Security Management Exam: Policies, Risk, Trust - Univ. of London

Verified

Added on 2023/06/15

AI Summary

This document presents solutions to multiple questions related to security management. It covers topics such as security management as a subset of internal control, the role of risk assessment in ensuring transparency, and the importance of trust in information security management. The solutions also address the necessity of using risk assessment to determine security policy content, the role of audits in supporting policy and standards compliance, and the impact of information security policies on encouraging ownership of security. Furthermore, the document explores the human element in information security defense, the concept of risk management institutionalizing risk ownership, the essential role of audits in effective security management, the influence of law and regulation on trust in an organization's information security management, and the impact of compliance with security policies on protecting an organization's information. The document provides a comprehensive overview of critical aspects of security management.

Running head:SECURITY MANAGEMENTS
Security Managements
Name of the student:
Name of the university:
Author Note

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

1SECURITY MANAGEMENTS
Table of Contents
Solution of Question Paper1:.................................................................................................................3
1. Answer to Question number 1: “Security management is a subset of internal control. Discuss”. 3
2. Answer to question number 2: “One purpose of risk assessment is to make information security
management transparent to employees, customers, business partners and shareholders. Discuss.”. 4
3. Answer to question number 3: “Trust in information security management is promoted more
through how you do it more than what you do. Discuss”..................................................................6
Solution of Question Paper 2:................................................................................................................8
1. Answer to question number 1: “Risk assessment should always be used to determine the content
of a security policy. Discuss.”...........................................................................................................8
2. Answer to question number 2: “Audit supports policy and standards compliance but not
security. Discuss.”.............................................................................................................................9
3. Answer to question number 3: “Successful information security is impossible without trust.
Discuss.”..........................................................................................................................................10
Solution of Question paper 3:..............................................................................................................11
1. Answer to question number 1: “Information security policies encourage ownership of security.
Discuss.”..........................................................................................................................................11
2. Answer to question number 2: “Humans are the weakest link in information security defence.
Discuss.”..........................................................................................................................................12
3. Answer to question number 3: “Risk management institutionalizes risk ownership rather than
treats risk. Discuss.”........................................................................................................................14

2SECURITY MANAGEMENTS
Solution to question paper 4................................................................................................................15
Answer to Question number 3: “Audit is essential for effective security management. Discuss”..15
Answer to question 4: “Law and regulation encourage trust in an organization’s management of
information security. Discuss”.........................................................................................................16
Answer to question 5: “Compliance with security policies ensures the protection of an
organization’s information. Discuss”..............................................................................................17
Solution to question paper 5................................................................................................................19
Answer to question 1.......................................................................................................................19
Answer to question 2.......................................................................................................................20
Answer to question 3.......................................................................................................................22
References:..........................................................................................................................................24

3SECURITY MANAGEMENTS
Solution of Question Paper1:
1. Answer to Question number 1: “Security management is a subset of internal control.
Discuss”
Internal control assures profitability and efficiency of operations, a reliability of information
along with adhering to rules and different regulations. It is an integral part of daily management and
administration of companies.
The COSCO model is used to define control as a method which is affected by a board of
directors of entities, management and other personnel, developed to give reasonable assurance of
gaining objectives in various categories (Peltier, 2016). These categories include efficiency and
effectiveness of operations, dependability of financial reporting and compliance with applicable
regulations and laws. Under a smart internal control system, five layers work to support achievement
of the mission of entities.
Layers of COSCO model Discussion
Control environment It includes assignment of responsibility and
authority, commitment to competence, ethical
and integrity values and so on.
Risk assessment It involves managing change, risk analysis and
identification.
Control activities It comprises of business continuity and backups,
application change management and outsourcing.
Information and communication It includes the effectiveness of communication

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

4SECURITY MANAGEMENTS
and quality of information.
Monitoring It includes reporting deficiencies, separate
evaluations and ongoing monitoring.
Ineffective security management has been damaging internal control in various ways.
Ineffective security management can damage internal control in various ways. First of all, there can
be lack of power with multiple authorisations of transactions. For example, with orders having
orders above a particular dollar value like $1000, more than a single quotation can be retrieved that
can be gained reducing overall expenditure (Chang et al., 2014). Another instance can be given
regarding lack of logical and physical security. Protecting personal data and banking data are turning
out to be vital with a rise in risk of credit or identity theft. An employee or personal data have been
preferably encrypted and could be stored in secure folders.
The problem statement can be analysed in the following way. Internal security audits are
essential sources of information. It highlights areas needing attention and is not overly driven by
recommendations and findings. In many cases, security controls are proper for infrastructure and not
related directly to business. It leads internal control tea, for organisations to seek weaker security
controls under that infrastructure.
2. Answer to question number 2: “One purpose of risk assessment is to make information
security management transparent to employees, customers, business partners and
shareholders. Discuss.”
Risk assessment provides guidance and insights to develop an effective security strategy.
Apart from analyzing,organizational risk, risk analysis focuses on examining governance,

