A New Online Learning Platform - Case Study Example

IT Security Plan

• Introduction

Remarkable University is developing a new online learning platform. This plan's importance is that the platform integrates both existing and newly developed systems, and it has been developed to secure the University from online security threats. With the changing trend in the students' needs, especially in this period of COVID-19, having an online learning platform is critical for the University. The new online learning platform consists of a learning managing system (LMS) that supports online classes and discussions for instructors and students, which meets the University's needs in expanding its operations globally. Other features for this online learning platform beneficial to the University and students include front-end web and application servers, databases, and network channels.

This online learning platform has been developed with the organizational risk profile in mind. First, data hacking or modification is a significant risk as there might be unauthorized access to the students' and instructors' personal information. In the recent past, hacking has been on the rise as they have compromised the organization's security system [2]. Secondly, Denial of Service (DoS) attacks can compromise the network's use as it is programmed to shut down the system and prevent it from being accessed by the intended users. This is often accomplished by increasing the traffic to the target system, which triggers the system to crash. Thirdly, malicious codes such as worms are a threat to the University's online platform. Other security concerns are the phishing attempts and automated scanning and exploit tools.

Remarkable University understands the risks it faces with developing the new online learning platform for the relationship between the organizational policy. The IT security plan ensures that the new online learning platform in remaining secure, using appropriate access controls, enforcing the least privileges, and ensuring that the information flowing to and from the platform is protected [3]. The development of the new online learning platform aligns with the above organizational policy. The protection of the IT system can ensure that its operation runs effectively and smoothly without any interference.

• Key IT Assets

The key assets refer to the resources possessed by an organization and play a critical role in their business. Organizations depend on key IT assets to create value for the customers and other relevant stakeholders. The key IT assets of the Remarkable University can prove crucial in determining its competency in the online learning platform. Identifying the key IT assets is the first step in developing an appropriate IT management plan.

The desktop and servers in the University are considered to be part of the IT assets' hardware. They provide users with access to the information presented. Other considerations are IoT sensors, virtual machines, and cloud services used to store data for the University. The hardware assets should be optimized and uniquely identified for ease of management and monitoring of the assets. IT administrators should keep information for the hardware information regarding the warranty, maintenance, and asset vendor name. Other relevant information to be captured includes the serial number, asset name, ownership, asset role, and the software installed on the asset acquired.

For the software used, Remarkable University relies on e-learning software such as the TalentLMS and Tovuti, which are cloud-based platforms that facilitate the University to develop online courses. They are useful in supporting the students in their learning process. Also, Remarkable University can utilize the Blackboard Learn services in providing the students and instructors with an interactive platform towards sharing the learning materials and conducting assignments and exams.

Data assets for the University include computer systems and databases, web pages, application output files, and documents. Data IT assets are used to store information for the company, which is essential when considering the future use of the data. The integrity of the stored files and data integrity is another critical IT asset that should be assessed for risk [3]. In Remarkable University, large volumes of vital data and information are stored in various documents and file servers. These are kept on either a specified database or individual files, and thus, their integrity is important for the University. These data also contained important information regarding the student's details, financial obligations of the students, instructor's personal information, and grades

.

The email was identified as another critical asset for Remarkable University. Many universities rely on email to communicate and interact with the students and instructors in the current technologically advanced business environment. Specifically, approximately 90% of the student and instructor interactions will use email. The email is used to communicate between the relevant external stakeholders and conduct the majority of internal communication.

• Risk Assessment

Risk assessment is an essential process in evaluating the vulnerabilities and threats that can affect the assets of businesses and organizations. It is an important step that can help inform the company on the appropriate measures to help mitigate risks and ensure that the company's operation is not affected. In IT security planning, companies need to consider the common risks that could significantly impact their core businesses and identify an appropriate solution to mitigate their chances of happening. The risk assessment for Remarkable University considers four main security areas that include user authentication and access control, software security, web, and network security and system, and other security. Remarkable University should determine the significant risks to its key assets and their chances of occurrences and the consequences. This can help prioritize the risks based on their impacts and facilitate appropriate decision making in the best way to manage and control the risks [10].

3.1. User authentication and access control

The user authentication and access control for the University's IT hardware are mainly managed using a strong password. Risks associated with user authentication usually affect the hardware system. The four risks associated with user authentication and access control include branded exploits against customers, physical threats, compliance incidents, and executive threats or impersonations. These risks can compromise the operation of firms.

