Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Information Security Policy Compliance

Verified

Added on 2020/05/16

AI Summary

This assignment examines the crucial topic of information security policy compliance within organizations. It explores various theoretical frameworks, such as motivation theory and social influence, that shed light on why individuals adhere to or deviate from established policies. The assignment also analyzes empirical studies and proposes a comprehensive model for understanding and improving policy compliance. Practical implications and strategies for enhancing organizational cybersecurity are discussed.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: INFORMATION SECURITY MANAGEMENT
Information Security Management
Name of the Student
Name of the University
Author Note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1
INFORMATION SECURITY MANAGEMENT
Executive Summary
The purpose of this report is to identify and develop proper guidelines for A4A for managing the
information security risks of the organization. The report discusses the need of A4A in adopting
risk mitigation process for preventing unauthorized circulation of the academy’s information
resources and its use. The report further identifies the information security risks the company is
exposed to and suggests different guidelines, adherence to which might help A4A in managing
the identified security risks of the organization. The set guidelines are expected to prevent the
unauthorized use and access of the academy’s resources and aims at eliminating the risks
associated with the information assets. The report concludes with the assumptions that have been
considered while developing the guidelines for information security risks present within A4A.

2
INFORMATION SECURITY MANAGEMENT
Table of Contents
1. Introduction......................................................................................................................3
1.1. Organizational Context.............................................................................................3
1.2. Objective...................................................................................................................3
1.3. Report Outline..........................................................................................................4
2. Discussion........................................................................................................................4
2.1. Information Security Assets.....................................................................................4
2.2. Risk Identification....................................................................................................6
2.3. Risk Assessment.....................................................................................................10
2.4. Risk Management...................................................................................................11
3. Assumptions..................................................................................................................13
4. Conclusion.....................................................................................................................14
References..........................................................................................................................15

3
INFORMATION SECURITY MANAGEMENT
1. Introduction
1.1. Organizational Context
Academics for Academics is a non-governmental organization or NGO, operating in its
head office in Sydney with a branch in Singapore. All the projects of Academics for Academics
(A4A) are funded from the public donations. The team of A4A consists of 10 staff members.
This organization was established with an aim of helping the small public and private
universities in Australia and south East Asia. The schools and colleges registered under A4A can
only access the data and information produced by A4A. The organization has no proper policy
and guidelines for protecting the resources of the company. The report identifies the different
types of risks associated with resources of A4A and suggests some major guidelines that will
help in management of the information security risks associated with the resources of the
organization. The report develops proper guidelines that will prevent the unauthorized usage of
the information resources of the organization by insider or outsider threat. The report aims at
development of an issue specific security policy that will prevent the unauthorized use and
circulation of the study materials and information technology resources of academics for
academics (Höne and Eloff 2002). Issue specific privacy guidelines are created with an aim of
addressing the specific information security threat and provide necessary information to the
employees of the organization regarding the proper usage of technology and resources inside or
outside the boundaries of the organization.The detailed process of management of the
information security risks associated with A4A are evaluated in the following paragraphs.
1.2. Objective

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4
INFORMATION SECURITY MANAGEMENT
The major aim of this report is to discuss and develop proper guidelines for managing the
different information security risks associated with the organization A4A. The report explains
the needs of identifying and analyzing the different resources of the company that are at risk. The
report outlines the need for identifying the different risks associated with the information system
of A4A. The report further identifies and analyzes the different risk mitigation approaches of the
company and suggests some guidelines. These guidelines are necessary to develop the different
security policies of the company.
1.3. Report Outline
The organization A4A is expanding and therefore, it becomes very essential to manage
the information security risks associated with the organization. The report provides standard
guidelines for the same that guarantees the security of the information assets of the organization.
These guidelines provides a solution to manage the information security risks identified and will
further help in managing the uncertainties associated with the organization. These guidelines
forms the basis of threat handling and mitigation in an effective way and the guidelines are
intended to provide a solution for the identified risk. The guidelines that are to be developed with
provide a long term security options for A4A.
2. Discussion
2.1. Information Security Assets
It is very essential to identify the information security assets of the company. It is
essential to identify the information assets in order to identify and analyze the risks associated
with the organization. The identified assets need proper protection from the threat and the

