University ISM Security Management Report - Semester 1
VerifiedAdded on 2022/08/25
|17
|2844
|25
Report
AI Summary
This report, prepared for a university, addresses key aspects of Information Security Management (ISM). Task 1 focuses on a CISO blog, outlining the CISO's role, duties, and responsibilities, emphasizing the importance of cybersecurity and the implications of GDPR. Task 2 presents an Acceptable Use Policy (AUP) aligned with ISO27000, covering BYOD, data integrity, confidentiality, and availability. It includes security requirements for academic and administrative domains, along with recommendations for physical security, login standards, virus protection, auditing, disaster recovery, and training. Task 3 involves an infographic addressing data breaches, business continuity, and disaster recovery, emphasizing containment, recovery, and prevention measures. The report provides a comprehensive overview of security management, incident response, and compliance within a university context, offering insights into practical challenges and regulatory requirements.
Running head: ISM
ISM
Name of the Student:
Name of the University:
Author Note:
ISM
Name of the Student:
Name of the University:
Author Note:
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1ISM
Table of Contents
Task 1...............................................................................................................................................2
Summary......................................................................................................................................2
CISO Blog...................................................................................................................................2
Task 2...............................................................................................................................................4
Summary......................................................................................................................................4
Acceptance Use Policy................................................................................................................4
Task 3.............................................................................................................................................10
Summary....................................................................................................................................10
Infographics...............................................................................................................................11
References......................................................................................................................................12
Appendix........................................................................................................................................15
Table of Contents
Task 1...............................................................................................................................................2
Summary......................................................................................................................................2
CISO Blog...................................................................................................................................2
Task 2...............................................................................................................................................4
Summary......................................................................................................................................4
Acceptance Use Policy................................................................................................................4
Task 3.............................................................................................................................................10
Summary....................................................................................................................................10
Infographics...............................................................................................................................11
References......................................................................................................................................12
Appendix........................................................................................................................................15
2ISM
Task 1
Summary
This task is about writing CISO blog which could be published on intranet of University.
In the blog, chief information security officer (CISO)’s role, duties as well as responsibilities
along with group infrastructure of cyber security would be introduced. The blog would outline
cyber security’s importance for University with special focus be given on General Data
Protection Regulation (GDPR).
CISO Blog
Cyber Security
22.03.2020
I have been appointed as new chief information security officer (CISO) for this
university. It is responsibility of CISO for providing security to data and information of the
university. It is job of CISO in analyzing the threats within the system of the university. It is role
of CISO to keep abreast of the developing threats in security and helping board understand the
potential problems of security which could arise from the acquisitions or all other big moves.
CISO must ensure that internal staff does not steal or misuse data. It is responsibility of CISO to
plan, buy and roll out security software and hardware as well as make sure network infrastructure
along with IT is designed having best practices for security. CISO ensures that only people
having authorization have access for restricted systems and data. It is duty of CISO keep ahead
of the security needs through implementation of projects or programs which mitigate risks (Voigt
and Von dem Bussche 2017). CISO detects what was wrong in breach, deals with those if they
are internal as well as plans for avoiding repeats of similar crisis.
Task 1
Summary
This task is about writing CISO blog which could be published on intranet of University.
In the blog, chief information security officer (CISO)’s role, duties as well as responsibilities
along with group infrastructure of cyber security would be introduced. The blog would outline
cyber security’s importance for University with special focus be given on General Data
Protection Regulation (GDPR).
CISO Blog
Cyber Security
22.03.2020
I have been appointed as new chief information security officer (CISO) for this
university. It is responsibility of CISO for providing security to data and information of the
university. It is job of CISO in analyzing the threats within the system of the university. It is role
of CISO to keep abreast of the developing threats in security and helping board understand the
potential problems of security which could arise from the acquisitions or all other big moves.