5SECURITY MANAGEMENTS
effectiveness and implementation of controls of information security. The result of the assessment is
a prioritized assessment of exposures and risks that could be addressed for better protection of
organization. Steps of risk assessment process include identification of hazards. This includes
anything that causes harm. It also helps in a decision that might be harmed and analyze risks and
undertake actions. Lastly, it makes a record of previous findings (Shameli-Sendi, Aghababaei-
Barzegar & Cheriet, 2016).
Data security is an integral part of decision making process. For instance, creating informed
decision is very challenging. This is mainly when operations of data centre and various other
primary elements of a service provider are invisible. Another example can be given about,
establishing a partnership with security management is vital to make sense of data security under
third-party solutions. With the help of transparency into service, one can develop a clearer vision of
risk management responsibilities and create a relationship of trust.
Application of transparency at every level of organisations permits leaders to communicate
with companies objectives to every staff. Moreover, through allowing every people in the company
helps in understanding clearly about how business could be run. This makes executive and boards
decide policies by transparency and accountability. Though it has neither been difficult for
organisations that are nor been customers to slide, beginning at any point is never too late (Ermakov
et al., 2014). Besides, transparency requires being appropriately established. Hence every part of that
organization would taste the see outcomes of transparent business.
The opening statement is true in many senses. As one is unaware of risks at a workplace, one
is simply putting themselves, employees, customers and full firm into danger. As it comes to
employee safety, moving above legal minimum helps to eliminate as much risk as possible to
decrease the number of safety-related incidents that are reported.

6SECURITY MANAGEMENTS
3. Answer to question number 3: “Trust in information security management is promoted
more through how you do it more than what you do. Discuss”
“Trust” is defined as the bilateral relationship. A trust relationship is important regarding
business conduction. Regarding trust, specialists must ensure that it is in a secure and safe place
where to perform and receive treatment (Soomro, Shah & Ahmed, 2016). For achieving this, every
member of employees requires supporting this work. It is done by reporting security concerns that
have been possessing and incidents that might occur.
For example importance of security management lies in the fact that it has ensured local
security managements meeting national standards. Further, it has been developing and improving
domestic security policies and provisions.
Various partnerships for security management never get success as partners are not aligned
with values and goals for an organization. This example shows the case of differing amounts. As the
business develops differences turn out to be a growing source of friction. This can be mitigated by
realizing that before entering a business relationship, prospective partners must be meeting and
articulating specific factors. This includes why they have wanted to become entrepreneurs. This also
includes determination of vision for the company along with long-term objectives.
Another example is a personality clash. Here, sharing of risks and possessing complementary
skills sets are huge advantages of business partnerships (Lowry et al., 2015). However, personalities
of partners have never been meshing sufficiently. This results in the fact that business has been
headed for trouble. All these problems can be solved by handling situations like dealing with
customers, vendors and difficulties. Moreover, they should keep in mind the differences in
personality that can benefit instead of a hindrance. This provides respect to partners, valuing
opinions and possesses a shared vision for the business.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7SECURITY MANAGEMENTS
The initial statement can be analyzed through the fact that few base levels of trusts are
needed to possess employment contracts. This is also helpful to get engaged in commercial
transactions. Moreover, beyond those minimum thresholds trust has also been playing an important
role.

8SECURITY MANAGEMENTS
Solution of Question Paper 2:
1. Answer to question number 1: “Risk assessment should always be used to determine the
content of a security policy. Discuss.”
Security policies are critical as it states how any company has been planning to secure
various physical and information technology assets of a business. They have been providing clarity
to readers while dealing with accountability activities and issues that are of crucial importance to the
company. This includes regulatory problems or requirements, legal liabilities, health and safety that
have severe outcomes.
RUSecure has been offering a set of security policies. This has been including supporting of
documentation that is ready to be customized and tailored to any particular needs. Further, they have
been offering an interactive editing activity and automated delivery toolset regarding security
policies also (Safa, Von Solms & Furnell, 2016). Another example can be given from the case of
Insight Consulting in the UK. They have been providing a training course that dealt with the
establishment of smart security policy. It has been covering the entire process from designing and
planning through deploying of maintenance and upkeep.
The risk assessment steps have been involving identification of hazards and deciding who
could be harmed. The next step is to evaluate risks and recognise precautions. Following this, the
records are to be found and then they are implemented. Lastly, the risk assessment and updating are
to be reviewed.
Content security policy is helpful in detecting and mitigating particular kind of attacks.
Example of this includes data injection attacks and cross-site scripting. The attacks are useful all the
things from stealing of data to a distribution of malware and site defacement (Flowerday &Tuyikeze,

