Remarkable University is the organization for which this IT Security Plan is being developed. The university has implemented a student grading system whose core components are a front-end application used by three types of users, viz. students, academic staff, and administrative staff, and a database in which the students' grades are stored. Various threats have been identified against the system, and the occurrence of these threats will pose a great risk to the confidentiality, security, and privacy of the data sets.
The IT Security Plan is important because it specifies the mitigation and control strategies that shall be followed to deal with the security risks mapped to every asset of the system.
There are various assets that are associated with the student grading system being developed and implemented at the Remarkable University.
The assets involved with the system include:
The risk profile for the university is low, as the education domain makes it less exposed to these risks. The profile includes the following set of risks and threats that may be carried out against the IT assets.
Various risks are associated with information as an IT asset. It is the primary asset that will be exposed to security risks and attacks.
This is the security area that is exposed to various security risks and vulnerabilities that may have an adverse impact on the information stored in the student grading system.
Attackers may carry out account hacking attacks by breaking the authentication and access control measures that have been applied. This may lead to the exposure of the private and confidential information of students.
Unauthorized access, data breaches, and leakage of the data sets may come up due to the poor access control measures applied.
The data servers will be exposed to malware risks and attacks, and physical security attacks may also occur. The information stored on these servers will be exposed as an outcome.
The web application will be exposed to malware attacks, denial of service attacks, data breaches, and data integrity issues (O’Donnell, 2008). The information sets will be directly or indirectly impacted as an outcome.
The network architecture and protocols will be exposed to network-based security threats and attacks. These may include phishing attacks, man-in-the-middle attacks, denial of service and distributed denial of service attacks, malware attacks, message alteration attacks, and media alteration attacks. In all of these attacks, the privacy and confidentiality of the data and information sets will be hampered.
The devices used to access the system may be exposed to attacks such as device loss and malware, which will have a direct impact on the information sets stored on them.
Web servers and database servers will be used in the system and will be kept in the server room. These may be exposed to physical security attacks if the attackers succeed in breaking through the physical security perimeter that has been applied.
The PCs and mobile devices used to access the student grading system will also be exposed to the risk of being stolen. The loss or theft of a device will have severe impacts on the information and on the user.
The software used in the system will be exposed to risks such as malware attacks, account hacking, target exploitation, data breaches, and data integrity issues.
The network architecture and protocols will be exposed to network-based security threats and attacks. These may include phishing attacks, man-in-the-middle attacks, denial of service and distributed denial of service attacks, malware attacks, message alteration attacks, and media alteration attacks.
A risk register has been prepared for the risks identified above. A likelihood and an impact score have been assigned to every risk, and the risk rank has been calculated from these two values as per the levels below.
Threat/Vulnerability | Likelihood | Consequence | Level of Risk | Risk Priority
Account Hacking & Target Exploitation | Possible | Major | Extreme (E) | 8
Data Breaches | Likely | Catastrophic | Extreme (E) | 2
Data Leakage | Possible | Catastrophic | Extreme (E) | 6
Malware Attacks | Almost certain | Major | Extreme (E) | 1
Device Loss | Rare | Catastrophic | High (H) | 10
Denial of Service and Distributed Denial of Service | Likely | Catastrophic | Extreme (E) | 3
Message and Media Alteration – Data Integrity Attacks | Possible | Major | Extreme (E) | 7
Eavesdropping Attacks | Possible | Catastrophic | Extreme (E) | 4
Man-in-the-Middle Attacks | Possible | Catastrophic | Extreme (E) | 5
Physical Security Risks | Unlikely | Catastrophic | Extreme (E) | 9
It will be necessary to take certain security actions and adopt strategies to ensure that the risks do not materialize and that they are mitigated and controlled.
Risk Name | Security Strategy and Actions
Account Hacking & Target Exploitation | Biometric recognition shall be used for identity management and access control. Multi-path encryption must be used for access control. Authentication shall be multi-factor, with log-in to accounts made possible only through one-time passwords and face recognition (Jung & Park, 2013).
Data Breaches | The data sets stored in the student grading system shall be encrypted so that attackers do not succeed in capturing them. Technical security controls shall be applied to protect against this risk.
Data Leakage | The data sets stored in the student grading system shall be encrypted so that attackers do not succeed in capturing them. Technical security controls shall be applied to protect against this risk.
Malware Attacks | Anti-malware tools with ransomware protection must be installed and integrated into the system so that regular scanning of the entire system and networks is carried out.
Device Loss | The devices used by end-users shall be fitted with a device tracker ID so that they may be traced in case of loss or theft.
