IY5501 Security Management: Risk, Policies, Trust, and Continuity

Added on 2023/06/12

Essay
Running head: SECURITY MANAGEMENT
Security Management
Name of the Student
Name of the University
Author’s Note:
Table of Contents
Year 2013
Year 2014
Year 2015
Year 2016
Year 2017
Year 2013
1. Internal control in auditing and accounting can be defined as the process of
assuring that an organization achieves its objectives in operational effectiveness and
efficiency and in compliance with policies, regulations and laws.
The five layers of the COSO model are as follows:
i) Control Environment
ii) Risk Assessment
iii) Control Activities
iv) Information and Communication
v) Monitoring Activities
The three layers of the COSO model considered here are information and communication,
risk assessment and control activities. Security management in information and
communication helps to secure the information that is identified and communicated within
a specific timeframe. Security management in risk assessment helps to control and prevent
the risks that are analysed after they have been classified as either residual or inherent.
Within the control activities layer, various policies and procedures are implemented to
ensure that the risk responses are properly carried out, and security management helps to
maintain those policies and procedures effectively.
Two examples of ineffective security management damaging internal control are
inadequate records and a lack of control over authorized transactions.
Security management is a subset of internal control: internal control is used to
achieve compliance with the various rules and regulations that maintain operational
effectiveness, while security management is used to ensure that security is properly
maintained.
2. The main objective of information security risk assessment is to provide an
accurate and complete inventory of all the data and information technology assets. This
objective depends mainly on the values or importance of the assets.
The five steps in the risk assessment process are as follows:
i) Identifying hazards, i.e. anything that causes harm.
ii) Deciding who would be harmed.
iii) Assessing the risks and taking action.
iv) Recording the findings.
v) Reviewing the risk assessment.
Two examples of risk assessment contributing to the transparency of security
management are as follows:
i) Delivering products: the safety of the cars being driven should be the first
priority. In this example the risk assessment process could identify the problem, i.e. the
risk that drivers working alone get stuck in congested traffic; then decide who is harmed,
i.e. the customer; then take an action, such as calling the driver and asking him to be on
time; and finally record the finding so that he is no longer late.
ii) Financial risks: the management of this type of risk should be transparent, as
financial risks can be extremely dangerous. In this example the risk assessment process
could address the hacking of financial data, for which proper mitigation techniques should
be implemented.
Risk assessment helps to make information security management fully transparent
to the stakeholders, as it helps to identify and control all the risks in the
organization.
3. Trust is reliance on a specific individual or organization with respect to a
particular situation or phenomenon.
Trust in security management rests on assumptions, and these assumptions become
implicit when the systems are changed. The major aspects of security management include
identification of organizational assets, documentation, and policy implementation. These
procedures support risk assessment and threat assessment.
Examples of lost trust in security management are as follows:
i) Decision makers find it extremely difficult to mitigate vulnerabilities after
acquiring the resources needed to achieve business goals. This occurs because the resources
selected were not secured, and hence problems arose. Security measures should be undertaken
to secure these assets.
ii) Old hardware could be affected by threats and vulnerabilities, and hence security
would be affected. This occurs because antivirus or anti-malware software was not
installed. The probable security measure is to protect the hardware with antivirus or
anti-malware protection.
Trust in information security management is promoted mainly because it allows
symbolic representations of trust to be processed in automated decision-making.
Moreover, it is implemented in information security mainly through access control policies.
4. Two areas of legislation affecting information security management are as
follows:
i) Hacking of systems is a major area of legislation for information security
management. Violations of the rules against hacking any confidential system could be
extremely dangerous for any organization.
ii) Violation of compliance laws is the second area of legislation that affects
information security management. These laws help to maintain the integrity and
authenticity of any organization.
For the hacking of systems, every nation has strict laws that help to deter such
activities. The best example of this is the high penalties incurred for hacking a system.
Moreover, hackers can receive up to 20 years of imprisonment.
For the violation of compliance laws in any organization, various legal actions are
taken. One example is infringement or other violations of intellectual property rights.
The security manager should know all the aspects of law that apply to the
organization, as he is responsible for the technical and functional expertise, and any
malfunction in the systems should be reported to him directly.
5. The main purpose of business continuity is to help the organization respond to
all types of disruption to its critical business processes.
There is a difference between business continuity and disaster recovery. Business
continuity is the plan that helps a business continue operating during any disaster. DR,
on the other hand, helps the business understand the procedure for recovering IT after a
disaster. DR plans help with backing up the entire data.
The four steps in the business continuity life cycle are as follows:
i) Risk assessment.
ii) Business impact analysis or BIA.
iii) Implementation of the plan.
iv) Testing and maintenance of the plan.
These steps could be audited in accordance with the Internal Auditing Standards.
There are a few procedures for auditing the business continuity plan, and these phases
should be executed during the audit. The procedures include document review and analysis,
interviews, and walkabout surveys.
Standards such as resilience, recovery and contingency make it much easier to
assess business continuity, as these standards ensure the continuity of the business.
Year 2014
1. The role of a security policy is to maintain physical as well as location security,
to create a security policy document and to react to specific security exposures.
Two examples of security policies are application controls and data encryption.
Application controls are security policies that block the execution of an application or
even deny Internet access to an application. Data encryption, on the other hand, enables
encryption of the data in files on removable storage devices.
The five steps in the risk assessment process are as follows:
i) Identifying hazards, i.e. anything that causes harm.
ii) Deciding who would be harmed.
iii) Assessing the risks and taking action.
iv) Recording the findings.
v) Reviewing the risk assessment.
An example of risk assessment being used to determine the content of a security
policy is that the threat-prone content must be known for any specific security policy in
order to understand the risks.
Risk assessments are used to determine the content of the security policy, as the
risks should be assessed against what is present in the security policy. If the vulnerable
content is not known, it is impossible to execute the risk assessment.
2. Compliance in information security refers to the standards or regulations for
maintaining the security of information in a particular organization. Security refers to
the measures undertaken to secure confidential information.
An example of convergence of security and compliance is the Payment Card Industry or
PCI data security standard. An example of divergence of security and compliance is
cryptocurrencies.
The audit process is as follows:
i) Requesting documents.
ii) Preparing an audit plan.
iii) Scheduling meetings.
iv) Conducting fieldwork.
v) Drafting a report.
vi) Setting up a closing meeting.
The audit process would provide compliance with the Payment Card Industry or PCI data
security standard and with cryptocurrencies, as this process does not support security and
only supports policy or standard compliance.
3. Trust is reliance on a specific individual or organization with respect to a
particular situation or phenomenon. The three types of trust in the management of
information security are third-party trust, direct or personal trust and discretionary
trust. Third-party trust contributes to managing information security by maintaining trust
between the sender and receiver of the information. The sender and receiver trust each other
by simply sharing a common third party, and this third party vouches for their
trustworthiness. An example is a certification authority.
Direct trust refers to the direct or personal trust between the sender and receiver, who do
not involve any third party in sharing their information. It is extremely secure. In
discretionary trust, the information is not fixed but is determined by the distinct criteria
established within the trust instrument.
The role of the security manager is to look after the overall quality of the
security management process. He is responsible for coordinating the changes within the
organization regarding information technology. The security manager depends on the
various types of trust while carrying out two risk management processes; an example of
this is the management of SSL certificates. The security manager can follow various
procedures while carrying out these processes.
4. Business continuity can be defined as the ability of a company to maintain its
necessary functions during or after a disaster.
The steps in any business continuity process are as follows:
i) Risk assessment.
ii) Business impact analysis or BIA.
iii) Implementation of the plan.
iv) Testing and maintenance of the plan.
In any organization, there are three departments. For each department, the business
continuity process could be implemented by explaining the major roles, documents or tasks.
BCP should be implemented as it provides uninterrupted operational support and customer
service support. Moreover, the loss of business revenue is minimized and client confidence
is cultivated by this process.
Business continuity is a task that never ends, because the business continuity
process or procedure must be updated regularly so that there is no delay in continuing the
business even if a serious disaster occurs.
5. The role of legal compliance in information security is to ensure that an
organization secures its information in full compliance with every applicable law and
regulation. The role of standards in information security is to facilitate communication,
and thus information security management is important.
Three examples of laws and standards regarding compliance are the General Data
Protection Regulation or GDPR, the Federal Information Security Management Act or FISMA
and the Payment Card Industry Data Security Standard or PCI DSS.
i) GDPR: it helps to protect data and maintain privacy for all users.
ii) FISMA: it is the federal law that requires federal agencies to properly develop,
document and implement information security.
iii) PCI DSS: it is the information security standard for handling credit cards.
The above-mentioned standards of security management or security technology help
the organization achieve legal compliance by developing, documenting and finally
implementing a program for information protection and security.
Year 2015
1. Three purposes of a security policy are confidentiality, integrity and
availability, or CIA for short, for the systems and information of a specific
organization. An example of confidentiality is maintaining privacy about confidential
information such as bank account details. An example of integrity is that confidential
data, such as the data on an ATM card, is not changed without the user's permission. An
example of availability is the availability of information through backups of data.
The security management framework is the set of security policies. The ways in which
the security policy fits into the security management framework include identifying risks,
aligning the policy with legal requirements and providing proper training. Risk assessment,
risk treatment, audits and business continuity are carried out by connecting the security
policy with security management.
Information security policies encourage ownership of security. The information
security policies are applied to the executive department agencies, and thus security is
maintained.
2. Humans can be defined as the weakest link in the defence of information security,
as there is always a high chance of information loss in this area. The two interpretations
are intentional loss of information and intentional damage to hardware.
A security audit is required to evaluate the information systems of an organization
and thus maintain the integrity of information.
The steps of the security audit process are as follows:
i) Planning the audit.
ii) Holding the audit meeting.
iii) Gathering data and testing IT controls.
iv) Remediating identified deficiencies.
v) Testing the remediated controls.
vi) Analysing and reporting the findings.
The role of audit in identifying the weakest links includes assessing the available
resources and assets, risk assessment, gathering important data and finally testing the
remediated controls. These steps help to identify the weak links in the defence of
information security.
3. The steps of risk assessment are:
i) Identifying hazards, i.e. anything that causes harm.
ii) Deciding who would be harmed.
iii) Assessing the risks and taking action.
iv) Recording the findings.
v) Reviewing the risk assessment.
The steps in risk treatment are:
i) Establishing the context: at first the context is established.
ii) Identifying risks: the probable risks are identified.
iii) Analysing the identified risks.
iv) Evaluating the identified risks.
v) Finally treating all the risks.
Risk ownership is handled by assigning risks to suitable persons or agencies, since
un-owned risks are unmanaged. Examples of risk ownership include risk avoidance and risk
buffering.
Risk management institutionalizes risk ownership and does not treat risk, as it helps
to protect information from being lost by accident.
4. Business continuity can be defined as the ability of a company to maintain its
necessary functions during or after a disaster.
The steps in any business continuity process are as follows:
i) Risk assessment.
ii) Business impact analysis or BIA.
iii) Implementation of the plan.
iv) Testing and maintenance of the plan.
Two examples of when the BCP is deployed to support online e-commerce services are
identifying the target audience and potential crises, and setting out a plan in case any
type of disaster occurs.
For identifying the target audience, the business continuity process has specific
effects on users' trust, as the organization's position in the market is known, along with
how to maintain that position without any problems or disasters. For disaster occurrence,
backups of data should be maintained to keep the trust of the users.
5. Two pieces of information security legislation are the Data Protection Act 1998
and the Freedom of Information Act 2000.
The effects of the Data Protection Act 1998 on the ISO 27001 security management
framework include processing personal data lawfully and fairly, obtaining personal data
only for specified and lawful purposes, and processing personal data according to data
rights. The effects of the Freedom of Information Act 2000 on the ISO 27001 security
management framework include giving a right of access to information, with information
received only by authorized users.
Challenges in achieving compliance with information security legislation are loss of
confidentiality and integrity and lack of availability of information.
Year 2016
1. The steps of risk assessment are:
i) Identifying hazards, i.e. anything that causes harm.
ii) Deciding who would be harmed.
iii) Assessing the risks and taking action.
iv) Recording the findings.
v) Reviewing the risk assessment.
The risk assessment is the input for two other processes of security management. The
steps of the security management process are as follows:
i) Determining and evaluating the information technology assets and resources.
ii) Analysing the risks in the process.
iii) Defining the various security practices.
iv) Implementing the various security practices.
v) Monitoring violations and taking action.
vi) Re-evaluating IT assets and risks.
The risk assessment is at the core of information security management, as it helps
to determine the security of the assets involved in the process of managing information.
If the risks are not assessed, it is evident that the information would lose
confidentiality or integrity.
2. The steps in any business continuity process are as follows:
i) Risk assessment.
ii) Business impact analysis or BIA.
iii) Implementation of the plan.
iv) Testing and maintenance of the plan.
The two functions of the business continuity process are as follows:
i) Maintaining continuity of services and operations.
ii) Building customer confidence.
The three types of evaluation are planning, formative and summative. Planning
evaluation is done before the process is executed. Formative evaluation is done while the
processes are being developed, and summative evaluation is done after the processes have
been executed.
Recovery Time Objective or RTO is the specific duration within which business
processes must be restored after a disaster to avoid unacceptable consequences. Maximum
Acceptable Outage or MAO is the maximum amount of time that a system can be unavailable
before the organizational objectives are lost.
Assigning responsibilities is the most significant step in business continuity
planning, as it helps to define the processes precisely, and since the responsibilities
are segregated, the execution of business processes is easier.
3. Effective security management is a subset of internal control: internal control
is used to achieve compliance with the various rules and regulations that maintain
operational effectiveness, while security management is used to ensure that security is
properly maintained.
The steps in the audit process are as follows:
i) Requesting documents.
ii) Preparing an audit plan.
iii) Scheduling meetings.
iv) Conducting fieldwork.
v) Drafting a report.
vi) Setting up a closing meeting.
Audit plays the most significant role in measuring effective security management,
as it provides independent assurance of the organization's risk management, internal
control process and governance effectiveness.
Two processes of security management that contribute to its effectiveness are the
ISMS or Information Security Management System and risk management.
Audit helps to measure effective security management by providing independent
assurance of the organization's risk management, internal control process and governance
effectiveness. Thus it is extremely effective.
4. The main difference between law and regulation is that laws are guidelines for the
setting up of organizations to govern behaviour, whereas regulation can be defined as the
procedure for monitoring and enforcing rules. An example of a law is the Freedom of
Information Act 2000 and an example of a regulation is the Federal Act.
The key points of information security legislation are CIA, i.e. confidentiality,
integrity and availability. This affects how the organization interacts with third parties.
Legislation is the set of legal provisions that helps to maintain and encourage trust
between the business and the third party.
Laws and regulations are responsible for maintaining trust in the organization's
management of information security, as the user gets the assurance that if any violation
of the rules occurs, legal action will be taken.
5. An information security policy is the collection of rules enacted by an
organization to ensure that all users and networks operate according to the laws set
beforehand. The security policy should take a form that details all the constraints on the
behaviour of members and how those constraints should be addressed.
An information security management system or ISMS is the collection of procedures
or policies for systematically controlling all the confidential data of the organization.
The objective of this system is to reduce risk and thus ensure business continuity by
proactively limiting the overall impact of security breaches. The components of an ISMS
include scope and boundaries, information classification, risk management methodology,
risk treatment, statement of applicability, physical security, incident handling and
various controls. The ISMS is the core of the international information security
management standard, since it addresses the behaviour as well as the processes of data and
technology. This is extremely important for data types such as customer data, and it helps
in implementing security in a comprehensive way.
Two distinct roles in the functioning of the ISMS are the management of risk
assessment and the development of standards and policies together with the testing of
security processes. Compliance with the security policies mainly ensures that the
organization's information is maintained perfectly without any problems of data integrity.
Year 2017
1. a) Information security can be defined as the state of being protected from
illegal information and unauthorized data. This concept deals with the security of
electronic data and information.
b) Information security management deals with the security of the data and information
in an organization or institution.
c) An information security management system refers to a set of policies that helps to
maintain the security of the data and information of an organization or institution.
d) Information security controls are the safety measures taken by the organization to
secure data and information and to minimize the security risks to physical property and
computer systems.
ISO/IEC 27000 deals with information security standards in the organization. It
provides an overview and vocabulary for information security.
ISO/IEC 27001 deals with different security techniques for securing data and information
in the organization.
ISO/IEC 27002 is a code of practice for the various information security controls that
can be managed by the ISMS.
2. a) Information security risk management is the most important subset of the
enterprise risk management process, including the assessment of information security
risks and the establishment of priorities for managing and implementing various
controls.
b) The steps of the ISO/IEC information security risk management standard, ISO/IEC
27005, are as follows:
i) Identifying the risks.
ii) Analysing the risks.
iii) Evaluating the rank of the risks.
iv) Treating the risks.
v) Monitoring and reviewing the risks.
Figure 1: Steps in Risk Management
The advantage of the quantitative approach to data analysis is that it ensures validity
and reliability. However, the disadvantage of the quantitative approach to data analysis is
that it does not provide statistical data in the way the qualitative approach does.
c) An example of a risk that is not an information security risk is data availability.
It depends completely on the availability of data and thus is not a part of information
security.
3. a) An audit is the proper and systematic inspection or examination of the accuracy
of data, processes or systems in an organization. The two reasons for using audit in the
general sense are to verify on-site activities and to check the production and functioning
of the assets.
b) Audit from the information security perspective is the examination of whether the
information is accurate or not. Internal audits cover information related to the employees
of the company, while external audits cover information related to the customers and
stakeholders of the company.
c) Penetration testing is the controlled testing of a system or network to find the
vulnerabilities that an attack could exploit. The two reasons for using penetration testing
are determining the specific set of attacks and identifying high-risk vulnerabilities.
The two types of penetration testing are black box penetration testing and white box
penetration testing. These two types are extremely important for users.
4. a) i) Staff vetting refers to the practice of contacting references for employees of
the organization. The vetting process includes looking for prior convictions or jail time,
checking credit references, verifying professional licences and certifications, and
tracking employment history.
ii) The steps included in the staff vetting process are as follows:
Conducting a background check: checking the previous record of the employee helps to
avoid wasting resources and money on the employee.
Privacy issues: privacy issues relate to the private information of the employees in
the organization. This helps in understanding the privacy issues in the organization.
Employee references: references for the employee help in understanding the nature of
the employee in the organization.
b) i) Security culture in an organization refers to the security environment in the
workforce that helps to secure the data and information of the company.
ii) A positive security culture helps to maintain positivity among the employees and
motivates them to secure their data and information.
The second reason is that a positive security culture helps to maintain the positive
attitude of the employees in the workforce.
iii) A beneficial security culture helps in implementing security practices in
organizational practice. The second way is that performing security analysis within the
organizational culture helps in maintaining the security of data and information.
c) i) An acceptable use policy (AUP) is a document that outlines a set of rules to be
followed by users or customers of a set of computing resources, which could be a computer
network, website or large computer system.
ii) General use and ownership, security information, unacceptable use.
5. a) For TalkTalk, one of the most important drawbacks and weaknesses was not
patching the bugs and vulnerabilities in its databases, which are accessed by the users of
its site; this access could not be stopped as it is a routine process. Other weaknesses
include the lack of monitoring even after its databases had been attacked previously in
the same way. Even after the attacks, the organization did not change or improve the
vulnerable web pages through security testing of the pages, such as the use of a quote
character (') in the input controls on the web form or in a query-based URL.
b) i) The organization should have tested its website against known attack
techniques and patched the database. In addition, the use of an outdated database lacking
the latest security patches also helped the attackers succeed in their attack.
ii) TalkTalk could have used parameterized stored procedures rather than simple SQL
queries to fetch and retrieve data in order to prevent this kind of attack. In addition,
it is also important to ensure that the web applications do not run with administrative
privileges at the server end.
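The two mitigations named above, parameterized data access and a non-administrative database account, can be shown side by side. The following Python example is added here and is not TalkTalk's code or part of the original essay; it uses an in-memory SQLite table of constructed sample customers (the names and addresses are invented), contrasts a lookup built by string concatenation with a parameterized one, and opens a second, read-only connection to show that a low-privilege data-tier account cannot modify data even when a statement is manipulated.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample data for the demonstration (not real customer records).
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.test"),
    (2, "o'brien", "obrien@example.test"),   # a legitimate name containing a quote
    (3, "bob", "bob@example.test"),
]


def create_sample_db(path=":memory:"):
    """Create the customers table and load the constructed sample rows."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """The weakness the essay describes: the form value is pasted into the SQL text.

    A quote character in the input therefore becomes part of the query syntax
    instead of being compared as data.
    """
    sql = (
        "SELECT id, username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value travels separately from the statement."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def input_reaches_parser(conn, username):
    """True when the unsafe builder lets this input alter the SQL syntax.

    The resulting OperationalError is the kind of server error a quote-in-input
    security test triggers on an unprotected page.
    """
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def open_readonly(path):
    """Least privilege at the data tier: this connection may read the
    customers table but cannot write to it (SQLite's mode=ro URI option)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def can_write(conn):
    """Attempt a modification and report whether the connection allowed it.

    A successful change is rolled back so the demonstration leaves the data intact."""
    try:
        conn.execute("DELETE FROM customers")
    except sqlite3.OperationalError:
        return False
    conn.rollback()
    return True


def least_privilege_demo():
    """Return (writable via full-access connection, writable via read-only one)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "customers.db")
    full = create_sample_db(path)
    limited = open_readonly(path)
    try:
        return (can_write(full), can_write(limited))
    finally:
        full.close()
        limited.close()
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    db = create_sample_db()
    print("safe lookup:", lookup_safe(db, "o'brien"))
    print("unsafe lookup breaks on a quote:", input_reaches_parser(db, "o'brien"))
    print("(full, read-only) can write:", least_privilege_demo())
```

The parameterized lookup returns the O'Brien row correctly, while the concatenated version fails on the same input because the apostrophe is parsed as SQL; that failure is the signal the essay's quote-character test is designed to surface. The read-only connection stands in for a database account that holds only the rights the web tier needs.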
c) No, the attackers were successful due to the lack of monitoring by the organization's
IT department even after it had previously been attacked using the same technique. The
organization should have used a new database system or patched the existing database with
the latest released patches to ensure that the bugs could not be exploited. As they
neglected the security aspect of the applications and server, they were not merely unlucky
to be attacked using the SQL injection technique.
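The lack of monitoring raised above can be illustrated with a small detection routine. The following Python example is added here and is not part of the original essay or TalkTalk's tooling; it scans a few constructed web-server access log lines (Apache combined-style, with invented addresses, paths and timestamps) for the pattern a defender would watch for after such an incident: a request whose parameters contain a quote character that the server answers with a 5xx error, which indicates that the input reached the database layer unhandled. A legitimate search for a name containing an apostrophe that returns 200 is not flagged, and an address that produces repeated hits is reported for alerting.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access log lines (invented addresses, paths and timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Oct/2015:14:02:11 +0000] "GET /article.php?id=42 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [21/Oct/2015:14:02:19 +0000] "GET /article.php?id=42%27 HTTP/1.1" 500 318',
    '198.51.100.7 - - [21/Oct/2015:14:03:02 +0000] "GET /search?q=o%27brien HTTP/1.1" 200 2210',
    '203.0.113.5 - - [21/Oct/2015:14:03:40 +0000] "GET /article.php?id=42%27%27 HTTP/1.1" 500 318',
    '192.0.2.9 - - [21/Oct/2015:14:04:05 +0000] "GET /login?user=alice HTTP/1.1" 200 1780',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qs percent-decodes, so %27 becomes a literal apostrophe
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def has_quote_in_params(entry):
    """True if any query parameter value contains a single or double quote."""
    return any(
        "'" in value or '"' in value
        for values in entry["params"].values()
        for value in values
    )


def is_probe(entry):
    """A quote in the input answered by a server error means the quote reached
    the database layer untreated; a quote answered with 200 (for example a real
    name such as O'Brien) is normal traffic and is not flagged."""
    return has_quote_in_params(entry) and entry["status"] >= 500


def probes_by_ip(lines):
    """Count flagged requests per client address."""
    counts = Counter()
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None and is_probe(entry):
            counts[entry["ip"]] += 1
    return dict(counts)


def alerting_ips(lines, threshold=2):
    """Addresses that produced at least `threshold` flagged requests."""
    return sorted(ip for ip, n in probes_by_ip(lines).items() if n >= threshold)


if __name__ == "__main__":
    print("flagged requests per address:", probes_by_ip(SAMPLE_LOG))
    print("addresses to alert on:", alerting_ips(SAMPLE_LOG))
```

Pairing the quote-in-input condition with the server's error status keeps the rule from firing on ordinary customers whose names contain apostrophes, while still surfacing repeated failures from one source; in a real deployment the same check would run continuously against the web tier's logs rather than once over a sample.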