overall security posture of an organization. The assignment requires a clear analysis of potential threats, identification of system vulnerabilities, and evaluation of valuable assets that need protection. Furthermore, it emphasizes the importance of implementing effective mitigation strategies to minimize risks and safeguard sensitive information.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: IS SECURITY AND RISK MANAGEMENT
IS Security and Risk Management
Student Name
Institution

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

IS SECURITY AND RISK MANAGEMENT 2
Information system security and Risk Management at Hewlett-Packard Manufacturing
Company
Introduction
Information System has become a very important infrastructure in any company across
the world. The survival of most companies today is based on the security of their information
system. However, there has never been an integrated model that has the capacity to access the
possible security risks and effectively protect the information as well as the assets. Information
systems such as emails, messengers, e-commerce, chatting, and m-commerce via the internet, are
increasingly exposed to cyber security accidents (Bagchi, 2017). In order to ensure effective
performance of any information System, a company must invest in securing the system. In
addition, a proper risk management system must be put in place. This can only be done through
the employment of several distinct measures. It is indisputable that there is a continued need to
secure information systems (IS) (Anton, Anderson, Mesic, & Scheier, 2004).
There have been increased incidences of IS security and risks (Kaschek, Kop, & Claudia,
2008). Information system security and risk management require continuous assessment of any
risk that may be exposed to the system. Discovery of any risk should be prevented within the
shortest time possible. The major component of Information system security is risk management
process (Pfleeger & Pfleeger, 2012). The process should be incorporated alongside risk
assessment. The process of risk management should be done through the installation of
preventive measures of future security problems to the system. SI risk assessment practice is in
compliance with the security standards that have been set by HIPAA as well as CEISP. Risk
assessment enables organizations to determine risk levels that are acceptable to them. They are
then able to set appropriate security requirements.

IS SECURITY AND RISK MANAGEMENT 3
Investigation, tools, and techniques
According to Information System (IS) security experts, one of the main techniques of risk
management process is a risk assessment. The assessment should be done by professionals who
are well trained and can easily identify risks in the information system before the system
becomes vulnerable. Risk management refers to continuous a process that involves analysis,
planning, monitoring and implementation of security measures of an information system
(Kovacich, 2003). The process has since become a policy in most organizations across the world.
Risk assessment which is a type of risk management process is executed in an interval of time. It
can be done on yearly basis or on demand, based on the security requirement of the given
Information System. It is important to note that risk management is a process that entails a
sequence of events and activities.
There are structuring and re-configuration processes that are involved in risk
management. Organizations often tend to generate instantiations that are favorable to them. It is
necessary to conduct an assessment of an organization’s IS the security controls from time to
time. However, the continuous assessment cannot fully secure an information system (Tipton &
Nozaki, 2012). A fully secure system demands for continuous monitoring of the system. A
development life cycle of the system should also be put in place to monitor the effectiveness of
the system over time. One technique that Hewlett-Packard Company uses for securing the system
is through continued monitoring of the systems security details. In addition, all the changes that
are made to the system are documented so that there is a reference whenever there is a security

IS SECURITY AND RISK MANAGEMENT 4
threat to the system. Reference can also be made when a risk is discovered in the information
system (Jones & Ashenden, 2005).
Based on the result of security assessment report, remediation actions would be
conducted at a later stage. The final security status is reported to the officials who are in charge
of the system. HP company management has made effort and ensured that there is periodic
review of the information system’s security status. The security techniques are based on the
guidance of NIST SP800-37. The company has come up with their own approaches that they use
in managing their information systems and the possible changes that may be associated with
them. Responsibilities of an owner of the information system would be greatly reduced if
configuration management is done so that there is only one common security control. However,
HP is a multinational company and has the financial capacity to employ enough personnel who
can effectively manage their systems. In addition, Hewlett-Packard’s information system
administrators have accorded priority to volatile security controls in the system since they have a
greater impact in any organization (Alberts & Dorofee, 2002).
Risk analysis matrix and control
It is almost impossible to develop an integrated security model that can be used to
address all the risks associated with an information system (Bidgoli, 2016). The proposed risk
analysis matrix is through adaptation of software risk management. One of the attributes of
software quality is the software itself. The security risk should, therefore, be investigated in
terms of the software risk. Security risk refers to the damage or attacks that are made towards an
information system. According to the risk analysis matrix, damages that are made on the assets
of any organization as a result of cybersecurity can be categorized according to the vulnerability
and threats to the assets.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

