Central Texas College Information Assurance and Risk Management Research Paper

User Generated

GUBE1234

Business Finance

Description

#It's a closed company; we need to give a security assessment for it based on our assumptions.

# Word count (3,900-4,200) excluding title page, table of contents, references, appendices.

*Introduction

-> The nature of the brief/commission and the topic should be briefly outlined and defined alongside details of how the paper is organised.

*Abstract

*Main body

1) Critical discussion of the scope for risk management in an organisational context

2). Implement a set of policies and procedures for research & development for Cerious Cybernetics Corp company.

-> use ISMS policies

-> Identification and evaluation of the principles and concepts of information assurance and risk management.

3). Sample service improvement plan (SIP) pertaining to the scenario given (needs to be on ransomware).

4).Risk management

- assessing risk

- current risks, vulnerabilities, threats, hazards

- risk management in action

- Assurance and certification

- Future Risk and Assurance Challenges

5).How to mitigate ransomware attack in IT company

-> which ISMS controls are to be implemented for ransomware in Cybernetics Corp company to prevent it from cyber attacks

-> Use ISO standards and their quality measures

*Summary

*Acronyms and abbreviations

*References (use Harvard referencing style)

*Resources

*Appendix

Note: please make sure you use ISO, ISMS, IG (Information Governance).

The ISO standards need to be more specific: we need to tell what types of standards there are, and out of those we need to suggest some standards and explain why we suggest those standards.

1. First we need to talk about the available standards; after that we need to specify why we choose some particular standards out of those.

2. In risk management we have to talk about things like risk assessment, risk assessment methodology, risk treatment plan, statement of applicability, risk identification.


Explanation & Answer

Attached.

Running head: SECURITY ASSESSMENT

1

Security Assessment of Cerious Cybernetics Company

Author’s Name
Institutional Affiliation
Course Name and Number
Professor’s Name
Assignment Due Date


Table of Contents
Abstract
Mitigating Ransomware Attack in IT Company
a) Educating the Company/Organizational Employees
b) Adopting Smart Patch Management
c) Effective Management of Privileged Accounts
d) Do Not Enable Macros from Email Attachments
e) Use Application Whitelisting
f) Regular Data Backup
Summary
References

Abstract
The document is about the Cerious Cybernetics Company. The organization is a research and development company. It emphasizes various ways through which organizations can enhance good security within their machines and systems. For example, it clarifies different scopes for risk management in an organizational context. Additionally, it also elaborates more on the necessary policies and procedures that should be developed by an organization. Multiple principles and concepts of information assurance and risk management are also stated. Based on the document, in mitigating ransomware attacks within the organization, Cerious Cybernetics should take appropriate steps that involve the training of its employees, effective management of privileged accounts, adopting smart patch management, and preventing macros from email attachments. Some of the necessary practical measures that can be employed in developing a cybersecurity system include analyzing the technologies that are used in the organization, analyzing all the deficiencies that are introduced by employees and the procedures, doing all the analysis on the history of cyberattacks, constant training on cybersecurity, and lastly maintaining cyber risk management activities. The company should also use ISMS policies to ensure their information is protected. Finally, it also emphasizes the right ISMS controls to be implemented for ransomware in Cybernetics Company to ensure effective prevention from cyber attacks.

Mitigating Ransomware Attack in IT Company
Ransomware is a threat that organizations and IT consultants should treat with a lot of precaution. It involves downloading malware onto the host device. It is a form of software that can run and, at the same time, can also cause harm to the system in various ways. There are different necessary steps that organizational IT consultants can take to prevent the company system from ransomware attack (Manjezi and Botha, 2018, pg. 149). Some of the possible effects of malware include deleting or even stealing the stored data.
Additionally, it can also lock or unlock the device without the knowledge of the official user. It can also use the method in staging an attack on other users. It might also introduce certain services that might require a financial cost. Ransomware always requests payment. It is therefore advisable for the organizational IT consultant to put various appropriate measures in place through the use of ISO standards to ensure the risk is appropriately controlled or avoided. Based on the National Crime Agency recommendations, individuals should not pay the ransom always requested by the ransomware when it locks the system. This is because there is no guarantee that the order will be unlocked once the sum is paid. It is therefore appropriate for organizations to adopt the following six measures in preventing ransomware attack:
a) Educating the Company/Organizational Employees
The organization management should ensure it educates all its employees to make them aware of ransomware and the kind of role that they should play in preventing it. For example, through training, the employees should be warned against opening links or attachments in emails whose original senders they are not aware of (Manjezi and Botha, 2018, pg. 151). They should also be informed of the right action to take once they suspect they have fallen victim to a ransomware attack. This will assist the organization in dealing with the issue at an early stage before it causes more harm.
b) Adopting Smart Patch Management
The organization, Cerious Cybernetics, should develop a centralized patch management system. This move will assist in preventing its machines or methods across the entire organization from attack by addressing vulnerabilities as soon as the patch becomes available (Gibson and Banik, 2017, pg. 121). The organization, Cerious Cybernetics, in this case, should be able to move beyond simple compliance to ensure it effectively addresses the issue of vulnerabilities among the entire organizational system being exploited. This system is a way of shielding the whole of the corporate machine or network. It can be made more effective if every employee or machine user ensures that all the software within the device is fully updated and maintained at different intervals or frequently.
c) Effective Management of Privileged Accounts
The organization should ensure the effective management of various privileged accounts. When assigning privileged accounts to the employees, the organization should ensure they are only assigned administrative access. Cerious Cybernetics should apply the principle of least privilege to all its employees (Gibson and Banik, 2017, pg. 123). This move is useful since it will assist the organization in limiting the chances of its machines being attacked by ransomware. This action is also significant since it differentiates between initiating ransomware attacks and mitigating the impact. The organization should also adopt the habit of removing local administrative rights since they can pave the way for comfortable shooting. This move will prevent ransomware from affecting the local system. Local administrative rights are fundamental since they play the role of being a significant component in the case of a ransomware attack.
d) Do Not Enable Macros from Email Attachments
Macros are vital codes in an email that intertwine with information with the sole purpose of reaching the recipient. For example, the first name of the contact, also known as a macro, is replaced by the first name of the recipient. If an attachment is opened and macros are enabled, the malware in the machine will then be executed by the embedded code. Companies or organizations should block messages from suspicious sources, especially those with attachments. The emails should always be filtered to ensure that the organization is free from suspicious emails that pose severe risks like a ransomware attack. With the reduction in the number of employees who get harmful software or spam emails from unknown sources, the company's chances of getting attacked are very minimal.


e) Use Application Whitelisting
Application whitelisting controls and limits the programs that run on the computer. One of the best strategies to prevent malicious software is through psychotic call.
f) Regular Data Backup
Data backup is one of the essential techniques to keep vital information for future reference. Data backup reduces the chance of losing data and, simultaneously, improves the process of information recovery (Corrigan, 2017). There is no known better way to store data than backing it up and periodically verifying the whole system. It is prudent that the backups are stored on separate networks to minimize the risk of complete data loss. These three methods are some of the best ways to reduce the risk of ransomware attacks.
Apart from applying the necessary actions through ISO standards in controlling or preventing ransomware, the organization should also take the following steps in enhancing its effectiveness and also improving its plan.
Incident Management: The organization should take necessary steps in managing the incident by following the checklists. Additionally, they should involve effective communication between individuals and also conduct checkpoint meetings (Carcary et al., 2016, pg. 22).
Post Incident: The organization should also take necessary steps in maintaining and updating the incident checklist frequently and applying the knowledge gained from relevant training on various preventive measures to ensure they have sufficient control processes.
Summary
Cerious Cybernetics Company is a research and development company with its headquarters in London, England. The company came up with an appropriate way or guidance through which organizational information can be protected, and this is through the white paper. The research document has also elaborated on various practical means of developing a cybersecurity system; they include analyzing the technologies that are used in the organization, analyzing all the deficiencies that are introduced by employees and the procedures, doing all the analysis on the history of cyberattacks, constant training on cybersecurity, and lastly maintaining cyber risk management activities. The company should also use ISMS policies to ensure their information is protected. These are the Information Security Management System, which consists of rules and regulations which systematically help manage a company or organization’s crucial information. Risk management is also useful, and it involves identifying, assessing, and handling risks by making sure that it complies with attributes such as confidentiality, integrity, and availability of a firm’s assets. In mitigating ransomware attacks within the organization, Cerious Cybernetics should take relevant steps that involve the training of its employees, effective management of privileged accounts, adopting smart patch management, and preventing macros from email attachments.


References
Carcary, M., Renaud, K., McLaughlin, S. and O'Brien, C., 2016. A framework for information security governance and management. IT Professional, 18(2), pp. 22-30.
Corrigan, K., 2017. Ransomware: a growing epidemic for business. Doctoral dissertation, Utica College.
Gibson, C.P. and Banik, S.M., 2017, December. Analyzing the effect of ransomware attacks on different industries. In 2017 International Conference on Computational Science and Computational Intelligence (CSCI) (pp. 121-126). IEEE.
Manjezi, Z. and Botha, R.A., 2018, August. Preventing and mitigating ransomware. In International Information Security Conference (pp. 149-162). Springer, Cham.

Attached.

Running head: INFORMATION ASSURANCE AND RISK MANAGEMENT

Information Assurance and Risk Management

Author’s Name
Institutional Affiliation
Course Name and Number
Professor’s Name
Assignment Due Date


Table of Contents
Abstract ... 4
Introduction ... 5
Necessary Steps in Developing Cyber Security ... 5
  Technologies That Are Used in the Organisation ... 5
  Deficiencies That Are Introduced by Employees and the Procedures ... 5
  History of Cyber Attacks ... 6
  Constant Training on Cybersecurity ... 6
  Maintaining Cyber Risk Management Activities ... 6
Procedures and Policies for Research and Development for the Company ... 7
Principles and Concepts of Information Assurance and Risk Management ... 8
Sample Service Improvement Plan (SIP) (Ransomware) ... 9
Curbing the Situation Using People ... 11
Process Control ... 12
Technological Control ... 12
Future Risk and Assurance Challenges ... 13
Risk Management ... 14
Current Risks, Vulnerabilities, Threats, Hazards ... 16
Risk Management in Action ... 17
Assurance and Certification ... 17
Future Risk and Assurance Challenges ... 17
Mitigating Ransomware Attack in IT Company ... 17
  a) Educating the Company/Organizational Employees ... 18
  b) Adopting Smart Patch Management ... 18
  c) Effective Management of Privileged Accounts ... 18
  d) Do Not Enable Macros from Email Attachments ... 19
  e) Use Application Whitelisting ... 20
  f) Regular Data Backup ... 20
Summary ... 21
References ... 22


Abstract
The document is about the Cerious Cybernetics Company. The organization is a research and development company. It emphasizes various ways through which organizations can enhance good security within their machines and systems. For example, it clarifies different scopes for risk management in an organizational context. Additionally, it also elaborates more on the necessary policies and procedures that should be developed by an organization. Multiple principles and concepts of information assurance and risk management are also stated. Based on the document, in mitigating ransomware attacks within the organization, Cerious Cybernetics should take appropriate steps that involve the training of its employees, effective management of privileged accounts, adopting smart patch management, and preventing macros from email attachments. Some of the necessary practical measures that can be employed in developing a cybersecurity system include analyzing the technologies that are used in the organization, analyzing all the deficiencies that are introduced by employees and the procedures, doing all the analysis on the history of cyberattacks, constant training on cybersecurity, and lastly maintaining cyber risk management activities. The company should also use ISMS policies to ensure their information is protected. Finally, it also emphasizes the right ISMS controls to be implemented for ransomware in Cybernetics Company to ensure effective prevention from cyber attacks.


Information Assurance and Risk Management
Introduction
Cerious Cybernetics Company is a research and development company, and it has its headquarters in London, England. This company has come to fame by assuring that its information is comprehensive. The company has over sixty people who work as full-time workers; in addition, the company also has more than twenty people to act in case of an emergency. The headquarters of the Cerious Cybernetics Corporation has various departments like finance, information technology and human resources, among other departments that play an integral part in the provision of services. The corporation has several contracts in research and development that are going on, and this includes the ministry of the United Kingdom and the defence department in the United States of America. The company has done more than enough research and has concluded that at the moment and for the next five years, the corporation requires a white paper that will give guidance and inform the corporation.
Necessary Steps in Developing Cyber Security
a. Technologies That Are Used in the Organisation
Before getting rid of all the defects in the organization, the critical aspect in this field is not what the organization has installed at the moment. The essential element is the manufacturers and technologies that are present in the different software applications, operating systems and other software, among others; the deficiencies need to be identified, and it must be ensured that they are eliminated.
b. Deficiencies That Are Introduced by Employees and the Procedures
The critical aspect of cyber risk management is to ensure that the processes and procedures that are used get rid of the deficiencies that might be observed in due process. This can be done by ensuring that the employees do not come to work with their gadgets and use them in the office; the organization can also avoid the deficiencies by ensuring that the personnel hired are well equipped technologically. The organization can also ensure that it gives its employees enough training, mainly annually, and also provides enough reading materials on cybersecurity. The employees should not knowingly bring a virus to the organization, and they should also ensure that they do not allow other people from outside to introduce the organization to viruses unawares. Some of the processes, when kept in the official documentation, may not be secure while others may be secure, but it is recommended that they should be kept unofficially.
c. History of Cyber Attacks
Analysing the history of the cyber-attacks that occurred previously provides the ground on which to protect the corporation or organization; you need to examine the possible ways that can enable hackers to hack the organization. If your organization has gone through various failures at the hands of hackers, then those failures will have provided the vulnerabilities through which the organization might go (Voeller, 2014).
d. Constant Training on Cybersecurity
In any organization, every employee has the capability of introducing viruses to the network of the organization. For there to be enough cybersecurity management, there is a need to train employees continually. It is essential to be told about the common mistakes that may expose the organization to threats from outside the organization.
e. Maintaining Cyber Risk Management Activities
Maintaining the security of the network of your organization is something that the organization needs to be vigilant about; the organization needs to plan activities that enable it to protect the organization from the threats of hackers.
Set of Procedures and Policies for Research and Development for Cerious Cybernetics Corp Company
ISMS Policies Used in Cerious Cybernetics Company
ISMS refers to the Information Security Management System, which consists of rules and regulations which systematically help in managing a company or organization’s crucial information. The main agenda of ISMS is to reduce risk and ensure business continuity in most organizations by ensuring that information security breaches are highly minimized (Camillo, 2017, pg. 196). ISMS specifications mostly focus on addressing issues regarding employees, such as how they behave and also the processes that help in facilitating their behaviour. In addition to these, ISMS also considers the type of data and technology being used by the organization implementing it. Most of the time, ISMS has been used in targeting either clients’ data and information or being used wholly in the organization, and later on it becomes a culture of that organization.

ISMS Policies
- The organization should ensure that continual development is highly promoted.
- The organization should make sure that enough support is entirely given to the personnel present to positively impact the organization’s information security management system, hence maximizing profit.
- The research done by the organization’s individuals should make sure that it helps the available information security management system to achieve its goals.
- Communication regarding the intrinsic part of an effective communication system should be highly encouraged, hence ensuring that it highly conforms to the information security management requirements.
- The organization should ensure that its information management system is well integrated to meet the system security requirements of the organization.
- The organization should make sure that all vital resources needed by the organization's information security management systems are readily available.

Identification and Evaluation of the Principles and Concepts of Information Assurance and Risk Management
Information assurance refers to the steps needed in protecting system security information by ensuring that the system is always available, integral, confidential, and also authenticated. On the other hand, risk management refers to identifying potential risks that may arise in the future, hence identifying proper ways of mitigating them (Camillo, 2017, pg. 197).

Procedures and Policies
- Information security systems should be highly organized and maintained in their working places.
- Risk analysts should identify the risks which may arise in the organization as early as possible so that their mitigation is as well noticed.
- The organization should work according to its goal to make sure that it achieves what is highly needed.
- Computer viruses such as ransomware should be prevented as early as possible.
- The company should employ a highly competent information assurance team to help guide in providing information regarding information security systems before they get damaged.

Sample Service Improvement Plan (SIP) (Ransomware)
Ransomware is made of a program called ransom and a dangerous plan that prevents the victim from accessing the files that belong to him or her, hence requesting payment in return to exchange the data to be obtained. The ransomware threat, in most cases, operates like a kidnapper: accept the conditions in which the assets are found held captive with the files required. These files that in most cases are found held up include multimedia files, office files, or system files that most computers depend on while executing their duties. Ransomware is among the most hazardous and malicious software that is highly automated; once it affects people’s computers, it then makes itself visible to the computer users. The ransomware program carries out its duty on a command and control m...
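The answer above recommends, under f) Regular Data Backup and the Post Incident step, keeping backups on a separate network and periodically verifying the whole system. The following Python script is an added example, not part of the posted answer and not code from Cerious Cybernetics: it builds a SHA-256 manifest of a backup tree, later re-checks the tree against that manifest, and flags a run in which a large share of tracked files changed or vanished, which is the pattern a mass-encryption event leaves behind. The sample files, the `demo()` scenario and the 30% change threshold are constructed assumptions.

```python
"""Backup integrity check against a stored hash manifest (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption: a verification run in which more than 30% of the tracked files
# changed or disappeared is treated as a possible mass-encryption event.
MASS_CHANGE_THRESHOLD = 0.30


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, manifest_path):
    """Persist the manifest as JSON; in practice this copy lives on the separate backup network."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    """Read a manifest written by save_manifest()."""
    return json.loads(Path(manifest_path).read_text())


def verify_manifest(root, manifest):
    """Compare the current tree with the stored manifest.

    Returns the changed / missing / new file lists, the share of tracked files
    that changed or vanished, and two verdict flags.
    """
    current = build_manifest(root)
    changed = sorted(k for k, v in manifest.items() if k in current and current[k] != v)
    missing = sorted(k for k in manifest if k not in current)
    new = sorted(k for k in current if k not in manifest)
    tracked = len(manifest)
    ratio = (len(changed) + len(missing)) / tracked if tracked else 0.0
    return {
        "changed": changed,
        "missing": missing,
        "new": new,
        "change_ratio": ratio,
        "intact": not changed and not missing,
        "mass_change_suspected": ratio > MASS_CHANGE_THRESHOLD,
    }


def demo():
    """Constructed scenario: one clean verification, then a simulated encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "finance").mkdir(parents=True)
        # Constructed sample backup content (hypothetical file names).
        (root / "finance" / "ledger.xlsx").write_bytes(b"Q1 ledger data")
        (root / "finance" / "payroll.csv").write_bytes(b"name,amount\nalice,100\n")
        (root / "readme.txt").write_bytes(b"research notes")

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)
        clean = verify_manifest(root, load_manifest(manifest_path))

        # Simulate what ransomware leaves behind: one file overwritten with
        # random bytes, another overwritten and renamed with a new extension.
        (root / "finance" / "ledger.xlsx").write_bytes(os.urandom(32))
        locked = root / "finance" / "payroll.csv.locked"
        (root / "finance" / "payroll.csv").rename(locked)
        locked.write_bytes(os.urandom(32))
        after = verify_manifest(root, load_manifest(manifest_path))
    return clean, after


if __name__ == "__main__":
    before, after = demo()
    print("clean run intact:", before["intact"])
    print("after simulated attack:", json.dumps(after, indent=2))
```

Running `build_manifest` and `save_manifest` once after each backup job records the known-good state; re-running `verify_manifest` against the copy of the manifest kept on the separate backup network catches both silent corruption of individual files and the sudden wave of changed or renamed files that follows encryption, which is the point at which the Incident Management checklist the answer describes would be invoked.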

