Develop Information Security Policies and Controls that Address Potential Threats and Vulnerabilities and Plan for Business Continuity, Including During a Process of Technological Change.
Information security risk evaluation is one of the ongoing procedures for discovering, correcting and preventing security issues. This report deals with the development of information security policies and controls that address potential threats and vulnerabilities and that plan for business continuity. In addition, the report describes information security compliance with the ethical and legal frameworks that govern the use and application of data.
Information security in an organisation refers to the protection of information and information systems from unauthorised access, use, disruption, modification and destruction (Parsons et al., 2017). Information security management is the procedure of defining security controls to protect information assets. Managing such a program requires having an appropriate and effective security program in place (Telstra, 2017). As information security policies improve the overall management of information, an effective policy is required within the organisation; it can guide the organisation in resolving security issues. However, it is also argued that security knowledge should be backed by a real proof of concept and demonstrated on screen rather than merely asserted. The objectives of a security program include protecting the organisation and its assets. Pallegedara and Warren (2016) stated that the management of risks, through identifying assets, discovering threats and estimating risks, is part of an organisation's security program.
In addition, the objectives of an organisation's security program involve providing direction for security activities through the formation of information security policies, processes, guidelines, standards and baselines, the classification of information, the security organisation and security education for staff. Wilcox and Bhattacharya (2015) commented that Telstra engaged a research firm, Frost and Sullivan, to interview the professionals responsible for IT security within the organisation in order to gain key insights on a range of security matters.
There are several types of potential threat that must be properly understood, and tools and processes must be put in place to combat them (Telstra, 2017). Ongoing monitoring helps to ensure that these measures remain effective. Telstra follows information security governance that assists in developing and upholding a culture of protecting information within the organisation (Pallegedara & Warren, 2014). It ensures that security management functions are well designed, deployed and operated effectively, and that they serve the objectives of the business and the requirements of stakeholders to protect key information. Telstra has implemented a range of information security policies and controls.
To complement information security governance processes, organisations require policies covering how staff use and access ICT resources (Corones & Davis, 2017). The policies need to be communicated to every employee as a reminder that a single click can compromise sensitive systems (Smith & Ingram, 2017). The policies should cover a range of areas, including the following:
Social networking: the policy controls which persons access social sites, where they access them and when.
Mobile devices: the policy covers which devices may connect to the network and the conduct expected while mobile devices are used (Senarathna et al., 2016), as well as the procedures applied to data on the devices when staff leave the organisation.
Desktop device policy: the policy controls which devices may connect to the network and the level of patching required (Telstra, 2017), as well as the anti-virus tools that should be installed and the conduct expected when using the device.
Physical security policy: Corones and Davis (2017) noted that a policy governing access to buildings, to restricted areas and to protected documents, and the process of storing and sharing them, could be helpful.
To protect the organisation against external attacks, it is crucial to have robust network links. Some organisations rely on the public internet for connectivity (Brookes, 2015); better security is afforded by using a private IP network sourced from a telecommunications provider. By separating public internet traffic from the private IP network, some carriers can contain a distributed denial of service attack so that it does not affect customers using the core private IP network.
Slocombe (2017) asserted that many enterprises have limited knowledge of what occurs within their IT systems and network infrastructure. A lack of monitoring tools means that such organisations cannot identify signs of external security threats or evidence of improper insider activity. A survey conducted by PricewaterhouseCoopers found that 23% of respondents admitted being unsure of the number of security incidents that had occurred within their organisation (Kurek et al., 2015), 33% of respondents were not aware of the type of security incident, and 34% were unable to nominate the source of attacks (Telstra, 2017). The figures also indicate that in 96% of data breaches the evidence is available to the organisation before the actual compromise; in most cases, however, that evidence is lost and goes unnoticed. Real-time monitoring of networks and critical systems is therefore vital. SIEM solutions are used to collect, analyse and log details of activity from which evidence of security threats is gained, and SIEM is effective in spotting evidence of insider security threats. Zwolenski and Weatherill (2014) stated that a large proportion of insiders undertaking such attacks perform technical precursors, including downloading hacker tools, failing to undertake backups, or improperly accessing data and systems. These activities are flagged by SIEM tools for examination.
To develop a comprehensive system that logs and analyses data in real time and detects anomalous events, SIEM tools are complemented by additional forensic tools (Bennett, 2015). Because ICT systems are complex, continuous development is required, and keeping them secure is an increasingly complicated task. Policies and tools must work together to meet the challenge raised by trends such as mobility, social networking and cloud computing. Ensuring an effective security infrastructure also helps with implementation, management and growth, and a growing number of organisations turn to external parties for assistance. It is important that such partners provide a defence-in-depth approach to security and supply the network and technology the organisation needs.
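The SIEM use case described above, flagging the technical precursors of insider misuse (hacker-tool downloads, failed backups, improper access to data), can be shown with a small rule engine over audit log lines. The following is an added example and not code from the report or from Telstra; the log lines are constructed, and the tool names, department-to-path mapping and business-hours window are assumptions chosen for illustration.

```python
"""Rule-based precursor detection over audit log lines, in the style of a SIEM
correlation rule. Added example: constructed input, assumed rule parameters."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (key=value format), not real traffic.
SAMPLE_LOGS = """\
2017-03-01T02:14:09 user=jdoe event=download url=http://files.example/mimikatz.zip
2017-03-01T02:20:31 user=jdoe event=file_access path=/finance/payroll.xlsx dept=engineering
2017-03-01T03:00:00 user=svc_backup event=backup status=failed host=db01
2017-03-01T09:05:12 user=asmith event=file_access path=/engineering/design.doc dept=engineering
2017-03-01T09:07:45 user=asmith event=download url=http://intranet.example/handbook.pdf
2017-03-02T03:00:00 user=svc_backup event=backup status=failed host=db01
"""

# Assumed rule parameters for this example.
HACKER_TOOL_NAMES = ("mimikatz", "nmap", "hydra", "metasploit")
DEPT_PATHS = {"engineering": "/engineering/", "finance": "/finance/"}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 counts as normal working time

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(token.split("=", 1) for token in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields

def evaluate(event):
    """Return the precursor labels that a single parsed event triggers."""
    labels = []
    if event.get("event") == "download":
        url = event.get("url", "").lower()
        if any(tool in url for tool in HACKER_TOOL_NAMES):
            labels.append("hacker_tool_download")
    if event.get("event") == "backup" and event.get("status") == "failed":
        labels.append("backup_failure")
    if event.get("event") == "file_access":
        allowed_prefix = DEPT_PATHS.get(event.get("dept"), "")
        # Access outside the user's own department tree
        if allowed_prefix and not event.get("path", "").startswith(allowed_prefix):
            labels.append("cross_department_access")
        if event["ts"].hour not in BUSINESS_HOURS:
            labels.append("after_hours_access")
    return labels

def analyse(log_text):
    """Map each user with at least one finding to the sorted set of labels seen."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for label in evaluate(event):
            findings[event["user"]].add(label)
    return {user: sorted(labels) for user, labels in findings.items()}

def flagged_for_review(log_text, threshold=2):
    """Users whose distinct precursor count reaches the threshold (correlation step)."""
    return sorted(u for u, labels in analyse(log_text).items() if len(labels) >= threshold)

if __name__ == "__main__":
    for user, labels in analyse(SAMPLE_LOGS).items():
        print(user, labels)
    print("review:", flagged_for_review(SAMPLE_LOGS))
```

The correlation step matters more than any single rule: a lone failed backup or one after-hours read is routine noise, whereas several distinct precursors on one account within a short window is what the text describes as worth examination.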
Jamasb and Nepal (2015) stated that Telstra's information policies help to protect the organisation from potential threats and vulnerabilities by developing a security program (Telstra, 2017). The organisation's top-down and bottom-up approaches ensure safety by achieving the following tasks.
Top-Down Approach
Bottom-up Approach
Security controls fall into three major categories: administrative controls, technical or logical controls, and physical controls.
Administrative controls: these include developing and publishing the organisation's policies, standards, processes and guidelines (Austin, 2014), as well as screening personnel, conducting security awareness training for staff and implementing change control processes.
Technical or logical controls: these involve implementing and maintaining access control mechanisms, password and resource management, detection and authentication methods, security devices and infrastructure configurations.
Physical controls: these include controlling individual access to the facility and to its departments (Butavicius et al., 2016), locking systems, removing unnecessary floppy drives, protecting the perimeter of the facility, monitoring for intrusion and environmental controls.
Information security policies and controls also act as a safeguard that addresses threats and vulnerabilities in the organisation; applying them mitigates risks at Telstra. For example, strong password management and access control mechanisms within the operating systems of Telstra's computers help to control the organisation's security threats and vulnerabilities. Deploying BIOS (basic input/output system) passwords and security awareness training also serves this purpose.
Lindsay (2015) stated that awareness of cyber security has increased and that organisations appear to be adopting frameworks in order to conduct security audits, which helps the formulation of security policies within Telstra's business (Telstra, 2017). However, it is crucial that the framework does not become a tick-and-flick exercise. Telstra, with a strong security posture, has security controls across the business and security embedded in every area of the business to ensure an integrated approach. Branches in Australia and the Asian region tend to emphasise security audits more than cyber drill programs. The value of conducting cyber drills for a wide range of security events should not be underestimated, as they highlight deficiencies in the incident response process and the related business continuity plans. The business requirement is to continue delivering key products and services at acceptable levels during a security incident and to recover as quickly and efficiently as possible.
Email continues to be the basic communication channel for the organisation's business, so phishing email is one of the greatest challenges Telstra's security staff must combat (Williams et al., 2015). Malicious websites and URLs are the most common delivery method of phishing emails: the aim is to trick the recipient into clicking a malicious link or attachment so that malware is downloaded and executed on the network's endpoints. The malware can then open a backdoor to a command and control server. Spear phishing emails target a particular person within the organisation; emails targeting senior personnel are called whaling. Telstra's information security policies and management measures help to minimise these risks, but inbound email threats remain a challenging task for the organisation's security. Firstwave Cloud Technology delivers internet protection for Telstra; its services in Australia include email and web content security for government departments, organisations and businesses. In 2016, Firstwave scanned more than 500 million inbound and outbound emails across the mail services of its Australian customers (Cheng, Zhao & Jin, 2013). Email content security offers a multi-layered approach to protecting the organisation against scams and malware. More than 47 million inbound threats were found among those inbound emails, including profanities, offensive material, breaches of the PCI security standard, malware and spam (Telstra, 2017). Firstwave Cloud Technology also detected infected zip files, a common method used by cyber criminals to evade detection.
Business Email Compromise, as defined by the FBI, is a sophisticated scam targeting businesses that work with foreign suppliers and businesses and that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering and computer intrusion techniques in order to conduct unauthorised transfers of funds. Defending against these threats helps Telstra to pursue business continuity.
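The multi-layered email content security and the Business Email Compromise pattern described in the two paragraphs above can be illustrated with a small inbound-mail screener: one pass for risky attachment types (zip included), one for links leading off the organisation's domain, one for card numbers (a PCI DSS exposure), and one heuristic for BEC (an executive's display name on an address outside the staff directory, or a Reply-To on a different domain, combined with payment language). This is an added example, not code from the report, Telstra or Firstwave; the messages are constructed and the domain, executive directory, extension list and keyword list are assumptions.

```python
"""Layered screening of inbound email. Added example: constructed messages,
assumed rule parameters; not the service described in the text."""
import re
from email import message_from_string

INTERNAL_DOMAIN = "example.com.au"                   # assumed: the organisation's own domain
EXECUTIVES = {"ceo@example.com.au": "Jane Doe"}      # assumed: directory of senior staff
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr")   # assumed: attachment types to quarantine
WIRE_KEYWORDS = ("wire transfer", "urgent payment", "new bank details")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum, to separate real card numbers from arbitrary digit runs."""
    total, double = 0, False
    for ch in reversed(digits):
        n = int(ch)
        if double:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
        double = not double
    return total % 10 == 0

def _addr(header):
    """Bare lower-case address from 'Name <addr>' or 'addr'; '' if header absent."""
    m = re.search(r"<([^>]+)>", header or "")
    return (m.group(1) if m else (header or "")).strip().lower()

def _display_name(header):
    return re.sub(r"\s*<.*", "", header or "").strip()

def screen(raw):
    """Return the list of findings for one raw message; an empty list means clean."""
    msg = message_from_string(raw)
    findings = []
    sender, reply_to = _addr(msg["From"]), _addr(msg["Reply-To"])
    texts, attachments = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_payload())
    body = "\n".join(texts)
    # Layer 1: attachment types commonly used to smuggle malware past filters
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky_attachment:{name}")
    # Layer 2: links that lead outside the organisation's own domain
    for host in URL_RE.findall(body):
        if not host.lower().endswith(INTERNAL_DOMAIN):
            findings.append(f"external_link:{host.lower()}")
    # Layer 3: PCI DSS exposure, a Luhn-valid card number in the body
    for candidate in CARD_RE.findall(body):
        digits = re.sub(r"\D", "", candidate)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append("pci_card_number")
    # Layer 4: BEC heuristic (impersonated executive or Reply-To on another domain,
    # plus payment language)
    impersonated = _display_name(msg["From"]) in EXECUTIVES.values() and sender not in EXECUTIVES
    domain_mismatch = bool(reply_to) and reply_to.split("@")[-1] != sender.split("@")[-1]
    if (impersonated or domain_mismatch) and any(k in body.lower() for k in WIRE_KEYWORDS):
        findings.append("possible_bec")
    return findings

def verdict(raw):
    return "quarantine" if screen(raw) else "deliver"

# Constructed sample messages (not real traffic).
PHISH = """From: IT Helpdesk <helpdesk@mail-secure.example>
To: staff@example.com.au
Subject: Password expiry

Your password expires today. Log in at http://example-com-au.login.example/reset to keep access.
"""
BEC = """From: Jane Doe <jane.doe@webmail.example>
To: accounts@example.com.au
Subject: Urgent payment

Please process an urgent payment by wire transfer to the supplier before noon.
"""
ZIP_INVOICE = """From: Billing <billing@supplier.example>
To: accounts@example.com.au
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Attached is the invoice. Card on file: 4111 1111 1111 1111.
--XYZ
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--XYZ--
"""
CLEAN = """From: Comms <comms@example.com.au>
To: staff@example.com.au
Subject: Newsletter

This week's update is at http://intranet.example.com.au/news
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("bec", BEC), ("zip", ZIP_INVOICE), ("clean", CLEAN)):
        print(label, verdict(raw), screen(raw))
```

Each layer is independent, so a message that passes the link check can still be quarantined for its attachment or for BEC indicators; that independence is what makes the approach multi-layered rather than a single signature match.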
It is important for Telstra to have proper security compliance with ethical and legal frameworks. Organisations dealing with personal records and financial transactions must be able to show that suitable security procedures and tools are in place to maintain the integrity of the information (Udagepola et al., 2015). Organisations doing business with larger organisations or government departments must adhere to a specific range of recognised compliance standards. Examples of such compliance standards are as follows:
ISO 27001: the international standard for managing security is useful for managing the organisation's security; compliance is also required by end customers and business partners.
PCI DSS: compliance is required for the organisation to accept credit card payments. Failure to comply results in fines and full exposure to the financial losses arising from a security breach.
ACSI 33: the Australian Government security standard is a prerequisite when working on sensitive Government projects.
Basel II: compliance is required when providing banking services in countries that are signatories to the agreement.
FISMA: compliance with the Federal Information Security Management Act of 2002 is required when dealing with agencies of the US Federal Government.
SANS-FBI: it is important to follow the security guidelines established by the SysAdmin, Audit, Network and Security (SANS) Institute, regarded as the largest security research group in the world.
Sarbanes-Oxley: compliance is required if the organisation is listed or operating in the US.
Demonstrating excellence in corporate governance is necessary for long-term performance, sustainability and reputation, and it serves the interests of stakeholders (Telstra, 2017). The code of conduct and policy framework are underpinned by Telstra's values, so a commitment to good corporate governance and responsible business practices is important (Wiryawan, 2016). The customers, the workforce and the communities in which Telstra operates must be considered (Holm & Mackenzie, 2014), and a structure through which compliance with legal obligations is maintained is necessary. Telstra requires all staff to observe high standards of business and personal ethics; the ethical behaviour framework, comprising values, outlines and standards, helps in this respect. Proper action on these matters therefore supports successful compliance.
To mitigate the security threats and vulnerabilities of using and applying data, some measures need to be taken. Organisations must put safeguards in place to protect against threats that may originate from internal sources. The recommendations are as follows:
Conclusion
From the above discussion, it can be concluded that effective information security policies play an important role in the development of a business organisation. The rapid adoption of cloud services delivers great agility and portability advantages, but it also introduces several security threats that can affect the business to a great extent. It is therefore important to develop awareness among the organisation's employees and to train them to combat security threats, which helps the organisation to improve its business. Effective information security policies and regulation help to mitigate security threats and to ensure the continuity of the organisation's business.
References
Austin, G. (2014). Australia's digital skills for peace and war. Australian Journal of Telecommunications and the Digital Economy, 2(4), 341.
Bennett, S. (2015). Why information governance needs top-down leadership. Governance Directions, 67(4), 207.
Brookes, C. (2015). Cyber security: Time for an integrated whole-of-nation approach in Australia. Indo-Pacific Strategic Papers, 12(15), 154.
Butavicius, M., Parsons, K., Pattinson, M., & McCormac, A. (2016). Breaching the human firewall: Social engineering in phishing and spear-phishing emails. arXiv preprint arXiv:1606.00887.
Cheng, J. H., Zhao, R., & Jin, C. (2013). Enlightenment from Australian Network Security Plan to Chinese Information Security. Advanced Materials Research, 756(2), 2542–2546.
Corones, S., & Davis, J. (2017). Protecting Consumer Privacy and Data Security: Regulatory Challenges and Potential Future Directions. Federal Law Review, 45(10), 165.
Holm, E., & Mackenzie, G. (2014). The significance of mandatory data breach warnings to identity crime. International Journal of Cyber-Security and Digital Forensics (IJCSDF), 3(3), 141–152.
Jamasb, T., & Nepal, R. (2015). Issues and options in the economic regulation of European network security. Competition and Regulation in Network Industries, 16(1), 2–22.
Kurek, T., Lason, A., & Niemiec, M. (2015). First step towards preserving the privacy of cloud-based IDS security policies. Security and Communication Networks, 8(18), 3481–3491.
Lindsay, J. (2015). Legacy PSTN applications cause confusion: Disclaimers are no substitute for actual service. Australian Journal of Telecommunications and the Digital Economy, 3(4), 70–76.
Pallegedara, D., & Warren, M. (2016, January). Unauthorised Disclosure of Organisational Information through Social Media: A Policy Perspective. In IDIMC 2016: Exploring our digital shadow: From data to intelligence, 14(10), 86–93.
Pallegedara, D., & Warren, M. (2014). Evaluating Australian social media policies in relation to the issue of information disclosure. ACIS, 31(14), 67–76.
Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., & Zwaans, T. (2017). The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies. Computers & Security, 66(10), 40–51.
Senarathna, I., Yeoh, W., Warren, M., & Salzman, S. (2016). Security and privacy concerns for Australian SMEs cloud adoption: Empirical study of metropolitan vs regional SMEs. Australasian Journal of Information Systems, 20(31), 64.
Slocombe, G. (2017). Defence's cyber security benefits from industry support. Asia-Pacific Defence Reporter (2002), 43(6), 54.
Smith, F., & Ingram, G. (2017). Organising cyber security in Australia and beyond. Australian Journal of International Affairs, 43(6), 1–19.
Telstra. (2017). Telstra—mobile phones, prepaid phones, broadband, internet, home phones, business phone. Retrieved from https://www.telstra.com.au
Udagepola, K., Xiang, L., Afzal, N., Ali, M., & Robinson, M. (2015). Case Study: Cloud Computing Consumer Protocol in Australia. J. Appl. Environ. Biol. Sci, 5(9), 76–83.
Wilcox, H., & Bhattacharya, M. (2015). Countering social engineering through social media: An enterprise security perspective. In Computational Collective Intelligence (pp. 54–64). Springer, Cham.
Williams, J. L., Costello, B., Ravenel, J. P., Ritter, S. J., Pelly, J., Rutherford, M. C., & Payne, J. (2015). U.S. Patent No. 9,094,434. Washington, DC: U.S. Patent and Trademark Office.
Wiryawan, D. (2016). Implementation of the Acunetix for Testing the Banking Website (Owned by the government and non-government in Indonesia). International Information Institute (Tokyo). Information, 19(6A), 1785.
Zwolenski, M., & Weatherill, L. (2014). The Digital Universe. Australian Journal of Telecommunications and the Digital Economy, 2(3), 64.