
SECURITY Assignment 2

Unit 5: Security
Student Name:
Registration Number: 2210117
Unit Title: SECURITY
Unit Number: Unit 5
Academic Year: 2022 – 2023
Unit Assessor:
Assignment Title: Online Networking Event (Assignment Part 2 of 2)
Issue Date: 11-04-2023
Submission Date: 10-05-2023
Internal Verifier Name:
Date: 11-04-2023
P5
1.1 Define a security risk and how to do risk assessment
a) Define a security risk: A security risk assessment identifies, evaluates,
and applies the important application security controls. It also focuses on
maintaining application security and preventing flaws. Through a risk
assessment, enterprises can view their application portfolio holistically,
and the resulting picture of the security controls helps managers allocate
resources, implement tools, and put controls in place on a well-informed
basis. To minimize risks, companies should conduct such an evaluation.
b) Risk assessment: A security risk assessment (SRA) is conducted to outline
the risks in your organization, technology, and processes, and to make sure
that security threats are addressed by the existing controls. Security risk
assessments are frequently required by compliance standards, such as those
imposed by PCI-DSS for payment cards; ISO 27001, HITRUST CSF, and HIPAA
compliance all require them, and the AICPA requires one as part of a SOC 2
audit. A risk assessment, an IT infrastructure risk assessment, a safety
risk audit, or a safety audit are common names for a security risk
assessment.
c) What is a security risk assessment for: It involves discovering,
evaluating, and prioritizing the risks associated with the various
information assets (systems, hardware, applications, and data), together
with all the hazards that may act on those vulnerabilities. Risk assessments
first alert decision-makers to vulnerabilities in business systems so that
proactive defensive measures can be adopted and risk responses planned.
Executives can then make informed security decisions based on the executive
summary, and management can reduce the attack surface by training staff
once a security risk assessment has been conducted.
Security risk assessments are conducted by an assessor who understands all
aspects of the business processes, in order to determine the risk areas. A
risk area could be as simple as an insecurely password-protected device, or
something more complex, such as an insecure business process. As part of the
appraisal, the assessor evaluates everything from HR policies to firewall
configurations.
d) How to do a risk assessment:
The depth of a risk assessment model depends on the size and growth rate of
the organization, its capital and resources, and its asset portfolio. A
generic assessment can be conducted when a company is limited by time or
money. Generalized evaluations, however, usually fail to include a precise
mapping of assets, the threats and risks associated with them, and the
corresponding impacts and mitigation controls. If the generalized assessment
does not show enough correlation between these areas to draw conclusions
from, a more in-depth assessment is needed.
Security risk assessment: 4 steps to success
1. Identification. Create a risk profile for each of the critical assets of
your IT infrastructure, then identify the sensitive data they create,
store, and transmit.
2. Assessment. Evaluate and assess the security risks for the critical
assets, then decide how to allocate time and resources towards risk
mitigation. During the assessment, you look at how assets, threats,
vulnerabilities, and mitigating controls are related.
3. Mitigation. Implement security controls for each risk and define a
mitigation approach.
4. Prevention. Make sure your firm's resources are protected with tools
and processes.
1.2 Define threats and threat identification procedures.
A) Definition of threat:
A security threat is something potentially dangerous that happens because of
a security flaw in a computer system or application, causing it to do
something undesirable.
A negative event can be "accidental", such as a computer failure (caused, for
example, by an earthquake or a tornado), or "intentional", such as hacking
(by, for example, a cracker or a criminal organization). The threat is
distinct from the threat actor: a threat actor is a person or group capable
of performing the threat's actions, such as exploiting a vulnerability for
malicious purposes and harming others.
B) Threat identification procedures:
A threat model helps an organization to aggregate and measure the possible
threats by collecting data on them. Threat modeling is a systematic
methodology that helps management identify information security risks.
Institutions should use threat modeling to better understand the frequency
and complexity of threats, to determine the institution's exposure to
information security risks, and to apply this knowledge to the institution's
information security program.
By identifying threats, their capabilities and their objectives, we can take
the following actions:
- Identify and assess threats.
- Use threat knowledge to drive risk assessment and response.
- Design policies that allow immediate and consequential threats to be dealt
with expeditiously.
1.3 Review the risk assessment procedure
Risk assessment procedures give a better understanding of an organization,
its environment and its internal monitoring, and a risk assessment
procedure is carried out to identify and determine the risk of material
misrepresentation in financial statements and claims, whether due to fraud
or mistake.
The risk assessment is divided into 5 steps:
1st step: Identify the hazards
You should begin by determining what risks your company and employees
face, such as:
- Natural disaster
- Biological hazards
- Workplace accidents
- Intentional acts
- Technological hazards
- Chemical hazards
- Mental hazards
- Supply chain interruption
Your company may be affected by a variety of processes and operations
around your office. When assessing how risks affect the workforce, consider
all aspects of risk, including remote workers and non-routine tasks such as
repairs and maintenance. To better understand the dangers that have harmed
your business in the past, you can also review accident/incident data.
2nd step: Determine who might be harmed and how
When looking at your organization, consider how your workers might be
affected by company practices as well as by external influences. Consider
who might be affected by any hazards that you find.
3rd step: Evaluate the risks and take precautions
Once you have compiled a list of potential hazards, you must know how likely
it is that a threat will occur and how significant its consequences will be
if it does. This assessment lets you determine which risks should be
prioritized first and which risks should be minimized.
4th step: Record your findings
If your business has more than five employees, you are legally required to
record your risk management process. In your risk management plan, you
should explain the dangers you have identified, the persons they impact,
and how you plan to minimize them. The document should show that you have:
- Identified those affected
- Controlled and dealt with obvious hazards
- Initiated precautions to keep risks low
- Kept your staff involved in the process
5th step: Review the assessment and update it if necessary
To stay on top of new risks, your risk management process must be
constantly evaluated and updated. Because your workplace is always
changing, so are your threats. Every new piece of equipment, procedure, or
employee brings a new hazard.
P6
2.1 Definition of data protection:
Definition: As the amount of data generated and processed increases
exponentially, data protection becomes increasingly valuable in order to
prevent vital information from being tampered with, compromised, or lost. A
data protection strategy is crucial for any organization to protect its
information from fraud, hacking, phishing, and identity theft. Firms must
develop a data protection strategy if they wish to maintain the security of
their data. Cyberattacks and data leaks can result in catastrophic
consequences. Ultimately, data protection boils down to protecting and
shielding data from a wide variety of risks and situations.
How does it work: The Data Protection Act was created during the 1950s and
1960s to protect personal data and establish guidelines for its use. The
Act of 1998 protects information or data about living people recorded on a
computer or in a structured paper file system, and appoints an Information
Commissioner to enforce the legislation.
2.2 Explain the data protection process in an organization
Under the Data Protection Laws, individuals (known as "data subjects")
receive special rights over their personal data, while companies that
process it must take responsibility for their actions. In its capacity as a
recruiting firm, the firm collects and handles both personal and private
personal information.
An important element of data protection is ensuring that data remains
available and manageable in the following ways:
- In the event of a loss or compromise of data, consumers will still be
able to conduct business, as the information will remain available.
- Data management now includes taking advantage of dormant copies of data
in order to unlock business value for reporting, testing, enabling growth,
and analytics.
The data protection process creates and maintains a backup copy of the
protected data, and creates modified-copy recovery points every few days.
Using the recovery points, you can retrieve earlier versions of the secured
data. The backup copy contains the protected data in its entirety.
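To make the recovery-point idea concrete, here is an added Python example (not the assignment's own code) of an in-memory backup store: every recovery point keeps a full copy of the protected data together with a SHA-256 digest, so an earlier version can be retrieved and a copy that has degraded or been altered is caught when the store is reviewed. The store, dates and data are constructed sample values.

```python
import hashlib
from datetime import date, timedelta


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RecoveryPointStore:
    """Dated recovery points of one protected data set (constructed, in-memory)."""

    def __init__(self) -> None:
        self._points = {}  # ISO date -> {"digest": str, "data": bytes}

    def create_point(self, day: date, data: bytes) -> str:
        """Record a full copy of the data for this day and return its digest."""
        key = day.isoformat()
        self._points[key] = {"digest": _digest(data), "data": bytes(data)}
        return self._points[key]["digest"]

    def list_points(self):
        return sorted(self._points)

    def is_intact(self, day: str) -> bool:
        """True if the stored copy still matches the digest taken at backup time."""
        point = self._points[day]
        return _digest(point["data"]) == point["digest"]

    def review(self):
        """The periodic review: days whose copy has degraded or been altered."""
        return [day for day in self.list_points() if not self.is_intact(day)]

    def restore(self, day: str) -> bytes:
        """Retrieve the version held at a recovery point, refusing a damaged copy."""
        if not self.is_intact(day):
            raise ValueError(f"recovery point {day} failed its integrity check")
        return self._points[day]["data"]

    def simulate_degradation(self, day: str, offset: int) -> None:
        """Flip one bit of a stored copy to stand in for a degraded medium."""
        point = self._points[day]
        damaged = bytearray(point["data"])
        damaged[offset] ^= 0x01
        point["data"] = bytes(damaged)


def demo():
    """Constructed scenario: a point every three days, then the middle one degrades."""
    store = RecoveryPointStore()
    start = date(2023, 5, 1)
    versions = [b"customer list v1", b"customer list v2", b"customer list v3"]
    for i, content in enumerate(versions):
        store.create_point(start + timedelta(days=3 * i), content)
    store.simulate_degradation("2023-05-04", 0)
    return store


if __name__ == "__main__":
    s = demo()
    print("recovery points:", s.list_points())
    print("failed review:", s.review())
    print("restored v1:", s.restore("2023-05-01"))
```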
Figure: Data Protection circle
2.3 Why are data protection and security regulation important?
As data becomes more valuable, the ways and means of retrieving it
continue to evolve. Businesses and individuals can suffer severe
consequences when their personal data is handled in an unauthorized,
careless, or uneducated manner.
It is becoming increasingly important to protect data as the amount of data
generated and processed increases exponentially. Moreover, there is little
tolerance for downtime, which can make accessing critical data difficult.
These three reasons explain why data protection regulation is relevant:
- Data protection does not only protect individuals' data, but also their
fundamental rights and freedoms relating to such data: by preserving
personal data, a person's rights and freedoms are protected as well.
Incorrectly handling personal data, for example, may result in a person
being passed over for employment opportunities or, worse, being fired
from their current job.
- An individual may also lose all the money in their bank account if an
organization fails to comply with the regulations on personal data
security, and a life-threatening situation can be created when health
information is manipulated because the regulations were not followed.
- Data protection regulations are essential to guarantee fair and
consumer-friendly trade and service provision. A personal data
security law, for example, makes it illegal to openly sell someone's
personal data, which lets the individual decide who may sell it and
what kind of offers they receive.
Figure: The importance of cyber-security
Security regulations
Companies are provided with guidelines and best practices, tailored to
their industry and data type, to help them improve their information
security strategy. If these regulations are not followed, heavy fines could
be imposed or, worse, a data breach could occur.
The following 3 methods can help you protect your data more effectively:
- Risk assessments:
Riskier data requires a higher level of security. The primary basis for
these assessments is cost-benefit, as stronger data protection requires
more money. Critical data should be closely guarded, whereas low-risk data
can be protected with less. A risk assessment can therefore be used to
determine which information needs to be protected more closely and to make
the data processing system more efficient.
To determine the level of security at risk, assess the risk on two axes:
the potential severity of a data breach and the likelihood of it occurring.
Data with a high risk on both of these vectors is considered more
sensitive. If you are unsure about what you are doing, do not do it by
yourself unless you have support from a Data Protection Officer (Privacy
Officer): mislabeled data may threaten your business.
- Backups:
A backup is a way to keep data safe if something goes wrong or if
technology fails. It is important to create and update backups on a
regular basis. You will spend more money creating daily backups, but
disrupting your routine business activities will cost you more. Time is
more important than money.
The approach just described is suitable for backing up low-importance
information; sensitive information needs stricter handling. A backup of
sensitive data should never be stored in a cloud. The backup should be
stored in a safe place, and it should be encrypted. Ensure that storage
media are stored according to official guidelines and are regularly
reviewed for degradation as directed by the manufacturer.
At smaller volumes, tape storage is also about two-thirds cheaper than
hard disk storage. Hard disk storage handles small-volume operations
better than tape, whose overall performance is inferior: disk-based
storage technologies are generally more efficient and more compact, and
data access is faster with disk storage. Tape, however, remains
two-thirds cheaper than hard disk storage.
- Encryption:
It is ideal to encrypt high-risk data every step of the way, from
acquisition to processing (full memory encryption) and from storage to
transmission (RSA or AES). In the event of a data breach, well-encrypted
information cannot be accessed or recovered by attackers.
Because of this, encryption is also expressly referred to in the GDPR as
a data protection tool, so you are likely to gain favor from regulators
if you use it correctly. An infringement involving encrypted data does
not need to be reported to the supervisory authorities if you encounter
one! For this reason alone, encryption should be your number one data
protection technique.
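As an added illustration (example code, not part of the original assignment), the Python script below builds a small risk register in the shape described in the four assessment steps and the two-axis method above: each risk is tied to an asset and the sensitive data it holds (identification), rated on likelihood and severity (assessment), ranked so time and resources go to the highest scores first, and given a mitigation control. The asset names, threats, ratings and score bands are constructed sample values.

```python
from dataclasses import dataclass

# Ordinal scale shared by both axes (constructed; adapt to your own scheme).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def rating_is_valid(level: str) -> bool:
    """True if a likelihood/severity rating is on the scale."""
    return level in LEVELS


@dataclass
class Asset:
    name: str
    sensitive_data: str  # what the asset creates, stores or transmits (step 1)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    severity: str    # "low" | "medium" | "high"
    control: str = ""  # mitigation chosen in step 3

    def __post_init__(self) -> None:
        # Refuse ratings outside the scale instead of silently mis-scoring them.
        for level in (self.likelihood, self.severity):
            if not rating_is_valid(level):
                raise ValueError(f"unknown rating {level!r}; expected one of {sorted(LEVELS)}")

    def score(self) -> int:
        """Two-axis score: likelihood x severity, in the range 1..9."""
        return LEVELS[self.likelihood] * LEVELS[self.severity]

    def rating(self) -> str:
        """Band the 1..9 score (constructed thresholds)."""
        s = self.score()
        if s == 9:
            return "critical"
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"

    def is_sensitive(self) -> bool:
        """The text treats data rated high on both axes as the most sensitive."""
        return self.likelihood == "high" and self.severity == "high"


def prioritise(register):
    """Step 2: order risks so time and resources go to the highest scores first."""
    return sorted(register, key=lambda r: (-r.score(), r.asset.name))


def summarise(register):
    """Count risks per band, the kind of figure an executive summary reports."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for risk in register:
        counts[risk.rating()] += 1
    return counts


def build_sample_register():
    """Constructed register for a small firm (sample values, not real findings)."""
    db = Asset("customer database", "card numbers and contact details")
    tapes = Asset("backup tapes", "full copy of the customer database")
    site = Asset("marketing website", "no personal data")
    printer = Asset("office printer", "none")
    return [
        Risk(db, "credential theft via phishing", "no MFA on admin accounts",
             "high", "high", control="enforce MFA; encrypt data at rest"),
        Risk(tapes, "loss of media in transit", "tapes are not encrypted",
             "medium", "high", control="encrypt backups; locked transport"),
        Risk(site, "defacement", "outdated CMS plugin",
             "high", "low", control="patch schedule; web application firewall"),
        Risk(printer, "hardware failure", "no spare unit",
             "low", "low", control="accept the risk"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for risk in prioritise(register):
        print(f"{risk.score()} {risk.rating():<8} {risk.asset.name}: {risk.control}")
    print(summarise(register))
```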
M4
1. Definition of IT security audit
Your enterprise's information security system is examined and assessed as
part of an IT security audit. Regular IT audits can help identify weaknesses
in your infrastructure and ensure regulatory compliance, as well as verify
your security controls.
Figure: Security Audit
Why does an organization need an IT security audit?
To combat cyber-attacks by hackers and other criminals who manipulate IT
systems for their own ends, you need an IT security audit to ensure that
your cyber-defenses are fully up to date.
Everything your business has worked for can be at risk if the defenses of
an IT system fail to keep up with the cutting-edge tactics used by hackers.
With just one vulnerability, your bank details and ultimately your cash can
be stolen, as well as personal information that you would not want
publicized.
Cybercriminals view small businesses as an attractive target: as commercial
entities they hold significant cash reserves, but they are unlikely to have
a sizable IT protection team or resources. Infiltrators can go about their
business without being detected because attention is diverted elsewhere,
whereas larger companies with more manpower can more easily detect an
infiltrator's activities.
2. Types of security audit
IT security audits can be classified in a variety of ways, according to
Varghese (2020). There are several common categorizations.
- Approach based
  - Black Box Audit: the auditor only has access to publicly available
  information about the audited organization.
  - White Box Audit: the auditor receives detailed information about the
  organization being audited (i.e. source code, employee access, etc.).
  - Grey Box Audit: the auditor is given some information about the
  organization being audited. This information could also be collected
  by the auditors themselves, but is provided as a time-saving measure.
- Methodology based
  - Penetration Tests: the auditor attempts to breach the organization's
  infrastructure.
  - Compliance Audits: checking certain parameters only, to identify
  whether the organization complies with security standards.
  - Risk Assessments: listing the critical resources that may be
  threatened in case of a security breach.
  - Vulnerability Tests: the scans needed to find possible security risks;
  a number of false positives may occur as a result.
  - Due Diligence Questionnaires: a tool used to assess the
  organization's security standards.
3. Impact of IT security audit
As well as database management and resource planning, a comprehensive
IT security audit also covers chain network organization and other core
business areas. Here is a breakdown of the specific impacts of an audit:
- It evaluates the data flow within your business
You need to maintain top security controls when it comes to your data.
An IT security auditor determines how and where your organization's
information flows, and who has access to it.
The review of data breach prevention measures covers all technology and
processes related to preventing data loss, theft, misuse, and
mishandling. Moreover, your auditing team can lay the groundwork for any
improvements or enforcement actions that need to be made in this area;
otherwise you run the risk of legal disputes with your customers.
- It identifies vulnerabilities or problem areas
IT systems have several components: hardware, software, data, and
procedures. You can tell whether your system has a problem by engaging
an expert IT outsourcing service. They can check that your hardware and
software tools are configured correctly and working properly, and you
may also be able to retrace past security incidents that exposed your
security weaknesses. As part of an on-site audit, tests may be conducted
on network vulnerabilities, operating systems, access controls, and
security applications.
- It determines whether security policies and standards are suitable or
should be modified
The audit process begins with the pre-audit, where auditors collect
relevant documents from previous audits, along with copies of current
policies and procedures. Then your entire system is analyzed and tested
on-site. During the audit process, the auditors document everything they
find out about the system's safety and effectiveness. If you have
adequate security measures that are consistently implemented within your
organization, they will be able to make a clear assessment by the end of
the audit. They might, for example, find instances of unauthorized
wireless networks, which pose a threat beyond what is acceptable.
- It recommends ways to make your business more secure through the use
of information technology
To choose the right security tools for your organization, an IT security
audit should help you understand what level of security your business
needs. The auditors should be able to tell you whether your security
solutions need to be centralized across all devices or whether you need
specific software for each risk area. In addition to advising you whether
you are overspending or underspending on security, security experts will
also help you allocate security resources appropriately. If they feel the
level of risk does not justify it, they may discourage you from
attempting to secure every server and app.
- You receive an in-depth analysis of your IT practices and systems
both inside and outside your organization
A formal IT security audit report includes a summary of findings,
supporting data, and appendices detailing the findings of the auditing
team. It identifies problems and proposes solutions concerning risk
areas, compliance with industry standards, security policies, and other
aspects.
4. Benefit of IT security audit
- Ensures that an organization's critical data is protected.
- Manages security certifications for the organization.
- Prevents hackers from finding security loopholes.
- Provides updates on security measures to the organization.
- Determines the vulnerability of physical security.
- Contributes to the development of the organization's security policies.
- In the event of a cybersecurity breach, prepares the organization for
emergency response.
D2
1. What is Organizational Policy?
People and information are the primary concerns of a security policy, but it
should also establish expectations for users, system administrators, and
management and security personnel in terms of behavior. Defining the
company's baseline stance on security can help minimize risk and help track
compliance with appropriate regulations; it can also be used to authorize
monitoring, probing, investigating, defining and authorizing the
consequences of violations.
Having written policies may sound fine in theory, but as recent high-profile
cases have shown, people do not always follow them.
In addition to IT security, the organization's policies can be related to
seven other domains:
Culture: Organizational cultures that emphasize good information risk
management are crucial to the success of an organization.
Planning: It is possible to align resulting projects and actions to actual
business requirements through strategic and tactical planning activities of
the information security organization. As an example, enterprise architecture
principles are an integral part of security planning.
Processes: An ISMS based on ISO 27001 is used as the security
management program's strategic process approach. Instead of enforcing a
control baseline that fits all, it enables the business to assess, develop and
implement security solutions as and when it is required.
Communications: Service-level metrics should be developed between IT,
service providers, and user constituencies to quantify security-related
service-levels.
Competencies: Information security specialists aren't usually good at
architecture, communication, or marketing, but a business' alignment
requires them.
Technology: Technology users' perception of security can be heavily
influenced by the way security technology is utilized. As part of an ITIL
v3-based integrated service delivery strategy, security controls must be
technically integrated with IT services in order for it to be successful.
Relationships: A successful relationship with other roles and individuals
within the organization depends on establishing and maintaining effective
communication. In order to align, key decision makers, influencers, and
stakeholders must work together and support one another.
2. Explaining how misalignments may impact security.
External Misalignment:
- Customer Requirements: It is evident from the data analysis that
customer requirements influence the software development process to
some extent. Customer satisfaction is the primary concern for a BA,
but quality and credibility should remain high. It is clear from the data
analysis that customer preferences can result in security
vulnerabilities. However, both BAs and developers suggested that
when adding security features, customers' needs and preferences
should be taken into account. As an example of how this aspect can be
explored, a customer in the study requested the introduction of web
banners advertising their other products inside the mobile banking
application.
- Standards and guidelines: The variability of security standards and
guidelines can also be a cause of external misalignment. Besides using
an additional security tool provided by a company specializing in
security, implementing both security mechanisms in mobile apps or
building security components in-house are also effective methods of
achieving security.
- Regulatory requirements: In the analysis of the data, it was found
that understanding government regulations related to information
security can be challenging. A company may be providing software to
customers in several countries, each with its own laws and regulations,
which may require it to take into account regulations from a different
country. According to one developer, it is difficult to follow several
regulations and align them with the development process.
- Third-party software: Software development lifecycle alignment is
challenging when third-party applications are used. To ensure the
security of this mobile banking application, the organization involved
integrated a third-party security application, and challenges were
encountered during the integration. One developer mentioned that there
was a misalignment in security policies and regulations due to conflicts
between internal policies and regulations and vendor policies.
Role Misalignment: In an agile team, roles are easily distinguishable but
linked. A role misalignment occurs when different specific roles aren't
aligned. Scrum environments usually require understanding the tasks
performed by other team members because of augmented team
collaboration. A person will be able to determine their place in the team and
what each member needs to accomplish to complement the other.
Skills Misalignment: A skills misalignment occurs when the expected
competency level of a role does not match the individual's abilities. An
inadvertent assignment of responsibilities, idle time, and errors can result
from a misalignment of skills. In the current study, several errors were
made on one simple task. Developers indicated that it took more time to
complete the task than expected due to a lack of knowledge on configuring a
third-party security application to work with a mobile application.
Generally, software developers do not receive security education as part of
their educational program; instead, they learn how to code, which is why
they lack the skills needed to implement security requirements. Security
skills are commonly acquired through experience.
Requirements Misalignment: Requirements misalignment occurs when security
requirements conflict with general system requirements. Requirements can be
either functional or non-functional, with security requirements classified
as non-functional. Software development must treat functional and
non-functional requirements as equally important. As a result of the
fragmented classification of requirements, the different types of
requirements are alienated, and non-functional requirements are considered
only after the design stage, with lower priority given to them.
Category: External Misalignment
Definition: Software development processes can become misaligned when they
conflict with external elements, such as customers, regulations, and
third-party applications, that are external and beyond the development
team's control.
Category: Role Misalignment
Definition: An example of a role misalignment is between developers and
testers.
Category: Skills Misalignment
Definition: The skills misalignment can lead to mismatches of
responsibilities and incorrect implementations when current skills are not
adequately aligned with the required workload.
Category: Requirements Misalignment
Definition: The misalignment between security requirements and general
system requirements occurs when the two are at odds.
Table: Example of misalignment categories
P8
1. Roles and definitions of stakeholders
Investors, employees, customers, and suppliers are the primary
stakeholders of a corporation. Stakeholders can have an impact on or be
affected by a company. An organization's stakeholders can come from within
or from outside the organization. An internal stakeholder is someone who
has a direct relationship with the company, such as employment, ownership,
or investment. Suppliers, creditors, and public groups are considered
external stakeholders, even though they do not directly work for the
company.
- In a security audit, a company's information system is systematically
assessed based on a set of criteria to determine if it is secure. As part
of a thorough audit, the configuration and physical environment of the
system are often assessed, as well as the software, information
processing processes, and user practices. In addition to determining
compliance with regulations, security audits are often used to
determine how organizations must handle information.
- Providing better customer service and/or analyzing data may require
the support of third parties in order to accomplish the purpose of
collecting business information. The following stakeholders are involved
in the information security process of the business:
Server manager, branches: the following steps must be taken.
APPLICATION SECURITY SOLUTION
- Web application firewall (WAF) solution (Benefits - provides continuous
monitoring of Web application systems and alerts if vulnerabilities
appear within the application.)
- Solution to combat counterfeit transactions (fraud detection)
(Benefits - prevents forged transactions and the appropriation of payment
accounts in electronic payments and e-banking.)
DATA SECURITY SOLUTION
- Solution for monitoring the security of database systems
- Encryption of folders, files, and whole hard drives (Benefits -
protects sensitive data in encrypted form)
NETWORK SECURITY SOLUTION
- Multipurpose security solution for protecting system ports (gateways)
and protecting against risks from the Internet environment
- Solution to protect against intrusions and DDoS attacks (Benefits -
specialized equipment giving protection against DDoS attacks.)
- Solution to prevent email spam and viruses (Benefits - dedicated
solutions to prevent email spam and viruses.)
SECURITY SERVICES:
HPT provides network security services in addition to the above security
solutions. These services include:
- Black-box test: suppose that a hacker attacks a component of an
enterprise's system without knowing any information about it.
- White-box test: it is assumed that the hackers have full access to
system information such as diagrams, operating system descriptions,
and applications.
- Gray-box verification: imagine that an employee of an enterprise
gives a hacker an account as a regular user and the hacker attacks the
system as an employee.
Business Partners:
SECURITY CONSULTING SERVICES
- HPT conducts an overall analysis of risks and information security
risks in order to provide overall security advice as well as
recommendations for security investments that are appropriate for the
customer's system.
- On-demand security consulting: HPT examines and analyzes the
components of a system in detail to determine whether the customer
needs security advice on terminal security, application security, or
system gate level protection.
Customers:
Customers who use the services are surveyed and assessed on the following information:
• System connection model
• Basic network equipment (routers, switches, ...)
• Network security software and devices (firewalls, attack detection and prevention systems, VPN systems, etc.)
• Data backup and recovery system

Example stakeholders in information security policy (ISP) development.
User Community: Organizations have user communities composed of individuals (and groups of individuals) performing many different functions. Most security literature refers to the user community as "end users" or "user communities"; it also refers to computer users, data entry staff, data processors, and information collectors (Szuba 1998).
ICT Specialists: A fundamental part of the ISP development process is the involvement of the ICT specialist, so this role is well represented in the ISP development literature, even though ICT specialists are usually occupied with managing an organization's computing infrastructure in a variety of ways. The literature names this role in several ways, including (but not limited to) computer specialists, computer designers, IT specialists, computer administrators (Swanson 1998), information security professionals (Anderson Consulting 1999), and personnel within the IT department (Woodward 2000).
Security Specialists: IT departments frequently play the role of security specialist as an adjunct to their main organizational role. It is more common, however, for medium to large organizations to hire individuals who focus on developing security policies and protecting the organization's information. As part of the ISP development process, people in these roles carry out a variety of activities, such as managing the complete process and providing safety and security advice. Stakeholders in this role are expected to have a strong understanding of security, though they may not be fully familiar with the organization's computer and communication systems. It is common for this stakeholder to lead the ISP development process (Diver 2007).
Human Resources: For an ISP to meet standard organizational practices,
Human Resources involvement is crucial throughout the development
lifecycle. In addition to ensuring that the ISP is consistent with
organizational standards, Human Resources will also focus on equity of the
policy and training. During the process, they will make sure employees are
informed about the ISP and understand how it may affect them. During the
development process, Anderson Consulting (1999) says Human Resources
will be involved to make sure that communication channels are set up
throughout the organization for ISP communication, so that employees can
"comment" on the policies. Along the lifecycle of the ISP, Human Resource
representatives will need to be involved with issues such as changing job
descriptions, motivating employees, training them, and enforcing policies.
Executive Management: As with any strategic initiative, senior management must be involved for the initiative to succeed. The involvement of senior management is a key success factor when developing and implementing ISPs. Many other researchers have echoed this view, saying that corporate management must be involved in policymaking. The State of Oregon emphasizes this in terms of the success of implementing an information security program: "A meaningful information security program rests on senior management support" (State of Oregon 1998).
External Representatives: On occasion an organization may need to include other individuals not previously mentioned; for instance, customers, suppliers, and other external entities may need to be involved in some situations. Developing an ISP should involve outside clients who rely on the organization's systems. ISP development might also require consultation with a second organization if there is a strong strategic relationship between the two. In the case of a major retailer, a policy might be developed that affects all suppliers who are directly integrated into its warehousing and distribution computer systems. Bowersox et al. (2002) report that organizations may encounter issues in their ongoing strategic relationships if they fail to consult with their suppliers.
Public Relations: The Public Relations team within an organization is one of
the stakeholder roles organizations are incorporating into ISP development
(Anderson Consulting 1999). Public Relations stakeholders must
demonstrate the commitment of the organization to security as security
becomes a more important issue for an organization. In the event of a
security incident, this stakeholder role will be particularly important. It is
expected that only large organizations will possess this stakeholder role.
M3
Using ISO/IEC 27001 as a risk management standard for IT security in this
scenario is an appropriate approach. In order to protect their information
assets, SMEs can develop effective policies and procedures that follow this
standard. It provides a systematic and structured approach to managing
information security risks.
In order to implement ISO/IEC 27001 in IT security, it is necessary to take a
number of key steps. The first is to conduct an assessment of the
information assets of your company to determine which risks and
vulnerabilities are present. It is possible for small and medium-sized
businesses to develop a risk treatment plan based on the results of this
assessment in order to determine what strategies can be used to mitigate
the identified risks.
Security measures, such as access controls, network security measures, and
data encryption, must then be implemented by SMEs to reduce security
incidents' likelihoods and impacts. Security controls need to be monitored
and reviewed on an ongoing basis to ensure their effectiveness and to detect
any emerging threats or vulnerabilities.
The implementation of ISO/IEC 27001 presents SME organizations with a
robust and effective means to implement an approach to managing risk in
the field of IT security, which emphasizes the importance of continuous
improvement through regular audits and reviews.
Small and medium-sized businesses can use the information that they obtain
in their security awareness booklet and security policy activity to educate the
staff about the importance of using a risk management approach such as
ISO/IEC 27001 to protect their information assets. An overview of the steps
involved in implementing this standard can be included in the booklet, while
an activity might involve creating a hypothetical risk treatment plan in order
to develop an understanding of the standard. Therefore, as SMEs learn more
about some of the threats facing IT security, their policies, and procedures,
they will be able to develop practical measures to protect their business
operations.
There are several key steps SMEs must follow in order to
comply with ISO/IEC 27001:
Risk assessment: In order to identify potential risks to their information assets, SMEs should carry out a thorough risk assessment. The purpose of this process is to identify assets, threats, vulnerabilities, and existing controls, and to determine the likelihood and impact of each threat.
ISO/IEC 27001 requires that risk assessments identify, analyze, and
evaluate potential risks to an organization's information assets. The steps in
conducting a risk assessment include the following:
• Identify information assets: The first step is to identify the information assets to be protected, including any information that is critical to the business's operation, such as customer data, financial data, and intellectual property.
• Identify threats: Next, identify the threats to these information assets, including the possibility of natural disasters or external attacks affecting them.
• Identify vulnerabilities: Once the potential threats are identified, the next step is to identify the vulnerabilities that these threats could exploit. Vulnerabilities can include weaknesses in software, hardware, processes, human behavior, or any combination of these.
• Assess likelihood: Assess how likely it is that a threat will occur, taking both its probability and its frequency into account.
• Assess impact: Assess a threat's impact by considering how severe the resulting damage could be.
• Evaluate risks: Using the likelihood and impact assessments, prioritize the risks according to their severity and the resources required to address them.
• Identify risk treatment options: Following the evaluation of the risks, identify treatment options for each, such as mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk.
Risk treatment: In order to mitigate risks, SMEs should develop a risk
treatment plan that outlines specific measures and resource allocations for
mitigating the identified risks.
ISO/IEC 27001's risk treatment step involves defining specific measures to
mitigate risks identified in the system by developing a risk treatment plan.
The following are the steps involved:
1. Prioritize risks: Small and mid-sized businesses should prioritize the
identified risks according to their probability and impact to ensure that
resources are allocated effectively and that the most critical risks are
addressed.
2. Identify risk treatment options: To mitigate identified risks, SMEs first
need to prioritize risks and then identify treatment options. Treatment
options include:
   • Avoiding the risk: In some cases, SMEs may avoid the risk altogether by not carrying out the activity that gives rise to it. For instance, SMEs may stop using software applications that are known to be exploitable.
   • Transferring the risk: Beyond risk sharing, small businesses can also transfer the risk to a third party, for example by outsourcing their IT security or by taking out insurance.
   • Mitigating the risk: Small and medium-sized businesses can reduce the likelihood of risks occurring by implementing controls. Such controls can include technical measures, such as firewalls and encryption, or non-technical measures, such as training.
   • Accepting the risk: When mitigating the risk costs more than the potential impact, SMEs can choose to accept the risk.
3. Develop a risk treatment plan: SME risk treatment plans should outline
specific measures to mitigate the identified risks based on the
identified risk treatment options. The following elements should be
included in the risk treatment plan:
   • Objectives: Organizations should align their risk treatment plans with their overall objectives in order to achieve their goals.
   • Measures: In addition to technical measures, non-technical measures must also be identified to mitigate the risks.
   • Responsibilities: In order for the risk treatment plan to be implemented effectively, individuals or teams need clear responsibilities.
   • Timelines: Clearly define a realistic timeline for implementing the risk treatment plan.
4. Implement the risk treatment plan: After establishing the risk
treatment plan, SME owners need to set up timelines, assign
responsibilities, and monitor their progress as they implement the
strategies.
5. Monitor and review: Regular audits and reviews of the implementation
of controls and the risk management approach are necessary for SMEs
to continuously monitor and review the effectiveness of the risk
treatment plan.
In order to mitigate identified risks and protect their information assets,
SMEs can follow these steps and develop a risk treatment plan. In this way,
SMEs can establish effective policies and procedures for dealing with security
incidents so that they can maintain the trust of their customers and
partners.
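The assessment and treatment steps above can be carried out as a small risk register. The following is an added illustration, not part of the assignment: it scores each risk as likelihood × impact on hypothetical 1-5 scales, ranks the risks, and applies a simple rule derived from the four treatment options (accept when the score is within the risk appetite, mitigate when a control costs less than the expected loss, transfer when insurance or outsourcing is possible, otherwise avoid), then attaches the owner and timeline that a treatment plan needs. The thresholds, timelines, assets and figures are all constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Hypothetical 1-5 scales and thresholds (assumption, not from the assignment text).
RISK_APPETITE = 6          # scores at or below this are accepted
LEVELS = ((5, "low"), (12, "medium"), (19, "high"), (25, "critical"))
TIMELINES = {"critical": "30 days", "high": "90 days",
             "medium": "180 days", "low": "next annual review"}


@dataclass
class Risk:
    """One row of a risk register: asset, threat, vulnerability and the assessment."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    annual_loss: float         # estimated yearly loss if the threat materialises
    owner: str                 # responsible person or team
    control: Optional[str] = None          # candidate mitigating control, if any
    control_cost: Optional[float] = None   # yearly cost of that control
    transferable: bool = False             # can the risk be insured or outsourced?

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in range(1, 6):
                raise ValueError(f"{name} must be between 1 and 5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return next(label for limit, label in LEVELS if self.score <= limit)


def choose_treatment(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Pick accept / mitigate / transfer / avoid using the rules in the lead-in."""
    if risk.score <= appetite:
        return "accept"
    if (risk.control is not None and risk.control_cost is not None
            and risk.control_cost < risk.annual_loss):
        return "mitigate"
    if risk.transferable:
        return "transfer"
    return "avoid"


def build_treatment_plan(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[dict]:
    """Rank risks (highest score, then highest loss first) and assign treatment,
    measure, owner and timeline: the elements the text lists for a treatment plan."""
    ordered = sorted(risks, key=lambda r: (r.score, r.annual_loss), reverse=True)
    plan = []
    for priority, r in enumerate(ordered, start=1):
        treatment = choose_treatment(r, appetite)
        plan.append({
            "priority": priority, "asset": r.asset, "threat": r.threat,
            "score": r.score, "level": r.level, "treatment": treatment,
            "measure": r.control if treatment == "mitigate" else treatment,
            "owner": r.owner, "timeline": TIMELINES[r.level],
        })
    return plan


# Constructed sample register for a small business (illustrative values only).
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "unpatched server", 4, 5, 80_000.0,
         "IT manager", control="patch management and offline backups", control_cost=12_000.0),
    Risk("web application", "SQL injection", "missing input validation", 3, 4, 40_000.0,
         "development lead", control="web application firewall", control_cost=8_000.0),
    Risk("email", "phishing", "low staff awareness", 5, 3, 20_000.0,
         "HR and IT", control="awareness training plus MFA", control_cost=5_000.0),
    Risk("office laptops", "theft", "unencrypted disks", 2, 4, 15_000.0,
         "IT manager", control="full-disk encryption", control_cost=2_000.0),
    Risk("payment portal", "transaction fraud", "weak payer verification", 3, 5, 60_000.0,
         "finance", transferable=True),
    Risk("legacy FTP server", "remote exploitation", "end-of-life software", 4, 4, 30_000.0,
         "IT manager", control="replace with managed SFTP", control_cost=50_000.0),
    Risk("marketing website", "defacement", "shared hosting", 2, 2, 1_000.0, "marketing"),
]

if __name__ == "__main__":
    for row in build_treatment_plan(SAMPLE_RISKS):
        print(f"{row['priority']}. [{row['level']:8}] {row['asset']:18} "
              f"{row['threat']:20} score={row['score']:2} -> {row['treatment']:8} "
              f"({row['owner']}, {row['timeline']})")
```

Note that the legacy FTP server ends up as "avoid" because replacing it costs more than the expected loss and it cannot be insured, which matches the text's example of dropping an application that can be exploited.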
Security controls: The risk assessment and risk treatment plan should
guide the selection of appropriate security controls for SMEs, including
access controls, network measures, and data encryption.
Security controls protect an organization's information assets and reduce its exposure to cyber threats. They can be technical or non-technical and can be implemented at different levels within an organization. SMEs can implement the following security measures to protect their IT infrastructure:
1. Access Controls: Password policies, multifactor authentication, and
role-based access controls are all examples of access controls that
limit access to systems and data to authorized personnel.
2. Firewall: Network firewalls protect an organization's internal
network from unauthorized access by monitoring and controlling
incoming and outgoing network traffic.
3. Encryption: Encryption protects data at rest, such as when it is kept on a hard drive or in a backup, as well as in transit, such as in an email or a file transfer.
4. Antivirus and Antimalware: Viruses, worms, and Trojan horses can
be detected and removed with antivirus and antimalware software.
In addition, these programs can prevent further infections once
they have been detected and removed.
5. Patch Management: In order to protect against known
vulnerabilities, it is imperative to periodically apply security updates
and patches. This is done through the use of patch management
tools, which monitor for security updates, test them, and deploy
them as soon as possible.
6. Backup and Recovery: Cyber threats, human error, and natural disasters can all result in data loss. Backups and recovery procedures should be in place so that data can be restored in the event of a security breach.
7. Physical Security: Information assets can be secured physically by
locking cabinets and doors, installing security cameras, and limiting
access to certain areas.
8. Training and Awareness: Regular training can help ensure
employees understand their role in maintaining the security of the
organization and how to address cyber threats when they arise.
SMEs can protect their IT infrastructure and information assets against cyber threats by implementing these security controls. Security is, however, a continuous process: to remain protected against evolving threats, SMEs need to review and update their security controls regularly.
Monitoring and review: Regular audits and reviews of the ISMS are
necessary for SMEs to ensure that their security controls are effective and
for identifying any emerging risks or vulnerabilities.
Identifying and responding to security incidents, assessing the effectiveness
of security controls, and continuously improving their security posture are all
parts of an effective IT security program. Monitoring and review are
essential components of security management. Here are a few of the key
elements:
1. Incident Management: In incident management, security incidents are
identified, reported, and responded to. Security incidents should be
reported to appropriate personnel and investigated to determine the
root cause, as well as quickly detected and responded to by
organizations.
2. Vulnerability Management: Vulnerability management involves regular identification and assessment of vulnerabilities in an organization's IT infrastructure. This can include vulnerability scanning, penetration testing, and patch management.
3. Security Metrics: The effectiveness of a security program can be
assessed using security metrics. There are several security metrics,
including how many security incidents occur, how long it takes to
detect and respond to incidents, and how many vulnerabilities have
been identified and mitigated.
4. Risk Assessment and Management: Risks to an organization's IT infrastructure are identified, assessed, and prioritized, and controls are implemented to mitigate them. In order to ensure that their risk assessments remain relevant and up to date, organizations should review and update them regularly.
5. Audit and Compliance: Audit and compliance processes check that an organization's security program complies with relevant laws, regulations, and industry standards. Regular security audits and assessments can be conducted to assess the effectiveness of security controls and to ensure compliance with relevant standards, such as ISO 27001.
6. Continuous Improvement: The main purpose of monitoring and
reviewing is to continuously improve an organization's security
posture. Organizations can identify areas for improvement and
implement appropriate changes by regularly reviewing their security
controls and processes.
In order to protect their IT infrastructure and information assets from cyber threats, organizations need to implement effective monitoring and review processes. These processes should be part of a larger IT security program containing policies, procedures, and training, so that all employees understand their roles and responsibilities in maintaining the organization's security.
The SMEs are able to provide a comprehensive understanding of ISO/IEC
27001 and its application to IT security when preparing the security
awareness booklet and security policy activity. In the booklet, information
can be provided regarding the benefits of adopting this standard, the key
steps involved, and the roles of employees in ensuring effective information
security.
As part of the security policy activity, SMEs may be required to develop a
risk treatment plan for a hypothetical scenario. This can assist them in
prioritizing risks and allocating resources appropriately. Employees can also
benefit from the activity by learning how effective risk management can
enhance their understanding of protecting information assets and the
importance of policies and procedures.
Small and medium-sized businesses can protect their information assets,
ensure the trust of their customers and partners by complying with ISO/IEC
27001 and providing security awareness materials to their employees.
P7
In this section, we will discuss organizational security
and how it is managed.
Creating a security policy requires an understanding of its meaning and
examples to guide you.
In a security policy, a corporation outlines how it intends to safeguard its
physical and IT assets. Throughout the evolution of technology,
vulnerabilities, and security requirements, security policies are continually
updated and modified. – (Lutkevich, 2023)
An organizational security policy covers a variety of sectors, but we'll discuss
a generalized example in this chapter.
Developing a security policy for an online networking event must prioritize
ensuring sensitive data is protected and preventing unauthorized access.
Keeping these policies in mind will help you make the right decisions:
• Use two-factor authentication, encrypt data, and employ secure communication routes as examples of how the event's software and platforms should be secured.
• Employ a registration process to verify the identity of attendees before allowing entry to the event. Only approved individuals should be permitted entry into the event.
• Attendees must use unique login credentials to gain entry into the event. This can include unique login and password information, as well as an emailed one-time access token.
• Make use of monitoring programs to stay updated on attendee activity during the event. Be on the lookout for any unauthorized access or suspicious behavior.
• Ensure that attendees are aware of the expectations and of the actions that will result in their removal from the event by establishing clear guidelines for acceptable behavior.
• Keep sensitive information secure and encrypted throughout the event. Reduce the amount of information that is shared during the event.
• The plan should include processes for reporting security incidents as well as a solution for resolving any issues that result from the event.
You can safeguard sensitive data and ensure the security of your online
networking event by following these instructions.
The disaster recovery plan can be discussed from this point forward.
As a guide for all management and staff during and after a disaster, a
disaster recovery plan outlines how to restart normal business operations,
rebuild or salvage essential data and equipment.
This was evident during the recent COVID-19 pandemic, which forced many organizations and individuals to adapt in order for the world to keep running as normal.
Several steps are involved in preparing a disaster recovery plan.
A business impact analysis (BIA) is the first step: it analyzes essential business processes, their dependencies, and the possible outcomes of disrupting these operations, so that recovery operations can be prioritized and resources can be allocated.
As we move forward, we will examine potential threats and weaknesses that
could disrupt business operations in order to develop strategies aimed at
mitigating or avoiding risks. A disaster recovery strategy can also include
procedures for resuming company operations if the company experiences an
interruption, as well as backup and recovery methods for important data,
applications, and systems.
In order to activate the plan, we must declare a disaster, activate the
disaster recovery plan, and alert the people who need to be alerted to it.
As a next step, a communication plan must be developed to inform
employees, customers, vendors, and other stakeholders of the disaster.
As soon as we've established the disaster recovery plan, we can begin
regularly training employees and testing it to ensure that it remains current
and effective.
Maintenance is vital to making sure the disaster recovery plan remains
effective in the face of changing business requirements and developing
hazards.
M5
Several factors are considered in the above security plan to prevent and
protect sensitive data, as well as prevent unauthorized access. Each element
was chosen for the following reasons:
The software and platforms which will be used for the event must meet the
most recent security protocols in order to avoid unauthorized access and
data breaches. Two-factor authentication and encrypted communications can
add an additional layer of security.
Access must be limited to authorized personnel to minimize the risk of security breaches. Participants should verify their identity before being granted access.
It is recommended to use unique login credentials such as usernames and
passwords or one-time access codes to prevent unauthorized access.
A monitoring tool that alerts you to any unexpected behavior can assist you
in detecting potential security issues and mitigating them. Monitoring event
attendees can help detect unwanted access, hacking, and breaches of data.
Clear guidelines for appropriate behavior during the event can help avert
security incidents by clearly defining what is expected of attendees and the
consequences for not following the guidelines.
By limiting the amount of sensitive information exchanged during the event,
the risks of data breaches can be reduced. Encryption and secure storage of
any collected data can add an extra layer of security.
Incorporating a response plan into your organization's security strategy can
help mitigate the impact of a security incident. Your response plan should
include procedures for reporting incidents and resolving any issues that may
arise.
Ultimately, the security plan outlined above was carefully crafted to protect
sensitive data and prevent unwanted access. The elements selected for the
event were chosen based on their ability to prevent security breaches and
provide a secure environment.
Justifying the disaster recovery plans developed
In order to respond effectively to and recover from disasters, the previously
prepared disaster recovery plan includes several critical components.
A Business Impact Analysis (BIA) is a first step in developing a disaster
recovery strategy that identifies vital business processes and their
dependencies. To ensure a timely and successful response, organizations
need to understand these interconnected activities and distribute resources
appropriately.
As part of the corporate strategy, the Risk Assessment component plays a
crucial role in helping identify potential threats and vulnerabilities that might
disrupt operations. An organization can prevent or mitigate disasters by
understanding these risks, which can help them design strategies for
minimizing or avoiding them.
In the Disaster Recovery Strategies section of the plan, backups and
recoveries for critical data, applications, and systems, along with procedures
for resuming business activities, are included. It is imperative that this
component be in place in order for a company to recover from a crisis and
restart business operations promptly and effectively.
Declaring a disaster, activating the disaster recovery plan, and notifying critical employees are all described in the Plan Activation Procedures section. Without this component, the disaster recovery plan cannot be implemented swiftly and effectively when a crisis occurs.
A disaster recovery plan also includes a Communication Plan, which details
methods for addressing the crisis and its impact to employees, customers,
vendors, and other stakeholders. By actively communicating with
stakeholders, an organization can reduce the effects of a disaster and ensure
a quicker, more effective recovery.
Keeping the plan up to date and effective depends on the Training and
Testing component of the plan. In a rapidly changing business environment
and growing dangers, regular training and testing can help identify areas for
improvement and ensure that the disaster recovery plan remains successful.
Keeping the plan current and effective in the face of changing risks and
business requirements requires the maintenance and review component. A
disaster recovery plan's effectiveness over time can be boosted by regular
maintenance and evaluation, identifying areas for improvement.
An organization's ability to respond to and recover from a disaster depends
upon the components of its disaster recovery plan. Organizations can reduce
the impact of crises and ensure that a timely and effective recovery can be
achieved by incorporating these elements.
Bibliography
Imperva. (2023, April 18). Retrieved from Imperva: https://www.imperva.com/learn/data-security/data-protection/
Erwin, L. (2023, April 13). Retrieved from Vigilant: https://www.vigilantsoftware.co.uk/blog/risk-terminology-understanding-assets-threats-and-vulnerabilities
hlbhamt. (2023, April 29). IT Audit Assessment Services in UAE. Retrieved from hlbhamt: https://hlbhamt.com/services/it-audit-assessment-services-dubai-uae/
Leonard, K. (2023, April 16). What Are the Stakeholders' Roles in a Company? Retrieved from Chron: https://smallbusiness.chron.com/stakeholders-roles-company-25029.html
Lutkevich, B. (2023, April 28). Retrieved from TechTarget: https://www.techtarget.com/searchsecurity/definition/security-policy
Management Study Guide. (2023, April 15). Approaches to Risk Management. Retrieved from Management Study Guide: https://www.managementstudyguide.com/risk-management-approaches.htm
National Center for Education Statistics. (2023, April 30). Security Policy: Development and Implementation. Retrieved from National Center for Education Statistics: https://nces.ed.gov/pubs98/safetech/chapter3.asp
Rapid7. (2023, March 20). Information Security Risk Management. Retrieved from Rapid7: https://www.rapid7.com/fundamentals/information-security-risk-management/
Standard Fusion. (2023, April 30). What is an IT Security Audit? Retrieved from Standard Fusion: https://www.standardfusion.com/blog/what-is-an-it-security-audit/
True Tamplin, B. C. (2023, April 20). What Is a Stakeholder? Retrieved from Finance Strategists: https://www.financestrategists.com/wealth-management/stakeholder/
Tucci, L. (2023, April 21). What is risk management and why is it important? Retrieved from TechTarget: https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important
umsystem. (2023, April 29). Retrieved from https://www.umsystem.edu/ums/fa/management/records/disaster-prepare