Security Policy Implementation and Risk Management at Bedford College
Added on 2022/09/14
Report
AI Summary
This report analyses IT security risk assessment and policy implementation within an organization, using Bedford College as the case. It covers risk assessment procedures, data protection processes and regulations, and the application of the ISO 31000 risk management methodology. It also discusses the impact of IT security audits on organizational security and the roles of the various stakeholders in maintaining a secure environment. It then explains how IT security can be aligned with organizational policy, lists the components of an organizational disaster recovery plan, evaluates proposed IT security tools (firewalls, antivirus software, anti-spyware software and password managers), and outlines the security policies an organization needs, including an acceptable use policy, a change management policy and an incident response policy. The document was contributed by a student.

Running head: SECURITY POLICY
Security procedures and processes
Name of the Student
Name of the University
Author’s Note
Table of Contents
Task 1
  IT security risk assessment
  Data protection processes and regulations
  ISO 31000 risk management methodology
  Impact of IT security audit on organizational security
  Roles of stakeholders
  Explanation of IT security alignment
  List of components for organizational disaster recovery plan
  Evaluation of proposed tools for IT security
Task 2
  Implementation of security policy
References
Task 1
IT security risk assessment
Risk assessment is used to identify and prioritise the risks to an organization's operational activities, most of which now depend on information technology (Safa, Von Solms and Furnell 2016). Risks that materialise can cause large monetary losses and reduce business profitability. A risk assessment rests on three factors: the value of the business assets (people, money, data and systems), the potential effect of the threats to those assets, and the vulnerabilities through which a threat could be realised. Managing these risks therefore begins with gathering information (Sommestad et al. 2014), through interviews, analysis of the systems and infrastructure, and review of the existing documentation. The assessment then proceeds through the following steps:
Identify all valuable assets.
Identify the potential consequences of each asset being lost or compromised.
Identify the threats to each asset and their level.
Identify the vulnerabilities within the organization that those threats could exploit.
Assess the risk (likelihood combined with impact) for each asset, threat and vulnerability combination.
Record the results in a risk register and build the risk assessment plan from it.
Define a strategy to mitigate the risks selected for treatment.
Carry out the mitigation and track it to completion.
Data protection processes and regulations
The General Data Protection Regulation (GDPR) is the European Union's data protection law. It applies to any organization that processes personal data, and colleges are no exception.
The regulation gives colleges a framework for protecting the data they already hold (Hsu et al. 2015). The data protection obligations it places on a college include the following:
Review the lawful basis and procedures for collecting student data, particularly during the August and September enrolment period, when the annual intake of students generates the largest volume of new personal data (Putri and Hovav 2014).
Ensure that legacy IT systems which still hold personal data are covered by adequate protection measures.
Apply stronger protection to the college's sensitive data, both to avoid the consequences of data loss and to improve organizational performance.
Put adequate arrangements in place for communicating privacy information to students and other data subjects.
Ensure that privacy issues are reported to the Data Protection Officer or the relevant supervisory authority.
Integrate data protection obligations with the college's obligations under the Freedom of Information Act.
ISO 31000 risk management methodology
ISO 31000 is the international standard for risk management, first published in 2009 and revised in 2018. It provides principles and general guidance for managing risk in any organization. It does not prescribe detailed solutions for particular organizational risks; instead it sets out a generic process by which the risks within an organization can be managed.
The risk management process in the standard consists of the following activities:
Risk identification – Finding, recognising and describing the risks that could affect the organization's objectives; a risk that has not been identified cannot be treated.
Risk analysis – Analysing each identified risk to understand its nature and determine its level, typically from its likelihood and its consequences.
Risk evaluation – Comparing the results of the analysis with the organization's risk criteria to decide whether each risk is tolerable and which risks need treatment (Kim, Yang and Park 2014).
Risk treatment – Selecting and implementing options that change the magnitude of a risk: avoiding it, reducing its likelihood or consequences, sharing it (for example through insurance) or retaining it.
Establishing the context – Before the assessment starts, defining the organization's objectives and, from them, the criteria against which risks will be evaluated.
Monitoring and review – Monitoring the organization's activities against the risk management plan or an equivalent framework so that the level of each risk, and the effectiveness of its treatment, are reviewed regularly.
Communication and consultation – Consulting internal and external stakeholders (including external consultants where they are used) throughout the process so that the risk management approach is understood and checked.
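The following is an added worked example, not code from the report: a minimal risk register that carries the risk-assessment steps listed under "IT security risk assessment" and the ISO 31000 analyse, evaluate and treat activities above through to a prioritised treatment list. The 1-5 rating scales, the assumption that existing controls reduce likelihood only, the tolerance value and the sample register entries are all illustrative assumptions, not findings about Bedford College.

```python
"""Risk register example: risk analysis (inherent and residual scores),
risk evaluation (comparison with the risk criteria) and the treatment
decision, run over a constructed sample register. Added illustration;
scales, control model, tolerance and sample entries are assumptions."""
from dataclasses import dataclass

# Ordinal scales (assumption): qualitative ratings mapped to 1-5.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criteria (assumption): residual scores above this value need treatment.
TOLERANCE = 8


@dataclass
class Risk:
    asset: str            # step 1: valuable asset
    consequence: str      # step 2: what losing or compromising it means
    threat: str           # step 3: threat to the asset
    vulnerability: str    # step 4: weakness the threat would exploit
    likelihood: str       # rating from LIKELIHOOD
    impact: str           # rating from IMPACT
    control_effect: float = 0.0   # fraction by which existing controls cut likelihood (assumption: controls act on likelihood only)
    owner: str = "unassigned"

    def inherent(self) -> int:
        """Risk analysis: level of the risk with no controls credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Risk analysis: level after existing controls are credited."""
        return round(LIKELIHOOD[self.likelihood] * (1 - self.control_effect) * IMPACT[self.impact], 1)


def evaluate(register, tolerance=TOLERANCE):
    """Risk evaluation: compare each residual score with the risk criteria and
    record the treatment decision; rows are ordered from highest to lowest residual risk."""
    rows = []
    for r in register:
        residual = r.residual()
        # Treatment decision: 'treat' means reduce, avoid or share the risk;
        # 'retain' means accept it and keep it under monitoring and review.
        action = "treat" if residual > tolerance else "retain"
        rows.append({"asset": r.asset, "threat": r.threat, "inherent": r.inherent(),
                     "residual": residual, "action": action, "owner": r.owner})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def treatment_plan(register, tolerance=TOLERANCE):
    """Mitigation strategy: the subset of the register that needs action, highest risk first."""
    return [row for row in evaluate(register, tolerance) if row["action"] == "treat"]


# Constructed sample register for a college (assumption; not real findings).
SAMPLE_REGISTER = [
    Risk("Student records database", "Personal data breach and loss of availability",
         "Ransomware", "Unpatched file server", "likely", "severe",
         control_effect=0.5, owner="IT manager"),
    Risk("Staff laptops", "Exposure of personal data held offline",
         "Theft", "No full-disk encryption", "possible", "major"),
    Risk("Campus Wi-Fi", "Interception of staff and student traffic",
         "Rogue access point", "No client certificate authentication", "unlikely", "moderate",
         control_effect=0.25, owner="Network team"),
    Risk("Library catalogue website", "Reputational damage",
         "Defacement", "Outdated CMS", "possible", "minor",
         control_effect=0.5, owner="Web team"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['residual']:>5}  {row['action']:<6} {row['asset']} / {row['threat']} ({row['owner']})")
```

Running the block lists the laptops (residual 12.0) and the student records database (residual 10.0, down from an inherent 20 because offline backups are credited) as the two risks that exceed the tolerance; the Wi-Fi and catalogue risks are retained and monitored. Lowering the tolerance is the only change needed to pull more of the register into the treatment plan, which is exactly the lever the risk criteria give management.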
Impact of IT security audit on organizational security
An IT security audit is a systematic review of an organization's defences that examines how cybercrime and other security issues are handled. Auditing identifies the organization's vulnerabilities and introduces security tests that evaluate the design of its security (Ifinedo 2014). The impacts of an IT security audit on organizational security are as follows:
It evaluates the data flow within the organization – Data is an important organizational asset, so the audit team needs to understand what types of data exist, how data flows through the organization and how information is accessed (Han, Kim and Kim 2017).
It identifies vulnerabilities and problems within the organization – By evaluating the organization's data flow, the auditors identify vulnerabilities so that the security policy can be adjusted to address them.
It determines whether the security policies or standards need to change – To protect sensitive data, the auditors check whether the organization should adopt alternative security policies or standards.
It provides an in-depth analysis of internal and external IT practices and policies – The organization handles large amounts of data in both its internal and its external environment, so the auditors must check that the security policy is implemented for both internal and external use.
Roles of stakeholders
An IT security audit is a necessary step in protecting an organization's sensitive information. The stakeholders of the organization have the following roles in it:
Employees – They must follow the security policy exactly so that organizational data remains protected (Li et al. 2014). During an audit, employees should cooperate with the auditors in checking the security procedures.
Managers – Managers are accountable for maintaining the organization's security policies and for checking whether employees follow them (Goldthau and Sitter 2015).
IT teams – IT teams are accountable for implementing the IT security policies within the organization's activities.
Explanation of IT security alignment
IT security practices must be implemented within an organization to prevent cybercrime against it. Aligning IT security with the business functions involves three steps:
1. Map the business functions onto the IT assets they depend on – In this mapping, the business functions include the governance standards the organization follows, such as ISO 31000 and ISO 38500, and the IT assets each function relies on are recorded (Siponen, Mahmood and Pahnila 2014).
2. The IT assets produce data – Once the business functions have been mapped onto IT assets, those assets can be assessed for business risks, external risks and cyber threats, using frameworks such as the OWASP Top 10 and CVSS, so that the risks can be addressed.
3. The data supports the business functions – The assessment data then flows back to the business functions through the disaster recovery plan, security metrics and similar outputs.
List of components for organizational disaster recovery plan
The components of an organizational disaster recovery plan are:
Communication plan and the discussions that produce it.
Data continuity system (replication or backup of critical data).
Backup verification (confirming that backups are complete and can actually be restored).
Detailed asset inventory.
Images of equipment from which systems can be rebuilt.
Communication with vendors.
Service restoration plan.
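Backup verification is the component most often written down and least often exercised: a backup that cannot be restored intact is no backup. The block below is an added example, not code from the report, of a restore check: it records a SHA-256 manifest of the backup set at backup time and later compares a restored tree against it, reporting files that are missing, altered or unexpected. The file names and contents are constructed inline for the demonstration.

```python
"""Backup verification check: SHA-256 manifest of a backup set, then a
comparison of a restored tree against it. Added example; the sample files
are constructed in a temporary directory and represent no real data."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large backup artefacts do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/' separated) to its SHA-256.
    Run this at backup time and keep the manifest separately from the backup,
    otherwise whatever damages the backup can damage the manifest too."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest. 'ok' is True only when every
    manifest entry is present with a matching hash; extra files are reported
    but do not fail the check on their own."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(name for name in manifest.keys() & actual.keys()
                     if manifest[name] != actual[name])
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not missing and not corrupt}


def run_demo(tamper: bool = True) -> dict:
    """Build a constructed backup set, restore it, optionally damage the
    restore, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "backup")
        (source / "records").mkdir(parents=True)
        (source / "records" / "students.csv").write_text("id,name\n1,A. Student\n")
        (source / "records" / "grades.csv").write_text("id,grade\n1,B\n")
        (source / "timetable.txt").write_text("Mon 09:00 Room 12\n")
        manifest = build_manifest(source)

        restored = Path(tmp, "restored")
        shutil.copytree(source, restored)
        if tamper:
            # Simulate a bad restore: silent alteration, a lost file and a stray file.
            (restored / "records" / "grades.csv").write_text("id,grade\n1,A\n")
            (restored / "timetable.txt").unlink()
            (restored / "stray.tmp").write_text("")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(run_demo())
```

With the tampering enabled the report names `timetable.txt` as missing and `records/grades.csv` as corrupt and sets `ok` to False; with `run_demo(tamper=False)` the report is clean. A restore test in a disaster recovery plan should run this kind of comparison after every trial restore, not just check that the backup job reported success.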
Evaluation of proposed tools for IT security
The proposed IT security tools are as follows:
Firewalls – A firewall enforces a traffic policy at one or more network layers and inspects both incoming and outgoing traffic, blocking connections the policy does not allow. This limits the paths by which malware and other threats can reach or leave the network, although a firewall on its own does not detect malicious content.
Antivirus software – This tool scans files and determines whether hidden threats are present (Al-Shomrani, Fathy and Jambi 2017). If a scan finds an infected file, the software removes or quarantines it.
Anti-spyware software – Spyware covertly monitors its victims, recording when they go online and capturing user names, passwords and other confidential data. Anti-spyware software detects and removes such programs, preventing this kind of malware from operating.
Password management software – A password manager saves time and prevents common mistakes such as storing passwords in the browser.
Task 2
Implementation of security policy
Implementing the security programme requires the organization to follow a set of security policies. The policies are:
Acceptable use policy (AUP): This policy specifies the practices an employee must follow when using IT assets to access the corporate network or the internet (Kaldor and Rangelov 2014). Before being given network access, new employees must read and sign the policy.
Change management policy: This policy applies whenever changes are made to IT systems, software under development or similar components.
Information security policy: This policy sets the rules employees must follow when accessing organizational information over the networks.
Incident response policy: This policy defines the approach by which the organization manages an incident and limits its impact on operational activities.
Email/communication policy: This policy gives employees guidance on business communication through email, blogs, social media and similar channels.
Disaster recovery policy: This policy combines cyber security requirements with input from the IT teams to develop the wider business continuity plan.
References
Al-Shomrani, A., Fathy, F. and Jambi, K., 2017, March. Policy enforcement for big data
security. In 2017 2nd International Conference on Anti-Cyber Crimes (ICACC) (pp. 70-74).
IEEE.
Goldthau, A. and Sitter, N., 2015. Soft power with a hard edge: EU policy tools and energy
security. Review of International Political Economy, 22(5), pp.941-965.
Han, J., Kim, Y.J. and Kim, H., 2017. An integrative model of information security policy
compliance with psychological contract: Examining a bilateral perspective. Computers &
Security, 66, pp.52-65.
Hsu, J.S.C., Shih, S.P., Hung, Y.W. and Lowry, P.B., 2015. The role of extra-role behaviors
and social controls in information security policy effectiveness. Information Systems
Research, 26(2), pp.282-300.
Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the
effects of socialisation, influence, and cognition. Information & Management, 51(1), pp.69-
79.
Kaldor, M. and Rangelov, I. eds., 2014. The handbook of global security policy. John Wiley
& Sons.
Kim, S.H., Yang, K.H. and Park, S., 2014. An integrative behavioral model of information
security policy compliance. The Scientific World Journal, 2014.
Li, L., He, W., Xu, L., Ivan, A., Anwar, M. and Yuan, X., 2014, August. Does explicit
information security policy affect employees' cyber security behavior? A pilot study. In 2014
Enterprise Systems Conference (pp. 169-173). IEEE.
Putri, F.F. and Hovav, A., 2014. Employees compliance with BYOD security policy: Insights
from reactance, organizational justice, and protection motivation theory.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance
model in organizations. Computers & Security, 56, pp.70-82.
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees' adherence to information
security policies: An exploratory field study. Information & Management, 51(2), pp.217-224.
Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing
information security policy compliance. Information Management & Computer Security.