Information Security: Principles and Practice - Assignment Example

Heading: Information Security Your name: Course name: Professors’ name: Date Question 1 PMBOK is an amalgamation of processes and knowledge areas. According to PMBOK (2000) project management techniques entails two broad sections, namely project management process and project management knowledge areas. The focus will thus be on a sub category of the knowledge area called project scope management. Project scope management encompasses the task of ensuring that the process required in completing one and only a particular task is completely done. In the management of project scope there are several vital activities that must be observed and executed. This is intended to have a successful project as per the standards with the aim of achieving the required deliverables at the end of the task. These activities take into account several stages during the project scoping 1) initiation of the entire project from the beginning through the study of the existing project(s) or formation of a completely new project. This must be accompanied by a proposal that describes exhaustively the rationale of the idea behind the viability and feasibility of the intended project. 2) Scope planning is in most cases associated with the process of defining the project deliverables on each stage of the project development and defining boundaries which the entire project is limited to. The scope plan must take into account the basics of anticipated deliverables, project constraints, contract document and assumption of the entire project. 3) Scope definition is one of the very vital activities that set the boundaries of a project. A project must have explicitly defined requirements that are boldly written in a requirement document so as to act as a guide. 4) Scope verification is an activity that is conducted to ascertain whether the project is viable and doable in given span of timeline. 5) Finally scope change is an activity that facilitate a modification to the project if need be. Question 2 During the analysis phase of SecSDLC, dedicated teams facilitate in ensuring that valid initial analysis of all security plans or agendas, with their known threats are unveiled. It is also at this phase that the analysis of existing permissible matters affecting the design of security mechanisms is indentified. This analysis stage also entails risk management which allows for a process that helps in the identification, assessment and critical evaluation of all the available levels of security threats facing an organization. Specialty cases of all the threats and information quality stored in the organization servers is also reviewed. According to Marks (2009), knowing all kinds of threat that you are vulnerable to in regard to the world of IT is significant in the establishment of a security policy. In this case of IT, threats will range from all the IT objects, entities, persons who either deliberately or unintentional cause harm to organization resources or even unauthorized computer program that is embedded on a genuine program running in computer. In regard to the IT sector, common and threatening attackers will consist of malicious computer programs such as Trojan, hoaxes, back door entry, password sniffer and cracking, brute force attack, Dictionary attack, spoofing, mail bombing and spamming. While indentifying the threat agents, is also important that you list and prioritize the risk posed by each category of threats and attackers. Luckily, one can adopt readily available study of threats which can be customized to fit the needs. According to Das (2006), to effectively manage the risk, then you need to identify and assess the information assets. In essence, the iterative aspect must be classified and categorized as per such elements such as systems, procedures, data, people and information. The next undertaking is to evaluate relativity risk of each data by conducting a risk assessment which assigns a proportional risk score to each specific information assets. Question 3 The business continuity journal has an example of data recovery plan used as guidance to recovery steps for lost data retrieval. This is a common plan that is depicted in a series of steps in a flow chart. Generally, the first element of the above plan entails assessment of both monetary value and significance of the data as an asset of an organisation. To achieve its objective, one has to assemble and classify the information assets into various categories of importance then ascribe each of the categories in terms of monetary cost so that in case of any disaster one can ascertain the loss in monetary values. This helps in identification of the magnitude of the disaster and allows use different data to report the budget of developing a backup solution for a company. The second element of the above plan is weighing and consulting an expert so that he or she can offer professional data recovery steps. This can be accomplished via getting in touch with an IT expert who is dedicated to data back-up and disaster recovery for assistance and advice on the disaster recovery planning. One can as well discuss the budget of conducting the backup plan with the same expert. The last element that is notable in this plan is coming up with policy guidelines for disaster recovery plan. One ought to establish procedures which all workers will stick to as regards the company’s data and then communicate the whole plan to the stakeholders. However, the above plan is inaccurate since it does not specify various important issues. The plan should have incorporated elements such as availability of globally set standards for IT DR process and also include testing of the plan via a pre-organized and impromptu test of the plan to ascertain the validity. Question 4 Harvard developed a comprehensive Enterprise Information Security Policy meant to protect its resources, property, integrity, privacy and confidentiality in relation to its information assets. The four aspects of the security are as identified below. Data integrity Integrity is the dependability of any information assets. That is, the information is free from unauthorized modification whether deliberately via malicious acts or accidental. It also concerns the fact that information comes from the correct source and not forged by an imposter. Data integrity also encompasses the concepts of data validity and that it can be relied upon in decision making (Stamp 2011). Confidential and Privacy Confidentiality is the process limiting data disclosure and access from leaking out to unauthorized individuals. This may be accomplished through the use authentication and authorization of any user who intends to access the data. For example, the use of password protected system allows only the users who are able to authenticate themselves. Data availability Availability is the availability of the information being sought by the users. A system which does not avail the information to user when needed in time is said to have failed the test of availability. Unavailability can also be caused by technicalities such as the poor communication, intrusion, damages, computer breakdown and software malfunctioning. In addition, it can also be facilitated by incidence such as wind, water and human reasons which could be accidental or deliberate. Prevention and detection Protection and detection is meant to cover the three aspects confidentiality, integrity and availability. The aim of this is to identify and uncover potential security threat and prevent any further damages. It is separated into those which are oriented in the prevention and then those that persist on revealing. The prevention and detection is dependent on circumstances at hand. Question 5 Sony an electronic firm, AmeriHealth a medical firm and Royal Bank of Scotland are the most recent victims of information security breach where by all its confidential data was exposed to the public as listed by the open security foundation on its website. Chris Potter an executive at PricewaterhouseCoopers said that less developed enterprise do suffer less security breach to an approximation of a quarter of all cases reported in the year 2008. On the other hand, large companies account for the other remaining three quarter in the same year. He went ahead to enumerate the average cost of security breach whereby the small firm had an average of £55,000 as compared to large firm recording £170,000 in 2008. Most of the attackers do focus their attention on financial, learning and government firms that host very sensitive data about individuals. This is evident by the open security foundation which at a glance shows that most of the attacks are targeting schools, hospitals, government offices and banks. This is because most of these institutions have very sensitive data about unsuspecting citizen. For example, the open security foundation listed several acts where a hacker hacks into the database with an aim of revealing the staff identity of an individual so that he or she can use it to access address, date of birth, names, and Social Security number of an employee and all the bio data from hospital record which in turn is used elsewhere for malicious act. Most small firms do have weak security systems that are less protected and therefore more affected to security breach than large firm who have enough resources to invest in their very vital security systems. Conversely, security threat in a small firm is less felts since their significance and dependence on it is of little consequences. In fact the effect to the business continuity is not affected and at some instance fails to be reported completely. References Business Continuity Journal. (2007). IT continuity. The IT disaster recovery plan. Retrieved September 2, from http://www.continuitycentral.com/feature0524.htm. Das, S. (2006). Risk Management. New York, NY: Wiley and Sons. Gregory, Peter. (2008). IT Disaster Recovery Planning For Dummies. New York, NY: John Wiley and Sons. Marks, D. (2009). Inside Story. London: A&C Black. Open Security Foundation. (2005). Datalossdb. Latest incidence. Retrieved September 2, 2011, from http://datalossdb.org/index/latest. Project Management Institute. (2000). A guide to project management Body of Knowledge (PMBoK Guide). Newtown Square, NS: Campus Boulevard. Stamp, M. (2011). Information Security: Principles and Practice New York, NY: Wiley and Sons. Read More