Running head: INFORMATION SECURITY AND RISK MANAGEMENT
CSS450: Information Security and Risk Management
Raleigh Boots
22 May, 2018
Table of Contents
Guidelines for Effective Information Security Management System
Data Governance
Network Security
Asset Security Management
Complying with Security Regulations
Introduction to Data Governance
Background
Data Governance
Importance of Data Classification and Its Application
Integration of Information Security and Risk Management into Security Program
References
Guidelines for Effective Information Security Management System
Corporate bodies must put in place proper information security management policies. Such
policies spare management the disruption caused by loss or misplacement of documents. The
policies and procedures are meant to guide employees and employers in meeting the legal
provisions that apply to information security management.
The Information Security Act sets out security standards for both individuals and
corporations. The Act was drafted and enacted to protect people and companies from
exploitation by unscrupulous dealers. In a world where information is key, a clear legal
arrangement is essential. A central step in safeguarding information is to ensure its
confidentiality, alongside its integrity and availability.
NIST's Information Technology Laboratory sets standards that stakeholders must meet. It
develops tests, test methods, reference data, proof-of-concept implementations and technical
analyses to assist in the development and use of effective technology.
Standard guidelines normally result from thorough consultation among the relevant agencies,
and the relationship between security standards and guidelines is established through
collaboration between the private and public sectors.
Risk management must take due account of the risk to which the U.S. is exposed with respect
to sensitive state information. Private users of cyberspace must therefore follow proper
guidance, so that they avoid acts that may put the country's security information at risk
(Chenoweth, 2005).
Data Governance
Data governance refers to the overall usability, availability, integrity and security of the
data in a company. For a data governance arrangement to be complete, a governance council is
needed. The council draws up the rules and the procedures for implementing them.
In the current technological dispensation, information security management is taking over
from IT as the owner of the problem. In previous years most attention was paid to IT, and the
implementation of information security was left to IT experts and technicians. The problem
with that approach was that it left a large gap in governance procedures. Over time, however,
security management standards have been transformed and have seen massive improvement.
Current data governance mostly relies on the ISO standards (notably ISO/IEC 27001), which
have been adopted by many organizations all over the world (Humphreys, 2008).
Data governance is a vital component of the information risk management process. Social
media platforms have in many instances induced people to share their personal details, which
are then converted into useful data. Such data are used by both corporate bodies and state
agencies to further various agendas. Unfortunately, the conversation on data governance has
often been swept under the carpet by the parties that benefit unfairly from this practice. To
remedy the situation, social media platforms should be monitored for the manner in which they
handle people's personal details. The law must strike a delicate balance between the
individual's right to privacy and state security; neither should be pursued at the expense of
the other. Such legal clarity will help in exposing cyber criminals.
Network Security
Network security is designed to protect the integrity and usability of the network and the
data it carries. It makes use of both software and hardware technologies. When security is
adequate, the network remains accessible to legitimate users. The security system singles out
different kinds of threats and stops them from reaching the network (Cohen, 1997).
Network security plays a pivotal role in the information security risk management system.
Once malware gains access to an individual's systems, there is a great risk of vital documents
and details being destroyed or corrupted. The loss of information can result in serious
financial losses where sensitive financial records are involved. Furthermore, reconstructing
the lost information and documents costs additional resources in time and labor. Network
security works through a combination of defenses at the endpoints and across the network in
general (Cohen, 1997).
Asset Security Management
There will always be a need to mitigate IT security risks, and security threats are dreaded by
organizations all over the world. Several approaches can be taken in security asset
management. These are:
Use of inventory: An inventory can be used to identify unauthorized software. Inventory
software must be deployed in all segments of the business. When the inventory is reviewed on a
regular basis, workers are prevented from using prohibited software, because unauthorized
software can always be identified and removed.
Avoiding risky applications: Such applications may carry malware that proves highly
destructive in the long run. Malicious software can be kept out by controlling what is
deployed, and applications can be deployed behind a firewall. In the long run the organization
gains effective control over the information management process.
Promoting rationalization and standardization: This entails retiring dormant and outdated
software. Such software is rarely patched and can become an entry point for malware.
Complying with Security Regulations
As noted above, current data governance mostly relies on the ISO standards adopted by
organizations all over the world, and the Information Security Act sets security standards
for both individuals and corporations to protect them from exploitation by unscrupulous
dealers. In a world where information is key, a clear legal arrangement is needed. The data
governance council assists in complying with the security regulations (Kelley, 2009).
Introduction to Data Governance
Every company, no matter how small or large, needs a plan that ensures its information assets
are secured. This makes it necessary to establish an information security and risk management
team that manages and controls all of the company's information assets. A security and risk
management program provides a framework for protecting a company's data assets, projects the
risks to which the company exposes itself by failing to protect its data, and outlines the
policies for handling such risks when they materialize.
Background
Information Security Risk Management (ISRM) is a main concern for every organization around
the world. Although the number of existing ISRM strategies is immense, companies continue to
invest heavily in new ISRM techniques with the sole objective of accurately capturing all the
possible dangers to their intricate data frameworks. The process remains a critical,
knowledge-intensive one for all companies. In most cases, however, it is addressed in an ad
hoc way. A methodical approach to developing new or enhanced ISRM strategies and techniques
would improve the effectiveness of the process (Kao & Lee, 2014).
In any organization, the loss of crucial information may cause damage. Information security
and risk management programs secure the documents that hold the guidelines and procedures
governing the organization's operations. Failure to establish a practical plan to guarantee
the safety of a company's information exposes it to risk. For instance, the Information
Security Act states the security standards for individuals as well as corporations; this
policy protects the information of individuals and organizations from malicious and
unauthorized dealers.
Data Governance
This refers to the availability, usability, validity and safety of a company's data. With
greatly advanced technology, most organizations' data management teams have turned to
information technology to secure their information (Daily et al., 2013). However, as a result
of cybercrimes such as phishing, there is a need to develop effective countermeasures,
including cybercrime laws that govern the accessing and sharing of personal and organizational
data.
Importance of Data Classification and Its Application
The main goal of classifying data is to ensure that each item is handled and protected
according to its sensitivity, and to make retrieval easy and efficient. Information labeling
supports the safety of information: each item is tagged with a defined level such as
restricted, confidential, internal use only or public, and the handling rules follow from the
tag. Information classification is useful in healthcare facilities to ensure the
confidentiality of patients' information and thus their privacy.
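The four labels named above only protect anything when a system enforces handling rules from them. The following is an added example, not code from the paper: it orders the labels, gives each destination a ceiling, applies a high-water-mark rule when a record mixes fields of different sensitivity, and fails closed on unknown labels or destinations. The destination names and their ceilings are a constructed policy.

```python
"""Enforce handling rules from data-classification labels.

Added example. The labels are the four named in the text; the destination
ceilings and sample records are constructed assumptions.
"""
from enum import IntEnum


class Label(IntEnum):
    """Ordered so that a higher value means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1        # "internal use only"
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Highest label each destination is cleared to receive (constructed policy).
DESTINATION_CEILING = {
    "public-website": Label.PUBLIC,
    "company-intranet": Label.INTERNAL,
    "clinical-records-db": Label.CONFIDENTIAL,
    "encrypted-archive": Label.RESTRICTED,
}


def parse_label(tag: str) -> Label:
    """Map a free-text tag such as 'Internal use only' to a Label.

    Unknown tags raise rather than silently defaulting to PUBLIC.
    """
    key = tag.strip().upper().replace(" ", "_")
    if key == "INTERNAL_USE_ONLY":
        key = "INTERNAL"
    try:
        return Label[key]
    except KeyError:
        raise ValueError(f"unknown classification label: {tag!r}")


def aggregate_label(labels) -> Label:
    """A record combining several fields takes the highest label among them
    (high-water mark); an empty record is PUBLIC."""
    return max(labels, default=Label.PUBLIC)


def can_release(label: Label, destination: str) -> bool:
    """Data may flow only to a destination cleared at or above its label.
    Unknown destinations are refused (fail closed)."""
    ceiling = DESTINATION_CEILING.get(destination)
    if ceiling is None:
        return False
    return label <= ceiling


def check_transfer(record: dict, destination: str) -> bool:
    """Decide whether a tagged record may be sent to a destination."""
    label = aggregate_label(parse_label(t) for t in record["tags"])
    return can_release(label, destination)


# Constructed sample records: a patient summary whose fields carry mixed
# tags, and a press release that is entirely public.
PATIENT_SUMMARY = {"id": "rec-1", "tags": ["Public", "Confidential"]}
PRESS_RELEASE = {"id": "rec-2", "tags": ["public"]}

if __name__ == "__main__":
    for rec in (PATIENT_SUMMARY, PRESS_RELEASE):
        for dest in DESTINATION_CEILING:
            print(rec["id"], "->", dest, check_transfer(rec, dest))
```

The high-water-mark rule is what makes the patient summary confidential as a whole even though one of its fields is public; a per-field check would let the record leak to the intranet.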
Integration of Information Security and Risk Management into Security Program
Information security, though often seen as a set of technical issues, must be embraced as a
corporate governance responsibility that includes risk management, reporting controls, testing
and training, and executive accountability (Schwalbe, 2015). It requires the active
commitment of all managers and of the board. Moreover, the Corporate Governance Task Force of
the National Cyber Security Partnership was formed to improve information security governance.
Its report provides governance policies and controls, including the identification of cyber
security roles and duties across the management structure, the establishment of risk
management, and quality assurance for information users.
References
Chenoweth, J. (2005). Information security policies, procedures, and standards: Guidelines for
effective information security management. Journal of Information Privacy and Security, 1(1),
43-44.
Humphreys, E. (2008). Information security management standards: Compliance, governance and
risk management. Information Security Technical Report, 13(4), 247-255.
Cohen, F. (1997). Managing network security, Part 5: Risk management or risk analysis. Network
Security, 1997(4), 15-19.
Kelley, B. (2009). Small concerns: Nanotech regulations and risk management. SPIE Newsroom.
Daily, C. M., Dalton, D. R., & Cannella Jr, A. A. (2013). Corporate governance: Decades of
dialogue and data. Academy of Management Review, 28(3), 371-382.
Kao, M. C., & Lee, Y. W. (2014). U.S. Patent No. 8,694,772. Washington, DC: U.S. Patent and
Trademark Office.
Schwalbe, K. (2015). Information technology project management. Cengage Learning.