A4A Organization: Information Security Management Guidelines Report
VerifiedAdded on 2020/03/23
|20
|4570
|189
Report
AI Summary
This report provides comprehensive information security management guidelines for the A4A organization, focusing on the transition to a technology-based system and the associated risks. It covers establishing context, risk assessment frameworks, and applying ISO 31000 standards. The report details the importance of Australian privacy laws, risk management overviews, and the identification and assessment of risks related to cloud integration and outsourcing. It emphasizes the need for a structured approach to risk management, including determining risk tolerance, mapping risks, evaluating potential consequences, and selecting appropriate treatment options. The report concludes with a discussion on communication, consultation, risk monitoring, and review to ensure the ongoing security and integrity of A4A's data and information.
Running head: INFORMATION SECURITY MANAGEMENT GUIDELINES
Information Security Management Guidelines
Name of the Student
Name of the University
Author Note
Information Security Management Guidelines
Name of the Student
Name of the University
Author Note
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1
INFORMATION SECURITY MANAGEMENT GUIDELINES
Executive Summary
The purpose of this report is to provide guidelines on improving the information security for the
organization and introduce and effective and efficient information security risk assessment
management for A4A organization. A4A is about to transform it’s traditional of data and
information into computerized based methods using information technology. These guidelines
cover from context establishment to the risk assessment management. An overview over this risk
assessment management has been introduced in this report that emphasis on the various steps
that could be helpful in successful implementation of the risk assessment processes. This report
also emphasis on the Australian laws that could be complementary for the A4A in establishing a
better risk assessment management system regarding the safeguard of the information and data
that are critical for the organization. It is very necessary to implement an information security
risk assessment management system for enhancing the performance of the technology and taking
benefits of the technology with complete efficiency, which has also been explained in this report.
This report focuses on the determining the context for A4A in manner to pave a platform for the
whole risk assessment processes that includes risks in outsourcing, cloud storage, cloud
computing and many other risks related to the implementation of information technology into the
existing system of the organization.
INFORMATION SECURITY MANAGEMENT GUIDELINES
Executive Summary
The purpose of this report is to provide guidelines on improving the information security for the
organization and introduce and effective and efficient information security risk assessment
management for A4A organization. A4A is about to transform it’s traditional of data and
information into computerized based methods using information technology. These guidelines
cover from context establishment to the risk assessment management. An overview over this risk
assessment management has been introduced in this report that emphasis on the various steps
that could be helpful in successful implementation of the risk assessment processes. This report
also emphasis on the Australian laws that could be complementary for the A4A in establishing a
better risk assessment management system regarding the safeguard of the information and data
that are critical for the organization. It is very necessary to implement an information security
risk assessment management system for enhancing the performance of the technology and taking
benefits of the technology with complete efficiency, which has also been explained in this report.
This report focuses on the determining the context for A4A in manner to pave a platform for the
whole risk assessment processes that includes risks in outsourcing, cloud storage, cloud
computing and many other risks related to the implementation of information technology into the
existing system of the organization.
2
INFORMATION SECURITY MANAGEMENT GUIDELINES
Table of Contents
Introduction......................................................................................................................................4
Applicable Policy and Legislation...................................................................................................4
Applicable Policy.........................................................................................................................4
Australian Privacy Law...............................................................................................................5
Privacy Legislation......................................................................................................................5
Risk Management Overview...........................................................................................................5
Risk Assessment Framework.......................................................................................................5
Applying ISO 31000....................................................................................................................6
Establishment of the Context.......................................................................................................8
Determining Context for the A4A...............................................................................................8
Identifying Risk...........................................................................................................................9
How to Determine Agency Risk Tolerance.................................................................................9
Considering Factors while Determining the Cloud integration Risk.........................................10
Potential Threats While Outsourcing Information....................................................................11
Mapping Risks...........................................................................................................................12
Assessing Risk...........................................................................................................................12
Guidance on Determining Potential Consequences...................................................................13
Evaluating the Risks..................................................................................................................13
How to Consider Potential Risk Treatment Options 2795........................................................14
Communication and Consultation.............................................................................................14
Risk Monitoring and Review.....................................................................................................15
Conclusion.....................................................................................................................................15
References:....................................................................................................................................16
INFORMATION SECURITY MANAGEMENT GUIDELINES
Table of Contents
Introduction......................................................................................................................................4
