Information Security Standards - Example

SGA478A SYSTEMS SECURITY Name Date Table of Contents Activity 1b 5 Target organization 5 Activity 1c 6 Activity 2a 7 Basic Attack Tools 7 Activity 2b 8 Difference between vulnerability and threat, and identify 8 Vulnerability 8 Threat 8 Identify 8 Activity 2c 9 Terms of Contemporary Security Environment Protect, Detect and React 9 Activity 2d 9 Activity 2e 12 Standards for IT security environment 12 Activity 3a 12 Internal threat Damage 12 Activity 3b 13 Essential aspects of organization Need Protecting 13 Activity 3c 14 Current security environment within your organization 14 Activity 3d 14 Barriers to security in the majority of modern organizations 14 Combating security in the majority of modern organizations 14 Activity 4b 17 Existing vulnerabilities 17 Activity 4c 18 Existing threats to the project organization 18 Activity 4d 18 Current risk analysis strategies 18 Activity 4e 19 Cost of loss versus the Cost of prevention and recovery 19 Activity 6a 19 Advantages and disadvantages of threat prevention strategies 19 Advantages of threat prevention strategies 19 Disadvantages of threat prevention strategies 20 Activity 6b 20 Advantages and disadvantages of disaster prevention strategies 20 Advantages of disaster prevention strategies 20 Disadvantages of disaster prevention strategies 21 Activity 6c 21 Disaster Recovery Plan for your organization 21 Activity 7a 21 Relevance of the Management Continuum to security 21 Activity 7b 22 What is a security resource? 22 Activity 7c 22 Security Education and Training Requirements 22 Activity 8a 23 Relevance of planning theory to security planning 23 Activity 8c 23 Relevant principles for technical security planning, 23 Activity 9a 24 Needs analysis for a new security regime 24 Activity 9b 25 Relevant Statutory Requirements 25 Activity 9c 25 Baseline Project Plan 25 Activity 9d 26 9d Internal Stakeholders requirements for the security regime 26 Activity 9e 27 External Stakeholders requirements for security regime 27 Activity 11a 27 Industry standards 27 Activity 11b 27 Security Products and Vendors 27 Activity 12a 28 Operational security requirements 28 Activity 12b 28 Acceptance criteria 28 Activity 13a 28 Inputs into the security strategy 28 Activity 13b 29 Broad objectives and guidelines for the security strategy 29 Activity 14d 29 User and Data Security Hierarchies 29 Activity 16b 30 Control mechanisms 30 Activity 17b New Procedures for Controlling Security Provisions 30 Activity 18b 30 Implementation options for implementation strategy 30 Activity 19a 31 Relevance of Control Principles relevant to security planning 31 Activity 21b 31 Constraints in implementing technology solutions 31 Activity 22a 31 Existing requirements for new Protection Technologies 31 Activity 23a 32 Existing requirements for new Detection Technologies 32 Activity 24a 33 New Response Mechanisms for project organization 33 Activity 29c 33 Comment on the Learning Unit 33 Bibliography 34 Activity 1a In this age of technology businesses are more and more reliant on the new technology based systems. In this scenario we can be able to assess that businesses success being reliant on the information communication networks, which are able to offer enhanced characteristics like that integrated security, carrier-class reliability, plus QoS become even more important. Networks have to be built or upgraded with cautious consideration of the novel high-availability networking necessities intended for enhanced Communications Services and sharing. In case of new technology based systems establishment the businesses desire high availability in both network software and hardware. However network security issues are one of the main reasons in the lacking business network performance. Network security management is one of main issues for the possible enhancement of the business performance through rapid business communication and data interchange. Activity 1b Target organization TRANSCORP is a transport company that is having a well established business in the market. TRANSCORP business is presently evolved to huge extent and TRANSCORP management desires to offer their customer more enhanced services and facilities in case of potential enhancement to business. In this regard the TRANSCORP company is going to establish a new IT and IS based infrastructure at the business. In this scenario I have appointed as a management personal at this project. My responsibility is to inform the management regarding the new technology based system establishment at the business. Activity 1c TRANSCORP Transport Company is going to upgrade it present LAN network and going to initiate a new project for the possible enhancement of the business connectivity to it customer and business staff. In this scenario business is going to offer a remote access facility for the business at the LAN network. This facility will be really helpful for the business as well as for customers. However the remote access also brings some dangers in case of business operating and tasks handling. What needs to be protected? Business data Customer data Staff data Business reports Transaction Online financial and money transfer operations Activity 2a Basic Attack Tools In case of upgrading the TRANSCORP Transport Company LAN network and establishment of the remote access facility for the business we are having a lot of dangers and security considerations. In this scenario the main and fundamental security breaches and attacks that come into scenario of the online adversaries are listed below: Spamming Phishing Identity Theft Flooding Activity 2b Difference between vulnerability and threat, and identify Vulnerability Vulnerability is a flaw or weakness found in software as well as operating systems that fears try to exploit. Here we have some sort of technology flaw in our system that takes toward the possible attack in case of system operating and