IS Security and Risk Management-Free-Samples-Myassignmenthelp.com

Question: Discuss about the Sinificance of IS Security and Risk Management. Answer: Introduction The information security is significant in organization in the areas such as the record keeping, as well as on the financial uses. The IT security could help organization in solving the requirements of the clients particularly in the management of their personal information, the data as well as the security information (Ali, 2014). These are the challenges which are encountered by the organization particularly in the management of the data so that it does not fall in the hands of the unauthorized individuals or perhaps the hackers. An effective IT security management system help in the reduction of the risk when there are crisis in the organization. The organization should understand the IT security to enable them overcome the challenges (Ali, 2014). Additionally, organization should have policies when it comes to securing of their data so that it could be safe (Ross, 2013). In this research it intends to answer the question on how the information technology security could be enforce d in the organization. Additionally, the essay will look at the main content of the IT security policy, and how it is determined (Bergstrm hlfeldt, 2014). The essay will be focused on the E-Bay organization. Other components that will be looked are the IT model for the organization, the security standards and the control, risk analysis and contingency planning. Lastly, it will focus on the analysis of the IT threats, vulnerabilities and tools. Key Terms Identification Protocols: These are often described in an industry or perhaps the international standard such as the TCP/IP protocols that uses the set rules to exchange the message with the other internet points at the data packet levels. Contingency: This is a plan which is set in place to prevent any shortcoming which may occur in the future. Standards: These are definite rules, principles or perhaps the measures which have been established to guide the organization against the risk that could occur. Overview of E-bay organization This is a multinational e-commerce corporation, which help the online consumer to consumer as well as the business to consumer sales (Chen, 2009). The organization manages eBay.com which is an online shopping portal that helps the people and the businesses to buy and sell goods and services globally (Bergstrm hlfeldt, 2014). In addition to its auction style sales, the website has expanded to Buy It Now shopping. Over the years the company has become one of the best online retail business organization. Discussion of Policy and Auditing features for E-bay The organizations requires protection against the cyber-attack which entails to document the information technology security policy (Ross, 2013). Each and every employee need to understand their obligation in order to protect the organization data (Anton, Anderson Mesic, 2004). The workers should have a clear expectation about their behavior when it comes to interaction with the information of the organization sales (Chen, 2009). There is need to have an IT security policy that should be published, understandable as well as enforceable. The following are the main components of an information technology security policy for E-bay organization; Security definition: the E-bay IT security policy have a well-defined security vision for the organization which is to safeguard on the safety of the clients and that of the business which they operate with (Axelrod, Bayuk Schutzer, 2009). This security definition is meant to make certain there is confidentiality, integrity in addition to the accessibility to the data and the resources through the use of the effective and established information technology security methods and the process. Enforcement: on this part it evidently outlines precisely how the policy could be enforced and also precisely how the security breaches might be handled sales (Chen, 2009). Additionally, the chief data officer in addition to the information system security have the responsibility of implementing on these policy and ensuringtheir compliance (Bergstrm hlfeldt, 2014). In this section it includes the procedures to request short term exception to the policy. Additionally, all the exceptions to the policy needs to be reviewed and also approved or perhaps denied by the security officers concerned. The user access to the computer resources: on their policy it outlines the functions along with the responsibilities of the customers accessing the resources of the business especially to their website (Peltier, 2013). It could include things like the passwords, guidelines for the termination of the accounts, procedure for the threat notification and the security awareness training to the clients. Security profiles: E-bay has an excellent security policy including the data which recognizes precisely how the security profiles might be utilized uniformly throughout the common devices, such as the firewalls, proxy servers and the servers (Peltier, 2013). Passwords: The passwords are very critical aspects especially in protecting the infrastructure of the organization. They have higher passwords so that they do not compromise the organization especially the website to the external threats, and also the insiders (Duncan Whittington, 2014). The passwords such as the user log in details need to be strong not to be compromised through social engineering or the password cracking procedures. Email: in the security policy of the E-bay organization there is an email usage policy which is very important. There are several viruses, malware and the Trojans which could use the email as the vehicle in order to propagate themselves through the internet (Duncan Whittington, 2014). To prevent this there are content filtering email messages. These help to filter out attachments with the extensions of exe, .scr or perhaps .inf, which would help enhance on the prevention efforts. Backup and recovery: E-bay does a comprehensive back-up as well as a recovery plan in order to mitigate any incidents. The backup acts as the key for the past. E-bay has an effective backup as well as recovery plans which are established through the comprehensive risk assessments of all their systems on the networks. Logical map of organisational structure Figure 1: The diagram shows the model for the organization E-bay organization illustrates to how information systems could help the business to compete, and the interdependence of the processes of the business, information systems, and the organization surrounding environment (Bodin, Gordon Loeb, 2008). E-bay organization has been able to take advantage of the opportunities which have been presented by the internet. The company has been able to pioneer in the online auctions where people could sell to the others. E-bay operates in very changing environment where the clients can easily switch to the other online retailers who are providing more value and the convenience (Duncan Whittington, 2014). The company has been able to revise on their IT business model through acquiring other internet businesses, and then de-emphasizing online auctions in the favor of the fixed price sales (Chen, 2009). The above diagram shows the model which has been used by the organization to remain competitive in the market and be the best than the rival organiza tions. Discussion of Models and standards There are various security standards and controls which are observed by E-bay organization (Bodin, Gordon Loeb, 2008). One of the security standards which is implemented in the organization is ISO 17799 which defines the information as an assets which could exist in many forms and has a value to the organization. The goal for the information security would be suitably protect the assets of the organization to ensure that the continuity of the business, minimize on the damage of the business, and maximize on the return of the investments (Bodin, Gordon Loeb, 2008). As defined by the ISO 17799 the information security has been characterized as the preservation of the confidentiality which ensures that the information is accessible only to the individuals who have been authorized to have access. Additionally, to ensure integrity which ensure that safeguarding the accuracy and the completeness of the information and the methods of processing (Lam, 2014). Lastly, it focus on the availab ility, which ensures that the users who are authorized have the access to the data and associated assets when they are required. The ISO 17799 has offered E-bay organization a benchmark against which to build on the organizational information security. Moreover, it provides a mechanism to manage of the processes of the information security. Another security standards that is utilized by the organization is the ISO 27001 which is a security management specification (Bergstrm hlfeldt, 2014). It is a framework which is more often procedures as well as policies that entails the physical, legal as well as the controls in the organization information risk management process (PITAS, N?mec Souek, 2014). This ISO has provided the organization the benefit of proof for the security especially the third parties for the partners, customers and the legal aspects. Moreover, there is a reduced cost through the optimization of the structures and transparency. Some of the security control which have been implemented by the organization is authentication. The staff of the organization are required to pass the multi factor authentication before they gain access to the system (Sadgrove, 2016). This helps keep the data of the organization safe from exploit of any vulnerabilities from internal access or external access (Bergstrm hlfeldt, 2014). Another control is the audit trail. The organization have a server which records the IP addresses as well as the URLs for each of the access and they are able to retain such data for a given period of time as an audit trail (Kranakis, Haroutunian Shahbazian, 2008). There is also the application of cryptography where the data is stored in encrypted on all the devices. Discussion of Risk Analysis for E-bay E-bay organization has a given protocol on how to carry the risk analysis. One thing they highlight is to identify on the hazards. This is achieved through understanding of the various difference between the hazard and the risk. The second thing is to decide on what could have caused it and how (Bodin, Gordon Loeb, 2008). When the organization identifies the risk that have affected them they evaluate them and decide on the control measures. Some of the risk analysis aspect to evaluate on the risks the focus is on security and the networks protocols, which E-bay organization has implemented. One of the network protocol is the secure sockets layer (Bodin, Gordon Loeb, 2008). This is a cryptographic protocol which has been designed in order to secure the communications over the TCP/IP networks. The SSL protocol became the Transport Layer Security which is intended to provide a secure connections between the client and the server through encrypting of the data