Applicable Policy and Legislation...................................................................................................4
Applicable Policy.........................................................................................................................4
Australian Privacy Law...............................................................................................................5
Privacy Legislation......................................................................................................................5
Risk Management Overview...........................................................................................................5
Risk Assessment Framework.......................................................................................................5
Applying ISO 31000....................................................................................................................6
Establishment of the Context.......................................................................................................8
Determining Context for the A4A...............................................................................................8
Identifying Risk...........................................................................................................................9
How to Determine Agency Risk Tolerance.................................................................................9
Considering Factors while Determining the Cloud integration Risk.........................................10
Potential Threats While Outsourcing Information....................................................................11
Mapping Risks...........................................................................................................................12
Assessing Risk...........................................................................................................................12
Guidance on Determining Potential Consequences...................................................................13
Evaluating the Risks..................................................................................................................13
How to Consider Potential Risk Treatment Options 2795........................................................14
Communication and Consultation.............................................................................................14
Risk Monitoring and Review.....................................................................................................15
Conclusion.....................................................................................................................................15
References:....................................................................................................................................16
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
3
INFORMATION SECURITY MANAGEMENT GUIDELINES
Introduction
Following report aims at proving guidance on the information security and assessment
management for the organization A4A considering the storage of data and the way of keeping
them safer. The scope of this report is to present an information security management system for
the organization in manner to maintain the confidentiality, availability, and integrity of the data
about the operational activities and sensitive information about the employees working in the
same organization including the safety measures for the stakeholders too.
According to the case study, A4A is Non-Governmental Organization, which is going to
transform the existing system into a technology based system and about to set up information
systems to keep those data saved into the database of the systems. For this transformation
assumptions can be made that there will be need of outsourcing of Information and
Communication technology (ICT) and computers.
The guidelines provided in this report can be much efficient for the risk assessment
management and better protecting the information that is being store into the systems or in the
cloud. This is the most important aspect for all the organization, which is migrating data or
information into systems or in cloud.
Applicable Policy and Legislation
Applicable Policy
Australian Government policy promotes the PSPF and ISM for the policy related to the
information security. A4A can manage the information security with better efficiency through
the mandatory requirements that has been already stated in the PSPF. For A4A it is a very
important factor for its growth to establish a better and effective risk management for the
INFORMATION SECURITY MANAGEMENT GUIDELINES
Introduction
Following report aims at proving guidance on the information security and assessment
management for the organization A4A considering the storage of data and the way of keeping
them safer. The scope of this report is to present an information security management system for
the organization in manner to maintain the confidentiality, availability, and integrity of the data
about the operational activities and sensitive information about the employees working in the
same organization including the safety measures for the stakeholders too.
According to the case study, A4A is Non-Governmental Organization, which is going to
transform the existing system into a technology based system and about to set up information
systems to keep those data saved into the database of the systems. For this transformation
assumptions can be made that there will be need of outsourcing of Information and
Communication technology (ICT) and computers.
The guidelines provided in this report can be much efficient for the risk assessment
management and better protecting the information that is being store into the systems or in the
cloud. This is the most important aspect for all the organization, which is migrating data or
information into systems or in cloud.
Applicable Policy and Legislation
Applicable Policy
Australian Government policy promotes the PSPF and ISM for the policy related to the
information security. A4A can manage the information security with better efficiency through
the mandatory requirements that has been already stated in the PSPF. For A4A it is a very
important factor for its growth to establish a better and effective risk management for the
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4
INFORMATION SECURITY MANAGEMENT GUIDELINES
information security regarding the stored information. Risk management process can be achieved
only if these processes and systems becomes the integral part of A4A’s culture, operational, and
practices plans (Sylves 2014). There should be governance processes in manner to mitigate these
risks rather than building a proactive security system to manage the information security. The
risks should be identified at its very early stage and proper precautions should be taken regarding
elimination of the identified risks.
Australian Privacy Law
Regulation and handling of data and information of the A4A can be managed through the
set thirteen Australian Privacy Principles (APPs) those have been introduced within the Privacy
Act 1988. It emphasis on the privacy of the information of employees of the organization that are
very sensitive and personal to them (Arregui, Maynard and Ahmad 2016). Very personal
information should be determined by the A4A and that information should be handled according
to the principles of the APPs.
Privacy Legislation
Pieces of legislations applicable to this privacy legislations policy are: Firstly, Archives
Act 1983, secondly, Freedom of Information Act 1982, and lastly, Privacy Act 1988 (Zetler
2015).
