Management and Information Security - Assignment Example


Question 1

The Project Management Body of Knowledge (PMBOK) is a collection of processes and knowledge areas that are generally accepted as good practice in project management. PMBOK sets out what any effective project management effort should provide and is an internationally recognized standard (IEEE Std 1490-2003). It comprises five basic process groups and nine knowledge areas that apply to any project, whatever the sector (Haughey 31). According to Haughey, the process groups are initiating, planning, executing, monitoring/controlling and closing. The knowledge areas are procurement management, project integration management, time management, quality management, scope management, cost management, risk management, communication management and human resource management.

Project procurement management

Project procurement management is the knowledge area concerned with the processes for acquiring goods and services for a project. It comprises six processes: procurement planning, solicitation planning, solicitation, source selection, contract administration and, lastly, contract closeout. Procurement planning identifies the needs of the project that must be procured. Procurement at this stage aims to ensure that the project obtains quality goods and professional services so that it can meet its objectives.
Procurement planning draws on the project scope statement, which sets out the project's needs; the product description, which identifies the technical information that must be taken into account when planning; procurement resources, which identify who will supply what the project needs; and market conditions, which identify which goods and services are available in the market, who can deliver them, and on what terms and conditions. Solicitation planning documents the product requirements and identifies potential sources for the products and services. Solicitation obtains bids, offers, quotations and proposals from potential suppliers and sellers. Source selection chooses the best supplier or seller from the tenders received, according to the chosen selection criteria. Contract administration covers signing a contract with the seller or supplier that sets out the terms and conditions of the transaction, and maintaining a good working relationship with that seller or supplier. Contract closeout is the last process and settles the contract once the terms and conditions set out in it have been met. Project procurement management is essential in any project, since it ensures that the project can acquire what it needs to run efficiently. It is usually headed by a procurement officer.

Question 2

The security of any system is a paramount objective of the system development team. System security ensures that the system is not accessible to unauthorized people, which gives the organization assurance that the information in its system is unlikely to end up in the wrong hands. The analysis phase of the system development life cycle examines whether a system has met its requirements.
Chief among the requirements of a system is that information security is assured. Understanding the potential risks is vital in any system development, so a thorough risk assessment should be conducted to determine the threats to the system. A threat assessment team should be established to look for the loopholes and weaknesses in the system that would make it easier for threats to find their way in. The team should include security professionals, users, operational experts and technology experts. Understanding potential threats therefore entails: identifying the loopholes that would ease an attacker's entry into the system; identifying the most probable threats to the system, for instance viruses, hackers and worms; and providing a security measure to counter each threat. To understand the enemy, one must know the effect the enemy has on a system. Common effects include information destruction or loss, slowing of the system, ineffectiveness whereby the system does not do what it is instructed to do, inability to access certain sections of the system, and file replication (Lucas 3). The enemy can also be understood through the kind of information held in a system: specific information attracts specific types of enemy, which lets the analysis team anticipate which enemies to expect. An organization's public profile also attracts enemies; a system belonging to a national intelligence service, for instance, is more likely to have enemies whose main intention is to obtain or damage specific information. An enemy is therefore best understood when its intentions are known.
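The threat assessment described above can be carried out as a simple risk register. The following Python is added here as an illustration; it is not part of the essay or of any source it cites. It scores each (asset, threat) pair by likelihood and impact, lists the pairs that still lack a countermeasure, and checks which pairs the team never assessed at all, which is the "covered all the bases" question the essay raises. The threat catalogue, the 1..5 scales, the threshold and the sample register are all constructed for the example.

```python
from dataclasses import dataclass
from itertools import product

# Threat catalogue drawn from the essay's own list (viruses, worms, hackers)
# plus data loss. The categories, the 1..5 scales and the threshold below are
# assumptions made for this illustration, not something the essay prescribes.
THREAT_CATALOGUE = ("malware", "unauthorized access", "data loss")


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str          # one of THREAT_CATALOGUE
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    control: str = ""    # countermeasure in place; empty means none yet

    @property
    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


def rank_risks(register):
    """Highest score first; ties broken by asset and threat name for stable output."""
    return sorted(register, key=lambda e: (-e.score, e.asset, e.threat))


def uncovered_risks(register, threshold=10):
    """Entries that still need a countermeasure: score >= threshold and no control."""
    return [e for e in rank_risks(register) if e.score >= threshold and not e.control]


def coverage_gaps(register, assets, catalogue=THREAT_CATALOGUE):
    """(asset, threat) pairs the assessment never considered at all."""
    seen = {(e.asset, e.threat) for e in register}
    return [pair for pair in product(assets, catalogue) if pair not in seen]


# Constructed sample register for a small claims-processing system.
ASSETS = ("claims database", "web portal", "file server")
SAMPLE_REGISTER = [
    RiskEntry("claims database", "unauthorized access", 4, 5, "MFA + least-privilege roles"),
    RiskEntry("claims database", "data loss", 2, 5, "nightly encrypted backups"),
    RiskEntry("claims database", "malware", 3, 4),                 # no control yet
    RiskEntry("web portal", "unauthorized access", 4, 4),          # no control yet
    RiskEntry("web portal", "malware", 2, 2, "patched web server"),
    RiskEntry("file server", "malware", 4, 4, "endpoint anti-malware"),
    # Deliberately missing: (web portal, data loss), (file server, unauthorized
    # access) and (file server, data loss). The coverage check must surface them.
]

if __name__ == "__main__":
    for e in rank_risks(SAMPLE_REGISTER):
        print(f"{e.score:2d}  {e.asset:16s} {e.threat:20s} control={e.control or '-'}")
    print("needs a countermeasure:",
          [(e.asset, e.threat) for e in uncovered_risks(SAMPLE_REGISTER)])
    print("never assessed:", coverage_gaps(SAMPLE_REGISTER, ASSETS))
```

The two lists at the end are the team's work queue: `uncovered_risks` gives the threats that were identified but have no countermeasure, and `coverage_gaps` gives the asset-threat combinations nobody has looked at, which is where the unforeseen loopholes the essay warns about tend to live.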
Once the intentions are known, the enemy's behaviour can be anticipated, for instance the multiplication and mutation of viruses once they have gained access to a system. To know whether the analysis has covered all the bases likely to be attacked, the system development team should test the system. This is done to identify weaknesses and loopholes that could not be established during development and to surface unforeseen problems. The system's success should also be evaluated against its objectives to determine whether it achieved its goals (Dennis 16).

Question 3

Disasters occur in any field, and in many cases a disaster severely affects the functioning of a business, depending on how serious it is. In an information system, the most probable disasters are caused by unauthorized parties gaining entry to the system. A disaster recovery plan is a plan aimed at enabling the organization to regain control of the system and of the organization as a whole; it is meant to ensure business continuity (Penson 1). The main objective of a disaster recovery plan is to restore the system to normal functionality. The following is an analysis of a sample disaster recovery plan titled Business Continuity Planning (BCP). The plan meets the following requirements of a good disaster recovery plan. It establishes the planning group, which is the group tasked with producing the recovery plan and ensuring that it succeeds. It assesses the disaster and the problems resulting from it, which lets management determine the most appropriate method of recovery. It also has well laid out recovery strategies; the strategy chosen is determined by the nature of the disaster and the extent of the damage it caused.
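The recovery point and recovery time a plan commits to can be checked mechanically against the backups actually available. The following Python example is added here and is not from the essay or from the BCP plan it analyzes. It assumes a recovery point objective (the most data loss, measured in time, the organization tolerates), a recovery time objective (the most downtime it tolerates), a restore throughput and a detection delay, all constructed for the example. It picks the newest restore-tested snapshot taken before the disaster, ignoring later snapshots (which may already contain the damage) and untested ones, and reports whether both objectives are met.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    size_gb: float
    verified: bool      # restore-tested; an untested snapshot is not a recovery point


@dataclass(frozen=True)
class RecoveryDecision:
    snapshot: Optional[Snapshot]
    data_loss: Optional[timedelta]   # disaster time minus chosen recovery point
    downtime: Optional[timedelta]    # detection delay plus restore duration
    rpo_met: bool
    rto_met: bool


def choose_recovery_point(snapshots, disaster_at, rpo, rto,
                          restore_gb_per_hour, detection_delay):
    """Pick the newest verified snapshot taken before the disaster and check it
    against the plan's recovery point objective (rpo) and recovery time
    objective (rto). Snapshots taken after the disaster are ignored because
    they may already carry the damage; unverified ones because they may not restore."""
    candidates = [s for s in snapshots if s.verified and s.taken_at < disaster_at]
    if not candidates:
        return RecoveryDecision(None, None, None, False, False)
    best = max(candidates, key=lambda s: s.taken_at)
    data_loss = disaster_at - best.taken_at
    restore = timedelta(hours=best.size_gb / restore_gb_per_hour)
    downtime = detection_delay + restore
    return RecoveryDecision(best, data_loss, downtime,
                            data_loss <= rpo, downtime <= rto)


# Constructed timeline and objectives (assumptions for this example only).
DISASTER_AT = datetime(2024, 3, 1, 14, 30)
RPO = timedelta(hours=4)
RTO = timedelta(hours=8)


def sample_snapshots(noon_verified: bool):
    return [
        Snapshot(datetime(2024, 3, 1, 0, 0), 400, True),
        Snapshot(datetime(2024, 3, 1, 6, 0), 400, True),
        Snapshot(datetime(2024, 3, 1, 12, 0), 400, noon_verified),
        Snapshot(datetime(2024, 3, 1, 18, 0), 400, True),   # after the disaster: must be ignored
    ]


def run(noon_verified: bool) -> RecoveryDecision:
    """Evaluate the constructed scenario; 100 GB/h restore, 30 min to detect."""
    return choose_recovery_point(sample_snapshots(noon_verified), DISASTER_AT, RPO, RTO,
                                 restore_gb_per_hour=100,
                                 detection_delay=timedelta(minutes=30))


if __name__ == "__main__":
    for verified in (False, True):
        d = run(verified)
        print(f"noon snapshot verified={verified}: restore from {d.snapshot.taken_at:%H:%M}, "
              f"data loss {d.data_loss}, downtime {d.downtime}, "
              f"RPO met={d.rpo_met}, RTO met={d.rto_met}")
```

In the constructed timeline the noon snapshot was never restore-tested, so recovery falls back to the 06:00 snapshot and the recovery point objective is missed even though the recovery time objective is met. Verifying backups is as much part of the plan as taking them, and the check above is the kind of verification criterion the essay says a plan should carry.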
The greater the damage, the more involved the strategy will be, and vice versa. A competent recovery team should be able to identify the best strategy for a given disaster. Data recovery is a common strategy, since data loss is a common disaster, and there are professional data recovery specialists to whom an organization can outsource this work if its own staff cannot do it efficiently. The plan also includes an inventory, accompanied by documentation. Lastly, the recovery plan has verification criteria that let the organization assess whether the recovery succeeded. These requirements are in line with those of an effective disaster recovery plan. In addition, the recovery plan identifies a system recovery time: the maximum time the organization can tolerate between the disaster and the system being restored. It is set in the plan before any disaster occurs, so that the chosen recovery strategy can be checked against it, and is a must in any recovery plan. Together with the recovery time is the recovery point. The plan should be able to restore the system to a state in which it previously functioned correctly; the restore point is usually determined by the system analyst, who identifies a time before the disaster to which the system will be restored, and the recovery point sets how much data the organization can afford to lose between that time and the disaster. These characteristics make the plan under analysis an effective one, capable of dealing with the wide range of disasters likely to happen.

Question 4

An enterprise information security policy is a document containing the exact requirements that must be taken into consideration and met (SANS 4). An information security policy usually targets a specific area of focus. Examples of enterprise information security policies include an acquisition assessment policy, a Bluetooth device security policy, an information sensitivity policy and a risk assessment policy, among others. The following section looks at the aspects of an enterprise information security policy.
The section considers a risk assessment policy drafted by the SANS Institute. The following aspects of the policy have been identified.

Purpose

The purpose states why the policy was drafted. For instance, the purpose of the SANS risk assessment policy is to empower the information security team (InfoSec) to carry out scheduled information security assessments aimed at finding the weak points that make the system vulnerable.

Policy

The policy outlines the party responsible for developing, executing and implementing the remediation programs. In the SANS policy, this responsibility is given to InfoSec and the department under assessment. The policy also sets out the responsibilities of every party concerned with the system being analyzed, so that the executing body can determine which system is not functioning well, who is in contact with it, and whether that person is connected to the malfunction. A policy basically states what is to be done and who is to do it.

Enforcement

This aspect specifies the repercussions for anyone found to have violated the policy. A policy without a means of enforcement is as good as dead, since it lacks the means to ensure that it achieves its objectives. For instance, the SANS risk assessment policy specifies that any employee found to have violated the policy will face disciplinary action up to and including termination of employment.

Definitions

This aspect defines the terminology used in the policy. More often than not a policy includes legal and technical jargon that the ordinary employee may not understand; the definitions ensure that the policy is understandable to anyone reading it.
The SANS risk assessment policy can be used by any organization that wishes to carry out periodic risk assessments of its systems, for example a bank.

Question 5

Information security breaches are common and usually disrupt the functioning of an organization as well as causing it great losses. They may also affect the organization's clients, who lose money or vital information. The following are examples of recent information security breaches. Healthcare data breaches have been reported, according to research by the Identity Theft Resource Center; the breaches were caused by poor data handling and a lack of encryption, leading to data loss (Medical Quack 67). Aetna suffered a data breach that forced the well-known insurer to contact its customers and tell them that their personal information had been exposed (Deutsch 7). The brokerage firm D. A. Davidson was hit by a data breach in 2008; as a result the company had to pay $375,000 for its failure to protect its customers' information. The firm suffered the breach when its computers were targeted by attackers, who downloaded vital client information (Roberts 67). The main targets of information breaches are businesses and organizations dealing with large volumes of money and people, because the perpetrators intend to profit from their crimes. Perpetrators may also intend to make an organization collapse by reducing customers' confidence in it, and some breaches are carried out on behalf of competitors that want to reduce the target's influence in the market.
For instance, the loss or exposure of clients' personal data leads customers to lose confidence in the organization, which can lead to its demise. The main targets of breaches are large organizations, because of their influence in the market, their level of competitiveness, the number of people associated with them, and the potential harm a breach of such an organization can cause in the market. Breaches of smaller organizations do occur but rarely make the news, because they affect a smaller group of people and an organization with less influence in the market; trouble affecting a large number of people makes news where a smaller group does not. Every organization has its enemies, regardless of its size.

Works cited

Deutsch, W. "High Profile Data Breaches." Business Information 7.3 (2009).
Dennis, S. Introduction to System Analysis and Design. 2nd ed. (2009): 1-26.
Haughey. "The Project Management Body of Knowledge." Project Smart 12.3 (2011): 21-40.
Lucas, J. The Malicious Logic Battle: Understanding the Enemy. Enterasys Networks. 1st ed. (2011): 1-8.
Medical Quack. "Health Care Data Breach Cases Reported Outnumber Financial Breaches by Over 3 to 1." The Medical Quack 19.1 (2010): 56-76.
Penson. Disaster Recovery Plan. 2nd ed. (2009): 1-17.
Roberts, C. R. "Brokerage Firm Fined $375,000 in Data Breach Case." The News Tribune. 2011.
SANS. Risk Assessment Policy. SANS Institute 19.7 (2011): 1-8.
SANS. Information Security Policy Templates. SANS Institute 16.5 (2011): 11-26.
SANS Institute. The Disaster Recovery Plan. SANS Institute. 3rd ed. (2010): 1-14.