QUESTION
Comprehensive Information Assurance strategy
Instructions
The deliverables for your Project Paper Assignment include a Word document that answers the questions described below. Your final paper should be between 10 to 15 pages long (longer is perfectly acceptable without penalty). Be sure the report is in MS Word, Times New Roman 12-pt font, with double spacing and 1 inch margins all-around, no additional spaces allowed. Cover page and references pages are also required in proper APA format. In-text citations must match the reference list provided.
Heavy Metal Engineering (HME), a manufacturing organization that creates metal shell casings for very high-end washer and dryer products, has suppliers and customers world-wide, as well as world-wide offices. HME's US corporate office in NY hires you as a professional Information Assurance consultant.
HME is looking to receive some significant third party funding for an international joint venture but was told they would be denied because they do not have any kind of Information Assurance plan to keep all data assets secure. You are required to create a comprehensive IA strategy that includes the following:
A detailed overview of what Information Assurance entails covering all the basics for an IA strategy (what will be protected and from what)
A plan or strategy for IA implementation including a framework
A complete risk mitigation strategy that completely outlines your plans to mitigate risks associated with operating in the 21st century workplace.
Select an accrediting body to ensure IA is not only a process but a part of organizational culture going forward
An incident response and disaster recovery plan in the event of intrusion and disaster
All sections should be clearly labeled and a separate section in each area specifically for justifications of your selection/proposal.
Your thoughts must be solidified with viable sources consistent with graduate level work. No more than 2 sources may be used with n.d. or no author. Scholarly and peer-reviewed sources are expected to be used throughout the bulk of this paper.
Subject: Business | Pages: 6 | Style: APA
Answer
Comprehensive Information Assurance strategy for Heavy Metal Engineering
Introduction
For an organization to succeed in the modern business environment it requires a comprehensive information assurance strategy to secure its information system and the information it handles. This report provides a description of what information assurance entails and covers the basics of an information assurance strategy for Heavy Metal Engineering. The report provides a framework for implementing an information assurance strategy. The report further provides a complete risk mitigation strategy including plans to mitigate the risks identified. The report also recommends an accrediting body to ensure the information assurance strategy becomes a culture and not just a process in the company. Lastly, the report provides an incident response and disaster recovery plan in case the company suffers an intrusion or a disaster.
Overview of what Information Assurance Entails
Information assurance refers to the steps taken by organizations to protect and defend their information resources and information systems by ensuring they are available when required, maintain integrity, can be authenticated, are confidential and cannot be repudiated by stakeholders. Information assurance processes ensure reaction, detection and protection capabilities are incorporated in information systems, which provide for their restoration (Sosin, 2018). Information assurance has also been described by some writers as the use of information systems to identify, understand and manage risks in organizations. Other experts have identified information assurance as a process that involves the state of storage, transmission and processing of information which ensures nonrepudiation, integrity, authentication, confidentiality and availability of information by use of technology, policy and individuals (Sosin, 2018).
Confidentiality, integrity, availability, non-repudiation and authentication are the five main components of information assurance as detailed above. Securing information is not the only concern of information assurance, as many assume, since its view is broader than that. All information that an organization transmits, stores and processes is included in information assurance processes. Information security, information protection and cybersecurity are the subdomains of information assurance (Sosin, 2018). Information security focuses on three things, namely availability, integrity and confidentiality, as a component of information assurance. Information security is responsible for the different types of information that an organization handles, whether in electronic or paper format, as well as information transmission and storage. Information security is therefore concerned with cybersecurity and information protection, the other two domains of information assurance (Cambou, Flikkema, Palmer, Telesca & Philabaum, 2018).
Information protection is concerned with protecting information integrity and confidentiality. This is done through various methods which include categorization of information, and monitoring classification of information among other strategies that different organizations employ. Some view information protection as only being concerned with information that is sensitive such as a person’s health status and personal information that is considered confidential and sensitive (Sosin, 2018). To achieve their goals and produce results that are measurable organizations must take into consideration the three aspects of information assurance as it helps them understand information technology and be able to apply it effectively and efficiently in their operations (Sosin, 2018). All the components of information assurance are very important and must be fully integrated if an organization is to achieve success. For instance, nowadays it is easy for hackers to obtain data and information that is private and hence confidentiality is very critical. Organizations must therefore ensure that sensitive data and information is encrypted to prevent such an occurrence and ensure only authorized and vetted people can access it (Coronado, 2015).
To protect data and information, organizations must ensure administrators in charge of information security and control are monitored and everything about them is known. To be secure, information must be accessed by authorized people only. There must also be authenticity in the information held, otherwise it will be of no use. Organizations must also ensure information and data is not tampered with, as that compromises integrity, which is an important component of information assurance (Sosin, 2018). Availability is also a very important component as it describes the restrictions and limitations of using information and data. Organizations need to ensure data is only obtained after authorized administrators give permission in writing. Every organization must put in place policies to prevent attacks on its information system, as such attacks could damage or shut down the entire information system (Sosin, 2018).
The interconnected corporate information technology system has made it possible for executives and ordinary staff to work from anywhere in the world due to distributed computing resources. This has created a new threat known as cybercrime. Cyber security focuses on protecting electronic information systems and networks from being attacked by cybercriminals (Sosin, 2018). New threats and vulnerabilities have been brought about by the new system of distributed computing and networks, which enables people to work from remote locations and communicate with their colleagues located at headquarters or elsewhere (Sosin, 2018).
Cyberspace attacks are sophisticated, and organizations, whether public or private, are not sufficiently protected; this explains why cybersecurity is critical for organizational survival. Organizations must cooperate to understand the threats posed by cyberspace technologies and build defensive systems that protect them from cyber-attacks. Cybersecurity thus involves organizations sharing information and resources to be able to fend off cyber-attacks (Sosin, 2018). Many companies have over the years lost the integrity and confidentiality of their data and information to cyber-crime. To protect themselves, organizations must ensure only authorized personnel can access information and data over the internet. For example, a doctor who sends information about a patient to a technician through email must be confident that only the intended technician will receive it and not a receptionist or other unintended persons. For information assurance in such a case, the information must be encrypted end-to-end before transmission to ensure only the technician can decode it (Sosin, 2018).
The goal of an information assurance strategy is to ensure the accuracy, integrity and safety of all information system processes and resources. Effective security management can minimize errors, fraud and losses in the information systems that interconnect today's companies with many stakeholders (Sosin, 2018). This need is being driven by the increasing rate of cybercrime and the growing use of the internet to link company systems with their partners and customers. Information security protects information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against denial of service to authorized users. This includes measures to detect, document and counter such threats (Sosin, 2018).
There are various reasons why information assurance is critical. Firstly, information systems are used across various levels and hence require protection. Secondly, there is increased system vulnerability due to the fast growth and use of the internet. Thirdly, there is increased theft of confidential data and financial frauds have increased as a consequence of cybercrime. Lastly, many jurisdictions have come up with increased legal requirements to ensure information systems and corporate networks are protected (Mourad, 2017).
One of the potential threats to information and information systems is computer viruses. These are rogue software programs which attach themselves to other software programs or data files without the computer user's knowledge and permission. These computer viruses could clog the computer memory, or erase or format the computer hardware, making it difficult for the computer to run smoothly (Sosin, 2018). The next threat is write once read many, or worm in short. Worms are software programs which copy themselves from one computer to the next in a network and can destroy data and information, thus stopping computer operations in a network (Mourad, 2017). The Trojan horse is yet another threat. Even though it appears to be genuine, a Trojan horse is a software program that can cause unexpected damage to computers in a network. It opens a way for malicious software programs to access a computer and cause damage. Spyware programs also pose a threat. These software programs attach themselves to computer networks and monitor the activities of users of information system resources. If the spyware is used by unauthorized persons then it can erode the information assurance of an organization (Mourad, 2017).
Another threat to information system resources is key loggers. A key logger is a software program that records every key stroke a user makes on a computer keyboard, and it is used to steal such confidential information as serial numbers of software programs with the intention of launching an internet attack. These software programs could lead to loss of personal information such as passwords and credit card details, among others. Computer hackers pose another threat to information system resources (Mourad, 2017). Hackers have sufficient technical skills which enable them to access computer systems without any authorization and obtain or modify information and data. Computer crackers are also individuals who pose a threat to information authenticity, availability, nonrepudiation, confidentiality and integrity. Computer crackers gain access to computer systems because they identify weaknesses in the security protection used by an organization. They can obtain personal information which they use to their advantage. Cyber vandalism is another threat, which refers to the intentional defacement or destruction of a network or computer system by a cyber-criminal (Sosin, 2018).
Spoofing is another threat that the information assurance strategy will seek to address. This involves redirecting a web link to a different address than the one intended by administrators. This enables an unauthorized person to gain access to sensitive information of an organization. Another threat is denial of service, which occurs when intruders enter a network and flood it with thousands of false communication requests, causing the authorized users to be unable to access the network (Sosin, 2018). Cybercrime is another threat that is addressed by a comprehensive information assurance strategy. Cybercrime can involve illegal access to a network, data interception and electronic theft, among others. Cyber terrorism is also another threat posed to computer systems and networks. This is a situation where unauthorized persons use malicious software to crash or cause system failure of an organization's computer system and network resources (Mourad, 2017).
Eavesdropping is yet another threat to the computer systems and networks of a company. This involves unauthorized listening to online conversation between people in a transmission medium, or electronic interception, which enables someone to gain access to information not meant for them. Jamming is another risk, posed when an unauthorized user creates transmission traffic blocking others from accessing a network (Sosin, 2018). Sniffing is another threat posed to computer systems and networks. This involves monitoring and capturing all data packets transmitted through an internet network. Sensitive information can be captured by sniffers in the process, compromising data and information confidentiality and integrity (Ahmad, Thian, Tze & Norhashim, 2019).
Spamming is yet another threat, and this involves sending multiple unsolicited emails to unintended persons. For example, this could involve sending advertising messages to people without their consent and knowledge. Flaming is another threat. This involves sending hostile and insulting messages to online users with the intention of arousing emotions and making them angry. Cyber bullying is yet another threat, which involves bullying, intimidation or harassment using electronic emails (Mourad, 2017). Cyberstalking is another threat that poses a challenge to cybersecurity systems. Individuals use the internet to stalk and harass an individual or a group of people. Cyber stalkers use false accusations, slander, defamation or libel to harass or stalk people. Other threats include phishing, which is a fraudulent attempt to obtain sensitive information about an entity by pretending to be a genuine user of a network. Other threats which are physical in nature include burglary, terrorist activities, natural calamities such as earthquakes which may lead to the collapse of buildings, and arson, among others. These pose a threat to computer information system resources and networks (Mourad, 2017).
Information Assurance Strategy and Framework for Heavy Metal Engineering
For Heavy Metal Engineering to succeed it needs to prepare and implement an information assurance strategy. The organization must have a comprehensive information assurance document which guarantees its security against threats posed to its information and data and its information system resources. The information assurance strategy must contain a strong security policy, security plans and methodologies which are used in the assessment of information assurance and of the infrastructure used by an organization (Sosin, 2018). Security policy implementation is the foundation of a good information assurance strategy, and this must have full senior management support for it to succeed. A good strategy emphasizes identifying the biggest challenges that an organization needs to focus its full attention and resources on. These challenges require to be worked on regularly to ensure data and information confidentiality, availability, nonrepudiation, integrity and authenticity (Coronado, 2015). A good information assurance strategy should manage the lifecycle of the policy on security of information assets, and ensure needs are correlated with the security policies; these need to be brought up to the current environment through constant updating to ensure security is upheld. Measures that need to be taken must also be identified to ensure the environment is secure (Sosin, 2018).
The information assurance strategy enables an organization to achieve its long term objectives and hence it is a living document. The strategy must be comprehensive, free from bias, meet legal and regulatory requirements in the industry and must be a long term document (Sosin, 2018). The strategy should also be pragmatic, risk based, tactical and extensive, and should be able to be customized as the need arises. The strategy should include defense-in-depth plans or strategies which cover all the domains of information assurance. The defense-in-depth strategies take into account people, technologies and policies, which are the main critical elements of an organization (Sosin, 2018). The defense-in-depth strategies contain a wide range of measures aimed at countering different risks according to their rigidities and complexities, and for information assurance they offer the best tactics. These plans should be planned well in advance so as to respond to events that are unpredicted and/or highly sophisticated. Even though there is no strategy that can best guard against an unknown risk, an information assurance strategy is the best bet to ensure an organization achieves information assurance (Sosin, 2018).
Some of the defense-in-depth tactics include encryption of information and data. This involves the use of security codes before data is transmitted to another party to ensure it is secure. Use of a firewall is another strategy that can ensure information assurance. A firewall prevents unauthorized access to the data and information of an organization. Use of virus defense software programs such as Avast, Kaspersky, Norton and Defender can protect computer systems and networks from dangerous computer viruses. Users can also be requested to use multi-level passwords, which should be changed periodically to prevent copying (Coronado, 2015). Backup files could also be used to store information away from the premises of the organization so that in case of a natural disaster the information can be retrieved. Use of technologies which capture the physical traits of persons can also help, such as the use of fingerprints to open computer programs. Each organization must have controls over its information system (Sosin, 2018).
A Complete Risk Mitigation Strategy
Risk management is a process that would enable Heavy Metal Engineering to analyze, assess and put in place control measures well in advance to mitigate risks posed to its information system and internet network. Risk management is not only useful for existing information systems but can also be useful in mitigating risks associated with systems that the organization is developing. It is very difficult for an organization to achieve success if it does not implement a strategy for assessing and mitigating risks that affect its long and short term sustainability (Pimchangthong & Boonjing, 2017). A risk assessment and mitigation strategy enhances economic efficiency and minimizes enterprise risks. Risk management will enable Heavy Metal Engineering to identify, manage and control risks that threaten its information assurance strategy objectives, and involves theories, practices and policies which would assist the company to identify, manage and undertake risk mitigation effectively (Moeini & Rivard, 2019).
Information assurance risk management will enable Heavy Metal Engineering to face uncertainty in its operating environment. Risk management is critical to Heavy Metal Engineering's information security program and would enable the organization to identify the best framework, which would enable it to select the most appropriate mitigation strategies for risks to its information system (Coronado, 2015). This would enable the organization to protect its assets as well as its employees. Risk management will enable Heavy Metal Engineering to identify mitigation strategies which will enable it to achieve its strategic goals and objectives. Risk management will enable the organization to identify the most vulnerable areas, which would enable it to identify mitigation strategies for those risky areas. Both technical and human factors must be taken into account in developing the entire security network framework. Monitoring and management of information system threats should be done continually (Moeini & Rivard, 2019).
Risks could be measured through the adoption of principles that are fundamental, analyzing them and evaluating factors that are connected to a particular occurrence. Security measures which are translated from a methodology can be used to mitigate risks in the organization. Methodologies usually contain security approaches applicable to executive orders, policies, regulations and applicable standards. No single risk management process applies to all organizations. Each organization develops its own risk management process, which is unique and different from that applied by other organizations (Moeini & Rivard, 2019).
Heavy Metal Engineering should choose a risk management process applicable to its environment and include a continuous cycle which ensures it is monitored at all times. The processes of risk management are related to the information security of a company. Risk assessment, risk mitigation, and evaluation and assessment are processes that are critical in risk management (Sosin, 2018). It is difficult to assess the impact of a risk on the company's business without developing criteria for evaluating risks. The criteria indicate the level of damage caused by a risk and the cost of mitigating it (Coronado, 2015). Heavy Metal Engineering should identify the scope, limitations and constraints of assessing risks. Qualitative and quantitative approaches should be used in risk assessment. Information, people, processes and technologies form the first phase of the risk management process. Organizations normally use a risk matrix approach since it measures the likelihood of occurrence of each risk identified and the potential impact of the risk should it occur (Ludwig & Mattedi, 2018).
Several control measures could be implemented to manage risks. These measures could include application controls such as input of data and information controls and processing controls. These controls ensure data and information is accurate and the system is not tampered with. Disaster recovery planning is also another mitigation strategy (Öbrand, Holmström & Mathiassen, 2018). These measures ensure that after a disaster the company will be able to restore its computing services. These measures could be preventive, detective or replacive in nature. The other mitigating strategy could be outsourcing of security services. Heavy Metal Engineering could decide to outsource its security since it may be cheaper and it enables sharing of risks among others (Öbrand, Holmström & Mathiassen, 2018).
Figure 1 below provides a risk matrix template that Heavy Metal Engineering could use to manage its risks.
Severity of risk increases from left to right across the columns; likelihood increases from top to bottom down the rows.

| Likelihood \ Severity | 1 | 2 | 3 |
|---|---|---|---|
| 1 | Low Risk | Low Risk | Medium Risk |
| 2 | Low Risk | Medium Risk | High Risk |
| 3 | Medium Risk | High Risk | High Risk |
Figure 1. Risk matrix template that Heavy Metal Engineering could use
Any risk that is classified as low can be accepted, as it is unlikely to occur and its effect on the company is low. Risks classified as medium should be mitigated since they can negatively impact the outcomes of the business. Risks classified as high are risks that could lead to a major disaster. Such risks should be avoided at all costs, or a third party such as an insurance company should be contacted to assume the risk on behalf of the company (Ludwig & Mattedi, 2018).
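As an added illustration that is not part of the original paper, the following Python encodes the Figure 1 matrix and the accept/mitigate/avoid-or-transfer rule above, checks that the matrix is internally consistent (a higher likelihood or severity never yields a lower band), and triages a constructed risk register drawn from the threats discussed earlier; the register entries and their scores are assumptions for illustration only.

```python
"""Risk-matrix triage for an information assurance risk register.

Added example (not part of the original paper): the 3x3 likelihood x
severity matrix of Figure 1 plus the treatment rule the paper gives per
band, applied to a constructed register of the kind HME would maintain.
"""
from __future__ import annotations

from dataclasses import dataclass

# Figure 1 as written: outer key is likelihood (1-3), inner key is severity (1-3).
RISK_MATRIX: dict[int, dict[int, str]] = {
    1: {1: "Low", 2: "Low", 3: "Medium"},
    2: {1: "Low", 2: "Medium", 3: "High"},
    3: {1: "Medium", 2: "High", 3: "High"},
}

# Treatment per band, as the paper interprets Figure 1.
TREATMENT = {
    "Low": "accept",
    "Medium": "mitigate",
    "High": "avoid or transfer (e.g. insure)",
}

# Used to order the register (highest band first).
BAND_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (unlikely) .. 3 (likely)
    severity: int    # 1 (minor) .. 3 (major)


def classify(likelihood: int, severity: int) -> str:
    """Return the Figure 1 band; reject out-of-range scores instead of clamping."""
    if likelihood not in RISK_MATRIX or severity not in RISK_MATRIX[likelihood]:
        raise ValueError(f"scores must be 1..3, got L={likelihood} S={severity}")
    return RISK_MATRIX[likelihood][severity]


def validate_matrix(matrix: dict[int, dict[int, str]]) -> bool:
    """Check that increasing likelihood or severity never lowers the band."""
    for lik, row in matrix.items():
        for sev, band in row.items():
            rank = BAND_RANK[band]
            if lik + 1 in matrix and BAND_RANK[matrix[lik + 1][sev]] < rank:
                return False
            if sev + 1 in row and BAND_RANK[row[sev + 1]] < rank:
                return False
    return True


def triage(register: list[Risk]) -> list[tuple[str, str, str]]:
    """Return (name, band, treatment) for every risk, highest band first.

    Ties within a band are broken by severity, then likelihood, so the
    entries with the largest potential impact surface first.
    """
    scored = []
    for r in register:
        band = classify(r.likelihood, r.severity)
        key = (BAND_RANK[band], r.severity, r.likelihood)
        scored.append((key, (r.name, band, TREATMENT[band])))
    scored.sort(key=lambda item: item[0], reverse=True)
    return [row for _, row in scored]


def band_counts(register: list[Risk]) -> dict[str, int]:
    """Count register entries per band (all three bands always present)."""
    counts = {band: 0 for band in BAND_RANK}
    for r in register:
        counts[classify(r.likelihood, r.severity)] += 1
    return counts


# Constructed sample register (assumed scores, for illustration only).
SAMPLE_REGISTER = [
    Risk("Virus outbreak on shop-floor workstations", likelihood=3, severity=3),
    Risk("Phishing of finance staff", likelihood=3, severity=2),
    Risk("Spam to corporate mailboxes", likelihood=3, severity=1),
    Risk("Earthquake at the NY corporate office", likelihood=1, severity=3),
    Risk("Sniffing on the guest Wi-Fi", likelihood=2, severity=2),
    Risk("Flaming on the company's public forum", likelihood=2, severity=1),
]

if __name__ == "__main__":
    assert validate_matrix(RISK_MATRIX)
    for name, band, treatment in triage(SAMPLE_REGISTER):
        print(f"{band:<7} {treatment:<34} {name}")
```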
Recommended Accrediting Body to Make IA Part of the Culture
For the sake of credibility, Heavy Metal Engineering should seek to be ISO 27001 certified. This is a certification that is provided by ISOQAR Inc., an accredited certification body incorporated in the United States of America in 1994, about 26 years ago. This is an accreditation body that has depth and experience in certification. ISO 27001 is specific to information security management and applies to all sectors of industry and commerce. Certification does not only relate to information contained in computers but addresses the security of company information in totality and in every form in which information is transmitted, stored or retrieved (Šikman, Latinović & Paspalj, 2019).
The organization will be appropriately protected if it gets ISO 27001 certified, as the focus will be on information in paper format, electronically stored, transmitted verbally, through films or videos, by post or email, among other forms. Information security policies, organization of information security, human resources security, physical and environmental security and cryptography are some of the ISO 27001 controls and control objectives which will be subject to quality audit and assessment. In total, fifteen information security areas will be included in the controls and control objectives (Topa & Karyda, 2019). If the organization is certified, then it will have addressed all areas involved in system assurance. The most critical part is that this process is repeated annually to ensure the organization is in compliance with its information assurance procedures. If it is in compliance, its certification is renewed; if not, it is given some time to address any non-conformance issues, and when they are addressed successfully the certification is renewed. In that way it will become the culture of the organization (Topa & Karyda, 2019).
Incident Response and Disaster Recovery Plan
This involves the methods that the organization will use to ensure it recovers in the event of an intrusion or a disaster occurrence. The organization should prepare a set of policies and procedures aimed at protecting the company from negative effects of natural disasters and intrusion by unauthorized persons (Yang, Yuan & Huang, 2015).
This process is part of business continuity management and it involves preventive measures, measures that are replacive and those that are detective. An incident response and disaster recovery plan should have a purpose, set out the responsibilities of various parties, the scope of activities, mechanisms for disaster recovery, critical assets that need to be protected, procedures applicable for disaster recovery and key contacts in case the system fails (Yang, Yuan & Huang, 2015). The organization should consider security outsourcing, as it is cheaper and also ideal if the organization has capacity constraints. It also enables the organization to share liability in the event of a disaster or intrusion. It is also good for better control of risks, among other benefits (El-Temtamy, Majdalawieh & Pumphrey, 2016).
Conclusion
A comprehensive information assurance strategy is very critical for an organization such as Heavy Metal Engineering to succeed in the current competitive business environment. This report provides the basic components of an assurance plan, which include confidentiality, integrity, nonrepudiation, authentication and availability, and the sub-domains of information assurance, which include information protection, information security and cybersecurity. The report highlights risk analysis and mitigation processes, including a risk matrix that can be used to classify risks. The report ends with a description of the incident response and disaster recovery plan that can be implemented by the company.
References
Ahmad, Z., Thian, S. O., Tze, H. L., & Norhashim, M. (2019). Security monitoring and information security assurance behaviour among employees. Information and Computer Security, 27(2), 165-188. https://doi.org/10.1108/ICS-10-2017-0073
Cambou, B., Flikkema, P. G., Palmer, J., Telesca, D., & Philabaum, C. (2018). Can ternary computing improve information assurance? Cryptography, 2(1). https://doi.org/10.3390/cryptography2010006
Coronado, A. S. (2015). Information assurance for the enterprise: A roadmap to information security. Journal of Information Privacy & Security, 11(4), 274-275. https://doi.org/10.1080/15536548.2015.1105662
El-Temtamy, O., Majdalawieh, M., & Pumphrey, L. (2016). Assessing IT disaster recovery plans. Information and Computer Security, 24(5), 514-533. https://doi.org/10.1108/ICS-04-2016-0030
Ludwig, L., & Mattedi, M. A. (2018). The information and communication technologies in the risk management of social and environmental disasters. Ambiente & Sociedade, 21. https://doi.org/10.1590/1809-4422asoc0103r4vu18l1ao
Moeini, M., & Rivard, S. (2019). Sublating tensions in the IT project risk management literature: A model of the relative performance of intuition and deliberate analysis for risk assessment. Journal of the Association for Information Systems, 20(3), 243-284. https://doi.org/10.17705/1jais.00535
Mourad, M. (2017). Quality assurance as a driver of information management strategy. Journal of Enterprise Information Management, 30(5), 779-794. https://doi.org/10.1108/JEIM-06-2016-0104
Öbrand, L., Holmström, J., & Mathiassen, L. (2018). Between a rock and a hard place: Facing dilemmas in IT risk management. JITTA: Journal of Information Technology Theory and Application, 19(3), 22-43. Retrieved from https://search.proquest.com/docview/2261001301?accountid=45049
Pimchangthong, D., & Boonjing, V. (2017). Effects of risk management practices on IT project success. Management and Production Engineering Review, 8(1), 30-37. https://doi.org/10.1515/mper-2017-0004
Šikman, L., Latinović, T., & Paspalj, D. (2019). ISO 27001 - Information systems security, development, trends, technical and economic challenges. Annals of the Faculty of Engineering Hunedoara, 17(4), 45-48. Retrieved from https://search.proquest.com/docview/2344260662?accountid=45049
Sosin, A. (2018). How to increase the information assurance in the information age. Journal of Defense Resources Management, 9(1), 45-57. Retrieved from https://search.proquest.com/docview/2178518357?accountid=45049
Topa, I., & Karyda, M. (2019). From theory to practice: Guidelines for enhancing information security management. Information and Computer Security, 27(3), 326-342. https://doi.org/10.1108/ICS-09-2018-0108
Yang, C., Yuan, B. J. C., & Huang, C. (2015). Key determinant derivations for information technology disaster recovery site selection by the multi-criterion decision making method. Sustainability, 7(5), 6149-6188. https://doi.org/10.3390/su7056149