Risk Management Overview
Risk Assessment Framework
Framework for the risk assessment can be referred to the set of guidelines that can be
applicable in assessing the risks based on the existing framework defined by the Australian
Standards AS/NZS ISO 31000:2009 Risk management and HB 167:2006 Security Risk
INFORMATION SECURITY MANAGEMENT GUIDELINES
information security regarding the stored information. Risk management process can be achieved
only if these processes and systems becomes the integral part of A4A’s culture, operational, and
practices plans (Sylves 2014). There should be governance processes in manner to mitigate these
risks rather than building a proactive security system to manage the information security. The
risks should be identified at its very early stage and proper precautions should be taken regarding
elimination of the identified risks.
Australian Privacy Law
Regulation and handling of data and information of the A4A can be managed through the
set thirteen Australian Privacy Principles (APPs) those have been introduced within the Privacy
Act 1988. It emphasis on the privacy of the information of employees of the organization that are
very sensitive and personal to them (Arregui, Maynard and Ahmad 2016). Very personal
information should be determined by the A4A and that information should be handled according
to the principles of the APPs.
Privacy Legislation
Pieces of legislations applicable to this privacy legislations policy are: Firstly, Archives
Act 1983, secondly, Freedom of Information Act 1982, and lastly, Privacy Act 1988 (Zetler
2015).
Risk Management Overview
Risk Assessment Framework
Framework for the risk assessment can be referred to the set of guidelines that can be
applicable in assessing the risks based on the existing framework defined by the Australian
Standards AS/NZS ISO 31000:2009 Risk management and HB 167:2006 Security Risk
5
INFORMATION SECURITY MANAGEMENT GUIDELINES
Management, and principles, and guidelines (Saint-Germain 2015). This is a subjective process
for all the organizations and in this case A4A should make sure that the process that is about to
be defined for the risk management should be justifiable, transparent, and documented.
Assessing risks on the basis of framework can be helpful in many objectives like risk tolerance
identification, identifying particular risk with each employee, and managing the risks as per the
priority of the types of information and about the information related to the assets those are being
stored in the system. Another beneficial aspect is that appropriate decision making can be made
based on the type of risk.
Applying ISO 31000
The risk assessment process should be consistent with the standard for the successful
management of the risk assessment. The whole process can be divided in to five steps and should
be executed accordingly after each step that can be listed as:
Establishing Context
Under this step the external and internal influences should be addressed those could have the
potential to impact the implementation of this management system in the existing system directly or
indirectly (Draper and Ritchie 2014).
Identifying Risks
After the completion of the first step there should be proper development of the robust list for the
risks that has been identified that could have the potential to affect the working of the organization as that
of in the first strep. Risks identifying could be first step towards arranging mitigation processes in context
with the risks.
Assessing Risks
INFORMATION SECURITY MANAGEMENT GUIDELINES
Management, and principles, and guidelines (Saint-Germain 2015). This is a subjective process
for all the organizations and in this case A4A should make sure that the process that is about to
be defined for the risk management should be justifiable, transparent, and documented.
Assessing risks on the basis of framework can be helpful in many objectives like risk tolerance
identification, identifying particular risk with each employee, and managing the risks as per the
priority of the types of information and about the information related to the assets those are being
stored in the system. Another beneficial aspect is that appropriate decision making can be made
based on the type of risk.
Applying ISO 31000
The risk assessment process should be consistent with the standard for the successful
management of the risk assessment. The whole process can be divided in to five steps and should
be executed accordingly after each step that can be listed as:
Establishing Context
Under this step the external and internal influences should be addressed those could have the
potential to impact the implementation of this management system in the existing system directly or
indirectly (Draper and Ritchie 2014).
Identifying Risks
After the completion of the first step there should be proper development of the robust list for the
risks that has been identified that could have the potential to affect the working of the organization as that
of in the first strep. Risks identifying could be first step towards arranging mitigation processes in context
with the risks.
Assessing Risks
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6
Control risksEvaluate RisksAnalyze riskIdentify riskEstablished Context
Consultation and communication
Monitor and Review
INFORMATION SECURITY MANAGEMENT GUIDELINES
This is the third step that discusses the main objective but can only be achieved successfully after
the completion of first two steps. This includes assessing the risks comparing it with the impact,
tolerances, and likelihood of the identified risks on the performance of the organization.
Selecting Treatments
Selection of the proper treatments for the risks should be given the same priority as the above
steps that includes providing control to the identified risk assessment strategies those been collected
through the above steps.
