Running head: INFORMATION SECURITY AND RISK MANAGEMENT
CSS450: Information Security and Risk Management
Raleigh Boots
13 June, 2018
Table of Contents
Guidelines for Effective Information Security Management System
Data Governance
Network Security
Asset Security Management
Complying with Security Regulations
Introduction to Data Governance
Background
Data Governance
Importance of Data Classification and Its Application
Integration of Information Security and Risk Management into Security Program
References
Guidelines for Effective Information Security Management System
Corporate bodies must put in place proper information security management policies. This helps management stay safe from the unnecessary inconvenience caused by the loss and misplacement of documents. The policies and procedures are meant to guide employees and employers on how to meet the legal provisions regarding information security management.
The Information Security Act sets out security standards for both individuals and corporations. The Act was drafted and enacted to protect people and companies from unfair exploitation by unscrupulous dealers. In a world where information is key, it is important to have a clear legal arrangement. The most important step in safeguarding information is to ensure a high level of confidentiality.
The Information Technology Laboratory sets standards which must be met by the stakeholders. The institution develops tests, test methods, reference data, proof-of-concept implementations and analyses to assist in the development and use of effective technology.
The standard guidelines are normally the result of thorough consultation among the relevant agencies. The relationship between the security standards and the guidelines is the result of collaboration between the private and the public sectors.
The risk management process must give due consideration to the risk to which the U.S. is exposed in terms of the security of delicate and sensitive state information. Therefore, private users of cyberspace must subject themselves to proper guidance. This will help them avoid acts that may put the country's security information at risk (Chenoweth, 2005).
Introduction to Data Governance
Data governance refers to the overall usability, availability, integrity and security of the data in a company. For a data governance arrangement to be complete, there is always a need for a governance council. The council helps in drawing up the rules and the procedures for implementing them.
In the current technological dispensation, management of information security is taking over the place of IT. In previous years, most of the attention was paid to IT. The implementation of information security was left to the IT experts and technicians. The problem with such an approach was that it left large gaps in the governance procedures. However, over time, the security management standards have been transformed and have witnessed massive improvements. Current data governance mainly uses the ISO standards. Such standards have been used by many organizations all over the world (Humphreys, 2008).
Data governance is a very vital component of the information risk management process. Social media platforms have in many instances tricked people into sharing their personal details. Such details are often converted into useful data. The data are used by both corporate bodies and state agencies to further various agendas. Unfortunately, the conversation on data governance has always been swept under the carpet by those parties that unfairly benefit from the unscrupulous act. To remedy the situation, it is important that social media platforms be monitored on the manner in which they handle people's personal details. The law must strike the delicate balance between an individual's right to privacy and state security. Neither concept should be pursued at the expense of the other. Such legal clarity will help in exposing cyber criminals.
Network Security
Network security is designed to protect the integrity and usability of the network and its data. Network security makes use of both software and hardware technologies. Once adequate security is in place, the network can be used freely. The security system singles out different kinds of threats and consequently stops them from reaching the network (Cohen, 1997).
Network security plays a very pivotal role in the information security risk management system. The moment unwanted viruses end up accessing an individual's cyberspace, there is a great risk of vital documents and details being eaten away. The loss of information can result in serious financial losses should it involve delicate financial records. Furthermore, the work required to produce a new set of information and documents will obviously involve more resources, in terms of time and labor. Network security works through a combination of various defenses at the edge and within the network (Cohen, 1997).
Asset Security Management
There will always be a need to mitigate IT security risks. Security threats are dreaded by all organizations all over the world. There are several approaches which can be taken in security asset management. These are:
Usage of inventory: The inventory can be used to single out all the malicious software. The inventory software must be used in all segments of the business. Once the inventory is used on a regular basis, workers will be prevented from using prohibited software. Unauthorized software can always be identified and removed.
Avoiding risky applications: Such applications may contain viruses that may end up being too destructive in the long run. Malicious software can be prevented through controlled deployment. Moreover, it is possible to deploy the software behind the firewall. The organization will in the long run have effective control over the information management process.
Promoting rationalization and standardization: This entails doing away with dormant and old software. Such software may become a source of viruses and thus prove very messy.
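The three approaches above (inventory, unauthorized-software removal, rationalization of dormant software) can be combined into one reconciliation pass over an inventory snapshot. The following is an added example, not code from the paper; the inventory agent, host names, product names and the 180-day dormancy threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InstalledSoftware:
    host: str
    name: str
    version: str
    last_used: date  # last launch recorded by the (hypothetical) inventory agent


# Constructed allowlist: approved product -> set of approved versions.
APPROVED = {
    "office-suite": {"16.0", "16.1"},
    "pdf-reader": {"2023.1"},
    "endpoint-agent": {"5.2"},
}

# Software every host must carry (constructed policy).
REQUIRED = {"endpoint-agent"}

# Constructed inventory snapshot; hosts and products are sample values only.
INVENTORY = [
    InstalledSoftware("ws-01", "office-suite", "16.1", date(2018, 6, 1)),
    InstalledSoftware("ws-01", "torrent-client", "3.0", date(2018, 5, 30)),
    InstalledSoftware("ws-02", "office-suite", "14.0", date(2018, 6, 5)),
    InstalledSoftware("ws-02", "pdf-reader", "2023.1", date(2017, 10, 1)),
    InstalledSoftware("ws-02", "legacy-reporting", "1.0", date(2017, 9, 1)),
    InstalledSoftware("ws-03", "pdf-reader", "2023.1", date(2018, 6, 10)),
    InstalledSoftware("ws-03", "endpoint-agent", "5.2", date(2018, 6, 12)),
]

TODAY = date(2018, 6, 13)  # snapshot date used for the dormancy calculation


def reconcile(inventory, approved, today, dormant_days=180):
    """Sort each installed item into one finding bucket.

    unauthorized: product is not on the allowlist at all (remove it)
    outdated:     approved product, but a version that is not approved (upgrade it)
    dormant:      approved and current, but unused for more than dormant_days
                  (candidate for rationalization)
    approved:     nothing to do
    """
    findings = {"unauthorized": [], "outdated": [], "dormant": [], "approved": []}
    for item in inventory:
        key = (item.host, item.name, item.version)
        if item.name not in approved:
            findings["unauthorized"].append(key)
        elif item.version not in approved[item.name]:
            findings["outdated"].append(key)
        elif (today - item.last_used).days > dormant_days:
            findings["dormant"].append(key)
        else:
            findings["approved"].append(key)
    return findings


def missing_required(inventory, required):
    """Hosts that lack a required product, e.g. hosts with no endpoint agent."""
    installed = {}
    for item in inventory:
        installed.setdefault(item.host, set()).add(item.name)
    return {
        host: sorted(required - names)
        for host, names in sorted(installed.items())
        if required - names
    }


if __name__ == "__main__":
    for bucket, items in reconcile(INVENTORY, APPROVED, TODAY).items():
        print(bucket, items)
    print("missing required:", missing_required(INVENTORY, REQUIRED))
```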
Complying with Security Regulations
Current data governance mainly uses the ISO standards. Such standards have been used by many organizations all over the world. The Information Security Act sets out security standards for both individuals and corporations. The Act was drafted and enacted to protect people and companies from unfair exploitation by unscrupulous dealers. In a world where information is key, it is important to have a clear legal arrangement. The data governance council assists in complying with the security regulations (Kelley, 2009).
Data Governance by Concept
Every company, no matter how small or large, needs to put in place a plan that ensures its information assets are secured. This makes it necessary for a company to establish an information security and risk management team that manages and controls all information assets of that company. A security and risk management program provides a framework for protecting a company's data assets; it also projects the risks and threats a company exposes itself to by failing to protect its data, and it outlines the policies on how to handle such risks when they occur.
Information security and risk management is simply the process of handling the uncertainties linked to the use of information technology. It comprises the identification, assessment and treatment of risks to the confidentiality, integrity and availability of an organization's assets. The primary objective is to treat the risks in line with the organization's total risk tolerance. There should be no expectation of completely eradicating the risks; instead, efforts should be directed towards identifying and achieving a suitable risk level for the respective organization.
Securing information in an institution or organization is concerned with the confidentiality, integrity and availability of data in whatever form the data may take. Such forms of data include electronic and print media, among other forms used in data governance (Ab Rahman & Choo, 2015). Data security is vital to the extent of an organization's reliance on information technology. When an organization's data is exposed to risk, the use of data security technology is inevitable. Current data security technologies, however, address only a small portion of the problem of information risk. Further, it is evident that data security technologies do not reduce data risk adequately.
Subsequently, data governance has gone through critical changes over the last 50 years. Research shows that data emerged from the silos of disparate legacy transactional systems, while data governance then developed into a distinct and complex discipline supported by essential hardware and software. Data management has undergone downturns in 1990, 2001 and 2008, which have helped it march forward and grow faster in spending than information technology (Khatri & Brown, 2010). The extent to which data has been managed as an essential asset in an organization has passed through diverse eras, as follows: the application era, the enterprise repository era and finally the policy era.
Apparently, since the ancient days of communication, military commanders knew the importance of using various mechanisms to protect the confidentiality of messages and to have some means of detecting information tampering. In the mid-19th century, more complex classification systems were developed to enable administrations to handle their data according to its degree of sensitivity (Ab Rahman & Choo, 2015). For instance, multi-tier systems were used to communicate during the Second World War. The modern-day process-based approach to information management frameworks is derived from the work published by W. Edwards Deming and the whole field of Total Quality Management. Deming's holistic and process-based approach to the manufacturing sector of the economy was at first overlooked (Khatri & Brown, 2010). However, this approach was at long last embraced by many manufacturing businesses after the rapid advancement in the quality of products from Japan in the 1960s.
Despite the perspective that the approach was only applicable in production-related businesses, its ideas have since been effectively applied in various environments which are not production-related in nature. Information security and risk management is an instance of applying the management-system model to the discipline of information security (Khatri & Brown, 2010). The distinctive features of this instance of management systems include the following. First, risk management applied to information and based on measurements of confidentiality, integrity and availability (Schwalbe, 2015). Additionally, Total Quality Management applied to information security processes and based on measurements of efficiency and effectiveness. Moreover, a monitoring and reporting model based on abstraction layers that filter and aggregate operational details for management presentation. It is also a structured approach to coordinating people, process and technology to deliver enterprise information security services.
Meanwhile, the field of data management has grown and advanced fundamentally. It offers many areas of specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning, electronic record discovery and digital forensics. Information security professionals are very stable in their employment (Schwalbe, 2015). As of 2013, more than 80 percent of professionals had no change of employer or job over a period of a year, and the number of professionals is expected to grow continuously by more than eleven percent every year.
At the core of information security is information assurance, the act of maintaining the confidentiality, integrity and availability of information, ensuring that information is not compromised in any way when critical issues arise. These issues include natural disasters and catastrophes, computer malpractice and physical theft. While paper-based business operations are still prevalent, requiring their own set of information security practices, enterprise digital initiatives are increasingly being emphasized, with information assurance now typically handled by information technology (IT) security specialists (Ab Rahman & Choo, 2015). These specialists apply information security to technology. It is worth noting that a computer does not necessarily mean a home desktop. A computer is any device with a CPU and memory (Kao & Lee, 2014). Such devices range from non-networked standalone devices such as calculators to networked mobile computing devices, for instance mobile phones and tablets. IT security specialists are almost always found in any major establishment because of the nature and the value of the data held by large business organizations (Schwalbe, 2015). The IT experts are responsible for securing the bulk of the technology within the business from malicious cyber attacks that regularly attempt to obtain critical private data or gain control of internal systems.
The end result of the context establishment stage is a clear information security risk mitigation approach. Basically, it is almost impossible to undertake a risk management activity without such a document. However, on many occasions, specialized risk management solutions are implemented without such a procedure (Schwalbe, 2015). When this happens, it is very likely that such strategies are not aligned with the company's main goal and high-level risk management approach. It is also possible that numerous risk-related parameters are not set and therefore no legitimate decisions can be made on the basis of the output of such implemented solutions (Kao & Lee, 2014). Hence, this results only in a false sense of security. The risk management approach ought to clarify how an organization assesses information security risk, responds to such risks and monitors them.
Today, all defense systems use information technology (IT) in some form, which must be resilient against cyber adversaries. This implies that cybersecurity relates to weapons systems and platforms, for example Command, Control, Communications, Computers, and Intelligence, Surveillance, and Reconnaissance (C4ISR) systems, and to information systems. Cybersecurity is a fundamental requirement for the Department of Defense and is a critical piece of preserving the United States' technological superiority (Ab Rahman & Choo, 2015). The Department of Defense has recently changed several of its policies to explicitly emphasize the integration of cybersecurity into its acquisition activities, in order to guarantee resilient systems (Kao & Lee, 2014). This guide is intended to help program executives integrate cybersecurity into their systems in a competent and cost-effective way, in accordance with the updated Department of Defense policies such as the Department of Defense Instruction on the RMF, Cybersecurity, and Operation of the Defense Acquisition System.
Background
Basically, Information Security Risk Management (ISRM) is a main concern for every organization around the world. Despite the fact that the number of existing ISRM strategies is immense, companies have continued to invest heavily in creating new ISRM techniques with the sole objective of accurately capturing all the possible dangers to their intricate data frameworks. This process remains a critical, knowledge-intensive one for all companies. In most cases, however, the process is addressed in an ad hoc way. A methodical approach to the development of new or enhanced ISRM strategies and techniques would improve the effectiveness of the procedure (Kao & Lee, 2014).
In any organization, the loss of crucial information may lead to damage to the organization. Information security and risk management programs secure documents that contain information providing the guidelines and procedures that guide the operations of the organization. Failure to establish a practical plan to guarantee the safety of a company's information exposes it to risks. For instance, the Information Security Act states the security standards for individuals as well as corporations. This policy protects the information of individuals and organizations from malicious and unauthorized dealers.
Data Governance by Definition
Data governance refers to the availability, usability, validity and safety of a company's data. With the dispensation of greatly advanced technology, most organizations' data management teams have resorted to adopting information technology to secure their information (Daily et al., 2013). However, as a result of cybercrimes such as information phishing, there is a need to develop effective counteractive measures such as cybercrime laws to govern the access to and sharing of personal as well as organizational data.
Importance of Data Classification and Its Application
The main goal of classifying data is to enable easy and efficient access at the time of retrieval. Information labeling ensures the safety of information, as it is tagged according to defined levels such as restricted, public, confidential and even internal use only. Information classification is useful in healthcare facilities to ensure the confidentiality of patients' information and thus the privacy of the patients.
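The labels named above only protect data if something enforces them: a record inherits the highest label of its fields, a reader may not see data above their clearance, and data may not leave through a channel rated below its label. The following is an added example, not code from the paper; the label aliases, the output channels and their ceilings, the patient record and the fail-closed default for untagged fields are all constructed assumptions.

```python
from enum import IntEnum


class Label(IntEnum):
    """Classification levels from the paper, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1        # "internal use only"
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Spellings that tagging tools or users may produce (constructed aliases).
ALIASES = {"internal use only": "internal", "internal-use-only": "internal"}


def parse_label(tag, default=Label.CONFIDENTIAL):
    """Map a text tag to a Label.

    A missing tag fails closed to `default` so that untagged data is never
    treated as public by accident; an unknown tag is an error, not a guess.
    """
    if tag is None:
        return default
    key = tag.strip().lower()
    key = ALIASES.get(key, key)
    try:
        return Label[key.upper()]
    except KeyError:
        raise ValueError(f"unknown classification tag: {tag!r}") from None


def is_valid_tag(tag):
    """True if the tag maps to a known level (None counts as valid: it fails closed)."""
    try:
        parse_label(tag)
        return True
    except ValueError:
        return False


def record_label(field_tags):
    """A record's label is the highest label carried by any of its fields."""
    labels = [parse_label(t) for t in field_tags.values()]
    return max(labels, default=Label.PUBLIC)


def can_read(clearance, label):
    """No read-up: a subject sees data only at or below its clearance."""
    return clearance >= label


# Highest label each output channel may carry (constructed policy).
CHANNEL_CEILING = {
    "public-website": Label.PUBLIC,
    "internal-wiki": Label.INTERNAL,
    "ehr-system": Label.RESTRICTED,
}


def can_release(label, channel):
    """Deny release to unknown channels and to channels rated below the data's label."""
    ceiling = CHANNEL_CEILING.get(channel)
    return ceiling is not None and label <= ceiling


# Constructed patient record: field name -> classification tag (None = untagged).
PATIENT_RECORD = {
    "patient_id": "internal",
    "name": "internal",
    "diagnosis": "confidential",
    "clinic_hours": "public",
    "free_text_notes": None,   # never labeled; fails closed to confidential
}

if __name__ == "__main__":
    level = record_label(PATIENT_RECORD)
    print("record label:", level.name)
    print("nurse (confidential clearance) may read:", can_read(Label.CONFIDENTIAL, level))
    print("billing clerk (internal clearance) may read:", can_read(Label.INTERNAL, level))
    print("export to public website:", can_release(level, "public-website"))
```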
Integration of Information Security and Risk Management into Security Program
Information security, although regularly seen as a set of technical issues, must be embraced as a corporate governance responsibility that includes risk management, reporting controls, testing and training, and executive accountability (Schwalbe, 2015). It requires the active engagement of all managers and the governing board. Moreover, a Corporate Governance Task Force of the National Cyber Security Partnership has been formed to improve data management techniques. The task force report provides governance policies and controls that may include the identification of cyber security roles and duties within the management structure, the establishment of risk management, and quality assurance for information users.
Risk Assessment
Data management has undergone various changes for almost five decades. Numerous studies reveal that data originated in the silos of disparate legacy transactional systems, while data governance then advanced into a diverse and complex discipline supported by essential hardware and software (Farn, Lin, & Fung, 2004). Data management therefore helps to bring together the exact data needed to raise an organization's assurance and confidence in its data. Apparently, there are also risks related to data and its use. Value realization is much desired; a balance between the realization of benefits and the operational management of risk is required to allow these benefits (Humphreys, 2008). Although data security in many organizations is restricted to establishing it as a function, there is an indispensable need for a risk management function to assure the execution of the controls and the program.
Data risk is the likelihood of a business loss related to the control, administration and safety of data. In data governance, the following are the risks an organization may be exposed to: vendor lock-in, which mainly describes a conflict with a software or service vendor who holds your files as a bargaining chip and prevents you from retrieving them; data corruption, where data becomes corrupted through data rot and thus affects the firm's processes; dark data, when an organization carelessly gathers obscure information that becomes messy and expensive to manage; data remanence, where an organization accidentally disposes of equipment without proper wiping and degaussing; compliance, when a business inadvertently provides customer details to an intermediary, thus violating local regulations; and finally data breach, where a business loses its entire customer records to an advanced persistent threat (Cohen, 1997). The database is sold to multiple firms, exposing your clients to threats and pressure. This leads to liability, brand damage and regulatory investigations.
Capability Based Planning is a widely used technique in defense intended to plan for anticipated changes. The principle is mainly to account for risks upfront instead of discounting them (Cohen, 1997). The principle will be of significance especially in stamping out issues of risks like data corruption, vendor lock-in, data breach and so on.
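Accounting for risks upfront, as the two paragraphs above and the earlier point about treating risk against the organization's tolerance describe, is usually done with a scored risk register: each risk gets an inherent likelihood and impact, controls reduce them, and whatever residual score still exceeds the tolerance is treated further. The following is an added example, not code from the paper; the 1 to 5 scales, the controls, their reductions and the tolerance value are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # likelihood points the control removes
    impact_reduction: int = 0       # impact points the control removes


@dataclass
class Risk:
    name: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: scores must be between 1 and 5")

    def inherent(self):
        """Score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self):
        """Score after controls; each factor stays at least 1, so risk never reaches zero."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


# Constructed register using the risk categories named in the paper; scores are illustrative.
REGISTER = [
    Risk("data breach", 4, 5, [Control("encryption at rest", impact_reduction=2),
                               Control("network monitoring", likelihood_reduction=1)]),
    Risk("data remanence", 3, 4, [Control("wipe and degauss before disposal", likelihood_reduction=2)]),
    Risk("vendor lock-in", 3, 3),
    Risk("dark data", 4, 2, [Control("retention policy", likelihood_reduction=1)]),
    Risk("data corruption", 2, 4, [Control("verified backups", impact_reduction=2)]),
    Risk("compliance", 2, 4, [Control("vendor contract review", likelihood_reduction=1)]),
]


def plan_treatment(register, tolerance):
    """Names of risks whose residual score exceeds the tolerance, most severe first
    (ties broken by name); these are the ones that still need further treatment."""
    above = [r for r in register if r.residual() > tolerance]
    return [r.name for r in sorted(above, key=lambda r: (-r.residual(), r.name))]


def summarize(register, tolerance):
    """Per-risk view: inherent score, residual score and the decision taken."""
    return {
        r.name: {
            "inherent": r.inherent(),
            "residual": r.residual(),
            "decision": "treat" if r.residual() > tolerance else "accept",
        }
        for r in register
    }


if __name__ == "__main__":
    for name, row in summarize(REGISTER, tolerance=6).items():
        print(f"{name:15} inherent={row['inherent']:2} residual={row['residual']:2} {row['decision']}")
    print("treat next:", plan_treatment(REGISTER, tolerance=6))
```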
The use of inventory will help single out all the malicious incidents in the file system. The software will need to be used in all sectors of the firm to avoid risks like data manipulation, dark data issues and so forth. When the inventory is used regularly, employees will be prevented from using forbidden software which could interfere with the records, thus safeguarding the firm from the risks of data remanence or compliance (Cohen, 1997). Unauthorized software will always be identified and dealt with accordingly.
Compliance with safety regulations that meet the required ISO standards will be of great importance in safeguarding the firm from such risks, since they have been applied by many firms worldwide. The Information Security Act provides the security standards for both firms and individuals. The Act was drafted and sanctioned to guard individuals and corporations from unfair manipulation by unscrupulous dealers, thus reducing the incidence of risks such as data corruption and data remanence (Cohen, 1997). Methodologies like TOGAF can be applied to help identify the people, process and material dimensions of a specified capability.
Data security provides valuable insights, best practices and references for building a sound business case justification for either implementing a data management program or making corrective and updated changes to an existing program. Normally, two approaches can be used for the execution of an asset management program: policy-based or performance-based (Schwalbe, 2015). Policy-based programs have a tendency to support a long-term, life-cycle approach to assessing investment benefits and costs. Decisions may be grounded on historical funding baselines, strategy-based splits, or deal-making instead of on current performance objectives or goals. The program will also describe the guidelines and general priorities for an agency's infrastructure management.
On the other hand, performance-based programs support the preservation of existing highway assets through the use of recognized methods and objectives. They allow decision makers to find the ideal balance between the availability and deployment of any asset at any given interval, based on the immediate performance measures tied to the current firm strategy (Farn, Lin, & Fung, 2004). Conversely, the absence of performance effectiveness measures for preservation, setup and production has resulted in performance strategies based more on the management of budget cost than on the management of asset performance.
To sum up, it is apparent that in order to improve data security, it is necessary to identify the organization's assets, vulnerabilities, threats and lastly the controls, so as to handle the risks discussed throughout the paper relating to data management and risk compliance. Doing this effectively allows the firm to assess, execute and communicate its plan for the management of asset security.
Conclusion
In conclusion, it is evident that in order to achieve data management or governance, it is required to identify the assets of an organization, its vulnerabilities, threats and finally the controls, so as to be able to address the risks associated with information security and risk management. As soon as that is done in an organization, assessment, treatment and communication are carried out to enhance the effective handling of such risks.
References
Ab Rahman, N. H., & Choo, K. K. R. (2015). A survey of information security incident handling in the cloud. Computers & Security, 49, 45-69.
Chenoweth, J. (2005). Information security policies, procedures, and standards: Guidelines for effective information security management. Journal of Information Privacy and Security, 1(1), 43-44.
Cohen, F. (1997). Managing network security — Part 5: Risk management or risk analysis. Network Security, 1997(4), 15-19.
Daily, C. M., Dalton, D. R., & Cannella Jr, A. A. (2013). Corporate governance: Decades of dialogue and data. Academy of Management Review, 28(3), 371-382.
Farn, K. J., Lin, S. K., & Fung, A. R. W. (2004). A study on information security management system evaluation—assets, threat and vulnerability. Computer Standards & Interfaces, 26(6), 501-513.
Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255.
Kao, M. C., & Lee, Y. W. (2014). U.S. Patent No. 8,694,772. Washington, DC: U.S. Patent and Trademark Office.
Kelley, B. (2009). Small concerns: nanotech regulations and risk management. SPIE Newsroom.
Khatri, V., & Brown, C. V. (2010). Designing data governance. Communications of the ACM, 53(1), 148-152.
Schwalbe, K. (2015). Information technology project management. Cengage Learning.