3.1.1. Weak Passwords

The branded exploits are significant risks under this category, where the risk of not using a strong password on the e-learning platform can facilitate the hackers to predict the possible values of the password and access the platform. Where the user fails to use a strong password during registration, they can compromise the e-learning platform's security and thus interfere with the branding of customers. Only authorized individuals are required to access the online learning platform, including the students and instructors. Upon payment of registration fees, students are given the login details and the passwords, and they are authorized to access the hardware system. With current changes in the technological environment, organizations now depend on the internet (local area network -LAN) to connect with the different hardware, which exposes them to risks of unauthorized access [5].

3.1.2. Open Connection

Physical risks are also another area that can be compromised due to unauthorized access to the computer database system. Secondly, when using an open connection in accessing the e-learning platform can compromise the access control of the e-learning platform. Currently, the University uses the LAN to connect with the various IT hardware, including the laptops and desktop, and the security system for network access has been entirely undertaken to address the problem.

3.1.3. Executive Risks

Executive risks or personification can also impact on the performance of the e-learning platform. The expiration time on the website being accessed should be managed, and one should understand that the password should not be saved. There is a risk of other people accessing the information presented on the website where the expiration time is not managed. The validity of the information should have a specific period for expiration. The rise in cybercrime exposes the danger of security risks to the assets of the institution [9]. As a result, the interference of the control system of Remarkable University can have several consequences, such as affecting the safety of the students and instructors using the online learning platform.

3.1.4. Risks of Multiple Log-ins

The compliance incidence is the fourth risks associated with user authentication and control. Having multiple logins can compromise user authentication, which can have an implication on the security level and affect the system's overall security. The company's essential compliance documents can be affected by unauthorized access to the company's computer system. The bulk cooling, ventilation, and fire protection are possible areas that can be hugely affected by attacks. Furthermore, events such as environmental damage can lead to damages to the learning institution's hardware. Where the data is not fully backed, the Remarkable University can lose its data.

3.2. Software Security

The other risk identified as a threat to the online learning platform for Remarkable University is the e-learning software. The software security can expose the company's e-learning platform by exposing it to four main risks that include loss of data and other learning materials.

3.2.1. Loss of data and e-learning Materials

The first risk under this category is the loss of data and other e-learning materials. The University's e-learning platforms provide a link in which the authors can share their original materials such as journal papers and books, among others. However, the authors have refrained from providing their content to the e-learning platforms. They fear that the contents can be processed and duplicated and distributed to unauthorized students without their consent. Also, there is fear that hackers can destroy the lecturer's notes and home assignments, which affects the students' grades.

3.2.2. Instructors’ failure to Guide Students

Loss of contacts with the relevant stakeholders such as students, lecturers, and parents connected to the e-learning platform. Essentially, the instructors face a risk of not providing students the necessary support they require. As the discussions are mainly undertaken using discussion forums, understanding each student's weakness can be a problem as there is no maximum interaction of the students. Another risk facing the instructor using the e-learning platform is the credibility of the examination, with students having the possibility of cheating.

3.2.3. PC Affected by Virus

The virus attack is another software risks that can affect the e-learning platform. The e-learning platform manager assigns people the task to perform operations such as indexing, resourcing, and alteration. There is the risk of the individual PC and service being infected with viruses when emails are received. The people tasked with managing the system are unable to detect the problem [8]. Physical security can also be compromised, and intruders can access the hardware system such as the laptop and desktop and transfer information illegally. Damages to LAN and Wide area network (WAN) can cause delays in the e-learning activities, affecting the completion of course with the stated time.

3.2.4. Nature of Materials to Assess

Finally, students face risk in understanding the nature of the material that they need to access. Information stored in the e-learning platforms cannot be accessible without the login details, but students can give the third parties the log-ins details. Due to the attacks on these systems and the associated consequences, the rating was concluded as high to moderate. The attacks on the e-learning platform materials can cause severe damage to the organizational assets and thus compromise its performance.

3.3. Web and Network Security

3.3.1. Software Vulnerabilities

The other critical key assets identified were the integrity of the information stored in various databases and documents. The first risk under this category is the unauthorized access to the computer database and system. The information stored can be exposed to the risks of unauthorized access by third parties. According to [6], the unauthorized access and use of database and file systems have been rated as a leading computer crime. Both the external and internal entities can compromise the University's data and files. These assets' attacks can be fraudulent and malicious acts, modification, unintentional deletion, or confidential information disclosure.

