Tag Archives: Theories of Security Management

Applying Concepts-Theories of Security Management


This class teaches learners about dealing with security threats, vulnerabilities, and potential losses facing an organization’s IS/IT systems.

Applying the Learning Outcomes to my Professional and Personal Life

The learning outcomes of this course apply to both professional and personal life. With regard to professional life, the learning outcomes enable a learner to gain a better understanding of information security management in organizations. They enable the learner to learn about various ways of securing business information as well as how to handle the information environment. By studying the course, the learner is able to improve his or her skills in ensuring the integrity, confidentiality, and security of the IS/IT system. Another way to apply the learning outcomes of the course to my professional life is in conducting research, which can enable the learner to come up with new ideas or innovations. Studying the course enables the learner to acquire skills and new knowledge that he or she can apply in developing new solutions to problems. This can foster innovation in the workplace.

The learning outcomes of the course will also apply in my personal life. They will enable me to identify potential security threats that might affect me at the personal level. In the recent period, security threats have increased due to the wider adoption of technology and technological devices. For instance, financial services are increasingly accessible via the mobile phone. Improvements in technology also present new opportunities for hackers to gain access to critical data through these new technological outlets. Consumers must be aware of the various methods used by hackers to steal critical information.


The CISSP Certification Exam

Question

“The CISSP Certification Exam” Please respond to the following:

  • Last week, you were asked to consider the CISSP certification exam. Describe the efforts you’ve made to secure a time, date, and location for the exam. Do you feel ready? Why or why not? Even if you don’t take the exam, you’ve learned so much valuable information. Talk about a few of the items you’ve learned and how having this knowledge will help you in your management position in IT once you get your master’s degree and get on the job. Why is it important to know about security if you’re going to manage program developers for example?

Sample paper

CISSP Certification

I have made various efforts to secure a time, date, and location for the exam. With regard to time and date, I have scheduled my exam through the Pearson VUE website. I have scheduled the exam at a time when I will have completed my studies and done as many practice exercises as possible. This will help me pass my exam. The Pearson VUE website provides a list of available exam centers countrywide. The website also offers the learner the opportunity to choose a specific date for taking the exam. The website provides learners with an average of 8 different days in each month that one can set as the exam date. I have chosen Pearson Professional Centers in Seattle as my exam venue. This is because I will be in Washington on the weekend leading up to the exam date, which will be December 18th, 2017.

I feel ready to take my CISSP exam. I feel ready because in the last few months I have dedicated a lot of my time to studying information systems security. I have spent considerable time examining information relating to the CISSP exam domains. I have successfully completed all the required training. In addition to completing the required training, I have dedicated my time to completing many practice questions. I have been able to answer the practice questions with ease and confidence. Given this, I feel confident about sitting for my CISSP exam. I have no doubt in my mind that I will pass the CISSP exam.

I have learned so much valuable information in this course. The course provides learners with knowledge on how to deal with various security risks that may affect an organization. One of the areas in which I have gained immense knowledge is designing and protecting network security. This is the fourth domain of the course, communications and network security. The course provides an understanding of how an IT professional can secure a network. It also elaborates on the key components of a network that enable it to function. This knowledge will be very useful in the real world, where as an IT professional I will be required to ensure the integrity of the network security. One of the key roles of an IT professional is to ensure the information systems are resilient against any form of attack.

I have also gained a lot regarding security and risk management. This area deals with the identification, assessment, and prioritization of various risks facing an organization's network systems. The course has provided me with knowledge on how to handle security threats once they occur in the organization. It enables an IT professional to learn how to handle real threats within the organization and provides in-depth details on how to monitor and lessen the impact of various unforeseen events. For instance, an IT professional with knowledge of security risk management can prioritize activities based on the probability and possible consequence of each risk, and can then focus more on the riskiest and highest-value activities within the organization.

