Information Security Management of Zayed Air - Case Study Example

Zayed Air Information Security Management Proposal

Company Overview

Zayed Air is a small, low-cost airline whose head office and operations are at Dubai International Airport. The company is a relatively new airline that is currently expanding its services all over the world. Zayed Air has a total fleet size of 30 and currently serves about 50 destinations. The following are the information assets of the company in the physical, human and cyber functional areas:

1. Security management of human resources
2. Organization, roles and responsibilities of the information and security modules
3. Management of communications and operations
4. Access control
5. Incident management for information security
6. Continuity of operations management
7. Environmental and physical asset security management
8. Information systems acquisition, maintenance and development
9. Compliance management

Zayed Air has the following interdependencies:

1. Airside operations
2. Landside operations
3. Fleet management
4. Check-in
5. Security systems
6. Transaction processing system

Contingency Planning

Business Impact Analysis

Business Impact Analysis (BIA) is the foundation that the Business Continuity Plan (BCP) is built upon (Wallace & Webber, 2010). The process ascertains, quantifies and also qualifies the impact of the loss of the business (Hiles, 2004). Through BIA, an appropriate continuity plan can be constructed. BIA is conducted before the BCP is rolled out. The BIA will be prepared after determining the impact of not delivering the identified functions at Zayed Air; to determine this, an Impact Assessment will need to be conducted. The template for the Business Impact Analysis is described below. The BIA will start with the function heading, followed by the head count. The head count is the number of full-time employees in the business function.
The third column heading will list the principal activities that are carried out in the function. It will clearly indicate those functions that will be affected by the stoppage of service activities. Priority ranking will be a subjective ranking of the service process on the basis of its criticality to the Zayed Air business. The Recovery Time Objective (RTO) is the time needed to return to normal after a disruption has occurred. The Recovery Point Objective (RPO) is the time at which the function should have returned to normal operation after an interruption. The next heading, "Parent Process Relies on", will identify the process or the organization that the process needs in order to function efficiently. That is important as it will highlight the dependencies of the service. The last column heading will list the processes that need the parent process in order to function adequately.

Business Impact Analysis template (column headings):

Function | Head Count | Principal Activities | Priority Ranking | RTO | RPO | PP Relies on | PP Required by

Incident Response Plan

An Incident Response Plan is a prepared document that gives direction on the approach that should be taken to address and manage incidents.

1. An incident occurs.
2. The first individual to encounter the incident at LOCATION employs the local emergency procedures and informs the local Incident Assessment Team (IAT).
3. The local IAT comes together, performs an inquiry on the incident through a checklist, and ascertains whether the IAT should also inform the public authorities and dial the emergency number.
4. If needed, the IAT will notify and activate the local Incident Management Team (IMT). The IMT ascertains a point of contact (POC) for the event. The POC starts the process of notification.
5. In the event of an urgent safety risk to life, the Incident Management Team Leader and the other staff in their team shall act to make sure they are safe and communicate when they are.
6. Immediately, the IMT Point of Contact contacts the Regional Incident Manager (RIM) by phone and the Center for Threat Assessment about the event.
7. The Center for Threat Assessment institutes local incident direction, evaluates the development together with the IMT POC, and informs senior management about the incident.
8. The Regional Incident Manager informs their IM Team of the event.
9. The Center for Threat Assessment ascertains whether the situation entails escalation, on the basis of contributions from the IMT and the local Damage Assessment Team.
10. Presuming the circumstances merit escalation, the IMT analyzes the situation, informs the Regional Incident Manager and the Center for Threat Assessment, and starts the declaration process for a disaster.
11. If there is no declaration of a disaster, the IMT point of contact directs the Regional Incident Manager and the Center for Threat Assessment.
12. If a disaster is announced, the IMT:
   1. informs the Regional Incident Manager and the Center for Threat Assessment;
   2. initiates the Emergency Operations Center (EOC);
   3. initiates the plan for BC-IM;
   4. starts the procedures necessary for emergency response.
13. The Center for Threat Assessment consults with the RIM on the incident. Feedback from the Center for Threat Assessment is communicated to the point of contact for the local IM Team.
14. All Zayed Air employees are informed of the incident and the status of the operation.
15. The business continuity and incident management plans carry on until the incident is resolved.

Source: SearchDisasterRecovery.com

Disaster Recovery Plan

The plan for recovery from a disaster addresses how the resources, infrastructure, and applications will be brought back to normal, optimal operation after an incident (Wold, 2006). The plan is part of the business continuity planning process.
Disaster Recovery Plan template (outline):

SYSTEM PLAN OVERVIEW
- Equipment: Area; Type; Model number; Specifications; Interfaces; Requirements; Serial number; DNS; IP
- On-site equipment
- Applications and implementations
- Devices
- Contacts: hardware and software suppliers; systems developers; database developers; application developers; software supplier; backup storage; networking

THE BACKUP FOR SYSTEM II
- Backup (daily)
- Backup (monthly)
- Backup (quarterly)

THE DRP FOR SYSTEM II: PROCEDURE
- Risk 1: network downtime
- Scenario 2: hardware malfunction
- Addresses / decision support: design of the support infrastructure (network equipment, key interfaces); backup files; backup services; other system services

Business Continuity Procedure or Plan

A BCP is the process of recognizing business risks and threats for the purpose of ensuring that the personnel, equipment and site have adequate protection and are capable of functioning in the event of a disaster. The BCP will be critical at Zayed Air, and it is important that it be maintained. The business continuity plan will have the following main sections.

1. A contact list that will include the emergency numbers for the police, fire department and suppliers, among others (Savage, 2002).
2. An event log that will be maintained to record the date, time and type of actions and decisions taken during the incident; the event log will also carry the initials of the individual doing the recording (Saleem et al., 2008; Botha & Von Solms, 2004).
3. A risk management plan, in the following form:

Description of Risk | Likelihood | Effect | Priority | Deterrent Action / Contingency Plans
Interruption of business processes: breakdown or damage of critical equipment (e.g. fire) | Low | Very High | High | Make sure that there is adequate insurance cover for business interruption and other losses. Institute an agreement with a good supplier for 24-hour maintenance and replacement of critical equipment. Make provision for an alternative site (if the equipment and location have been ruined). Ensure that immediate access to personal resources is possible while waiting for the insurance to make payments.
Burglary | High | High | High | Ensure that insurance is active for theft of equipment. Install an alarm and video surveillance cameras. Maintain a list of reliable sources for replacement equipment.

4. Security for data and a backup strategy. The plan will list how backup is handled in Zayed Air to prevent data losses. The details of the backup processes are listed in the table below.

Data type | Backup frequency | Backup media / procedure | Person responsible | Backup procedure steps
Customer database | 7 days | External hard drive, compact disks; the media are then stored in the fire safe | An individual, for example the computer operator or data officer | Retrieve the compact disk or the external drive from the safe; copy the data onto the storage device; return it to the fire safe for safekeeping
Compliance management data | 7 days | External hard drive, compact disks; the media are then stored in the fire safe | An individual, for example the computer operator or data officer | Retrieve the compact disk or the external drive from the safe; copy the data onto the storage device; return it to the fire safe for safekeeping

5. The next section of the document will be the Business Impact Analysis.
6. The next will be the incident recovery plan and the checklist for the recovery.

Enterprise Information Security Policy

1. The first policy is on access management and will apply to any individual that has access to information technology resources. It will also apply to all the facilities, networks and any third-party equipment connected to the Zayed Air computer system. Only the appointed personnel will have access to critical data, and a record of the same shall be maintained. To control access to information, controlled passwords and user authentication systems shall be used (Tipton & Krause, 2003; Benantar, 2006). A log of all the personnel, their logins and their roles shall be maintained. This staff will also be responsible for backing up the information onto hard drives that will be stored in fire safes.
2. All software that has been internally developed or purchased must have the appropriate audit capabilities and security controls to prevent any unauthorized modification, loss of data, misuse and corruption (Stoneburner, Goguen & Feringa, 2002; Kankanhalli, Teo, Tan & Wei, 2003). Vendor or developer information and contacts will also be maintained for easier communication and access.
3. All computer systems and equipment shall be configured securely on the basis of their intended purpose (Bishop, 2003; Boebert, 1999).
4. Risks will be assessed periodically and managed continually as part of a risk management program that addresses vulnerabilities, risks and threats (Von Solms, Thomson & Maninjwa, 2011).
5. All employees will receive the necessary training on the importance of maintaining the security of the airline's infrastructure and systems. Employees would also be trained in how they should act in case of an incident that would affect the company systems and support (Mellado, Fernández-Medina & Piattini, 2006). All the necessary staff will be trained on how to respond appropriately to incidents that would affect the business (Sanchez, Villafranca, Fernández-Medina & Piattini, 2007).
6. An annual review of compliance will be necessary. The information security procedures, processes and practices would be reviewed to determine their effectiveness, and any necessary modifications would be made.
7. Any violation of the policy would prompt remedial action that would include, but not be limited to, reassignment, termination of access, termination of employment or even criminal prosecution.

Issue-Specific Policies

1. The first issue-specific policy that will have to be addressed is the data management system. The system would require information security to be implemented in a bid to secure the airline. In this case, a particular number of airline staff would be allowed full access to data control and management.
2. Security infrastructure and procedures would also be essential, as they would control accessibility to critical Zayed Air support. The rank and list of individuals that are allowed to access particular critical infrastructure will be required. The critical infrastructure includes the servers and the airline database, among others.
3. Access to the surveillance camera room would be restricted to the security personnel. Any modification to such monitoring software will have to be sanctioned by the top security personnel.
4. The systems management role will be restricted to the system administrator. The system administrator will be responsible for ensuring that there is adequate encryption of data, virus protection, physical security and monitoring of the employees.
5. Violations of the policy will attract disciplinary action from the company that will range from termination of access and retraining to termination of employment. Employees are encouraged to report any violations that they may observe in the course of their employment through anonymous submissions. That may be done in writing, posted in the provided suggestion box, or through the designated portal on the company website.
6. The policy will give directions for a definite period after which a review will be done. The review of the document will be done on an annual basis in the last week of May. Reviews will ensure that the policy is current, preventing any loopholes.
7. Limitations of liability. Zayed Air will not be held accountable if an employee violates the law or company policy through the use of company equipment and infrastructure. The company will also not protect or get involved in any worker's case involving a breach of the security of third-party systems; the employee will be personally liable. The limitations of liability policy will protect both the company and the employees from ambiguity as to what is expected of the employees (Whitman & Mattord, 2004; Taylor, Alexander, Finch, Sutton & Taylor, 2013).
8. Internet and email use is restricted to the company's business. Internet and email will not be used for personal benefit. The policy is important as it would prevent unauthorized use of the company's email and internet that can be harmful (Arnesen & Weis, 2007; Ioannidis, 2003).
9. Use of personal equipment such as laptops on the organization's network is strictly prohibited. That would protect the company from unauthorized access to its network, which may pose security and malicious-code risks (Merkow & Breithaupt, 2014).
10. Home use of the company's computer systems is prohibited unless proper authorization and documentation are kept on the same. That would prevent loss of equipment and unauthorized use of the internet.

Risk Assessment

The following template can be used to assess the risk to Zayed Air.
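As an added worked example (not part of the original paper), the following Python risk register implements steps 4 to 8 of the risk assessment outline in this section: controls found in the control analysis lower the likelihood, the risk level is the product P x I, and control recommendations are ranked by that product. The numeric scales, the one-level-per-control rule, the priority thresholds and all sample scores are constructed assumptions.

```python
"""Risk register for the Zayed Air risk assessment outline.

Added example, not the paper's own material. Steps 4-8 of the outline:
control analysis feeds the likelihood determination, risk = P x I, and
control recommendations are ordered by the resulting risk level.
Scales, thresholds, the one-level-per-control rule and all sample
scores are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Qualitative scale words from the paper's BCP risk table (Low ... Very High),
# mapped to numbers so that the P x I product can be computed (constructed).
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass
class Risk:
    name: str
    likelihood: str                      # inherent likelihood, before controls
    impact: str
    existing_controls: list[str] = field(default_factory=list)  # step 4 output


def residual_likelihood(risk: Risk) -> int:
    """Step 5: likelihood in the presence of existing controls.

    Constructed rule: each documented control lowers the likelihood by one
    level, but never below Low, since controls reduce rather than remove risk.
    """
    return max(LIKELIHOOD["Low"],
               LIKELIHOOD[risk.likelihood] - len(risk.existing_controls))


def risk_score(risk: Risk) -> int:
    """Step 7: risk determination as the product P x I (step 6 supplies I)."""
    return residual_likelihood(risk) * IMPACT[risk.impact]


def priority(score: int) -> str:
    """Band the P x I product into the Low / High / Very High priority wording
    used in the paper's risk table (thresholds constructed)."""
    if score >= 9:
        return "Very High"
    if score >= 4:
        return "High"
    return "Low"


def validate(risks: list[Risk]) -> list[str]:
    """Step 9 pre-check: refuse to document a register with unknown scale values."""
    problems = []
    for r in risks:
        if r.likelihood not in LIKELIHOOD:
            problems.append(f"{r.name}: unknown likelihood '{r.likelihood}'")
        if r.impact not in IMPACT:
            problems.append(f"{r.name}: unknown impact '{r.impact}'")
    return problems


def rank_risks(risks: list[Risk]) -> list[dict]:
    """Step 8: order the register so control recommendations go to the
    highest residual risk first; ties are broken by name for a stable report."""
    rows = sorted(risks, key=lambda r: (-risk_score(r), r.name))
    return [
        {"risk": r.name, "P": residual_likelihood(r), "I": IMPACT[r.impact],
         "PxI": risk_score(r), "priority": priority(risk_score(r))}
        for r in rows
    ]


# Constructed sample register drawn from the paper's risk list; the controls
# on the first three entries are the deterrent actions from its BCP table.
SAMPLE_REGISTER = [
    Risk("Hardware failure", "High", "High",
         ["24-hour maintenance and replacement agreement"]),
    Risk("Internal fire", "Low", "Very High",
         ["Business interruption insurance", "Alternative site"]),
    Risk("Burglary", "High", "High",
         ["Theft insurance", "Alarm and video surveillance"]),
    Risk("Power outage", "High", "Very High"),
    Risk("Tsunami hits", "Low", "Very High"),
]


if __name__ == "__main__":
    for problem in validate(SAMPLE_REGISTER):
        print("register error:", problem)
    print(f"{'Risk':18} {'P':>2} {'I':>2} {'PxI':>4}  Priority")
    for row in rank_risks(SAMPLE_REGISTER):
        print(f"{row['risk']:18} {row['P']:>2} {row['I']:>2} "
              f"{row['PxI']:>4}  {row['priority']}")
```

Burglary drops from 9 (Very High) to 3 (Low) once its two deterrent actions are recorded, which is the point of running the control analysis before the likelihood determination.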
Risk assessment template (column headings):

Risk | Likelihood of Risk (P) | Impact of Risk (I) | Risk Calculation (P x I)

Risks to be assessed:
- Internal flooding
- External flooding
- Internal fire
- External fire
- Rain storms
- Wind storms
- Tremors and earthquake
- Rain
- Tornado
- Rain
- Hurricane
- Snow storm
- Ice storm
- Hailstorms
- Drought and dry conditions
- Tsunami hits
- Mud-slide
- Human pandemic
- Bomb explosion
- Leakage of flammable gas
- Structural collapse
- Software failure
- Application failure
- Hardware failure
- Virus hits
- Hacking
- Communications hitch
- Supplier issues
- Human error
- Water shortage
- Sewage leaks
- Power outage
- Leakage of flammable gas
- Steam leaks
- Communications breakdown
- Biological terrorism
- Chemical terrorism
- Radiological terrorism
- Nuclear terrorism
- Workers' strike
- Violence

The risk assessment framework will follow the outline below.

1. System characterization. Before the assessment can start, the first step is to define the scope of the effort (Landoll & Landoll, 2005). By employing information-gathering techniques, the boundaries of the system are ascertained. The resources and information that make up the system are also identified.
2. Threat identification. The next step is risk identification. The system vulnerabilities are identified and documented in this step. Among the most common risk sources are human, environmental and natural ones.
3. Identification of vulnerabilities. In this step, the system vulnerabilities, both technical and non-technical, are listed. It is the process of identifying the vulnerabilities that could be used by the potential threat sources.
4. Control analysis. The main aim of this procedure is to highlight the control techniques that have been used, or are currently in use, to minimize the system vulnerability. A list of current and possible technical and non-technical controls is provided.
5. Likelihood determination. This step determines the probability of an individual threat source exploiting the system vulnerabilities in the presence of planned or existing controls.
6. Impact analysis. The objective of this step is the identification of the negative impact that would result from full exploitation of the vulnerability by the threat source.
7. Risk determination. The risk level is ascertained by multiplying the impact from the impact analysis by the risk probability.
8. Control recommendations. The goal is to identify the specific control recommendations that would eliminate or minimize the likelihood of the identified risks occurring.
9. Documentation. The last step is the documentation of the risk assessment result, which will then be presented to the owners of Zayed Air for budgeting, procedures and change management purposes (Stoneburner, Goguen & Feringa, 2002).

Security Staff

Transport Security Officer (3 positions)

As a medium-level company, Zayed Air would require a relatively small number of staff, which would include the location transport security officers. The transport security officer will ensure that no deadly objects enter the airport. The skills and experience that the officers must possess are good verbal communication and the ability to deal with people of many origins and races. The officers must have knowledge of and training in X-ray screening, law enforcement, and cargo handling. The minimum requirement is two years' working experience at an airport. The officers will also need to be certified as security guards. The officers will need to have experience and training in CCTV systems. They will also need basic computer skills so that they can operate a computer system.

Transport Security Supervisor (1 position)

The other position will be that of transport security supervisor. The supervisor will supervise the other officers and give reports to the owners concerning transport security. The qualifications for the supervisor will be a background in law enforcement and training in management. Basic computer skills and knowledge of X-ray screening procedures are also required.
Security Guard (2 positions)

Two security guards will also be required so that they can restrict access to the airline premises and staff the gate. They will be responsible for keeping records of all the vehicles that enter the premises and giving guidance to visitors and customers. The only requirements will be previous experience in the same position, knowledge of radio communication and the ability to converse with people of diverse affiliations and backgrounds.

References

Arnesen, D. W., & Weis, W. L. (2007). Developing an effective company policy for employee Internet and email use. Journal of Organizational Culture, Communications and Conflict, 11(2), 53.
Benantar, M. (2006). Access control systems: Security, identity management, and trust models. Springer Science & Business Media.
Bishop, M. (2003). What is computer security? IEEE Security & Privacy, 1(1), 67-69.
Boebert, W. E., Rogers, C. O., Andreas, G., Hammond, S. W., & Gooderum, M. P. (1999). U.S. Patent No. 5,864,683. Washington, DC: U.S. Patent and Trademark Office.
Botha, J., & Von Solms, R. (2004). A cyclic approach to business continuity planning. Information Management & Computer Security, 12(4), 328-337.
Business Continuity Plan Template. (2015). Retrieved from https://www.business.qld.gov.au/__data/assets/word_doc/0005/15296/Business-continuity-plan-template.doc
Hiles, A. (2004). Enterprise risk assessment and business impact analysis: Best practices. Rothstein Associates Inc.
Ioannidis, J. (2003, February). Fighting spam by encapsulating policy in email addresses. In NDSS.
Kankanhalli, A., Teo, H. H., Tan, B. C., & Wei, K. K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2), 139-154.
Landoll, D. J., & Landoll, D. (2005). The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press.
Mellado, D., Fernández-Medina, E., & Piattini, M. (2006). A comparative study of proposals for establishing security requirements for the development of secure information systems. In Computational Science and Its Applications (ICCSA 2006) (pp. 1044-1053). Springer Berlin Heidelberg.
Merkow, M. S., & Breithaupt, J. (2014). Information security: Principles and practices. Pearson Education.
Saleem, K., Luis, S., Deng, Y., Chen, S. C., Hristidis, V., & Li, T. (2008, May). Towards a business continuity information network for rapid disaster recovery. In Proceedings of the 2008 International Conference on Digital Government Research (pp. 107-116). Digital Government Society of North America.
Sanchez, L. E., Villafranca, D., Fernández-Medina, E., & Piattini, M. (2007). Developing a model and a tool to manage the information security in small and medium enterprises. In SECRYPT (pp. 355-362).
Savage, M. (2002). Business continuity planning. Work Study, 51(5), 254-261.
SearchDisasterRecovery. (2015). IT disaster recovery (DR) plan template: A free download and guide. Retrieved 3 May 2015, from http://searchdisasterrecovery.techtarget.com/feature/IT-disaster-recovery-DR-plan-template-A-free-download-and-guide
SearchDisasterRecovery.com Incident Response Plan Template. (2015). Retrieved from http://cdn.ttgtmedia.com/searchDisasterRecovery/downloads/SearchDisasterRecovery_Incident_Response_Plan_Template.doc
SearchDisasterRecovery.com Risk Assessment Template. (n.d.). Retrieved from http://cdn.ttgtmedia.com/searchDisasterRecovery/downloads/SearchDisasterRecovery_Risk_Assessment_Template.doc
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST Special Publication 800-30.
Taylor, A., Alexander, D., Finch, A., Sutton, D., & Taylor, A. (2013). Information security management principles. Swindon: BCS Learning & Development Limited.
Tipton, H. F., & Krause, M. (2003). Information security management handbook. CRC Press.
Von Solms, R., Thomson, K. L., & Maninjwa, M. (2011, August). Information security governance control through comprehensive policy architectures. In Information Security South Africa (ISSA), 2011 (pp. 1-6). IEEE.
Wallace, M., & Webber, L. (2010). The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets. AMACOM Div American Mgmt Assn.
Whitman, M., & Mattord, H. (2004). Management of information security. Boston, MA: Thomson Course Technology.
Wold, G. H. (2006). Disaster recovery planning process. Disaster Recovery Journal, 5(1).