working. Vulnerability is fundamentally a flaw, or Achilles' heel, discovered in a system or program (Chris Loza, 2010), (Turban, Leidner, McLean, & Wetherbe, 2005) and (Ray, 2004). Threat Threats are wrong/virus files or programs that hit an operating system's or application's vulnerability to achieve right of entry to our computer. Threats come in a lot of shapes, relying on their form of attack (Chris Loza, 2010). Identify Identity is the individuality of someone. Identity can be the personal information or details those found on the internet, those can be used for particular access or system usage (Turban, Leidner, McLean, & Wetherbe, 2005). Activity 2c Terms of Contemporary Security Environment Protect, Detect and React In case of modern/Contemporary Security Environment we are having three main aspects or areas those are used for the network security management. Here we have Protect, Detect and React theory. Here for majority of organizations, a cautious technique engages determining a suitable level of protection, then making sure that some security breaches that do happen is able to be efficiently detected as well as countered. This usually means setting up a wide-ranging program by means of top management assurance, with clearly described roles and jobs plus through sufficient resources we need to react and protect the coming danger (Tpub, 2010). Activity 2d Legislation for IT security environment In this section I am going to present a list of main web based Legislation rules and acts those specified for the IT security environment. Here I have outlined their types and source and also act name1. Act IT security: Communications Act of 1934 updated 1996 Act For IT security Filed: Telecommunications Online Information Source: www.fcc.gov/Reports/1934new.pdf Act IT security: Computer Fraud & Abuse Act (18 U.S.C. 1030) Act For IT security Filed: Threats to Computers Online Information Source: Online Information Source: www.usdoj.gov/criminal/cybercrime/1020_new.html Act IT security: Computer Security Act of1987 Act For IT security Filed: Federal Agency Information Security Online Information Source: www.cio.gov/documents/computer_security_act_Jan_1998.html Act IT security: Economic Espionage Act Act For IT security Filed: Trade Secrets Online Information Source: www.ncix.gov/pubs/online/eea_96.htm Act IT security: Electronic Communications Privacy Act of 1986 Act For IT security Filed: Cryptography Online Information Source: www.itpolicy.gsa.gov/itpolicy/5.pdf Act IT security: Federal Privacy Act of 1974 Act For IT security Filed: Privacy Online Information Source: www.usdoj.gov/foia/privstat.htm Act IT security: Gramm-Leach-Bliley Act of 1999 or Federal Services Modernization Act Act For IT security Filed: Banking Online Information Source: www.senate.gov/~banking/conf/ Act IT security: Health Insurance Portability & Accountability Act (HIPAA) Act For IT security Filed: Health Care privacy Online Information Source: www.hhs.gov/ocr/hipaa Act IT security: National Information Infrastructure Protection Act of 1996 Act For IT security Filed: Criminal Intent Online Information Source: http://policyworks.gov/policydocs/14.pdf Act IT security: U.S.A. Patriot Act of 2001 – H.R. 3162 Act For IT security Filed: Terrorism Online Information Source: http://thomas.loc.gov/cgi-bin/bdquery/z?d107 Activity 2e Standards for IT security environment Here we are having a lot of global security standards regarding the protection and safety of the information security. In this scenario we have ISO 17799 standard that is most widely recognized security standard for the IT security environment. It is complete in its exposure of security matters as well as holds a considerable number of control requirements (macassistant, 2010). Another security standard is ISO/IEC 27001:2005 (that is also typically recognized as the ISO27001) is the most excellent IT security practice specification that facilitates businesses as well as organizations all through the world to build up a best-in-class IT security environment (itgovernance, 2010) Activity 3a Internal threat Damage In assessing a potential damage made by an internal threat in an origination in listed below: Personal Information Theft Identity Theft Information Leakage Business data hacking Privacy Issues Accessibility Problems Password Theft Activity 3b Essential aspects of organization Need Protecting In case of IT security framework establishment we are having a lot of aspects and areas those need to be protected and made safe in case of organizational environment are listed below: Business Data Customer Data Security Files Business transaction Passwords Network Access Points Staff information Access Identities Activity 3c Current security environment within your organization TRANSCORP Transport Company is selected as my present business for the analysis. In case of analysis of security aspects in the present state, it is assessed that business is having no proper security framework. Here we are having traditional antivirus systems for the management of the security and attacks. Here no updates of antivirus are performed. Activity 3d Barriers to security in the majority of modern organizations There are lots of barriers in case of present business areas regarding security of IT some of them are outlined below: Cost issues Time Issues Lack of interest Less capable HR Combating security in the majority of modern organizations Developing Interest Security Education Management Interest development Training for HR Security policy implementation Activity 4a Attack Tree 1 Network Access Attack Tree 2 Client Access Attack Tree 3 Virus Attack Attack Tree 4 Illegal Access to Business Database Activity 4b Existing vulnerabilities In case of TRANSCORP business we are having main existing vulnerabilities listed below: HR Information is less protected Existing passwords un-changed Viruses have corrupted the email servers Old staff still having