Another important item the course covers is security operations. In this era of rising cybercrime, it is important that an IT professional develop deep knowledge of how to secure information systems against attacks. The course provides knowledge on how an IT professional can enhance the integrity of the information system and ensure that day-to-day access does not increase the vulnerability of stored data. From the course's coverage of security operations, I have gained immense knowledge on how to reduce downtime, whether it results from malicious attacks or from other causes such as power failure.

It is important to know about security even if my role involves managing program developers. By knowing about security, it is possible to identify or pinpoint security weaknesses in various programs. As such, I may be able to highlight areas for improvement to the program developers. There is a possibility that program developers may overlook certain key areas with regard to ensuring the security of the programs. Knowing about security can also enable an IT professional in charge of program developers to ensure there are no malicious efforts by developers to create weaknesses in the programs. Some malicious developers can create weaknesses that they may later use to their advantage to cause damage to the organization, for instance by stealing customer data. Knowing about security can enable an IT professional to contribute towards fostering security innovations. The IT professional can engage with the program developers and suggest possible improvements that may enhance the security of the programs.


Disaster Recovery

Question

“Disaster Recovery” Please respond to the following:

  • Disaster recovery has been the topic of study this week. What do you think is the most difficult and expensive disaster to plan for? Do you think companies plan adequately? In your experience (or research if you have no experience) what aspect is most lacking in corporate planning? Why do you think this is?

Sample paper

Disaster Recovery

The most difficult and expensive disasters to plan for are natural disasters, specifically storms. Natural disasters arise from environmental causes and are beyond human control. The cost of damage from natural hazards is very high not only for organizations but also for the government. Natural hazards such as storms may cause great damage to buildings and infrastructure. The damage may extend over a wide geographical region, hence affecting the entire economy. When natural hazards such as storms occur, businesses suffer direct and indirect losses. The direct losses result from the destruction of buildings and the need to close the business for some period. The indirect losses, on the other hand, relate to the disruption of economic activities throughout the entire economy. In the recent period, the risk of natural disasters, especially storms and floods, has significantly increased due to the effects of climate change, and the possibility of such catastrophic natural events continues to rise.

Although an organization may take several measures to minimize its vulnerability to natural disasters, it is not possible to fully mitigate the risks emanating from natural disasters such as storms and earthquakes. As natural hazards increase in intensity and severity, the ability of the organization to mitigate the risks weakens. In 2014, the United States experienced severe storms leading to the closure of businesses. The majority of small businesses affected by these storms were unable to resume operations due to the severe damage experienced. A report by the American Red Cross (n.d.) indicates that about 40 percent of small businesses never reopen following a major disruption caused by erratic weather such as flooding.

Companies often lack adequate disaster management plans and instead react to events as they occur. A recent survey indicated that 43 percent of real estate investors did not consider disaster planning and recovery an important business issue ("Real Estate Weekly News," 2013). This survey was an analysis of 200 real estate professionals. Its findings support those of another study by Drew (2012), which involved various business professionals in the small-scale sector. The findings indicated that over 60 percent of small businesses in the U.S. lack emergency response plans, which means that such businesses are vulnerable to natural catastrophes. A recent study by Zetta (2016) reveals that even among the organizations that develop disaster recovery plans, the majority fail to test their strategy. This leaves them vulnerable to applying inefficient and ineffective strategies.

The majority of companies that lack disaster management plans attribute this to high costs and difficulty in implementing the plans. It is worth noting that disaster recovery plans are difficult to develop and maintain. They often take time to develop and may be too costly, especially for small businesses. They may also require the organization to tie up a significant amount of resources in the plans, which may significantly increase operational costs. Nonetheless, organizational leaders should be aware that disaster recovery plans are critical for the survival of the organization when disasters occur. The plans provide the organization with direction during difficult moments.

The aspect that is most lacking in corporate planning is the failure to test and implement the plans. While a significant number of organizations develop disaster recovery plans, few commit to ensuring that the plans are effective or practical. Most organizational leaders write plans but then fail to follow up on them to ensure they will be of use in times of disaster. Organizational leaders should continually review disaster recovery plans in order to ensure those plans are realistic. Continuous monitoring of the plans enables organizational leaders to identify weaknesses in those plans and take the necessary action to eliminate them. Testing of the plans is a critical part of the disaster recovery process.

