Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Principles of Information Security

Verified

Added on 2023/06/11

AI Summary

The report suggests an execution plan to deploy an information security model and demonstrates a strategic analysis to implement the policy for the given company. It also evaluates attack trees to secure data against destruction and losses. The report includes policy statements, strategic and execution plans, and an attack tree diagram. The subject is Information Security and the course code is not mentioned. The course name and university are also not mentioned.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: PRINCIPLES OF INFORMATION SECURITY
Principles of Information Security
Name of the student:
Name of the university:
Author Note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1PRINCIPLES OF INFORMATION SECURITY
Executive summary
The following report suggests an execution plan to deploy an information security model. It has also
demonstrated a strategic analysis to implement the policy for the given company. An Attack Tree
has been shown to secure data against destruction and losses. Further, from the diagram, two of the
attacks are discussed.

2PRINCIPLES OF INFORMATION SECURITY
Table of Contents
1. Introduction:......................................................................................................................................3
2. Analyzing the Information Security Foundation:..............................................................................3
2.1. Selecting the sub-domain and area of controls from SOGP 2011:.............................................3
2.2. Policy statements for capturing the above controls:...................................................................4
2.3. Strategic and execution plans to deploy the policies for an organization:.................................4
3. Evaluation of Attack Trees:...............................................................................................................6
4. Conclusion:........................................................................................................................................9
5. References:......................................................................................................................................10
6. Appendix:........................................................................................................................................13

3PRINCIPLES OF INFORMATION SECURITY
1. Introduction:
The information security model supports organizations to design the approach to address
information security. Attack trees, on the other hand, are used to understand vulnerabilities and
security risks.
The report has selected the sector of controls from SOGP 2011. Here, policy statements are
developed for capturing above chosen controls. An execution and strategic plan are suggested here
for deploying the policy for the organization.
Further, an attack tree is drawn here for securing data against destruction and stealing. Here
two possible attacks are explained from the depicted Attack Tree.
2. Analyzing the Information Security Foundation:
The Information Security Foundation has created Standards of Good Practice or SOGP. The
model of Information Security has been supporting various companies to design the approach
towards the denoting information security and provide the basis to identify the primary aspects of
programs of information security (Safa, Von Solms & Furnell, 2016). Moreover, it has been
providing insights and various practices if tools and standards are addressing every issue of the
model to aid the business. This is to enhance the environment of information security.
2.1. Selecting the sub-domain and area of controls from SOGP 2011:
SOGP 2011 helps to identify, manage, record and analyze the threats or incidents of
securities in real-time. This has been seeking to provide the comprehensive and robust view of
security issues under IT infrastructure. This has been ranging from identifying active threats to
attempted intrusion and successful compromise or various data breaches (Moody, Siponen &

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4PRINCIPLES OF INFORMATION SECURITY
Pahnila, 2018). The unauthorized access and policy violations to data like socials security numbers,
financial, health and personally recognizable records the instances of security incidents. For the
current task two sub-domains are selected. They are as follows.
 Security Awareness Messages
 Security Education / Training
2.2. Policy statements for capturing the above controls:
Policy statements Principles Objectives
Security Awareness
Messages
Here, the systems and
individuals of the organization must be
tailored and proper security messages
should be communicated with them
regularly
This is meant to make
the people aware of needs and
necessities for data security
regularly and control security-
positive culture across the
company.
Security Education /
Training
The staff must be trained and
educated to run systems properly. This
must also include the development and
application of information security
controls
The staffs are to be
provided with skills for
protecting systems and fulfill
the roles of information
security.
2.3. Strategic and execution plans to deploy the policies for an organization:
Security Awareness Messages:
The communications of security awareness has been including primary messages. This must
include definition of information life-cycle. Instances of this include destruction, transmission,
storages, processing and creation. This must also include risks to handle of various formats of data at

