Information Security Plan for Grading System at Remarkable University

Verified

Added on 2022/12/28

AI Summary

This report outlines an information and security management plan for Remarkable University's new student grading system. It begins with an introduction emphasizing the importance of such plans in addressing potential risks and threats to organizational assets. The scope of the plan focuses on protecting the university's IT assets, including hardware, software, and student data. A detailed risk assessment is conducted, covering user authentication, server security, network security, and other potential risks, which is then compiled into a risk register. The report then details security strategies and actions to mitigate identified risks, including user authentication methods, server and network security measures, and strategies for addressing privacy concerns. A cost-benefit analysis is presented to evaluate the financial implications of the security plan. The report concludes by addressing residual risks and providing resources for maintenance and training, ensuring the system's ongoing security and effectiveness. The plan aims to provide a comprehensive approach to securing the student grading system, protecting it from various threats and vulnerabilities.

Running head: INFORMATION AND SECURITY MANAGEMENT
Information and Security Management
Name of the Student
Name of the University
Author’s Note:

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

1
INFORMATION AND SECURITY MANAGEMENT
Table of Contents
1. Introduction............................................................................................................................2
2. Scope......................................................................................................................................2
3. Risk Assessment.....................................................................................................................3
3.1 User Authentication and Access Control.........................................................................3
3.2 Server Security.................................................................................................................3
3.3 Network Security.............................................................................................................4
3.4 Other Risks.......................................................................................................................4
3.5 Risk Register....................................................................................................................5
4. Security Strategies and Actions.............................................................................................9
4.1 User Authentication and Access Control.........................................................................9
4.2 Server Security.................................................................................................................9
4.3 Network Security.............................................................................................................9
4.4 Other Risks.....................................................................................................................10
4.5 Cost Benefit Analysis.....................................................................................................10
5. Residual Risks......................................................................................................................11
6. Resources.............................................................................................................................13
7. Maintenance and Training....................................................................................................15
References................................................................................................................................17

2
INFORMATION AND SECURITY MANAGEMENT
1. Introduction
The main purpose of information and security management plan in any organization
or business is to address every potential risk or threat to all the resources and assets of that
particular organization (Peltier, 2016). The first step for successful establishment of this
particular plan is proceeding from every aspect of emergency, security and safety
management. The most significant parts of a security management plan include program
management, prevention, preparedness, response, recovery and training.
This kind of plan is extremely effective for avoiding crisis management and
avoidance of creation of problems (Soomro, Shah & Ahmed, 2016). This type of plan is even
helpful for fraud management and computer security. Special tools are being eventually
included in this plan to ensure that better effectiveness and efficiency is being achieved.
Remarkable University is deploying a new student grading system and it should be secured
from any type of threat. The major components of this particular student grading system are a
front end web and application server that is being utilized by the administrative staff,
academics and students and a database that will be holding the grades of students (Siponen,
Mahmood & Pahnila, 2014). Hence, it is needed to include information and security
management plan for the system and ensure that system is free from any kind of risk or
threat. The following report will be outlining a brief analysis of IT security planning for
Remarkable University with relevant details.
2. Scope
The organization of Remarkable University comprises of some of the major and the
most significant assets of information technology. Since, they will be implementing a student
grading system, it is extremely important and significant for them to ensure that the IT assets
as well as resources are absolutely safe and secured. The IT assets are referred to as the

3
INFORMATION AND SECURITY MANAGEMENT
company owned information, hardware and system, which is being utilized within the
subsequent course of several business activities (Ifinedo, 2014). The confidential information
that are related to better management include corporate data, human resource data,
information management, contracts, maintenance of data and finally information
management.
The IT assets of this organization include computer systems, network infrastructure,
system storing data and information of the students. Remarkable University has ensured that
organizational risk profile is able to provide an evaluation of the willingness of the individual
as well as the core capability of taking risks (Webb et al., 2014). The risk profile is extremely
vital to determine a proper investment asset allocation for the university and hence it becomes
quite easy to include high level of security amongst the systems and infrastructure. The scope
of this information and security management plan is that it would eventually reduce the
overall impact of the risks and vulnerabilities.
3. Risk Assessment
3.1 User Authentication and Access Control
Risks Confidentiality Integrity Availability
Computer systems Yes Yes Yes
Network
Infrastructures
Yes Yes Yes
Data storage
Systems
Yes No Yes
Student Information Yes Yes No
Table 1: User Authentication and Access Control
(Source: Created by the Author in MS Word)