Failure to test the plans is the aspect most lacking because about 60 percent of firms have established some form of disaster recovery plan, yet when disasters strike a significantly higher number of firms see their operations affected. This is because in such firms, organizational leaders do not take adequate time to test the plans and see whether they would be of use when a real disaster occurs. Managers may assume that once drawn up, the plans are fit to ensure the organization continues operating in the face of disasters. The failure to test disaster recovery plans is one of the major reasons why the plans fail. As such, organizational managers must ensure that the plans are relevant and can actually support the organization even when the worst disaster strikes.

References

American Red Cross. (n.d.). Preparing your business for the unthinkable. Retrieved from http://www.redcross.org/images/MEDIA_CustomProductCatalog/m4240206_PrepYourBusfortheUnthinkable.pdf

Drew, J. (2012). Most U.S. small businesses lack disaster-recovery plans. Journal of Accountancy. Retrieved from https://www.journalofaccountancy.com/news/2012/aug/20126135.html

Survey reveals more than half of real estate companies lack business continuity and disaster recovery plans. (2013). Real Estate Weekly News, 371.

Zetta. (2016). State of disaster recovery 2016. Retrieved from https://www.zetta.net/resource/state-disaster-recovery-2016


Mitigating Attacks

Question

“Mitigating Attacks” Please respond to the following:

  • We’ve been talking about the various forms of attacks that malicious hackers can use to compromise security this week. Do a search on the Internet for an article about a recent (within the past 4-6 months) attack. What method did the hackers use? Was it a sophisticated attack, or more amateur in nature? Now that you’re learning about attacks and how to mitigate them, what recommendations would you have to your leadership at your company if this attack had happened on your watch? What steps would you take to protect your data personally?

Sample paper

Mitigating Attacks

Malicious hackers can use various forms of attack to compromise the security of computer networks, information systems, personal computers, and infrastructure. In the recent period, cyberattacks have significantly increased. These attacks target individuals, corporations, government agencies, and even critical infrastructure. Some forms of attack are less intrusive, often meant only to collect information from the target. Other forms of attack may cause massive disruption to the normal operations of a company. For instance, some cyberattacks are designed to steal confidential customer information, such as passwords, from financial institutions. This short paper is an evaluation of a recent case of cyberattack in the country.

The article by Thompson and Mullen (2017) provides details of a recent ransomware attack that led to the loss of millions of dollars by private and public businesses around the world. As stated, the attackers used ransomware to conduct attacks in different parts of the world. Ransomware falls under the category of malware, which refers to malicious software designed to cause damage to a computer. Ransomware encrypts data or files stored on computers and may prevent the user from accessing all or part of the data stored on the computer. It also displays messages demanding money to restore or decrypt the data, or making other demands. Once the user makes the payment, the data or files are restored on the computer.

The ransomware attack seems to be amateur in nature for several reasons. First, the ransomware, known as WannaCry, had an easy-to-find kill switch (Kaste, 2017). This means it was easy to contain the spread of the ransomware. The kill switch was a URL address embedded in the code. The kill switch in sophisticated ransomware could be difficult to find. Secondly, the ransomware had a manual way of accepting payments from users. Sophisticated ransomware often utilizes an automated form of payment whereby users who pay the ransom get their computers unlocked instantly. In the case of WannaCry, the hackers would send each user a code. The hackers probably had not anticipated that it would spread so quickly. Thirdly, the hackers were collecting bitcoins using just three addresses. Sophisticated hackers would create an address for each transaction, resulting in millions of addresses and making the payments difficult to track.

The WannaCry ransomware infected computers running an earlier version of Windows that had a particular security vulnerability (Thompson & Mullen, 2017). Microsoft had already developed a security patch for the said vulnerability in Windows. However, most organizations had not updated their operating systems and were still running the earlier versions. In light of this, my recommendation to management is to ensure that software, antivirus programs, and operating systems are updated frequently. Frequent updating of software and antivirus programs increases the organization's ability to eliminate security threats. This could be achieved by setting the computers to update software and operating systems automatically. The use of legacy systems significantly increases security threats to the company's information systems, so the organization should avoid legacy systems. It is also important to ensure constant data backup, so that in the event of an incident, minimal damage or loss of data would occur.

