Security Management and Internal Control
Internal control, in auditing and accounting, is the process by which an organization obtains reasonable assurance that its objectives are met: effective and efficient operations, reliable reporting, and compliance with applicable laws, regulations and internal policies.
The five components of the COSO internal control model are as follows:
- i) Control Environment
- ii) Risk Assessment
- iii) Control Activities
- iv) Information and Communication
- v) Monitoring Activities
Three of these components bear directly on security management: information and communication, risk assessment and control activities. In information and communication, security management protects the information that is identified, captured and communicated, so that it reaches the right people, intact, within the required timeframe. In risk assessment, security management identifies and analyses risks, distinguishing inherent risk (before controls) from residual risk (what remains after controls), and selects responses to them. In control activities, policies and procedures are implemented to ensure that the chosen risk responses are actually carried out; security management is what keeps those policies and procedures effective over time.
Two examples of ineffective security management damaging internal control are inadequate record keeping (so that activity cannot be reconstructed or audited) and lack of control over the authorization of transactions (so that unauthorized transactions are neither prevented nor detected).
Security management is a subset of internal control: internal control exists to achieve the organization's objectives and its compliance with rules and regulations while maintaining operational effectiveness, and security management is the part of it that ensures the confidentiality, integrity and availability of information is maintained.
- The main objective of an information security risk assessment is to identify the risks to the organization's information and IT assets and to rank them, so that treatment effort goes where it matters. A prerequisite is an accurate inventory of all data and IT assets, with the value or importance of each asset recorded, because the impact side of every risk depends on the value of the asset affected.
The five steps in the risk assessment process are as follows:
- i) Identify the hazards, i.e. anything that could cause harm.
- ii) Decide who or what could be harmed, and how.
- iii) Evaluate the risks and decide on precautions, then act on them.
- iv) Record the findings.
- v) Review the assessment and update it when circumstances change.
Two examples of risk assessment contributing to the transparency of security management are as follows:
- i) Delivering products: the safety of drivers delivering goods is the first priority. Applying the steps, the hazard is identified (drivers working alone and being delayed in congested traffic), the parties harmed are determined (the driver, and the customer whose delivery is late), an action is decided (contacting the driver and rescheduling or rerouting the delivery) and the findings are recorded, so that repeated delays become visible and can be addressed.
- ii) Financial risks: the handling of financial risks should be transparent because their consequences can be severe. Here the risk assessment identifies, for example, the theft of financial data through a compromised system, rates its likelihood and impact, and records the mitigation chosen, so that management and auditors can see both the risk and the response.
Risk assessment makes information security management transparent to stakeholders because it records, in one place, which risks exist in the organization, how serious they are, and what controls have been chosen for them.
- Trust is reliance on a specific individual, organization or system to behave as expected in a particular situation.
In security management, every trust relationship embodies assumptions, and these assumptions tend to remain implicit and unexamined when systems are changed, which is exactly when they are most likely to stop being true. The major activities of security management, identification of organizational assets, documentation, and policy implementation, make those assumptions explicit and feed into risk assessment and threat assessment.
Examples of lost trust in security management are as follows:
- i) Decision makers acquire resources to meet business goals and then find it extremely difficult to mitigate the vulnerabilities those resources introduce, because the resources were selected without assessing their security. The remedy is to apply security measures to these assets before relying on them, and to include security in the selection criteria.
- ii) Old hardware running unprotected or unpatched software is exposed to current threats and vulnerabilities, for instance because antivirus or anti-malware software was never installed or no longer receives updates. The security measure is to protect such hardware with maintained antivirus or anti-malware software, or to retire it if it can no longer be protected.
Trust in information security management is usually expressed as a symbolic representation (a level, a role, a credential) that systems can process for automated decision making. Its main implementation in information security is in access control policies, where a decision to grant access is a decision to trust the requester to the extent of the permissions granted.
- Two areas of legislation affecting information security management are as follows:
- i) Computer misuse, i.e. the hacking of systems, is a major area of legislation for information security management. Unauthorized access to a confidential system is a criminal offence in most jurisdictions and can be extremely damaging to the organization attacked.