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

4
INFORMATION AND SECURITY MANAGEMENT
3.2 Server Security
Digital security and physical safety are highly enhanced without any type of
complexity and it aims at creation of security management plan through several methods,
standards, guidelines and processes, a permanent secured solution to all types of conditions
that are helpful for prevention or reduction of the identified threats (Fenz et al., 2014). The
server security is often being violated by incorporation of few distinctive risks and threats
such as automated scanning and exploit tools, grade hacking or modification by students,
targeted exploit attempts and malware. Remarkable University should consider this type of
threat as vulnerable since, it could easily bring out few of the most distinctive and noteworthy
issues and organizational server might be affected.
3.3 Network Security
Security management is one of the most systematic and repetitive set of different
types of interlinked activities that help in ensuring secured operation, hence reducing total
likelihood of risks (Safa, Von Solms & Furnell, 2016). IT equipment of the organization are
the other important and significant assets of this university and these are the integral
components of organizational system and hence operational success is possible for the
organization. Furthermore, better efficiency is also achieved without any type of complexity
or issue. Network security risks are quite common in present days and they could out bring
major issues in the organizational network. The most common network security risks include
computer virus or worms, phishing, and many more threats. As the university will be
focusing on student grading system, it would be extremely vital for them to consider their
network security and ensure Internet fraud is not present in the networks.
3.4 Other Risks
The security management plan helps in ensuring authenticated as well as authorized
access to relevant assets. It is hence closely associated to management of authorization.

5
INFORMATION AND SECURITY MANAGEMENT
Information security can be referred to the security and privacy of confidential or valuable
information (Pathan, 2016). There are few of the most significant and important risks, which
fall into the category of other risks, such as privacy concerns for internal and external users.
These two types of risks could be treated after implementation of some of the most
significant anti risk strategies or plans.
3.5 Risk Register
The risk register of the identified risks is as follows:
Risk Description Likelihood Impact Severity Risk
Owner
Mitigating Actions
Grade
Modification or
Hacking, by
which students
could easily
modify the
grades obtained
by them.
High High High Students A security system
should be
implemented within
the grading system,
which can track
every moment and IP
address (Laudon &
Laudon, 2016). This
would the most
effective mitigation
action for grade
modification.
Privacy Concerns
for Internal
Users, by which
employees or
High Low Medium Employees
or staff
Implementation of
passwords and user
access controls
within the student

6
INFORMATION AND SECURITY MANAGEMENT
staff could use
the data for
bringing threats
and malware
activities in the
system.
grading system is the
most significant and
noteworthy
mitigation technique
to resolve insider
threats.
Privacy Concerns
for External
Users, by which
hackers or
students could
easily hack the
confidential data
or information
for committing
Internet fraud
(Tøndel, Line &
Jaatun, 2014).
Low Medium Low Students or
other
hackers
Implementing anti
virus software or
firewall security
within the student
grading system is the
most significant
mitigation technique
for this issue.
Malicious Codes
like Worms,
could easily
bring out major
harm to the
computerized
system and can
High Medium Medium Hackers or
attackers
The mitigation
actions for malicious
codes mainly include
reconstructing the
network maintenance
for being operative
effectively and

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7
INFORMATION AND SECURITY MANAGEMENT
even be in the
forms of Trojans
and viruses.
efficiently.
Implementation of
anti-virus software or
firewall security is
the second important
and significant
mitigation technique
for malicious
purposes (Barton et
al., 2016).
Automated
Scanning and
Exploit Tools, by
which the
organizational
tools and
technologies
could be
automated
scanned and then
exploited
majorly.
High Medium Medium Students
and hackers
The mitigation
actions for automated
scanning and exploit
tools mainly include
driving the
probability of
network management
in an effective
manner and even
ensuring checking
the tools on a regular
basis.
Targeted Exploit
Attempts, by
which hackers
High High High Attackers,
students and
Employees
The mitigation
actions for targeted
exploit attempts

