Tuesday, May 5, 2020
Emergency Management And Homeland Security - Myassignmenthelp.Com
Question: Discuss about emergency management and homeland security.

Answer:

Introduction

The aim of this report is to provide guidance to the A4A organisation on the processing and storage of the data that is about to be stored in its information systems. Its scope is a security risk management approach for protecting the confidentiality, integrity and availability of the information held in those systems. A4A is a non-governmental organisation that is about to transform its existing system into an information system, which means that a large volume of data and information will be uploaded into a database. This is a major transformation: it will include outsourcing of systems to other organisations and, for the larger storage space needed, the use of cloud storage. Both could give rise to security issues for A4A's operational activities and for the data of its employees and of the people seeking to join the organisation. This report sets out guidelines that can help A4A achieve information security for this data in a better and more efficient way. The risk assessment process has several steps, which are explained below.

Applicable Policy

The Australian Government's policy for the security of information is promulgated through the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF). Several mandatory requirements within the PSPF are relevant to the handling of A4A information (Sylves 2014). A4A can achieve effective information security for the information it is about to store about its members and operational activities only if security becomes part of A4A's culture, operations and business plans. This implies that A4A should not treat protective security as an afterthought but should build it into its governance processes.
The organisation should proactively identify, manage and mitigate the security risks associated with the information storage system at the earliest possible stage.

Australian Privacy Law

The thirteen Australian Privacy Principles (APPs) included in the Privacy Act 1988 (Cth) regulate the handling of personal information by A4A (Arregui, Maynard and Ahmad 2016). A4A should determine which of the information it holds is personal information and handle that information in accordance with the APPs.

Privacy Legislation

The pieces of legislation applicable to this policy are the Freedom of Information Act 1982, the Privacy Act 1988 and the Archives Act 1983 (Zetler 2015).

Risk Assessment Framework

This is a set of guidelines for the risk assessment process, based on the existing frameworks defined in the Australian Standard AS/NZS ISO 31000:2009 Risk management - Principles and guidelines and the handbook HB 167:2006 Security risk management. Risk assessment is a subjective process, and A4A should ensure that its process is justifiable, documented and transparent (Saint-Germain 2005). A structured assessment serves several objectives: first, identifying the level of risk tolerance; second, identifying the specific risks to employees, assets and the information stored in the system; and third, identifying the appropriate protection to mitigate the risks identified.

Applying ISO 31000

The risk assessment process should be consistent with the existing standards.
To manage the risk assessment successfully, the whole process can be divided into five key steps (Draper and Ritchie 2014):

Establishment of the context: define the external and internal influences that can directly or indirectly affect implementation of the arrangement.

Identification of the risks: develop a robust list of the identified risks that could affect the successful implementation of this arrangement.

Assessment of the identified risks: analyse the list of identified risks against the organisation's likelihood and impact criteria and its tolerances.

Selection of proper treatments: choose risk treatment strategies appropriate for A4A, including the controls for the identified risks.

Development of the overall risk assessment: the final step summarises the output for each identified risk together with the mitigating measures or controls, across all the risk categories.

Figure 1: Risk Assessment Process (Source: Created by Author). The figure shows the stages Establish context, Identify risk, Analyse risk, Evaluate risks and Control risks in sequence, with Consultation and communication and Monitor and review running alongside every stage.

Establish the Context

The assessment process to be implemented for A4A's system must address the security, organisational and strategic risk management contexts so that all existing risks are covered. The security risk assessment covers all facets of the organisation's functions and activities (Whitman and Mattord 2013). For a risk management system to succeed, it must be appropriate to the prevailing and emerging risk environment. Establishing the context is critical because it provides the platform on which all the other risk assessment activities are conducted.
How to Determine A4A's Context

A4A's context is the internal environment in which the organisation seeks to achieve its goals. It includes the following:

A4A's organisational structure, governance, accountabilities, responsibilities and roles.

The extent and nature of its contractual relationships (Wensveen 2016).

The culture of A4A, including its security culture.

Its policies and objectives, and the strategies adopted to achieve them.

The perceptions and values of, and relationships with, internal stakeholders.

The models, guidelines and standards adopted by the organisation.

Lastly, information flows, decision-making processes and information systems.

The Strategic Context of Outsourcing

A4A must consider the aspects of the strategic context that are relevant to its situation; these become factors in the risk assessment process. They include, first, the relevant Australian legislation, regulation and policy for safeguarding information about A4A's operational activities (Peppard and Ward 2016); second, the potential for access to the information under foreign laws and other jurisdictions; and third, the potential benefits of the offshoring or outsourcing arrangements being put in place to manage the systems to be installed.

Identifying Risk

Risk identification is used to determine comprehensively the applicable sources of risk and the events that have the potential to affect A4A's business. Each identified issue should be described fully so that decision makers understand exactly what it is about.
A4A's risk management team should determine the risks to the availability, integrity and confidentiality of the types of data to be saved in the information system, including the personal information of employees and the operational data (Webb et al. 2014). As AS/NZS 4360:2004 puts it, risk is "the chance of something happening that will have an impact on objectives".

How to Determine Agency Risk Tolerance

Figure 2: Risk Tolerance (Source: Created by author). The figure plots increasing risk against a threshold: below it lies tolerable risk, which is the scope within which A4A operates; above it lies intolerable risk.

This determination is made during the establish-the-context phase of the risk assessment process. Risk tolerance depends entirely on A4A's organisational context and on the heads of A4A. The tolerance level can be stated as the sum of A4A's risk appetite. Risk tolerance is based on the principle of managing risk to the lowest reasonably practicable level while still allowing scope for innovation and flexibility in business practices. Boyens et al. (2014) state that it can change when the evaluation criteria change, which implies that the risk appetite of the head of A4A is variable and can depend on: first, prevailing community and political expectations and sensitivities; second, the nature of security incidents, such as hacking or terrorist attack; and third, the existence or emergence of security trends such as cyber-attacks, data breaches and trusted insiders. Other factors may be business or strategic priorities, the ability of the government, the individual or the organisation to compensate for losses and, last but not least, the availability of resources for treatment.

Questions to Consider When Determining Risks within the Cloud Context

To establish the context for risk management it is necessary to understand the nature of the vulnerabilities, the criticality of the information and the relevant potential threats.
The questions that can be used to facilitate this include (Rebollo et al. 2015):

What is the aggregated value of the information holdings to A4A?

How would the integrity, availability and confidentiality of A4A's information be affected?

What would an unintended disclosure look like?

What would an event or incident look like?

How might outsourcing affect A4A's information, including the sources of risk and the related threats?

How much would losing the information affect A4A?

A4A can draw on its individual security plans when looking for information relevant to risk identification, since they already contain information on the security of the information.

Potential Threats When Outsourcing Information

Data loss: data may be permanently deleted or lost as a result of malicious activity or by accident.

Data breaches: information that is very sensitive for the organisation could be leaked, stolen or manipulated by an unauthorised user (Peltier 2016).

Service traffic or account hijacking: another potential threat, in which external entities eavesdrop on operational activities, manipulate data and transactions, and return falsified information, typically by way of phishing or fraud.

DoS (denial of service): this attack can block users from accessing their application or data, affecting both the organisation and its consumers.

Insecure APIs (application programming interfaces) and interfaces: vulnerable interfaces may be exploited, maliciously or accidentally, to circumvent security processes.

Malicious insider: a contractor, former employee or other business partner who has or had authorised access to A4A's network can be a threat (Dhillon, Syed and de Sá-Soares 2017).
This access can be misused for personal gain or profit, to the detriment of the organisation.

Insufficient due diligence: implementing cloud services in A4A's system without understanding the vulnerabilities and weaknesses the implementation introduces.

Shared technology vulnerabilities: cloud infrastructure components such as GPUs and CPU caches are vulnerable under scalable sharing practices if they were not designed for a multi-tenant architecture.

Mapping Risks

To understand the impact of the identified risks fully, proper emphasis should be placed on the vulnerabilities or causes through which the identified risks could harm the organisation. To inform the risk assessment, it is essential to gauge the likelihood and the consequences of the risk events. Mapping risks helps to divide the risks into categories according to their priority, which guides the allocation of resources to mitigate the identified risks (Beckers et al. 2013). Several factors should be considered when mapping risks: the areas of the organisation affected by the risk, how frequently the risk occurs, the outcome if the risk eventuates, the individuals who will be affected by the occurrence of the risk event and, lastly, the stakeholders involved in the risk assessment and the impact of the risks on them.

Assessing Risk

Once the relevant risks have been identified, the assessment process is used to determine the level of each risk. There should be a holistic evaluation of the likelihood of the risk occurring, of the acceptable level of tolerance (as shown in Figure 2) and of the consequences of the identified risk events (Oppliger, Pernul and Katsikas 2017).
To address the likelihood and consequence levels, the effectiveness of controls and the sources of the risk events should be properly considered. The risk assessment takes into account the level of control and oversight the organisation has over the management of its information. For example, A4A's confidential information about employees and operational activities can be assessed in relation to its integrity, availability and confidentiality, including the effect of aggregation (Soomro, Shah and Ahmed 2016). The assessment should be based on the potential impact of the risks on A4A in the areas mentioned above, including all the stakeholders who might be affected.

Guidance on Determining Potential Consequences

This step depends entirely on the profile of the information to be stored in A4A's information system. Information about donors, sensitive employee information such as bank account numbers and social security numbers, all transactional information and much else is about to be stored in A4A's information system (Albakri et al. 2014). Exposure of such information would create privacy and security issues for the individuals connected with A4A.

Evaluating the Risks

Evaluating the risks of unintended exposure of information about operational activities and employee data involves considering those risks in the context of the potential treatment options and A4A's risk tolerance (Yang, Shieh and Tzeng 2013). In many circumstances, unauthorised exposure of or access to the information stored in the system can be quantified almost entirely in financial terms on the basis of the resulting loss of revenue, which reduces it to a matter of financial calculation.
However, A4A can also consider a wide range of other factors, including the impact on the organisation's reputation of the exposure of sensitive information or the loss of data about employees and operational activities (Feng, Wang and Li 2014). These factors make the calculation of risk levels more complex, and acceptance of the result rests with the head of the organisation.

How to Consider Potential Risk Treatment Options

The security risks to the organisation cannot be eliminated completely, but they can be reduced to a tolerable level, since security can never be absolute. The aim, therefore, is to bring the threats within tolerance; in particular, the selection of risk treatments for the systems being introduced to store information should be proportionate to the rating assigned to each identified risk (Raghupathi and Raghupathi 2014). This can be organised as a six-step process in which A4A: first, prioritises the intolerable risks; second, establishes the treatment objectives; third, identifies and develops treatment options; fourth, evaluates the treatment options; fifth, details the design and review of the selected options, including the management of residual risk; and sixth, communicates and implements them.

Communication and Consultation

A consultation and communication management plan should be established at a very early stage of the risk assessment, to determine what will be communicated to internal and external stakeholders and how (Itradat et al. 2014).
Proper and effective communication and consultation during the risk assessment helps to ensure that those responsible for its successful implementation, and those with a stake in the process, understand what decisions need to be made in order to assess the identified risks and improve the organisation's performance. Risks that could potentially affect the organisation should be communicated clearly during the risk assessment, particularly where they relate to A4A's employees. The perceptions of stakeholders are also very important when communicating the identified risks during the risk management process.

Risk Monitoring and Review

This is another important guideline for information security risk management. The following questions should be considered in this process:

Does the transformation from a manual system to technology-based operations have a continuous monitoring programme, and do the cloud vendors have one (Layton 2016)?

Can the controls and their implementation strategy play an effective role, for example tokenisation and encryption of files before they are saved to the cloud or the database?

Are the controls or processes being introduced cost-effective and efficient, taking into account other measures that might be applicable to reduce the threat?

Do the introduced controls and changes comply with the legal requirements (Baskerville, Spagnoletti and Kim 2014)? For example, does the cloud solution meet the legislative requirements of Australia?

Documenting the Risk Assessment and Risk Treatment

At the final stage, A4A management should document all the considered, calculated and accepted security risks associated with the changes about to be made within the organisation (Haufe, Dzombeta and Brandis 2014).
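Added example, not part of the original report: one way to apply the tokenisation control named above before employee records are handed to an outsourced store, using only the Python standard library. The field names, the role name "payments", the token format and the sample records are assumptions made for this example; the vault is an in-memory stand-in for whatever on-premises store A4A would actually use. The point it demonstrates is that the serialised payload that crosses the outsourcing boundary contains no raw account numbers, so a breach at the provider exposes only opaque tokens, while detokenisation stays behind a role check inside A4A.

```python
"""Tokenise sensitive fields before a record leaves A4A for an outsourced store.

Added example, not the report's own code. Field names, roles and records are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict, List, Tuple

# Fields the risk assessment classed as sensitive (assumed for this example).
SENSITIVE_FIELDS = ("bank_account", "social_security_number")


class TokenVault:
    """On-premises mapping from opaque tokens to original values.

    Only tokens travel to the outsourced store; the vault itself never leaves
    A4A's environment, so it becomes the asset that must be protected.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}
        # Index keyed on a keyed hash of the value, so the same value always
        # maps to the same token (records stay joinable) without the vault
        # holding a second plaintext copy of every value in the index.
        self._index: Dict[str, str] = {}
        self._index_key = secrets.token_bytes(32)

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._index.get(fp)
        if token is None:
            # Random tokens carry no information about the value they replace.
            token = "tok_" + secrets.token_urlsafe(16)
            self._store[token] = value
            self._index[fp] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Least privilege: only the (assumed) payments role may recover raw values.
        if caller_role != "payments":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._store[token]


def tokenize_record(record: Dict[str, Any], vault: TokenVault) -> Dict[str, Any]:
    """Return a copy of `record` with every sensitive field replaced by a token."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field) is not None:
            out[field] = vault.tokenize(str(out[field]))
    return out


def leaks_sensitive_values(payload: str, originals: List[Dict[str, Any]]) -> bool:
    """True if any raw sensitive value still appears in the outbound payload."""
    return any(
        str(rec[field]) in payload
        for rec in originals
        for field in SENSITIVE_FIELDS
        if rec.get(field) is not None
    )


def prepare_for_cloud(records: List[Dict[str, Any]], vault: TokenVault) -> Tuple[List[Dict[str, Any]], str]:
    """Tokenise records and serialise the payload destined for the outsourced store.

    Refuses to return a payload that still contains a raw sensitive value.
    """
    tokenised = [tokenize_record(r, vault) for r in records]
    payload = json.dumps(tokenised)
    if leaks_sensitive_values(payload, records):
        raise RuntimeError("refusing to export: raw sensitive value in payload")
    return tokenised, payload


# Constructed sample records for the example, not real data.
SAMPLE_RECORDS = [
    {"employee_id": 1001, "name": "A. Example",
     "bank_account": "062000-12345678", "social_security_number": "123-45-6789"},
    {"employee_id": 1002, "name": "B. Example",
     "bank_account": "062000-12345678", "social_security_number": None},
]

if __name__ == "__main__":
    vault = TokenVault()
    tokenised, payload = prepare_for_cloud(SAMPLE_RECORDS, vault)
    print(payload)
    print(vault.detokenize(tokenised[0]["bank_account"], "payments"))
```

The deterministic mapping (same value, same token) is a deliberate choice so that reports at the provider can still group records by account; if that is not needed, dropping the HMAC index and issuing a fresh random token per occurrence leaks even less. Tokenisation does not remove the need to encrypt the vault at rest and to log every detokenise call, since the vault is now the single place where the raw values can be recovered.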
Approval Process

The delegates and the heads of the organisation need to consider the risk assessment before transforming the whole system. Ultimately, this means that the head of A4A is also responsible for managing risk in the organisation, and for understanding and accepting the risks that arise through the transformation, outsourcing and cloud integration of the system (Luthra et al. 2014).

Conclusion

On the basis of the above report, it can be concluded that a proper management process is needed to enhance the information security of an organisation. The guidelines stated above can play a very important role in managing the information and data stored in the system and keeping it protected from unauthorised users, who could cause serious damage by exposing, manipulating or deleting the saved data. Cybercrime is one of the most important information security issues, and these guidelines can help protect the organisation's assets from such intruders. In addition to the above guidelines, it is recommended that access to information be divided into levels based on the authorisation attached to each role. This helps in two ways: individuals in more senior roles can monitor the access of those in more junior roles, and confidential information is better protected. Through the guidelines set out above, A4A can reduce the risks to its information to a tolerable level and protect itself from loss.

References:

Albakri, S.H., Shanmugam, B., Samy, G.N., Idris, N.B. and Ahmed, A., 2014. Security risk assessment framework for cloud computing environments. Security and Communication Networks, 7(11), pp.2114-2124.

Arregui, D.A., Maynard, S.B. and Ahmad, A., 2016. Mitigating BYOD Information Security Risks.

Baskerville, R., Spagnoletti, P. and Kim, J., 2014.
Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), pp.138-151.

Beckers, K., Côté, I., Faßbender, S., Heisel, M. and Hofbauer, S., 2013. A pattern-based method for establishing a cloud-specific information security management system. Requirements Engineering, 18(4), pp.343-395.

Boyens, J., Paulsen, C., Moorthy, R., Bartol, N. and Shankles, S.A., 2014. Supply chain risk management practices for federal information systems and organizations. NIST Special Publication 800-161.

Dhillon, G., Syed, R. and de Sá-Soares, F., 2017. Information security concerns in IT outsourcing: Identifying (in)congruence between clients and vendors. Information & Management, 54(4), pp.452-464.

Draper, R. and Ritchie, J., 2014. Principles of security management: Applying the lessons from crime prevention science. Professional Practice in Crime Prevention and Security Management, p.91.

Feng, N., Wang, H.J. and Li, M., 2014. A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information Sciences, 256, pp.57-73.

Haufe, K., Dzombeta, S. and Brandis, K., 2014. Proposal for a security management in cloud computing for health care. The Scientific World Journal, 2014.

Itradat, A., Sultan, S., Al-Junaidi, M., Qaffaf, R., Mashal, F. and Daas, F., 2014. Developing an ISO27001 Information Security Management System for an Educational Institute: Hashemite University as a Case Study. Jordan Journal of Mechanical and Industrial Engineering, 8(2).

Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. CRC Press.

Luthra, R., Lombardo, J.A., Wang, T.Y., Gresh, M. and Brusowankin, D., Citibank, N.A., 2014. Corporate infrastructure management system. U.S. Patent 8,706,692.

Oppliger, R., Pernul, G. and Katsikas, S., 2017. New Frontiers: Assessing and Managing Security Risks. Computer, 50(4), pp.48-51.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Peppard, J. and Ward, J., 2016. The strategic management of information systems: Building a digital strategy. John Wiley & Sons.

Raghupathi, W. and Raghupathi, V., 2014. Big data analytics in healthcare: promise and potential. Health Information Science and Systems, 2(1), p.3.

Rebollo, O., Mellado, D., Fernández-Medina, E. and Mouratidis, H., 2015. Empirical evaluation of a cloud computing information security governance framework. Information and Software Technology, 58, pp.44-57.

Saint-Germain, R., 2005. Information security management best practice based on ISO/IEC 17799. Information Management, 39(4), p.60.

Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.

Sylves, R., 2014. Disaster policy and politics: Emergency management and homeland security. CQ Press.

Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & Security, 44, pp.1-15.

Wensveen, J.G., 2016. Air transportation: A management perspective. Routledge.

Whitman, M. and Mattord, H., 2013. Management of information security. Nelson Education.

Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 232, pp.482-500.

Zetler, J.A., 2015. The legal and ethical implications of electronic patient health records and e-health on Australian privacy and confidentiality law.