SECURITY EVALUATION

/in /by

SECURITY EVALUATION

by (Name)

The Name of the Class (Course)

Professor (Tutor)

The Name of the School (University)

The City and State where it is located

The Date

Planning Contingency

Contingency Planning

A contingency plan is a course of action developed to enable organizations to respond mainly to a risk that may or may fail to occur in the future (Maurer, Clark and B., 2015). In information security, contingency planning is the measures put in place to recover information in technological systems during or after a system disruption or an emergency that impacts an information system. A well-developed plan ensures a company minimizes losses that may occur due to information loss, allows a company to remain competitive and also minimizes disruptions and panic that may occur. The measures may include activities such as relocation of information systems, having back-ups on separate systems and recovery using different types of equipment or manual means (Freire and Padilla, 2019). Risks are bound to occur in an entity; hence organizations and individuals need to ensure that the information stored in devices is safe and can be recovered whenever an emergency occurs. A contingency plan is an alternative information system security plan that protects the company before information risks occur.

Personal Situation and Risks

Information storage in technological equipment and gadgets are usually at risk of loss if not well-managed and lacking methods to keep the data safe. Due to technological development, technological appliances have increased and improved. Therefore, for information processing and storage, I use a laptop. A laptop works the same way as a computer. It allows data input, processes. It gives information output, which can also be stored in the same device. Hence most of the work I do is stored on the laptop. Also, since communication with people is essential, I have a smartphone that allows me to communicate, and through it am still able to store data of documents, people’s contacts and information and also connect through social media apps stored in the smartphone. The two data storage methods store a lot of personal information that is helpful in the future and in providing evidence and reference whenever I require some past information.

Besides, I also use hard drives and flash disk to store other relevant information, since the mobile phones and laptops storage size is usually smaller. Therefore, these tools are used to back up information that is on the laptops and mobile phones to avoid loss of information whenever they get destroyed, or I lose them. Besides, the many activities and operations at times limit me from carrying all my storage devices. Thus, to ensure that I can access information from any place, at any time and through any other device, I store my information through email and google drives. Whenever I send emails to any individual, it is easy to access the information from any other device provided I log in using my details. This action as well happens for information stored in google drives as I can get them wherever I am and at any time. Emails are more convenient for me due to the easy accessibility of data stored.

Cyber attacks are one of the risks that profoundly affect technological devices for data storage. Cyber attacks lead to the loss of valuable and sensitive information of an individual. Malware is a type of cyberattack that occurs when an information system is corrupted, and data were stolen. It occurs in devices such as laptops and mobile phones. Also, phishing is an act that involves an attack on email by tricking the email recipient into providing confidential information or downloading malware through a hyperlink provided to the recipient through a message. Phishing may also happen through impersonation of another individual hence get information from owners. Data breaches are also a challenge to technological devices. Personal information can quickly get to the public through malicious ways for crimes or malicious theft.

Normative model

The normative model was constructed based on the devices applied by the user and the features they have. The devices have characteristics that either limit the risk of information or expose the user to losing data stored. Laptops, mobile phones, cloud data storage, use of portable devices have a risk to the destruction of information when exposed to many individuals. Therefore, in applying the controls, the possible risks were determined for the devices that may lead to information loss. These include access by individuals through theft or physical destruction, the security of contacts, classification and labeling for easy identification and safety of the tools. Since the risk that mostly affects personal devices and information stored in them is cyberattacks, techniques for security involves privacy and safety of login information, restriction to access and personalization of access rights. The controls were chosen link to the risks that may occur to the information stored in the personal devices.

After identification of the risk and control policy involves, The normative model is applied in the evaluation of the system. The controls provide the necessary actions to avoid loss of information; hence its application into the user’s gadgets leads to a finding on the security control of the user information. It involves a reactive analysis to evaluate the current condition of information stored as well as the risk of accessibility. Second, the information is assessed to find its importance through classification according to importance. The security of information should be according to the importance it holds to the user and the risk of other people wishing to have the same information. Third, an analysis is conducted to find ways to either develop the existing security policy or to find a new way to store and secure information in the devices. Also, the model involves the limitations analysis, where the challenges of the existing technology are analyzed, as well as the methods that may be used. The limitation analysis identifies the best technique for application to safeguard personal information.

