TWO ASSIGNMENTS

Security Management CS654

IP 3: Security Policy Content and Risk

Continue development of the Comprehensive Security Management Plan by adding a section reviewing the security policy. Create a list of each section in the security policy. Some sections in the list are business security requirements that can be decomposed first to more refined requirements and later to detailed security policies in the Security Policy document. This decomposition should be included in the list. These detailed policies do not need to be written, but referenced or indicated as a policy that needs to be written.

The project deliverables are the following:

  • Update the Comprehensive Security Management Plan document title page with new date.

  • Update the previously completed sections based on the instructor's feedback.

  • Use the subheading "Security Policy."

    • List each section of the security policy.

      • Include decompositions of business security requirements into policies in this list.

        • For example, a business security requirement for authenticated access might map to policies for log-in access and policies for file access.

  • Be sure to update your table of contents before submission.

See Sources you CAN USE PLEASE!!!

Risk Management

Introduction

The main reason an organization creates a security risk plan is to minimize the risk of threats to the organization's security. An organization needs to evaluate possible threats and be able to implement countermeasures to guard against them. This is not an easy thing to accomplish; however, with the right leadership, security models, and organizational vision, risk can be minimized.

Areas of Risk Management

An organization must understand the risks that it faces. An initial step in risk management involves the discovery and evaluation of threats. The evaluation process includes identifying an organization's assets and rating the probability of attack for each asset. The following are the key areas of risk management that an organization should address to minimize the impact of threats (Whitman & Mattord, 2008):

  • Risk identification: The organization inventories its assets and identifies those that are vulnerable to attack. Vulnerabilities are identified for each asset. Organizational assets include people, places, data, and technology. Assets are classified by placing them into categories and prioritizing the categories by their value to the organization.

  • Risk assessment: A risk score is assigned to each vulnerability. The score is a comparative rating against the risk scores of all identified vulnerabilities for the organization. Several factors go into the score, including the probability of the vulnerability occurring, the value of the asset for which the vulnerability is identified, the quality of the controls that mitigate the risk, and the uncertainty surrounding the vulnerability.

  • Risk control strategies: After an organization has identified and assessed risks, it must implement strategies to control those risks. Several strategies can be considered. One preferred strategy is avoidance, which prevents the exploitation of the risk.
Avoidance can be accomplished with the following techniques (Whitman & Mattord, 2008):

  • Policy application: Mandating that certain policies be followed.

  • Training and evaluation: Continuing training for employees on security risks and threats.

  • Threat countermeasures: Countering a threat before it strikes.

  • Implementation of technical controls: Implementing hardware and software controls to stop a threat when it appears.

There are several sources to explore for developing risk management plans. A risk management plan should include the following (Stoneburner, Goguen, & Feringa, 2002):

  • System description: Identify the characteristics of the IT system for which the risk management plan is being developed. Examples include identifying the information, hardware, software, and boundaries of the system.

  • Identification of threats: Identify sources of threats that have the potential to take advantage of a weakness in an IT system.

  • Identification of vulnerabilities: Identify weaknesses in the IT system that leave it vulnerable to threats.

  • Control evaluation: Evaluate the controls that are in place, or are planned, to protect the system from threats.

  • Probability of occurrence: Evaluate the probability that a threat will exploit a system vulnerability.

  • Potential impact: Analyze the impact of a threat successfully exploiting a system weakness.

  • Risk assessment: Evaluate the likelihood of a threat exploiting a system vulnerability, the impact on the system, and the controls in place to counter the threat.

  • Identification of controls: Determine the controls that will protect the system from threats.

  • Results analysis: Develop a management report that discusses the results of the risk analysis.

Conclusion

The three main areas of a risk management plan are risk identification, risk assessment, and risk control strategies. A robust security risk plan helps an organization prepare for threats to its security.
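As an added worked example (not part of the assignment text, and not code from either cited source), the following Python script carries the risk identification and risk assessment steps described above through a small asset inventory. The inventory is constructed, and the rating rule (likelihood times asset value, reduced by the share of risk that existing controls already mitigate, then increased by an uncertainty allowance) is an assumption chosen to reflect the four factors the text names; the `Asset`, `Vulnerability`, `risk_score` and `rank_risks` names are this example's own.

```python
"""Risk-rating worksheet: score each vulnerability against its asset and rank them.

Added illustration; the inventory below is constructed, and the weighting
(likelihood x asset value, reduced by the share of risk that existing controls
already mitigate, then increased by an uncertainty allowance) is an assumed
rating rule, not a formula taken from the cited sources.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    category: str      # people, places, data, or technology
    value: float       # relative value to the organization, 0..100


@dataclass(frozen=True)
class Vulnerability:
    asset: str         # name of the Asset this weakness belongs to
    description: str
    likelihood: float  # probability the vulnerability is exploited, 0..1
    controlled: float  # share of the risk already mitigated by controls, 0..1
    uncertainty: float # allowance for how incomplete our knowledge is, 0..1


def _require_unit(label: str, x: float) -> None:
    """Reject ratings outside 0..1 instead of silently producing a bad score."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {x}")


def risk_score(asset: Asset, vuln: Vulnerability) -> float:
    """Rate one vulnerability on one asset.

    base  = likelihood * asset value
    score = base - (base * controlled) + (base * uncertainty)
    """
    if not 0.0 <= asset.value <= 100.0:
        raise ValueError(f"asset value must be between 0 and 100, got {asset.value}")
    for field in ("likelihood", "controlled", "uncertainty"):
        _require_unit(field, getattr(vuln, field))
    base = vuln.likelihood * asset.value
    return round(base - base * vuln.controlled + base * vuln.uncertainty, 2)


def rank_risks(assets, vulns):
    """Score every vulnerability and return (score, asset name, description)
    tuples ordered from highest to lowest risk, so the top rows are the ones
    that need a control strategy first. A vulnerability that names an asset
    missing from the inventory is a data error and raises KeyError."""
    by_name = {a.name: a for a in assets}
    rows = [(risk_score(by_name[v.asset], v), v.asset, v.description) for v in vulns]
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample inventory covering three of the four asset categories.
ASSETS = [
    Asset("customer database", "data", 100.0),
    Asset("public web server", "technology", 80.0),
    Asset("help desk staff", "people", 50.0),
]

# Constructed vulnerabilities, one per asset, with made-up ratings.
VULNS = [
    Vulnerability("customer database", "DBMS patches not applied", 0.5, 0.5, 0.2),
    Vulnerability("public web server", "OS patches 90 days overdue", 1.0, 0.0, 0.1),
    Vulnerability("help desk staff", "no phishing-awareness training", 0.8, 0.3, 0.25),
]


def worksheet():
    """Ranked worksheet for the sample inventory."""
    return rank_risks(ASSETS, VULNS)


if __name__ == "__main__":
    print(f"{'score':>6}  {'asset':<20} vulnerability")
    for score, name, desc in worksheet():
        print(f"{score:6.1f}  {name:<20} {desc}")
```

Running the script prints the three vulnerabilities ranked by score; the web server's overdue patches rank first because nothing currently mitigates them, while the database weakness, on the most valuable asset, drops to last because half of its risk is already controlled. The range checks are there because a rating worksheet is only as good as its inputs: a likelihood entered as a percentage rather than a fraction would otherwise inflate one row and distort the whole ranking.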

References

Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). Risk management guide for information technology systems (NIST Special Publication 800-30). Retrieved May 23, 2007, from the National Institute of Standards and Technology Web site: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Whitman, M. E., & Mattord, H. J. (2008). Management of information security (2nd ed.). Boston: Course Technology.