IS SECURITY AND RISK MANAGEMENT 5
The security analysis matrix shows four steps involved in the security risk analysis. In the
first step, assets, vulnerabilities, and threats of a given organization are identified. They are then
evaluated.
The resultant outputs are finally used to carry out security risk analysis. Finally, risk
mitigation measures are put in place to reduce, and where possible eliminate threats that the
assets may be exposed to. The mitigation measures, therefore, play a very crucial role in
minimizing security risks. Domain analysis which is the first step of customizing security risk
analysis is meant to improve the accuracy of the model. The threats, assets, and vulnerabilities
are therefore analyzed based on their domains (Kramer, 2013). For example, information
systems of a financial institution are completely different from those of a financial institution or
a learning institution. The analysis that follows is that of classification of the assets, vulnerability
and the threats. Assets can be classified as data, documents, software, hardware, and
Vulnerability Threats Assets
Risk

IS SECURITY AND RISK MANAGEMENT 6
circumstances. Threats may be classified as human or non-human, network or physical,
accidental or deliberate and technical or environmental (Dacey, 2010). The vulnerability may
also be classified based on administration, personnel, physical circumstances, technical
hardware, and software. Based on these arguments, the product of loss or damage and the
probability is equal to security risk (Dacey, 2010).
Loss x probability = Risk
The risk in this scenario is the reduction in value of an asset when the asset becomes vulnerable.
Probability refers to the chance of occurrence of a threat.
Security risk matrix
Likelihood of risk
Extremely high Medium Generally low
Risk impact
High Failure to secure
the password to
the company’s
server
Failure to audit
the company’s
information
system
Missing security
indicators on the
server
Moderate Failure to secure
the company’s
wireless internet
from unauthorized
use
Usage of un-
updated antivirus
and firewalls
Failure to back
up the
company’s
external servers
Low Failure to
frequently
change the
password to the
server
Failure to secure
the server’s
backup
Provision of
weak passwords
to third parties

IS SECURITY AND RISK MANAGEMENT 7
Analysis of relevant threats and vulnerabilities
The first step of any analysis of threats and vulnerabilities is the identification of threats
that could expose vulnerabilities of an information system. The identification can be done
through consideration of the connections and dependencies of the system. In addition, inherited
risks, software faults, controls, incorrect file permissions and personal changes must also be
closely monitored. Possible vulnerabilities that are associated with every threat are then
considered. There is the possibility of a vulnerability being associated with a series of threats if
not just one threat. Inputs are then collected from past risk assessments, security advisories,
security test results, audits among many others.
Disaster Recovery (DR) plan
The success of any disaster recovery plan is determined by how well the design is. It is,
therefore, necessary to ensure efficient operations during disaster recovery (Kim & Solomon,
2016). The recovery should start with a strong defense that provides border protection. The
defense should be provided by an external firewall that borders the services of VPN and the
router (Velliquette, 2004). Hewlett-Packard has installed an external firewall to their VPN and
all their routers. All the three have configurations that have the capacity to transverse all the
boundaries of the organization or company (Swanson, 2011). Firewall is the main component of
the security infrastructure of any information system. Computer security network should
incorporate firewall that incorporates hardware specifications as well as software specifications.
Issues of redundancy and physical security should also be taken into account. There should then
be an approach plan for fulfilling the primary needs of the organization or company in the course

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

IS SECURITY AND RISK MANAGEMENT 8
of disaster recovery (Velliquette, 2004). Meanwhile, the management of the company should
certain their prioritized services so as to secure their systems further.
In addition, companies should sign against the limited functionalities during disaster
recovery (Velliquette, 2004). The management of HP has equally made that as a rule to be
followed by its staff in charge of information system management. Any recovery approach that
has been agreed upon should be configured with the perimeter defense such that the perimeter
defense would automatically shift to the state of pre-disaster just before any normal operation.
The current policy of the company should be considered during the development of the firewall
contingency plan. Security modules such as A CERT can be used to test the disaster policy of
many firewalls. A method should be implemented to monitor traffic that moves from pre-disaster
state to post-disaster state. The method can be tested with the use of relevant data from the very
company. A border router that has packet filtering can be used in non-application type of
vulnerabilities.
Proposal for a contingency plan
Information System plays a very important role in the world today. It should, therefore,
be in a position to operate without any disruption (Khosrowpour, 1996). A contingency plan is
intended to set back the system back into operation whenever there is a disruption. Most of the
disruptions are as a result of security risks. The plan simply revolves the acronym of the system
and then sets the information system back into operation. A robust contingency plan should
incorporate ISCOs and other disaster recovery plans (Kovacich, 2003). Hewlett-Packard
company has recovery disaster plans which is in accordance with International security
management Acts. The company has incorporated a disaster recovery that can be used to retrieve
its information system’s acronym in the event of any disruption