Developing overall Risk Assessment
Development of overall risk assessment is the final step in addressing the risks and mitigating the
threats through summarizing the identified risks in accordance with the control on the steps mentioned
above. Following is a diagram that can be better explainable for the risk assessment processes.
Figure 1: Risk Assessment Process
(Source: Created by Author)
Control risksEvaluate RisksAnalyze riskIdentify riskEstablished Context
Consultation and communication
Monitor and Review
INFORMATION SECURITY MANAGEMENT GUIDELINES
This is the third step that discusses the main objective but can only be achieved successfully after
the completion of first two steps. This includes assessing the risks comparing it with the impact,
tolerances, and likelihood of the identified risks on the performance of the organization.
Selecting Treatments
Selection of the proper treatments for the risks should be given the same priority as the above
steps that includes providing control to the identified risk assessment strategies those been collected
through the above steps.
Developing overall Risk Assessment
Development of overall risk assessment is the final step in addressing the risks and mitigating the
threats through summarizing the identified risks in accordance with the control on the steps mentioned
above. Following is a diagram that can be better explainable for the risk assessment processes.
Figure 1: Risk Assessment Process
(Source: Created by Author)
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7
INFORMATION SECURITY MANAGEMENT GUIDELINES
Establishment of the Context
Establishing context puts emphasis on the addressing the assessment processes that needs
to be implemented with the system of A4A in manner to address the security, strategic and
organizational risk management contexts for eliminating the risks that are going to be identified
throughout the whole risk management system (Whittman and Mattord 2013). The security risk
assessment will be covering all the facets of the activities or functions of the organization during
these processes. The risk assessment management processes should be according to the
prevailing and emerging environment for the risks. This will provide platform for the whole
managerial processes for the risk assessment that makes it a very critical objective for its
successful execution.
Determining Context for the A4A
Determination of context for the A4A can be for improving and promoting security of the
internal environment in which the organization is willing to achieve its goals. Objectives for the
successful completion of this section can be listed as:
Extent and contractual relationships’ nature.
The organizational structure, accountabilities, governance, roles and responsibilities of
the designated employees of the A4A.
Overall working culture and security culture of the A4A.
Values, relationship, and Perception with the internal stakeholders.
Consideration of proper Policies and objectives and the strategies that are being made to
achieve the assessments successfully (Wensveen 2016).
Information system and flows including the processes of decision-making
INFORMATION SECURITY MANAGEMENT GUIDELINES
Establishment of the Context
Establishing context puts emphasis on the addressing the assessment processes that needs
to be implemented with the system of A4A in manner to address the security, strategic and
organizational risk management contexts for eliminating the risks that are going to be identified
throughout the whole risk management system (Whittman and Mattord 2013). The security risk
assessment will be covering all the facets of the activities or functions of the organization during
these processes. The risk assessment management processes should be according to the
prevailing and emerging environment for the risks. This will provide platform for the whole
managerial processes for the risk assessment that makes it a very critical objective for its
successful execution.
Determining Context for the A4A
Determination of context for the A4A can be for improving and promoting security of the
internal environment in which the organization is willing to achieve its goals. Objectives for the
successful completion of this section can be listed as:
Extent and contractual relationships’ nature.
The organizational structure, accountabilities, governance, roles and responsibilities of
the designated employees of the A4A.
Overall working culture and security culture of the A4A.
Values, relationship, and Perception with the internal stakeholders.
Consideration of proper Policies and objectives and the strategies that are being made to
achieve the assessments successfully (Wensveen 2016).
Information system and flows including the processes of decision-making
8
INFORMATION SECURITY MANAGEMENT GUIDELINES
Standards, guidelines, and models adopted by the organization for the betterment in the
security of the information.
The Strategic Context of Outsourcing
The strategic contexts relevant to the situation should be considered by the A4A in
manner to implement a successful risk assessment management processes. Other than above
stated objectives it should include the Australian regulation, Australian legislation and Australian
policies in manner to increase the information security and make the system list risk affected
system (Peppard and Ward 2016).
Identifying Risk
This section explains the comprehensively determination of the sources of risks that have
the potential to impact the information that are being stored in the system and alternatively affect
the performance of the organization. The identified issues should be well described for the heads
or the executives who are going to take decisions for this management system. The information
or data should be categorized on the basis of integrity, availability, and confidentiality and the
A4A risk management team should give priority to the risks on this determination or
classification (Webet al. 2014). In the AS/NZS 4360:2004, definition of the risk is “The chance
of something happening that will have an impact on the objectives”.