Summary of the tasks undertaken

Steps in Reviewing

The information system review involved a series of steps that led to the finding. These steps include, first, a situation assessment. This step is an analysis of the current conditions of the user, including the consumers of the information stored, the usefulness of the data and the risks involved in the various storage methods. The analysis made validates the options to be used and allows the selection of a technique that fits the user and al other beneficiaries of the information. Second, is the information needs assessment, where the user identifies how the information is essential to them and the number of people it is bound to serve. Also, the goal of the user is identified. Through this information, an appropriate storage mechanism can easily be identified based on the importance of the information. Susceptible information is stored in highly secure situations compared to the other information of the user. The storage difference depends on the level of security for a particular technique.

Exploration of the information is the step following the assessment of information. Through this step, the information sources are analyzed and the means of sharing them with any other parties. This process is the identification of the medium appropriate for sharing information. After identification of the methods and information limitation analysis is conducted to determine the risks that can occur using any of the methods of data storage. It determines the gaps that exist for information stored and the risks that may lead to data loss or disruption. These gaps then lead to a generation of a technique that would help to prevent or reduce the risk in which the information is exposed. Based on the understanding of existing methods, the importance of information and the risks, a recommendation is made on the best method to use or action to take to ensure the safety of the personal information.

The steps were taken in consideration of the control policies according to the ISO 27002 model. The tests were based on the requirements of the model on the essential aspects required in providing a secure platform for information storage. The evidence used was the methodologies applied by the user, and the storage methods projected risks. Also, the history of information loss through device theft and interceptions were considered in finding more risks involved in the storage of information using the specific devices. For example, laptops and mobile phones are prone to system failures and viruses that may lead to system crash hence causing information loss that is difficult to restore. The tools used involved activity reviewing and non-automated means analysis of the devices. It is based on observational techniques on the devices and conditions of data storage. The user information is also useful in reviewing the information system.

Findings review and recommendations for improvement

The review of the information system devices proved to have strengths in some of the controls and required improvement in factors such as restriction to access to privilege rights. The strengths include:

Media handling

According to AS 27002 standard 8.3.3, media containing information should be protected and handled with care during transportation. The portable media used are the laptops, mobile phones, hard disks and flash disks gadgets. The review found that the handling of these devices is appropriate, with specific equipment for carriage purposes and an environment that ensures the safety of devices. Physical safety has been provided through having a laptop bag to prevent breakage when it falls and secure place of storage of the device. Also, mobile phones and other storage devices have storage equipment that ensures the safety of information in it that may be caused by physical damage. Since physical security has been guaranteed, the devices require information security due to technical system improvement. Also in AS 27002 8.2.2 requires labeling of information according to the classification scheme. Most of the information stored in the devices have been labeled based on the information it carries. It is easier to trace a document within a pile of folders created by the use of the labeling made for the documents.

The requirement of Access Control

A restriction has been made in most of the devices reviewed through passwords that secure the information. The devices can only be accessed through passwords, by which a user has to know before acquiring any information from them. There is also a mandatory access policy where the user has total power over the management of the device controls and any controls that need to be set. Also, in 12.4.2, the policy requires the protection of login information, which the user has developed well. The login information includes passwords that are encrypted and not easy to find. This strategy prevents other individuals from acceding the information in the devices unless they know the log information. However, the information is stored well and protected from being access by unauthorized individuals—a security system on access secure information against external risks that may occur. The restrictions on access control ensure integrity to access control rules where persona information requires to be shared by several people benefiting from the same information.

Information security in mobile devices

The user has failed to develop a security system that ensures the protection of data in the devices. In the standard 27002 articles 6, the controls require maintenance of appropriate contacts or relevant authority and a policy supporting security measures implemented. In the review, it was determined that the user shares devices with other individuals hence increasing the risk of losing information. Also, the contacts of authorities are not well kept. A riskier activity that may lead to cyber-attack is the connection to public wi-fi, which does not allow control and management by the user. The risk may compromise information stored in the connected devices as it is open to external access. This risk can be prevented through the implementation of a home connection, with the full managerial ability of the user. It limits access by external sources who wish to get information through malicious methods. It also guarantees safe usage during messaging and information sharing on various platforms.