CISO must ensure that internal staff does not steal or misuse data. It is responsibility of CISO to
plan, buy and roll out security software and hardware as well as make sure network infrastructure
along with IT is designed having best practices for security. CISO ensures that only people
having authorization have access for restricted systems and data. It is duty of CISO keep ahead
of the security needs through implementation of projects or programs which mitigate risks (Voigt
and Von dem Bussche 2017). CISO detects what was wrong in breach, deals with those if they
are internal as well as plans for avoiding repeats of similar crisis.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
3ISM
General Data Protection Regulation (GDPR) would make protection of data of the
university top priority. It is duty of CISO in taking measures for enhancing security of data as
well as eliminating or mitigating related risk. GDPR contains several provision which aimed to
strengthen data subjects’ rights. GDPR applies strict obligations over data controllers as well as
processors with respect to notifying to data subjects that are impacted as well as supervisory
authority in case of data breach. Data controller should notify supervisory authority about data
breach in certain period of time, unless breach would result in risk for freedoms and rights of the
data subjects (Albrecht 2016). GDPR states protecting information security and network is
legitimate interest for the university, which includes operators of the networks as well as
computer systems of the university. Requirements of GDPR apply for every member of the
university for creating more protection of the data within the system of the university. Few of
major data protection and privacy requirements of GDPR consist of: requiring subject’s consent
for processing of data, providing notifications of data breach, anonymizing data that is collected
for protecting privacy and safely handling data transfer. It is duty of CISO in overseeing GDPR
compliance. GDPR would mandate several standards for the university for handling data of the
university for better safeguarding processing as well as movement of sensitive data of the
university. Purpose of GDPR is imposing uniform law of data security for every member of the
university. CISO would be involved for ensuring every new offering is compliant to GDPR as
well as secure design from business, technical and legal standpoint. Role of CISO would change
quite little on everyday basis of practice (De Hert et al. 2018). It would be role of GISO to
maintain security practices for protecting sensitive data of the university.
General Data Protection Regulation (GDPR) would make protection of data of the
university top priority. It is duty of CISO in taking measures for enhancing security of data as
well as eliminating or mitigating related risk. GDPR contains several provision which aimed to
strengthen data subjects’ rights. GDPR applies strict obligations over data controllers as well as
processors with respect to notifying to data subjects that are impacted as well as supervisory
authority in case of data breach. Data controller should notify supervisory authority about data
breach in certain period of time, unless breach would result in risk for freedoms and rights of the
data subjects (Albrecht 2016). GDPR states protecting information security and network is
legitimate interest for the university, which includes operators of the networks as well as
computer systems of the university. Requirements of GDPR apply for every member of the
university for creating more protection of the data within the system of the university. Few of
major data protection and privacy requirements of GDPR consist of: requiring subject’s consent
for processing of data, providing notifications of data breach, anonymizing data that is collected
for protecting privacy and safely handling data transfer. It is duty of CISO in overseeing GDPR
compliance. GDPR would mandate several standards for the university for handling data of the
university for better safeguarding processing as well as movement of sensitive data of the
university. Purpose of GDPR is imposing uniform law of data security for every member of the
university. CISO would be involved for ensuring every new offering is compliant to GDPR as
well as secure design from business, technical and legal standpoint. Role of CISO would change
quite little on everyday basis of practice (De Hert et al. 2018). It would be role of GISO to
maintain security practices for protecting sensitive data of the university.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4ISM
Task 2
Summary
This task is about writing Acceptable Use Policy (AUP) for University within lines f the
ISO27000 family. Usage of Bring Your Own Device (BYOD) would be considered as well in the
AUP policy. Integrity, availability and confidentiality issues of information assets would be
considered also.
Acceptance Use Policy
Intentions of the University of Innovation to publish Acceptable Use Policy are not for imposing
restrictions which are contrary to the university’s established culture of integrity, openness and
trust and the university from damaging or illegal actions by the individuals, either unknowingly
or knowingly. Bring Your Own Device (BYOD) Policy would be implemented for legitimate
work purposes for the employees of the university. By applying appropriate security to the
system of the university for preventing any kind of hacking or breach of sensitive data of the
university (Karanja 2017). The policies cover all the requirements, procedures and standards for
development as well as implementation of security measures within the system of the university.
