Concepts of information security assignment

University of Hertfordshire
Added on 2020-04-29

Date:
From: INSERT NAME, Chief Information Security Officer, University of Hertfordshire
To: IS Authorizing Official, School of Computer Science, University of Hertfordshire
Subject: CISO Memo (INSERT System Name)
Finding and Summary:
This memo identifies and analyses the risks associated with the existing security policies and set-up at the University of Hertfordshire. The analysis found several security risks that cannot be addressed while the present policies remain in place. Those policies must be modified, and several new measures introduced, to address the associated risks.

Risk Statement:
Information-system risks fall into two broad groups: external and internal. The organization has no absolute control over external risks; it can only reinforce the security of its information systems to keep such risks at bay for as long as possible. Internal risks, by contrast, can be controlled through rules and guidelines, and the organization can take steps to ensure that no individual connected with it breaks those policies. In this case, several internal risks were found to result from a lack of sufficient security policies. The main sources of these risks are BYOD (bring your own device), browsing unverified websites from machines on the university network, and opening spam email on university systems.

Impact Statement:
If not addressed promptly, the risks above will have a significant impact on the organization. To reduce operational costs, the university allows students to use their own laptops in practical classes, so malware on a student's machine can easily reach the university servers. Likewise, opening spam websites and links can introduce malicious files into the system.
Such malware can steal information from the server and can also destroy the data stored in the database.

Risk Level:
Low: _________ Moderate: _________ High: Yes

Justification for Noncompliance or Deviation:
So far, controls could not be implemented for several reasons. If BYOD were scrapped, the university would incur the additional cost of providing a machine for every student. Spam websites cannot be blocked entirely, because many of them use lookalike domains that imitate legitimate, verified sites.
Compensating Controls:
The university can restructure practical classes so that BYOD can be scrapped and students work only on university-provided machines. For instance, if there are 90 students, running three sessions of 30 students each means the university needs only 30 laptops instead of 90. In addition, firewalls and web filtering can be deployed to block malicious files and viruses, and restricting outbound access from the university network will keep students off spam and unverified websites.

Statement of Residual Risk:
Even with sufficient controls in place, some residual risk remains. Spam websites cannot be blocked entirely: some imitate or compromise verified sites, so malicious content can still reach the system even when the user believes they are visiting a verified website.

Risk Response Request:
As discussed under the previous headings, the identified risks are serious and must be addressed immediately. All of them are internal and can therefore be controlled and minimized. The university's policies on BYOD and open internet access are the root causes of these risks, so those policies must be revised to protect the information system as a whole. The university should also actively raise awareness among students about the proper use of its systems and the dangers of browsing unverified websites. Finally, the university should recruit security specialists to harden the systems connected to its central server with firewalls and antivirus software.

System/Business Owner                                   Date _________________________________

Approval and Conditions:
I hereby acknowledge that I have reviewed the aforementioned request for a Risk Acceptance decision, and certify that:

Yes. I understand and accept responsibility for the outstanding risk related to the deployment and use of this application or service for the requested scope and timeframe. <Reason for Acceptance: I find the compensating controls are adequate, or the risk to the organization’s mission is acceptable; therefore, additional controls need not be applied.>

Yes, for a temporary period while controls are improved. I accept responsibility for the outstanding risks related to the deployment/use of this application or service; however, I find the current level of control inadequate. The following controls must be implemented by <date>:
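The web-filtering compensating control and the residual-risk caveat above (lookalike domains that a plain deny list cannot catch), as an added example that is not part of the original memo or of any University of Hertfordshire system: a Python policy check that a forward proxy or DNS filter could apply to each requested hostname. The allowlist, deny list, confusable-character table, second-level-suffix set and requested hostnames are all constructed assumptions, chosen to show why default-deny plus a lookalike check is needed on top of a deny list.

```python
"""Egress web-filtering check for a teaching-lab network.
Added example, not from the memo or any university system; all domains are constructed."""
import unicodedata

# Assumed allowlist of sites lab machines may reach (constructed).
ALLOWED = {"herts.ac.uk", "python.org", "github.com"}
# Assumed deny list built from spam/phishing reports (constructed).
DENIED = {"free-prizes.example"}
# Lookalike substitutions: digit/letter swaps and a few Cyrillic confusables.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "\u0430": "a",
               "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
# Suffixes whose registrable names have three labels (assumption; use the Public Suffix List in practice).
SECOND_LEVEL = {"ac", "co", "gov", "org"}

def normalise(host):
    """Lowercase, strip a trailing dot, NFKC-fold and decode punycode labels."""
    host = unicodedata.normalize("NFKC", host.strip().lower().rstrip("."))
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # keep the raw label; it fails the allowlist anyway
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Collapse confusable characters so a lookalike compares equal to its target."""
    folded = normalise(host)
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded

def registrable(host):
    """Crude eTLD+1: last two labels, or three under ac.uk-style suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def in_allowlist(host):
    """Exact match or subdomain of an allowed domain; no confusable folding here."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED)

def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    for k in range(len(a)):
        if a[k] != b[k]:
            # same length: one substitution; otherwise one extra character in b
            return a[k + 1:] == b[k + 1:] if len(a) == len(b) else a[k:] == b[k + 1:]
    return True

def lookalike_of(host):
    """Return the allowed domain this host imitates, or None."""
    plain = normalise(host)
    if in_allowlist(plain):
        return None
    folded = skeleton(host)
    if in_allowlist(folded):  # only confusable characters separate it from an allowed name
        return next(a for a in sorted(ALLOWED) if folded == a or folded.endswith("." + a))
    reg = registrable(folded)
    for a in sorted(ALLOWED):
        if "." + a + "." in "." + folded + ".":
            return a  # allowed name used as labels inside another registrable domain
        if within_one_edit(reg, registrable(a)):
            return a  # typosquat of the registrable name
    return None

def decide(host):
    """Default-deny policy: (action, reason) for one requested hostname."""
    h = normalise(host)
    if in_allowlist(h):
        return ("allow", "allowlisted")
    if registrable(h) in DENIED:
        return ("deny", "denylisted")
    target = lookalike_of(h)
    if target:
        return ("deny", "lookalike of " + target)
    return ("deny", "not allowlisted (default deny)")

def denylist_only(host):
    """Deny-list-only posture, for contrast: block reported domains, allow the rest."""
    return "deny" if registrable(normalise(host)) in DENIED else "allow"

REQUESTS = [  # constructed requests, not captured traffic
    "docs.python.org", "free-prizes.example", "herts.ac.uk.login-portal.example",
    "gihub.com", "pyth\u043en.org", "news.example",  # last: Cyrillic o in place of Latin o
]

if __name__ == "__main__":
    for req in REQUESTS:
        action, reason = decide(req)
        print(f"{req:34} deny-list only: {denylist_only(req):5} "
              f"default-deny: {action:5} ({reason})")
```

Run as a script, the block prints the deny-list-only verdict beside the default-deny verdict for each constructed request: the typosquat gihub.com, the embedded herts.ac.uk.login-portal.example and the Cyrillic pythоn.org all pass a pure deny list and are all refused by the allowlist plus lookalike check. The residual risk the memo names still stands: malicious content served through an allowlisted domain passes this check, which is why filtering is paired with antivirus and user awareness rather than relied on alone.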