IS SECURITY AND RISK MANAGEMENT 9
An established plan that consists of the recovery phase, activation phase, and
reconstitution phase should be maximized (Kovacich, 2003). Thereafter, resources and
procedures should be identified. They would assist in maximizing the effectiveness of the
operation. Responsibilities should be assigned to facility personnel. They would provide further
advice that would be of great benefit in the recovery process. Finally, there should be
cooperation among all the persons who are involved in the Contingency planning (Swanson,
2011). There should also be a coordination of external points and associated vendors.
Furthermore, the owners of an Information system must support the development of a proper
ISCPs. The developed ISCOs would be meant for those Information Systems that are ranked
much higher. Hewlett-Packard, being a renowned world leading electronics company, the
company management has taken all these measures in securing and managing their information
systems.
Analysis and report on Controls
How tools are used in the organization with reference to OSI layers
The very first step that should be considered when securing information is the elimination
of any information leakage. The information resources should never be compromised at any cost.
The physical layer of OSI model explains that obvious things should never be considered as
being obvious. In many occasions, technologists have failed to realize that simple measures are
equally very important in life (Pace, 2004). Hewlett-Packard Company for an instant has put in
place stringent measures to secure leakage of information from the company. Simply obtaining a
clue of a resource is enough to declare it as one that has been compromised. There should a
proper plan for recovering information in the event that the information data is compromised. A
good recovery plan is judged based on its success in the event that information resource has been

IS SECURITY AND RISK MANAGEMENT 10
compromised. There are some harmful tools towards OSI model. However, the problem can be
eliminated through an analysis. The network layer of an OSI model is where routers and
firewalls operate. The layer provides the best path that links a destination to the source.
It is also within the layer that IP addresses are provided so that variables or systems can
be uniquely identified. A system that is connected to the internet has an IP address. The address
provides a way such that there is contact between the outside world and the system. In order to
find a system on the internet, it is a requirement that one has to know the specific public IP
address of the system. The same applies to applications. Security of the system is therefore
increased through the configuration of the IP addresses such that one cannot easily compromise.
Just like other world leading companies, Hewlett-Packard Company has configured their IP
address. In addition, they have encrypted all their services to further enhance the security of their
information system. The encryption service symbolizes the presentation layer of OSI layer. The
technique scrambles all the available content. Encryption provides a sophisticated special code.
One must, therefore, reveal the code before he or she can access the system. The application
layer of OSI points towards applications that are based on end-user products. The layer supports
authentication and use of other applications (Pace, 2004). The commonly used authentication at
the level is a password which is assigned to a unique ID.
An individual must key in the unique ID alongside a password in order to access
information data. Failure to present the unique ID and a correct password mean that the
individual would not have access to the system. It, therefore, reinforces the security of the system
since it eliminates people who are not supposed to access the system. An account can be
redesigned so that it adheres to a policy. For example, it can specify the length of the password, a
combination of letters, digits and or even special characters. The duration over which one can

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

IS SECURITY AND RISK MANAGEMENT 11
use a password can equally be altered. Such move would simply increase the security level of the
system network (Pace, 2004).
Organizational units covered by the security policy
The information system has security policies that must be observed in every company. At
Hewlett-Packard Company, there are users who have been assigned appropriate policy rights.
The users are the only ones who are able to modify the security policy of the company. If a new
computer if brought into the company domain, then the security policy of the domain would
apply to the new computer (Brotby, 2009). The policy of the domain overrides any change that
an individual may make to the system at the level of computer desktop (Syngress, 2003).
Security policy is a preserve of computers. There are also security groups which are in use in the
company by many employees.
Security policy enables an individual to apply a given security profile to several
computers that are meant to be secured. On the other hand, security group provides standardized
rights that are to be adhered to by all the members of a given group. Organizational units can be
regrouped to form logical units that are to be used by the users, resource objects and groups as
well. The adjustment is always done through a hierarchy which is nested within a domain
(Johnson, 2014). Organizational units that are based on a given domain operate independently.
Every domain, therefore, has the capacity to fulfill the demands of its own hierarchy. Similarly,
domains that are coordinated from one central authority can employ common organizational unit
hierarchies.
Business Contingency Plan (BCP) based on the risk plan
It is sound superfluous for a company to plan for disaster when all its systems are
smoothly functioning. Despite that, some degree of care must be undertaken. Hewlett-Packard

