COIT20263: Designing an Information Security Program for NTN

Verified

Added on 2022/08/28

AI Summary

This report focuses on designing an information security program for NTN, a private nursing school. It begins with an executive summary and table of contents, followed by an introduction that outlines the need for a security program to protect sensitive student and patient data. The discussion section delves into information security risk management, including asset identification and assessment (physical and non-physical assets), risk analysis, and the identification of threats, challenges, and vulnerabilities. The report also covers disaster recovery and business continuity planning, security strategies, and recommended controls. Furthermore, it addresses guidelines for information security certification and accreditation, identifying relevant bodies and security measures. The report concludes by summarizing the key findings and recommendations for NTN to enhance its information security posture. It follows the Harvard citation and referencing guidelines and aims to provide a comprehensive analysis of the security program design.

Running head: DESIGNING AN INFORMATION SECURITY PROGRAM
Designing an Information Security Program
Name of the Student
Name of the University
Author note

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

1DESIGNING AN INFORMATION SECURITY PROGRAM
Executive Summary
The report focuses on the critical scenario focusing on the information security management plan
for NTN. The discussed plan thus helps in identification of assets that are a part of the
organization and discusses various plans for their protection from security threats. The scenario
is based on the implementation of a security program for the effective use of internet strategies
being implemented at NTN. The report identifies the major risks that might face the organization
during the procedure of the implementation process of the program. The various occurring
threats, vulnerabilities and challenges focused over the organization have been identified and
critically discussed. After the identification of each of these, a proper security strategy and
proper recommended control that could be implemented in place are discussed. The report also
helps for the identification of a certification and accreditation body, which would maintain
control over the implemented security program. The security measures that would be put in place
for meeting up to the requirements of the chosen body have been discussed within the report.

2DESIGNING AN INFORMATION SECURITY PROGRAM
Table of Contents
1. Introduction..................................................................................................................................3
2. Discussion....................................................................................................................................4
2.1 Guideline for Information Security Risk Management.........................................................4
2.1.1 Risk Analysis......................................................................................................................4
1. Asset Identification and Assessment...................................................................................4
2. Risks....................................................................................................................................6
3. Threats, Challenges and Vulnerabilities..............................................................................6
4. Disaster Recovery and Business Continuity Plan................................................................9
5. Security Strategies and Recommended Controls...............................................................12
6. Residual Risks...................................................................................................................13
2.2 Guidelines for Information Security Certification and Accreditation.................................13
2.2.1 Identification of relevant local, state, and/or national/federal certification and
accreditation...........................................................................................................................13
2.2.2 Identification of security measures required by MTN..................................................13
3. Conclusion.................................................................................................................................14
References......................................................................................................................................16

3DESIGNING AN INFORMATION SECURITY PROGRAM
1. Introduction
A security program is termed as a certain set of documentation that are presented by
various skilled Information Security practitioners and organized bodies based on the needs of the
relevant body. The Information Security Program lists the different procedures, guidelines,
policies and standards that would be set for an industry based on their growing needs of security
within their used applications (Doss et al. 2016). The security program also supports a roadmap
based on implementing an effective procedure for security management control and practices.
With the implementation and following of the guidelines as outlined within the program, it
would help in ensuring the factor of confidentiality, integrity and availability (CIA) of the
customer and client information. The CIA would also be maintained for the essential data in
relation to the company.
The discussion in the following parts of the report would be focused upon the
establishment of a security program for NTN, which is a new established private nursing school
situated in Australia. The school maintains a broad range of communication with their in-built
group of satellite campuses, which are connected through the Internet. In the present times, there
is a major risk of incidents based on security breaches, which is posed on a high basis (Song et
al. 2016). Each of the information that is collected by the in-house teams at NTN are in relation
to students and patients.
The following parts of the report would be focusing on the performing of risk analysis
that would help in the identification of assets and assessment of each assets. Under the risk
analysis, there would be a discussion over the risks faced by IT assets at NTN. A following

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

4DESIGNING AN INFORMATION SECURITY PROGRAM
discussion would also be presented over the challenges, threats and vulnerabilities. A guideline
based on security certification and accreditation would also be supported within the report.
2. Discussion
2.1 Guideline for Information Security Risk Management
2.1.1 Risk Analysis
1. Asset Identification and Assessment
1.1 Physical Assets – In the present case based on the use of Internet facilities at NTN, it
can be discussed that the various physical assets in relevance to the organization are:
a. Inventory – The inventory for a school are generally referred to the storage of
different documents that are capable of storing and recording of student data. In case of NTN,
there is a maintenance of different records of students located across all centers in Cairns,
Darwin and Sydney (Gao 2015). The nursing school also hosts a small mobile team comprised of
nursing students and doctors, who would travel across places to provide medical assistance to
patients.
b. Cash – Students deposit fees in cash modes and hence, this could be tracked by
hackers in the near future. The amount of money collected by the authorities might get exposed
due to security breaches and thus could lead to theft.
c. Student documents – The NTN would possess different kind of documents in relation
to students, admission forms, mark sheets and many others. Other documents are in relation to
patient reports and many others. These documents are highly crucial in nature and thus require a
high amount of security based on controlling them against security thefts (Shrivastava and

