CP60028E: Computer Security Policy and Standards Analysis Report
VerifiedAdded on 2023/01/18
AI Summary
This report delves into the critical aspects of computer security, beginning with a definition of the security policy framework and its importance in safeguarding data, the most valuable asset in today's world. It then outlines and analyzes five key IT security policies: Acceptable Use Policy (AUP), Disaster Recovery/Business Continuity Plan (DR/BCP), Change Management, Information Security, and Remote Access. The report further explores IT security standards, providing detailed explanations and advantages/disadvantages of three key standards: ISO/IEC 27001:2013, NIST special publication 800-171 series, and COBIT 5. The report concludes with a discussion of regulatory compliance, specifically highlighting GDPR, and offers recommendations for maintaining robust IT security. The report emphasizes the need for organizations to proactively manage security risks and ensure compliance with relevant regulations.

Running head: COMPUTER SECURITY
Computer Security
Name of the student:
Name of the university:
Author note:
Table of Contents
Security policy framework
List of 5 threat policies
IT security standards
2-3 IT security standards with explanation
Regulatory Compliance for IT security
Recommendation
Conclusion
References
Security policy framework
Definition:
Data is the most valuable asset in today's world, and for this reason alone it is important to maintain the security of data. Data breaches and failures in providing security measures can result in economic risk across the world. Considering the importance of maintaining the security of the nation and its economy, an executive order was released by the president of the United States in order to take measures to reduce cyber threats (Atoum, Otoom and Abu Ali 2014). A cyber security framework helps an organisation to better understand, manage and reduce its cyber security risks. It assists in deciding which activities are most significant for assuring critical operations and service delivery, which in turn helps in prioritising investments and maximising the impact of each dollar spent on cyber security (Piro, Boggia and Grieco 2014). It results from a shift from compliance to action and specific outcomes, by providing a shared language for discussing cyber security risk management.
A cyber security framework is a type of guidance that is adopted voluntarily, based on the existing standards, practices and guidelines of organisations, in order to better manage security risks.
List of 5 threat policies:
While signing contracts with clients it is often seen that IT security policies are the major concern. In most cases the problem is either an outdated IT security policy or a policy that is not aligned with the desired IT policy frameworks. To understand the purpose and foundation of data governance, there are some top-level IT security policies that need to be followed. Five of these top IT security policies are described below:
1. AUP (Acceptable Use Policy):
This IT threat policy is meant to inform users about the acceptable use of technologies. The Acceptable Use Policy is a platform for all employees whose purpose is to set out the rules that need to be followed when using information technology. This policy covers almost all corporate resources, including host computers, application servers, mail servers, file servers, communication servers, fax servers and various computer networks (Isaacs et al. 2014). Following this policy requires consulting the legal department of the specified company in order to create and publish the policy so that it has an impact on the corporation. The standard for following the Acceptable Use Policy may differ from company to company.
Some of the sub-policies that need to be followed under the AUP include:
- Access
- No expectation of privacy
- Responsibility for passwords
- Legitimate business purpose
- Communication of trade secrets
2. DR/BCP
The Disaster Recovery / Business Continuity Plan policy helps to assure that the business has a real-time risk management facility. The policy includes responding to denial of service attacks, fires, floods, hurricanes or any other type of potential disruption to services (Alshammari and Alwan 2016). The business continuity policy seeks to keep the business running in every situation and thus
results in redundancy of systems and personnel plans. The disaster recovery policy helps in recovering from disruptive attacks on services.
Some of the sub-policies that need to be followed under this policy, as listed by SunGard, are:
- Recovery tasks: this sub-policy provides a list of specific activities needed to recover and to support each of the strategies outlined in this section.
- Personnel recovery: this sub-policy includes identifying the specific people who are involved in the business continuity plan.
- Timeline plan: this sub-policy includes a main body that lays out the steps needed to carry out the activity plans.
- Critical resource requirements: this part of the policy includes detailed requirements for resources in terms of quantity.
3. Change management:
This type of IT threat policy helps to assure that changes in the organisation are managed, tracked and approved. This policy also helps in identifying whether systems are updated, replaced or modified (Doppelt 2017). If a firewall is implemented within a company's software without following the change management policy, it may stop the business's traffic and cause unexpected data loss (Trautman 2015). The change management policy deliberately slows the business process so that a proper plan is made to assess the change and its potential impact on the corporate systems. The change management policy includes all external vendors and personnel who are given access for defining, designing and producing software and systems.
Change management includes some sub-policies, which include:
- Managing identity and reviewing infrastructure networks and their associated risks and vulnerabilities.
- The policy includes network topologies that maintain and describe the connection points, hardware components and services.
4. Information security
The information security IT policy lays the foundation of the risk management programme within an enterprise, including its processes, technologies and people. The information technology security policy serves the purpose of defining the management, technology and personnel within the structure of the programme (Mbowe et al. 2014). The most important aspect of this policy is defining the role of the IT manager or security analyst, by defining the environment and its scope and the responsibilities of the employees and the organisation.
Some of the sub-policies of the information security policy include:
- System access control
- Password policy
- User ID insurance for access to corporate information
- Anonymous user IDs
- Information access
5. Remote access
The main purpose of this IT security policy is to define the standards for connecting to the company's network from any host (Braun 2015). These standards are created to minimise the potential damage to the company from exposure resulting in unauthorised use of the company's resources (Safa, Von Solms and Furnell 2016). The policy applies to all employees, vendors and agents within the company connecting to other workstations on the company's network.