The purpose of the policy is outlining acceptable use of system of the university. The rules are
for protecting the sensitive data of the university as well as its employees. Inappropriate use of
the system of the university exposes the system to the risks, which includes virus attacks, legal
issues or breach of data (Solove and Citron 2017).
Below are several security requirements which might be needed from administration as well as
academic domains:
Academic Domain
Task 2
Summary
This task is about writing Acceptable Use Policy (AUP) for University within lines f the
ISO27000 family. Usage of Bring Your Own Device (BYOD) would be considered as well in the
AUP policy. Integrity, availability and confidentiality issues of information assets would be
considered also.
Acceptance Use Policy
Intentions of the University of Innovation to publish Acceptable Use Policy are not for imposing
restrictions which are contrary to the university’s established culture of integrity, openness and
trust and the university from damaging or illegal actions by the individuals, either unknowingly
or knowingly. Bring Your Own Device (BYOD) Policy would be implemented for legitimate
work purposes for the employees of the university. By applying appropriate security to the
system of the university for preventing any kind of hacking or breach of sensitive data of the
university (Karanja 2017). The policies cover all the requirements, procedures and standards for
development as well as implementation of security measures within the system of the university.
The purpose of the policy is outlining acceptable use of system of the university. The rules are
for protecting the sensitive data of the university as well as its employees. Inappropriate use of
the system of the university exposes the system to the risks, which includes virus attacks, legal
issues or breach of data (Solove and Citron 2017).
Below are several security requirements which might be needed from administration as well as
academic domains:
Academic Domain
5ISM
Electronic mail
Access to federal or state agencies
Access to Internet
Access to instructional programs
Remote access
Access to every department
Administration Domain
Restricted access of student data
Restricted access of financial data
Restricted access of alumni data
Restricted access of admission data
Electronic mail
Restricted access of marketing data
Access to every campus
Access to internet
Access to federal or state agencies
Many requirements like electronic mail and internet access are common, however these might
need different setup requirements for security. After having such security requirements which are
mentioned above, several areas need to be secured (Janakiraman, Lim and Rishika 2018). The
areas should be mentioned in the policy and are as follows:
Physical security
Virus protection
Electronic mail
Access to federal or state agencies
Access to Internet
Access to instructional programs
Remote access
Access to every department
Administration Domain
Restricted access of student data
Restricted access of financial data
Restricted access of alumni data
Restricted access of admission data
Electronic mail
Restricted access of marketing data
Access to every campus
Access to internet
Access to federal or state agencies
Many requirements like electronic mail and internet access are common, however these might
need different setup requirements for security. After having such security requirements which are
mentioned above, several areas need to be secured (Janakiraman, Lim and Rishika 2018). The
areas should be mentioned in the policy and are as follows:
Physical security
Virus protection
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6ISM
Login standards
Auditing
Password standards
Disaster recovery
Training
Contingency planning
Few recommendations are made for better security of the system of the university. The
recommendations are as follows:
Physical security
Workstations must have power protection
Have UPS
Servers must be in locked rooms that has limited access
Ensuring that sufficient backup power is there.
Warning signs of cables as well as pulling of electrical plugs
Wiring closets must be locked.
Maintain the maintenance agreements
Users must utilize the anchoring devices with software or hardware security devices
Ensure that plugs and cables are being protected from the foot traffic
Develop as well as maintain control system of asset which would keep the records of
every networking and computing software and equipment
Maintain logs for every network transaction
Record as well as report every network malfunction.
Login standards
Auditing
Password standards
Disaster recovery
Training
Contingency planning
Few recommendations are made for better security of the system of the university. The
recommendations are as follows:
Physical security
Workstations must have power protection
Have UPS
Servers must be in locked rooms that has limited access
Ensuring that sufficient backup power is there.
Warning signs of cables as well as pulling of electrical plugs
Wiring closets must be locked.