IS SECURITY AND RISK MANAGEMENT 12
Company uses logic manage and cloud based tools as its business continuity tools. The tools are
able to retrofit all the company’s data in case of disaster and then load it back to the system. All
gaps would hence be eliminated. The business continuity plan hence foster confidence among the
managers of the company’s information system. In addition it increases their efficiency and
encourages them to embrace innovation.
Best practices in security risk management
Best practices are necessary for ensuring that the information system of a company is
completely secured. Some of the best practices include;
(i) Expertise should be considered when choosing the individuals in charge of
managing the company’s information system. The chosen personnel should avoid
access to the company’s security controls. The individuals should also have been
certified by international associations in charge of privacy such as CIPM or CIPP
among others (Brotby, 2009).
(ii) Business associates of the company must adhere to security and privacy
requirements of the same level. They must also comply with HIPAA
(iii) The management of information system of the company must regularly provide
an audit report of the system and recommendations. The report should be detailed
detailing all possible vulnerabilities.
Conclusion
Effectiveness in the performance of a given information system is based on its
management. There are several security risks that Information systems are exposed to. Managers
of organizations and companies must, therefore, invest in securing the information systems. A

IS SECURITY AND RISK MANAGEMENT 13
completely secure system is free from threats and vulnerabilities. There is no process that has the
capacity to shield an information system from all possible security risks. As such, every
organization must employ a contingency plan. In addition, there must be a recovery plan that can
be used in case the information system is attacked.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

IS SECURITY AND RISK MANAGEMENT 14
References
Alberts, C. J., & Dorofee, A. J. (2002). Managing Information Security Risks: The OCTAVE
Approach. Addison-Wesley Professional.
Anton, P. S., Anderson, R. H., Mesic, R., & Scheier, M. (2004). Finding and Fixing
Vulnerabilities in Information Systems: The Vulnerability Assessment and Mitigation
Methodology. Rand Corporation.
Bagchi, N. (2017). Management Information Systems. Vikas Publishing House,
Bidgoli, H. (2016). Handbook of Information Security, Threats, Vulnerabilities, Prevention,
Detection, and Management. John Wiley & Sons.
Brotby, K. (2009). Information Security Governance: A Practical Development and
Implementation Approach. John Wiley & Sons.
Dacey, R. F. (2010). Federal Information System Controls Audit Manual (FISCAM). DIANE
Publishing.
Johnson, R. (2014). Security Policies and Implementation Issues. Jones & Bartlett Publishers.
Jones, A., & Ashenden, D. (2005). Risk Management for Computer Security: Protecting Your
Network and Information Assets. London, UK: Butterworth-Heinemann.
Kaschek, R., Kop, C., & Claudia, S. (2008). Information Systems and e-Business Technologies:
2nd International United Information Systems Conference, UNISCON 2008, Klagenfurt,
Austria, April 22-25, 2008, Proceedings. New York: Springer Science & Business Media.

IS SECURITY AND RISK MANAGEMENT 15
Khosrowpour, M. (1996). Information Technology Management and Organizational
Innovations: Proceedings of the 1996 Information Resources Management Association
International Conference, Washington. Idea Group Inc (IGI),.
Kim, D., & Solomon, M. G. (2016). Fundamentals of Information Systems Security. Jones &
Bartlett Publishers.
Kovacich, G. L. (2003). The Information Systems Security Officer's Guide: Establishing and
Managing an Information Protection Program. Butterworth-Heinemann.
Kramer, J. (2013). The CISA Prep Guide: Mastering the Certified Information Systems Auditor
Exam. John Wiley & Sons.
Pace, K. A. (2004). Global Information Assurance Certification Paper. SANS Institute.
Pfleeger, C. P., & Pfleeger, S. L. (2012). Analyzing Computer Security: A
Threat/vulnerability/countermeasure Approach. Chicago: Prentice Hall Professional.
Swanson. (2011). Contingency Planning Guide for Federal Information Systems. DIANE
Publishing.
Syngress. (2003). MCSA/MCSE Implementing, Managing and Maintaining a Microsoft Windows
Server 2003 Network Infrastructure (Exam 70-291): Study Guide and DVD Training
System. Syngress.
Tipton, H. F., & Nozaki, M. K. (2012). Information Security Management Handbook, Sixth
Edition, Volume 6. CRC Press.

IS SECURITY AND RISK MANAGEMENT 16
Velliquette, D. (2004). Computer Security Considerations in Disaster Recovery
Planning.Retrieved from
https://www.sans.org/reading-room/whitepapers/recovery/computer-security-
considerations-disaster-recovery-planning-1512. GIAC Security Essentials Certification.
Wilshusen, G. C. (2009). Information Security: Cyber Threats and Vulnerabilities Place Federal
Systems at Risk: Congressional Testimony. DIANE Publishing.

1 out of 16

+13062052269

info@desklib.com

Information Security: Risks and Mitigation

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

Risk Management in Cloud Data Security: Overview, Preventions, and Lessons Learnt from Uber Data Breach

Information Technology and Risk Assessment Report

Cybersecurity Protection Measures

Cyber Security Measures and Data Protection

Risk Management Plan - Assignment Sample

Cybersecurity Threats and Mitigation Strategies