
Management and Information Security - Project Management Body of Knowledge - Assignment Example

Summary
The object of analysis for the purpose of this paper "Management and Information Security - Project Management Body of Knowledge" is the Project Management Body of Knowledge as a collection of processes and various knowledge areas which are involved in the project management discipline…

Extract of sample "Management and Information Security - Project Management Body of Knowledge"

Management and Information Security

Question 1

Investigate the Project Management Body of Knowledge (PMBoK). Write a report on one of the knowledge areas.

PMBoK is a collection of processes and various knowledge areas which are involved in the project management discipline. It is also an internationally recognised standard which provides the fundamentals of project management in areas which include construction, engineering, automobile, etc. Duncan (2010) describes PMBoK as involving five process groups and nine knowledge areas. The concepts are applied to projects, programs and operations. The processes involve the initiating, planning, executing, monitoring and controlling, and closing stages.

In this study, I chose to analyse project time management, which is one of the nine knowledge areas. This is an area that requires timely completion of the project. It involves activities such as activity definition and the sequence used. Every process in project management contains a set of inputs and outputs and the tools and techniques used in the process. The process describes the monitoring and control of time spent in a project. It describes the procedure used in the project step by step and shows how to use timesheets and time management logs to record how time is spent throughout the project. Time management enables managers to control the time that every employee uses in building deliverables. This increases the chance of delivering on time and according to the schedule (Richard, 2009).

Project time management enables one to have a process for recording time within projects and to make effective use of timesheets in monitoring staff and the time they take on every project. Richard (2009) shows that project time management also helps one to identify and resolve issues occurring in the time management of a project. Finally, it helps in keeping the project up to date.
The process of project time management is unique in various ways. For example, it lists the major steps taken in time management, and it also has a process diagram showing the time at which those processes are to be undertaken. The process sets out what every role and responsibility in the project involves, and it is also pre-completed, which helps ensure effective projects. It also saves time which can be used on other important activities. Project time management records the time spent by various people in the project, as it enables managers to identify the projects that have been worked on, when the work was done and how long it took to complete the project. The time management process is applied when one needs to record the time actually spent on the project and the time planned for the project. The tools and techniques used in the time management process include schedule network analysis, the critical path method, applying leads and lags, etc.

Question 2

Discuss the task of understanding potential threats which is part of the analysis phase of the SecSDLC. What are some ways to truly understand the enemy? How can you be sure you’ve covered all the bases?

The Security Systems Development Life Cycle (SecSDLC) is a methodology used by organisations to ensure that no steps are missed in project management. The process involves the identification of threats and the risks involved. It also involves the subsequent design and implementation of specific controls meant for countering the threats and assisting in risk management. The task of understanding potential threats starts with a directive from upper management which specifies the process, outcomes and goals of the project. It also includes the budget and some constraints involved in the process (Infosecurity Europe, 2010). It also involves the creation of security policies on which the security programs of the organisation are founded. The problem is analysed by a team of managers, employees and contractors.
These people define the scope, specify the goals and objectives of the project and identify additional constraints that are not included in the enterprise security policy. An organisational feasibility analysis is carried out which shows whether the organisation has the resources and commitment to conduct a successful security analysis and design. The development team formed during the investigation phase then conducts a preliminary analysis of the existing security policies as well as the current threats and associated controls. This phase also involves the analysis of relevant legal issues that affect the design of the security solution.

Bruc (2008) describes the analysis phase of the SecSDLC as also including a risk management stage. This stage identifies, assesses and evaluates the levels of risk that affect the organisation. These include threats to the security of the business and threats that may cause harm to information stored and processed by the organisation. It is therefore necessary to know the enemy and yourself, as this results in winning the battle, unlike in cases where one knows not the enemy or oneself.

A threat is seen as an object or person that causes constant danger to achieving expected results. There are various threats to information security as shown in the diagram below. The diagram above shows that an attack exploits a vulnerability, and this is facilitated by a threat that damages an organisation’s information. An exploit, on the other hand, is used in compromising a system, and a vulnerability is the weakness of a controlled system. The final step in knowing the threat is finding a method of prioritising the risk caused by every category of threat and the methods of attack.

To ensure that one has covered all the bases, it is necessary to adopt the value of information assets. This includes classification and categorisation of certain elements such as people, procedures, and software and networking elements (Bruc, 2008).
Question 3

Find an example of a disaster recovery plan. Write a report on the elements included in the plan. Is there anything missing that you think should have been included?

According to Brad (2009), a disaster recovery plan consists of various elements. First is the preliminary planning, which describes the purpose, scope and responsibilities relative to the plan. The second stage is the purpose of having a disaster recovery plan. Third, the scope describes the extent of coverage of the plan in clear terms. The plan also contains assumptions based on categories that can be established only after the completion of the risk assessment, including information such as the nature of the problem, the priorities taken and the commitment to solving the problem. Responsibilities assigned by management are also involved in the plan and should be documented.

It is also necessary to select the appropriate strategies after the risk assessment. Strategies are made since it is difficult to assess the critical systems to be maintained and the demand for resources for supporting the critical systems. These strategies have to provide a sufficient base at the emergency response stage. The base is where the procedures are devised to ensure an immediate capability to respond effectively to emergency situations. The other stage in the plan is backup operations, as most backup sites do not have enough equipment or supplies for sustaining complete operational requirements. It is therefore necessary to develop a more effective backup strategy.

