Report on IT Security Management: Policies, Fraud, and Risk


Added on 2022/12/29

AI Summary
This report provides a comprehensive overview of IT security management, addressing essential policies crucial for any business organization, including access control, acceptable use, disaster recovery, and user authentication. It explores the various ways computer programmers and IT personnel can be involved in fraud, such as hacking, SQL injections, and virus dissemination, while also outlining control mechanisms to monitor and prevent fraud, including testing key controls, fraud risk assessments, and the use of cloud computing. The report defines the roles and responsibilities of a security administrator, emphasizing their importance in protecting valuable information. It details the five steps of security risk assessment and explains ways to identify fraud scams, such as network intrusion detection and host intrusion detection. Furthermore, it discusses approaches to promote information security within an IT department, highlighting the importance of an effective IT security infrastructure, defensive systems, employee awareness training, and data protection.
Running head: REPORT ON INFORMATION TECHNOLOGY SECURITY MANAGEMENT
REPORT ON INFORMATION TECHNOLOGY SECURITY MANAGEMENT
Name of the Student
Name of the University
Author Note:
Question 1. List and explain any four information-technology-related policies which you
think are important to any business organization.
Answer:
Given the rapid growth of IT-based business services, an organization that adopts
information technology must also adopt policies governing its IT systems if those services
are to be delivered effectively and securely. Two of the most significant concerns in this
area are data security and access control, so the policies listed below focus on security
and access control:
Access Control Policy-
This policy defines the pattern and limits of employee access to organizational data and
services. Access control and security policies restrict access both to the network and to
the organization's data, which has a significant impact on the security of the IT system
and its services.
Acceptable Use Policy-
Under this policy, employees must agree to use organizational assets and networks only
as the rules of the AUP permit. Beyond that core rule, the AUP also carries related HR,
legal and IT-security restrictions.
Disaster Recovery Policy-
Under this policy, the organization's IT security and development teams form a business
continuity group that is capable of maintaining backups of all organizational information,
so that the data can be restored if a failure or incident occurs.
User Authentication Policy-
Under this policy, IT systems may be accessed only by authorized users. Users must
therefore log in with the required credentials, which are verified before access to
information is granted.
Question 2: In what ways can a computer programmer or IT personnel get involved in
fraud?
Answer:
IT personnel or a computer programmer can become involved in fraud in several ways.
Some of these are listed below:
Hacking: Computer programmers with advanced knowledge of systems can break into data
stores and misuse the data for various ends.
SQL Injections: Programmers can exploit weaknesses in a system's input handling with the
SQL injection technique, supplying crafted input that is executed as part of a database query.
Virus Dissemination: IT professionals can deliberately infect files or systems with viruses,
which are then likely to spread to other computers on the same network.
Logic Bombs: Programmers can intentionally insert malicious code, known as a logic bomb, into
software so that it performs malicious tasks when a trigger condition is met.
Denial-of-Service Attack: A deliberate attempt by an insider to deny service to the
legitimate users of that service.
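The SQL injection item above is the one fraud technique in this list that can be shown concretely. The following is an added example, not code from the original report: a constructed in-memory SQLite table with two sample users, a login check built by string concatenation, and the same check written with a parameterized query. The table, users and payload are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample database (added example, not from the original report).
# Passwords are stored in clear text only to keep the demonstration short;
# a real system stores salted password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "S3cret!", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input is parsed as SQL.

    Returns (username, role) for the first matching row, or None.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Same lookup with a parameterized query: the driver binds the values as
    data, so quotes in the input can never change the query structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # classic tautology injected through the password field
    print("legit   :", login_vulnerable(db, "alice", "S3cret!"))
    print("injected:", login_vulnerable(db, "nobody", payload))   # alice/admin: bypass
    print("safe    :", login_safe(db, "nobody", payload))         # None: rejected
```

With the payload in the password field, the concatenated query becomes `... WHERE username = 'nobody' AND password = '' OR '1'='1'`, which is true for every row, so the first row (the admin account) is returned without a valid password. The parameterized version sends the same string as a bound value and finds no match.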
Question 3: List and explain four control mechanisms which might help to monitor
and control fraud in an IT context.
Answer:
There are many keys to fraud prevention, and some of the most powerful are internal
controls. Some of the mechanisms that can be used to prevent fraud are discussed below:
Test of key controls: Testing controls is important in distinguishing the risk of fraud.
Control testing determines whether the controls operate as required, so it is essential
to verify whether the key controls are actually effective.
Assessments of Fraud Risk: Personally Identifiable Information (PII) must be protected by
designing internal controls in line with current regulation and legislation. Fraud can be
controlled by strengthening audits, procedures and policies; in particular, any procedure
through which data was compromised by SQL injection needs to be examined thoroughly.
Cloud Computing: Essential business functions are performed by enabling technologies, and
technology applications are a major source of risk. Cloud computing is adopted to reduce the
risks of evolving technology; when it is used, it must strengthen the organization's
internal controls and the protection of its information.
Technology for fraud prevention and detection: Fraud prevention and detection technology
helps to recognize complex patterns in data. Well-designed decision models should be used
to manage false outputs, and relationships across the network are analyzed to expose a
fraudster's activity.
Question 4: Identify and briefly explain the roles and responsibilities of a security
administrator.
Answer:
Valuable information is stored in systems, and attackers are eager to destroy or steal it. A
security administrator handles every aspect of information security and protects the
organization's essential data resources. The role covers securing the network, mobile and
desktop environments, and installing, troubleshooting and administering the organization's
security solutions. The security administrator also trains staff on the proper protocols,
monitors network traffic to track any illegal activity, audits machines, performs risk
assessments and ensures that every network resource has proper defenses. Penetration tests
and vulnerability assessments are also part of the role. Finally, the security administrator
consults with managers, executives and staff on security matters.
Question 5: Explain with examples the five steps of security risk assessment in information
security.
Answer:
Security risks are identified in terms of assets, the threats to them and the vulnerabilities
those threats could exploit. To identify the risks present in an organization's
infrastructure, the following steps are followed:
Step 1- Identify and prioritize the assets: The risk assessor inventories the assets and
ranks them by their importance to the organization (for example, a customer database ranks
above a test workstation).
Step 2- Identify the threats and vulnerabilities: Having identified the assets, the assessor
lists the threats to them, where a threat is anything that could exploit a vulnerability to
breach security and harm the organization.
Step 3- Analyze the controls: The controls that are in place or planned are analyzed to
determine how far they eliminate or reduce the probability that a threat will exploit a
system vulnerability.
Step 4- Prioritize the information security risks: The level of risk to the IT system is
determined for each threat/vulnerability pair, based on the likelihood of exploitation and
the impact if it occurs.
Step 5- Recommend controls: Senior management and other accountable individuals determine
the actions that must be taken to mitigate each risk, based on its level.
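The five steps form one procedure, so here is an added worked example that carries them through end to end; it is not part of the original report. The assets, threat/vulnerability pairs, scores, control reductions and the treatment threshold are all constructed assumptions, and the likelihood x impact x criticality scoring is one simple scheme chosen for illustration, not a standard the report prescribes.

```python
from dataclasses import dataclass, field

# Step 1: assets ranked by criticality (1 = low, 5 = critical).
# All data below is constructed for this added example, not taken from the report.
ASSETS = {"customer-db": 5, "payroll-app": 4, "test-workstation": 1}


@dataclass
class Scenario:
    asset: str
    threat: str                # Step 2: threat that could exploit the vulnerability
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), before controls
    impact: int                # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # Step 3: (name, likelihood reduction)
    recommendation: str = ""   # Step 5: control to add if the risk must be treated


def residual_likelihood(s):
    """Step 3: each existing or planned control lowers the probability that the
    threat exploits the vulnerability; the floor is 1 (never zero)."""
    return max(1, s.likelihood - sum(reduction for _, reduction in s.controls))


def risk_score(s):
    """Step 4: risk level for one threat/vulnerability pair, weighted by the
    criticality of the asset it affects (hypothetical scoring scheme)."""
    return residual_likelihood(s) * s.impact * ASSETS[s.asset]


def assess(scenarios, threshold=40):
    """Steps 4 and 5: rank the pairs and decide, per pair, whether management
    must treat the risk (score >= threshold) or may accept and monitor it."""
    report = []
    for s in sorted(scenarios, key=risk_score, reverse=True):
        score = risk_score(s)
        if score >= threshold:
            action = f"treat: {s.recommendation}"
        else:
            action = "accept/monitor"
        report.append((s.asset, s.threat, score, action))
    return report


SCENARIOS = [
    Scenario("customer-db", "SQL injection", "unparameterized queries",
             likelihood=4, impact=5, controls=[("web application firewall", 1)],
             recommendation="rewrite queries with bound parameters"),
    Scenario("payroll-app", "logic bomb by developer", "no code review",
             likelihood=2, impact=4, controls=[("mandatory peer review", 1)],
             recommendation="separate build and deploy duties"),
    Scenario("test-workstation", "malware via USB", "autorun enabled",
             likelihood=4, impact=2, controls=[],
             recommendation="disable autorun"),
]

if __name__ == "__main__":
    for asset, threat, score, action in assess(SCENARIOS):
        print(f"{score:3d}  {asset:17s} {threat:25s} -> {action}")
```

Running it ranks the customer database's SQL injection exposure first (residual likelihood 3, impact 5, criticality 5, score 75) and flags it for treatment, while the payroll logic-bomb scenario, already reduced by peer review, and the low-value test workstation fall below the threshold and are accepted for monitoring. Changing the threshold or a control's reduction value shows how Step 3 and Step 5 interact.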
Question 6: As an IT security administrator, list and explain four ways to identify fraud
scams.
Answer:
An IT security administrator carries the responsibility of providing advanced protection for
the organization's IT. To that end it is essential to identify threats and scams early, since
early identification is what makes prevention of cyber-attacks possible. The most effective
threat identification methods are described below:
Four types of detection technology are used in IT scam detection: network intrusion
detection systems (NIDS), host intrusion detection systems (HIDS), perimeter intrusion
detection systems (PIDS) and VM-based intrusion detection systems (VMIDS).
Network intrusion detection system (NIDS): This type of system monitors and protects the
organization's IT network; it identifies unusual activity on the network and raises an alert
so that the detected actions can be contained.
Host intrusion detection system (HIDS): This type of system analyses an individual host, such
as a server, in order to identify unauthorised activity on that host.
Perimeter intrusion detection system (PIDS): Another significant technique, which detects
harmful activity at the boundary of the IT infrastructure.
VM-based intrusion detection system (VMIDS): In addition to the above, VM-based detection
systems identify unusual activity in virtual environments in order to protect the
organization's IT infrastructure.
As examples, EDR (Endpoint Detection and Response), malware sandboxes, network traffic
analysis and cyber threat intelligence techniques can be used to identify fraud scams
against the organization and so protect its IT infrastructure.
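To make the NIDS and HIDS descriptions above concrete, the following added example (not part of the original report) implements one rule of each kind and runs them over constructed sample logs: a port-scan rule over firewall-style connection records, as a network sensor would see them, and a failed-login rule over sshd-style entries, as a host agent would read them. The log formats, IP addresses, thresholds and window are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs for this added example (not from the original report).
# FLOW_LOG imitates firewall connection records a NIDS sensor would see;
# AUTH_LOG imitates sshd entries a HIDS agent would read on the host itself.
FLOW_LOG = [
    "2024-03-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 DPT=21 PROTO=TCP",
    "2024-03-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 DPT=22 PROTO=TCP",
    "2024-03-01T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 DPT=23 PROTO=TCP",
    "2024-03-01T10:00:02 SRC=10.0.0.7 DST=10.0.0.20 DPT=443 PROTO=TCP",
    "2024-03-01T10:00:03 SRC=10.0.0.5 DST=10.0.0.20 DPT=25 PROTO=TCP",
    "2024-03-01T10:00:03 SRC=10.0.0.5 DST=10.0.0.20 DPT=80 PROTO=TCP",
    "2024-03-01T10:00:04 SRC=10.0.0.5 DST=10.0.0.20 DPT=443 PROTO=TCP",
    "2024-03-01T10:00:30 SRC=10.0.0.7 DST=10.0.0.20 DPT=443 PROTO=TCP",
]
AUTH_LOG = [
    "Mar  1 10:05:01 web01 sshd[1201]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "Mar  1 10:05:02 web01 sshd[1201]: Failed password for root from 10.0.0.5 port 51235 ssh2",
    "Mar  1 10:05:02 web01 sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 51236 ssh2",
    "Mar  1 10:05:03 web01 sshd[1204]: Failed password for root from 10.0.0.5 port 51237 ssh2",
    "Mar  1 10:05:03 web01 sshd[1205]: Failed password for root from 10.0.0.5 port 51238 ssh2",
    "Mar  1 10:05:04 web01 sshd[1206]: Failed password for root from 10.0.0.5 port 51239 ssh2",
    "Mar  1 10:05:10 web01 sshd[1207]: Failed password for bob from 10.0.0.8 port 40000 ssh2",
    "Mar  1 10:05:15 web01 sshd[1208]: Accepted password for bob from 10.0.0.8 port 40001 ssh2",
]

FLOW_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")
AUTH_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)")


def detect_port_scan(lines, min_ports=5, window_s=60):
    """NIDS-style rule: one source touching >= min_ports distinct ports on the
    same destination within window_s seconds is reported as a port scan."""
    events = defaultdict(list)                     # (src, dst) -> [(time, port)]
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            events[(m["src"], m["dst"])].append((datetime.fromisoformat(m["ts"]), int(m["dpt"])))
    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):       # slide a window over each start point
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                alerts.append(f"port scan: {src} -> {dst} ({len(ports)} ports in {window_s}s)")
                break
    return alerts


def detect_ssh_bruteforce(lines, threshold=5):
    """HIDS-style rule: >= threshold failed SSH logins from one source on this
    host is reported as a brute-force attempt; successful logins are not counted."""
    failures = defaultdict(int)
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            failures[m["src"]] += 1
    return [f"ssh brute force: {src} ({n} failures)"
            for src, n in sorted(failures.items()) if n >= threshold]


if __name__ == "__main__":
    for alert in detect_port_scan(FLOW_LOG) + detect_ssh_bruteforce(AUTH_LOG):
        print("ALERT", alert)
```

On the sample data the network rule fires once, for 10.0.0.5 touching six ports on 10.0.0.20 within a few seconds, and stays silent for 10.0.0.7, which only ever connects to port 443. The host rule fires for the same source's six failed SSH logins and ignores the single failure from 10.0.0.8; in practice the two alerts would be correlated, since a scan followed by a password-guessing burst from one address is a stronger signal than either alone.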
Question 7: In your opinion, explain the different ways/approaches which can be used to
promote information security in your IT department.
Answer:
Given the concern of maintaining IT security within the organization, several approaches
from the field of IT security can be used to establish effective security across the
department, including the following:

Developing an effective IT security infrastructure will directly improve security
management within the organization. To that end the organization needs to adopt effective
security management techniques, which include implementing advanced systems such as VPNs,
firewalls and IDS systems.

Alongside the above, the organization also needs to deploy effective defensive systems in
order to protect its IT network from harmful threats.
Next, awareness training should be conducted for employees, covering how they should
perform the organization's internal operations and how they should use the internet. This
training helps employees gain knowledge about security threats and vulnerabilities, which
spreads awareness across the workforce.

It is also very important to keep track of all the activity that occurs on the
organizational network.

The administrator must take care of the organization's database in order to reduce data
security vulnerabilities and to protect customer data.

Beyond these precautions, the organization must have effective mitigation approaches in
place in case an attack happens. In order to mitigate the risk of data loss, the
organization must implement efficient data backup procedures.