8
INFORMATION AND SECURITY MANAGEMENT
could easily
undertake
advantages of the
vulnerabilities on
the systems,
present in
Remarkable
University
(Ahmad &
Maynard, 2014).
mainly include
ensuring an
application running
within the user space
and not accessing
kernel memory and
invalidating the
cache of every
address in the attack
buffer.
Phishing
Attempts, by
which any target
is being
contacted either
text message,
telephone or
emails by
anybody posing
as the most legal
institution for
luring victims
into providing
their confidential
data like PII or
Medium Medium Medium Hackers The mitigation
actions for phishing
attempts mainly
include identification
as well as educating
the potential spear
phishing targets and
evaluation of the
online interactions
with respective
students.

9
INFORMATION AND SECURITY MANAGEMENT
passwords.
Table 2: Risk Register of Identified Risks
(Source: Created by Author in MS Word)
4. Security Strategies and Actions
4.1 User Authentication and Access Control
The security strategies and actions that are required for ensuring user authentication
and access control as well as maintenance of confidentiality, integrity and availability of the
four distinctive IT assets of Remarkable University mainly involve cookie based
authentication, token based authentication and third party access (Rittinghouse & Ransome,
2017). Each of these three authentication strategies would be extremely vital for the
organization to ensure that the security and privacy of the IT assets and resources are being
maintained and service is not at all compromised under any circumstance. Such
authentication strategies would even ensure that the student grading system is highly
authenticated.
4.2 Server Security
The issues or risks highlighted in the above paragraphs for ensuring server security of
Remarkable University are required to be reduced and diminished with incorporation of
proper actions and strategies (Baskerville, Spagnoletti & Kim, 2014). The first and the most
significant strategy of server security would be building as well as maintenance of a secured
network and this is possible with installation and maintenance of a firewall configuration for
protection. Another effective and efficient strategy for such risks is implementation of
stronger access control measures and even regularly monitoring or testing the networks.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

10
INFORMATION AND SECURITY MANAGEMENT
4.3 Network Security
The major risks or vulnerabilities highlighted in the above paragraphs to ensure
network security of the student grading system in Remarkable University could be reduced
with major security measures such as identification of the network assets, analysis of the
security risks, analysis of the security requirements or trade offs and development of a proper
security plan (Safa et al., 2015). This security plan even reduces the overall impacts of the
network security risks and developing processes to apply various security policies. According
to the CBA provided below, 1713065 dollars are required to be undertaken for 5 years plan.
Hence, this particular university would be able to achieve proper buy in from the technical
staff, managers and users.
4.4 Other Risks
The other risks of privacy concerns from internal and external users could be easily
and promptly mitigated after incorporation of few of the major mitigation techniques, such as
establishment of programs, protection of the IT assets, recognition and reporting and finally
assessment and providing responses (Brown, Gommers & Serrano, 2015). Thus, the
organization would not face any issue in protection of the physical and cyber assets from any
type of unintentional or intentional harm.
4.5 Cost Benefit Analysis
The cost benefit analysis of the student’s grading system is as follows:

11
INFORMATION AND SECURITY MANAGEMENT
Figure 1: CBA of Student Grading System
(Created by the Author in MS Excel)
5. Residual Risks
Residual risks can be defined as the subsequent amount of risks or danger that are
solely associated with specific actions or events, remaining only after every inherent or
natural risks are being decreased by various risk controls. The generalized formula for
properly calculating this residual risk would be subtracting the total impacts of risk controls
from the relevant inherent risks. The entire concept of risks would be multiplication of threats
and vulnerabilities and also severity and probability (Kavanagh, Rochford & Bussa, 2015).
This particular type of risk is the threat, which remains after every possible effort for
identification as well as elimination of the risks that are being made. The four most basic
methods to deal with such risks would be, reduction of it, avoidance of it, accepting it and
finally transferring it completely.
While addressing the respective residual risks, each and every organization must
identify the relevant GRC or governance, risks and compliance requirements. Moreover, the
respective strengths and weaknesses of the organizational control frameworks are also well