Academics for Academics (A4A) is a non-governmental organization (NGO) with its head office in Sydney and a branch in Singapore. All A4A projects are funded by public donations, and the team consists of 10 staff members. The organization was established to help small public and private universities in Australia and South East Asia. Only the schools and colleges registered with A4A are entitled to access the data and information that A4A produces. At present the organization has no formal policy or guidelines for protecting its information resources.

This report identifies the types of risk associated with A4A's information resources and proposes guidelines for managing those information security risks. The guidelines are intended to prevent unauthorized use of the organization's information resources by both insider and outsider threats. Specifically, the report develops an issue-specific security policy that prevents the unauthorized use and circulation of A4A's study materials and information technology resources (Höne and Eloff 2002). An issue-specific security policy addresses one particular information security concern and tells employees how technology and resources may be used, both inside and outside the organization's boundaries. The process of managing the information security risks associated with A4A is set out in the following sections.
The main aim of this report is to develop guidelines for managing the information security risks faced by A4A. The report explains why the organization's at-risk resources must be identified and analyzed, why the risks to A4A's information system must be identified, and which risk mitigation approaches the organization can adopt. The resulting guidelines form the basis of the organization's security policies.
A4A is expanding, so managing its information security risks is becoming essential. The report provides standard guidelines that protect the organization's information assets, address the identified risks, and help manage the uncertainties that come with growth. The guidelines form the basis for handling and mitigating threats effectively and are intended to give A4A a long-term security option rather than a one-off fix.
The first step is to identify the organization's information assets, because the risks to the organization can only be analyzed once it is known what needs protecting. The identified assets must be protected against threats and uncertainties in order to prevent loss of information. The identified information assets of A4A are as follows (Safa, Von Solms and Furnell 2016):
These assets must be protected to avoid major information loss, so guidelines are to be enforced that ensure responsible use of the organization's property (Spiekermann 2012). The guidelines state which uses of the resources are authorized and which are prohibited, and they are designed to prevent an attacker from reaching the organization's confidential resources.
Once the information assets are known, the risks associated with each asset must be identified. The risks are identified and analyzed according to their impact so that a suitable mitigation strategy can be developed (Stallings et al. 2012). Grouping the risks into classes helps the organization mitigate them in an orderly way and protects it from information loss.
Risk identification begins with the organization's major information assets. These include the members themselves and the confidential data about those members that is stored in the organization's information system (Laudon et al. 2012). An attacker may target this information, so it needs proper protection.
The data produced by the members of the organization is another major information asset. It is vital to protect this data, because it is produced in order to help colleges and universities across the region. A proper risk assessment of these assets is therefore needed to identify the risks attached to them (Belleflamme and Peitz 2014), and risk identification for the private and confidential data produced by members is carried out with the highest priority.
It is the organization's responsibility to reduce the risks to its information system. The risks associated with the software and networks in use within the organization are identified and evaluated with the highest priority. After the information assets have been identified, they are classified and categorized so that the type of risk attached to each can be determined.
Identifying the information assets within the organization is essential for understanding the kinds of risk the company is exposed to. After identification, the assets are classified and categorized so that the risks to each kind of data can be understood, and the mitigation approach for each risk is chosen according to how much protection that data needs. The information security assets of the organization are classified as follows (Ifinedo 2012):
After the assets have been classified and categorized, the value of each information asset is assessed so that appropriate risk mitigation processes can be proposed.
Value Assessment
The risk identification process for A4A includes a value assessment of each identified information asset. The value assessment determines the priority of the risk mitigation process: the impact of losing or compromising an asset is rated according to the importance of that asset to the organization, on a scale of critical, high, medium and low (Peltier 2004). Critical assets need immediate attention, while low-rated assets do not.
The importance of an information asset reflects the objectives it serves within the organization. Assets that generate the most revenue or that hold very confidential information are the most important to protect. Guidelines are developed according to the value of the assets and the urgency of their protection, so after the value assessment the assets of A4A are prioritized by importance.
The information assets identified during risk identification are prioritized to fix the order in which risks are mitigated. The prioritization is based on the impact each asset has on the organization and on the impact the organization would suffer if that asset were compromised by an attacker. Assets rated critical, or with the highest impact, are given the highest priority in the mitigation process (Peppard and Ward 2016). The mitigation guidelines then prescribe secure use of these assets in order to reduce the associated risks.
Identifying the threats to A4A's information assets is essential before they can be mitigated. The organization faces a number of security risks. When a member works from outside the organization, additional risks attach to the transmission and storage of information: malware infection, data modification and unauthorized data access, all of which are active attacks on the organization's information assets. Proper security guidelines are therefore needed to protect A4A's information technology assets. The insider threat consists of unauthorized use and circulation of the academy's data and resources from within the organization. Beyond these, the major threats to A4A are as follows (Von Solms and Van Niekerk 2013):
The list above gives the major information security threats to A4A. These threats must be assessed and mitigated properly in order to protect the organization's confidential information assets.
Threat assessment includes estimating the probability that each threat will occur within the organization. The threats with the highest probability are expected to cause the greatest loss to the organization's information assets, so the organization must identify the threats with the highest probability of occurrence and the greatest danger to the assets (Shamala, Ahmad and Yusoff 2013). This is done systematically by identifying the causes of each threat and the actions it would take against the information assets.
Once that is done, prioritizing the threats becomes straightforward, and it is the organization's responsibility to do so. The vulnerabilities of each information asset must also be identified so that the risk can be assessed more precisely, and each threat is linked to the assets it affects so that it can be mitigated properly.
After risk identification, a risk assessment is needed to determine the extent of each risk's effects. This is done by rating the likelihood and the consequences of each identified threat on the information assets, which also establishes the priority of the risks. The consequence levels used in the risk assessment process are as follows (Viduto et al. 2012):
The likelihood levels used for the identified risks are as follows:
With these levels, the risk and threat assessment for each information asset is easier to evaluate: a catastrophic consequence with an almost certain likelihood is treated with the highest priority. The risk assessment process is therefore vital for developing the guidelines that address the organization's information security risks. The valuable assets of the organization are ranked according to their associated threats, consequences and likelihood. Once the risk assessment is complete, A4A must move on to risk management, which is essential for developing the guidelines.
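The scoring described above, as an added example that is not part of the original report: a small qualitative risk register that rates each asset/threat pair by consequence times likelihood, maps the score onto the high/medium/low levels the report uses, and orders the register for mitigation. The report names only the "catastrophic" consequence and "almost certain" likelihood levels; the remaining level names follow the ISO 31000 / AS/NZS 4360 five-point scales and are assumptions, as are the score thresholds and the sample register entries, which are constructed for illustration.

```python
"""Qualitative risk register in the style of the A4A report (added example, not from the report)."""
from dataclasses import dataclass
from typing import Dict, List

# Five-point scales. Only "catastrophic" and "almost certain" appear in the report;
# the other level names are assumptions based on ISO 31000 / AS/NZS 4360.
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# Asset value scale from the report's value assessment step.
ASSET_VALUE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed thresholds on the 1..25 score: >=15 high, 6..14 medium, <=5 low.
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 6


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: str
    threat: str
    consequence: str
    likelihood: str

    def __post_init__(self) -> None:
        # Reject entries that use a level name outside the agreed scales,
        # so a typo cannot silently drop a risk to the bottom of the list.
        for value, scale, name in (
            (self.asset_value, ASSET_VALUE, "asset_value"),
            (self.consequence, CONSEQUENCE, "consequence"),
            (self.likelihood, LIKELIHOOD, "likelihood"),
        ):
            if value not in scale:
                raise ValueError(f"{name} {value!r} not in {sorted(scale)}")

    def score(self) -> int:
        """Consequence x likelihood, 1 (rare + insignificant) to 25 (almost certain + catastrophic)."""
        return CONSEQUENCE[self.consequence] * LIKELIHOOD[self.likelihood]

    def level(self) -> str:
        """Map the score onto the report's high / medium / low risk levels."""
        s = self.score()
        if s >= HIGH_THRESHOLD:
            return "high"
        if s >= MEDIUM_THRESHOLD:
            return "medium"
        return "low"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order for mitigation: highest score first, ties broken by asset value."""
    return sorted(register, key=lambda r: (r.score(), ASSET_VALUE[r.asset_value]), reverse=True)


def summarise(register: List[Risk]) -> Dict[str, int]:
    """Count of register entries per risk level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in register:
        counts[r.level()] += 1
    return counts


# Constructed sample register for the asset types the report describes.
SAMPLE_REGISTER = [
    Risk("member confidential data", "critical", "unauthorized access by outsider", "major", "likely"),
    Risk("study materials produced by members", "high", "insider circulation outside A4A", "moderate", "almost certain"),
    Risk("office network and software", "medium", "malware from a remote member's device", "catastrophic", "unlikely"),
    Risk("public project information", "low", "data modification", "minor", "rare"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.level():6} {r.score():2}  {r.asset}: {r.threat}")
    print(summarise(SAMPLE_REGISTER))
```

The ordering is what the report asks for: the two high-rated risks (the members' confidential data and the study materials) come first, the network malware risk lands in the medium band despite its catastrophic consequence because it is unlikely, and a catastrophic, almost certain threat would score 25 and always lead the list.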
A4A aims to develop guidelines for mitigating the risks to its information assets. The risk mitigation (risk management) process classifies each risk by its impact on the information assets, using the levels high, medium and low.
After the risks have been classified according to the level of exposure of the information assets, a risk mitigation plan is put in place (Snedaker 2013). The plans A4A adopts as its mitigation approach are a disaster recovery plan, for restoring data and systems after a breach or outage, and a business continuity plan, for keeping normal operations running during a security attack (Sahebjamnia, Torabi and Mansouri 2015). The disaster recovery plan allows the organization's important information and data to be recovered quickly.
In addition, A4A should have an incident response plan so that immediate action can be taken during an information security attack (Silva et al. 2014).
Justification
Guidelines for managing and protecting the organization's information resources are justified because the data produced within the organization, or by its members, should remain solely the property of the organization. The guidelines are developed in order to protect those information assets (Fenz et al. 2014).
Academics for Academics is an NGO providing educational services to colleges and universities. Circulation or misuse of A4A's information resources is strictly prohibited, so enforcing guidelines that secure the information assets is important, and the academy needs a strong security policy to address the threats and risks to its major information assets. The process consists of identifying the major information assets, the risks attached to them, the vulnerabilities the system is exposed to, and the level of security each asset needs. The guidelines then help the organization take the key decisions about its information security (Safa, Von Solms and Furnell 2016). The risk assessment process is vital because it analyzes the impact of each threat on the organization's information assets (Ifinedo 2014), and the risk management process identifies and recommends backup and action plans for the case where the organization experiences a data or security breach.
The assumptions taken into consideration in developing the guidelines for A4A are as follows:
Conclusion
From the above discussion it can be concluded that Academics for Academics needs proper guidelines to ensure the security of its information assets. This is essential because A4A is gradually expanding and it is becoming increasingly difficult for the organization to keep track of the data and security breaches occurring within it and of the vulnerabilities its information assets are exposed to. The report sets out the guidelines for data protection in A4A by giving a detailed overview of the risks and threats associated with the organization's information assets, and it closes with the assumptions taken into consideration in developing the guidelines for secure data exchange within the organization.
References
Belleflamme, P. and Peitz, M., 2014. Digital piracy (pp. 1-8). Springer New York.
Eldardiry, H., Bart, E., Liu, J., Hanley, J., Price, B. and Brdiczka, O., 2013. Multi-domain information fusion for insider threat detection. In: Security and Privacy Workshops (SPW), 2013 IEEE (pp. 45-51). IEEE.
Fenz, S., Heurix, J., Neubauer, T. and Pechstein, F., 2014. Current challenges in information security risk management. Information Management & Computer Security, 22(5), pp.410-430.
Höne, K. and Eloff, J.H.P., 2002. Information security policy: what do international information security standards say? Computers & Security, 21(5), pp.402-409.
Ifinedo, P., 2012. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), pp.83-95.
Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), pp.69-79.
Laudon, K.C. and Laudon, J.P., 2016. Management information systems. Pearson Education India.
Laudon, K.C., Laudon, J.P., Brabston, M.E., Chaney, M., Hawkins, L. and Gaskin, S., 2012. Management Information Systems: Managing the Digital Firm (7th Canadian ed.). Pearson.
Peltier, T.R., 2004. Information security policies and procedures: a practitioner's reference. CRC Press.
Peppard, J. and Ward, J., 2016. The strategic management of information systems: Building a digital strategy. John Wiley & Sons.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.
Sahebjamnia, N., Torabi, S.A. and Mansouri, S.A., 2015. Integrated business continuity and disaster recovery planning: Towards organizational resilience. European Journal of Operational Research, 242(1), pp.261-273.
Shamala, P., Ahmad, R. and Yusoff, M., 2013. A conceptual framework of info structure for information security risk assessment (ISRA). Journal of Information Security and Applications, 18(1), pp.45-52.
Silva, M.M., de Gusmão, A.P.H., Poleto, T., e Silva, L.C. and Costa, A.P.C.S., 2014. A multidimensional approach to information security risk management using FMEA and fuzzy theory. International Journal of Information Management, 34(6), pp.733-740.
Snedaker, S., 2013. Business continuity and disaster recovery planning for IT professionals. Newnes.
Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing information security policy compliance: a systematic review of quantitative studies. Information Management & Computer Security, 22(1), pp.42-75.
Spiekermann, S., 2012. The challenges of privacy by design. Communications of the ACM, 55(7), pp.38-40.
Stallings, W., Brown, L., Bauer, M.D. and Bhattacharjee, A.K., 2012. Computer security: principles and practice. Pearson Education.
Viduto, V., Maple, C., Huang, W. and López-Pérez, D., 2012. A novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem. Decision Support Systems, 53(3), pp.599-610.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp.97-102.