CISO Memo Report: Security Risks at University of Hertfordshire

Added on 2020/04/29
Date:
From: INSERT NAME
Chief Information Security Officer
University of Hertfordshire
To: IS Authorizing Official
School of Computer Science
University of Hertfordshire
Subject: CISO Memo (INSERT System Name)
Finding and Summary:
This memo reports on the identification and analysis of the risks associated with the existing security policies and set-up at the University of Hertfordshire. The analysis of the existing system found several security risks that cannot be addressed while the present security policies remain in place. These policies must be modified, and several new measures must be introduced, to address all of the identified risks.
Risk Statement:
Information-system risks are generally of two types: external and internal. External risks cannot be fully controlled; the organization can only reinforce its information-system security to resist them for as long as possible. Internal risks, by contrast, can be controlled by the organization through rules and guidelines, and by taking suitable steps to ensure that no individual involved with the organization breaks the security policies. In this case, several internal risks have been found that arise from insufficient security policies within the organization. Internal activities such as BYOD (bring your own device), accessing unverified websites through the organization's network, and opening spam emails on university systems are the main sources of the identified system security risks.
Impact Statement:
The risks described above will have a significant impact on the organization if they are not addressed immediately. To reduce operational costs, the university allows students to use their own laptops during computer practical classes. As a result, malware on a student's device can spread to the university's servers once that device joins the university network. Similarly, visiting spam websites and following malicious links can introduce malicious files into the system. Such malware can steal information from the server and can also destroy the data stored in the database.
Risk Level:
Low:_________ Moderate:_________ High:__Yes_______
Justification for Noncompliance or Deviation:
So far, the controls have not been implemented for several reasons. If BYOD is scrapped, the university would incur excess costs to provide a system for every student. Moreover, spam websites cannot be blocked entirely, since many of them impersonate the domains of legitimate, verified sites.
Compensating Controls:
The university can consider scheduling practical classes in alternating groups so that BYOD can be scrapped and students work only on university-provided systems. For instance, if there are 90 students, alternating classes of 30 students at a time would let the university provide 30 laptops instead of 90. In addition, firewalls can be implemented to give the systems resistance against malicious files and viruses. Restricting internet access at the server will also help prevent students from reaching spam and unverified websites.
Statement of Residual Risk:
Even with sufficient controls in place, some residual risk remains. Spam websites cannot be blocked entirely, and some of them can compromise verified sites, so malicious content can still reach the system even when a user visits a verified website.
Risk Response Request:
As discussed under the previous headings, the identified risks are extremely serious and must be addressed immediately. All the risks discussed are internal, and hence they can be controlled and minimized. The university's policies on BYOD and open internet access are evidently the root causes of the risks discussed, and these policies must be modified in order to protect the overall information system. Furthermore, the university should actively raise awareness among students about the proper use of university systems and about accessing unverified websites while browsing the internet. Finally, the university should recruit system security experts to strengthen security, using firewalls and antivirus software, on the systems connected to the university's central server.
System/Business Owner Date_________________________________
Approval and Conditions:
I hereby acknowledge that I have reviewed the aforementioned request for a Risk Acceptance decision,
and certify that:
Yes. I understand and accept responsibility for the outstanding risk related to the deployment and
use of this application or service for the requested scope and timeframe. <Reason for Acceptance: I
find the compensating controls are adequate, or the risk to the organization’s mission is acceptable;
therefore, additional controls need not be applied.>
Yes, for a temporary period while controls are improved. I accept responsibility for the
outstanding risks related to the deployment/use of this application or service; however, I find the current
level of control inadequate. The following controls must be implemented by <date>:
Scrap BYOD
Implement Firewalls
Implement Restricted Access in the Internet
No. I find the residual risk greater than the potential business benefit. This risk acceptance
request is denied. The System Owner is to provide an action plan to mitigate this risk no later than
<Provide date>
_____________________________________
Authorizing Official or Authorizing Official Designated Representative Date
Signature
_____________________________________
IC ISSO or Risk Functional Manager Date
(As applicable)
Acceptance by the UH Chief Information Officer (CIO) is needed for a risk that is categorized as a
HIGH risk OR a risk that is associated with a UH Enterprise System.
No, this risk acceptance does not require concurrence by the UH CIO.
Yes, this risk acceptance requires concurrence by the UH CIO.
Yes, I/we approve this Risk Acceptance
No, I/we do not approve this Risk Acceptance. See attached decision document.
_____________________________________
UH Chief Information Security Officer Date
_____________________________________
UH Chief Information Officer Date