3.3.2. The Computer Virus

The second risk is computer viruses, which have been one of the devastating security risks reported globally. For the universities that do not have strong anti-virus, this can have an implication on the contents stored in the computer system [11]. Software vulnerabilities can affect network security. However, these IT assets are protected by the University's outer firewall, reducing their likelihood of occurrence. Despite this, the data of Remarkable University can be compromised when there is a successful attack on these systems and assets.

3.3.3. Hacking

The third risk is hacking the computer system. The hackers can have an impact on the network security of the University. Remarkable University is concerned with implementing policies that can address the problem of hacking of its system. Regarding internal attacks, Remarkable University has appropriate policies and rules that govern these assets' accessibility and use. However, given that the University has enormous data and information to store data such as desktops, servers, and laptops, compliance might be difficult to achieve [12].

3.3.4. Financial Loss

The risk of financial loss is under the category of web and network security. Also, the consequences of the attack of these databases can be enormous due to the University's financial loss and image. The financial costs of recovering the information and data are high. Also, the attack on these files can have some legal implications for the University. Given the impact and consequences of the security threats stored data, it is concluded that the risk is high. Finally, employees can breach the security system of the University without realizing it. Most of the employees that are considered to be trustworthy tend to breach the security system intentionally, and this can cause devastating problems to the company. It is crucial to ensure that the employees understand their roles in the organization and secure the files that should be shared [13].

3.4. OS and other security

3.4.1. Risks of Confidentiality Integrity of Information System

The last asset identified as a source of IT security vulnerability is the confidentiality and integrity of the mail services used by Remarkable University. With the need for University to adopt new technologies in communication, online learning platforms find it appropriate to use online platforms to interact with each other. There is an increase in the use of online communication platforms by many firms due to its cost-effectiveness and efficiency. Remarkable University depends on email services as a means of communication between the students and the lecturers. As a result, it must keep its email services safe from attack by specific cyber threats and vulnerabilities.

3.4.2. Risks of Mail Worms

Without implementing an appropriate email system, the efficiency in sharing the learning materials by the University can be affected. According to [7], many firms have suffered the failure of their email services and systems due to the email worms. Also, there are new and emerging exploits that are transferred through the emails. These have caused alarms of vulnerabilities in many systems and applications that firms nowadays use in their operations.

3.4.3. Risk of External Aggression

Arguably, the high dependence of email by Remarkable University, including the University's regular opening and exchange of email, implies the increased chance of compromise is high [6]. Although the University does filter its email within the Internet gateway, there is a high likelihood that some exploit will penetrate. The attack of the email system of the University is also associated with several consequences.

3.4.4. The risk for Damage to Reputation

The University can lose confidential information that can lead to a loss of reputation and image in the e-learning sector. Based on the analysis of the University's email system's risks, the Remarkable University must identify appropriate strategies to help address such issues. The risk rating on the email system based on the analysis of its impact and consequences is high.

Risks Register

Domain

Threat/ Vulnerability

Likelihood

Consequence

Level of Risk

Risk Priority

User authentication and access control

Not using a strong password, using an open connection, not managing the expiration time on the website, and having multiple logins

Possible

Major

Extreme

1

Software security

Authors not submitting books, Instructors not guiding the students, PC infected by virus, and nature of the material to be accessed

Possible

Moderate

High

2

Web and Network security

Computer viruses, software vulnerabilities, hackers, and employees breaching the security system.

Almost certain

Minor

High

3

OS and other security

Hacking, computer viruses, unauthorized access, and multiple log ins

Rare

Minor

High

4

• Security Strategies

Based on the findings of the risk of the key assets of Remarkable University, it is evident that the majority of them are exposed to varying risks and vulnerabilities. As a result, the University needs to identify appropriate risks to mitigation strategies that can reduce their chances of occurrences and consequences [6]. Thus, the next step in the IT security management process is identifying possible control measures. The essential findings are that most of the University's IT system has not been appropriately updated, and there are high potential unpatched vulnerabilities. This shows that Remarkable University should focus on particular control mechanisms such as regular and systematic maintenance of all the applications and operating systems software on the servers and the e-learning platforms. Specific securities strategies should be applied to address the particular risks of the IT system of the University.

