Case Study: Cyber Security Frameworks, Legislation and Risk Assessment

Added on 2020/07/23

A Case Study in Cyber Security
TABLE OF CONTENTS
INTRODUCTION
Recommendations and available frameworks for cyber security
Legislation and frameworks that are essential for the information security professionals
Long term initiatives for encouraging positive changes for assessing security risk and maintaining privacy in a corporate environment
Risk assessment methodologies
Comparison of the methodologies
CONCLUSION
REFERENCES
INTRODUCTION
Cyber security is the set of technologies and practices designed to provide a standard level of protection for programs, data and information against any kind of attack (Pfleeger and Caputo, 2012). It matters because an attacker may try to break into a person's account in order to gain access to their personal data; cyber security is the means of preventing such unauthorised access to information, data or programs. This report covers the frameworks and legislation associated with cyber security, together with recommendations that professionals can follow. Security risk assessment methodologies for an efficient and appropriate mapping of the threat landscape have also been included.
Recommendations and available frameworks for cyber security
There are various practices that cyber security professionals can adopt to bring about positive change; these are discussed below.
Updates are a must
The cyber awareness programs implemented by cyber security professionals need to be updated on a regular basis. A program that has not been updated for a long time is of little value, because hackers and attackers constantly find new ways to break in or obtain data. To deal with these new methods, the professionals must also move on to new and updated practices. In this way the processes and actions of the cyber security professionals can produce much better and more positive results.
Ensuring complete executive support
The professionals must have the proper support of management and the executives, because implementing updated measures obviously requires support and resources. Cyber security professionals should also try to detect internal threats, since sometimes an organisation's most valued asset turns out to be its biggest risk factor. So, alongside trained staff, technology can be the first priority and the main tool for dealing with internal threats.
Beware of social engineering tactics
Although strong security controls help to protect data, attackers use a great many ways and tactics to obtain someone's login ID or password (O'Connell, 2012). The professionals should therefore put in place ways to track which account has been compromised, so that whenever an account is hacked, proper measures are taken immediately by the professionals and no data can be transferred from that account to another.
Legislation and frameworks that are essential for the information security professionals
There are various pieces of legislation and policies made for the purpose of maintaining proper and secure access to data and information; some well-known examples are discussed below. These can also be used as a base when the professionals develop their own proposals.
Control Objectives for Information and Related Technology (COBIT)
COBIT is a very well-known foundational framework developed by ISACA, the IT governance body and its professionals. The framework was originally started on the strength of the fact that technical risks can be minimised to a large extent; after its adoption, COBIT also began to incorporate strategic goals. At present it is considered one of the basic frameworks used by information security and cyber security professionals.
ISO 27001
ISO 27001, also referred to as ISO/IEC 27001, is a framework and also a specification for an information security management system (ISMS). It is regarded as one of the well-known foundational frameworks, and it covers a wide range of policies and controls. Whether the concern is technical, legal or physical access, it is capable of managing all of them, and it includes the whole risk management process. The 27001 standard contains 114 controls spread over 14 groups, along with 35 control objectives.
Federal Information Security Modernization Act 2014 (FISMA)
The Act provides key standards and regulations that focus on making security programs cost effective, so that organisations can run more of them. These programs are entirely based on a risk-based approach to information security. The Act also holds that following this framework leads to changes that are more consistent and appropriate, and that the resulting programs are more secure than other security programs.
Long term initiatives for encouraging positive changes for assessing security risk and
maintaining privacy in a corporate environment
Various steps for assessing the risks in cyber security programs are discussed below:
The first step is to analyse completely the different types of information being managed in the workplace. This must include all the sensitive items, such as mobile numbers, social security numbers, credit and debit card details, records and all other essential information and data. On this basis a priority list is made of which items require the most protection. This is the first step of the security risk assessment.
The second step is to analyse properly where each specific item is located on the organisation's assets. These assets may include laptops, desktop computers, removable devices, databases, hard disks and so on. It is very important to know exactly where these data files reside.
The third step is the classification of the information assets. This can be done by ranking the data by priority: at number 1, basic information such as contact information and financial documents; at number 2, general workplace policies; at number 3, all sufficiently sensitive data such as business and strategic plans together with important agreements that have not yet been disclosed (Amin et al., 2013); at number 4, all compensation data; and at number 5, employee records and the like.
The fourth step is to carry out a threat analysis. For rating the threats, cyber security professionals can use the STRIDE method, as it is efficient and capable of dealing with high-level threats (Von Solms and Van Niekerk, 2013).
The final step is to confirm the information and implement the plan. A proper and appropriate plan will help in managing all these risks and so leads to an efficient security risk assessment.
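As an added example that is not part of the original report, the five steps above can be carried out as a small risk register in Python: each asset records its information type (step 1), its location (step 2) and its class 1 to 5 (step 3), its threats are rated per STRIDE category (step 4) on an assumed 1 to 5 likelihood and impact scale, and the register is ranked to drive the plan (step 5). The sample inventory, the rating scales and the mapping from STRIDE category to control family are constructed assumptions, not taken from the page.

```python
from dataclasses import dataclass

# Assumed mapping from the dominant STRIDE category (Spoofing, Tampering,
# Repudiation, Information disclosure, Denial of service, Elevation of
# privilege) to the control family the plan in step 5 should start from.
CONTROL_FOR = {"S": "strong authentication (MFA)", "T": "integrity checks and signing",
               "R": "tamper-evident audit logging", "I": "encryption and access control",
               "D": "redundancy and rate limiting", "E": "least privilege and patching"}

@dataclass
class Asset:
    name: str            # step 1: the information type being managed
    location: str        # step 2: where the data actually lives
    classification: int  # step 3: class 1..5 from the list above
    threats: dict        # step 4: STRIDE letter -> (likelihood, impact), each 1..5

def validate(asset: Asset) -> None:
    """Reject records that do not follow the assumed 1..5 scales or STRIDE letters."""
    if not 1 <= asset.classification <= 5 or not asset.threats:
        raise ValueError(f"{asset.name}: classification must be 1..5 and threats non-empty")
    for letter, (likelihood, impact) in asset.threats.items():
        if letter not in CONTROL_FOR or not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"{asset.name}: bad STRIDE rating {letter}")

def worst_threat(asset: Asset) -> tuple:
    """Return the STRIDE letter with the highest likelihood*impact and that score."""
    validate(asset)
    letter = max(asset.threats, key=lambda k: asset.threats[k][0] * asset.threats[k][1])
    likelihood, impact = asset.threats[letter]
    return letter, likelihood * impact

def prioritise(assets: list) -> list:
    """Step 5: rank assets by their worst threat, highest first, with the control to plan."""
    ranked = [(a.name, *worst_threat(a)) for a in assets]
    return sorted(((n, s, CONTROL_FOR[l]) for n, l, s in ranked), key=lambda r: (-r[1], r[0]))

# Constructed sample inventory (not from the page) recorded following the five steps.
INVENTORY = [
    Asset("customer card details", "payments database", 1, {"I": (4, 5), "T": (2, 4)}),
    Asset("workplace policies", "intranet wiki", 2, {"T": (2, 2), "D": (3, 1)}),
    Asset("undisclosed strategic plan", "executive laptops", 3, {"I": (3, 5), "S": (3, 4)}),
    Asset("employee records", "HR file server", 5, {"I": (3, 4), "E": (2, 4)}),
]

if __name__ == "__main__":
    for name, score, control in prioritise(INVENTORY):
        print(f"{score:2d}  {name:28s} -> {control}")
```

The ranking uses the single worst STRIDE threat per asset so that one severe exposure is not hidden by averaging over several minor ones.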
Risk assessment methodologies
There are various methodologies that can provide a better and more efficient mapping of the threat landscape. Among them, the information risk assessment methodology has been broken down into a few steps, which are discussed below:
Focusing on applying a simple approach: This is considered a better approach because it makes for a better assessment process. When the factors are complex, things can become complicated as well, so to avoid that the professionals can use simple and easy steps to carry out the process. All of this is done to support appropriate decision making that leads to positive results.
Focus on the basic perspective: Guidance is given to the people performing the analysis from the actual perspective, because the end outcome will only be a risk profile, which helps in analysing the actual risk.
Obtaining wider coverage: The professionals can put in place various means so that an access attempt is tracked at the very moment a hacker or attacker tries to access some information or an account. Cyber attackers often use techniques that automatically capture a login ID and password: when the person enters the specified information, it is copied to another link that the attackers have set up (Ericsson, 2010). In this way the hackers obtain that information and gain access to all the data held inside the account. Thus, if the professionals put in place some way of catching the first attempt or access, it can help in protecting the whole of the data.
Engaging with stakeholders: Although cyber security professionals are capable enough to develop and implement a great many measures on their own, help and support from the stakeholders allows the measures to be implemented in a better and more systematic manner. The stakeholders and the professionals can therefore arrive, after an appropriate decision making process, at a final outcome, and that outcome can be considerably more positive for managing the situation.
Along with these approaches, there are various risk assessment tools as well that can be used to assess the risk in advance, so that proper preventive measures can be taken.
Comparison of the methodologies
When comparing the methodologies, it can be seen that engaging with the stakeholders works better than focusing on perspectives, because involving stakeholders and other associated people actually provides a form of support to the professionals (Klimburg, 2012). One mind may have one or two ideas, but it is obvious that many minds can have a great many ideas. A meeting can therefore be held to analyse all the factors and, on that basis, settle on the one that is the most suitable and relevant. This in turn helps in analysing and evaluating the best and most suitable processes for protecting the data from any hacker or other form of unauthorised access. Thus, every single methodology has a different influence, and each has an impact on the operations and procedures of cyber security.
CONCLUSION
It can be concluded from the report that cyber security is a very important part of technology, providing high quality and standard services to protect information and data from any kind of unauthorised access or external factor. Various frameworks and pieces of legislation have been included that cyber security professionals can consider in bringing about positive change, and various methodologies have been covered as well. Various recommendations have also been included in order to make the processing of operations more efficient and appropriate.
REFERENCES
Books and Journals
Amin, S. et al., 2013. Cyber security of water SCADA systems—Part I: Analysis and experimentation of stealthy deception attacks. IEEE Transactions on Control Systems Technology, 21(5), pp.1963-1970.
Ericsson, G. N., 2010. Cyber security and power system communication—essential parts of a smart grid infrastructure. IEEE Transactions on Power Delivery, 25(3), pp.1501-1507.
Klimburg, A. ed., 2012. National cyber security framework manual. NATO Cooperative Cyber Defense Center of Excellence.
O'Connell, M. E., 2012. Cyber security without cyber war. Journal of Conflict and Security Law, 17(2), pp.187-209.
Pfleeger, S. L. and Caputo, D. D., 2012. Leveraging behavioral science to mitigate cyber security risk. Computers & Security, 31(4), pp.597-611.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp.97-102.