5PRINCIPLES OF INFORMATION SECURITY
various stages of the lifecycle. Further differences of various crucial data that requires integrity and
availability must only be disclosed to different authorized individuals (Jouini & Rabai 2016). Apart
from this threats related to users and the technologies and physical locations are included here. This
also comprises of leakage of information, attacks of social engineering and corrupting of
applications of information in desktop. Different behaviors and actions needed for users to address
those threats has included rules of using blogging and social networking sites and becoming of social
engineering attacks is a motive in this strategy.
Security Education / Training:
The training and education must be providing business users having skills required to be used
correctly. The business applications have included enterprise software, commercial-off-shelf
software and various desktop applications. The computer equipments and special necessities must
include scanning devices, bar code readers, data capture appliances and monitoring tools. This must
also include conferencing and telephony tools including videoconference and teleconference
facilities along with online web-based collaboration (Andress, 2014).
The training and education to be provided to business users with skills require applying
information security controls related to protecting. This has also included protection and creation of
electronic files, classification and labeling data, eradicating unnecessary metadata from electronic
documents, deleting unneeded information as not needed and separating personal data and business
data. Various business applications like using templates apart from current documents for creating
electronic documents and using validation routines to develop application related to spread-sheet are
also included here. This has also included equipments and various access control mechanisms. This
is also helpful to understand business environment, run projects that are security related, make
communication effectively and undergo specialist security activities.

6PRINCIPLES OF INFORMATION SECURITY
3. Evaluation of Attack Trees:
Attack Trees are useful in understanding the security risk and vulnerabilities. Attack Tree is
the graphical representation of possible security attacks. Assuming that you are designing your
security infrastructure, draw the Attack Tree for securing your data against both stealing and
destruction. Briefly explain two possible attacks you have depicted in your Attack Tree. The
following diagram of Attack Tree provides a methodical process to describe the system security,
from varying attacks (Al-Anzi, Yadav & Soni, 2014). Here, one primarily represents attacks against
the system under a tree structure having their goals as the root node and various ways to achieve
goals as the leaf nodes.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7PRINCIPLES OF INFORMATION SECURITY
Figure 1: “Attack model to understand information security as virus attacks a file”
(Source: Chechulin & Kotenko, 2015, page no: 701-704)
In the above tree diagram, two distinct attacks are identified. The first one is the risk the virus
has been running as the administrator. Under this two circumstances can take place. The virus can
exploit the root hole, or an admin can run this. As an administrator executes the virus, it can infect
various programs. Besides, it can affect the install package. Apart from this the admin can download
and run the infected coding (Shameli-Sendi, Aghababaei-Barzegar & Cheriet, 2016).
The virus can block the rights of administrators, managing user accounts, disabling system
restores and different kinds of misconfigurations and many more. For this reason, the antivirus
becomes unable to run. This can happen in safe mode also. Moreover, the DDS utility cannot even
be run. Here, the pop-ups can be absent. However, one can switch from guest account, and here all
the changes get ignored or get denied. For this various symptoms can be there. The multiple
windows services, internet sharing firewall security essentials, resorting of system and windows

8PRINCIPLES OF INFORMATION SECURITY
update can stop working. This can be seen as the user account is the only administrator account no
more widespread access to administrative service is found (Shropshire, Warkentin & Sharma, 2015).
Moreover, the users become unable to download the files through internet browsers such as Firefox,
Chrome, IE10. Here the virus check fails and then the file gets deleted. More the signing in option
gets been unable to online accounts into YouTube, webmail, Facebook, Twitter. Moreover, the
cookies are not accepted. The Google Chrome has been detecting malware and suggesting cleaning
with essentials of Microsoft security (Kim, Yang & Park, 2014). Besides, one cannot burn their
DVD error messages, and the windows might be unable to get completely formatted.
However, the solutions tried are through scanning of a virus with Malwarebytes, Kaspersky
and AVG antivirus that never avail. Each of them has been detecting and finding issues that are
discussed above. Besides, the RDSSkiller scanned and seemed fixed cookies that are issued
currently. Apart from this, the system restore has always been failing to replace those files
(Gadyatskaya et al., 2016).
Secondly, as the virus is run as a regular user, it can be included in various infected programs
and the user downloads and executes the infected open binary. As any bug occurs, in operating
system and browser this kind of incident to takes place. Here the vulnerabilities never allow any
non-admin processes for gaining rights of an admin (Pieters & Davarynejad, 2015). This is also
assumed that the browser is a complicated part and not obtaining any reasons for the admin.
Moreover, here the only right for the user has been for the user running the browser.
Further, as the user never root that in more profound, they might tick people through
bypassing User Account Control or UAC or can use various exploits enabling them to break out of
the attack vector of choice like OS, Java or Flash vulnerability (Chechulin & Kotenko, 2015). This is
to run the shellcode having admin rights. Besides, a buffer overflow might also take place or any