In summary, companies are more likely to experience cyber-security threats today than in any other period in history. As such, there is a need to ensure they adopt various mitigation strategies to avoid cyberattacks. In the case of the WannaCry ransomware, companies and individuals would have been able to avoid attacks by frequently updating their computers' operating systems.

References

Kaste, M. (2017, May 16). From kill switch to bitcoin, ‘WannaCry’ showing signs of amateur flaws. NPR. Retrieved from http://www.npr.org/sections/alltechconsidered/2017/05/16/528570788/from-kill-switch-to-bitcoin-wannacry-showing-signs-of-amateur-flaws

Thompson, M., & Mullen, J. (2017, May 14). World’s biggest cyberattack sends countries into ‘disaster recovery mode’. CNN. Retrieved from http://money.cnn.com/2017/05/14/technology/ransomware-attack-threat-escalating/index.html?iid=EL


Communication Plan-National Infrastructure Protection Plan Paper

Question

Phase 2: Communication plan –

In this phase, you need to communicate with your troops about the National Infrastructure Protection Plan, through your information in the memo. The communication plan should involve a diagram showing the flow of information, the timing of the communication as well as the media of the communication. You also need to submit drafts of any communication pieces of your communication plan.

Sample paper

Communication Plan

A communication plan refers to a policy-driven approach to keeping stakeholders informed about the current project. The communication plan provides clarity about who holds the authority to give information to the relevant stakeholders, the appropriate timing for delivery of the information, and the most appropriate channels for delivering it. It is important to designate a specific individual to communicate information to the various stakeholders. The plan should include all information relevant to the stakeholders. There are many channels of communication available for passing the information, including presentations, email, printed reports, websites, and public announcements, among others. The choice of a suitable channel depends on various factors such as context, the personality of the audience, the complexity of the message, and the ability to obtain feedback, among others. This paper is a presentation of the communication plan to the troops about the National Infrastructure Protection Plan.

Objectives of the Communication Plan

The first and major goal of this communication plan is to inform the troops about what needs to be done to meet the standards based on the National Infrastructure Protection Plan. The second goal of the communication plan is to manage stakeholder expectations by keeping them informed about the project. By keeping the official communications open, it will be easier to manage their expectations by eliminating false information (Turner, 2003). The third goal is to establish trust among all parties, including the Chief Information Officer, the troops, and me as the Information Security Director. The fourth goal of this communication plan is to enhance participation and collaboration in the project. By keeping the official communication lines open, the troops will be more willing to participate actively in the project, provide feedback, and be active in developing solutions to potential problems.

Target Audience

The target audience for this communication plan is the troops. The troops are one of the major stakeholders in the project. As such, it is important to ensure they receive information at the right time to avoid confusion.

Key Message

The key message concerns integrating the standards outlined under the National Infrastructure Protection Plan in order to enhance the protection and resiliency of the critical infrastructure in the country (Wallace Foundation, n.d.). The Infrastructure Protection Plan must take into account the provisions of the National Infrastructure Protection Plan in order to build resilient security systems in the organization. It is worth noting that the high dependence and interdependence of the country's information systems increases their vulnerability to local and international threats. The memo outlines the various standards that troops must observe in developing a resilient information system. Other information to share with the troops includes the code of conduct, budget information, the handling of complaints, details about all partners involved, and important contact details.

Communication Method(s)

Three communication methods will be applied in delivering information to the intended audience: written, oral, and electronic. In particular, general messages will be carried through posters and notice boards placed at strategic locations for easy access by the troops. Electronic mail will facilitate the passing of personal or confidential information to select individuals. Electronic mail will also facilitate the passing of complex information such as graphs, budget analysis, and other information to the troops (Downs & Adrian, 2004). Models and demonstrations will help clarify complex issues arising during the project. This will facilitate direct exchange of information and ideas on the project. In addition, models and demonstrations will allow for instant feedback from the troops about the project (Downs & Adrian, 2004). As such, it will be easy to learn about the issues arising from the project. The following diagram shows the flow of information, timing, and the media carrying the information.