5DESIGNING AN INFORMATION SECURITY PROGRAM
Rathod 2015). The mobile teams responsible for scanning medical documents of patients should
be careful during the sending of document to hospital administration.
d. Marketable securities – These are defined as debts or securities that are meant to be
redeemed or sold within a year. The marketable securities as displayed on a balance sheet that
represents their present marketing conditions (Braouezec and Wagalath 2016). Hence, these are
considered as another type of asset that are highly helpful for the NTN organistion and hence
needs to be secured at the organizational end.
1.2 Non-Physical Assets – These are considered as intangible assets, which are defined
as non-physical and which possesses value towards any organization or business. The non-
physical assets in relation to NTN are:
a. Receivable account records – These are considered to be one form of intangible
assets for NTN. They collect different kind of information based on received amounts based on
the collection of funds from students, deposit of funds for various purposes and many others
(Wang 2018). These records are considered as the most important assets and thus the breach of
such form of information might lead to severe negative outcomes.
b. Computerized databases – The databases in relation to NTN help in storing valuable
data in relation to the organization. These thus store various records such as name of students,
their confidential details, patient information and other information in relation to patient records
(Groomer and Murthy 2018). Hence, the securing of the database records are an important
responsibility of the information security specialist.
c. Property use rights – These are termed as legal or theoretical ownership of resources
that are owned by NTN. The legal documents, which are prepared in an online version should be

6DESIGNING AN INFORMATION SECURITY PROGRAM
kept secured in a proper format in such a manner that it would remain encrypted for the
decreasing of possibility of getting hacked.
d. Training manuals – The training manuals that are provided for the students and
medical practitioners in order to understand the working procedures of an organization
(McIlwraith 2016). These training manuals should thus be secured in a proper form so that it
would not be breached by any third party.
2. Risks
2.1 Individual Asset Risk Analysis – The data based on the analysis for individual
assets risks are:
Assets Likelihood Impact
Cash L H
Student Documents H H
Marketable Securities M L
Receivable account records H M
Computerized databases H H
Property use rights L L
Training manuals L M
2.2 Risk Summary – From the understanding of the various discussed risks, it can be
defined that the various risks are considered as critical in nature. The analysis for these risks
helps in the identification of critical risks that could affect the organizational perspectives of
NTN. In order to secure the various physical as well as non-physical assets of the organization,
there is a need for analyzing the risks and identification of proper actions based on mitigating
them.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7DESIGNING AN INFORMATION SECURITY PROGRAM
3. Threats, Challenges and Vulnerabilities
3.1 Threats – These are defined as negative kind of influences that would be affecting
the overall productivity of the organization. Some of the threats that could be facing the NTN
are:
1. Loss of Data and Information – During the design of an information security
program for NTN, one of the most possible challenge that could be faced by them includes the
loss of information. Whenever different individuals responsible for working over the same
security program tend to work in different teams, they would tend to share policies and other
security strategies (Zhang 2018). In such scenarios, the designated teams would suffer from the
loss of confidential information.
In other cases, the crash or failure of server could be a leading factor towards loss
incurred for NTN. Employees would tend to find it difficult to secure all of the information at a
single chance. They would not be able to fetch any data through the use of emails.
2. Security Issues – Security is one primary concern that affects most of the employees
within an organization. Proper kind of measures needs to be taken at the most proper times based
on securing the organization from natural disasters as well as man-made disasters. It is the
primary responsibility of the management within the organization to resolve the claims made by
employees and fulfill the basic requirements (Kalaiprasath, Elankavi and Udayakumar 2017).
Thefts could also occur from within the organization and could affect the data transparency.
Hence, with the implementation of a security program for NTN, it would majorly help for
briefing out a proper roadmap that would be followed by the individual teams working for the
organization.

8DESIGNING AN INFORMATION SECURITY PROGRAM
3. Lack of Funds – The areas of financial stability is considered to be of utmost
importance and hence a stable background would also be needed (Tulloch et al. 2015). Each of
the funds that needs to be supplied for enhancing the security program within the organization
should be supplied at proper times and this process needs to be followed efficiently.
3.2 Challenges and Vulnerabilities – The challenges faced with the aspect of security
for NTN are listed below:
1. Monitoring over Security and Cloud Configuration – As NTN mainly deals with
teaching lessons being provided to students on a virtual mode and treatment of patients in a
digital mode, hence, there is a constant challenge being faced with misconfigurations leading to
leaks in data (Chen et al. 2016). Monitoring over various cloud assets and internet infrastructure
is a major challenge for security practitioners.
2. The Insider Threat – The most important challenge facing NTN is based on security
breaches being faced from insiders or employees from within the organization (Legg 2015). This
could happen in the form that data could get leaked when employees might send important and
confidential emails to unauthorized recipients.
3. High Impact-based Attacks – Malicious codes written in security algorithms could
lead to high-impact based attacks. The NTN cannot ignore the overall increasing form of risks
that could be posed based on advanced leaked security code. This could be manipulated by
hacker professionals and thus could steal important data.
The vulnerabilities faced by NTN in securing their assets are:
1. SQL Injections – Hackers could make use of the technique of SQL injections for
tampering with the confidential data (De Meo, Rocchetto and Viganò 2016).

9DESIGNING AN INFORMATION SECURITY PROGRAM
2. Outdated Patches – Most hackers quest within computing systems that in search for
outdated security patches. Outdated security patches creates an entry point for attackers to entry
within the computing system and affect various applications.
3. Reuse of Passwords – Reuse of same passwords in various applications is considered
as a risky aspect towards NTN. Hence, the regular update on password is considered as a major
aspect for the protection of applications (Kim, Han and Seo 2017). Cyber attackers have the
tendency to tap into the same password at several instances.
4. Disaster Recovery and Business Continuity Plan
4.1 Business Impact Analysis – The BIA that could be applied for NTN could focus
over the following approaches that could be helpful for understanding the impact made by the
security program towards the environment at NTN:
a. A comprehensive understanding should be made over the current business environment
at NTN. This would help in developing a focus over the mission that is being tried to be achieved
by NTN with the implementation of a security program (Peltier 2016). Within this aspect, the
organisation would be able to understand the areas in which cost savings could be made with the
eradication of redundant or unnecessary technologies.
b. After a proper understanding of the core business processes, the organisation should
search for proper technologies that would help in performing of regular operations.
c. After identification of critical processes and technologies, the company could make use
of Recovery Time Objective (RTO) for deciding over the possibility of recovering after any
unacceptable incident.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

10DESIGNING AN INFORMATION SECURITY PROGRAM
4.2 Insurance Consideration – Insurance policies should be considered as the primary
principle that could help the organisation to recover from any unforeseen incident that might
cause harm to the organisation. Some of the insurance considerations that could be in relation to
NTN are:
a. Liability Insurance – The general insurance includes the different liabilities that
would be repaid back to the organisation (Woods et al. 2017). The liability insurance covers the
different aspects of insurance based on covering fidelity, computing systems and loss of
important and official documents.
4.3 Incident Response Team – A dedicated Incident Response Team, which would
generally be considered as a group of IT experts who would be responsible for reacting to any
emergency or critical situation that might overcome the organization (Ahmad, Maynard and
Shanks 2015). Hence, this team would comprise of various IT experts comprising of different
backgrounds, roles and technical skills.
4.4 Physical Safeguards – These are defined as policies, procedures and physical
measures that needs to be used for securing the Internet and the use of computing systems within
NTN. Some of the physical safeguards that could be used for securing the internal systems at
NTN includes workstation security, media and device controls and written policies for use of
workstations.
4.5 Incident Response Procedures – Some of the most important incident response
procedures that could be implemented for NTN are:
a. The responsibilities of the IT security management is based on responding to different
unforeseen security incidents in an effective and quick manner.

11DESIGNING AN INFORMATION SECURITY PROGRAM
b. The different security events should be properly assessed and further classified
according to various incidents (Ramachandran 2016).
c. The channels of communication should be established in an advance manner based on
a security incident.
4.6 Restoration Procedures – The restoration procedures for important data in relation
to NTN are:
a. Defining the goals of recovery
b. Identification of vital assets, which includes software applications, embedded data and
other forms of digital assets
c. Preparing for a backup strategy and restoring for a procedure testing (Halabi and
Bellaiche 2017).
d. Preparing an efficient strategy for establishing a proficient level of communication and
maintaining connectivity.
e. Performing detailed testing procedures and ensuring regular patch updates.
4.7 Forensics Considerations – The forensic considerations that could be affecting the
computing systems and the internet being used at NTN are:
a. Gathering of admissible evidence in a legal process without a proper form of inference
with business processes.
b. Investigation towards proceeding with cost in proportion to different incidents of
security breaches.