INFORMATION SECURITY MANAGEMENT GUIDELINES
Standards, guidelines, and models adopted by the organization for the betterment in the
security of the information.
The Strategic Context of Outsourcing
The strategic contexts relevant to the situation should be considered by the A4A in
manner to implement a successful risk assessment management processes. Other than above
stated objectives it should include the Australian regulation, Australian legislation and Australian
policies in manner to increase the information security and make the system list risk affected
system (Peppard and Ward 2016).
Identifying Risk
This section explains the comprehensively determination of the sources of risks that have
the potential to impact the information that are being stored in the system and alternatively affect
the performance of the organization. The identified issues should be well described for the heads
or the executives who are going to take decisions for this management system. The information
or data should be categorized on the basis of integrity, availability, and confidentiality and the
A4A risk management team should give priority to the risks on this determination or
classification (Webet al. 2014). In the AS/NZS 4360:2004, definition of the risk is “The chance
of something happening that will have an impact on the objectives”.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
9
Intolerable risk
Scope for A4A
Tolerable risk
Increasing risk
Incapacity to manage
INFORMATION SECURITY MANAGEMENT GUIDELINES
How to Determine Agency Risk Tolerance
Figure 2: Risk Tolerance
(Source: Created by author)
The risk tolerance can be identified during the execution of ‘Establishing the context’
step at its very early stage as it fully dependent on the context of the organization and the heads
of the organizational structure. Risk Tolerance is nothing but the sum of risk appetite of A4A
that is based on the principle of risk management to the extent level (Boyens et al. 2014). The
risk tolerance determination can allow the organization to raise scope of innovative and flexible
business practices. The risk tolerance can be manipulated or affected through changing the
evolution criteria that results in variable factors for the risk management by the heads of the A4A
and that will depend upon: First political expectations and sensitivities, and prevailing, Second
factor is the incident security nature like terrorist attack etc. Third factor is the existence or
emergence of trends in security like data breaches, trusted insider, cyber-attacks etc.
Considering Factors while Determining the Cloud integration Risk
While integrating Cloud storage system within the existing system of the organization, it
is important to establish context regarding the cloud implementation. This can be helpful in
Intolerable risk
Scope for A4A
Tolerable risk
Increasing risk
Incapacity to manage
INFORMATION SECURITY MANAGEMENT GUIDELINES
How to Determine Agency Risk Tolerance
Figure 2: Risk Tolerance
(Source: Created by author)
The risk tolerance can be identified during the execution of ‘Establishing the context’
step at its very early stage as it fully dependent on the context of the organization and the heads
of the organizational structure. Risk Tolerance is nothing but the sum of risk appetite of A4A
that is based on the principle of risk management to the extent level (Boyens et al. 2014). The
risk tolerance determination can allow the organization to raise scope of innovative and flexible
business practices. The risk tolerance can be manipulated or affected through changing the
evolution criteria that results in variable factors for the risk management by the heads of the A4A
and that will depend upon: First political expectations and sensitivities, and prevailing, Second
factor is the incident security nature like terrorist attack etc. Third factor is the existence or
emergence of trends in security like data breaches, trusted insider, cyber-attacks etc.
Considering Factors while Determining the Cloud integration Risk
While integrating Cloud storage system within the existing system of the organization, it
is important to establish context regarding the cloud implementation. This can be helpful in
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
10
INFORMATION SECURITY MANAGEMENT GUIDELINES
understanding the nature of the criticality, vulnerabilities and other potential threats or risks
related to the information that is being stored in the cloud (Rebello et al. 2015). Following are
some of the considerable facts while determining the Cloud integration risks but not limited to:
firstly, the impact on the availability, integrity, and confidentiality of the data or information of
the A4A. The picture of the unintended disclosure or the incident or event can be stated as
second aspect. Third aspect is the impact of the risks that will occur due to the outsourcing of
technologies and introducing third party. Another fact can be the types of threats and risk related
to the information or data that is being saved into the system. Lastly the impact of losing data
should also be considered while identifying the risk. An individual plan can also be considered as
they focuses only on the information security related issues and their management. 1669
Potential Threats While Outsourcing Information
Following are the threats that might affect the proper functionality of the organization:
Data Breaches: This could affect the saved data in all the aspect as data breaches put all
the information and data at the sake by allowing access to an unauthorized user (Peltier 2016).
Data Loss: Due to some technical glitches and bugs there are chances of losing the whole
data that is being saved into the systems.