5
INFORMATION SECURITY MANAGEMENT
uncertainties in order to prevent the loss of information. The identified information security
assets of the company are as follows (Safa, Von Solms and Furnell 2016)-
1. The members of the organization are major information assets of the company and
includes the appointed members, managers and the university personnel.
2. The data produced by the members are other major information assets of the
organization. These information assets of the organization include the assignments or the study
helps produced by the members of the organization. However, the emails, marked assignment
and the exams are not the properties of the organization. Along with this, the other confidential
data of the organization includes the storage information of the assignments, the personal details
of the members and the clients of the organization (Sommestad et al. 2014).
3. The information system that records and stores all the assignments prepared by the
organization is an important information asset of the organization as well.
4. The member of the organization often works from outside the organization. Therefore,
the networking components, which include the routers and firewalls, are another major
information asset of the organization (Laudon and Laudon, 2016).
5. The hardware assets of the organization and the hard copy of the assignments produced
within the organization are major information asset of the organization. Proper guidelines are to
be develop in order to secure these components.
6. The organization works with the public donations. These include some confidential
information as well. Protection of those information is necessary.

6
INFORMATION SECURITY MANAGEMENT
The identified information security assets of the company is needed to be protected in
order to avoid huge information loss of the organization. Therefore, proper guidelines are to be
enforced in order to ensure responsible use of the organizations property (Spiekermann 2012).
The Authorized and prohibited usage of the resources are mentioned in the guidelines. These
guidelines will prevent an attacker in accessing the confidential resources of the organization.
2.2. Risk Identification
Identification of the Assets
The identified information assets of the organization further requires a proper
identification of the risks associated with the information assets of the organization. The risks are
needed to be identified and analyzed on basis of their impact in order to develop a proper risk
mitigation strategy (Stallings et al. 2012). Classifying the risks in different groups will helps the
organization in proper mitigation of the identified risk and prevent the organization in suffering
the information loss of the organization.
The risk identification process will include the identification of the major information
security assets of the organization. The different assets of the organization include the members
and the confidential data of these members that are stored in the information system of the
organization (Laudon et al. 2012). This information can be targeted by an attacker and therefore
needs proper protection.
The data produced by the members of the organization are another major information
asset of the organization. It is vital to protect these data present in the system, as these are
developed in order to provide help to the different colleges and universities across the country.
Therefore, it is essential to undertake a proper risk assessment process in these information assets

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7
INFORMATION SECURITY MANAGEMENT
in order to identify the associated risks with the same (Belleflamme and Peitz 2014). The risk
identification of the private and confidential data produced by the members of the organization is
to be carried out with highest priority.
It is the responsibility of the organization to eliminate the different risks associated with
the information system. The risks associated software and the networks that are in use within the
organization are to be identified and evaluated with highest priority in order to eliminate the risk.
After successful identification of the information asset, it is essential to classify and categorize
the information assets in order to properly identify the type of risk associated with it.
Classification and Categorization
The identification of the information assets within the organization is essential to
understand the type of risk in which the company is exposed to. After identification of the risk, it
is essential to classify and categorize these information assets in order to understand the risks
associated with these data. Depending on the need of data protection, the risk mitigation
approach will be further identified for the associated risks. The information security asses of the
organization are classified are as follows (Ifinedo 2012)-
1. The personal information of the members and the funding information of the A4A is a
confidential data type and are restricted only to the use of the organization. Therefore, this
information asset is at major risk and should be mitigated.
2. The data stored in the information system of the organization that consists of the
recruitment of members of the organization is another private and confidential data of the
organization and should be considered for internal use only. This information is restricted to the
members of the organization (Eldardiry et al. 2013).