9SECURITY MANAGEMENTS
2016). Besides, security policy content can be found out via HTTP response header like HSTS. This
has been defining an approved source of materials that could be led by contents.
The given statement can be justified by the fact that risks determined by risk assessment
contain security measures that help in reducing vulnerabilities and risks to a proper and reasonable
level to deliver data confidentiality, availability and integrity. This is to protect against reasonable
anticipated hazards and threats.
2. Answer to question number 2: “Audit supports policy and standards compliance but not
security. Discuss.”
“Compliance” is regarded as the state of being by various established specifications or
guidelines or process of becoming so. It can be defined as the encompassing effort ensuring
organisations have been abiding by a government and industry regulations.
“Security”, in Information Technology is the defence of IT assets and digital information
against external and internal, accidental and malicious threats. It includes response, prevention and
detection to threats by using IT services, software tools and security policies (Madi et al., 2016).
Compliance activities and security efforts converge roughly as policies in place, discovering
assets, defining strategies, analysing the level of compliance and remedying vulnerabilities or which
is out of respect. Here, for example, password policies comprise of relevance around internal
security rules GLBA, HIPAA, Sarbanes-Oxley and additional external mandates. Again, regarding
compliance patch policy is relevant to internal IT, NIST, HIPAA, GLBA and Sarbanes-Oxley
infrastructure management. Preferably, all these controls and procedures comprise of relevance
around activities of IT operation teams, security, compliance and audits (Jespersen et al., 2016).

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

10SECURITY MANAGEMENTS
Business requires compliance and security solutions transcending individual operation,
security and audit teams providing a holistic view of compliance posture and organisation risk. It has
been much more impactful for organisations to able to manage centrally every regulatory mandates
and security policies. Thus every policy is enforced efficiently, evaluated, maintained and accessed
through compliance, security and operation teams. Compliance audit comprehensively reviews
adherence of organisations towards regulatory guidelines. Thoroughness and strength of compliance
preparations are evaluated by IT, security or independent accounting consultants.
3. Answer to question number 3: “Successful information security is impossible without trust.
Discuss.”
Trust can be defined as a fiduciary relationship in which one party known as trustor provides
another party to hold property or assets(Bugiel, Heuser & Sadeghi, 2013). It is considered to be
benefit for third party which is known as beneficiary. Trust is generally used for providing legal
protection for the asset of trustor. It generally focusses on providing legal protection for the assets of
trustor so that it can save time, reduce paperwork and in some cases also reduce various kinds of
associated taxes.
Trust can be defined as a critical element for success in the fast changing world. Customers
generally buy products and services because of the built trust by the organization. It generally
focuses on building of trust both internally and externally (Chang, Kuo & Ramachandran, 2016). It
generally aims in setting of mutual goals so that stronger relationship can be built.
Security manager generally focus on organizing and overseeing of various kinds of security
operation in an organization (Ryoo et al., 2014). The ultimate goal is creating and saving the
environment where employees, visitors and property can be safe and be well protected. There are
large number of responsibilities of a security manager like:

11SECURITY MANAGEMENTS
 Development and implementation of security policies and procedures
 Proper budget for various kinds of security operation and analyzation of various kinds of
expenses.
 Planning and coordination of security events for various kinds of security operation.
 Proper reviewing of incidents and breaches.
 Investing and resolving of large number of issues.
Solution of Question paper 3:
1. Answer to question number 1: “Information security policies encourage ownership of
security. Discuss.”
Three distinct purpose of information security policy are
 Establishment of general approach to information security
 Detection and forestalling of information security like misuse of data, networks, computer
systems and various application related to it.
 Protection of reputation of organization with respect to legal and ethical kind of
responsibilities.
A security policies focus more on technical infrastructure. It has certain number of technical
infrastructure which can be used for protecting of information from unauthorized kind of access of
their employees (Chang, Kuo & Ramachandran, 2016). It is generally believed organization policies
should focus on dedication of needs of educating employees and proper protection of information
about the asset of information. It is generally believed that organizational policies should work in
such a way that it can educate employees about the way of protection of information related to
organizational assets (Ryoo et al., 2014).