- ii) Compliance laws are the second area of legislation that affects information security management. These laws set requirements for how an organization handles information and, through them, help to maintain the integrity and authenticity of the organization's records.
For the hacking of systems, most nations have strict laws that help to deter such activities. The clearest example is the penalties they carry: heavy fines and, for serious offences under some statutes, prison sentences that can reach twenty years.
For violations of compliance laws, various legal actions are taken against the organization. One example is infringement, or repeated violation, of intellectual property rights.
The security manager should know every aspect of the law that applies to the organization, since the security manager is responsible for the technical and functional expertise behind compliance, and any malfunction or misuse of the systems should be reported directly to the security manager.
- The main purpose of business continuity is to enable the organization to respond to any type of disruption to its critical business processes and keep them running.
There is a difference between business continuity and disaster recovery. Business continuity is the plan that keeps the business's essential functions going during and after a disaster. Disaster recovery (DR), on the other hand, is the IT-focused procedure for restoring systems and data after a disaster; DR plans depend on regular backups of the data they will have to restore.
The four steps in the business continuity life cycle are as follows:
- i) Risk assessment.
- ii) Business impact analysis (BIA).
- iii) Implementation of the plan.
- iv) Testing and maintenance of the plan.
These steps can be audited in accordance with internal auditing standards. There are a few procedures for auditing a business continuity plan, and each phase above should be covered by the audit. The procedures include document review and analysis, interviews, and walkthroughs or site surveys.
Standards built around resilience, recovery and contingency make it much easier to assess business continuity, because they state what a continuous business must be able to do and so give the assessor something concrete to measure against.
- The role of a security policy is to set the rules for physical and location security, to provide the security policy document itself that staff and systems are held to, and to define how the organization reacts to a specific security exposure.
Two examples of controls that security policies commonly mandate are application control and data encryption. Application control is the policy that blocks the execution of unapproved applications or denies them Internet access. Data encryption, on the other hand, requires that files written to removable storage devices be encrypted.
The five steps in the risk assessment process are as follows:
- i) Identify the hazards, i.e. anything that could cause harm.
- ii) Decide who or what could be harmed, and how.
- iii) Evaluate the risks and decide on precautions, then act on them.
- iv) Record the findings.
- v) Review the assessment and update it when circumstances change.
An example of risk assessment determining the content of a security policy is that the assets and activities found to be exposed to threats must be known before a policy can be written for them, so that the policy addresses the actual risks.
Risk assessment is used to determine the content of the security policy because each policy statement should respond to an assessed risk. If the vulnerable assets and activities are not known, there is nothing to assess and no basis on which to write the policy.
- Compliance, for information security, refers to meeting the standards or regulations that apply to the protection of information in a particular organization. Security refers to the measures actually undertaken to protect confidential information, whether or not a standard requires them.
An example of the convergence of security and compliance is the Payment Card Industry Data Security Standard (PCI DSS), whose requirements are concrete security controls. An example of divergence is cryptocurrency: it is used in contexts where no compliance regime prescribes controls, so an organization may be fully "compliant" while its security is weak, or may implement strong security without any standard to point to.
The audit process is as follows:
- i) Requesting documents.
- ii) Preparing an audit plan.
- iii) Scheduling meetings.
- iv) Conducting fieldwork.
- v) Drafting a report.
- vi) Holding a closing meeting.
An audit of this kind provides assurance of compliance with a standard such as PCI DSS, but not of security itself: it checks conformance to the policy or standard, and conformance does not guarantee that the controls are effective against actual threats. For cryptocurrency the gap is wider still, because there is no equivalent standard to audit against.
- Trust is reliance on a specific individual or organization to behave as expected in a particular situation. The three types of trust in the management of information security are third-party trust, direct (or personal) trust and discretionary trust. Third-party trust contributes to managing information security by establishing trust between the sender and receiver of information: they trust each other because both trust a common third party that vouches for them, for example a certification authority. Direct trust is personal trust between the sender and receiver without any third party; it avoids dependence on an intermediary, but it scales poorly and is only as good as the way the parties verified each other. Discretionary trust is not fixed in advance; it is granted case by case according to criteria that the trusting party establishes, and it can be withdrawn when those criteria are no longer met.