8
INFORMATION SECURITY MANAGEMENT
3. The organization works for producing assignment for the colleges and universities
across the country. The information therefore, produced is for public use. However, it is
restricted to the use of the colleges and universities registered under A4A.
After proper classification and categorizing of the risk, it is essential to access the value
of the information assets so that proper risk mitigation processes are suggested.
Value Assessment
The risk identification process for A4A includes the stage of value assessment of the
identified information asset of the organization. The value assessment will help in understanding
and determining the priority of the risk mitigation process. The impact on the information assets
are categorized on basis of the importance of the information assets of the organization. The
impact is expressed on a scale of critical, high, medium and low (Peltier 2004). The critical ones
need immediate attention, while the low ones do not need immediate attention.
The importance of information asset of the organization refers to the relative objectives it
serves within the organization. The assets that generate most revenue or that are very
confidential are very necessary to protect. Guidelines are to be developed on basis of the need or
value of the information assets that needs immediate protection or in a critical stage. After proper
value assessment of the information assets of A4A, it is essential to prioritize the information
asset on basis of its importance in order to develop proper guidelines.
Prioritizing the identified the information Assets
The information assets identified during the risk identification process is needed to be
prioritized for identifying the sequence of risk mitigation. This prioritization process is mainly

9
INFORMATION SECURITY MANAGEMENT
based on the impact, all the identified assets have on the organization and the impact on the
organization in case such these information assets are compromised by the attackers. The assets
in a critical level or the asset that has the highest impact will be given the highest priority in the
mitigation process (Peppard and Ward 2016). The guidelines developed for the risk mitigation
will include a secure use of these information assets, in order to eliminate the risks associated
with the process.
Identification of the threats associated with the information asset of A4A is essential in
order to mitigate the same. There are a number of security risks associated with the organization.
If a member is working from outside the organization there are many other security risks
associated with the transmission and storage of information. This includes the malware attack,
data modification and unauthorized data access. This is a type of active attack on the information
assets of an organization. A proper security guidelines is needed to be developed for the
organization in order to protect the information technology assets of A4A. Apart from this, the
threat from the insider includes the unauthorized use and circulation of the academy’s data and
resources within the organization. Apart from this, the major threats associated with A4A are as
follows (Von Solms and Van Niekerk 2013)-
1. The internal threats due to human error
2. The malware attacks on the information system of the organization
3. The data theft and data modification
4. Unauthorized use and access to the data
5. Technical failures of the hardware and software

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10
INFORMATION SECURITY MANAGEMENT
6. Incorrect data usage
The above lists mentions the major information security theft associated with the A4A.
These threats are needed to be accessed and mitigated properly in order to protect the
confidential information asset of the organization.
The threat assessment includes the identification of the probability of occurrence of these
threats within the organization. The threats with highest probability are expected to cause a huge
loss to the information assets of the organization. Therefore, it is the responsibility of the
organization to identify the threat with highest probability of occurrence and the danger to the
assets (Shamala, Ahmad and Yusoff 2013). This process can be done strategically by identifying
the causes and actions of the identified threats on the information assets.
Once this process is done, the prioritization of the threat will be easier for the
organization. It is the responsibility of the organization to prioritize these threats. Furthermore,
the vulnerabilities of the information asset is needed to be identified as well in order to
determine access the risk in a more strategic manner. The threats are linked to the identified
assets for its proper mitigation.
2.3. Risk Assessment
With the successful risk identification process, risk assessment is necessary in order to
identify the extent of the effects of the risk. This is done by the likelihood and consequences of
the identified threat on the information assets. It helps in determining the priority of the risks as
well. The consequences level of the threats that are used in the risk assessment process includes
(Viduto et al. 2012)-

