IY5501 Security Management: Risk, Policies, Trust, and Continuity

Added on 2023/06/12

AI Summary
This essay provides a detailed overview of security management, covering key concepts, policies, and practices. It begins by discussing internal control and the COSO model, highlighting how security management contributes to risk assessment, information and communication, and control activities. The essay then delves into the risk assessment process, emphasizing its role in transparency and decision-making. The importance of trust in security management is explored, along with examples of lost trust and potential security measures. Furthermore, the essay discusses the impact of legislation on information security management, focusing on hacking and compliance laws. Finally, it examines business continuity planning, outlining its steps and auditing procedures, and concludes with the significance of legal compliance and standards in information security.
Running head: SECURITY MANAGEMENT
Security Management
Name of the Student
Name of the University
Author’s Note:
Table of Contents
Year 2013...................................................................................................................................2
Year 2014...................................................................................................................................7
Year 2015.................................................................................................................................11
Year 2016.................................................................................................................................15
Year 2017.................................................................................................................................19
Year 2013
1. Internal control, in auditing and accounting, can be defined as the process of
assuring that an organization achieves its objectives in operational effectiveness and
efficiency and in compliance with policies, regulations and laws.
The five layers of the COSO model are as follows:
i) Control Environment
ii) Risk Assessment
iii) Control Activities
iv) Information and Communication
v) Monitoring Activities
The three layers of the COSO model to which security management contributes are
information and communication, risk assessment and control activities. In information and
communication, security management helps to secure the information that is identified and
communicated within a specific timeframe. In risk assessment, security management helps to
secure against and prevent the risks that are analysed and classified as either residual or
inherent. Within the control activities layer, various policies and procedures are implemented
to ensure that risk responses are properly carried out, and security management helps to
maintain those policies and procedures effectively.
Two examples of ineffective security management damaging internal control are
inadequate records and a lack of control over authorized transactions.
Security management is a subset of internal control: internal control is used to meet
the various rules and regulations that maintain operational effectiveness, while security
management is used to ensure that security is maintained properly.
2. The main objective of information security risk assessment is to provide an
accurate and proper inventory of all data and information technology assets. This objective
depends mainly on the value or importance of the assets.
The five steps in the risk assessment process are as follows:
i) Identification of hazards, i.e. anything that causes harm.
ii) Deciding who would be harmed.
iii) Assessing the risks and taking action.
iv) Recording all the findings.
v) Reviewing the final risk assessment.
Two examples of risk assessment contributing to the transparency of security
management are as follows:
i) Delivering Products: The safety of the cars being driven should be the first priority.
In this example the risk assessment process could be: identifying the problem, i.e.
understanding the risks of drivers working alone and possibly being stuck in congested
traffic; deciding who is harmed, which is the customer; taking an action, such as calling the
driver and asking him to be on time; and finally making a record so that he is no longer late.
ii) Financial Risks: The security of this type of risk should be transparent, as financial
risks could be extremely dangerous. In this example the risk assessment process could address
the hacking of financial data, and proper mitigation techniques should be implemented.
Risk assessment helps to make information security management completely
transparent to the stakeholders, as it helps to identify and control all the risks in the
organization.
3. Trust is reliance on a specific individual or organization in a particular situation or
phenomenon.
Trust in security management provides assumptions, and these assumptions eventually
become implicit when the systems are changed. The major aspects of security management
include identification of organizational assets, documentation and policy implementation.
These procedures help in risk assessment and threat assessment.
Examples of lost trust in security management are as follows:
i) Decision makers finding it extremely difficult to mitigate vulnerabilities after
acquiring the resources needed to achieve business goals. This occurred because the resources
selected were not secured, and hence problems occurred. Security measures should be
undertaken to secure these assets.
ii) Old hardware could be affected by threats and vulnerabilities, and hence security
would be affected. This occurred because antivirus or anti-malware software was not
installed. The probable security measure is to secure the hardware with antivirus or
anti-malware protection.
Trust in information security management is promoted mainly because it helps in
processing symbolic representations of trust for automatic decision-making processes.
Moreover, in information security it is implemented mainly in access control policies.
4. Two areas of legislation affecting information security management are as
follows:
i) Hacking of systems can be a major area of legislation for information security
management. Violations of the rules by hacking any confidential system could be extremely
dangerous for any organization.
ii) Violation of compliance laws is the second area of legislation that affects
information security management. These laws help to maintain the integrity and authenticity
of any organization.
For the hacking of systems, every nation has strict laws that help to mitigate such
activities. The best example of this is the high penalties incurred for hacking a system.
Moreover, hackers can get up to 20 years of imprisonment.
For the violation of compliance laws in any organization, various legal actions are
taken. One example is infringement or repeated violation of intellectual property rights.
All the aspects of law applying to an organization should be known by the security
manager, as he is responsible for the technical and functional expertise, and any wrong
functionality in the systems should be reported to him directly.
5. The main purpose of business continuity is to help the organization respond to all
types of disruptions to critical business processes.
There is a difference between business continuity and disaster recovery. Business
continuity is the plan that helps a business continue through any disaster. DR, on the other
hand, helps the business understand the procedure for recovering IT after any disaster. DR
plans help in backing up the entire data.
