Security Awareness: Importance, Types of Policies, and Strategies for Protection

Added on 2022/12/23

AI Summary
This document discusses the importance of security awareness in organizations, including the education and training of employees. It also explores the different types of information security policies and provides strategies for protecting data from cyber-attacks. The document emphasizes the implementation of hardware security, data encryption and backup, a security-centered culture, the use of anti-malware software, and investment in cyber-security insurance.

Running head: SECURITY AWARENESS
SECURITY AWARENESS
Name of Student
Name of University
Author’s Note
RESPOND TO QUESTION NUMBER 1
Security awareness is the knowledge and attitude that the members of an organization possess regarding the protection of its assets, especially its data and information. It is a formal process that educates and trains the employees of an organization in the protection of IT information (Bada, Sasse & Nurse, 2019). Security awareness involves a programme to educate employees, ensuring that the organization's security policies are understood as an individual responsibility, together with measures to audit these efforts (McCormac et al., 2017). Security awareness is implemented in an organization to understand the risk that an individual or a group may intentionally or accidentally steal, damage or misuse data stored in the organization's systems. Security awareness training includes:
i) Understanding the nature and sensitivity of information such as trade secrets, government classified information and trade secret policies.
ii) Reviewing the non-disclosure agreements of employees, as many employees handle confidential data in an organization.
iii) Understanding the proper methods of protecting information that is sensitive to the organization, by enabling two-factor authentication and including privacy and security policies.
iv) Understanding other computer security concerns such as phishing attacks, computer malware and social engineering.
There are three types of information security policy: the Enterprise Information Security Policy (EISP), the Issue-Specific Security Policy (ISSP) and the System-Specific Security Policy (SysSP).
Enterprise Information Security Policy
The Enterprise Information Security Policy is based on the implementation of general security policies. The aim, vision and direction of an organization are maintained by the EISP. It sets the standard for the growth, implementation and security programme initiated by the management of an organization (Soomro, Shah & Ahmed, 2016). The EISP sets the tone, direction and scope for all the other security policies. The preliminary strategy of the EISP is drafted and prepared by the Chief Executive Officer of the organization. However, this policy may be modified if any strategic change takes place in the organization.
Issue-Specific Security Policy
The Issue-Specific Security Policy addresses a specific technology and requires statements, with frequent updates, of the organization's position on certain specific issues. The ISSP governs how individuals use the systems and technologies of an organization (Hettiarachchi & Wickramasinghe, 2016). The ISSP identifies and addresses activities such as who has internet access, the use of photocopy equipment and whether any individual is using personal equipment on the company's network, and it prescribes preventive measures that protect the systems from being hacked.
System-Specific Security Policy
The System-Specific Security Policy provides a set of instructions that act as a function or procedure when configuring the systems of an organization. The SysSP is a guide, provided by management in documented form, for configuring the technology that supports information security (Järveläinen, 2016). It is generally a managerial guide and a technical specification for the systems provided by the organization. It is a targeted document relating only to the specific systems it is designed to address. In brief, it provides proper guidance for configuring the firewall system.
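As an added illustration of how a SysSP turns managerial guidance into a checkable technical specification for a firewall, the following script (not part of the essay or of any cited source) encodes four assumed policy requirements and audits a candidate rule set against them. The rule format, the management subnet 10.0.100.0/24, the management ports and the sample rule sets are all constructed for this example, not a real firewall's syntax or a real network.

```python
from dataclasses import dataclass
from typing import List
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a deliberately simple, constructed format."""
    action: str   # "allow" or "deny"
    src: str      # source CIDR, or "any"
    dst: str      # destination CIDR, or "any"
    port: str     # destination TCP port as a string, or "any"


# Hypothetical SysSP requirements for the perimeter firewall (assumed values):
ADMIN_NET = ipaddress.ip_network("10.0.100.0/24")   # constructed management subnet
MGMT_PORTS = {"22", "3389"}                           # SSH and RDP
DENY_ALL = Rule("deny", "any", "any", "any")


def reaches_beyond_admin_net(src: str) -> bool:
    """True when a source specification admits hosts outside ADMIN_NET."""
    if src == "any":
        return True
    return not ipaddress.ip_network(src, strict=False).subnet_of(ADMIN_NET)


def audit(rules: List[Rule]) -> List[str]:
    """Check a rule set against the SysSP; an empty list means compliant."""
    findings: List[str] = []
    # R1: the policy requires an explicit default-deny as the final rule.
    if not rules or rules[-1] != DENY_ALL:
        findings.append("R1: rule set must end with an explicit deny-all rule")
    for n, r in enumerate(rules, start=1):
        if r.action != "allow":
            continue
        # R2: no blanket allow of all traffic between any hosts on any port.
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append(f"R2: rule {n} allows all traffic from any source")
        # R3: management ports may be reached only from the admin subnet.
        if r.port in MGMT_PORTS and reaches_beyond_admin_net(r.src):
            findings.append(
                f"R3: rule {n} exposes management port {r.port} beyond {ADMIN_NET}"
            )
    # R4: anything placed after the deny-all can never match (shadowed).
    if DENY_ALL in rules and rules.index(DENY_ALL) != len(rules) - 1:
        findings.append("R4: rules after the deny-all are unreachable")
    return findings


# Constructed sample rule sets (192.0.2.0/24 is a documentation range).
WEAK_RULES = [
    Rule("allow", "any", "any", "443"),
    Rule("allow", "any", "any", "22"),      # SSH reachable from the internet
    Rule("allow", "any", "any", "any"),     # catch-all allow, no default deny
]
HARDENED_RULES = [
    Rule("allow", "any", "192.0.2.10/32", "443"),
    Rule("allow", "10.0.100.0/24", "192.0.2.0/24", "22"),
    DENY_ALL,
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or "compliant")
```

Running the script reports three violations for the weak set (no default deny, SSH exposed beyond the admin subnet, and a catch-all allow) and none for the hardened set; the value of writing the SysSP this way is that the same checks can be re-run whenever the rule set changes.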
RESPOND TO QUESTION NUMBER 2
ISO/IEC
ISO/IEC is the joint technical committee for information security standards established by the International Organization for Standardization and the International Electrotechnical Commission. The information security controls provided by the ISO/IEC standard in the administrative, physical and technical domains are:
Administrative Security: Under administrative security, the personal details of employees must be verified thoroughly, including identity verification using a government-issued photo ID. All employees must accept a confidentiality and non-disclosure agreement concerning the organization's security information. The HR department must inform the administration when an employee is taken on, suspended, resigns, is transferred or is terminated.
Physical Security: Physical security covers the access supporting communications, power and other essential physical infrastructure, which must be monitored at every stage to restrict unauthorized access to the system. The organization must implement rules prohibiting photography and video recording in restricted areas. Fire evacuation drills must be conducted every year.
Technical Security: User access should be limited in accordance with the requirements provided by the asset owners. The production system must be prohibited from creating any generic IDs unless specifically instructed by the information asset owner. Authentication controls such as two-factor authentication must be implemented, and access to removable devices like USB hard drives and CDs must be disabled.
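The three technical controls just listed (access limited to what the asset owner granted, no unapproved generic IDs, two-factor authentication for every account) are the kind of thing an auditor checks against an account export from the production system. The script below is an added example, not from the essay or from any standard; the naming pattern for generic IDs, the entitlement register and the sample account export are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Assumed naming convention for shared or generic identities.
GENERIC_ID = re.compile(r"^(admin|root|test|guest|shared|svc|service)[-_]?\w*$",
                        re.IGNORECASE)


@dataclass(frozen=True)
class Account:
    user_id: str
    mfa_enabled: bool
    roles: FrozenSet[str]                  # roles actually held on the production system
    owner_approved_generic: bool = False   # asset owner instructed creation of a generic ID


# Hypothetical entitlement register kept by the information asset owner (constructed).
OWNER_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"app-user"}),
    "bob": frozenset({"app-user", "db-read"}),
    "svc-backup": frozenset({"db-read"}),
}


def audit_accounts(accounts: List[Account]) -> List[str]:
    """Return one finding per control violation; an empty list means clean."""
    findings: List[str] = []
    for acct in accounts:
        # Generic IDs are prohibited unless the asset owner explicitly instructed otherwise.
        if GENERIC_ID.match(acct.user_id) and not acct.owner_approved_generic:
            findings.append(f"{acct.user_id}: generic ID created without asset-owner instruction")
        # Two-factor authentication is mandatory for every account.
        if not acct.mfa_enabled:
            findings.append(f"{acct.user_id}: two-factor authentication not enabled")
        # Access must not exceed what the asset owner has granted.
        excess = acct.roles - OWNER_ENTITLEMENTS.get(acct.user_id, frozenset())
        if excess:
            findings.append(f"{acct.user_id}: roles beyond owner entitlement: {sorted(excess)}")
    return findings


# Constructed sample export from a production system.
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"app-user"})),
    Account("bob", False, frozenset({"app-user", "db-read", "db-admin"})),
    Account("svc-backup", True, frozenset({"db-read"}), owner_approved_generic=True),
    Account("admin2", True, frozenset({"db-admin"})),
]

if __name__ == "__main__":
    for line in audit_accounts(SAMPLE_ACCOUNTS):
        print(line)
```

On the sample export the audit flags bob (no two-factor authentication and a db-admin role the owner never granted) and admin2 (a generic ID with no owner instruction and an unapproved role), while alice and the approved service account pass.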
CISA
Certified Information Systems Auditor (CISA) is a professional certification sponsored by ISACA for information technology audit. The security domains it covers in administrative, physical and technical terms are:
Administrative Security: It covers IT governance and the protection of information assets, and it supports business continuity and disaster recovery. It also covers the administration of the information systems audit process.
Physical Security: It covers support for the systems and infrastructure life-cycle management.
Technical Security: It covers IT service delivery and support for the development of the organization.
CISSP
The Certified Information Systems Security Professional is an independent information security certification approved by the International Information System Security Certification Consortium. The security domains it covers in administrative, physical and technical terms are:
Administrative Security: It covers the practice of security management and the different models of security architecture. It helps to initiate preventive measures in business continuity planning and disaster recovery planning. It also covers law, investigation and ethics in the organization.
Physical Security: It covers physical security together with cryptography, telecommunications and network security, and operational security.
Technical Security: Technical security consists of logical access control mechanisms, password and resource management, and authentication and identification methods.
An ISMS is a set of instructions and guidelines that systematically govern the sensitive data of an organization. ISO/IEC 27001 is an information security standard that focuses on keeping an organization's security up to date. It specifies a management system that intends to bring management's controls under specific requirements. In ISO/IEC 27001 the administrative aspect focuses on building proper human resource security, the physical aspect on communications and operations management, and the technical aspect on access control. The Federal Emergency Management Agency, which provides homeland security in the United States, provides funds for response training in the administrative, physical and technical areas (Radvanovsky & McDougall, 2018).
RESPOND TO QUESTION NUMBER 3
According to recent studies, data breaches affect businesses of all types regardless of size and location. Businesses are at high risk of cyber-attack at any instant. There are five strategies that help companies run smoothly and secure the confidentiality of their data. The strategies companies adopt to protect information from cyber-attacks are implementing proper hardware security, taking encrypted data backups, ensuring a security-centred culture, using a robust firewall and anti-malware software, and investing in cyber-security insurance.
1. Implementing hardware security: Data breaches frequently occur through stolen equipment, so improving the company's protection of its devices against cyber threats is an effective move. All devices should be protected with long and complex passwords (Ferraiuolo et al., 2017). Passwords should be known only to the device user and memorised rather than written down somewhere easily accessible to others.
2. Data encryption and backup: Data encryption prevents an outsider with physical access from reading sensitive data. Full disk encryption provides additional security to the system (Sun et al., 2018). Backups should be taken after the data is encrypted, because ransomware attacks devices by encrypting them and demanding a ransom payment for decryption. Taking backups provides extra security for the company's systems, as emphasised by the International Journal of Advanced Computer Science and Applications.
3. Security-centred culture: Data breaches are mostly caused by employees' intentional or accidental mishandling, as they are not aware of external data threats. The organization should ban employees from using private devices, as this may lead to a security breach (Gcaza et al., 2017). For example, according to the UK Cyber Security Breaches Survey 2018, 43% of UK businesses had experienced a cyber-security breach or attack, while only 20% of UK companies offered training to staff.
4. Using anti-malware software: Systems should be protected with antivirus and anti-malware software, as ransomware is the most widespread cyber-security threat, targeting health organizations in particular (Blythe & Coventry, 2018). According to the survey report, 53% of the cyber-attacks experienced in the UAE were caused by malware infection.
5. Investing in cyber-security insurance: As cybercrime is increasing rapidly, cyber-security insurance should be adopted to minimise the risks. According to US research in 2017, the average cost of a single data breach incident was about USD 3.6m. However, only 9% of UK and 15% of US businesses have such insurance.
References
Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672.
Blythe, J. M., & Coventry, L. (2018). Costly but effective: Comparing the factors that influence employee anti-malware behaviours. Computers in Human Behavior, 87, 87-97.
Ferraiuolo, A., Xu, R., Zhang, D., Myers, A. C., & Suh, G. E. (2017, April). Verification of a practical hardware security architecture through static information flow analysis. In ACM SIGARCH Computer Architecture News (Vol. 45, No. 1, pp. 555-568). ACM.
Gcaza, N., von Solms, R., Grobler, M. M., & van Vuuren, J. J. (2017). A general morphological analysis: delineating a cyber-security culture. Information & Computer Security, 25(3), 259-278.
Hettiarachchi, S., & Wickramasinghe, S. (2016). Study to Identify Threats to Information Systems in Organizations and Possible Countermeasures through Policy Decisions and Awareness Programs to Ensure the Information Security.
Järveläinen, J. (2016). Integrated Business Continuity Planning and Information Security Policy Development Approach.
McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., & Pattinson, M. (2017). Individual differences and information security awareness. Computers in Human Behavior, 69, 151-156.
Radvanovsky, R. S., & McDougall, A. (2018). Critical infrastructure: homeland security and emergency preparedness. CRC Press.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.
Sun, W., Zhang, N., Lou, W., & Hou, Y. T. (2018, May). Tapping the potential: Secure chunk-based deduplication of encrypted data for cloud backup. In 2018 IEEE Conference on Communications and Network Security (CNS) (pp. 1-9). IEEE.