4.1. User authentication and access control

The first risk of not using strong passwords can be addressed by relying on different characters when formulating a strong password. Normally, it is advisable to use a unique password from those used in other sites such as email accounts or social media platforms. This ensures that it is difficult to predict the password within the e-learning platform by the hackers. It secures an individual from the possibility of a loss of data and information [3]. It is essential to use an extensive set of values and ensuring that the values are unpredictably spread to minimize the possibility of being predicted. Secondly, the risk of open connection should be avoided, which should be minimized in addressing security issues. For instance, the HTTPS protocol should not be used without assessing the security features as this has an implication on the username-password lock as the hackers can access it. The e-learning university contents should not be accessed using an open connection as this will compromise the authentication security. A strict security audit of the site to be accessed can ensure that it minimizes access to the personal data. The risk of authentication can be managed when observing the malicious sites and not using an open connection.

Thirdly, for the expiration time of access to the e-learning platform, the user should use the automatic expiration time. This will prevent malicious access to the website when there is access to the students' information. As a result, the interference of the control system of Remarkable University can have several consequences, such as affecting the safety of the students and instructors using the online learning platform. The application that is used should rely on the idle time associated with the user activity. There should be informed consent when the student is inactive, and there is someone else interested in logging into the system. Finally, having an effective control mechanism ensures that the operations' credibility is achieved, and this facilitates the success of the policy framework undertaken [4]. The best strategy to be enacted should be based on focusing on the security of the operations' activities. Port scans should be assessed, which will minimize attacks from being initiated from outside to the company's computer system. There should be access control mode and a strong password for all the university's hardware devices, which improves the credibility of the services offered.

4.2. Software Security

The top priority risk of the University is the integrity of the stored documents and database information. The leading cause of this risk is attributed to the fact that the majority of the information can be accessed on the e-learning platform, which cannot be fully regulated. In essence, the student's information on the applied courses is essential in determining the consistency in the information being shared. The first strategy to manage this risk is to store all the documents and files on a small pool of file servers and applications [10]. As a result, it will easy to manage such a storage system using the appropriate protocol and applicable policies and controls. There is also a need to conduct an audit to know the individuals responsible for specific files to limit unauthorized accessibility and usage. The policies should also be enacted to govern how the key files should be created and stored on the central servers. This implies that the current organizational files should be transferred to the central servers for proper management, monitoring, and control [13]. The University should also embark on appropriate training programs for all the employees regarding storing the essential documents and data safely.

4.3. Web and Network Security

Web and network security have been a significant challenge in the University, and importance should be placed on managing the university's network towards improving its credibility. First, for computer viruses, Remarkable University should address this problem by having strong anti-viruses such as Kaspersky, as this will necessitate the security process of the network and platform. Most of the e-learning institutions have failed to develop a framework that will improve the operations' quality. The information in the University's records can be secured using the anti-virus. Secondly, software vulnerabilities can be addressed using a reputable company's software that cannot be hacked easily. This improves the credibility of the operations and minimizes the possibility of software security being compromised. Thirdly, the e-learning system's hacking has been on the rise, and the management should ensure that there are substantial security measures that prevent hacking of the system. Finally, the employees breaching the security system can be addressed by developing a policy that aids in mitigating this problem and ensuring that the employees align their interests to the university's objectives.

4.4. OS and other security

Hackers can compromise operating systems, and security measures should ensure that systems are not easily accessed. This is important in maintaining the available devices for security purposes, and this is influential in meeting the controls required towards implementing the credibility of the operations. It was noted that Remarkable University uses email service as the primary means of communication and thus is a priority IT risk area. The best strategy to reduce this type of risk is to use appropriate controls such as the ones related to malicious code protection and spyware and spam protection on the client IT system. Also, the incidence response and contingency planning can be applied to reduce this risk. There is also a need to introduce system for backup and recovery of files in the event of an attack.

Implementation Plan

Domain

Risk (Asset/Threat)

Level of Risk

Recommended Controls

Selected Controls

User authentication and access control

Not using strong password

High

Auditing monitoring and analysis

Data backup and recovery

Using an open connection

Extreme

Management policies and procedures

Data backup and recovery

Not managing the expiration time on the website

High or Moderate

Covered by general controls

Covered by general controls

Having multiple log ins

Minor

Management policies and procedures

Monitoring of the devices

Software security

Authors not submitting books

Minor

Management policies and procedures

Monitoring of the devices

Instructors not guiding the students

Minor

Management policies and procedures

Monitoring of the devices

PC infected by virus

High or Moderate

Covered by general controls

Covered by general controls

Nature of material to be accessed

Minor

Management policies and procedures

Monitoring of the devices

Web and Network security

Computer viruses

High or Moderate

Covered by general controls

Covered by general controls

software vulnerabilities

High or Moderate

Covered by general controls

Covered by general controls

Hacking

High

Auditing monitoring and analysis

Data backup and recovery

Employees breaching the security system.