Reflection on the methodology or review approach

The information system is integrated into an environment with hardware, software and humans, which represents the technical, nontechnical and user functions (Falih, 2018). The three parties have the responsibility to ensure the information stored is secure and cannot be easily accessed by external individuals. The hardware and software are controlled by the user; hence they have to find methods to keep the information safe. Therefore, in personal information security, it is the responsibility of the user to develop strategies that ensure information is secure. The issues to be addressed involving devices for information storage are proper to use, access and approval of usage, users rights and privileges and access to information (Implementing an Information Security Review: TechWeb: Boston University, 2020). The usage of various information storage methods requires a strategy for each device’s security using the user’s privileges and the importance of information. However, each system has to integrate with the features of a device to make it beneficial.

Personal information is not protected a lot compared to organizational information. The review shows a lack of most of the measures mentioned in AS 27002- 2015, except for the few most common ones. Passwords are one strategy most applied by individuals in finding safety for information stored and prevent external access. However, personal information also requires the best practices to allow secure data, as stated in the standards for system security. For example, back up of personal data is one of the essential information processing responsibilities based on the assumption that every system can crash at a point (Henkoğlu and Ucak, 2016). Therefore, with the knowledge, the back-up system should guarantee the safety of the information. The controls give a guideline that helps to strategize methodologies that work for a particular device.

A security policy should state the security need as well as the circumstances under which the need should be met (Computers at risk, 1991). With the application of the AS 27002 standards in review, the controls provide the requirements for a proper security system. Through the standards, I was able to find the need for information security and how the risks could occur. Having cyber-attacks as the main risk affecting devices for personal information, it defines the need to have a security system that protects the data. Identifying the individual’s devices shows the circumstances under which the risks may occur, leading to a loss of information. When a user enters personal information into a web or device, they acknowledge the sites for collection of data. Therefore, giving the need to secure any information stored in them for future restoration.

A review of system security reviews based on the application of AS 27002 leads to the development of strategies that help in securing data. The standards provide control for users to analyze and evaluate their information system to ensure it has the characteristics and features that contribute to the safety of information stored in the devices. Also, other than the identification of the risk, a strategy can be developed to improve the information storage system. The standards can also be applied in securing personal information stored in devices as well as the cloud.

Appendix I – Normative Model

Control Comments about evaluation Tests Recommendation

The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. Policies for information security are not reviewed at all.

Access control policy was applied, but the access requests are not structured, which does not guarantee information security.

Passwords have been set for most of the information system gadgets. Develop an access control policy that reviews information security policies in access. Frequently review information security policies to ensure suitability and effectiveness.

6.1.3 Appropriate contacts with relevant authorities should be maintained Formal contacts are not supported. Information on contacts is not synchronized with devices.

Mobile devices policy was adopted to ensure limited access to devices by other individuals.

Appropriate contact sare stored in the cloud and device. External access to appropriate contacts reviewed and security evaluated. Develop a defense in depth with physical, technical and policy controls.

6.2.1 A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. Mobile devices are, at times, shared with individuals.

The BYOD approach was implemented to evaluate the limit on handling by external parties.

Mobile devices are not well stored and not secure.

Mobile gadgets are connected to fee wi-fi, which may compromise information. A check on Connections with external wi-fi and accessibility to external individuals. Limit access of devices by family members and other parties

8.2.1 Information should be classified in terms of legal requirements, value, critically, and sensitivity to unauthorized disclosure or modification. Information is all mixed up in the various devices.

The classification scheme model was adopted to evaluate division n classification of data in the devices.

No classifications made as information are stored in devices and cloud, all together. Finding a classification for data separating legal and sensitive information. Develop a classification scheme to store information appropriately.

8.2.2 An appropriate set of procedures for information labeling should be developed and implemented in accordance with information classification scheme adopted by the org Information is labeled depending on its content.

Confidentiality level approach was used where confidential information is labeled aside from public knowledge.

Some information labeling is not clear and easily forgotten unless confirmed. Checking information label, how it is labeled and confidentiality kept Create an appropriate confidentiality level technique for labeling information.

8.3.3 Media containing information should be protected against unauthorized access, misuse or corruption during transportation Transportation of the media devices is appropriate, and packaging ensures physical safety.

Physical protection techniques of packaging in a carriage was adopted, hence guaranteeing physical security.

Security in transportation is also guaranteed. Reliable Transport and packaging Implement appropriate gadget storage for all media devices storing data.