9PRINCIPLES OF INFORMATION SECURITY
stick spray to run codes with system rights. It might be noted that the vulnerable code has been
needed to run as system or service, admin and is merely possessing a vulnerability that never has any
end run across the security.
4. Conclusion:
The business contract of the given organization has possessed confidential information clause
inserted to secure data. This is deemed to be sensitive and proprietary from any disclosure to third
parties, which are unauthorised. The above report demonstrated the way in which information
security can be laid out. It has addressed the complexities of securities. The study helps in
encouraging a balance between business and protection. The attack tree illustrated and described
provides the communication mechanism for analyzing security.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10PRINCIPLES OF INFORMATION SECURITY
5. References:
Al-Anzi, F. S., Yadav, S. K., & Soni, J. (2014, September). Cloud computing: Security model
comprising governance, risk management and compliance. In Data Mining and Intelligent
Computing (ICDMIC), 2014 International Conference on (pp. 1-6). IEEE.
Andress, J. (2014). The basics of information security: understanding the fundamentals of InfoSec
in theory and practice. Syngress.
Chechulin, A. A., & Kotenko, I. V. (2015). Attack tree-based approach for real-time security event
processing. Automatic Control and Computer Sciences, 49(8), 701-704.
de Gusmão, A. P. H., e Silva, L. C., Silva, M. M., Poleto, T., & Costa, A. P. C. S. (2016).
Information security risk analysis model using fuzzy decision theory. International Journal
of Information Management, 36(1), 25-34.
Gadyatskaya, O., Jhawar, R., Kordy, P., Lounis, K., Mauw, S., & Trujillo-Rasua, R. (2016,
August). Attack trees for practical security assessment: ranking of attack scenarios with
ADTool 2.0. In International Conference on Quantitative Evaluation of Systems (pp. 159-
162). Springer, Cham.
Hong, J. B., & Kim, D. S. (2016). Assessing the effectiveness of moving target defenses using
security models. IEEE Transactions on Dependable and Secure Computing, (1), 1-1.
Hu, J., & Vasilakos, A. V. (2016). Energy big data analytics and security: challenges and
opportunities. IEEE Transactions on Smart Grid, 7(5), 2423-2436.
Jouini, M., & Rabai, L. B. A. (2016). Comparative Study of Information Security Risk Assessment
Models for Cloud Computing systems. Procedia Computer Science, 83, 1084-1089.

11PRINCIPLES OF INFORMATION SECURITY
Kim, S. H., Yang, K. H., & Park, S. (2014). An integrative behavioral model of information
security policy compliance. The Scientific World Journal, 2014.
Law, Y. W., Alpcan, T., & Palaniswami, M. (2015). Security games for risk minimization in
automatic generation control. IEEE Transactions on Power Systems, 30(1), 223-232.
McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., & Pattinson, M. (2017).
Individual differences and information security awareness. Computers in Human
Behavior, 69, 151-156.
Moody, G. D., Siponen, M., & Pahnila, S. (2018). TOWARD A UNIFIED MODEL OF
INFORMATION SECURITY POLICY COMPLIANCE. MIS Quarterly, 42(1).
Pieters, W., & Davarynejad, M. (2015). Calculating adversarial risk from attack trees: Control
strength and probabilistic attackers. In Data Privacy Management, Autonomous
Spontaneous Security, and Security Assurance (pp. 201-215). Springer, Cham.
Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015).
Information security conscious care behaviour formation in organizations. Computers &
Security, 53, 65-78.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in
organizations. Computers & Security, 56, 70-82.
Shameli-Sendi, A., Aghababaei-Barzegar, R., & Cheriet, M. (2016). Taxonomy of information
security risk assessment (ISRA). Computers & security, 57, 14-30.

12PRINCIPLES OF INFORMATION SECURITY
Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes, and intentions:
Predicting initial adoption of information security behavior. Computers & Security, 49, 177-
191.
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information
security policies: An exploratory field study. Information & management, 51(2), 217-224.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13PRINCIPLES OF INFORMATION SECURITY
6. Appendix:
Figure 2: “Information security model”
(Source: Siponen, Mahmood & Pahnila, 2014, page no: 2017-227)

1 out of 14

+13062052269

info@desklib.com

Principles of Information Security

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

Importance of Standard of Good Practice for Information Security in Organizations

Security Management and Governance (Power AI /PAI)

Advanced Network Security : PDF

DIGITAL FORENSICS - IFN643 Assignment 2 Executive Summary Packet Filtering

Security Requirements and Assessment Testing for Banking Application

Cloud Computing: Security Threats and Preventive Methods