The sub-policies under this policy include:
- The responsibility of employees, contractors, agents and vendors of the company to ensure that remote access to the company's network is handled consistently with access by the company's on-site users (Zomers 2014).
- The policy also does not permit household members to use the company's network for recreational Internet access (Kalaiprasath, Elankavi and Udayakumar 2017).
- The policy also states that no employee of the company should give their email ID or password to any other member of the company.
IT security standards
It is important to maintain IT security standards while developing the guidelines for implementing IT security policies in IT projects. IT security standards are techniques that are published in an attempt to safeguard the cyber environment of any organisation.
2-3 IT security standards with explanation
Standard 1: ISO/IEC 27001:2013:
The ISO/IEC 27001:2013 standard for information security management systems includes ten short clauses along with a long annex. Certification can be applied for with any accredited certification body, but before applying this standard in any certification process the organisation needs to go through a formal auditing process. The standard adopts a process-oriented approach for establishing, implementing, operating, monitoring and maintaining the Information Security Management System.
Advantages:
The ISO/IEC 27001:2013 standard provides a framework for managing the security system of a company. It has the following advantages:
- It protects the information of clients and employees.
- It effectively manages the risks related to information security.
- It is extremely beneficial in achieving compliance with regulations such as the European Union General Data Protection Regulation (EU GDPR).
- It also helps in protecting the brand image of the company.
- It also helps in maintaining the confidentiality of the information that is stored.
- The ISO/IEC 27001:2013 standard also gives stakeholders and customers confidence that risks are being managed.
- It also allows information to be exchanged securely.
- The standard also helps in enhancing customer satisfaction and improving client retention.
Disadvantages:
The drawbacks of the ISO/IEC 27001:2013 standard include:
- It has its own design, targets and metrics that need to be followed.
- It often misleads customers.
- Implementing this standard is somewhat time consuming and has high project costs.
- The standard is restricted to businesses only.
- The standard is limited in consumer awareness.
Standard 2: NIST special publication 800-171 series
The NIST Special Publication 800-171 series is a computer security report addressing the general guidelines and outcomes of research based on computer security studies
that are conducted by industry, academia and governments (Shackelford et al. 2015). This security standard is currently adopted by the Department of Defense through clause 252.204-7012.
Advantages:
- The NIST 800-171 standard delivers a set of strategies that help in meeting the needs of the company by safeguarding its information (Johnson et al. 2016).
- The requirements recommended in this standard are generally derived from FIPS Publication 200 together with the security control baseline of NIST Special Publication 800-53 (Almuhammadi and Alsaleh 2017).
- It covers the security control features of US federal information systems.
- Unlike other security standards, it is one of the first standards to have an impact on subcontractors in addition to prime contractors.
Disadvantages:
- By complying, it is assumed that organisations will have fewer risk issues, but implementing this standard does not help in measuring the risks.
- The standard can show directional improvement but is unable to display improvement in ROI.
- Without a proper report on the level of risk, there is no guidance for the company on the tiers.
Standard 3: COBIT 5
This IT security standard stands for Control Objectives for Information and Related Technology. It was developed by ISACA for IT governance and management. One of the important aspects of the COBIT standard is that it provides a set of controls in order to mitigate risks (Mangalaraj, Singh and Taneja 2014). In order to complement the
COBIT standard, the Risk IT framework, also developed by ISACA, is often used in order to mitigate all types of cyber threats that are faced while using IT.
Advantages:
The advantages of COBIT 5 include:
- It helps in maintaining high-quality information to support business decisions.
- It helps in achieving the strategic goals of the business and in realising business benefits through the effective and innovative use of IT.
- The COBIT 5 standard also helps in achieving operational excellence through the reliable and efficient application of technology.
- It also helps in supporting compliance with applicable laws, agreements, guidelines and plans.
Disadvantages:
The disadvantages of COBIT 5 include:
- It has a complicated concept and structure.
- It lacks implementation guidelines and proven benefits. It does not provide a concrete method or guidelines to help the organisation.
- Keeping the COBIT standard up to date with organisational changes is somewhat time consuming.
Regulatory Compliance for IT security
In today's world, with everything being driven by data, it is important to have IT security compliance in order to secure data.
The most common regulatory compliance requirements include:
1. GDPR, or General Data Protection Regulation, which aims to protect citizens from data loss. It applies to almost every company residing in the EU but can also apply to other companies.
2. CIA Act: the Central Intelligence Agency Act of 1949 was passed to meet the protection of data through the security of the CIA.
Recommendation:
Cyber threats are the major concern arising in today's world, and business organisations face most of these cyber threats, which often lead to loss of data. A few measures recommended for overcoming these cyber threats include:
1. Understanding the importance of sensitive data.
2. Educating employees about recent cyber threats such as distributed denial of service attacks, phishing, spoofing, ransomware, password cracking and many more.
3. Organisations should adopt proper IT security policies following suitable IT security standards.
4. Hardware should be secured by locking down computers and servers.
5. If needed, business organisations should hire security experts to safeguard their data.
Conclusion
Thus, from the above report it can be concluded that with the proliferation of data and the types of data that people use, it is important to protect business organisations from the cyber security threats that are emerging nowadays. As most business organisations are moving to online platforms, it has become easier for potential hackers to
reach the customer base and steal credentials from their accounts, causing threats like scams and various security risks such as denial of service attacks, phishing, ransomware and many more. Thus, business organisations need to take the necessary steps to put in place an effective cyber security plan using various policies and standards, and hence protect their business lines from being disrupted by being hacked.