Discuss the Emergency Management and Homeland Security
The aim of this report is to provide guidance to the A4A organization on the processing and storage of the data that is about to be stored in its information systems. The scope of this report is a security risk management approach for protecting the integrity, confidentiality and availability of the information held in the organization's information systems.
A4A is a non-governmental organization that is about to transform its existing system into an information system, which means that a large amount of data and information will be uploaded into a database. This will be a vast transformation: it will include outsourcing parts of the system to other organizations and, for the larger storage space required, cloud storage. Both could raise security issues for the organization's operational activities and for the data of its employees and of the people looking forward to joining the organization.
This report focuses on guidelines that could help the organization achieve information security for its data and information in a better and more efficient way. The risk assessment process has several steps, and these steps are explained in the report below.
The Australian Government's policy for the security of information is promulgated through the ISM and the PSPF. Several requirements that are mandatory within the PSPF can be applied to the handling of A4A information (Sylves 2014). A4A can only achieve effective information security for the information it is about to save in the system regarding its members and operational activities if security becomes part of the culture, operations and practice plans of A4A. This implies that A4A should not build protective security as an afterthought but should build it into its governance processes. The organization should proactively identify, mitigate and manage, at an early stage, the security risks associated with the information storage system.
A set of thirteen APPs (Australian Privacy Principles) is included within the Privacy Act 1988 (Cth); these regulate the handling of personal information by A4A (Arregui, Maynard and Ahmad 2016). A4A should determine which of its information is "personal" and handle that information according to the principles of the APPs.
The pieces of legislation applicable to this policy are: firstly, the Freedom of Information Act 1982; secondly, the Privacy Act 1988; and thirdly, the Archives Act 1983 (Zetler 2015).
The risk assessment process can be stated as a set of guidelines based on existing frameworks, as defined in the Australian Standard AS/NZS ISO 31000:2009 Risk management and the principles and guidelines of HB 167:2006 Security Risk Management. Risk assessment is a subjective process, and A4A should ensure that its defined process is justifiable, documented and transparent (Saint-Germain 2015). It serves several objectives: firstly, identifying the level of risk tolerance; secondly, identifying the specific risks to the employees, assets and information stored in the system; and thirdly, identifying the appropriate protection to mitigate the risks identified.
The risk assessment process should be consistent with the existing standards. To manage the risk assessment successfully, the whole process can be sub-divided into five key steps (Draper and Ritchie 2014):
Establishment of the Context: defining the external and internal influences that can directly or indirectly affect the implementation of the arrangement.
Identification of the Risks: developing a robust list of the identified risks that might affect the success of implementing this arrangement.
Assessment of the Identified Risks: after the first two steps, analysing the list of identified risks against the organisation's likelihood and impact criteria and its tolerances.
Selection of Proper Treatments: choosing the risk treatment strategies that are appropriate for A4A, including the controls for the identified risks.
Development of the Overall Risk Assessment: the last step, summarising the identified risks together with the mitigating measures or controls for each category of risk.
Figure 1: Risk Assessment Process. The figure shows the steps Establish Context, Identify Risk, Analyze Risk, Evaluate Risks and Control Risks, together with the ongoing activities Consultation and Communication and Monitor and Review.
(Source: Created by Author)
The assessment process to be implemented with the A4A system must address the security, organizational and strategic risk management contexts in order to eliminate all the existing risks. The security risk assessment will cover all facets of the organization's functions or activities (Whitman and Mattord 2013). For a successful risk management system it is necessary that the risk management is appropriate to the prevailing and emerging risk environment. Establishment of the context is a critical objective, as it provides the platform on which all the activities of the risk assessment are conducted.
The context of A4A can be stated as the internal environment in which the organization pursues its goals. The following objectives are included under this topic:
A4A must consider the aspects of the strategic context that are relevant to its situation, as these are the factors that feed into the risk assessment management process. These include, firstly, the relevant Australian regulation, policy and legislation responsible for safeguarding information about A4A's operational activities (Peppard and Ward 2016); secondly, potential jurisdictional and foreign-law access to information; and thirdly, the potential benefits of the offshoring or outsourcing arrangements being made to manage the systems that need to be installed.
Risk identification is used to determine comprehensively the applicable sources of risk and the events that have the potential to affect the business of the A4A organization. Each identified issue should be fully described so that decision makers completely understand what it is about. The A4A risk management team should determine the risks to the availability, integrity and confidentiality of the types of data saved in the information system, considering both the personal information of the employees and the operational data (Webb et al. 2014). As stated in AS/NZS 4360:2004, risk is defined as "the chance of something happening that will have an impact on the objectives".
Figure 2: Risk Tolerance. The figure plots increasing risk against a tolerance line, separating the tolerable risk region from the intolerable risk region, the latter marked as the scope for A4A.
(Source: Created by author)
This determination is made during the "Establishing the context" phase of the risk assessment process. Risk tolerance depends entirely on the organizational context of A4A and on the Heads of A4A. The tolerance level can be stated as the sum of A4A's risk appetite. Risk tolerance is based on the principle of managing risk to a level that is as low as reasonably practicable, while still allowing scope for innovation and flexibility in business practices. Boyens et al. (2014) state that it can be affected or changed by changing the evaluation criteria, which implies that the risk appetite of the head of A4A can vary depending on: firstly, prevailing community and political expectations and sensitivities; secondly, the nature of security incidents such as hacking, terrorist attacks, etc.; and thirdly, the emergence or existence of security trends such as cyber-attacks, data breaches, trusted insiders, etc. Other factors may be business or strategic priorities, the ability of the government, individual or organization to compensate losses and, last but not least, the availability of resources for treatment.
In order to establish the context in risk management, it is necessary to understand the nature of the vulnerabilities, the criticality and the relevant or potential threats. The questionnaire that can be included in this section to facilitate this can be listed as follows (Rebollo et al. 2015):
A4A can take into account the individual security plans when searching for information related to the risk identification process, given the information on information security that already exists.
Data Loss: the permanent deletion or loss of data, which could be the result of malicious activity or of an accident.
Data Breaches: information that is very sensitive for the organization could be leaked, stolen or manipulated by an unauthorized user (Peltier 2016).
Service Traffic or Account Hijacking: another potential threat, in which external entities eavesdrop on operational activities and manipulate data and transactions, through phishing or fraud, and return falsified information.
DoS (Denial of Service): this threat or attack can block users from accessing their applications or data, which affects the organization and its consumers too.
Insecure APIs (Application Programming Interfaces) and Interfaces: vulnerable interfaces may be exploited, both maliciously and accidentally, in a manner that circumvents the security processes.
Malicious Insider: formal insider stakeholders such as a contractor, a former employee or any other business partner who has or had authorized access to the A4A network can be a threat (Dhillon, Syed and de Sá-Soares 2017). This access can be misused for personal gain or profit, with a negative impact on the organization.
Insufficient Due Diligence: implementing cloud services in the A4A system without considering the vulnerabilities and weaknesses that the implementation introduces.
Shared Technology Vulnerabilities: cloud infrastructure components such as GPUs and CPU caches are vulnerable under scalable sharing practices if no design has been established for the multi-tenant architecture.
In order to completely understand the impact of the identified risks, proper emphasis should be placed on the vulnerabilities or causes through which the identified risks could harm the organization. To inform the risk assessment, it is essential to gauge the likelihood and the consequences of the risk events. Mapping risks helps divide the risks into categories by priority, which guides the allocation of resources to mitigate the identified risks (Beckers et al. 2013). Several considerations feed into the mapping of risks: the sectors affected by the risks, how frequently a risk occurs, the outcome of the risk eventuating, the individuals affected by the occurrence of the risk event, and the stakeholders involved in the risk assessment, including the impact of these risks on them.
After the risks have been identified, the assessment process is used to determine the level of each risk. There should be a holistic evaluation of the likelihood of the risk occurring, of the acceptable level of tolerance (as shown in the graph in Figure 2) and of the consequences of the identified risk events (Oppliger, Pernul and Katsikas 2017). To address the likelihood and consequence levels, the effectiveness of controls and the sources of the risk events should be properly considered. Risk assessment also takes into account the level of control and oversight the organization has over the management of its information. For example, A4A's confidential information about employees and operational activities can be assessed in relation to integrity, availability and confidentiality, including aggregation (Soomro, Shah and Ahmed 2016). The risks should be assessed on the basis of their potential impact on A4A in the sectors mentioned above, including all the stakeholders that might be affected.
This step depends entirely on the profile of the information about to be stored in A4A's information system. Information about donors, sensitive employee information such as bank account numbers, social security numbers and so on, all the transactional information and much other information is about to be stored in A4A's information system (Albakri et al. 2014). Exposure of such information could create privacy and security issues for the individuals related to A4A.
Evaluating the risks of unintended exposure of information about operational activities and employee data involves considering the risks in the context of the potential treatments and A4A's risk tolerance options (Yang, Shieh and Tzeng 2013). In many circumstances, unauthorized exposure of or access to the information stored in the system can be quantified almost entirely in financial terms, on the basis of the resulting loss of revenue, which makes it a matter of financial calculation. However, in these circumstances A4A can consider a wider range of factors, including the impact on the organization's reputation from the exposure of sensitive information such as employee data and data about the organization's operational activities (Feng, Wang and Li 2014). These factors make calculating the risk level complex, and acceptance of the risk resides with the head of the organization.
The security risks to the organization cannot be eliminated completely, but they can be minimized to an acceptable level, as security can never be absolute. The aim should therefore be to tolerate the threats within limits: the selection of risk treatments for the systems being introduced to store information should be proportionate to the rating level of the identified risks (Raghupathi and Raghupathi 2014). This can be divided into a six-step process in which A4A: firstly, prioritises the intolerable risks; secondly, establishes the treatment options; thirdly, identifies and develops treatment options; fourthly, evaluates the treatment options; fifthly, details and reviews the design of the selected options, also considering the management of residual risks; and sixthly, communicates and implements.
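The five-step process (establish context, identify, assess, treat, summarise), the likelihood and consequence analysis, the tolerance line of Figure 2 and the first treatment step (prioritise the intolerable risks) can be carried out on a small risk register. The following block is an added example written for this report, not a tool of A4A or of any cited standard: the 1 to 5 likelihood and consequence scales, the product score, the tolerance thresholds (15 and 8), the control-effectiveness discount and the sample register built from the threat list above are all assumptions made here to show the mechanics.

```python
"""Risk register for the A4A assessment: likelihood x consequence scoring,
residual risk after existing controls, tolerance rating and prioritisation.
Added example; the scales, thresholds and sample risks are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Likelihood(IntEnum):
    """Assumed 5-point likelihood scale."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    """Assumed 5-point consequence scale."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


# Assumed tolerance thresholds on the 1..25 score; they stand in for the
# tolerance line of Figure 2, which the report leaves to the head of A4A to set.
INTOLERABLE_AT = 15
TOLERABLE_BELOW = 8

FACETS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Risk:
    name: str
    facets: Tuple[str, ...]              # which of C/I/A the event damages
    likelihood: Likelihood
    consequence: Consequence
    control_effectiveness: float = 0.0   # 0.0 (no control) .. 1.0 (fully mitigated)

    def __post_init__(self) -> None:
        unknown = set(self.facets) - set(FACETS)
        if unknown:
            raise ValueError(f"unknown facet(s): {sorted(unknown)}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be within [0, 1]")

    def inherent_score(self) -> int:
        """Risk before controls: likelihood x consequence (1..25)."""
        return int(self.likelihood) * int(self.consequence)

    def residual_score(self) -> float:
        """Risk remaining once the effectiveness of existing controls is credited."""
        return self.inherent_score() * (1.0 - self.control_effectiveness)


def rating(score: float) -> str:
    """Map a score onto the tolerance bands: intolerable / treat / tolerable."""
    if score >= INTOLERABLE_AT:
        return "intolerable"
    if score >= TOLERABLE_BELOW:
        return "treat"
    return "tolerable"


def prioritise(register: List[Risk]) -> List[Tuple[str, float, str]]:
    """Register sorted by residual score, highest first, each with its rating."""
    rows = [(r.name, r.residual_score(), rating(r.residual_score())) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def intolerable(register: List[Risk]) -> List[str]:
    """Names of the risks to treat first (step one of the treatment process)."""
    return [name for name, _, band in prioritise(register) if band == "intolerable"]


def exposure_by_facet(register: List[Risk]) -> Dict[str, float]:
    """Aggregate residual risk per C/I/A facet to show where exposure concentrates."""
    totals = {facet: 0.0 for facet in FACETS}
    for r in register:
        for facet in r.facets:
            totals[facet] += r.residual_score()
    return totals


# Constructed sample register drawn from the threat list; the ratings are illustrative.
SAMPLE_REGISTER = [
    Risk("Data breach", ("confidentiality",), Likelihood.POSSIBLE, Consequence.SEVERE, 0.2),
    Risk("Data loss", ("integrity", "availability"), Likelihood.UNLIKELY, Consequence.MAJOR, 0.5),
    Risk("Account hijacking", ("confidentiality", "integrity"), Likelihood.LIKELY, Consequence.MAJOR),
    Risk("Denial of service", ("availability",), Likelihood.POSSIBLE, Consequence.MODERATE),
    Risk("Insecure API", ("confidentiality", "integrity"), Likelihood.POSSIBLE, Consequence.MAJOR, 0.5),
    Risk("Malicious insider", FACETS, Likelihood.LIKELY, Consequence.SEVERE, 0.25),
]

if __name__ == "__main__":
    for name, score, band in prioritise(SAMPLE_REGISTER):
        print(f"{name:<20} residual={score:5.1f}  {band}")
    print("treat first:", intolerable(SAMPLE_REGISTER))
    print("exposure by facet:", exposure_by_facet(SAMPLE_REGISTER))
```

The residual score is what the tolerance line is applied to, so a risk whose inherent score is intolerable can drop into the "treat" band once an existing control is credited; the per-facet totals show which of confidentiality, integrity or availability carries the most residual exposure and therefore where treatment resources should go first.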
A consultation and communication management plan should be established at a very early stage of the risk assessment, to determine which processes will be communicated to the internal and external stakeholders (Itradat et al. 2014). Proper and effective communication and consultation during the risk assessment help ensure that those responsible for the successful implementation of the risk assessment process, and those with a stake in the process, understand what decisions need to be made in order to assess the identified risks successfully and enhance the organization's performance. Any risk that could potentially affect the organization should be communicated well during the risk assessment process, particularly if it relates to A4A's employees. The perception of the stakeholders is also very important when communicating the identified risks during the risk management process.
This is also one of the important guidelines for information security risk management processes. The following are the facts that should be considered in this process:
At the final stage, A4A management should document all the considered, accepted and calculated security risks associated with the arrangements that are about to change within the organization (Haufe, Dzombeta and Brandis 2014).
The delegates and heads of the organization need to consider the risk assessment before transforming the whole system to a technological one. Ultimately, this implies that the head of A4A will also be responsible for managing risk in the organization, and for the understanding and acceptance of the risks that arise through transformation, outsourcing and cloud integration within the system (Luthra et al. 2014).
Conclusion
Based on the above report, it can be concluded that a proper management process is needed to enhance the information security system within an organization. The guidelines stated above can play a very important role in managing the information and data stored in the system and in keeping them secured and protected from unauthorized users, who could cause serious damage by exposing, manipulating or deleting the saved data. Cybercrime can be considered the most important information security issue, and these guidelines can prevent the organization from being looted by such intruders and protect its assets. In addition to the above guidelines, it is recommended that security levels be divided into categories based on the level of authorization or position. This could help in two ways: individuals in higher positions will be able to monitor those in lower positions, and the confidential information will be much safer. Through the guidelines mentioned above, A4A can achieve the highest level of security for the organization's information and be safer from any loss.
References:
Albakri, S.H., Shanmugam, B., Samy, G.N., Idris, N.B. and Ahmed, A., 2014. Security risk assessment framework for cloud computing environments. Security and Communication Networks, 7(11), pp.2114-2124.
Arregui, D.A., Maynard, S.B. and Ahmad, A., 2016. Mitigating BYOD Information Security Risks.
Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), pp.138-151.
Beckers, K., Côté, I., Faßbender, S., Heisel, M. and Hofbauer, S., 2013. A pattern-based method for establishing a cloud-specific information security management system. Requirements Engineering, 18(4), pp.343-395.
Boyens, J., Paulsen, C., Moorthy, R., Bartol, N. and Shankles, S.A., 2014. Supply chain risk management practices for federal information systems and organizations. NIST Special Publication, 800(161), p.1.
Dhillon, G., Syed, R. and de Sá-Soares, F., 2017. Information security concerns in IT outsourcing: Identifying (in) congruence between clients and vendors. Information & Management, 54(4), pp.452-464.
Draper, R. and Ritchie, J., 2014. Principles of security management: Applying the lessons from crime prevention science. Professional Practice in Crime Prevention and Security Management, p.91.
Feng, N., Wang, H.J. and Li, M., 2014. A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information Sciences, 256, pp.57-73.
Haufe, K., Dzombeta, S. and Brandis, K., 2014. Proposal for a security management in cloud computing for health care. The Scientific World Journal, 2014.
Itradat, A., Sultan, S., Al-Junaidi, M., Qaffaf, R., Mashal, F. and Daas, F., 2014. Developing an ISO27001 Information Security Management System for an Educational Institute: Hashemite University as a Case Study. Jordan Journal of Mechanical & Industrial Engineering, 8(2).
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. CRC Press.
Luthra, R., Lombardo, J.A., Wang, T.Y., Gresh, M. and Brusowankin, D., Citibank and NA, 2014. Corporate infrastructure management system. U.S. Patent 8,706,692.
Oppliger, R., Pernul, G. and Katsikas, S., 2017. New Frontiers: Assessing and Managing Security Risks. Computer, 50(4), pp.48-51.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Peppard, J. and Ward, J., 2016. The strategic management of information systems: Building a digital strategy. John Wiley & Sons.
Raghupathi, W. and Raghupathi, V., 2014. Big data analytics in healthcare: promise and potential. Health Information Science and Systems, 2(1), p.3.
Rebollo, O., Mellado, D., Fernández-Medina, E. and Mouratidis, H., 2015. Empirical evaluation of a cloud computing information security governance framework. Information and Software Technology, 58, pp.44-57.
Saint-Germain, R., 2005. Information security management best practice based on ISO/IEC 17799. Information Management, 39(4), p.60.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Sylves, R., 2014. Disaster policy and politics: Emergency management and homeland security. CQ Press.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & Security, 44, pp.1-15.
Wensveen, J.G., 2016. Air transportation: A management perspective. Routledge.
Whitman, M. and Mattord, H., 2013. Management of information security. Nelson Education.
Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 232, pp.482-500.
Zetler, J.A., 2015. The legal and ethical implications of electronic patient health records and e-health on Australian privacy and confidentiality law.