Security Management and Governance
Verified, added on 2023/03/17
AI Summary
This report discusses the case study of Power AI and the importance of security management and governance. It outlines the advantages of a security program, development of a security policy, identification of functions and roles, methods to develop a security management program, and implications of statutory and legal requirements. The report also includes a risk management plan and discusses threats, vulnerabilities, and attacks in the formal plan.
Running head: SECURITY AND GOVERNANCE
Security Management and Governance
Name of the Student
Name of the University
Author’s Note:
Executive Summary
The main aim of this report is to examine the case study of Power AI (PAI). PAI has a total of 50 employees, of whom 25 are directly involved in the design, development, testing and implementation of its products. All employee positions are permanent, yet staff turnover is quite high because of the strong demand for IT staff with sound knowledge of AI systems. Senior management comprises three employees, the Sales Manager, the Finance Manager and the IT Manager, together with the business owner. A security management and governance program would be extremely important for Power AI, since such a program provides several significant advantages and substantial security to the organization. The information and systems present within the organization fall within the scope of this program. This report outlines a security program for PAI, together with the risks to its assets and data and the corresponding mitigation strategies.
Table of Contents
Part A: Report
1. Brief Description on Advantages derived from Security Management as an ongoing Process and Reasons for having a Security Program Policy
2. Development of a Detailed Security Policy and Security Management Plan
3. Identification of main Functions, Tasks, Responsibilities and Roles for Security Management Program for PAI and Roles of Several Individuals and Groups in Governance
4. Identification of Main Methods and Models to Develop Security Management Program
5. Detailed Discussion on Implications of Statutory and Legal Requirements and Main Advantages for Formal Approach
Part B: Appendix
1. Risk Management Plan
2. Threats, Vulnerabilities and Attacks of the Formal Plan
3. Plan for Managing Risks and Threats
4. Responsibility for Users and Vendors
Summary
References
Part A: Report
1. Brief Description on Advantages derived from Security Management as an ongoing Process and Reasons for having a Security Program Policy
A few important benefits that PAI can derive from running a security management program as an ongoing process are provided below:
a) Protecting Every Form of Technological Information: Since PAI deals with both artificial intelligence and hardware, it is extremely important to secure every form of information, such as the current state of the business that would need AI, the reasons for implementing these AI systems, and the advantages gained from them (Peltier 2016).
b) Increasing Resilience to All Types of Cyber Attacks: An information and communication technology security program would be quite effective in increasing PAI's resilience to every type of cyber-attack. Such a program can promptly detect attacks on sensitive information without introducing further issues (Sennewald and Baillie 2015).
c) Providing a Proper Framework for Keeping PAI's Services and Products Protected: The third advantage of this program is that it provides a suitable framework for keeping all assets, services and products up to date and protected.
d) Reducing Expenses: Another significant benefit that PAI would enjoy from this program is that it ensures the organization does not incur huge expenses in managing the security of software and data (Disterer 2013).
A few important reasons for PAI to have a proper policy are provided below:
a) Ensuring Timely Resumption of Vital Business Procedures: One of the most vital reasons for keeping a security management policy in PAI is to ensure the timely resumption of important business operations and procedures (Von Solms and Van Niekerk 2013). Periodic checks for software upgrades, together with regular insight into the state of systems, are extremely important. PAI will thus be capable of executing these business procedures efficiently.
b) Improving Company Culture: This type of security policy is also required to bring major improvements to the company culture. As PAI develops software for clients and mainly emphasizes the development of AI systems, PAI should improve its organizational culture so that every application is developed effectively (Jaferian et al. 2014).
c) Protecting the CIA of Data and Software: The confidentiality, integrity and availability (CIA) of both data and software can be well protected by adopting a collection of technical and physical controls. Hence, better analysis and development of the artificial intelligence products would be secured easily (Chander, Jain and Shankar 2013).
2. Development of a Detailed Security Policy and Security Management Plan
The security management plan and security policy must be properly developed by Power AI with the purpose of maintaining the integrity of information and fulfilling legislative and regulatory requirements (Sylves 2019). A few significant steps for the successful development of a security management plan and security policy to secure the artificial intelligence products and services of Power AI are provided below:
a) Performing the Regulatory Review: The first and foremost step in developing a security management plan and security policy is performing the regulatory review (Tu and Yuan 2014). The requirements that such a plan or policy must satisfy are identified in this step.
b) Specifying Governance, Oversight and Responsibility: The second significant step in developing the security management plan and security policy is specifying the governance, oversight and responsibility of the organization.
c) Undertaking an Inventory of Assets: The third vital step in developing the plan and policy is undertaking an inventory of assets, so that it becomes easy to derive the major benefits from organizational assets (Karangelos, Panciatici and Wehenkel 2013).
d) Data Classification: Every type of data needs to be properly analysed so that data classification is carried out effectively and efficiently. In PAI, the data related to AI is classified as extremely vital.
e) Evaluating All Available Security Safeguards: PAI needs to evaluate all available security safeguards, and this is extremely important for the organization (Fenz et al. 2014). This step is essential for understanding the types of risks and threats the business has to deal with.
f) Performing an Assessment of Third-Party Threats: Third-party threats are a serious exposure for PAI and its AI-related data, so these threats must be analysed properly to obtain an overall risk assessment that reduces all kinds of vulnerabilities.
g) Creating an Incident Response Plan: An incident response plan is important for managing situations that result from IT security breaches or incidents (Fennelly 2016). This type of plan is used in enterprise IT facilities and environments for the core purpose of identifying, responding to, limiting and counteracting security incidents when they occur.
h) Training and Testing of Staff: The final step in developing a security management plan and security policy for PAI is training and examining staff (Webb et al. 2014). It is needed for evaluating the staff.
3. Identification of main Functions, Tasks, Responsibilities and Roles for Security Management Program for PAI and Roles of Several Individuals and Groups in Governance
There are three distinct levels of data access control in Power AI's governance, and these are provided below:
a) Management Level: The management level involves the recovery, corrective, detective, compensating, preventative and deterrent control categories (Paryasto, Alamsyah and Rahardjo 2014). These categories include security policies, disaster recovery planning, registration procedures, periodic violation review reports and separation of duties.
b) Operational Level: All the categories listed at the management level are to be protected at the operational level, which includes defence in depth, fire suppression systems, CCTV, warning signs, guards and fences.
c) Technical Level: This is the final level to be analysed in PAI for governance management (Peltier 2013). For the five categories mentioned at the management level, this level includes security warning barriers, log monitors, regular data backups, keystroke monitoring and forensic processes.
4. Identification of Main Methods and Models to Develop Security Management Program
The most suitable model, which could make the entire security management program in Power AI much more efficient and effective than any other security program, would be Control Objectives for Information and Related Technology (COBIT). The details of this model are provided below:
a) Fulfilling All Needs of Stakeholders: This is the first and most important step in the COBIT model for PAI (Wei et al. 2014). Stakeholders are the most important part of an organization, and hence every need of the stakeholders must be fulfilled. To gain these advantages, it is extremely important to develop an information security policy. As organizational management is mainly concerned with all types of intellectual property, it is vital to identify every risk and thereby every challenge or gap in business processes (Siponen, Mahmood and Pahnila 2014).
b) Covering the Enterprise End to End: The enterprise is covered end to end, so that it becomes much easier to reduce all types of complexity (Kanatov, Atymtayeva and Yagaliyeva 2014).
c) Applying a Single Integrated Framework: A single integrated framework is applied in this step so that PAI can understand every risk to its systems and equipment.
d) Enabling a Holistic Approach: A holistic approach is needed to consider the social factors within Power AI.
e) Separating Management from Governance: The final step is to separate management from governance so that the privacy and security of confidential data are better maintained (Oppliger 2015). All kinds of illegal data extraction are
stopped by incorporating this model, and thus significant attack trends can be determined.
5. Detailed Discussion on Implications of Statutory and Legal Requirements and Main Advantages for Formal Approach
A few distinct laws that are suitable for PAI in securing its applications and intellectual property are provided below:
a) Privacy Act 2018: Every intellectual property is secured by this law (Brooks and Corkill 2014).
b) Corporations Act 2001: All employees of PAI would follow work-related regulations and ethics by incorporating this act.
c) Privacy and Data Protection Act 2014: Under this act, confidential information and data are protected under every circumstance in PAI.
d) Security of Critical Infrastructure Act 2018: Organizational infrastructure is secured by incorporating this act, and hence security is maintained efficiently (Bojanc and Jerman-Blažič 2013).
The major advantage of this formal approach is that it brings a high level of security to intellectual property, thus securing the CIA of information.
Part B: Appendix
1. Risk Management Plan
Risk management, or risk assessment of every significant risk, is extremely vital for PAI.
i) The major benefits that a risk management plan could bring to this organization are noted below:
a) Efficient Decision-Making Process: The first advantage is that this type of plan is extremely important for making the decision-making process efficient, and hence helps the organization.
b) Providing High-Quality Data: The organization's data would become of high quality once risks and threats are eradicated by the risk management plan.
c) Removing Issues and Complexities: Every risk and complexity can be removed effectively without facing any problem.
d) Easier Spotting of Projects: PAI would be able to spot better projects after eradicating risks from its existing information systems, and hence can enjoy a high level of profit.
The major steps for making a risk management plan are noted below:
i) Proper Identification of Threats and Risks.
ii) Detailed Analysis of every Identified Threat and Risk.
iii) Suitable Action undertaken for every Identified Threat and Risk.
iv) Risk Monitoring.
v) Removal of Risks.
Contingency planning and risk analysis are extremely important for helping an organization respond efficiently to future events and prepare an alternative plan of action. Risk analysis helps in analysing all types of risk and ensures that risks are identified properly without much complexity. With the help of cost-benefit analysis (CBA), the organization can analyse its decisions and calculate the benefits or profits for the business.
2. Threats, Vulnerabilities and Attacks of the Formal Plan
There are four categories of assets, namely people, process, hardware and software, and four types of threats, namely internal, external, deliberate and accidental. The most significant risks, vulnerabilities and attacks under the above threat categories for the formal plan are provided below:
a) Ransomware: This first kind of malware is mainly responsible for encrypting all types of files and locking the entire system to make it completely inaccessible. It is quite common against systems that deal with confidential information. It is an external and deliberate threat.
b) Extortion of Information: Information extortion is the second risk to be considered in this scenario. Organizational intellectual property is often hacked in order to extract information. It is an internal as well as deliberate threat.
c) Trojan Horse: Another significant attack or threat to patient information for the organization of Power AI is the Trojan horse. The main purpose of this threat is concealing malicious code within software that seems ethical and legal to execute. This would lead to information theft and even permanent loss of data. It falls under the accidental threat category.
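The five risk management steps above (identify, analyse, act, monitor, remove) and the cost-benefit analysis can be captured in a small risk register. The following Python script is an added illustration and is not part of the original report or of PAI's own documentation; the asset names, likelihood and impact ratings, control names and monetary figures are constructed placeholders, and the 1 to 5 scoring scale and level thresholds are assumptions chosen for the example.

```python
"""Minimal risk register covering the five steps of a risk management plan
(identify, analyse, act, monitor, remove) plus a cost-benefit check.

All asset names, ratings, control names and monetary figures in this file are
constructed placeholders for illustration, not data from the PAI case study.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str            # asset category and name, e.g. "software: training data"
    threat: str           # threat description
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int           # 1 (negligible) .. 5 (severe), assumed scale
    controls: tuple = ()  # controls applied so far, kept for the audit trail

    def score(self) -> int:
        """Step ii (analyse): likelihood x impact, range 1..25."""
        return self.likelihood * self.impact

    def level(self) -> str:
        """Map the score to a level; thresholds are an assumption of this example."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def build_register() -> List[Risk]:
    """Step i (identify): a constructed sample register."""
    return [
        Risk("software: AI training data", "ransomware", 4, 5),
        Risk("software: source code repository", "information extortion", 3, 5),
        Risk("hardware: developer workstation", "trojan horse", 3, 3),
        Risk("process: change management", "accidental misconfiguration", 2, 2),
    ]


def rank(register: List[Risk]) -> List[Risk]:
    """Step iii (act): order the register so treatment starts with the highest score."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def summarize(register: List[Risk]) -> Dict[str, int]:
    """Step iv (monitor): count risks per level for the periodic review."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in register:
        counts[r.level()] += 1
    return counts


def treat(risk: Risk, control: str, likelihood: Optional[int] = None,
          impact: Optional[int] = None) -> Risk:
    """Steps iii and v (act, remove): record a control and re-score the residual risk.

    The frozen dataclass means the original entry is left intact, so the
    before/after pair can be kept as evidence of the treatment decision."""
    return replace(
        risk,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        impact=risk.impact if impact is None else impact,
        controls=risk.controls + (control,),
    )


def cost_benefit(annual_loss_before: float, annual_loss_after: float,
                 annual_control_cost: float) -> float:
    """CBA: reduction in expected annual loss minus the control's annual cost.

    A positive result means the control pays for itself; a negative one means
    the organization would spend more on the control than it saves."""
    return (annual_loss_before - annual_loss_after) - annual_control_cost


if __name__ == "__main__":
    register = build_register()
    for r in rank(register):
        print(f"{r.score():2d} {r.level():6s} {r.asset} / {r.threat}")
    print("before treatment:", summarize(register))
    # Treat the top-ranked risk with backups: impact assumed to fall from 5 to 2.
    top = rank(register)[0]
    treated = treat(top, "offline, tested backups", impact=2)
    register = [treated if r is top else r for r in register]
    print("after treatment: ", summarize(register))
    # Constructed figures: expected loss falls from 120k to 20k for a 30k control.
    print("net annual benefit:", cost_benefit(120_000, 20_000, 30_000))
```

Running the script ranks the constructed register, shows the level counts before and after one control is applied, and prints the net benefit of that control. Re-running `summarize` after each treatment is the monitoring step; a risk whose residual score stays high after treatment is the one to escalate to senior management.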
d) Data Sabotage: The next significant threat or vulnerability to be analysed is data
sabotage. This could be carried out by organizational members themselves. It can be an
internal, deliberate or accidental threat.
e) Intellectual Property Theft: Another distinctive threat is the theft of intellectual
property in PAI. Copyrights and patents are violated by this threat, which could cause major
issues related to intellectual property. It is a deliberate or accidental threat.
f) Identity Theft: The other significant threat or risk is identity theft. In this risk, an
attacker acts as another entity in order to obtain an individual's personal information and
gain access to confidential data. It is an internal threat.
3. Plan for Managing Risks and Threats
A plan to manage all types of risks to patient information in PAI is provided below:
Threat, Vulnerability and Attack | Set of Priorities | Recommended Controls
Ransomware | High | Periodic upgrades of data backup systems and software.
Extortion of Information | Low | Proper creation of file backups and provision of training to employees.
Trojan Horse | High | Installing the right endpoint protection software.
Data Sabotage | Medium | Maintaining the security policy and also maintaining physical security.
Intellectual Property Theft | High | Including non-compete and employment agreements.
Identity Theft | Medium | Maintaining the security of SSNs or social security numbers.
Table 1: Plan for Managing Risk in PAI
(Created by the Author in MS Word)
Table 2: Cost Benefit Analysis for PAI
(Created by the Author in MS Excel)
A recommendation for PAI is not to include more assets and resources, so that they do not
have to identify more threats under any circumstance.
4. Responsibility for Users and Vendors
The users and vendors of PAI have a few responsibilities, which include ensuring that
supplier contracts support the business requirements. Moreover, the ITIL procedure involves
ensuring that all suppliers meet their contractual commitments. Users need to ensure that
data does not get hacked and that awareness is maintained.
Summary
Hence, it can be concluded that a program for managing security and governance is
required to effectively manage patient information in PAI. Such a program is vital for
understanding the significance of patient data and the process of dealing with this
information. Moreover, a brief analysis of the risk management plan is also given for PAI
after prioritizing the risks effectively. The identified risks include data sabotage,
ransomware, extortion of information, intellectual property theft, Trojan horse and identity
theft. Mitigation strategies for these threats are also described here.