Maintain the maintenance agreements
Users must utilize the anchoring devices with software or hardware security devices
Ensure that plugs and cables are being protected from the foot traffic
Develop as well as maintain control system of asset which would keep the records of
every networking and computing software and equipment
Maintain logs for every network transaction
Record as well as report every network malfunction.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7ISM
Login Standards
All users accessing network must have unique id.
Ensure that user accounts are not guest accounts.
While using guest account, password should protect it.
Allow only 5 unsuccessful attempts of login.
Password standards
Every account should have password.
Passwords must be encrypted.
Password should not be shared.
User as well operating system must only know password.
Password history must not be allowed.
In case user forgets password, temporary password would be provided and account would
be forced in changing password after first login.
Virus protection
The servers must have virus scanning as well as cleaning program.
Virus programs must be regularly updated.
Diskless workstations’ use might be considered.
The user computers as well as workstations might contain virus program also.
Auditing
Software’s every unauthorized copies must be removed.
The audit logs should be reviewed regularly.
Login Standards
All users accessing network must have unique id.
Ensure that user accounts are not guest accounts.
While using guest account, password should protect it.
Allow only 5 unsuccessful attempts of login.
Password standards
Every account should have password.
Passwords must be encrypted.
Password should not be shared.
User as well operating system must only know password.
Password history must not be allowed.
In case user forgets password, temporary password would be provided and account would
be forced in changing password after first login.
Virus protection
The servers must have virus scanning as well as cleaning program.
Virus programs must be regularly updated.
Diskless workstations’ use might be considered.
The user computers as well as workstations might contain virus program also.
Auditing
Software’s every unauthorized copies must be removed.
The audit logs should be reviewed regularly.
8ISM
Breach to network or systems must be investigated.
Auditing software must be periodically run.
Audit procedures must be generalized.
Disaster Recovery
Backups must be automated as well as be nightly performed.
Backups must be teste for ensuring what is needed.
Users must be trained in storing important files over servers.
Maintain accurate and complete backup logs.
Recovery and contingency plan must be tested.
Training
Awareness should be spread among users about security procedures and policies.
Network administrators as well as their backups must be trained properly.
Ensure there is knowledge about logs for network administrators for gathering
information.
Along with standard topics which must be included within security policy, there are other
considerations as well which should be considered:
Remote access
Software security
Responsibilities of network security
Breach to network or systems must be investigated.
Auditing software must be periodically run.
Audit procedures must be generalized.
Disaster Recovery
Backups must be automated as well as be nightly performed.
Backups must be teste for ensuring what is needed.
Users must be trained in storing important files over servers.
Maintain accurate and complete backup logs.
Recovery and contingency plan must be tested.
Training
Awareness should be spread among users about security procedures and policies.
Network administrators as well as their backups must be trained properly.
Ensure there is knowledge about logs for network administrators for gathering
information.
Along with standard topics which must be included within security policy, there are other
considerations as well which should be considered:
Remote access
Software security
Responsibilities of network security
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
9ISM
Intent of the policy is assisting the users of the university for developing security policy for the
university (Cheng, Liu and Yao 2017). The recommendations made in this policy are typical for
environment of the university. These procedures and policies need to be enforced properly.
Cybersecurity incidents’ increasing amount causes negative impact, prompting in
exploring new regulations as well as policies. Having finalized initial implementation stage of
GDPR, the university’s CISO would proceed in dealing with practical challenges that are related
to new requirements. GDPR would act to notify authorities of university about incidents as well
as breaches. Terminology that is used for different situations could vary (Gwebu, Wang and
Wang 2018). Few acts are for incidents and few are for breaches. In order for understanding
which steps are to be taken for ensuring appropriate breach or incident reporting in the
university, this is recommended for taking in consideration following aspects:
Requirements applicable for university: The system might be subject for specific obligations
which depend on several factors.
Classification of event: This is essential in understanding what triggers obligation for reporting
incident such as kinds of information, people and systems which are impacted (Gonscherowski
and Bieker 2018).
