













IT security, focusing on risk assessment procedures, the ISO 31000 risk management methodology, and its application in IT security. It also explores the potential impacts of IT security audits on organizational security and the importance of aligning IT security with organizational policy.














As the main point of contact for the software training company MWS, I have written this report to help MWS staff and junior colleagues understand the privacy policy. The report also contains organizational policies related to identifying and assessing IT security risks, both in general and in particular for MWS. It focuses on the information MWS needs to protect its critical devices and data, and on how to implement the privacy policy. I have divided the content of the report into 3 parts:

Part 1: Here I focus on the company MWS through a review of:
∙ The security risks faced by the company.
∙ How data protection regulations and ISO risk management standards apply to IT security.
∙ The potential impact that an IT security audit might have on the security of the organization.
∙ The responsibilities of employees and stakeholders regarding security.

In particular, the content of the report is divided into 2 main units:

LO3 Review mechanisms to control organizational IT security. In this unit I present the following content. Firstly, P5 Discuss risk assessment procedures and P6 Explain data protection processes and regulations as applicable to an organization. Next, M3 Summarise the ISO 31000 risk management methodology and its application in IT security, and M4 Discuss possible impacts to organizational security resulting from an IT security audit. Last but not least, D2 Consider how IT security can be aligned with organizational policy, detailing the security impact of any misalignment.

LO4 Manage organizational security. In this unit I divide the content into 3 parts. The first is P7 Design and implement a security policy for an organization, and P4 List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion. Next, I specifically cover M5 Discuss the roles of stakeholders in the organization to implement security audit recommendations. Finally, D3 Evaluate the suitability of the tools used in an organizational policy.

Part 2: This is my personal reflection addressed to MWS's top managers and managers. In short, it is the summary of the report.

Part 3: Here is the documentation I have referenced using the Harvard referencing system. It is called the Reference List.
❖ Risk assessment definition
Risk assessment is a term used to describe the process or method of identifying, analyzing, and evaluating hazards and potentially harmful risk factors. In other words, risk assessment is the careful examination of your workplace to identify potentially harmful situations, processes, etc. Once these are identified, you analyze and evaluate the severity of the potential incident and then decide on the method to apply to eliminate or control the harm.

❖ How to plan a risk assessment
In general, define:
∙ The scope of your risk assessment
∙ The resources needed
∙ The measures that will be used
∙ Who is involved
∙ What relevant laws, regulations, codes, or standards may apply in your jurisdiction, as well as organizational policies and procedures.

❖ How to do a risk assessment
Risk assessment should be performed by an authorized person or group of individuals knowledgeable about the situation. When evaluating you should:
∙ Identify dangers
∙ Determine the likelihood of harm, such as an injury or illness occurring, and its severity:
- Consider situations as well as events: maintenance, shutdowns, power outages, emergencies, extreme weather, etc.
o Data protection is a law designed and implemented to protect and control personal data
processing purpose must be protected against any risk such as unlawful or unauthorized access, loss, destruction, or damage of data. Another organizational measure is to test the system regularly for vulnerabilities or threats. 7) Accountability - the entity responsible for using and processing personal data should be accountable for complying with the standards of data protection law and should demonstrate how it complies with the data protection legislation. (durhamlimited.com)
Simply put, ISO 31000 is the international standard for risk management. First published in
Risk management principles
These principles clearly describe the most important elements of an effective and efficient risk management framework. This concept is expanded upon based on the eight principles of ISO 31000, namely:
∙ Risk management must be integrated into all activities and especially business operations
∙ The approach must be structured and comprehensive
∙ The risk management framework and process should be customized to the organization's context and objectives
∙ Stakeholders must be involved in the risk management process
∙ The risk management process must be dynamic, robust, think ahead, predict, detect, recognize and, in particular, adapt to changes.
⇨ These are the principles related to system planning and design.
∙ Risk management must take into account the limitations of the available information
∙ Human and cultural factors are important and should be considered at all stages
∙ The risk management framework needs to be improved regularly and continuously through learning and experience.
⇨ These are the principles that focus on implementing and operating the risk management framework.
It can be said that the core of risk management consists of two components: risk assessment and risk treatment. Risk assessment is divided into: Identification, Analysis, and Evaluation. Risk treatment, also known as risk response, is simply the action taken in response to the risks that have been identified, analyzed and evaluated. The following diagram illustrates how all elements of the ISO 31000 process interact:
[Diagram: ISO 31000 process]
The diagram illustrates a set of steps designed to be performed in a coordinated manner but not necessarily in a fixed order; in fact, the process is repeated over and over again. This iteration is a strength it shares with the PDSA cycle and with innovation.

II- ISO 31000's application in IT security
The following are the uses of ISO 31000 in IT security:
∙ Risk management helps the organization achieve its goals as far as possible and improve performance, for example in health, human safety, security, environmental protection, product quality, project management, operational efficiency, ...
∙ Risk management is an integral part of all organizational processes. It includes strategic planning and all predictive and change management processes.
∙ Risk management helps decision-makers make informed choices
∙ Risk management addresses the nature and origin of uncertainty
∙ Risk management approaches the system in a timely, effective and reliable manner.
∙ Risk management adapts to the context of the organization
∙ Risk management takes into account people's abilities, perceptions and intentions, and facilitates the achievement of the organization's goals.
∙ Risk management is updated comprehensively, continuously and transparently, responding to repetition and change. (linkedin.com)
Here are a few of the possible security implications for an organization resulting from an IT security assessment:
∙ Keep sensitive data protected
∙ Identify security holes and ensure the level of security needed for the type of data provided
∙ Keep the organization up to date with the latest security methods and preventive procedures.
∙ Make more effective security decisions.
∙ Protect against inaccurate or unwanted changes
∙ Reduce security problems due to human error
∙ Discover potential risks
∙ Prevent security breaches and reduce the impact of breaches
∙ Use findings from audits to create and implement new security policies and procedures.
Currently, small businesses, especially the software training company MWS, are less inclined to equip employees with equipment for working from home, and only a small fraction of them receive instruction
deviation, users often find information in an uncontrolled way, and the scope of that information is large. Users lack the knowledge to distinguish true from false information, resulting in a large volume of data and a lack of understanding.
▪ Cumbersome solutions that are not suited to the situation: With web application attacks showing no signs of slowing down, organizations are required to understand and take steps to prevent potential negative and long-term effects, and to provide the optimal and most appropriate implementation plan for the current circumstances of the business.

LO4. Manage organizational security.
As an IT organization that adheres to all standards to a high degree and has a good understanding of how a company operates, several policies are implemented, one of which is described below.

Network server room policy
1. Purpose: The purpose of this policy is to maintain the level of security and the standards of the Network Server Room equipment, data, and information, and to define which corporate employees and authorized personnel may access the Network Server Room.
2. Scope: This policy covers the appropriate usage needs of the IT organization's Network Server Room and applies to all qualified and trained engineers who access the network server room.
3. Policy
3.1 Technical requirements:
∙ The Network Server Room must be accessed only by qualified personnel
∙ Make sure the room is always clean and tidy
∙ Make sure the temperature in the room corresponds to the given specifications
∙ Make sure all cables and devices are connected and operating according to specifications
∙ Connection to the equipment in the room is only made when needed
∙ The server room is accessed once a week, or in case of emergency
3.2 User requirements:
∙ When accessing the server room, qualified employees must record their entry and exit in the access log
∙ When accessing the server room, all personal devices (laptops, phones) must be left outside the room.
∙ Keep any information about the servers secure
∙ When accessing the server room, qualified personnel must ensure that they use the correct equipment for maintenance
∙ Qualified employees must wash their hands before accessing server rooms
∙ If any problem is discovered that cannot be resolved by the qualified personnel who have accessed the room, it must be reported
4. Manager Responsibilities
Access is the responsibility of the Security Director and the relevant part of the organization. The network server room is accessed by qualified personnel once a week. Responsibility for accessing the Network Server Room for regular maintenance rests with the Manager under the Security Director, while the responsibility for proper access and maintenance of the Network Server Room rests with the relevant Maintenance Operations Manager.
When a disaster occurs in an organization, the recovery plan should begin quickly and automatically to support the recovery operation. The recovery plan must first be designed around actions that can be taken by the employees until the DRP team arrives on-site, if they are not already there. Below is an explanation of the recovery plan for an IT organization.

Risks: a risk can take place at any time and affect the business, so the organization focuses on the level and type of disaster that can disrupt the organization.
❖ Type of Risk / Description / Impact Rating
▪ Earthquakes: These are caused by the movement of tectonic plates and can happen anywhere in the world at any time.
o Email: every night - full backup
o Finance server: every night - incremental backup; every week - full backup
o HR Server: every night - differential backup; every week - full backup
∙ External communication: In case of any disaster, the recovery plan will need to communicate with different people outside your organization to obtain the supplies the recovery plan requires.
∙ Utilities: The organization's recovery plan should include contact information and troubleshooting procedures for utilities such as electrical power, water, and natural gas during a disaster.
∙ Logistics and Supplies: The recovery plan should cover the case where, in a disaster, the organization suddenly must move a large number of people, supplies, and equipment to an alternative site; it should also cover that some people will stay at the new site for an extended period, and the recovery team must supply them with water, food, and appropriate facilities.
∙ DRP team and training: The IT organization must continually provide training on the recovery plan to the DRP team and to new people joining the organization. This training could include a simulation test in which the DRP team acts and exercises as if a disaster had happened, to become more confident and to identify what should be improved and implemented in case of a real disaster. After the simulation test, the DRP team must provide documentation of all the losses and recoveries observed.
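The three backup schedules above differ mainly in how many backup sets a restore depends on, which is what decides restore time and how many sets must all be intact. The following Python example is added here to work that out for each server; it is not part of the report or of MWS's own procedures, and it assumes the weekly full backup for the Finance and HR servers runs on Sunday night, which the report does not state.

```python
from __future__ import annotations
from datetime import date, timedelta

# Backup schedules taken from the report's table. The scheme names are
# labels chosen for this example; the report only gives the schedule itself.
SCHEDULES = {
    "Email": "full",                  # full backup every night
    "Finance server": "incremental",  # incremental every night, full every week
    "HR Server": "differential",      # differential every night, full every week
}

# Assumption: the weekly full backup runs on Sunday night (date.weekday() == 6).
WEEKLY_FULL_WEEKDAY = 6


def last_full(day: date) -> date:
    """Night, on or before `day`, on which the most recent weekly full backup ran."""
    return day - timedelta(days=(day.weekday() - WEEKLY_FULL_WEEKDAY) % 7)


def restore_chain(server: str, day: date | str) -> list[str]:
    """Backup sets, in the order they must be applied, to restore `server`
    to the state captured on the night of `day` (a date or ISO string)."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    scheme = SCHEDULES[server]
    if scheme == "full":
        # A nightly full backup is self-contained: one set restores everything.
        return [f"{day} full"]
    full = last_full(day)
    chain = [f"{full} full"]
    if scheme == "differential":
        # Each differential holds all changes since the last full backup,
        # so only the latest one is needed on top of the full.
        if day != full:
            chain.append(f"{day} differential")
    else:
        # Each incremental holds only the changes since the previous backup,
        # so every increment since the full must be applied, in order.
        d = full + timedelta(days=1)
        while d <= day:
            chain.append(f"{d} incremental")
            d += timedelta(days=1)
    return chain


def worst_case_sets(server: str) -> int:
    """Largest number of backup sets a restore of `server` can need on any
    night of the week; a longer chain means a slower restore and more sets
    that must all be readable for the restore to succeed."""
    monday = date(2024, 1, 1)  # constructed reference week (a Monday)
    return max(len(restore_chain(server, monday + timedelta(days=i)))
               for i in range(7))


if __name__ == "__main__":
    for server in SCHEDULES:
        print(server, "-> worst case", worst_case_sets(server), "sets")
        print("  restore to Wed 2024-01-03:", restore_chain(server, "2024-01-03"))
```

Running it shows the trade-off the report's table implies: the Email server always restores from one set, the HR server from at most two, while the Finance server can need the full plus up to six incrementals on a Saturday.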
In an IT organization, there will be some type of management hierarchy to maintain control of the organization. The IT organization structure is illustrated below:
∙ Security Audit Committee
∙ Board of Directors
∙ Chief Information Officer (CIO)
∙ Security Managers
∙ Security Administrator
∙ Manager Security Analyst Facility
∙ Employee or Staff

Audit Committee - these members are on the same level as the Board of Directors and can be external auditors from outside the business, with the scope of guidance and assistance in solving problems; they also have full authority over all officers and executives. An example is an internal audit which, after using the SWOT report to analyze and evaluate the organization, reports to the Senior Manager of the organization the changes that should be made, such as implementing a new policy or activating the firewall for better security.

Board of Directors - these are usually key investors or appointed advisers. They are not involved in the daily routine of the organization and their job is to advise and inform the Chief Information Officer. As a Senior Manager of the IT organization, after the SWOT report is received, the role is to inform and advise the CIO of the changes that should be made.

Chief Information Officer (CIO) - is subordinate to the Board of Directors and is considered the primary key person for internal control of the organization. The CIO supervises and manages all the Security Managers of the organization. As a CIO in the IT organization, after receiving the new changes that should be made for better functionality of the organization, the role is to organize and inform each Security Manager of the new changes that should be implemented.

Security Managers - the responsibility of managers is to supervise and guide the employees or
detect intrusions, and prevent malicious network activity.
▪ Intrusion prevention systems (IPS): After the firewall, the organization needs an equally advanced tool: an IPS. Its task is to inspect traffic and take automatic action to minimize threats. An IDS is also used to scan the network and report on potential threats.
▪ Endpoint protection: Endpoint protection tools are used to protect desktops, notebooks, and other endpoint devices against viruses, malware, and other malicious activities. Through these tools, anti-virus programs are combined with firewalls and anti-malware protection to protect the organization's network. (infoguardsecurity.com)
With this report, everyone, including the MWS software training staff, understands a little more about the security risks the company faces and how to take proper precautions; how the ISO risk management standards and data protection regulations apply to security; and the potential impact IT security assessments can have on an organization's security. It also outlines the responsibilities of our employees and security stakeholders. The report sets out the agreed policies in the event of a computer system disaster. It could be a natural disaster like an earthquake, or man-made, such as the willful act of bad actors or a virus arriving by email or through employees. It also outlines an insurance policy to pay for additional recovery costs. Besides this, the organization should have procedures in place to check its security and update it if necessary. Any updates may have to be tested before they go live. In a network, there will be a log of all activity. Checking this log will reveal persistent errors, which gives you a chance to catch problems before they get serious. It is also possible that during an inspection you could act as a hacker would and try to gain unauthorized access to the system, to check whether the system is secure or not. Some organizations will even pay people to try to get around their security, for example to check if they can enter the building without a card. Having the correct computer system alone is not enough. There should be a code of conduct for each organization, and every person who uses the system should sign an agreement that they have read it and will do what it says. This then imposes liability on them if anything goes wrong. There are many risks to an organization's computer systems, some high and some low. Senior managers need a plan to deal with each risk in order to build a strong and thriving organization.