Information Security Policy presentation
Risk Assessment Presentation
Nathan Bailey
CMGT/245
Prof. Michael Geoffreda
November 5, 2018
The main uses for an IT system
Communication purposes: collecting and distributing information; the IT system can make this process more efficient
Operations Management: the IT system offers more complete and more recent information.
Communication purposes
Part of management is gathering and distributing information, and the IT system can make this process more efficient by allowing Ben to communicate more efficiently.
Operations Management
The IT system offers more complete and more recent information, allowing Ben to operate the company more efficiently. Ben can use information systems to gain a cost advantage over competitors or to differentiate himself by offering better customer service. Sales data give Ben insights about what customers are buying and let him focus on the services that are selling well. With guidance from the information system, Ben can streamline his operations.
*
The main uses for an IT system
Decision-Making: the IT system can help Ben make better decisions by providing all the needed information
Record-Keeping: the shop requires records of its operations for financial and regulatory functions
Decision-Making
The company information system can help Ben make better decisions by delivering all the information he needs and by modeling the results of his decisions. When Ben has accurate, up-to-date information, he can make choices with confidence.
Record-Keeping
The shop needs records of its activities for financial and regulatory purposes, as well as for finding the causes of problems and taking corrective action. The information system stores documents and revision histories, communication records and operational data.
*
Data Types and Risks
All data should be classified into one of the following:
Restricted Data: data whose unauthorized disclosure, modification or destruction could lead to a high level of risk to the business, e.g. data protected by state or federal privacy regulations
Data is classified based on its level of sensitivity and the impact to the business should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All data should be classified into one of three classifications:
Restricted Data
Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the business or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements.
*
Data Types and Risks
Private Data: data whose unauthorized disclosure, modification or destruction could lead to a moderate level of risk to the business.
Public Data: data whose unauthorized disclosure, modification or destruction could lead to little or no risk to the business.
Private Data
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the business or its affiliates.
Public Data
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the business and its affiliates. While little or no control is required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
*
Examples of data risks associated with the system
Low Risk: information available on the business website, and business contact information not designated as "private"
Moderate Risk: customer records and purchase orders, personnel files and personal contact information
High Risk: Social Security Numbers and credit card numbers
Low Risk
• Research data
• Information available on the business website
• Policy and procedure manuals
• Job postings
• Business contact information not designated as "private"
• Information in the public domain
Moderate Risk
• Customer records and purchase orders
• Staff personnel files, benefits, salary, birth date, personal contact information
• Non-public business policies and policy manuals
• Non-public contracts
• Business internal memos and email, non-public reports, budgets, plans, financial info
• Business employee ID numbers
High Risk
• Social Security Numbers
• Credit card numbers
• Financial account numbers
• Driver's license numbers
• Passport and visa numbers
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud, misuse of data or theft due to unclear or improper access to customer and supplier resources
Social engineering attacks and phishing
Loss of reputation or legal implications due to inappropriate e-mail handling and inappropriate use of utilities such as messengers or Skype
*
Common risks associated with the system
Inappropriate data access, virus infection, fraud and misuse of the system
Data theft from unrestricted access to BYOD devices by employees
Data leakage or unintentional sharing of private data
Social engineering attacks and phishing
Loss of reputation or legal implications
Inappropriate data access due to improperly defined or applied authentication and authorization causing
Virus infection and misuse of the system as a result of unrestricted administrative access to physical infrastructure
Data theft from unrestricted access to BYOD devices by employees
Unapproved access and data misuse due to weak user passwords in systems and applications
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud, misuse of data or theft due to unclear or improper access to customer and supplier resources
Social engineering attacks and phishing
Loss of reputation or legal implications due to inappropriate e-mail handling and inappropriate use of utilities such as messengers or Skype
*
Prioritized list of the risks identified
| Risk | Likelihood | Low Risk | Moderate Risk | High Risk | Very High Risk |
|---|---|---|---|---|---|
| Inappropriate data access in secure file storage | Moderate | ✔ | ✔ | ✔ | |
| Virus infection of business network infrastructure | High | ✔ | ✔ | | |
| Fraud | High | ✔ | ✔ | ✔ | |
| Misuse of the system | Moderate | ✔ | ✔ | | |
| Data theft | | ✔ | ✔ | | |
| Data leakage or unintentional sharing | High | ✔ | ✔ | ✔ | |
| Loss of reputation or legal implications | Low | ✔ | | | |
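One way to turn the table above into a ranked list is to score each row as likelihood multiplied by the worst impact ticked. This is an added example and not part of the original presentation; the likelihood and impact ratings are transcribed from the slide's table, while the ordinal scale (Low=1, Moderate=2, High=3, Very High=4) and the "score the worst impact ticked" rule are assumptions of this example, one common qualitative risk matrix. The row whose likelihood was left blank on the slide (Data theft) is deliberately set aside rather than silently scored.

```python
"""Prioritize assessed risks by likelihood x worst impact (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Ordinal scale: an assumption of this example, not defined on the slide
LEVELS = {"Low": 1, "Moderate": 2, "High": 3, "Very High": 4}


@dataclass
class Risk:
    name: str
    likelihood: Optional[str]            # None = rating missing from the assessment
    impacts: List[str] = field(default_factory=list)   # every impact column ticked

    def worst_impact(self) -> Optional[str]:
        """Highest impact level ticked for this row, or None if none ticked."""
        if not self.impacts:
            return None
        return max(self.impacts, key=LEVELS.__getitem__)

    def score(self) -> Optional[int]:
        """Likelihood x worst impact; None when either rating is missing."""
        impact = self.worst_impact()
        if self.likelihood is None or impact is None:
            return None
        return LEVELS[self.likelihood] * LEVELS[impact]


def prioritize(risks: List[Risk]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return (ranked, needs_review).

    ranked: [(name, score)] highest score first, ties broken by name so the
            output is deterministic.
    needs_review: risks whose rating is incomplete and therefore cannot be
            ranked until the assessor fills in the missing value.
    """
    ranked, needs_review = [], []
    for r in risks:
        s = r.score()
        if s is None:
            needs_review.append(r.name)
        else:
            ranked.append((r.name, s))
    ranked.sort(key=lambda pair: (-pair[1], pair[0]))
    return ranked, needs_review


# Rows transcribed from the slide's table (constructed input for the example)
ASSESSED_RISKS = [
    Risk("Inappropriate data access in secure file storage", "Moderate", ["Low", "Moderate", "High"]),
    Risk("Virus infection of business network infrastructure", "High", ["Low", "Moderate"]),
    Risk("Fraud", "High", ["Low", "Moderate", "High"]),
    Risk("Misuse of the system", "Moderate", ["Low", "Moderate"]),
    Risk("Data theft", None, ["Low", "Moderate"]),   # likelihood left blank on the slide
    Risk("Data leakage or unintentional sharing", "High", ["Low", "Moderate", "High"]),
    Risk("Loss of reputation or legal implications", "Low", ["Low"]),
]

if __name__ == "__main__":
    ranked, review = prioritize(ASSESSED_RISKS)
    for name, score in ranked:
        print(f"{score:2d}  {name}")
    for name in review:
        print(f" ?  {name} (likelihood not rated; rate it before ranking)")
```

Running it ranks data leakage and fraud at the top (score 9), with the two rows that share a score ordered by name; the unrated "Data theft" row is reported separately so an incomplete assessment is visible instead of being buried at the bottom of the list.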
*
Risk Mitigation
The installation of reliable antivirus software
Utilization of complex passwords in each of the computers and Web-based applications
Provision of guidelines through employee training on dos and don’ts of utilizing systems and Internet.
Creation of a security policy that addresses the responsibilities, rights and duties of employees
Risk Mitigation
The installation of reliable antivirus software, which acts as the final line of defense against unwanted attacks. The antivirus program detects and removes viruses and malware, and filters possibly malicious downloads or emails.
All employees must use complex passwords on each of the computers and Web-based applications that require a key for access. Complex passwords make it hard for hackers to crack them.
Installation of encryption software that protects data related to credit cards and bank accounts. Strong encryption algorithms transform readable data into unreadable codes that make altering the information difficult to accomplish. Even if the data is lost, it is useless without the keys used to encrypt it.
Provision of guidelines through employee training on the dos and don'ts of using systems and the Internet, for example on how to handle suspicious emails. A security policy provides guidelines on limiting access to critical data, taking regular backups and securing Wi-Fi networks, which are highly vulnerable to attacks.
The security policy should address the responsibilities, rights and duties of employees.
*
Security Risk Review/Contingency Plan
Ben's Business is located in an area that is prone to flooding
Floods are associated with the risk of property damage leading to losses
Ben has resolved to create a Flood Contingency Plan to prevent losses in the event of floods
In short, Ben's business is located in an area that is prone to flooding. Since floods carry the risk of property damage leading to losses, Ben has resolved to create a Flood Contingency Plan to prevent losses in the event of a flood. He hopes that this will prevent negative impacts.
*
Important elements that Ben should include in the Flood Contingency Plan
1. Response Strategy
Ben should include response steps
Response steps should be easy to execute
A good response strategy should be timely
Timely response will reduce possible impacts
The first important element that Ben should include in the flood contingency plan is Response Strategy. Under this particular element, Ben should include response steps. Response steps should be easy to execute. A good response strategy should be timely. Timely response will reduce possible impacts
*
2. Operation Support Plan
Ben should include a source of additional workforce
Additional workforce will replace employees that will be involved in response
Supplementary workforce will keep the business running
Extra workforce should be on a temporary basis
The second important element that Ben should include in the flood contingency plan is an Operation Support Plan. In this element, Ben should include a source of additional workforce. The additional workforce will replace employees who are involved in the response, and the supplementary workforce will keep the business running. The extra workforce should be on a temporary basis.
*
3. Implementation plan
Ben should state when the strategy will be executed
Ben should define how the plan will be monitored
The strategy should include a specific time when the plan will be tested
Testing the plan will help Ben identify mistakes
The third important element that Ben should include in the flood contingency plan is an Implementation Plan. Under this element, Ben should state when the strategy will be executed and define how the plan will be monitored. The strategy should include a specific time when the plan will be tested; testing the plan will help Ben identify mistakes.
*
4. Preparedness Plan
Ben should state whether employees are being trained on what to do during a flood tragedy
Ben should state the frequency of training
A long interval between training sessions will lead to poor preparation
Short intervals between training sessions will lead to good preparedness
The fourth important element that Ben should include in the flood contingency plan is a Preparedness Plan. In this element, Ben should state whether employees are being trained on what to do during a flood and how often the training takes place. A long interval between training sessions will lead to poor preparation, while short intervals will lead to good preparedness.
*
5. Budget
Ben should include the money that the business has set aside for the flood tragedy
The allocated budget should be affordable
Budget will prevent wastage of funds
Budget money should be ready
The fifth important element that Ben should include in the flood contingency plan is the Budget. Under this element, Ben should include the money that the business has set aside for a flood. The allocated budget should be affordable, and budgeting will prevent wastage of funds. Finally, the budgeted money should be ready.
*
Key items that Ben should consider when creating a Flood Contingency Plan
1. Potential Emergencies
Loss of lives
Damage of property
Contamination of food products
2. Likely Impact
Losses
Business Shutdown
Loss of loyal customers
Loss of experienced employees
Some of the key items that Ben should consider when creating a flood contingency plan include Potential Emergencies and Likely Impact. Potential emergencies include loss of lives, damage to property and contamination of food products. Likely impacts include losses, business shutdown, and loss of loyal customers and experienced employees.
*
Cont’d
3. Goals and Objectives
To prevent property damage
To reduce impact of flooding
To prevent possible interruption of business
To prevent the possibility of business shutdown
4. Essential Preparedness Actions
Constructing trenches
Installation of flood proof doors and windows
Constructing strong premise walls to prevent impact of pressure from water
Other key items that Ben should consider when creating a flood contingency plan include Goals and Objectives and Essential Preparedness Actions. Goals and objectives include preventing property damage, reducing the impact of flooding, preventing possible interruption of business and preventing the possibility of business shutdown. Essential preparedness actions include constructing trenches, installing flood-proof doors and windows, and constructing strong premise walls to withstand the pressure of water.
*
Significant aspects of implementing the Flood Contingency Plan
1. Budget
Ben should state required amount of funds
Ben should state the sources of funding
Ben should determine the financial requirement for each activity
2. Time that each action needs
Ben should state the time frame for each business activity
A time schedule will prevent wastage of time
Good time management will lead to effective management of funds
A few of the significant aspects of implementing the flood contingency plan include the Budget and the Time that each action needs. For the budget, Ben should state the required amount of funds, state the sources of funding and determine the financial requirement for each activity. For time, Ben should state the time frame for each business activity; a time schedule will prevent wastage of time, and good time management will lead to effective management of funds.
*
Cont’d
3. Monitoring Exercise
Ben should state the interval of conducting monitoring
Ben should state the purpose of monitoring the plan
Ben should state the employees that will be involved in monitoring exercise
4. Goals and Objectives
Goals and objectives will provide direction
Goals and objectives will prevent time wastage
Goals and objectives will provide basis for decision making
Other significant aspects of implementing the flood contingency plan include the Monitoring Exercise and Goals and Objectives. For monitoring, Ben should state the interval at which monitoring is conducted, the purpose of monitoring the plan and the employees who will be involved in the monitoring exercise. Goals and objectives will provide direction, prevent time wastage and provide a basis for decision making.
*
Information Security Policy
Benefits of Implementing Access control
- It increases safety
- Increases security of sensitive data
- Helps to reduce theft and accidents
- Account for incoming and outgoing individuals
- Curtails unwanted strangers
(Rittinghouse & Ransome, 2016)
Increases safety
It increases the safety of employees entering the business. Swiping an access card is faster, and a card is not easily duplicated by malicious persons.
Increases security of sensitive data
Only employees with the required clearance are given access to the company's sensitive data. Through this, the company is able to regulate the number of people who have access to data that is too sensitive to be disclosed to competitors or the general public.
Reduce theft and accidents
The business will be able to give only approved employees access to designated areas. This makes sure that theft and accidents are greatly reduced.
Account for incoming and outgoing individuals
Each individual accessing the system should be accounted for, as this ensures that their actions are always accounted for. Some of them might access the systems with malicious intent, which needs to be identified fast for the good of the company.
Curtail unwanted strangers
Access control denies unwanted strangers the ability to log into the company’s systems to cause havoc in them or steal confidential data.
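The following added example (not code from the presentation) shows how the data classifications from the earlier slides and the access-control benefits listed here fit together in practice: each record carries its classification, each role carries a clearance, a read is allowed only when the clearance dominates the classification, unknown roles and records are denied by default, and every decision is written to an audit trail so that each individual's actions are accounted for. The clearance ordering, the role table, the sample records and the names `AccessControl`, `read` and `denied_attempts` are all assumptions constructed for this example.

```python
"""Clearance-based access control with an audit trail (added example)."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Classification levels from the slides, ordered least to most sensitive.
# The numeric ordering is an assumption of this example.
LEVELS = {"Public": 0, "Private": 1, "Restricted": 2}

# Constructed role table: the highest classification each role may read
ROLE_CLEARANCE = {
    "owner": "Restricted",
    "accountant": "Private",
    "temp": "Public",
}

# Constructed sample records, each tagged with its classification
RECORDS: Dict[str, tuple] = {
    "job-posting-12": ("Public", {"title": "Cashier"}),
    "customer-401": ("Private", {"name": "A. Customer", "order": "PO-77"}),
    "payroll-ssn-9": ("Restricted", {"ssn": "<not a real value>"}),
}


class AccessControl:
    def __init__(self) -> None:
        self.audit_log: List[dict] = []

    def _clearance_level(self, role: str) -> int:
        # Roles missing from the table get no clearance at all: deny by default
        return LEVELS.get(ROLE_CLEARANCE.get(role, ""), -1)

    def read(self, user: str, role: str, record_id: str) -> Optional[dict]:
        """Return the record if the role's clearance dominates its classification.

        Every decision, allowed or denied, is appended to the audit log so that
        each individual's access is accounted for, including unknown records.
        """
        classification, data = RECORDS.get(record_id, (None, None))
        allowed = (
            classification is not None
            and self._clearance_level(role) >= LEVELS[classification]
        )
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "record": record_id,
            "classification": classification,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return data if allowed else None

    def denied_attempts(self, user: str) -> int:
        """Number of denied reads by one user; repeated denials are worth reviewing."""
        return sum(1 for e in self.audit_log
                   if e["user"] == user and e["decision"] == "DENY")


if __name__ == "__main__":
    ac = AccessControl()
    ac.read("ben", "owner", "payroll-ssn-9")     # allowed
    ac.read("tina", "temp", "payroll-ssn-9")     # denied: temp cleared for Public only
    ac.read("tina", "temp", "job-posting-12")    # allowed
    for entry in ac.audit_log:
        print(entry["decision"], entry["user"], entry["record"], entry["classification"])
```

The audit log is what makes the "account for incoming and outgoing individuals" benefit real: a denial is recorded just like an allowed read, so a temporary employee repeatedly probing Restricted records shows up in `denied_attempts` rather than disappearing silently.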
*
Ways to use Authentication and Authorization to protect Company Data
- Single-factor and Multi-factor authentication
- Biometrics
- Federations
(Ting et al., 2015).
Single and multi-factor authentication
Single-factor and multi-factor authentication require any employee to produce credentials, e.g. passwords or PINs together with usernames, before they can be granted access to the company's data or information.
Biometrics
Biometrics are one of the more secure ways to implement access control. They include fingerprint scanners, full-hand scanners, eye scanners, facial recognition and voice recognition. This will help protect company data and sensitive information from malicious persons.
Federations
Federations are set up by means of federated identity, which links a system user's identity with their privileges and hence restricts them from accessing data and information beyond their clearance.
*
How Temporary Employees Make Data Vulnerable To Social Engineering Attacks
Temporary employees make data vulnerable for various reasons:
- Lack of adequate knowledge about the workings of the organization. Such employees make the data vulnerable because they do not understand the threats facing the system (Berson, 2011).
- Some have malicious intentions and therefore expose data to social engineering attacks.
Vulnerabilities to Social Engineering Attacks
Some employees have ill intentions and therefore expose data to vulnerabilities. Such employees can distribute confidential information over the Internet.
Ignorance among some employees may be harmful to an organization. Such employees may fail to follow important data security protocols, which in turn exposes data to vulnerabilities.
*
Methods To Mitigate Social Engineering Threats
Ways of mitigating social engineering threats include:
Educating employees about securing their personal information that can be used for social engineering attacks.
Ensuring that the software in use is up to date.
Establishing policies that protect confidential information from exposure (DeLuccia, 2008).
Mitigating Social Engineering Threats
Most social engineering criminals tend to succeed due to ignorance among people. It is the responsibility of the organization to teach its employees about these attacks in order to prevent future attacks.
Criminals tend to exploit outdated software when executing their attacks. It is therefore important for organizations to ensure that their software is always up to date.
Having a security policy is a step towards mitigating social engineering threats.
*
[Image: depicts how social engineering attacks are planned and executed]
References
Berson, A., & Dubov, L. (2011). Master data management and data governance. New York: McGraw-Hill.
DeLuccia, J. J. (2008). IT compliance and controls: Best practices for implementation. Hoboken, N.J: John Wiley & Sons.
Dufey, G., Frenkel, M., Hommel, U., & Rudolf, M. (2005). Risk management: Challenge and opportunity. Berlin: Springer.
Philip, T. R. (2016). Information security risk analysis. Auerbach Publications.
Reagan, D. J., & Landoll, D. (2015). The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press.
Rittinghouse, J. W., & Ransome, J. F. (2016). Access control: Implementation, management and security. CRC Press.
Stephen, J. (2014). Security prices, risk, and maximal gains from diversification. The Journal of Finance, 20(4), 587-615.
Ting, D. M., Hussain, O., & LaRoche, G. (2015). Systems and methods for multi-factor authentication.