The four steps in the business continuity life cycle are as follows:
i) Risk Assessment.
ii) Business Impact Analysis or BIA.
iii) Implementation of the plan.
iv) Testing and maintenance of the plan.
These steps can be audited in accordance with the Internal Auditing Standards. There
are a few procedures for auditing the business continuity plan, and these phases should be
executed while auditing. The procedures include document review and analysis, interviews,
and a walkabout survey.
Standards for resilience, recovery and contingency make it much easier to assess
business continuity, as these standards ensure the continuity of the business.
Year 2014
1. The role of a security policy is to maintain physical and location security, to create
a security policy document, and to react to specific security exposures.
Two examples of security policies are application controls and data encryption.
Application controls are security policies that block the execution of an application or even
deny it Internet access. Data encryption, on the other hand, enables encryption of the data in
various files on removable storage devices.
The five steps in the risk assessment process are as follows:
i) Identification of hazards, i.e. anything that causes harm.
ii) Deciding who would be harmed.
iii) Assessing the risks and taking action.
iv) Recording all the findings.
v) Reviewing the final risk assessment.
An example of risk assessment being used to determine the content of a security
policy is that the threat-prone content should be known for any specific security policy in
order to understand the risks.
Risk assessment is used to determine the content of the security policy, because the
risks should be assessed against what is present in the security policy. If the vulnerable
content is not known, it is impossible to execute the risk assessment.
2. Compliance for information security refers to the standards or regulations for
maintaining the security of information in a particular organization. Security refers to the
measures undertaken to secure confidential information.
An example of convergence of security and compliance is the Payment Card Industry
(PCI) Data Security Standard. An example of divergence of security and compliance is
cryptocurrencies.
The audit process is as follows:
i) Requesting documents.
ii) Preparing an audit plan.
iii) Scheduling meetings.
iv) Conducting fieldwork.
v) Drafting a report.
vi) Setting up a closing meeting.
The audit process provides compliance to the Payment Card Industry (PCI) Data
Security Standard and to cryptocurrencies, as this process does not support security and only
supports policy or standard compliance.
3. Trust is reliance on a specific individual or organization in a particular situation or
phenomenon. The three types of trust in the management of information security are third
party trust, direct or personal trust, and discretionary trust. Third party trust contributes to
managing information security by maintaining trust between the sender and receiver of the
information. The sender and receiver trust each other simply by sharing a common third
party, and this third party vouches for their trustworthiness. An example is a certification
authority.
Direct trust refers to the direct or personal trust between the sender and receiver, who do
not involve any third party in sharing their information. It is extremely secure. In discretionary
trust, the information is not fixed but is determined by the distinct criteria established within
the trust instrument.
The role of the security manager is to look after the overall quality of the security
management process. He is responsible for coordinating the changes within the organization
regarding information technology. The security manager depends on the various types of trust
while carrying out two risk management processes. An example of this is the management of
SSL certificates. The security manager may go through various processes while carrying out
these tasks.
4. Business continuity can be defined as the ability of a company to maintain its
necessary functions during or after any disaster has occurred.
The steps in any business continuity process are as follows:
i) Risk Assessment.
ii) Business Impact Analysis or BIA.
iii) Implementation of the plan.
iv) Testing and maintenance of the plan.
In any organization there are three departments. For each department, the business
continuity process can be implemented by explaining the major roles, documents or tasks.
BCP should be implemented as it provides uninterrupted operational support and customer
service support. Moreover, with this process the business revenue is minimized and client
confidence is cultivated.
Business continuity is a task that has no end. This is because the business continuity
process must be updated regularly so that there is no delay in continuing the business even if
serious disasters occur.
5. The role of legal compliance in information security is to ensure that the
organization is properly securing its information in complete compliance with every law and
regulation. The role of standards in information security is to facilitate communication, and
thus information security management is important.
Three examples of laws and standards regarding compliance are the General Data
Protection Regulation (GDPR), the Federal Information Security Management Act (FISMA)
and the Payment Card Industry Data Security Standard (PCI DSS).
i) GDPR: It helps to protect data and maintain privacy for all users.
ii) FISMA: It is the federal law that requires federal agencies to properly develop,
document and implement information security.
iii) PCI DSS: It is the information security standard for handling credit cards.
The above-mentioned standards of security management or security technology help
the organization achieve legal compliance by developing, documenting and finally
implementing the program for information protection and security.
Year 2015
1. Three purposes of a security policy are confidentiality, integrity and availability
(CIA for short) for the systems and information of a specific organization. An example of
confidentiality is maintaining privacy over confidential information such as bank account
details. An example of integrity is that confidential data, such as the data on an ATM card, is
not changed without the user's permission. An example of availability is the availability of
information, such as a backup of the data.
The security management framework is the set of security policies. The ways in which
the security policy fits into the security management framework include identifying risks,
aligning the policy with legal requirements, and providing proper training. Risk assessment,
risk treatment, audits and business continuity are carried out by connecting the security policy
with security management.
Information security policies encourage ownership of security. The information
security policies are applied to the executive department agencies, and thus security is
maintained.
2. Humans can be defined as the weakest link in the defence of information security,
as there is always a high chance of information loss in this area. The two interpretations are
intentional loss of information and intentional damage to hardware.
A security audit is required to evaluate the information systems of an organization
and thus maintain the integrity of information.
The steps of the security audit process are as follows:
i) Planning of the audit.