which is passed between t hem. The E-bay network has been encrypted so that any individual who do not have an accessibility to the network would not sniff the packets, reading the user names, passwords, or maybe the credit card information as well as other confidential data which is sent across the network. The company also observes the document protocol that is accountable for the compression, the encryption in addition to the verification of the data. The data which the business transmit is split into the data. Each of the record consist of the header byte, which is accompanied by protocol version, the length to which the information is to be sent, in addition to the payload itself. Analysis of business processes The contingency plan can be done on the worst case risks which could affect the organization. An example could be on the case when the business is not in a position of supporting itself particularly on their ongoing basis. There could be issues of the security concern for the business (Lam, 2014). On the contingency plan it contains various things such as the vendor readiness plan. Each and every organization relies on the vendors in providing them with equipment, supplies, goods as well as the services. Discussion of Vendors Some of the vendors could be regarded very critical than the others. To minimize on the potential exposure to the disruption by the vendors, there are various steps which the company takes in advance (Lam, 2014). One of the step would be to avoid a single source. The organization has many vendors which provide each of our critical goods as well as the services required to support the business. Example of the vendors for E-bay are WC and the Flipkart. These groups helps the sellers to sell their goods to the shoppers all across the globe. Depth of analysis of threat, vulnerabilities and tools The vulnerabilities in the E-bay organization network security could be summed as the soft spots which are present to every information technology network. The networks could be plugged into three categories; the technology, configuration or the security policy weaknesses. The technology have intrinsic security weaknesses. Some of the vulnerabilities which have affected E-bay organization are TCP/IP protocol weaknesses, the operating and the network equipment. When you look at the TCP protocol the HTTP, ICMP could be insecure. On the operating system the OS could have security issues which needs to be addressed (Lam, 2014). The network equipment weaknesses highlights that the various kind of the networks equipments such as the routers, the firewalls have the security concerns and should be recognized in order to protect against. Some of the threats which the organization has encountered is the social engineering. This has occurred where the attackers have been able to obtain the data from the individuals accounts or the organization to use it for the malicious purpose (Lam, 2014). One kind of the social engineering that has been used by the attacker is phishing. The attackers use the email in an attempt to trick individuals into providing their sensitive data, for example the credit card numbers or perhaps the passwords. One of the tool that has been used for attack to obtain the customer information is the keylogger. This tool enables one to know everything which the user writes through the keyboard, and it can capture on the screens. The organization usually uses the integrated sales as well as the purchases system therefore the staff inputs data into the system which could pose a risk to occur. References Ali, S. M. (2014). Integration of information security essential controls into information technology infrastructure library-A proposed framework. International Journal of Applied, 4(1). Anton, P., Anderson, R., Mesic, R. (2004).Finding and Fixing Vulnerabilities in Information Systems. Santa Monica: RAND Corporation. Axelrod, C., Bayuk, J., Schutzer, D. (2009).Enterprise information security and privacy. Boston: Artech House. Bergstrm, E., hlfeldt, R. M. (2014, October). Information classification issues. In Nordic Conference on Secure IT Systems (pp. 27-41). Springer, Cham. Bodin, L. D., Gordon, L. A., Loeb, M. P. (2008). Information security and risk management.Communications of the ACM, 51(4), 64-68. Chen, T. M. (2009). Information security and risk management. In Encyclopedia of MultimediaTechnology and Networking, Second Edition (pp. 668-674). IGI Global. Duncan, B., Whittington, M. (2014, September). Compliance with standards, assurance and audit: Does this equal security?. In Proceedings of the 7th International Conference on Security of Information and Networks (p. 77). ACM. Kranakis, E., Haroutunian, E., Shahbazian, E. (2008).Aspects of Network and Information Security. Amsterdam: IOS Press. Lam, J. (2014). Enterprise risk management: from incentives to controls. John Wiley Sons. Peltier, T. R. (2013). Information security fundamentals. CRC Press. PITAS, J., N?mec, V., Souek, R. (2014). Mutual Influence of Management Processes of Stakeholders and Risk Management in Cyber Security Environment. In The 18th World Multi-Conference on Systemics, Cybernetics and Informatics. Orlando, Florida: International Institute of Informatics and Systemics (Vol. 2, pp. 94-97). Ross, R. S. (2013). Security and Privacy Controls for Federal Information Systems andOrganizations [includes updates as of 5/7/13]. Special Publication (NIST SP)-800-53 Rev 4. Sadgrove, K. (2016). The complete guide to business risk management. Routledge. Vacca, J. (2014).Network and system security. Waltham, MA: Syngress.