Threats And Vulnerabilities Analysis - Coursework Example

Threats And Vulnerabilities Analysis Figure showing Vulnerability Assessment Matrix   Object of Vulnerability   Physical Cyber Human / Social Enabling Infrastructure Attributes: Hardware (Data Storage, Input/Output, Clients, Servers), Network and Communications, Locality Software, Data, Information, Knowledge Staff, Command, Management, Policies, Procedures, Training, Authentication Ship, Building, Power, Water, Air, Environment Properties Leading to Vulnerabilities Design / Architecture Singularity         Uniqueness     inadequate security awareness   Centrality  Centralized network monitoring and control       Homogeneity standardized network architecture       Separability     mismanagement of subnets   Logic / Implementation Errors; Fallibility   insufficient testing     Design Sensitivity / Fragility / Limits / Finiteness       overloading of power Unrecoverability   Insufficient management of network and applications     Behavior Behavioral Sensitivity / Fragility   absence of audit trail     Malevolence     insider threats   Rigidity     lack of continuity   Malleability   unprotected passwords     Gullibility / Deceivability / Naiveté   insufficient trust models     Complacency unchecked user input   poor administrative procedures   Corruptibility / Controllability   Inadequate cryptographic controls     General Accessible / Detectable / Identifiable / Transparent / Interceptable     insufficient training   Hard to Manage or Control    Unauthorized software   overcrowded building Self Unawareness and Unpredictability       unpredictable power capacity Predictability common commercial hardware is well known common commercial software is widely known   Policy recommendation Introduction The Vulnerability Assessement Matrix, shown above, indicates the number of threats and vulnerabilities that the organization is likely to face. As the result, it is upon the institution to implement policies that would serve best in physical, technical and administrative safeguards of the system. The following section lists a number of policy statements that gives narration of the information security controls that could be used by the institution to implement recommendations for protection. The recommendations focus on major areas of the institutional operations including: Institutional Information, Information Systems, Computerized Devices, And Infrastructure Technology. The policy statements are applicable across all departments within the organization and they are categorized in terms of Information Security Plan, Physical Controls, Monitoring Controls, Technical Security and Access Controls, General Operational Controls, and Account and Identity Management Controls. Policy statements Information Security plan The top management is responsible for documenting and overseeing implementation of an Information Security plan. This would help in security the system and protection of data within the system, thereby thwarting intentions by any intruders. The Plan include the following: 1. The Security Plan shall delegate and plan responsibilities across the organization to the appropriate people. For instance, this shall cut across system owners and system operators. This way, there will be proper engineering of the system’s operation thereby avoiding vulnerabilities such as poor administrative procedures. 2. The top management shall integrate a plan that include timeline and landmarks for implementation. This will serve as a step for ensuring that every implemented strategy is carried out within the system engineering. 3. The organization’s approach meant for implementing the system security plan shall be described on the basis of department, functional and object type. This will be essential in assuring proper distribution of resources for managing the information system. Each critical object, for instance trust models, network architecture, passwords, shall be documented besides listing appropriate controls that would be implemented for each in the list. 4. To avoid the issue of hard to manage objects, the overseers of the Security Plan shall describe alternate or substituting controls that would be used in case the existing plan fails. The rationale for choosing each security control plan shall also be presented. General Operational Controls Apart from the information security controls, the team shall also implement general operational models that would integrate proper operational practice considered appropriate for the institution’s networks and information systems. The following are the policy statements that shall be considered: 5. The general operational plan shall integrate a fully equipped process for flaw remediation. This is essential in helping the company to adapt in case of the occurrence of any of the above mentioned vulnerabilities and threats. Further, the team shall develop countermeasure process for detection of malicious code or intrusion of unauthorized software that would otherwise paralyze the operation of the system. 6. A data protection shall be implemented together with a destruction process that would allow for practice of secure development. This shall serve as a step for ensuring integration of acceptable user standards. The team responsible for the process of shall also implement a business continuity to address case of inadequate continuity within the system. This will form a critical part in establishing a disaster recovery plan for the organization. Further, the organization shall strengthen this step by implementing secure development practices. 7. There shall be integration and implementation of secure development practices to help in fostering security within the system. This will act as a countermeasure for addressing instance of inadequate security awareness during occurrences of the threats. In addition, the secure development practices will be accompanied by a well-defined process for back-up and recovering of crucial data and software. The back-up system will help as a discourse for fighting the aftermath of any malware attack. 8. There shall be establishment of standards for the secure operation of the system. This shall include setting of maintenance and system build standards that would aid the organization in meeting the required threshold in relation to protecting the system. Further, the standards shall be set for technical architecture meant to support information security. Technical security and access controls This section of the policy statement shall deal with restricting access to important organization’s system and information in line with the company’s Privacy Policies and Standard. The controls are thereby defined by the following policy statements: 9. The management of the organization shall establish appropriate cryptographic controls required for offering protection. The protection of data, transmitted through the system, will be made possible since the use of encryption helps in fostering confidentiality. The cryptographic controls also help with authenticity and integrity of the data. Apart from the controls, the company shall also integrate the remote access process. 10. An authorization process for access shall be established for all the users. This will act as a step for protecting the institution’s system from unauthorized access. The authorization process shall also be activated for all the information systems. Besides the authorization, an authentication mechanism shall also be provided regulate access within the system. This will be provided for both the information systems and users. Protection measures for the network, system and application level shall also be ensured to help in proper application of the recommendations (Kane & Koppel, 2013). Monitoring controls This section will present policy statements that would help in defining event information that are to be logged and monitored (Warkentin & Vaughn, 2006). The policy statements will facilitate the determination of alert levels that are likely to be associated with incident response. The following are some of the policy statements: 11. A baseline measurement shall be established to help in evaluation of infrastructure protection performance. This shall be established for all the three aspects, that is Application, System and Network functionality (Warkentin & Vaughn, 2006). Through this, the organization will be in a better place for ensuring that all the milestones and limits set for successful operations are met. 12. A detection mechanism for intrusion shall be set to ensure that there is full protection against unauthorized access. The critical systems shall also be accessed on the basis for their monitoring capability. Processes for logging shall also be established for all the networks, applications and systems. This will provide a framework for avoiding cases of unchecked user input. Physical and identity management controls This section defines all the policy statements required for the security of data center, crucial information systems and institutional data (Warkentin & Vaughn, 2006). The policy statements defines and state way required to implement and maintain the physical controls as follows: 13. The organization shall preside over physical protection required for buildings that contain useful information and systems application. This will involve controlling access of the buildings by ensuring that only the authorized users can go in. a physical protection process shall also be established for crucial data systems and critical information used by the institution. 14. There shall be establishment of a verification and registration process to reside over confirmation of identity and eligibility of the users. This will be useful in facilitating procedures for background checking and hiring of new users. Control shall also be established for management of account life cycle meant for users and the systems. References In Kane, G., & In Koppel, L. (2013). Information protection playbook. Kidlingon, Oxford : Elsevier Warkentin, M., & Vaughn, R. (2006). Enterprise information systems assurance and system security: Managerial and technical issues. Hershey, PA: Idea Group Pub. Read More