Service traffic or Account Hijacking: All the operational activity is being transferred
into the information technology that will be accessible through different accounts for different
level staffs and this could be hijacked by an attempt of any intruder that could access to the data
and manipulate them without having any authority (Dhillong, Syed and Sa-Soares 2017).
INFORMATION SECURITY MANAGEMENT GUIDELINES
understanding the nature of the criticality, vulnerabilities and other potential threats or risks
related to the information that is being stored in the cloud (Rebello et al. 2015). Following are
some of the considerable facts while determining the Cloud integration risks but not limited to:
firstly, the impact on the availability, integrity, and confidentiality of the data or information of
the A4A. The picture of the unintended disclosure or the incident or event can be stated as
second aspect. Third aspect is the impact of the risks that will occur due to the outsourcing of
technologies and introducing third party. Another fact can be the types of threats and risk related
to the information or data that is being saved into the system. Lastly the impact of losing data
should also be considered while identifying the risk. An individual plan can also be considered as
they focuses only on the information security related issues and their management. 1669
Potential Threats While Outsourcing Information
Following are the threats that might affect the proper functionality of the organization:
Data Breaches: This could affect the saved data in all the aspect as data breaches put all
the information and data at the sake by allowing access to an unauthorized user (Peltier 2016).
Data Loss: Due to some technical glitches and bugs there are chances of losing the whole
data that is being saved into the systems.
Service traffic or Account Hijacking: All the operational activity is being transferred
into the information technology that will be accessible through different accounts for different
level staffs and this could be hijacked by an attempt of any intruder that could access to the data
and manipulate them without having any authority (Dhillong, Syed and Sa-Soares 2017).
11
INFORMATION SECURITY MANAGEMENT GUIDELINES
API (Application Programming Interface) and Interfaces Insecure: For circumventing the
vulnerable interfaces or security processes may be exploited through malicious attacks or
accidentally.
DOS (Denial of service): This type of risk will block the access for a user to enter the
network of the organization and do the desired work.
Insufficient Due Diligence: There should be proper consideration of the advantages and
disadvantages of implementing the new technology within the organizational infrastructure such
as Cloud storage or Cloud computing and many more.
Malicious Insider: This is related to the formal stakeholders either the employee or
contractor or any other individual who might have access to the organizational network even
after leaving the bond with the organization. There might be misused of those accounts for the
personal benefits (Luthra et al. 2014).
Shared Technology Vulnerabilities: Cloud infrastructure has been offering share the
stored data between more than one user that implies some risks related to the multi-tenant
architecture that will become the ‘must’ factor for the organization.
Mapping Risks
Mapping risk can be helpful in managing the risks separately through dividing them
according to the priority of the risks that are identified in the above steps. Emphasis should be
made on the impact of the risks that may hamper the functionality of the organization (Beckers et
al. 2013). The facts that are considerable during mapping the risks includes: identifying the areas
and the level of impacts on those sectors, frequency of the risk occurrence, the stakeholders who
will be impacted by the risks that had been identified. These are the facts but not limited to this
INFORMATION SECURITY MANAGEMENT GUIDELINES
API (Application Programming Interface) and Interfaces Insecure: For circumventing the
vulnerable interfaces or security processes may be exploited through malicious attacks or
accidentally.
DOS (Denial of service): This type of risk will block the access for a user to enter the
network of the organization and do the desired work.
Insufficient Due Diligence: There should be proper consideration of the advantages and
disadvantages of implementing the new technology within the organizational infrastructure such
as Cloud storage or Cloud computing and many more.
Malicious Insider: This is related to the formal stakeholders either the employee or
contractor or any other individual who might have access to the organizational network even
after leaving the bond with the organization. There might be misused of those accounts for the
personal benefits (Luthra et al. 2014).
Shared Technology Vulnerabilities: Cloud infrastructure has been offering share the
stored data between more than one user that implies some risks related to the multi-tenant
architecture that will become the ‘must’ factor for the organization.
Mapping Risks
Mapping risk can be helpful in managing the risks separately through dividing them
according to the priority of the risks that are identified in the above steps. Emphasis should be
made on the impact of the risks that may hamper the functionality of the organization (Beckers et
al. 2013). The facts that are considerable during mapping the risks includes: identifying the areas
and the level of impacts on those sectors, frequency of the risk occurrence, the stakeholders who
will be impacted by the risks that had been identified. These are the facts but not limited to this
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 20
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
Copyright © 2020–2025 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.