business data access passwords Activity 4c Existing threats to the project organization In case of above mentioned security aspects we are having main below given society threats the TRANSCORP business: Business HR records wrong exploitation Business and corporate Information leaks Data hacking Illegal network Breaches Virus attacks Activity 4d Current risk analysis strategies In case of analysis of the present business situation we are having business technology and security risk analysis framework. In this scenario we need to pay attention in case of establishment of the business technology and security risk analysis frameworks so that these risks can be identified and mitigated in a better way. Activity 4e Cost of loss versus the Cost of prevention and recovery In case TRANSCORP business security breaches we can have huge business lose that lead to overall business failure. In case of customer data theft we can face huge business damage in case of promotions and customer reliance. The theft of business data in case of business transactions the overall business operations can be stopped. However in case of spending money for the prevention of any possible security attack we can have much better assurance and protection against the business operational areas. Activity 6a Advantages and disadvantages of threat prevention strategies Her I have listed below: Advantages of threat prevention strategies Business data protection Safety from outer attack Customer satisfaction Business transactions safety Data transfer security Prevention from outer attacks Disadvantages of threat prevention strategies High Cost Qualified HR recruitment More Time Required Huge Project establishment Activity 6b Advantages and disadvantages of disaster prevention strategies Her I have listed below: Advantages of disaster prevention strategies Business operational safety Customer satisfaction Data back No data loss Business data safety Disadvantages of disaster prevention strategies High cost expenditures Long establishment time Qualified HR recruitment (High Cost) Activity 6c Disaster Recovery Plan for your organization In case of protection of the business data and network for the TRANSCORP Transport Company Business we have the below given plan for the business Disaster Recovery: Safety and security software installations Proper Data backup Password updates Security updates for the antivirus application Activity 7a Relevance of the Management Continuum to security For the In case of TRANSCORP Transport Company Business new upgraded LAN will be established in this scenario we will conduct proper analysis of system and develop a main system security management report and policy that will be send to management for approval. Besides this we will also analyze the business new LAN up-gradation project at each phase and assess the performance of the project all through areas. In this we will be able to involve the management in phase of project in a much better way. Activity 7b What is a security resource? For TRANSCORP Transport Company Business we will use the following security resources: Business data backup recovery systems Business data safety systems Antivirus systems Upgraded Operating systems Activity 7c Security Education and Training Requirements TRANSCORP Transport Company we will require to implement a very competent security policy that involves the proper training and management of the HR of the business. This involves the development of awareness among the staff for the personal improvement and following the main security management guidelines. Activity 8a Relevance of planning theory to security planning In case of the TRANSCORP Transport Company relevance of planning theory to security planning is having garter means. In this scenario we are requiring to have a more enhanced resource allocation for the projects of the security management and implementation for the business. Here we also need to make sure that all business staff is more conscious to business security management aspects. Activity 8c Relevant principles for technical security planning, For TRANSCORP Transport Company business we will establish a firm technical security planning, in this scenario principle checklist to be used for your projects’ organization is listed below: Establishing effective management for Passwords Protection Enabling better Access Control Management for network access Implementing a new more effective Network Access Management Deploying more better Physical Access Management arrangement Implementing a more enhanced Acceptable Use of business resource and areas Managing a better Wireless Networking Security Administration Deploying and installation Security Software (antivirus and firewall) Activity 9a Needs analysis for a new security regime TRANSCORP Transport Company business new upgraded LAN network we will have following new security regimes: Enhanced protection of the business network Management of security accounts Transaction protection Online data management Business operational support Safe communication Proper backup mechanism International security standards management and fulfillment Activity 9b Relevant Statutory Requirements Statutory Requirements for TRANSCORP Transport Company are about the better business information management that is handled and managed in a much better way for the enhanced performance of the business. Business need to be stored in such means as to offer enhanced but protected access to all business users. Here business information management also requires accomplishing the suitable standards of the workplace security standards. Activity 9c Baseline Project Plan In case of TRANSCORP Transport Company business the base line plan is given below: Requirements Analysis Soft design Hard system design New system specification placement New system development approval New system development initiation Error control and standards management Quality