Risk Management

Question 1

1. Assessment phase

The assessment phase is the evaluation stage of risk management: it identifies YGT's assets, the threats to them and the vulnerabilities those threats could exploit, and estimates the effect each risk would have on YGT's program. A risk assessment plan therefore records, for each risk, how it is to be handled, the treatment plan for it, and its expected effect on the program. The goals of the assessment are to protect information and data from harm, to evaluate the effects of each risk, and to describe the overall risk picture.
2. Mitigation phase

The mitigation phase reduces the risks found during assessment. The IT security manager identifies control types that lower the level of each risk; for example, a firewall cuts down the number of threats that can reach the system at all, and an intrusion detection system detects the attacks that get past the firewall so they can be responded to before they do much damage. The major activities YGT will carry out in this phase are evaluating candidate controls, selecting and implementing the appropriate ones, and developing an implementation plan for them.
3. Validation phase

The validation phase confirms that the program meets the specifications and requirements set for its intended purpose. YGT has many such requirements to confirm; for example, a two-step validation process will be required for any handling of sensitive data. Validating the effectiveness of the security program means testing its controls and showing that they work as intended, not assuming they do because they were installed.
4. Sustainability phase

The sustainability phase is the final, and ongoing, phase of the security program. In it YGT has to keep its network, applications, software and computer systems up and running in a secure and protected environment. To sustain the program, YGT will assign a security team to check the company's systems daily and keep them operating in a secure state.

Question 2

Definitions of key terms:

Vulnerability: a weakness in a system (in its software, configuration, procedures or physical protection) that may allow the system to be exploited.

Risk: the possibility that a threat, such as malware or an attacker, exploits a weakness in a computer system, together with the effect that exploitation would have.

Risk management: the process of identifying the vulnerabilities and threats of a system and then designing approaches that reduce the risk to an acceptable level. For YGT, this means identifying the weaknesses in and threats to the YGT system and then designing approaches that reduce the level of risk and give the best result. To get that result, YGT has to follow specific steps: have a security policy; define the scope of the analysis; identify the assets for review; evaluate the importance of the organization's assets; identify the threats and vulnerabilities of each asset; and maintain the risk at an acceptable level.

Risk assessment: the evaluation phase of the risk management process. A structured risk assessment establishes rules for what is assessed, who needs to be involved besides the IT security manager, how the organization's assets are valued, the terminology used in discussing and comparing degrees of risk, and the documentation that must be collected and produced as a result of the assessment and its follow-on activities.
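To make the definitions above concrete, here is an added example (not part of the original answer, and not YGT's own material) of a small risk register in Python. It scores each asset/threat/vulnerability entry by likelihood times impact, applies the controls chosen in the mitigation phase to obtain a residual score, and reports which risks still exceed the acceptable level. The assets, scores, controls and the acceptable level of 6 are all constructed assumptions for illustration.

```python
"""Added example: a minimal risk register for the YGT scenario.
Assets, scores, controls and the acceptable level are constructed."""

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood (1-5 scale)
    impact_reduction: int = 0      # points removed from impact (1-5 scale)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                # 1 = rare .. 5 = almost certain
    impact: int                    # 1 = negligible .. 5 = severe
    controls: list = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Risk before any control is applied: likelihood x impact."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Risk after the chosen controls; neither factor drops below 1,
    because no control removes a risk entirely."""
    lik = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    imp = max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))
    return lik * imp


def treatment_plan(register, acceptable_level):
    """Rank risks by residual score and mark those still above the acceptable level."""
    rows = []
    for r in register:
        residual = residual_score(r)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": inherent_score(r),
            "residual": residual,
            "controls": [c.name for c in r.controls],
            "status": "treat further" if residual > acceptable_level else "accept",
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def needs_treatment(register, acceptable_level):
    """Assets whose residual risk is still above the acceptable level."""
    return [row["asset"] for row in treatment_plan(register, acceptable_level)
            if row["status"] == "treat further"]


# Constructed controls chosen in the mitigation phase (hypothetical values).
FIREWALL = Control("perimeter firewall", likelihood_reduction=2)
IDS = Control("intrusion detection system", impact_reduction=1)  # shorter dwell time
CABINET = Control("locked cabinet with access log", likelihood_reduction=2)

# Constructed register for illustration.
REGISTER = [
    Risk("customer database", "external attacker",
         "database port reachable from the Internet", 4, 5, [FIREWALL, IDS]),
    Risk("HR records", "insider", "unlocked filing cabinet", 3, 4, [CABINET]),
    Risk("public website", "denial of service", "no rate limiting", 3, 2),
]
ACCEPTABLE_LEVEL = 6  # assumed threshold set by YGT management

if __name__ == "__main__":
    for row in treatment_plan(REGISTER, ACCEPTABLE_LEVEL):
        print(f"{row['asset']:18} inherent={row['inherent']:2} "
              f"residual={row['residual']:2} {row['status']}")
```

Running the block shows the customer database (inherent 20, residual 8) still above the acceptable level even after the firewall and IDS, so it goes back into the mitigation phase, while the HR records (residual 4) and the website (residual 6) are accepted.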
The company also needs goals for good risk management, such as establishing an objective measurement of risk that gives the company an understanding of its business risk. The assessment activities that have to be performed are a vulnerability scan, penetration testing, development of a risk profile for the company's environment, and determination of a risk-reduction plan.

Question 3

A: Defense in depth is the practice of protecting a system against all types of attack with several independent techniques rather than one. The idea is to have security considerations and services present at each level. When building the company's security infrastructure, we always assume that any one layer can fail completely, so security controls must be present at every level. In other words, defense in depth requires the organization to establish enough controls and safeguards that an attacker faces multiple layers of protection, which reduces the risk to the system. Components the company will need include a firewall, an intrusion detection system and a demilitarized zone (DMZ) for externally reachable servers. The company will also need to educate its employees and train them to be aware of information security, since people are a layer as well.

B: Many security controls can be employed in a defense-in-depth strategy. Two classes of control are logical (technical) controls and physical controls. Examples of logical controls are access control lists, intrusion detection systems and firewalls. Examples of physical controls are cameras, alarm systems and cable locks.

C: Physical controls are designed to stop unauthorized people from physically reaching the building, its resources or its information storage. They protect the network, data, programs and hardware from being physically accessed by unauthorized people; logical controls can often be bypassed once an attacker has hands on the hardware (for example by removing a disk), so the physical controls underpin the logical ones. The company needs this protection to guard itself against loss or damage.
Question 4

The high-level components of this strategy are business continuity planning (BCP), incident response planning (IRP) and disaster recovery planning (DRP). Business continuity planning is the planning process for ensuring that critical business functions continue if a catastrophic incident or disaster occurs; it runs concurrently with DRP when the damage is major or long-term and requires more than simple restoration of information and information resources. Incident response planning is the planning process for the identification, classification, response to and recovery from an incident. This component focuses on the immediate response; if the incident escalates beyond what the response team can contain, the process hands over to disaster recovery and business continuity. Disaster recovery planning is the planning process for preparing for and recovering from a disaster, whether natural or man-made. This component focuses on recovering or restoring the systems after the disaster, and as such it is closely associated with BCP.

Question 5

Many steps can be taken under physical security, for instance safeguarding all the personal records and other sensitive information the company holds. This can be done with locks, cabinets and tracking devices: all sensitive information is kept in locked cabinets, and every access to it is recorded by the tracking device, which continuously monitors the confidential information. Before any employee is given access to sensitive data, their name and employee number are recorded, so that each access can be traced to a person. The goal of physical security is to provide safe and secure measures that preserve the confidentiality and integrity of all sensitive information. To get good physical security at YGT we should apply the defense-in-depth concept here as well, so that an attacker or unauthorized person has to defeat several barriers before reaching sensitive information.
The IT manager can also take process-improvement measures to raise security awareness and improve physical security. The IT manager can train employees in specific methods of safeguarding confidential information; for example, the manager can keep a list of the vulnerabilities that exist and train employees on how to guard against each of them. In addition, a check-in/check-out system can record every access to sensitive information.

Question 6

One of the most important phases is validation of the security program. Validation covers several areas the company needs to consider, such as information classification, information protection, password management and communication. To properly validate the effectiveness of the security program, it must be tested against the various types of threats and vulnerabilities it is meant to address. One security policy to consider is that access and security must be strictly enforced and monitored. Any service requested by anyone must be double-checked, regardless of who requested it and what position they hold. Requests are checked at the relevant service level to determine whether they are legitimate or beyond the requester's scope; if they are beyond scope, they must be declined. Further steps are monitoring activities and scheduled management activities to determine whether control procedures are performed effectively and consistently. What YGT needs is internal controls that provide reasonable assurance. Compliance with regulations such as SOX, compliance with YGT's own security policies, and effective internal controls are YGT's measures against any type of threat.

Question 7
To ensure that the information security program keeps functioning and improves over time, YGT has to keep watching the security program and make sure the company's network and environments are running in a secure and protected manner. Security programs should be managed using a management model to operate ongoing security programs. These models are frameworks that structure the task of managing a particular set of activities. The management model used here is a five-area structure for the management of networks and systems: fault management, configuration and name management, accounting management, performance management, and security management. Fault management is the process of identifying, tracking, diagnosing and resolving faults in a system. Configuration and change management is the administration of the configuration of the security components; change management covers both technical and non-technical changes. Accounting management is the monitoring of how particular components of the system are used. Performance management is the monitoring of the performance of the system. Security management is the administration of the security controls themselves, such as who may access which resources. Alongside all of these, the company's systems must always be kept up to date with security fixes.
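The rule from Question 6 that every request is checked at the service level and declined when it is beyond the requester's scope, regardless of position, and the access-recording from Questions 5 and 6, shown together as one added Python example (not part of the original answer and not YGT's own code). The services, granted scopes, users and sample requests are constructed; the audit log also yields the list of declined attempts that the monitoring described in Question 7 would review.

```python
"""Added example: service-level request checking with an access audit log.
All services, scopes, users and requests below are constructed."""

from dataclasses import dataclass
from datetime import datetime, timezone

# Actions each service exposes (constructed).
SERVICES = {
    "hr-records": {"read", "write"},
    "payroll": {"read", "write", "approve"},
}

# Scope granted to each principal, per service (constructed). The CEO holds
# only read scope on payroll: position alone never widens scope.
GRANTS = {
    "alice": {"hr-records": {"read"}, "payroll": {"read"}},
    "bob": {"hr-records": {"read", "write"}},
    "ceo": {"payroll": {"read"}},
}


@dataclass(frozen=True)
class Request:
    user: str
    service: str
    action: str
    resource: str


class AuditLog:
    """Check-in/check-out style record of every access decision."""

    def __init__(self):
        self.entries = []

    def record(self, req, allowed, reason):
        self.entries.append({
            "id": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user,
            "service": req.service,
            "action": req.action,
            "resource": req.resource,
            "decision": "ALLOWED" if allowed else "DECLINED",
            "reason": reason,
        })

    def declined(self):
        """Entries a reviewer would inspect during monitoring."""
        return [e for e in self.entries if e["decision"] == "DECLINED"]


def check_request(req, log, services=SERVICES, grants=GRANTS):
    """Decide a request at the service level and log the decision.
    Returns True only when the action is within the requester's granted scope."""
    if req.service not in services:
        allowed, reason = False, "unknown service"
    elif req.action not in services[req.service]:
        allowed, reason = False, f"service does not offer action '{req.action}'"
    else:
        scope = grants.get(req.user, {}).get(req.service, set())
        if req.action in scope:
            allowed, reason = True, "within granted scope"
        else:
            allowed, reason = False, f"'{req.action}' on {req.service} is beyond {req.user}'s scope"
    log.record(req, allowed, reason)   # every decision is recorded, allowed or not
    return allowed


def run_sample():
    """Run constructed sample requests and return (decisions, log)."""
    log = AuditLog()
    sample = [
        Request("alice", "hr-records", "read", "emp-1042"),
        Request("alice", "hr-records", "write", "emp-1042"),
        Request("bob", "hr-records", "write", "emp-1042"),
        Request("ceo", "payroll", "approve", "run-2024-05"),
        Request("mallory", "payroll", "read", "run-2024-05"),
    ]
    results = [check_request(r, log) for r in sample]
    return results, log


if __name__ == "__main__":
    decisions, audit = run_sample()
    for e in audit.entries:
        print(e["id"], e["decision"], e["user"], e["action"], e["service"], "-", e["reason"])
```

The sample yields two allowed and three declined requests: the CEO's payroll approval is declined exactly like an unknown user's read, because the check consults only the scope granted for that service, and the declined entries are what the scheduled monitoring reviews.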