11
INFORMATION SECURITY MANAGEMENT
1. Insignificant
2. Minor
3. Moderate
4. Major
5. Catastrophic
The likelihood level of the consequences identified for the associated risks includes-
1. Almost certain
2. Likely
3. Possible
4. Unlikely
5. Rare
Risk and threat assessment corresponding to the different information assets of the
organization will be easier to evaluate on basis of these levels. The catastrophic threat with a
almost certain likelihood should be removed with a highest priority. Therefore, the risk
assessment process is vital for developing the guidelines associated for ensuring the information
security risks within the organization. The valuable and important assets of the organization are
scaled on basis of the associated threats, their consequences and likelihood. After successful risk
assessment it is essential for A4A to consider the risk management process. Proper risk
management is essential for developing the guidelines.
2.4. Risk Management
The Non Governmental organization A4A aims at developing proper guidelines for
mitigating the risks associated with the information assets of the organization. The risk
mitigation or management process includes classifying the risks on basis of their impact on the
information assets of the organization. The level of risks can be classified as high, medium and
low.

12
INFORMATION SECURITY MANAGEMENT
After proper classification of the risk according to the level of the vulnerability the
information assets are exposed to, it is essential to implement proper risk mitigation or risk
management plan as well (Snedaker 2013). The plans adopted by A4A as a mitigation approach
includes Disaster recovery plan (for spontaneous data recovery in case of data breach) and
business continuity plan (for normal business flow in case of a security attack) (Sahebjamnia,
Torabi and Mansouri 2015). The disaster recovery plan will help in easy recovery of the
important information and data of the organization.
Apart from this, it is suggested for A4A to have an incident response plan for taking
immediate action during an information security attack (Silva et al. 2014).
Justification
It is justified to have a guideline for managing and protecting the information resources
of the organization, as the data produced within the organization or by the members of the
organization should solely remain the property of the organization. The guidelines are developed
in order to protect the information assets of the organization (Fenz et al. 2014).
Academics for Academics is an NGO providing educational services to the colleges and
Universities of the country. The circulation or misuse of the information resources of A4A is
strictly prohibited and therefore, enforcement of proper guidelines in ensuring proper security of
the information assets is important. The academy is in need of a strong security policy in order to
remove the different threats and risks associated with the major information assets of the
organization. The entire process includes identification of the major information assets of the
organization and the risks associated with the information assets. This in turn helps in identifying
the vulnerabilities the system is exposed to and the level of security a particular information asset

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13
INFORMATION SECURITY MANAGEMENT
needs. This process or guidelines will further help the organization in taking crucial decisions
associated with the information security of A4A (Safa, Von Solms and Furnell 2016). The risk
assessment process is vital for consideration as it helps in analyzing the impact of each threat on
the information asset of the organization (Ifinedo 2014). The risk management process
furthermore identifies and recommends back up and action plan in case the organization
experiences a data or security breach.
3. Assumptions
The assumptions that are taken in consideration for the development of the guidelines for
A4A are as follows-
1. It is assumed that only the registered colleges and universities can access the
information
2. It is assumed that the information systems are monitored by the information security
department of the academy
3. It is assumed that the information system of the organization is properly secured with
an updated antivirus protection. It is further assumed that only the authorized members of the
organization can access the resources of the information security system. A member of A4A can
access the resources only after providing a valid user id and password. The user id is unique so
that no duplication is possible.
4. It is assumed that Academics for Academics abides by the compliance and law of the
government and does not promote any illegal activities. Furthermore, it is assumed that the
organization works as a registered NGO.

14
INFORMATION SECURITY MANAGEMENT
5. It is assumed that the members of A4A will abide by the guidelines set by the
organization. Furthermore, the members are expected to report any cases of violation of the set
guidelines. This will help in identification and management of the information security risk in
Academics for Academics.
6. It is assumed that the guidelines are set keeping in mind all the information security
risks that the company is subjected to.
4. Conclusion
Therefore, from the above discussion, it can be concluded that it is essential for
Academics for Academics to have proper guidelines for ensuring security of the information
assets of the organization. It is essential as A4A is gradually expanding and it is becoming
increasingly difficult for the organization to keep a track of the data and security breaches
occurring within the organization and the vulnerabilities, the information assets are exposed to.
The report gives an idea of the guidelines set for the ensuring data protection in A4A by
providing a detailed overview of the risks, threats associated with the information assets of the
organization. The report concludes with the assumptions that have been taken into consideration
for developing the guidelines for secure data exchange within the organization.