[Diagram not reproduced: flow of information, timing, and media of communication]

Enhancing two-way Communication

Two-way communication will facilitate dialogue and the gathering of important feedback, ideas, and suggestions from the troops (Wallace Foundation, n.d.). This will help in making critical changes to the project and meeting the needs of various stakeholders, including the troops. Gathering feedback will also enhance continuous improvement of processes in the project. As the Information Security Director, I need to obtain constant feedback in order to make decisions on necessary adjustments to the program. It is worth noting that not all communication channels can facilitate receiving feedback from the troops. In particular, written communication such as posters and notice boards may not facilitate feedback (Downs & Adrian, 2004). On the other hand, electronic mail and oral methods such as demonstrations will facilitate feedback.

Specifying a Timeline

It is important to maintain communication at all stages of the plan (Wallace Foundation, n.d.). Various stakeholders, including the troops, should receive information about the key developments of the project. Communication is most critical during the earlier stages of the project, while making changes, and in case of project delays or disruptions. The timeline should include the time prior to the initiation of the activities. In some cases, the timeline involves activities 3 months prior to the commencement of the project. For instance, the program manager should establish a number of things prior to working on the project. These include identifying all stakeholders, conducting the situation analysis, identifying the goals and objectives of the project, and reaching out to board members, among others.

Budget for the Plan

The plan utilizes less expensive methods of communication with the troop members in order to keep costs low. Certain methods, such as the mass media, may lead to high communication costs (Turner, 2003). There are many cheap methods of communication, such as the ones utilized in this communication plan. The following is the budget for the communication plan.

Particulars | Cost per unit | Total number of units | Total cost | Description
Printing posters | $20 | 10 | $200 | One poster per working area
Models and demonstrations | $500 | 1 | $500 | The total cost of facilitating a single demonstration lesson
Electronic mail | N/A | N/A | N/A |
Total | | | $700 |

Implementation

This involves rolling out the communication plan. The rollout will be easy since the communication plan aims at informing the troops only. Where various stakeholders are involved, there is a need to inform them in a defined order (Wallace Foundation, n.d.). For instance, the information should reach those in senior ranks first before flowing to those in junior ranks.

Monitoring

This involves carefully evaluating the communication plan to ensure it is effective in all aspects. Where weaknesses are identified in the communication plan, efforts should be made to address them before they negatively affect the communication process. The monitoring process will be part of the overall program review. Various methods can help in reviewing whether the communication process was effective, including observation, talking to the troops, and obtaining written feedback.

References

Downs, C. W., & Adrian, A. D. (2004). Assessing organizational communication: Strategic communication audits. New York: The Guilford Press.

Turner, P. (2003). Organisational communication: The role of the HR professional. London: Chartered Institute of Personnel and Development.

Wallace Foundation. (n.d.). Workbook A: Creating a communications plan. Retrieved from http://www.wallacefoundation.org/knowledge-center/Documents/Workbook-A-Communication.pdf


National Infrastructure Protection Plan Memo

Question

Phase 1: Memo –

In this phase, you need to create a 3-5 page professional memo about your assessment of what needs to be done to meet the standards based on the National Infrastructure Protection Plan. You need to make sure that the language in the memo is clear and free of errors. You also need to be creative in presenting this information to capture the most important points from the National Infrastructure Protection Plan. You need to demonstrate critical thinking to prioritize the action items based on your findings.

