INFORMATION SECURITY AND RISK MANAGEMENT

Name

INF80043

Professor

University

City and State

Date

Exercise 1

1. Security concepts

The security conceptual framework by Onwubiko & Lenaghan (2007, p. 2) offers an analysis and description of major security concepts. The security systems are structured to achieve objectives such as confidentiality, integrity and availability of the resources. The main component covered by the information system includes hardware, software, firm ware and data. The major security components that Onwubiko & Lenaghan discussed in their framework include:

1. Confidentiality where the major objective is to prevent unauthorized exposure and disclosure f system and information either intentionally or unintentionally. The Victorian police files should only be accessed by a person with the right authorization. Failure to do that is against the confidentiality concept of a security system.
2. Integrity of the security systems refers to the guarantee that the network, its components and services offer accurate, complete and consistent information in a timely manner. The integrity of the system for the Victorian Police can only be said to be achieved where information is availed to the right and authorized person. In this case the system’s integrity is porous and unable to filter the exact piece of information required thereby exposing the system to a breach.
3. Availability of the service offered by a system refers to their availability within acceptable levels to the authorized bodies. In the case of the breaching of the Police confidential files, the service provider, IBM, followed the prescribed process of availing related files
4. Threats to a system refers to the situations, occasions or entities that pose danger of causing harm and distortion to the regular security operations through taking advantage of the vulnerabilities in the system. The major threat to the system for Victorian Police lies in the possibility of breach that arises from the outsourcing contract with IBM.
5. Harm to a system occurs when the confidentiality, privacy and integrity of computer network and their component have been broken into. The systems within the Victorian Police experienced a breach where confidential files were exposed to unauthorized individual.
6. The asset refers to any substance that an owner place attachment and importance to it. It may either be software, information, or physical infrastructure. In the described article the police files represents the assets which were valuable to the police.
7. The owner refers to the person or entity that have legal claim over a given asset. On the article from the Age, the Victoria Police had claim over the files that had been leaked to unauthorized person (Madew & Varghese, 2005)
8. Counter-measures refers to the protective controls put in place by the owners to safeguard the system for the vulnerabilities. The Victorian Police had set up measures, process and procedure that the IBM needed to follow when releasing files.

2. Asset Classification Model

Onwubiko & Lenaghan (2002, p. 3) provides three categories for classifying assets; minor, major, and critical. The minor assets relate to personal information whose exposure leads to small and insignificant financial losses and only affects a sole individual. The major assets relates to confidential information likely to cause significant financial loss that is survivable. It only affects the network partially. Critical assets refer to the sensitive and confidential information. Its exposure is likely to give rise to significant losses that are irrecoverable and affect more than one sections of the system. 

The leaked documents from the Victorian Police are said to be confidential can thus be classified as major assets. They file relates to multiple users as they hold information on more than one thousand individuals. This implies that the assets were breached from only one point, in this case retrieval from the third party. While it is a serious breach, the police can be able to survive its effects.

References

 Medew, J., & Varghese, S. (2005). 20,000 Pages Leaked in New Police Bungle. Retrieved from http://www.theage.com.au/news/national/20000-pages-leaked-in-new-policebungle/2005/08/16/1123958033738.html#

Onwubiko, C., & Lenaghan, P. (2007). Managing Security Threats and Vulnerabilities for Small to Medium Enterprises. Internationa Conference on Intelligence and Security Informatics. London.

Exercise 2

Situation: Use of worn-out tires

Threat: the tires are at a threat of bursting and causing the vehicle to roll over. Another threat may be the lack of grip with the surface of the road may make the vehicle to skid and slide.

Vulnerability: the major flaw on the asset in question (vehicle) is the worn out tires. Exposure of the flaws, to a threating condition puts the vehicle at a risk of getting an accident.

Likelihood: this refers to the probability that the assets may be compromised by the threats. In this case, continued use of the vehicle in such a state exposes it more the threats.

Risk: the vehicle is vulnerable to being involved in an accident or failing to perform as required in the instance the tire bursts or makes the vehicle slide.

Components relationship

The vehicle (asset) has vulnerability or flaws in its worn-out tire. This exposes it to conditions that may exploit this vulnerability thereby causing an accident. These threats include bursting of the tire or skidding due to loss of grip. The worn out tire are an indication of the security risk and indicates that the vehicle is un-roadworthy since it does not meet the security requirements. The requirements can only be achieved by enacting controls, such as regular tire replacement which ends up reducing the security risks.

Reflective practice essay

International standards provide a framework for ensuring the safety and quality of products and services. These standards also level the playground for international trade while at the same time ensuring maintaining the sustainability of our environment.  The standards also offers guidelines to businesses for dealing with arising challenges which ensure that their operations are efficient, productive and open up new markets for them (ISO, 2016, p. 1).

The availability of many different standards addressing risk management may confuse the organizations on the most suitable one to adopt. The organization should first comply with the specific prescribed standards by the industry and the customers. Organizations further face different types of risks and should thus match the standards which they opt to adhere to with the specific challenges facing the organization. Organizations normally regard risk management and quality improvement as integrated processes. Combined, the two offers a framework that guides all the operation of an organization, how to go about them and providing solutions to problem facing them (ACHS, 2013, p. 9).

The incorporation of the international and other national standards in the curriculum is a way of preparing the future and potential manager and industry players. Vries (2002, p. 3) identifies that people who need to be educated on standardization are the one who have a stake related to it or will carry out activities related to it. As scholars on the path of joining operations in the main field, it thus necessary to learn about standardization matters that we expect to face in the field. Learning on these standards helps prepare the people entering the professional life for their future roles and adequately equips them.

References

ISO. (2016). Benefits of International Standards. Retrieved from http://www.iso.org/iso/home/standards/benefitsofstandards.htm

The Australian Council on Healthcare Standards( ACHS). (2013). Risk Management and Quality Improvemnet Handbook. EQuIPNational.

Vries, H. J. (2002). Standardisation Education. Retrieved from www.erim.eur.nl