Denial of Service and Distributed Denial of Service | Anti-denial-of-service tools must be installed and integrated into the system so that regular scanning of the entire system and networks is carried out (Mahjabin, Xiao, Sun & Jiang, 2017).
Message and Media Alteration – Data Integrity Attacks | The data sets stored in the student grading system shall be encrypted so that attackers do not succeed in capturing them. Technical security controls shall be applied to protect against this risk (Lin, Yu, Zhang, Yang & Ge, 2018).
Eavesdropping Attacks | Network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners, and network monitors, shall be installed.
Man-in-the-Middle Attacks | Network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners, and network monitors, shall be installed (Wang, 2018).
Physical Security Risks | The server rooms must be secured by deploying a security guard at the entrance, and surveillance tools shall be used to keep track of all activities. Digital modes of authentication, such as biometric authentication and automated locks, shall be used to protect the systems and servers.
Certain risks may occur in spite of the measures and controls adopted. One such risk is malware. Attackers keep coming up with new forms of malware code and algorithms to launch attacks on the systems of end-users. A disaster recovery plan and data backups shall be kept in place so that the impact of the risk is reduced should it occur.
Insider threats and attacks may also occur and may not be fully controllable, because internal employees and members of staff may knowingly or unknowingly pass information to unauthorized entities.
The risks associated with mobile devices, such as loss or theft, will also remain, since users may forget their devices at a certain location or the devices may fall out of their pockets, and such occurrences cannot be controlled.
The residual risks are scored below; the risk score is the product of the likelihood level and the impact level.
Risk Name | Likelihood Level | Impact Level | Risk Score
Malware Attacks | 2 | 4 | 8
Insider Threats | 3 | 5 | 15
Device Loss or Stealing | 2 | 5 | 10
The hardware required includes biometric devices and sensors for the implementation of biometric recognition systems, surveillance tools such as microphones and video cameras for enhanced physical security, and digital locks and vaults for keeping the devices safe and protected at all times.
Network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners, and network monitors, shall be installed. Anti-malware tools with ransomware protection must be installed and integrated into the system so that regular scanning of the entire system and networks is carried out. Anti-denial-of-service tools must be installed and integrated into the system so that regular scanning of the entire system and networks is carried out.
End-users shall be provided with training on the security practices they shall adopt to prevent and control attacks. Users shall also be made aware of the common mistakes that may allow attackers to carry out security attacks. The security team must also be trained on the security strategies they shall adopt.
The maintenance work will include the installation of updates and security patches at regular intervals. These will ensure that security vulnerabilities and loopholes are resolved and avoided. The security software, such as anti-malware tools, anti-denial-of-service tools, and network-based security controls, shall be updated as part of the maintenance activities (Bays, Oliveira, Barcellos, Gaspary & Mauro Madeira, 2015).
References
Bays, L., Oliveira, R., Barcellos, M., Gaspary, L., & Mauro Madeira, E. (2015). Virtual network security: threats, countermeasures, and challenges. Journal of Internet Services and Applications, 6(1). doi:10.1186/s13174-014-0015-z
Huang, H., Zhang, Z., Cheng, H., & Shieh, S. (2017). Web application security: threats, countermeasures, and pitfalls. Computer, 50(6), 81-85. doi:10.1109/mc.2017.183
Jung, K., & Park, S. (2013). Context-aware role based access control using user relationship. International Journal of Computer Theory and Engineering, 533-537. doi:10.7763/ijcte.2013.v5.744
Lin, J., Yu, W., Zhang, N., Yang, X., & Ge, L. (2018). Data integrity attacks against dynamic route guidance in transportation-based cyber-physical systems: modeling, analysis, and defense. IEEE Transactions on Vehicular Technology, 1-1. doi:10.1109/tvt.2018.2845744
Mahjabin, T., Xiao, Y., Sun, G., & Jiang, W. (2017). A survey of distributed denial-of-service attack, prevention, and mitigation techniques. International Journal of Distributed Sensor Networks, 13(12), 155014771774146. doi:10.1177/1550147717741463
O’Donnell, A. (2008). When malware attacks (anything but Windows). IEEE Security & Privacy Magazine, 6(3), 68-70. doi:10.1109/msp.2008.78
Wang, Y. (2018). Analysis on the causes of network language violence and its countermeasures. DEStech Transactions on Social Science, Education and Human Science, (adess). doi:10.12783/dtssehs/adess2017/17825
WSJ. (2018). The growing role of the CIO. Retrieved from https://www.wsj.com/articles/the-growing-role-of-the-cio-1520992980