assurance for new system User and Staff training Market support Going Live Performance analysis Activity 9d 9d Internal Stakeholders requirements for the security regime Business data communication Safety of data transfer Proper database Less complex business handling Network support Error handling Resource management Activity 9e External Stakeholders requirements for security regime Better security support Safe transactions Help and remote access Activity 11a Industry standards IEEE 802 standards 2 Activity 11b Security Products and Vendors Norton 360 Version 4.0 3 Activity 12a Operational security requirements In case of TRANSCORP Transport Company business we will require the main operational security requirements those can be about the protection of user accounts, safety of business data, user protection of accounts, smooth working, less breaches for of data hacking and no virus and data corruption. Activity 12b Acceptance criteria In scenario TRANSCORP Transport Company business we have established proper acceptance criteria that will involve the enhanced establishment of all early sated requirements. Activity 13a Inputs into the security strategy Business review Security analysis reports Business system specification Data samples Improvement specification reports Activity 13b Broad objectives and guidelines for the security strategy Business data protection User Security Management Business Staff Security Management Implementing Physical Security Enhancing business working standards Legal tasks management Safe transaction and data protection Activity 14d User and Data Security Hierarchies Customer Data Staff Data Business Management Data Business operational data Business transactions Activity 16b Control mechanisms Recording and controlling the business new system development through a proper document control procedure that will involve the enhanced management and handling of the business projects and operations. Activity 17b New Procedures for Controlling Security Provisions Implementing network firewall Installing new security updates Passwords upgrades Secure access control Network data servers for backups Activity 18b Implementation options for implementation strategy In scenario of new technology system application at the TRANSCORP Transport Company business we can use the implementation strategy that will gradually replace the old system and implement the new system. In this way our business working will be operational and we will also be able to implement the new system in a much better way. Activity 19a Relevance of Control Principles relevant to security planning The business security policy management and implement involves the control principle and security planning. Here both are having relevance in case of fulfillment of all security standards and completion of project within limits of time and cost. Activity 21b Constraints in implementing technology solutions For the TRANSCORP Transport Company business the implementation of new project for the LAN system upgrading involves some of constraints those are about the cost and time. In case of case of cost and time overrun overall project can fail and we can face huge business damage. Activity 22a Existing requirements for new Protection Technologies User Data scanning User transaction protection User account protection HR data preservation Business data protection Business dealing data protection Routine scan Data backups Firewall protection Antivirus upgrades Activity 23a Existing requirements for new Detection Technologies Scanning all incoming traffic Identifying any suspicious entry Nominating suspicious entry Inquiring suspicious entry Declaring threat Reporting system administrator Requesting for response and action Activity 24a New Response Mechanisms for project organization We can have following ways and means for the project organization response: Through email Through online notification Through message Through Fax Through analysis report Through periodic meeting Activity 29c Comment on the Learning Unit In this assignment we have presented a deep and detailed analysis of some of the main areas and aspects of new technology based system application and analysis for the some of main security aspects for the new LAN network up-gradation for the TRANSCORP Transport Company business. In this report I have outlined some of main aspects and areas and addressed possible security scenarios we can have in the TRANSCORP Transport Company business new system application. This research and analysis based report has offer us an opportunity to have more better analysis and understating new security threats, protection mechanisms and operation those can be performed to fix the possible security breaches and problems. This report has offered us an opportunity to address some of main issues in can of possible security laps of the business. I hope that this report will offer a more enhanced understating of all possible security aspects and areas for the new technology based system application for the TRANSCORP Transport Company business. Bibliography Chris Loza. (2010). Difference Between Threat & Vulnerability. Retrieved 11 28, 2010, from http://www.ehow.com/about_6662790_difference-between-threat-vulnerability.html itgovernance. (2010). ISO27001 Information Security Standards. Retrieved 11 28, 2010, from http://www.itgovernance.co.uk/iso27001.aspx macassistant. (2010). ISO17799 Made Easy. Retrieved 11 24, 2010, from http://17799.macassistant.com/ Ray, R. (2004). Technology Solutions for Growing Businesses. New York: American Management Association (AMACOM). Tpub. (2010). Implementing Computer Security: Protect, Detect, React. Retrieved 11 26, 2010, from http://www.tpub.com/content/cg1997/ai97123t/ai97123t0007.htm Turban, E., Leidner, D., McLean, E., & Wetherbe, J. (2005). Information Technology for Management: Transforming Organizations in the Digital Economy . New York: Wiley. Read More