High or Moderate

Covered by general controls

Covered by general controls

OS and other security

Hacking

High

Auditing monitoring and analysis

Data backup and recovery

Computer viruses

High or Moderate

Covered by general controls

Covered by general controls

Unauthorized access

Minor

Management policies and procedures

Monitoring of the devices

Having multiple log ins

Minor

Management policies and procedures

Monitoring of the devices

• Implementation

After recommending the appropriate strategies to address the security risks, Remarkable University should embark on the implementation process. The company needs to ensure a successful implementation process. The implementation process should start with the training of employees on the new security solutions being implemented. The training should be focused on the unique needs of the company [1]. Also, there is a need to identify the residual risks that can hinder the implementation process. This can include the risk of employees unwilling to accept the changes. This can be solved by appropriate training and motivation of the employees to take part in the process. The training of employees can ensure that adequate measures are undertaken to help address the issue. The employees should be issued sufficient steps to ensure that they engage in practices to improve IT management strategies.

Remarkable University needs to implement measures that prioritize the training of the involved employees on the online learning platform's management. The review of the updates available to the software used in the e-learning platform should be frequently undertaken in complying with the changes in technology. For instance, Blackboard Learn's canvas should be continually updated in meeting with the security changes, and this requires training of the staff on the implementation process of this platform. Also, the implementation process can include changes in the organization's culture. Remarkable University should change its culture in integrating the new technology. The employees should be informed on the changes to be implemented as this improves the university's data and information security. The proper monitoring, management, and maintenance strategies should also be put in place to reduce security risks and other vulnerabilities.

The desktop and servers in the University are considered to be part of the IT assets' hardware. They provide users with access to the information presented. Other considerations are IoT sensors, virtual machines, and cloud services used to store data for the University. The hardware assets should be optimized and uniquely identified for ease of management and monitoring of the assets. IT administrators should keep information for the hardware information regarding the warranty, maintenance, and asset vendor name. Other relevant information to be captured includes the serial number, asset name, ownership, asset role, and the software installed on the asset acquired.

For the software used, Remarkable University relies on e-learning software such as the TalentLMS and Tovuti, which are cloud-based platforms that facilitate the University to develop online courses. They are useful in supporting the students in their learning process. Also, Remarkable University can utilize the Blackboard Learn services in providing the students and instructors with an interactive platform towards sharing the learning materials and conducting assignments and exams.

Data assets for the University include computer systems and databases, web pages, application output files, and documents. Data IT assets are used to store information for the company, which is essential when considering the future use of the data. The integrity of the stored files and data integrity is another critical IT asset that should be assessed for risk [3]. In Remarkable University, large volumes of vital data and information are stored in various documents and file servers. These are kept on either a specified database or individual files, and thus, their integrity is important for the University. These data also contained important information regarding the student's details, financial obligations of the students, instructor's personal information, and grades

.

The email was identified as another critical asset for Remarkable University. Many universities rely on email to communicate and interact with the students and instructors in the current technologically advanced business environment. Specifically, approximately 90% of the student and instructor interactions will use email. The email is used to communicate between the relevant external stakeholders and conduct the majority of internal communication.

• Risk Assessment

Risk assessment is an essential process in evaluating the vulnerabilities and threats that can affect the assets of businesses and organizations. It is an important step that can help inform the company on the appropriate measures to help mitigate risks and ensure that the company's operation is not affected. In IT security planning, companies need to consider the common risks that could significantly impact their core businesses and identify an appropriate solution to mitigate their chances of happening. The risk assessment for Remarkable University considers four main security areas that include user authentication and access control, software security, web, and network security and system, and other security. Remarkable University should determine the significant risks to its key assets and their chances of occurrences and the consequences. This can help prioritize the risks based on their impacts and facilitate appropriate decision making in the best way to manage and control the risks [10].

3.1. User authentication and access control

The user authentication and access control for the University's IT hardware are mainly managed using a strong password. Risks associated with user authentication usually affect the hardware system. The four risks associated with user authentication and access control include branded exploits against customers, physical threats, compliance incidents, and executive threats or impersonations. Read More