Sample paper

Theories of Security Management

To: The Chief Information Officer

From: Information Systems Security Director

Date: October 23, 2017

Subject: Meeting the Standards based on NIPP

The National Infrastructure Protection Plan (NIPP) sets out standards to enhance the protection and resiliency of critical infrastructure in the country. The Infrastructure Protection Plan must take into consideration the provisions set out by the NIPP in enhancing the protection and resiliency of information systems. In the current environment, organizations increasingly face serious threats due to the exposure of their information systems to external threats. The high dependence and interdependence of information systems increases their vulnerability to attacks, which may create a single point of weakness and affect the entire system. This memo is an assessment of what the Infrastructure Protection Plan should include based on the NIPP standards.

The Infrastructure Protection Plan should enhance information sharing as set out in the NIPP. One of the key goals of the NIPP is to enhance the sharing of information about security threats facing information systems (Department of Homeland Security (DHS), 2009). Shared information should be accurate and timely to facilitate decision-making. Information sharing should include incident reporting, warnings, and alerts about possible and actual incidents. The Infrastructure Protection Plan should also enhance collaboration among various partners. The strength of the NIPP largely depends on the nature of the collaboration between the public and private sector (DHS, 2009). This collaboration improves the understanding of security threats and vulnerabilities facing information systems. For instance, the public and private sector may share best practices for eliminating or managing active and potential threats. Nonetheless, both public and private sector entities manage their own risks at the organizational level.

The National Infrastructure Program must include an effective risk management program. The risk management program entails dealing with potential risks and hazards to the information systems (DHS, 2009). The organization should engage in continuous risk assessments and frequently update its risk management systems. Under risk management, the organization should also adopt new technologies to increase its effectiveness in managing risks. The National Infrastructure Program must integrate security and resilience programs. Security and resilience should be factored in during the design of systems and networks. During the development of the Infrastructure Protection Plan, the developers should apply infrastructure resilience principles (DHS, 2009). This may improve the system's ability to identify and deter threats. The security and resilience programs ensure that the network and systems can withstand a significant number of attacks.

The Infrastructure Protection Plan should include ways of regulating access to stored information or data (DHS, 2009). The organization must develop ways of protecting access to data. These range from implementing physical restrictions to using passwords to restrict access. Restricting access begins with putting physical safeguards on the organization's information systems. The next step is to implement controls against unauthorized access through remote means such as cyberattacks. The Infrastructure Protection Plan should include a risk assessment plan. The Chief Information Officer should conduct risk assessments on a regular basis in order to identify and correct system vulnerabilities. Risk assessment is also critical in identifying threats facing the organization (DHS, 2009). The threats may range from natural disasters, such as damage to the physical systems in case of flooding, to man-made threats such as cyberattacks. Risk assessments should bear four characteristics: they should be reproducible, defensible, complete, and documented.

The plan should include scenario identification. This entails identifying the specific risks that may affect the organization (DHS, 2009). There may be different risks facing the organization's assets, systems, and networks. The key here is to identify the consequences of risks, system vulnerabilities, and potential threats in the environment. In conducting risk scenario identification, it is important to map the components for which the realization of a risk would lead to the highest consequences. This can enable the security experts to learn where to implement protective measures. It is worth noting that open systems are likely to face an increased risk of attacks, making screenings ineffective no matter how regularly they occur. The risk scenario should evaluate all the potential sources of harm (DHS, 2009). In addition, the risk scenario should specify the conditions under which consequence and vulnerabilities are evaluated, for instance by applying the worst-case scenario for a possible terrorist attack.

The Infrastructure Protection Plan should include a consequence assessment plan. Consequence assessment involves analyzing the challenges the organization may face in case of an attack that cripples its networks and systems. Some attacks may be severe, affecting the organization's critical processes, while others may be limited to a few operations. The organization should mainly focus on risks that may cause a major disruption in operations if they occur, for instance risks that may lead to a negative public image of the organization (DHS, 2009). Lastly, the plan should include a vulnerability assessment. Vulnerability assessment focuses on certain inherent attributes of the network and systems that may render them susceptible to attacks. System and network vulnerabilities may emerge from various sources, including the lack of a firewall, the use of legacy systems, and inadequate physical safeguards in the organization.

Reference

Department of Homeland Security (DHS). (2009). National Infrastructure Protection Plan. Retrieved from http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf
