IT Risk Management: Security Basics, Planning, and Policies Report

Verified

Added on 2020/02/24

AI Summary

This report on IT Risk Management delves into the core concepts of information security, exploring the definition and types of security, including physical, information, and communication security. It examines the CNSS Security Model and the CIA triad (Confidentiality, Integrity, Availability) as fundamental principles. The report further addresses information security planning, emphasizing the role of planning in mitigating risks, and the Security Systems Development Life Cycle (SecSDLC). Organizational planning, including strategic, tactical, and operational planning, is discussed, along with contingency planning, including Incident Response Plans (IRP), Disaster Recovery Plans (DRP), and Business Continuity Plans (BCP). The report concludes by outlining information security policies and programs, differentiating between Enterprise Information Security Policy (EISP), Issue-specific security policies (ISSP), and System-specific security policies (SysSP), and examining information security programs tailored for large, medium, and small organizations. The report provides a comprehensive overview of IT risk management principles and practices.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: IT RISK MANAGEMENT
Information Technology Risk Management
Name of Student-
Name of University-
Author Note-

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

1IT RISK MANAGEMENT
Topic 1: Information Security Basics
Definition of Security- Giving a protection to a organization, person, country or building
from threats those are done by some foreign countries or some attackers or hackers is known as
security (Collins, 2016). To secure a state’s security or an organization’s security, some
procedures are followed. Those procedures are that are followed or the measure that are taken is
known as security. With a secure environment, there comes a feeling of stable state, safe and a
state that is free from anxiety.
Types of security- The special areas where the security is needed are
 Physical Security
The protection of software, hardware, personnel, information and network from threats is
known as the physical security (Ortmeier, 2017). Physical security involves fire, theft, disasters
and any others. For organizations, physical security involves access control of organization’s
specific location or data by the employees.
 Information Security
Information security is also known as InfoSec. InfoSec includes a large set of processes
for the management of process, policies and tools which help to detect, respond and prevent the
hackers from non digital and digital data assets. Information security includes many categories:
application security, information security, mobile security and network security.
 Communication Security
The telecommunication is prevented from the hackers that are protected from the
unauthorized access of the network. This is known as communication security and COMSEC.

2IT RISK MANAGEMENT
The unclassified and classified traffic are both protected by COSMEC. This includes video, data
and voice that are carried on communications of military networks.
Information Security- The set of methods or processes that are used for management of
tools, policies and processes to detect and encounter the threats and prevent them from the
threats that are involved in digital and non digital data (Crossler et al., 2013). Set of business
process that protects the data from unauthorized threats is called information security. In
Information Security shows how the data is formatted. The private and sensitive information
receives threats from different sources. This may include identity threat, ramsomware, and
malware or phishing threats. The security of information protects the data from being hacked and
also initiative preventive methods are taken. Incident Response Plan (IRP) should be prepared by
the organizations and businesses for security groups and data breach. This helps them to limit
and control the damage of the data.
CNSS Security Model-
Figure 1: CNSS Security Model
Source: (Hoisl, Sobernig & Strembeck, 2014)

3IT RISK MANAGEMENT
CNSS security model is known as Committee on National Systems Security Model. For
the evaluation and establishment of Infosec detailed model are developed to secure a system. To
build a secure system, not only the security goal (CIA) is needed, but the goals that are
interrelated to different states and different regions (Hoisl, Sobernig & Strembeck, 2014). The
cells that are present in the cube depict all the areas that are needed to secure a organization from
data breach. The information of a system is secured by the CNSS Security Model.
C.I A. Triangle- C.I. A. stands for Confidentiality, Integrity and Availability. To give a
protection of all the aspects of the CIA triad, security measure are taken. To implement and
evaluate the information security of a n organization C.I.A (Tipton, Forkey & Choi, 2016). Triad
is needed. The main three components of C.I.A. Triad are defined as follows:
Confidentiality- the data or information of a system or organization must be accessed
only by the authorized person. The list of access control, security based on policy, password and
user id are to be kept personal to maintain the confidentiality of data.
Integrity- The data or information must be original when they are sent to receiver from
sender. The data received should be from the trusted sender. Hashing or data encryption
algorithms are used to provide the integrity of the data.
Availability- The information and data should be made available to all the systems and
controllers when they are needed at the time of execution.
Principle of Information Security Management- The principle of all organizations is
different from each other. The assurance management of all the organizations has its own
language that is related closely to the need of that particular business.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

4IT RISK MANAGEMENT
Topic 2: Information Security Planning
Role of Planning- To avoid data risk or transfer, accept and mitigate the technologies and
the processes of an organization, information security planning is needed (Stallings & Tahiliani,
2014). The confidentiality, integrity and availability of the data are protected by the information
security planning.
Security Systems Development Life Cycle (SecSDLC)- This is a policy that defines the
requirements of information security planning and increase the protection of system
resources of information (Crook & Evans, 2014). The life cycles of the information system
are planning, development, maintenance, feasibility, retirement and implementation.
Security is to be maintained in all the stages of life cycle to achieve:
 The information that is sensitive is to be protected.
 Proper removal of data id ensured when the system is crashed.
 New risks should be prevented.
Organizational Planning- The objective of the organization, monitoring and
formulating and specific strategies that are achieved are the processes of
organizational planning (Alruwaili & Gulliver, 2015). The resource allocation and
staffing is also managed by organizational planning. The implementation and
formulation to see the goals of organization that are achieved are needed by the
organizational planning.
Strategic Planning: In strategic planning the long term goals and the future is
developed. The strategic plan depicts a structure of what the enterprise will attend in next five to
ten years.

5IT RISK MANAGEMENT
Tactical Planning: The plans of strategic planning are translated to particular
plans that are needed in an organization. The functionality and the responsibility of the
departments that are at lower level are concerned in tactical plans.
Operational Planning: The low level manager makes the operational plans. Specific
processes or procedures that happen in the organization come sunder operational planning.
Routine tasks are planned n this planning.
Planning Contingency- The different situations that may come in the future of an
organization comes under planning contingency (Osburn, Hatcher & Zongrone, 2015). A good
planning of contingency should have all the positive or good events or plans that might change
the operation.
Incidence Response Plan (IRP) - The classification, response, recovery and identification
of an incident is done in IRP.
Disaster Recovery Plan (DRP) - this involve s the planning that should done after a
disaster happens in an organization.
Business Continuity Plan (BCP) – This plan states the critical functions that continue in
an organization.
Topic 3: Information Security Policy and Program
Definition of Information Security Policy- there are three elements in Information
security policy: Policy Statements, How to deal with information security and requirements.
Three types of Information Security Policy-

6IT RISK MANAGEMENT
Enterprise Information Security Policy (EISP) – In this policy there exists an external
audit that includes enterprise network and branch agencies that are executive (Crnjanski et al.,
2016). The audit in this EISP shows all the defects that are not addressed properly in the policies
and the documents that were defined previously.
Issue-specific security policies (ISSP) - Through this policy all the members and staffs
of the organization are instructed to use the resource of the organization. The technological
philosophies that are fundamentally related to the organization are guided in this policy.
System-specific security policies (SysSP) - These are not permanent policies of an
organization. These policies are created when the organization needs to function as procedures
and standards that are to be used in maintaining and configuring the systems. There are two
groups of SysSP- technical specification and management guidance.
Information security program for large organization- Different organizations have
different programs on information security (Peltier, 2016). The internal groups of the
organizations are made and again remade challenges that are long term even if they handle
security operations that are held daily. By information security programs, functions of the
organization are divided into groups. By dividing into groups the work is done faster and is done
efficiently.
Information security program for medium organization- The Infosec security programs
that are organized by medium organizations are: they must have a smaller amount of budget. The
size of security staffs must be small as the organization is medium. There must be programs that
includes to seek help from the IT staffs if are needed for practices and plans. The program that is
followed by medium organizations must have the way to set policies, handle all the incidents in

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7IT RISK MANAGEMENT
regular basis. Some of the security functions that are not so important can be neglected by
medium organizations.
Information security program for small organization- Small organizations follow
different sets of information security programs. These have very simple and centralized
organizational model in IT sector. Money is disproportionately spent on security of small sectors.
A single security administrator only has the responsibility to handle information security. The
policy of small industries are issue specific. Threats from internal issues are mostly less because
there is small number of employees.

8IT RISK MANAGEMENT
References
Alruwaili, F. F., & Gulliver, T. A. (2015). Secsdlc: A practical life cycle approach for cloud-
based information security. IJRCCT, 4(2), 095-107.
Collins, A. (2016). Contemporary security studies. Oxford university press.
Crnjanski, T., Krajnovic, D., Tadic, I., Stojkov, S., & Savic, M. (2016). An Ethical issue scale
for community pharmacy setting (EISP): Development and validation. Science and
engineering ethics, 22(2), 497-508.
Crook, S. R., & Evans, G. W. (2014). The role of planning skills in the income–achievement
gap. Child development, 85(2), 405-411.
Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013).
Future directions for behavioral information security research. computers & security, 32,
90-101.
Hoisl, B., Sobernig, S., & Strembeck, M. (2014). Modeling and enforcing secure object flows in
process-driven SOAs: an integrated model-driven approach. Software & Systems
Modeling, 13(2), 513-548.
Ortmeier, P. J. (2017). Introduction to Security. Pearson.
Osburn, H. K., Hatcher, J. M., & Zongrone, B. M. (2015). Training and development for
organizational planning skills. The Psychology of Planning in Organizations: Research
and Applications, 334.

9IT RISK MANAGEMENT
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. CRC Press.
Stallings, W., & Tahiliani, M. P. (2014). Cryptography and network security: principles and
practice (Vol. 6). London: Pearson.
Tipton, S. J., Forkey, S., & Choi, Y. B. (2016). Toward Proper Authentication Methods in
Electronic Medical Record Access Compliant to HIPAA and CIA Triangle. Journal of
medical systems, 40(4), 100.