Reaction time: It needs in addressing deadline to report several kinds of incidents or breaches.
Reporting: Notification obligation’ scope might be different also. Few acts need reporting to the
authorities (Danger et al. 2017).
Contents: Finally it is about identifying information which would be reported depending on
requirements of the system.
Intent of the policy is assisting the users of the university for developing security policy for the
university (Cheng, Liu and Yao 2017). The recommendations made in this policy are typical for
environment of the university. These procedures and policies need to be enforced properly.
Cybersecurity incidents’ increasing amount causes negative impact, prompting in
exploring new regulations as well as policies. Having finalized initial implementation stage of
GDPR, the university’s CISO would proceed in dealing with practical challenges that are related
to new requirements. GDPR would act to notify authorities of university about incidents as well
as breaches. Terminology that is used for different situations could vary (Gwebu, Wang and
Wang 2018). Few acts are for incidents and few are for breaches. In order for understanding
which steps are to be taken for ensuring appropriate breach or incident reporting in the
university, this is recommended for taking in consideration following aspects:
Requirements applicable for university: The system might be subject for specific obligations
which depend on several factors.
Classification of event: This is essential in understanding what triggers obligation for reporting
incident such as kinds of information, people and systems which are impacted (Gonscherowski
and Bieker 2018).
Reaction time: It needs in addressing deadline to report several kinds of incidents or breaches.
Reporting: Notification obligation’ scope might be different also. Few acts need reporting to the
authorities (Danger et al. 2017).
Contents: Finally it is about identifying information which would be reported depending on
requirements of the system.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
10ISM
For stopping employees using the resources of the university, the acceptance user policy
is required. It would outline every activity which are prohibited for the employees of the
university. The aim of this acceptance user policy is keeping the employees of the university
away from the viruses as well as malwares as this would prevent them to slack off. Temptation is
for setting approach of zero tolerance. The AUP would tell employees of the university how they
are monitored for ensuring the policy is followed. Monitoring activities need to be unobtrusive
and deliberate. Under no such circumstances, should the university use automated or exhaustive
measures like spyware, nor should they use methods which leaves no trace to monitor.
Acceptance user policy would outline the guidance for what strong password might be. Systems
should be implemented also which prompt staff of the university in changing their password in
every few months. IT would have policy which hardens system of the university as well as
detects viruses and spams. One of biggest threats through email is phishing that could be
mitigated. Scam emails look often legitimate enough for bypassing the spam filter. Email
policies would mandate that awareness is taken by the employees of the university.
Task 3
Summary
This task is about preparing infographic which would be distributed to the team as
urgency matter. The infographic would address data breach’s security level for University, plan
for business continuity as well as disaster recovery and measures for containing, recovering as
well as preventing same incidents from taking place in future.
For stopping employees using the resources of the university, the acceptance user policy
is required. It would outline every activity which are prohibited for the employees of the
university. The aim of this acceptance user policy is keeping the employees of the university
away from the viruses as well as malwares as this would prevent them to slack off. Temptation is
for setting approach of zero tolerance. The AUP would tell employees of the university how they
are monitored for ensuring the policy is followed. Monitoring activities need to be unobtrusive
and deliberate. Under no such circumstances, should the university use automated or exhaustive
measures like spyware, nor should they use methods which leaves no trace to monitor.
Acceptance user policy would outline the guidance for what strong password might be. Systems
should be implemented also which prompt staff of the university in changing their password in
every few months. IT would have policy which hardens system of the university as well as
detects viruses and spams. One of biggest threats through email is phishing that could be
mitigated. Scam emails look often legitimate enough for bypassing the spam filter. Email
policies would mandate that awareness is taken by the employees of the university.
Task 3
Summary
This task is about preparing infographic which would be distributed to the team as
urgency matter. The infographic would address data breach’s security level for University, plan
for business continuity as well as disaster recovery and measures for containing, recovering as
well as preventing same incidents from taking place in future.
11ISM
Infographics
Infographics
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 17
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
Copyright © 2020–2025 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.