Security Policy Assignment
Added on - 29 Apr 2020
Date:
From: INSERT NAME, Chief Information Security Officer, University of Hertfordshire
To: IS Authorizing Official, School of Computer Science, University of Hertfordshire
Subject: CISO Memo (INSERT System Name)
Finding and Summary:
This memo report is based on the identification and analysis of the risks associated with the existing security policies and set-up at the University of Hertfordshire. The analysis of the existing system found several security risks that cannot be solved or addressed while the present security policies remain in place. These policies must be modified, and several new steps must be taken to address all of the associated risks.

Risk Statement:
In information systems, there are generally two types of risk: external and internal. No absolute control can be established over external risks; the organization can only reinforce information system security in order to hold off such risks for as long as possible. Internal security risks, however, can be controlled by the organization by implementing rules and guidelines, and the organization can take suitable steps to ensure that none of its security policies are broken by any individual involved with it. In this particular case, several internal risks have been found that arise from a lack of sufficient security policies within the organization. Internal activities such as BYOD (bring your own device), accessing non-verified websites through the organization's server, and opening spam emails on the system are the main causes of the system security risks.

Impact Statement:
The risks mentioned above will have a significant impact on the organization if they are not addressed immediately. In order to reduce overall operational costs, the university allows students to use their own laptops during computer practical classes. As a result, malware or viruses can easily enter the university server from the students' systems. Similarly, opening spam websites and links can also introduce malicious files into the system. This malware can steal information from the server and can also destroy all of the data and information stored in the database.

Risk Level:
Low: _________ Moderate: _________ High: __Yes_______

Justification for Noncompliance or Deviation:
Until now, controls could not be implemented for several reasons. If BYOD is scrapped, the university has to incur excess costs to provide systems to each of the students. Moreover, the spam websites cannot be entirely blocked, as most of them disguise themselves using the domains of other verified sites.
Compensating Controls:
The university can consider alternating practical classes for students in order to scrap BYOD and allow students to work only on the systems it provides. For instance, if there are 90 students, there can be alternate classes for 30 students at a time, so the university needs only 30 laptops instead of 90. Moreover, specific firewalls can be implemented in order to provide resistance against malicious files and viruses. Server restrictions will also help to limit internet access and will prevent students from accessing spam and unverified websites.

Statement of Residual Risk:
Even if sufficient controls are applied, some residual risk may remain in the system. Spam websites cannot be entirely blocked, and some of them can compromise verified sites and so enter the system even when the user visits a verified website.

Risk Response Request:
As discussed under the previous headings, the identified risks are extremely serious and must be addressed immediately with an urgent response. All of the risks discussed are internal and can therefore be controlled and minimized. It is evident that the university's policies on BYOD and open internet access are the root causes of the risks discussed, and these policies must be modified in order to protect the overall information system. Furthermore, the university should actively raise awareness among students about the use of the systems and the dangers of accessing unverified websites while browsing the internet. Finally, the university should recruit system security experts to develop system security using firewalls and antivirus software on the systems that are connected to the university's central server.

System/Business Owner Date _________________________________

Approval and Conditions:
I hereby acknowledge that I have reviewed the aforementioned request for a Risk Acceptance decision, and certify that:

Yes. I understand and accept responsibility for the outstanding risk related to the deployment and use of this application or service for the requested scope and timeframe. <Reason for Acceptance: I find the compensating controls are adequate, or the risk to the organization's mission is acceptable; therefore, additional controls need not be applied.>

Yes, for a temporary period while controls are improved. I accept responsibility for the outstanding risks related to the deployment/use of this application or service; however, I find the current level of control inadequate. The following controls must be implemented by <date>: