

Accessing Critical Data Infrastructure









INSTITUTIONAL AFFILIATION:

INSTRUCTOR’S NAME:

STUDENT’S NAME :

COURSE CODE :


Part 1

Identify critical systems and their impacts on an organization

Critical systems in a business are the systems that support its most important functions. Because these systems play such important roles, criminals treat them as high-priority targets, since compromising them would have a major impact on the organization. The critical functions of the organization include business intelligence and financial systems, customer relationship management (CRM) systems, an e-commerce platform, and the communications platform (Beynon-Davies, 2019).

An organization with multiple critical systems becomes a primary target for intruders, and whenever an intruder finds an exploitable vulnerability, the consequences can disrupt how various services are delivered. For instance, if a cybercriminal is able to exploit the customer relationship management system, he is likely to steal sensitive data, which can lead to legal issues and penalties for the organization and to a loss of its reputation.

Suppose the cybercriminal is able to exploit the e-commerce platform. In that case, he is likely to alter the transactions between customers and the organization, which is likely to cause the organization heavy financial losses. Suppose cybercriminals can exploit the financial and business intelligence systems. In that case, they are likely to alter the data, causing the systems to give wrong financial projections and thus affecting the decisions made by the management of the business, which can lead to financial losses.

If cybercriminals are able to exploit the communications platform, they are likely to disrupt communications between the organization and its customers, which can reduce the profit made by the organization. Different critical systems are associated with different challenges in an organization. The more valuable a system is, the more severe the consequences of its compromise, as cybercriminals are likely to prioritize exploiting such systems, leading to negative impacts and challenges for the organization (Beynon-Davies, 2019).

Highlight high-risk findings and recommend mitigation strategies.

After the audit was conducted in the organization, several areas of high risk were identified that needed to be reduced. Some of the high-level risks identified include a lack of effective security control policies, a lack of appropriate fire control policies, and potential health and safety hazards within the organization. These were classified as high-level risks because, should any of them materialize, they would have adverse impacts on the organization.

Mitigation strategies for these high-level risks include enhancing the security control policies, improving fire safety standards, and addressing the potential health and safety hazards in the organization. Mitigating the high-level risks would increase safety in the organization, thus minimizing the damage the organization would experience in case of a breach (Hartomo & Ramadhan, 2021).

If the organization mitigates risks such as weak security controls, unauthorized access becomes hard to achieve, thus maintaining the confidentiality and integrity of the organization's customer data. Minimizing health and safety hazards would make the organization a conducive workplace in which workers can prioritize efficiency, thus meeting the goals the organization has set for growth and development.

What is to be done in each case to compensate for the controls that cannot be implemented?

If a control cannot be implemented within an organization, it is always appropriate to seek an alternative control. This is crucial, as it gives the organization equivalent protection and minimizes the impact of data breaches. If the organization cannot implement its own business intelligence, financial, CRM, and e-commerce systems, it would be ideal to compensate with NetSuite. NetSuite integrates business accounting, enterprise resource planning, and e-commerce systems, making it an easy approach to managing the financial systems of the business (Zhang et al., 2020).

If the organization cannot deploy the communication platform, it would be ideal to deploy project management software, which would be crucial in managing all the communications taking place within the organization and ensuring that messages are delivered to the platform's customers effectively. Whenever the developers opt for alternative controls to the organization's systems, they should consult experts on the effectiveness of the alternative software, thus helping them mitigate the risks the organization would experience. Whenever the developers deploy an alternative security control, they should prioritize monitoring it regularly to minimize the security issues it might introduce to the platform and prevent data breaches.


Part 2

Explain the contingency plan to address and prioritize compliance gaps

A contingency plan can be described as a proactive strategy that helps a business prepare for potential events that could negatively impact the organization. It can also be described as a backup plan, as it is designed to provide a course of action that is critical in minimizing the size of an impact after unforeseen events occur within an organization. A contingency plan can be designed around the compliance gaps, describing how a crisis is to be handled while adhering to both the rules and the regulations the organization must meet.

Whenever a contingency plan is developed, it prioritizes the critical elements of the business and how they work together to ensure that business requirements are met. The critical elements point to how data is to be shared in the organization and also prioritize the security controls that are critical to the normal running of the business. A contingency plan is developed to highlight the procedures, policies, and protocols that guide the organization in how it responds to risks (Kock et al., 2020).

Since a contingency plan is carried out to help the business recover from an incident, it is developed to highlight the critical controls that ensure the organization can return to its state before the breach. The contingency plan can be developed to increase business resilience and improve the ability to recover from an unexpected event. The recovery process involves taking the necessary steps to harden security requirements, thus maximizing system security.

Provide a cost/benefit analysis

The cost analysis is considered a crucial element of the contingency plan, as it seeks to determine the potential costs of implementing new controls so that the organization can reduce financial risks and maximize compliance. A cost-benefit analysis can be used to ensure that the organization utilizes its resources effectively and meets the compliance requirements it has set out to achieve.

The cost analysis should be comprehensive, so that it considers all the costs of implementing new controls, including hardware, software, training of personnel, and maintenance. Whenever the organization analyzes the costs for the contingency plan, it should begin by identifying the specific controls required to address the compliance gaps and then estimate the cost of implementing each control (Gelinas et al., 2017).

Whenever the organization is analyzing the costs for the contingency plan, it should also consider indirect costs, such as potential loss of revenue and productivity, as these can affect the functioning of the business and lead to losses. Once the organization has estimated all the costs, it should compare them to the potential benefits, which include reduced risk, increased compliance, and an improved security posture that enhances business controls and thus complies with legal requirements.
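Putting the cost elements above into a small model, as an added example that is not part of the original paper: each candidate control carries the direct costs the text names (hardware, software, training, maintenance), the indirect cost of lost revenue or productivity, and a quantified benefit. Measuring benefit as the expected annual loss a control avoids, summed over an evaluation horizon, is this example's assumption, not a method the paper prescribes. Ranking controls by benefit/cost ratio and funding them within a budget is one way to prioritize the compliance gaps the contingency plan must address. All figures are constructed.

```python
"""Cost/benefit ranking of candidate controls for closing compliance gaps.

Added illustration, not part of the original paper.  Every figure below is a
constructed sample value, and the way benefit is quantified (expected annual
loss avoided, summed over an evaluation horizon) is an assumption of this
example rather than a method the paper prescribes.
"""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    gap: str                     # compliance gap the control addresses
    hardware: float              # one-off direct costs
    software: float
    training: float
    maintenance_per_year: float  # recurring direct cost
    indirect_per_year: float     # lost revenue / productivity while deployed
    loss_before: float           # expected annual loss with the gap open
    loss_after: float            # expected annual loss once the control is in place
    years: int = 3               # evaluation horizon


def total_cost(c):
    """One-off direct costs plus recurring direct and indirect costs over the horizon."""
    one_off = c.hardware + c.software + c.training
    recurring = (c.maintenance_per_year + c.indirect_per_year) * c.years
    return one_off + recurring


def total_benefit(c):
    """Expected loss avoided over the horizon (assumed measure of benefit)."""
    return (c.loss_before - c.loss_after) * c.years


def benefit_cost_ratio(c):
    cost = total_cost(c)
    return total_benefit(c) / cost if cost else float("inf")


def prioritize(controls, budget):
    """Rank controls by benefit/cost ratio and fund them greedily within budget.

    Returns (funded_names, unfunded_names).  A control whose ratio is below
    1.0 costs more than it saves and is left unfunded regardless of budget.
    """
    ranked = sorted(controls, key=benefit_cost_ratio, reverse=True)
    funded, unfunded, remaining = [], [], budget
    for c in ranked:
        cost = total_cost(c)
        if benefit_cost_ratio(c) >= 1.0 and cost <= remaining:
            funded.append(c.name)
            remaining -= cost
        else:
            unfunded.append(c.name)
    return funded, unfunded


# Constructed sample controls (all values hypothetical).
SAMPLE_CONTROLS = [
    Control("MFA for CRM", "no strong authentication on CRM", 0, 6000, 2000, 1000, 500, 40000, 8000),
    Control("Offsite backups", "no tested restore for e-commerce DB", 15000, 3000, 1000, 4000, 0, 60000, 10000),
    Control("SIEM", "no central log monitoring", 10000, 20000, 5000, 8000, 2000, 50000, 25000),
    # Patching only in a daytime window that shuts down critical systems: the
    # indirect cost (lost sales) dwarfs the risk reduction, so it never pays.
    Control("Daytime patch window", "unpatched servers", 0, 0, 500, 0, 30000, 12000, 6000),
]


if __name__ == "__main__":
    for c in sorted(SAMPLE_CONTROLS, key=benefit_cost_ratio, reverse=True):
        print(f"{c.name:22s} cost={total_cost(c):>8.0f} benefit={total_benefit(c):>8.0f} "
              f"ratio={benefit_cost_ratio(c):.2f}")
    funded, unfunded = prioritize(SAMPLE_CONTROLS, budget=80000)
    print("fund:", funded)
    print("defer:", unfunded)
```

The daytime patch window illustrates the point made later in the paper about controls that cannot be implemented: its indirect cost to business operations outweighs the loss it would avoid, so the ranking leaves it unfunded and an alternative control should be sought instead.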

When controls cannot be implemented

Business controls sometimes cannot be implemented because implementing them would reduce the functionality of the business, make it hard for the system to be accessed, or endanger human lives. This may require compensating security measures to maintain system functionality. An example is a process that involves shutting down critical systems during business hours, which could impact the business negatively because essential processes would not take place (Ncubukezi, 2023).

Organizations should consider using alternative solutions to ensure that non-compliance does not affect business activities and that the business can run effectively despite the gap. If a security control were not implemented because it would endanger workers, it would be effective to add a physical control that prevents unauthorized access, thus meeting the requirements of the organization.

How compensating controls can ensure that non-compliant systems can operate within a secured and compliant environment

The management of the organization can ensure that non-compliant systems operate securely by monitoring and auditing the control process. As the organization's developers monitor the non-compliant system, they can develop a manual for operating it, thus meeting the organization's requirements.

Monitoring and auditing the non-compliant system regularly can help the security experts ensure that the compensating control carries out the required roles effectively, thus increasing the functionality of the business systems. Lastly, the developers and the security teams can keep updating the application to add functionality and ensure that it meets the organization's requirements.

Differentiate the likelihood of a cybersecurity breach within the compliant environment and its impact on the organization

The likelihood of a cyber-breach occurring in a compliant organization depends on several factors, including emerging threats, risks, and vulnerabilities in the systems the organization uses. The organization can analyze the current threats in the market, which will allow it to identify the potential risks and threats it might face and to take action to mitigate them before they occur (Ncubukezi, 2023).

The impact of a cybersecurity breach can be significant, as it might target financial data or sensitive customer data, which can damage the reputation of the organization and make it hard for the organization to grow. Despite being compliant, an organization needs to prioritize developing measures to prevent and respond to cybersecurity breaches in the shortest time possible, to prevent damage to its reputation and facilitate growth.

Part 3

For your organization, take the NIST Cybersecurity Framework Controls and reduce them to system configuration requirements and system test cases with pass/fail criteria

The NIST Cybersecurity Framework is a set of guidelines and best practices that allow an organization to manage and reduce risks. The framework comprises five core functions: identification, protection, detection, response, and recovery, each of which should be assessed with pass/fail criteria to reduce cybersecurity risks. To implement the framework, an organization is required to have a preconfigured set of system requirements for each function, from which effective system test cases can be established, each judged a pass or a failure depending on the system's behaviour. Below is a pass/fail test for each of the functions (Krumay et al., 2018).

Identification is the first core function of the NIST Cybersecurity Framework; it is developed to identify and assess risks to the assets and operations of the organization. The organization can meet the requirement of this function by assigning unique identifiers that make it possible to track software applications, hardware, and system datasets. The pass/fail criteria for this function should include verifying all devices, including hardware, software, and networking devices, to ensure they are well maintained in order to reduce the organization's risks.

Protection is the second core function of the NIST Cybersecurity Framework, and its main role is to implement access controls that ensure only authorized personnel can access the information systems. This configuration involves implementing access controls on software, hardware, and firmware and communicating the security policies to be adhered to by all employees. The pass/fail criteria for these systems should involve verifying the access controls and ensuring that only authorized people have access to the information systems.

Detection is the third core function of the NIST Cybersecurity Framework, and it involves monitoring the systems to detect vulnerabilities and intrusions. The system configuration should focus on detecting unauthorized access and intrusions associated with security incidents, thus minimizing the vulnerabilities associated with the information systems. The pass/fail criteria for this function can be tested by verifying that the systems detect unauthorized access, intrusions, and related security incidents, thereby preventing a data breach of the information systems.

Response is the fourth core function of the NIST Cybersecurity Framework, and it involves developing an active incident response plan that can be used to contain and mitigate the impact of security incidents in an organization. The system configuration requirements should involve tracking, documenting, and responding to incidents the organization incurs. The pass/fail criteria should involve verifying that the incident response plan mitigates the security incidents the organization might experience (Krumay et al., 2018).

Recovery is the fifth and final function of the NIST Cybersecurity Framework, and it involves restoring data and systems after an incident has been experienced in the organization. The system configuration for this function should involve planning how data and systems will be recovered after a data breach. The pass/fail criteria for this function should include verifying the data restoration plans, which include data backup and recovery procedures, to ensure that data can be restored after a security incident. If the organization cannot restore data, this function should be classified as a failure.
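The five functions above reduced to concrete configuration checks with pass/fail results, as an added example that is neither the paper's own work nor NIST's. The system state is a constructed snapshot with an assumed schema; the thresholds (MFA on every account, no shared accounts, every asset forwarding logs, an incident-response exercise within a year, a restore test within 90 days) are this example's assumptions, not requirements the paper or the framework states. The recovery check applies the paper's rule that the function fails if data cannot be shown to be restorable.

```python
"""Pass/fail test cases derived from the five NIST CSF functions.

Added illustration, not part of the original paper.  SAMPLE_STATE is a
constructed snapshot of an organization's systems (assumed schema); the
thresholds in each check are assumptions of this example.
"""
from datetime import date

TODAY = date(2023, 6, 10)  # fixed so the example is deterministic

# Constructed sample state: two named servers, one switch with no identifier,
# one shared admin account without MFA, and a stale restore test.
SAMPLE_STATE = {
    "assets": [
        {"id": "SRV-CRM-01", "type": "server", "owner": "sales-it"},
        {"id": "SRV-ECOM-01", "type": "server", "owner": "web-team"},
        {"id": "", "type": "switch", "owner": "net-ops"},
    ],
    "accounts": [
        {"user": "alice", "role": "finance", "mfa": True},
        {"user": "shared-ops", "role": "admin", "mfa": False},
    ],
    "monitoring": {"ids_enabled": True, "log_sources": ["SRV-CRM-01", "SRV-ECOM-01"]},
    "incident_response": {"plan_documented": True, "last_exercise": date(2023, 1, 15)},
    "backups": {"last_backup": date(2023, 6, 1), "last_restore_test": date(2022, 11, 1)},
}


def check_identify(state):
    """Identification: every asset has a unique, non-empty identifier and an owner."""
    assets = state["assets"]
    ids = [a["id"] for a in assets]
    ok = all(ids) and len(set(ids)) == len(ids) and all(a.get("owner") for a in assets)
    return ok, "all assets uniquely identified and owned" if ok else "unidentified or duplicate asset"


def check_protect(state):
    """Protection: every account has MFA and no account is shared."""
    weak = [a["user"] for a in state["accounts"]
            if not a["mfa"] or a["user"].startswith("shared")]
    return not weak, "access controls verified" if not weak else f"weak accounts: {weak}"


def check_detect(state):
    """Detection: intrusion detection is on and every identified asset forwards logs."""
    mon = state["monitoring"]
    asset_ids = {a["id"] for a in state["assets"] if a["id"]}
    missing = sorted(asset_ids - set(mon["log_sources"]))
    ok = bool(mon["ids_enabled"]) and not missing
    return ok, "detection coverage complete" if ok else f"no logs from: {missing}"


def check_respond(state, today=TODAY, max_days=365):
    """Response: a documented incident response plan exercised within the last year."""
    ir = state["incident_response"]
    age = (today - ir["last_exercise"]).days
    ok = bool(ir["plan_documented"]) and age <= max_days
    return ok, f"IR plan exercised {age} days ago"


def check_recover(state, today=TODAY, max_days=90):
    """Recovery: a backup exists and a restore was tested recently.

    An untested restore is a failure even if backups run, because data has
    not been shown to be restorable.
    """
    b = state["backups"]
    age = (today - b["last_restore_test"]).days
    ok = b["last_backup"] is not None and age <= max_days
    return ok, f"last restore test {age} days ago"


def run_all(state):
    """Return {function_name: (passed, detail)} for the five CSF functions."""
    return {
        "identify": check_identify(state),
        "protect": check_protect(state),
        "detect": check_detect(state),
        "respond": check_respond(state),
        "recover": check_recover(state),
    }


if __name__ == "__main__":
    for name, (passed, detail) in run_all(SAMPLE_STATE).items():
        print(f"{name:8s} {'PASS' if passed else 'FAIL'}  {detail}")
```

Each check returns both the verdict and the evidence behind it, so an auditor can see why a function failed (the switch with no identifier, the shared account without MFA, the restore test that is over 90 days old) rather than only that it did.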


References

Beynon-Davies, P. (2019). Business information systems. Bloomsbury Publishing.

Gelinas, U. J., Dull, R. B., Wheeler, P., & Hill, M. C. (2017). Accounting information systems. Cengage Learning.

Hartomo, K. D., & Ramadhan, M. R. (2021, September). Quality evaluation in disaster mitigation information system using Webqual 4.0 method. In 2021 2nd International Conference on Innovative and Creative Information Technology (ICITech) (pp. 174-178). IEEE.

Kock, A., Schulz, B., Kopmann, J., & Gemünden, H. G. (2020). Project portfolio management information systems' positive influence on performance: The importance of process maturity. International Journal of Project Management, 38(4), 229-241.

Krumay, B., Bernroider, E. W., & Walser, R. (2018). Evaluation of cybersecurity management controls and metrics of critical infrastructures: A literature review considering the NIST cybersecurity framework. In Secure IT Systems: 23rd Nordic Conference, NordSec 2018, Oslo, Norway, November 28-30, 2018, Proceedings 23 (pp. 369-384). Springer International Publishing.

Ncubukezi, T. (2023, February). Risk likelihood of planned and unplanned cyber-attacks in small business sectors: A cybersecurity concern. In International Conference on Cyber Warfare and Security (Vol. 18, No. 1, pp. 279-290).

Zhang, Z., Mishra, Y., Yue, D., Dou, C., Zhang, B., & Tian, Y. C. (2020). Delay-tolerant predictive power compensation control for photovoltaic voltage regulation. IEEE Transactions on Industrial Informatics, 17(7), 4545-4554.