9.1.1 An access control policy should be established documented and reviewed, based on business and information security requirement Devices have passwords to limit access.

Mandatory access policy is adopted where the owner gains full management of the devices and information in them. Checks on who needs to know about information stored, who needs to use the information, and how much they can get access. Implementation of a Formal procedure and defined responsibility of access to devices should be developed.

9.2.2. A formal user Access provisioning process should be implemented to assign or revoke access rights for all user types of toll systems and control User access provisioning is not developed except for google drives.

Provisioning and revoking policies are not applied; hence most information can be accessed.

Notification on other individuals’ access is not developed. Authorization of the owner of the information system and verification of access. Implement access to revoking and provisioning strategy.

9.2.3. The allocation of and use of privileged access rights should be restricted and controlled No restriction to access of privilege rights.

System administration technique restriction to limiting access to privileged access control. Control of privilege access rights such as deleting information. Implement information asset inventory and a system that prevents accessibility to privilege access.

9.2.5 Asset owners should review users access rights at regular intervals Access right of the owner is not reviewed.

An Audit of the systems not implemented by the owner hence no knowledge of the breach of access.

User access rights may be accessed by other individuals without prior knowledge. Authorization for privilege access rights. Review own access rights at individual and broader systems change.

12.3.1 Back-up copies of information, software, and system images should be taken and tested regularly in accordance with the agreed back-up policy. There exists an informal back-up strategy to store information.

Back up, tests have been implemented to ensure the restoration of the data whenever it is required.

However, monitoring of the back-ups is not implemented. Monitoring and recording of back-ups, the safety of back-up devices Design back up policy for file recovery.

12.4.2 Logging facilities and log information should be protected against tampering and unauthorized access Log in information is present for all the devices.

A unique identification policy is applied for the creation of a password for login into devices.

One specific password is adopted for use for almost all the technological devices owned. Presence of login facility and information, storage of information. Provide a secure and tamper free storage of log in information to devices, apps and any storage method.

18.1.4 Privacy and protection of identifiable information should be ensured as required by relevant legislation and Regulation where applicable Information are not protected by any policies. Access is easily granted through password.

Personally, identifiable protection technique has not been applied in the protection of information in the devices. Accessibility to personal information in the devices. Adopt privacy techniques to safeguard information.

13.1.1 Networks should be managed and controlled to protect the information in system and application The network not protected as the user has no control over its use.

Connects to public wi-fi provided hence cannot control or protect information that may be accessed through the system.

There is a high risk of information loss. Network connections used for devices. Implement your own network for use and avoid public Wi-fi.

13.2.1 Formal transfer policies, procedures, and controls should be in place to protect the transfer of information, through the use of all types of communication facilities. User is aware of risks that might occur in transfer policies.

Classification of information allows priorities in transfer policies.

Some communication facilities do not guarantee information protection.

Evaluation of the confidentiality integrity and safety controls for information transfer was conducted. Implement restrictions to interceptions, copying, or destruction of information.

13.2.3 Information involved in electronic messaging shod be appropriately protected Uses apps for communications and emails to send messages.

Encryption has been implemented for some information being sent hence cannot be accessed by the public. Check on devices and applications used for communication.

Determining the presence of encryption of information in the devices.

Adopt sharing information through encrypted systems in devices.

References

1991. Computers at risk. D.C .: National Academy Press

Bu.edu.2020. Implementing An Information Security Review: Techweb. Boston University. [Online] Available at https://www.bu.edu/tech/about/security-resources/bestpractice/infosec-review/

Falih, F., 2018. A Review Study Of Information System. International Journal of Computer Applications, 179(18), pp.15-19

Freire, F. and Padilla, V., 2019. A Contingency Plan Framework for Cyber-Attacks. Journal of Information Systems Engineering & Management, 4(2).

Henkoglu, T. and Ucak, N., 2016. Information Security And the Protection of Personal Data in Universities. International Journal of Business and Management Invention. 5(1)

Maurer, J., Clark, B. and B., Y., 2015. SOHO: Information Security Awareness in the Aspect of Contingency Planning. International Journal of Advanced Computer Science and Applications, 6(10).

Standards Australia 2015, AS ISO/IEC 27002:2015 Information technology – Security techniques – Code of practice for information security controls, Standards Australia International, Sydney.