
Assessment Description:

The main objective of information security frameworks is to lower the level of risk, reducing the possibility of a vulnerability and making the company more secure. The framework shows the details of the daily procedures to reduce exposure to risk.

Refer to your “Conduct a Risk Assessment” assignment from CYB-650, the “Develop a Business Impact Analysis Parts 1-3” assignments from CYB-630, and the “Business Continuity Plan” from the Topic 1 assignment.


Create a 12- to 14-slide digital presentation that demonstrates how to implement a security framework to identify and close gaps between an organization’s current cybersecurity status and its future target cybersecurity status. Make sure to align to an appropriate regulation (e.g., PCI DSS, HITECH, HIPAA, SOX, GLBA, or GDPR) and address the following:

  • Explain the current cybersecurity environment, such as development processes, paradigms, information, configuration management, and systems directly involved in the delivery of services.
  • Describe the current risk management practices, development threats, legal and regulatory requirements, business/mission objectives, and organizational constraints using the framework identified.
  • Describe how security best practices and frameworks can be used as a reference to develop a cybersecurity program.
  • Create a diagram related to the common workflow of information and decisions at the major levels within the organization.
  • Explain the critical cybersecurity needs that should be in place to ensure compliance with the appropriate regulation by differentiating from NIST, ISO/IEC 27000-series (e.g., PCI DSS, HIPAA, SOX, GLBA). Then, prioritize organizational efforts, business needs, and outcomes.
  • List and describe the elements of a software assurance maturity model.
  • Include a title slide, reference slide, and presenter’s notes.

Additionally, include graphics that are relevant to the content, visually appealing, and placed appropriately.

Note: Since this course is the culmination of the Business Continuity Plan, students may utilize or adapt any of their previous assignments from earlier classes in the program for assignments in this course.

While APA style is not required for the body of this assignment, solid academic writing is expected, and documentation of sources should be presented using APA formatting guidelines, which can be found in the APA Style Guide, located in the Student Success Center. An abstract is not required.

This assignment uses a rubric. Please review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion.

You are not required to submit this assignment to LopesWrite.

Accessing Critical Data Infrastructure
Institutional Affiliation: Instructor’s Name: Student’s Name: Course Code:

Part 1

Identify critical systems and their impacts on an organization

Critical systems in a business are the systems that support its most important functions. Because these systems play important roles in the business, criminals consider them a high priority, as compromising them would have a major impact on the organization. The critical systems associated with the organization include the business intelligence and financial systems, the customer relationship management (CRM) system, the e-commerce platform, and the communications platform (Beynon-Davies, 2019). An organization with multiple critical systems becomes a primary target of intruders, and whenever intruders find a vulnerability that can be exploited, it can have negative impacts on the organization and disrupt how various services are delivered. For instance, if a cybercriminal is able to exploit the customer relationship management system, they are likely to steal sensitive data, which can lead to legal issues and penalties for the organization, and it might also lose its reputation as a result. If the cybercriminal is able to exploit the e-commerce platform, they are likely to alter the transactions between customers and the organization, which is likely to cause the organization heavy financial losses. If cybercriminals can exploit the financial and business intelligence systems, they are likely to alter the data, causing the systems to give wrong financial projections, thus affecting the decisions made by the management of the business, which can lead to financial losses. If cybercriminals are able to exploit the communications platform, they are likely to affect communications between the organization and its customers, which can reduce the organization’s profit.

Different critical systems are associated with different challenges in an organization. The more valuable a system is, the more severe the consequences of its compromise, as cybercriminals are likely to prioritize exploiting these systems, leading to negative impacts and challenges for the organization (Beynon-Davies, 2019).

Highlight high-risk findings and recommend mitigation strategies

After the audit was conducted in the organization, several areas of high risk were identified, and there was a need to reduce the risks in the organization. Some of the high-level risks identified include a lack of effective security control policies, a lack of appropriate fire control policies, and potential health and safety hazards within the organization. These were identified as high-level risks, and whenever any of them occurred, they would have adverse impacts on the organization. Mitigation strategies for the high-level risks include enhancing the security control policies, improving fire safety standards for the organization, and addressing the potential health and safety hazards in the organization. Mitigating the high-level risks would increase safety in the organization, thus minimizing the risk the organization would experience in case of a breach (Hartomo et al., 2021). If the organization could mitigate some of the risks, such as those around security controls, unauthorized access would become hard to achieve, thus maintaining the confidentiality and integrity of the customers’ data held by the organization. Minimizing health and safety hazards would make the organization a conducive working place, allowing workers to prioritize efficiency and thus meet the goals set by the organization for growth and development.

What is to be done in each case to compensate for the controls that cannot be implemented?
If a control cannot be implemented within an organization, it is always appropriate to seek an alternative control. This would be crucial, as it would give the organization equivalent protection and minimize the impact of data breaches. If the organization cannot implement its business intelligence and financial systems, CRM, and e-commerce systems as planned, it would be ideal to compensate for them with NetSuite. NetSuite integrates business accounting, enterprise resource planning, and e-commerce systems, making it an easy approach to managing the financial systems of the business (Zhang et al., 2020). If the organization cannot deploy the communications platform, it would be ideal to deploy project management software, which would be crucial in managing all the communications taking place within the organization, thus ensuring that messages are delivered to the platform’s customers effectively. Whenever the developers opt to use alternative controls for the organization’s systems, they should consult experts on the effectiveness of the alternative software, thus helping them to mitigate the risks that would be experienced within the organization. Whenever the developers deploy an alternative security control, they should prioritize monitoring the program regularly to minimize the security issues it might introduce on the platform and to prevent data breaches.

Part 2

Explain the contingency plan to address and prioritize compliance gaps

A contingency plan can be described as a proactive strategy that helps a business prepare for potential events that could negatively impact the organization. It can also be described as a backup plan, as it is designed to provide a course of action that can be critical in minimizing the size of an impact after unforeseen events are experienced within an organization.

A contingency plan can be designed around compliance gaps, describing how a crisis can be handled while adhering to both the rules and the regulations the organization must meet. Whenever the contingency plan is developed, it prioritizes the critical elements of the business and how they work, to ensure that the business requirements are met. The critical elements point to how data is to be shared in the organization and also prioritize the security controls that can be critical to the normal running of the business. Whenever a contingency plan is developed, it highlights the procedures, policies, and protocols that guide the organization on how it can respond to its risks (Kock et al., 2020). Since a contingency plan is carried out to help the business recover from an incident, it is developed highlighting the critical controls that seek to ensure that the organization can return to its situation before the breach. The contingency plan can be developed to increase business resilience and improve the ability to recover from an unexpected event. The recovery process involves taking the necessary steps to harden security requirements, thus maximizing system security.

Provide a cost/benefit analysis

The cost analysis is considered a crucial element of the contingency plan, as it seeks to determine the potential costs associated with implementing new controls for the organization to reduce financial risks and maximize compliance. The cost-benefit analysis can be used to ensure that the organization is able to utilize its resources effectively and to meet the compliance requirements it has set out to achieve.

The cost analysis is considered comprehensive, as it considers all the costs involved in implementing new controls, including hardware, software, personnel training, and maintenance. Whenever the organization analyzes the costs of the contingency plan, it should begin by identifying the specific controls required to address compliance gaps and then estimate the cost required to implement each control (Gelinas et al., 2017). It should also consider the indirect costs, which include potential loss of revenue and productivity, as these can impact the functionality of the business and lead to losses. Once the organization has estimated all the costs, it should finish by comparing them to the potential benefits, which include reduced risk, increased compliance, and an improved security posture that enhances business controls and thus complies with the legal requirements.

When controls cannot be implemented

Business controls are sometimes not implemented because implementing them would reduce the functionality of the business, making it hard for the system to be accessed, or because they could endanger human lives. This might require compensating security protocols to maintain system functionality. For example, a process that involves shutting down critical systems during business hours could impact the business negatively, as essential processes would not take place (Ncubukezi, 2023). Organizations should consider using alternative solutions to ensure that non-compliance does not affect business activities and that the business can run effectively. If a security control is not implemented because it would endanger workers, it would be effective to add a physical control that prevents unauthorized access, thus meeting the requirements of the organization.

How compensating controls can ensure that non-compliant systems can operate within a secured and compliant environment

The management of the organization can ensure that non-compliant systems operate securely by monitoring and auditing the control process. As the organization’s developers monitor the non-compliant system, they can develop a manual for operating it, thus meeting the organization’s requirements. Monitoring and auditing the non-compliant system regularly can help the security experts ensure that the control carries out the required roles effectively, thus increasing the functionality of the business systems. Lastly, the developers and the security teams can keep updating the application to add functionality and ensure that it meets the organization’s requirements.

Differentiate the likelihood of a cybersecurity breach within the compliant environment and its impact on the organization

The likelihood of a cyber-breach occurring in a compliant organization depends on several factors, including emerging threats, risks, and vulnerabilities in the systems used by the organization. The organization can analyze the current threats in the market, which will allow it to identify the potential risks and threats it might face and to take action to mitigate them before they occur (Ncubukezi, 2023). A cybersecurity breach can be significant, as it might target financial data or sensitive customer data, which can damage the reputation of the organization and make it hard for the organization to grow. Despite being compliant, an organization needs to prioritize developing measures to prevent and respond to cybersecurity breaches in the shortest time possible, to prevent damage to its reputation and facilitate growth.
Part 3

For your organization, take the NIST Cybersecurity Framework controls and reduce them to system configuration requirements and system test cases with pass/fail criteria

The NIST Cybersecurity Framework is a set of guidelines and best practices that allow an organization to manage and reduce risks. It comprises five core functions: identification, protection, detection, response, and recovery, each of which should be assessed with pass/fail criteria to reduce cybersecurity risks. To implement the NIST Cybersecurity Framework, an organization is required to have a preconfigured set of system requirements for each function in order to establish effective system test cases, which can be judged as passing or failing depending on the system functionality. Below is a pass/fail test for each of the system functionalities (Krumay et al., 2018).

Identification is the first core function of the NIST Cybersecurity Framework; it is designed to identify and assess risks to the assets and operations of the organization. The organization can meet the requirements of this function by having unique identifiers capable of tracking software applications, hardware, and system datasets. The pass/fail criteria for identifying these systems should include verifying all devices, including hardware, software, and networking devices, to ensure they are well maintained, reducing the organization’s risks.

Protection is the second core function of the NIST Cybersecurity Framework, and its main role is to implement access controls that ensure only authorized personnel can access the information systems. This configuration involves implementing access controls for software, hardware, and firmware and communicating the security policies that all employees must adhere to. The pass/fail criteria for these systems should involve verifying the access controls and ensuring that only authorized people have access to the information systems.

Detection is the third core function of the NIST Cybersecurity Framework, and it involves monitoring the systems to detect vulnerabilities. The system configuration should focus on detecting unauthorized access and intrusions associated with security incidents, thus minimizing the vulnerabilities associated with the information systems. The pass/fail criteria for this function can be tested by verifying that the systems detect unauthorized access, intrusions, and related security incidents, to prevent a data breach of the information systems.

Response is the fourth core function of the NIST Cybersecurity Framework, and it involves developing an active incident response plan that can be used to contain and mitigate the impact of security incidents in an organization. The system configuration requirements should involve tracking, documenting, and responding to incidents incurred by the organization. The pass/fail criteria should involve verifying that the incident response plan mitigates the security incidents that the organization might experience (Krumay et al., 2018).

Recovery is the fifth and final function of the NIST Cybersecurity Framework, and it involves restoring data and systems after an incident has been experienced in the organization. The system configuration for this function should involve planning how data and systems will be recovered after a data breach. The pass/fail criteria for this function should include verifying the data restoration plans, which include data backup and recovery procedures, to ensure that data can be restored after a security incident. If the organization cannot restore data, this function should be classified as a failure.

References

Beynon-Davies, P. (2019). Business information systems. Bloomsbury Publishing.
Gelinas, U. J., Dull, R. B., Wheeler, P., & Hill, M. C. (2017). Accounting information systems. Cengage Learning.
Hartomo, K. D., & Ramadhan, M. R. (2021, September). Quality evaluation in disaster mitigation information system using Webqual 4.0 method. In 2021 2nd International Conference on Innovative and Creative Information Technology (ICITech) (pp. 174-178). IEEE.
Kock, A., Schulz, B., Kopmann, J., & Gemünden, H. G. (2020). Project portfolio management information systems’ positive influence on performance: The importance of process maturity. International Journal of Project Management, 38(4), 229-241.
Krumay, B., Bernroider, E. W., & Walser, R. (2018). Evaluation of cybersecurity management controls and metrics of critical infrastructures: A literature review considering the NIST Cybersecurity Framework. In Secure IT Systems: 23rd Nordic Conference, NordSec 2018, Oslo, Norway, November 28-30, 2018, Proceedings 23 (pp. 369-384). Springer International Publishing.
Ncubukezi, T. (2023, February). Risk likelihood of planned and unplanned cyber-attacks in small business sectors: A cybersecurity concern. In International Conference on Cyber Warfare and Security (Vol. 18, No. 1, pp. 279-290).
Zhang, Z., Mishra, Y., Yue, D., Dou, C., Zhang, B., & Tian, Y. C. (2020). Delay-tolerant predictive power compensation control for photovoltaic voltage regulation. IEEE Transactions on Industrial Informatics, 17(7), 4545-4554.
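Part 3 above describes reducing the five NIST CSF core functions to configuration requirements and pass/fail test cases but does not show what such a test harness looks like. The following is an added example, not code from the paper or from NIST: it encodes one or more concrete pass/fail checks per core function and runs them over a constructed configuration for a hypothetical organization. All asset names, role names, and values are made up, and the thresholds the checks use (logs retained for at least 90 days, incident response plan exercised within the last year, a restore tested within 90 days, backup age within the stated RPO) are assumptions chosen for illustration, not requirements taken from the framework text.

```python
"""Added example (not from the paper): the five NIST CSF core functions from
Part 3 reduced to configuration requirements and pass/fail test cases, run
over a constructed configuration for a hypothetical organization."""

from typing import Callable, Dict, List, Tuple

# Constructed sample configuration for a hypothetical organization. Every
# value is made up for this example; the thresholds used by the checks below
# (90-day log retention and restore test, yearly IR exercise) are assumptions.
SAMPLE_CONFIG = {
    "assets": [
        {"id": "srv-01", "type": "server", "owner": "it-ops", "inventoried": True},
        {"id": "fw-01", "type": "firewall", "owner": "netsec", "inventoried": True},
        {"id": "ws-17", "type": "workstation", "owner": None, "inventoried": False},
    ],
    "access_controls": {
        "finance_db": {"allowed_roles": ["finance", "dba"], "mfa_required": True},
        "crm": {"allowed_roles": ["sales", "everyone"], "mfa_required": False},
    },
    "detection": {"log_sources": ["srv-01", "fw-01"], "retention_days": 120, "alerting": True},
    "incident_response": {"plan_documented": True, "last_exercise_days_ago": 200, "contacts": ["soc-oncall"]},
    "recovery": {"backup_age_hours": 20, "rpo_hours": 24, "last_restore_test_days_ago": 45},
}

Result = Tuple[str, bool, str]  # (test case, passed, detail)


def check_identify(cfg: dict) -> List[Result]:
    """Identify: every hardware/software asset has an owner and is in the inventory."""
    missing = [a["id"] for a in cfg["assets"] if not (a["owner"] and a["inventoried"])]
    return [("ID: all assets owned and inventoried", not missing, f"missing={missing}")]


def check_protect(cfg: dict) -> List[Result]:
    """Protect: no blanket access role, and MFA on every protected system."""
    out: List[Result] = []
    for name, acl in cfg["access_controls"].items():
        out.append((f"PR: {name} restricted to named roles",
                    "everyone" not in acl["allowed_roles"], f"roles={acl['allowed_roles']}"))
        out.append((f"PR: {name} requires MFA", acl["mfa_required"], f"mfa={acl['mfa_required']}"))
    return out


def check_detect(cfg: dict) -> List[Result]:
    """Detect: servers and firewalls forward logs, logs are retained, alerting is on."""
    d = cfg["detection"]
    monitored = {a["id"] for a in cfg["assets"] if a["type"] in ("server", "firewall")}
    uncovered = sorted(monitored - set(d["log_sources"]))
    return [
        ("DE: servers and firewalls send logs", not uncovered, f"uncovered={uncovered}"),
        ("DE: log retention >= 90 days", d["retention_days"] >= 90, f"retention={d['retention_days']}"),
        ("DE: alerting enabled", d["alerting"], f"alerting={d['alerting']}"),
    ]


def check_respond(cfg: dict) -> List[Result]:
    """Respond: a documented, recently exercised plan with escalation contacts."""
    ir = cfg["incident_response"]
    return [
        ("RS: incident response plan documented", ir["plan_documented"], ""),
        ("RS: plan exercised within 365 days", ir["last_exercise_days_ago"] <= 365,
         f"last_exercise={ir['last_exercise_days_ago']}d"),
        ("RS: escalation contacts defined", bool(ir["contacts"]), f"contacts={ir['contacts']}"),
    ]


def check_recover(cfg: dict) -> List[Result]:
    """Recover: backups are fresh enough for the RPO and a restore has been tested."""
    rc = cfg["recovery"]
    return [
        ("RC: latest backup within RPO", rc["backup_age_hours"] <= rc["rpo_hours"],
         f"age={rc['backup_age_hours']}h rpo={rc['rpo_hours']}h"),
        ("RC: restore tested within 90 days", rc["last_restore_test_days_ago"] <= 90,
         f"last_restore_test={rc['last_restore_test_days_ago']}d"),
    ]


CORE_FUNCTIONS: Dict[str, Callable[[dict], List[Result]]] = {
    "Identify": check_identify, "Protect": check_protect, "Detect": check_detect,
    "Respond": check_respond, "Recover": check_recover,
}


def evaluate(cfg: dict) -> Dict[str, List[Result]]:
    """Run every test case and group the results by core function."""
    return {name: fn(cfg) for name, fn in CORE_FUNCTIONS.items()}


def summary(results: Dict[str, List[Result]]) -> Dict[str, bool]:
    """A core function passes only if all of its test cases pass."""
    return {name: all(ok for _, ok, _ in cases) for name, cases in results.items()}


if __name__ == "__main__":
    res = evaluate(SAMPLE_CONFIG)
    for cases in res.values():
        for name, ok, detail in cases:
            print(f"[{'PASS' if ok else 'FAIL'}] {name} {detail}")
    print(summary(res))  # Identify and Protect fail on the constructed data
```

On the constructed data, Identify fails because the workstation ws-17 has no owner and is not inventoried, and Protect fails because the CRM grants an "everyone" role without MFA; the other three functions pass. The point of structuring the checks this way is that each core function is reduced to a requirement that can be read from configuration and judged mechanically, so a function's pass/fail status is the conjunction of its test cases rather than an opinion.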
Information Technology Governance Framework
Institutional Affiliation: Instructor’s Name: Student’s Name: Course Code:

Evaluate the components of IT governance that facilitate regulatory compliance within the organization

Mervin INC. has designed and developed its information governance framework to manage its information technology resources effectively, thus allowing it to achieve its objectives. Regulatory compliance is considered a critical aspect of the company’s information technology governance, and it has set up several components that allow it to comply with its regulatory requirements. The components the company uses include:

Policies and procedures: The policies and procedures allow the organization to meet the governance framework, as they define the rules and guidelines on how information technology resources should be used and managed. Furthermore, the policies and procedures are designed to ensure that information technology resources meet the standards required by the organization.

Risk management: The risk management process identifies and assesses the risks in the organization and classifies them according to their impact on the business and the likelihood of their occurring. After the risks have been identified, the management of the organization sets strategies for how the risks can be eliminated (Stein, 2018).

Training and awareness: The organization uses training and awareness to ensure that employees are aware of their requirements, thus allowing them to work in accordance with the requirements of the organization. Training and awareness allow employees to understand their roles, thus meeting regulatory compliance in the business.

Compliance monitoring: The organization has developed compliance monitoring strategies that ensure that the normal running of its information technology resources follows the organization’s standards. Compliance monitoring covers a wide range of systems in the organization, including information technology systems, processes, controls, and issues reported to the responsible department.

Incident management: The organization’s information governance framework includes an audit plan that determines the requirements to be met for each regulatory compliance obligation, followed by an incident management plan composed of a reporting plan, an investigation plan, and a resolution plan that identifies how the risks of the business are to be handled (Barbosa et al., 2014).

The overarching guidance and laws the industry should comply with

The overarching guidance and laws allow the organization to operate fairly and ethically and to comply with its regulatory requirements. Some of the overarching guidance and laws include:

Financial reporting and disclosure requirements: Mervin INC must comply with the financial reporting and disclosure requirements that require it to provide accurate and timely information about its financial performance.

Data protection and privacy laws: Mervin INC is required to comply with the data protection and privacy laws that govern how the company collects, uses, and stores the information associated with the stakeholders of the business.

Anti-corruption laws: The company must comply with anti-corruption laws, which prohibit it from participating in corruption in any form.

Intellectual property laws: The company is required to comply with the intellectual property laws that protect the use of copyrights, trade secrets, and trademarks.

Labor laws: The organization is required to comply with the labor laws that govern issues such as the working hours an employee is required to work, overtime, and a minimum wage for all employees of the business.

Examine the requisite set of standards, frameworks, policies, and best practices in the development and implementation of the organization’s objectives

The additional requirements that Mervin INC must address when developing and implementing the objectives of the organization include the Cybersecurity Framework (CSF), the International Organization for Standardization (ISO), and the National Institute of Standards and Technology (NIST). The Cybersecurity Framework is composed of voluntary standards and best practices that an organization can use to minimize cybersecurity risks (Tallon et al., 2019). NIST plays a crucial role in promoting innovation and industrial competitiveness by advancing standards and technology for economic security. NIST can be used to promote measurements, standards, and technology to produce systems and services that are reliable enough to support business operations. Lastly, the management can opt to use ISO standards to encourage innovation in the company, as ISO supports the development of innovative ideas associated with the business, thus allowing it to increase its international trade and investment, which can play a crucial role in promoting economic growth and development.

Requirement analysis for formulating and deploying business information systems and solutions

For Mervin INC to formulate and deploy its business information systems, it needs to know the financial tasks that the information systems are required to carry out. After identifying the tasks, it has to set up the standards the company requires in order to be successful, which the company’s information technology resources must meet. After setting up the standards, the company is required to identify the risks associated with the data management systems and an effective strategy for mitigating them (Stein, 2018). After setting up a strategic plan for analyzing the risks, the company can ensure that its policies and procedures are always active, up to date, and adhered to, so that it complies with its regulatory requirements. The company should ensure that whenever new systems are added to the network, they are properly configured within the information systems, so that the security controls are effective enough to enforce the security policies used in the company. Lastly, the management of the company should ensure that the information technology teams are well trained in security and in the procedures for handling the data stored by the company.

Critical data infrastructure assets of the company

The company’s critical infrastructure includes the network, computer utilities, applications, computers, and the customer and client data categories, such as basic and interaction data. The networking infrastructure comprises networking hardware, software, and networking services that ensure all computers are on the same network. Computer utilities are software designed to help computer users carry out tasks such as managing, maintaining, and optimizing computers. Computer applications are software designed to allow users to achieve a specific purpose, and several kinds of applications are used in the company, covering creativity, communication, productivity, and the purposes of the business. Computers are electronic devices used to process data, store data, and run software applications. The client data considered a critical asset of the infrastructure includes basic and interaction data, since when criminals come across this data they can impersonate customers, which creates risks for the company (Liu, 2020).

Human resources for technical, management, and legal operations

As a leading loan provider, Mervin INC has multiple human resources for its various operations. The human resource for technical operations is the information technology manager, who ensures that the technical infrastructure of the company meets its requirements. The human resource for management is the chief operations officer, whose main role is coordinating management activities and providing the company with a strategic plan for how various activities are to be done. The human resource for legal operations ensures that the company complies with relevant laws, regulations, and industry standards and helps the company overcome legal issues.

The requisite law enforcement entity where data breaches are reported

In case a data breach occurs in the company, the company has to evaluate the records stolen in the breach and report the incident to the state law enforcement agency, as a data breach is considered a criminal offense through which the company might suffer financial loss and data theft. Reporting the incident to state law enforcement agencies will help the company investigate the attack, identify the perpetrators, and prosecute them (Tallon et al., 2019).

Cybersecurity policies in relation to the organization are aligned with the laws, regulations, and standards

There are several cybersecurity rules and regulations the company has to comply with, which include the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), the National Institute of Standards and Technology (NIST) guidelines, and the Federal Information Security Management Act (FISMA). The Gramm-Leach-Bliley Act requires Mervin INC to safeguard and protect customers’ information. The Sarbanes-Oxley Act requires the company to maintain effective internal control over its financial reporting. The National Institute of Standards and Technology requires the company to use documented guidelines to improve cybersecurity risk management in the company. The Federal Information Security Management Act requires the company to develop and implement security programs that allow it to protect information (Lloyd, 2020).

References

Barbosa, S. C. B., Rodello, I. A., & Pádua, S. I. D. D. (2014). Performance measurement of information technology governance in Brazilian financial institutions. JISTEM - Journal of Information Systems and Technology Management, 11, 397-414.
Liu, W., & Song, Z. (2020). Review of studies on the resilience of urban critical infrastructure networks. Reliability Engineering & System Safety, 193, 106617.
Lloyd, I. (2020). Information technology law. Oxford University Press, USA.
Stein, V., & Wiedemann, A. (2018). Risk governance: Primary rationale and tentative findings from the German banking sector. In Current issues in corporate social responsibility (pp. 97-110). Springer, Cham.
Tallon, P. P., Queiroz, M., Coltman, T., & Sharma, R. (2019). Information technology and the search for organizational agility: A systematic review with future research possibilities. The Journal of Strategic Information Systems, 28(2), 218-237.
Evaluating Cyber Security Protection Protocols

Identify gaps when security measures fail, challenges and opportunities for improvement by conducting a thorough audit.

For an organization to identify the gaps, failures, challenges and opportunities in its security policies, it needs to conduct a thorough audit of the security policies it has set. A thorough audit is crucial in establishing the effectiveness of the existing security policies and thus identifying the areas of the organization's security measures that need improvement. Some of the gaps that can be identified by conducting a thorough audit include:

Technical gaps: Technical gaps are associated with incorrect implementation and configuration of security measures such as antivirus programs, firewalls and intrusion detection systems. If these systems are not implemented properly, they can be easily exploited, leading to unauthorized access to the systems.

Policy gaps: Policy gaps are associated with the implementation of strong security policies and procedures, such as effective password management and access control. If these policies are not well configured, they can lead to a security breach, incurring losses to the organization.

Personnel gaps: Personnel gaps are associated with the lack of effective awareness training for employees, which leads to security failures, as intruders can use social engineering and phishing attacks to harvest an employee's details and gain unauthorized access, thus compromising security.

Monitoring gaps: Monitoring gaps are associated with checking the security events of the system, such as which files were accessed and from which computer. Insufficient log retention is associated with internal security risks that can impact the data stored in the systems and access control. (Nasser, 2017)

Compliance gaps: Compliance gaps are associated with the regulations and standards that have been set to regulate the industry. Non-compliance can lead to data loss and thus cause an organization to lose its reputation.

After finding the gaps in the systems, the opportunities for improvement can be used to analyze the main causes of these gaps and how better security controls can be implemented to harden the existing controls. Some of the measures that can be taken to enhance security include improving system configurations, creating awareness among employees, and improving monitoring mechanisms such as system logs. Improving the security measures allows an organization to improve its security policies, thus reducing the risks associated with security breaches.

The concepts of privacy and the effects of the internet on privacy.

Privacy concepts on the internet can be described as the principles and practices that have been established to protect personal information that is available on the internet. Some of the concepts used on the internet to promote data security include data privacy, privacy policies and privacy standards. These concepts regulate the information that people can share on the internet, thus maintaining the confidentiality and integrity of a person's data. The effects of the internet on privacy include increased collection of personal information, oversharing on social media, increased government surveillance and cybercrime as a result of data breaches. (Kang et al., 2015)

Identify industry-specific cyber laws in relation to inquiries and incidents of obtaining data and evidence.

Industry-specific cyber laws are laws that have been passed with the aim of protecting sensitive information and ensuring that evidence associated with a cybercrime is reported in the most effective and privacy-preserving manner, allowing prosecution of the cyber criminals. Some of the laws that have been passed to govern obtaining data and evidence include:

The Computer Fraud and Abuse Act (CFAA), which criminalizes unauthorized access to computer systems; after a cyber incident, organizations are required to comply with this law to meet the requirements of law enforcement agents.

The Electronic Communications Privacy Act (ECPA), which allows law enforcement agents to intercept electronic communications in case of a cyber incident; organizations are required to comply with the ECPA when disclosing electronic communications.

The Payment Card Industry Data Security Standard (PCI-DSS), which governs the storage, processing and transmission of credit card information, thus assisting in the process of identifying a security breach. (Harichandran et al., 2016)

Access the critical information infrastructure and determine configurations of logical controls, physical controls, data storage, encryption, switches, servers, firewalls, routers and hubs to be compliant.

A critical information infrastructure should be composed of both physical and logical security controls to protect data from theft, as theft leads to issues with the confidentiality, integrity and availability of information. Logical security controls include routers and firewalls, which should always be well configured to maximize data confidentiality and availability. Physical assets include computer hardware such as hard drives, on which software is installed to carry out everyday tasks, and surveillance cameras. Data storage refers to the storage systems that hold the company's information, which should always be available for easy retrieval. Data storage should always be encrypted to maximize the privacy of the organization's resources.

Servers should be well configured with access control and effective access policies, thus preventing unauthorized access to the resources of the critical infrastructure. Firewalls should be well configured to monitor the traffic coming into and going out of the organization and to block suspicious traffic that would affect the resources of the infrastructure. Routers can protect the critical infrastructure by facilitating access control, thus determining the level of access of each device on the network. Routers can be configured with virtual private networks (VPNs) to connect securely to the infrastructure, thus minimizing security risks. Hubs can be used to segment the network of the infrastructure, thus reducing the extent of a breach after an attack.

V. Identify key auditable elements that would help in determining the current state of the organization's cybersecurity posture and explain the relevance of each element.

Access control policies: These security policies provide the rules and guidelines on who can access which data, thus helping to maintain both data security and data governance in organizations. These rules can be used to protect information according to policies that meet the needs of information security.

Security policies and standards: These are rules, guidelines and best practices that define how organizations should protect their computing systems to prevent unauthorized access to data, which can lead to both theft and damage. (Newhouse et al., 2017)

Authentication and authorization: These elements identify the users trying to access the systems and determine which users should be granted access and which should be denied, thus protecting computers against unauthorized access and theft of information.

Intrusion detection systems: These systems are preconfigured with policies that define what they are to approve and what they are to reject, thus helping the systems meet their requirements. This is crucial in preventing unauthorized access to the information systems.

Risk assessment and management: These tools are used to assess the risk of an organization being affected by cyber threats, the vulnerabilities associated with the organization, and the strategies that can be used to mitigate the risks.

Incident response plan: This is a document composed of procedures that outline how the organization will manage an incident such as a data breach. The incident response plan can be used in detecting, containing and mitigating a data breach and recovering data afterwards.

Virtual private network: These components work by encrypting data transmitted from the organization, thus preventing security incidents that could result from attacks such as man-in-the-middle and eavesdropping. (Newhouse et al., 2017)

Network intrusion response: These are systems designed to monitor unauthorized activities in the network. They are capable of blocking and flagging suspicious protocols, thus allowing the security teams to monitor the traffic and prevent breaches that might come through the network.

Data encryption protocols: This is the use of passwords to protect data from being accessed by unauthorized individuals in the organization. There are different types of data encryption, and security teams are required to select the most effective method depending on the information to be protected.

Security controls: Security controls are composed of both technical and administrative control tools used to protect the assets of the organization. They include tools such as firewalls, intrusion detection systems and security monitoring tools.

Legal elements and liabilities industries may face due to non-compliance.

Non-compliance is the failure to fulfil the requirements of regulations, policies and standards, and it has serious consequences for an organization. Companies often face non-compliance issues due to trade infringement, copyright infringement, failure to adhere to data protection acts, and breaching the terms stated in a contract. Legal elements and liabilities that an industry might face due to lack of compliance include fines and penalties, remediation, and reputational damage, which would lead to loss of business for the company. (Bauer et al., 2017)

References:

Nasser, A. (2017). Information security gap analysis based on ISO 27001:2013 standard: A case study of the Yemeni Academy for Graduate Studies, Sana'a, Yemen. Int. J. Sci. Res. in Multidisciplinary Studies, 3(11).

Kang, R., Dabbish, L., Fruchter, N., & Kiesler, S. (2015, July). "My data just goes everywhere:" User mental models of the internet and implications for privacy and security. In Eleventh Symposium on Usable Privacy and Security (SOUPS 2015) (pp. 39-52).

Harichandran, V. S., Breitinger, F., Baggili, I., & Marrington, A. (2016). Cyber forensics needs analysis survey: Revisiting the domain's needs a decade later. Computers & Security, 57, 1-13.

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. NIST Special Publication 800-181.

Bauer, S., Bernroider, E. W., & Chudzikowski, K. (2017). Prevention is better than cure! Designing information security awareness programs to overcome users' non-compliance with information security policies in banks. Computers & Security, 68, 145-159.
Organizational Compliance on Security Measurements

Identify how negotiations between organizations and accreditors should be dealt with and provide an example.

Organizations and their accreditors are required to comply with the aim of maintaining ethical and legal standards in the organization. This is achieved when organizations and their accreditors negotiate with one another to reach the best terms, leading to credibility and development. Negotiations can enhance integrity between management and the auditors, as they allow all parties to express their views and reach a clear and concise conclusion. (Jiang et al., 2021) Negotiations between the accreditors and the organization should be transparent and open to all sides, and should focus on expressing the challenges faced by each side, thus allowing them to meet the organization's compliance requirements. After negotiations, all the key points should be documented in order to monitor the impact of the changes on the organization. Successful negotiations can be documented in the organization's proposed mitigation controls, as they can help reduce the risks associated with non-compliance.

Discuss the appropriate response strategies that should be put into action.

Breach notification policies are essential to an organization's cyber security, as they identify the occurrence of a breach and how it can be contained to prevent the loss of more information. Breach notification allows the organization to notify customers and employees about a data breach, allowing them to take action within the shortest time possible to limit the impact of the breach. The appropriate response strategies that can be put into action in an organization are containment and mitigation, notification, remediation, and review and evaluation as the last step.

Containment and mitigation is the first step; it involves isolating the infected systems and restricting access to limit the scope of the breach. Notification is an important step, as it lets business stakeholders know about the breach and the possible actions they can take to protect their personal information. Remediation allows the organization to patch the vulnerabilities that might have led to the breach, making it harder for intruders to get into the organization. Review and evaluation is the last step and seeks to identify the areas to improve in order to prevent such incidents in future. Effective breach notification policies can be critical in responding to data breaches, thus preventing the recurrence of such incidents.

Explain employee training recommendations to create awareness of the organization's security requirements.

Training employees to create awareness is considered a critical component of cyber security, as it makes employees aware of the cyber security policies, thus maintaining the security of the data stored in the organization's information systems. Whenever the security team is training employees about security, they should always begin with the basics, such as the importance of strong security in an organization and how employees can enhance it. (Chowdhury et al., 2021) The security teams can then make the training more engaging by simulating real-time threats, making the training more memorable for the employees of the organization. They can then emphasize the importance of reporting security incidents and how employees should act as soon as they identify them in the organization. Lastly, the security teams can help employees test their knowledge by providing quizzes and phishing simulations to see how they act as soon as they identify an attack.

How to obtain feedback on the effectiveness of security policies from stakeholders?

Obtaining feedback on the effectiveness of security policies from stakeholders can be a critical activity for an organization seeking to enhance its cyber security. Organizations can obtain feedback from stakeholders by identifying the stakeholders impacted by the security policies, developing an effective feedback mechanism, asking specific questions about the security controls, and then analyzing the feedback to take action. An example of an organization that should obtain feedback on the effectiveness of its security policies is one conducting online banking, as it needs to learn its stakeholders' views and come up with strategies for enhancing its security policies. (Kumar et al., 2019)

V. How to identify new threats, vulnerabilities and risks that I might have encountered with the initial security measures that were first implemented.

In the organization where I worked, we used threat intelligence, which identified and analyzed potential threats to the organization. Threat intelligence monitors the current threats in the market and identifies the potential ways that can be used to eliminate a threat as soon as it is identified in the organization's systems. Threat intelligence systems can be used to help the security teams understand the risks that are likely to be faced in the organization and the potential ways an organization can protect itself. Threat intelligence systems allow the organization to stay ahead of potential attackers while ensuring that the data stored in the organization is safe, thus managing risks effectively if they are encountered.

VI. Identify mechanisms to adapt to threat intelligence, which identifies new and overlooked vulnerabilities, threats, and countermeasures.

Mechanisms that can be used for maintaining a strong posture within an organization include conducting regular scans of the organization's resources, creating an incident response plan, using threat intelligence sharing systems, using continuous threat monitoring systems and, lastly, making use of reporting and communication systems. Regular scans can identify emerging vulnerabilities in an organization, and whenever vulnerabilities are identified, the organization should apply an effective incident response plan. Using threat intelligence sharing systems can allow particular departments to understand the trends of the threats, thus allowing action to be taken within the shortest time possible, minimizing the impact of the risks associated with the threat. (Song et al., 2021)

VII. How stakeholders identified by threat intelligence should be notified about a threat, and provide an example of the notification methods.

Organizations with different types of stakeholders can opt to use different notification systems depending on the threat to the organization and its impact on the stakeholders. For instance, operational managers should be notified about a breach using an email that points out the impact of the threat and the recommendations. The organization can opt to use text messages (SMS) to reach stakeholders or customers who might not be in their respective offices and do not have access to their email. (Song et al., 2021) The organization can opt to use in-application notifications to notify all users about the breach, so that they learn about the security alert as soon as they launch the application. The organization can opt to use in-person briefings to provide detailed instructions to members about the breach. Lastly, the organization can opt to use public announcements to inform the public about the security breach, including via social media platforms, radio and television.

VIII. Identify organization management techniques for responding to new challenges.

Different organizations use different management techniques, and it is always crucial to adopt them when developing effective policies for responding to new challenges. Some of the techniques that can be used in responding to new challenges include developing an effective risk management plan to identify potential risks and vulnerabilities, developing an incident response plan, and training employees on the impacts of cyber security. The organization can prioritize compliance monitoring and compliance management to meet the requirements set by various regulatory bodies and regulations such as the General Data Protection Regulation.

IX. Define and apply the NIST cyber security framework functional areas, implementation tiers and profiles.

The National Institute of Standards and Technology (NIST) cyber security framework provides guidance for organizations to manage and reduce cyber security risks. The NIST framework is composed of three functional areas, which include identification, protection, detection, response and recovery. Implementation tiers are applied to guide organizations on the actions to take to improve their cyber security posture. (Taherdoost, 2022) The NIST framework has four implementation tiers, which prioritize the implementation of the functions identified: partial, risk informed, repeatable and adaptive. NIST has set up profiles that are used to align the cybersecurity functions and the implementation tiers with the organization's objectives, risk tolerance and the resources used by the organization. Profiles are applied in an organization to align the implementation tiers with the functional areas, thus enhancing the organization's security policies.

X. Describe how to develop a business continuity plan to prevent and recover from failures in the system.

Business continuity plans are critical components of an organization, as they help it recover after a system failure. It is always essential to develop a strategic business continuity plan that provides a recovery process from a data failure. Some of the steps that can be used in developing a business continuity plan include:

Defining the scope: This step defines the systems to be covered in the business continuity plan and aims to minimize disruption of the critical functions of the business to reduce the impact.

Conducting an impact analysis: This step identifies the critical processes and functions performed by the business and analyses the potential impact of a disruption of these services.

Developing a response plan: This step defines the steps to be taken when responding to a system failure, including the parties responsible for each step and the resources required to mitigate the impact.

Developing a recovery plan: The recovery plan is composed of the steps to be taken to recover the system after a failure. This strategy should focus on how the recovery of data, systems and processes should take place after the failure.

Testing the business continuity plan: After the plan has been developed, it should be tested to ensure effective recovery from system failures. Regular tests should be conducted to identify weaknesses in the systems.

Maintaining the business continuity plan: The plan should be maintained to ensure it is updated with the activities taking place in the organization and that all personnel are aware of it.

References:

Chowdhury, N., & Gkioulos, V. (2021). Cyber security training for critical infrastructure protection: A literature review. Computer Science Review, 40, 100361.

Jiang, J. X., Polsky, D., Littlejohn, J., Wang, Y., Zare, H., & Bai, G. (2021). Factors associated with compliance to the hospital price transparency final rule: A national landscape study. Journal of General Internal Medicine, 1-8.

Kumar, R., & Goyal, R. (2019). On cloud security requirements, threats, vulnerabilities and countermeasures: A survey. Computer Science Review, 33, 1-48.

Song, S., Wu, Q., Zheng, X., Wang, P., Dou, Y., Li, Z., & Zhai, L. (2021, October). Focus on the stability of large systems: Toward automatic prediction and analysis of vulnerability threat intelligence. In 2021 IEEE Sixth International Conference on Data Science in Cyberspace (DSC) (pp. 445-449). IEEE.

Taherdoost, H. (2022). Understanding cybersecurity frameworks and information security standards: A review and comprehensive overview. Electronics, 11(14), 2181.
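Section IX describes the NIST CSF functions, implementation tiers and profiles, and the assessment asks for a current-to-target gap analysis built on them. The Python script below is an added example, not part of the original paper: it expresses a Current Profile and a Target Profile as an implementation tier (1 Partial to 4 Adaptive) per CSF category across the five CSF v1.1 functions (Identify, Protect, Detect, Respond, Recover), weights each gap by the category's business criticality as a business impact analysis would supply it, and returns a prioritized remediation list. The category identifiers are real CSF v1.1 categories; every tier value and weight is constructed sample data, and treating an unassessed category as Tier 1 is an assumption of this example.

```python
"""NIST CSF profile gap analysis (added example, not from the original paper).

A Current Profile and a Target Profile are expressed as an implementation
tier per CSF category. Gaps are categories whose target tier exceeds the
current tier; each gap is weighted by the business criticality of the
category (assumed to come from the BIA) to produce a remediation priority.
All tier values and weights below are constructed sample data.
"""
from dataclasses import dataclass

# Tier numbers and names as defined by CSF v1.1
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# The five CSF functions; a category id such as "PR.DS" starts with its function id
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    category: str   # CSF category id, e.g. "PR.DS" (Data Security)
    function: str   # CSF function name the category belongs to
    current: int    # tier in the Current Profile
    target: int     # tier in the Target Profile
    weight: int     # business criticality 1..3, assumed to come from the BIA

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # larger gaps in more critical categories are closed first
        return self.size * self.weight


def is_valid_profile(profile: dict) -> bool:
    """True if every category maps to a known function and a tier 1..4."""
    return all(cat.split(".")[0] in FUNCTIONS and tier in TIERS
               for cat, tier in profile.items())


def gap_analysis(current: dict, target: dict, weights: dict) -> list:
    """Return open gaps, highest priority first (ties broken by category id)."""
    if not (is_valid_profile(current) and is_valid_profile(target)):
        raise ValueError("profiles must use CSF category ids and tiers 1..4")
    gaps = []
    for cat, tgt in target.items():
        cur = current.get(cat, 1)  # assumption: an unassessed category is Tier 1
        if tgt > cur:
            gaps.append(Gap(cat, FUNCTIONS[cat.split(".")[0]],
                            cur, tgt, weights.get(cat, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.category))


def function_summary(gaps: list) -> dict:
    """Number of open gaps per CSF function, showing where the program is weakest."""
    summary = {name: 0 for name in FUNCTIONS.values()}
    for g in gaps:
        summary[g.function] += 1
    return summary


# Constructed sample profiles (real CSF v1.1 category ids, invented tiers and weights)
CURRENT_PROFILE = {"ID.AM": 2, "ID.GV": 3, "ID.RA": 1, "PR.AC": 2, "PR.AT": 1,
                   "PR.DS": 1, "DE.AE": 1, "DE.CM": 1, "RS.RP": 2, "RS.CO": 2,
                   "RC.RP": 1}
TARGET_PROFILE = {"ID.AM": 3, "ID.GV": 3, "ID.RA": 3, "PR.AC": 3, "PR.AT": 3,
                  "PR.DS": 4, "DE.AE": 3, "DE.CM": 3, "RS.RP": 3, "RS.CO": 3,
                  "RC.RP": 3}
BIA_WEIGHTS = {"PR.DS": 3, "PR.AC": 3, "RC.RP": 3, "DE.CM": 2}

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, BIA_WEIGHTS)
    for g in gaps:
        print(f"{g.category:6} {g.function:8} {TIERS[g.current]:13} -> "
              f"{TIERS[g.target]:10} priority={g.priority}")
    print(function_summary(gaps))
```

With the sample data, Data Security (PR.DS) heads the list because it combines the largest tier gap with the highest BIA weight, while Governance (ID.GV) already meets its target and produces no gap.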