15
INFORMATION SECURITY MANAGEMENT
References
Belleflamme, P. and Peitz, M., 2014. Digital piracy (pp. 1-8). Springer New York.
Eldardiry, H., Bart, E., Liu, J., Hanley, J., Price, B. and Brdiczka, O., 2013, May. Multi-
domain information fusion for insider threat detection. In Security and Privacy Workshops
(SPW), 2013 IEEE (pp. 45-51). IEEE.
Fenz, S., Heurix, J., Neubauer, T. and Pechstein, F., 2014. Current challenges in information
security risk management. Information Management & Computer Security, 22(5), pp.410-
430.
Höne, K. and Eloff, J.H.P., 2002. Information security policy—what do international
information security standards say?. Computers & Security, 21(5), pp.402-409.
Ifinedo, P., 2012. Understanding information systems security policy compliance: An
integration of the theory of planned behavior and the protection motivation
theory. Computers & Security, 31(1), pp.83-95.
Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the
effects of socialisation, influence, and cognition. Information & Management, 51(1), pp.69-
79.
Laudon, K.C. and Laudon, J.P., 2016. Management information system. Pearson Education
India.
Laudon, K.C., Laudon, J.P., Brabston, M.E., Chaney, M., Hawkins, L. and Gaskin, S., 2012.
Management Information Systems: Managing the Digital Firm, Seventh Canadian Edition
(7th. Pearson.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

16
INFORMATION SECURITY MANAGEMENT
Peltier, T.R., 2004. Information security policies and procedures: a practitioner's reference.
CRC Press.
Peppard, J. and Ward, J., 2016. The strategic management of information systems: Building a
digital strategy. John Wiley & Sons.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance
model in organizations. Computers & Security, 56, pp.70-82.
Sahebjamnia, N., Torabi, S.A. and Mansouri, S.A., 2015. Integrated business continuity and
disaster recovery planning: Towards organizational resilience. European Journal of
Operational Research, 242(1), pp.261-273.
Shamala, P., Ahmad, R. and Yusoff, M., 2013. A conceptual framework of info structure for
information security risk assessment (ISRA). Journal of Information Security and
Applications, 18(1), pp.45-52.
Silva, M.M., de Gusmão, A.P.H., Poleto, T., e Silva, L.C. and Costa, A.P.C.S., 2014. A
multidimensional approach to information security risk management using FMEA and fuzzy
theory. International Journal of Information Management, 34(6), pp.733-740.
Snedaker, S., 2013. Business continuity and disaster recovery planning for IT professionals.
Newnes.
Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing
information security policy compliance: a systematic review of quantitative studies.
Information Management & Computer Security, 22(1), pp.42-75.

17
INFORMATION SECURITY MANAGEMENT
Spiekermann, S., 2012. The challenges of privacy by design. Communications of the
ACM, 55(7), pp.38-40.
Stallings, W., Brown, L., Bauer, M.D. and Bhattacharjee, A.K., 2012. Computer security:
principles and practice (pp. 978-0). Pearson Education.
Viduto, V., Maple, C., Huang, W. and LóPez-PeréZ, D., 2012. A novel risk assessment and
optimisation model for a multi-objective network security countermeasure selection
problem. Decision Support Systems, 53(3), pp.599-610.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber
security. computers & security, 38, pp.97-102.

1 out of 18

+13062052269

info@desklib.com

Information Security Policy Compliance

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Information Security Management: A Review

Information Security Management

Cloud Computing Security Risks and Mitigation

Ethical Use of Computers in the Workplace

Information Security Plan for WASSA Swim Association

Guidelines for Managing Information Security Risks for Cosmos Organization