The next stage in the plan includes the post-disaster recovery action. This shows that the strategy of recovery must be linked to the backup operations. A record of change should also be kept, listing changes in the document, for example the date of the change, its details and the person responsible for the change. The security of the plan should be available to the people affected. Preparation actions are also a major element in the plan.
The people involved should be included; for example, their names, addresses and contacts are required in any recovery scenario (Glen, 2002). Data on which recovery depends should be effectively recorded and stored in a safe environment, maintained as feasible and tested to ensure validity. A copy of the systems and application software programs should be stored at a secure place where it will be available when needed. Glen (2002) shows that rapid replacement of hardware should also be minimized and that the plan ensures the availability of needed hardware. The plan consists of LAN and WAN communication connectivity. Other elements included in the plan are supplies, backup sites free from external problems, the space or location of the recovery operation, power and environmental controls, documentation, and the action plan taken in response to an emergency, backup operations and recovery actions. Finally, there is the post-disaster review, which assesses the adequacy and success of the plan.

Question 4

Find an example of an enterprise information security policy. What are four important aspects of this policy? Determine how the policy might be used.

The policy has been applied to Kennesaw State University technology resources and associated communication to establish the minimum information security practices. The policy provides direction on security practices that ensure the confidentiality, integrity and availability of information. The important aspects of the policy include information security elements such as the systems and hardware that transmit information. The policy states that the University Information Security Office is to proactively reduce risks to electronic information resources through the implementation of controls designed to detect and prevent errors. It also shows that all data processed, stored and transmitted over the University networks should be held in great trust and afforded the greatest safeguards.
There is also the aspect of applicability, stating that staff, students, contractors or any other person using computer resources or communication networks owned by the University is subject to the policy (Harney, 2004). The policy also sets out the review schedule, showing that the enterprise information security policy will be reviewed annually by the office of the vice president for operations and the information security officer. Harney (2004) describes the authority aspect as showing that the authority to establish and enforce this policy rests with the office of the vice president for operations.

The assessment uses a subjective analysis based on informed opinion and helps in the identification of assets and the estimation of their value. A threat assessment is also necessary, which includes acts of nature, accidents and malicious acts originating from inside the organisation. This therefore ensures the effectiveness of the control measures and provides cost-effective protection without loss of productivity.

Question 5

Research three recent information security breaches. Do the main targets seem to be larger or smaller companies? Is there a particular industry that seems predominately targeted? Do you think breaches at smaller companies are just as likely to occur but not as likely to make the news? Explain your reasoning.

According to Ron (2010), information security breaches are capable of costing a country billions of pounds a year, as has been happening in British companies over the last two years. Research shows that data security breaches involving hackers and company insiders have significantly increased. Concern over information security breaches has led data protection commissioners in countries such as the UK, Canada and Australia to publish guidance on breaches. Laws modelled on this advice are also being formed by considerable authority. The laws require that institutions suffering breaches of personal information should notify people.
There is no particular industry that seems to be predominately affected by information security breaches, though more of the respondents who reported a breach were from the manufacturing industry. Research showed that every manufacturing respondent had experienced a malicious security breach in the year 2009. The study also showed that technology companies were less likely to have a security breach, though there were breaches reported (Ellen and Steven, 2008). Technology has however continued to evolve through the rise of cloud computing, virtualisation and social networks. It is therefore necessary for organisations to understand the various risks involved in information security.

Dhillon (2007) shows that, according to the information security breach report in 2008, 35 percent of companies had suffered a malicious breach, while in 2010 the rate had risen to 90 percent for large companies and 75 percent for smaller companies. This showed that smaller companies had suffered about 11 breaches while large companies had suffered 45 breaches.

I think threats at smaller companies are just as likely to occur but not as likely to make the news as those that occur in large companies, since in large companies there are more staff, which increases the likelihood of internal misuse (Infosecurity Europe, 2010). The other reason why large companies are mostly affected by security breaches is that their size and presence on the internet make them a more attractive target for external attackers. Smaller companies with few employees, of about 25 staff, are easier to monitor to ensure that the guidelines set are effectively followed. It is also easy to carry out risk assessment.

Information security breaches have increased the adoption of strong authentication and encryption. Ron (2010) shows that these have been adopted by about 74 percent in utilities, telecoms and financial services.
Organisations that need to meet the government requirements are more likely to adopt data transfers and removable media; however, organisations where government requirements are less explicit move at a slower pace in the adoption of the system.

References

Brad, E. (2009). The project disaster recovery plan, viewed 16 August 2011.

Bruc, M. (2008). How to make security and privacy fit together, Forbes.

Dhillon, G. (2007). Principles of Information Systems Security: Text and cases, New York: John Wiley & Sons.

Duncan, H. (2010). The Project Management Body of Knowledge (PMBOK), viewed 16 August 2011.

Ellen, N. & Steven, M. (2008). Hackers have attacked foreign utilities, Washington: CIA.

Glen, K. (2002). How to create a disaster recovery plan, viewed 16 August 2011.

Harney, J. (2004). Business continuity and disaster recovery: Back up or shut down.

Infosecurity Europe (2010). Information Security Breaches Survey 2010, Technical report, Earl’s Court, London.

Richard, Y. (2009). Project management, viewed 16 August 2011.

Ron, C. (2010). Information Security Breaches Survey: Attacks hit new high, viewed 16 August 2011.