The role of the security manager is to look after the overall quality of the security management process. The security manager is responsible for coordinating security with changes to the organization's information technology. The security manager depends on these types of trust while carrying out the two risk management processes, risk assessment and risk treatment. An example is the management of TLS (SSL) certificates, where the organization relies on third-party trust in a certification authority and on its own direct trust in the private keys it holds; the security manager decides which authorities to trust, how keys are protected, and when certificates are renewed or revoked.
- Business continuity can be defined as the ability of a company to maintain its necessary functions during and after a disaster.
The steps in a business continuity process are as follows:
- i) Risk assessment.
- ii) Business impact analysis (BIA).
- iii) Implementation of the plan.
- iv) Testing and maintenance of the plan.
Where an organization has several departments, the business continuity process is implemented for each of them by setting out that department's roles, documents and tasks in the plan. A BCP should be implemented because it provides uninterrupted operational support and customer service. It also minimizes the loss of revenue during a disruption and cultivates client confidence.
Business continuity is a task without an end. The business continuity plan has to be updated regularly so that the business can carry on without delay even when a serious disaster occurs.
- The role of legal compliance in information security is to ensure that the organization protects its information in accordance with every law and regulation that applies to it. The role of standards in information security is to provide a common language and set of expectations, so that security requirements can be communicated between organizations, auditors and regulators; information security management is how an organization meets them.
Three examples of laws and standards concerning compliance are the General Data Protection Regulation (GDPR), the Federal Information Security Management Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS).
- i) GDPR: it protects personal data and the privacy of the individuals it relates to.
- ii) FISMA: it is the United States federal law requiring federal agencies to develop, document and implement an information security program.
- iii) PCI DSS: it is the information security standard for organizations that handle payment card data.
The above-mentioned laws and standards help the organization to achieve legal compliance by requiring it to develop, document and implement a program for protecting information.
Three purposes of a security policy are to preserve the confidentiality, integrity and availability (CIA) of the organization's systems and information. An example of confidentiality is keeping confidential information such as bank account details private. An example of integrity is that confidential data, such as the details on a payment card, cannot be changed without the owner's authorization. An example of availability is keeping information accessible, for instance through backups of data.
A security management framework is the set of policies and processes through which security is governed. The security policy fits into the framework by identifying risks, aligning the policy with legal requirements, and providing training on the policy. Risk assessment, risk treatment, audits and business continuity all connect the security policy to security management.
Information security policies encourage ownership of security. They apply to every department and agency of the organization, and security is maintained through them.
- Humans are the weakest link in the defence of information security, because most losses of information involve a person somewhere in the chain. There are two interpretations: unintentional harm, such as losing information through carelessness or being tricked into giving it away, and intentional harm, such as deliberate leaking of information or deliberate damage to hardware by an insider.
A security audit is required to evaluate an organization's information systems and so maintain the integrity of its information.
The steps of the security audit process are as follows:
- i) Planning the audit.
- ii) Holding the audit kick-off meeting.
- iii) Gathering data and testing IT controls.
- iv) Remediating identified deficiencies.
- v) Testing the remediated controls.
- vi) Analysing and reporting the findings.
The role of audit in identifying the weakest links includes assessing the available resources and assets, assessing risk, gathering evidence on how controls actually operate, and finally testing the remediated controls. These steps reveal where people and processes fail in practice, which is where the weak links in the defence of information security usually lie.
- The steps of risk assessment are:
- i) Identify the hazards, i.e. anything that could cause harm.
- ii) Decide who or what could be harmed, and how.
- iii) Evaluate the risks and decide on precautions, then act on them.
- iv) Record the findings.
- v) Review the assessment and update it when circumstances change.
The steps of the risk management process, of which risk treatment is the final step, are:
- i) Establishing the context: the scope, criteria and stakeholders are defined first.
- ii) Identifying the risks: the probable risks are listed.
- iii) Analysing the identified risks: their likelihood and impact are estimated.
- iv) Evaluating the identified risks: they are compared against the risk criteria and ranked.
- v) Treating the risks: a response is chosen for each, by avoiding, reducing, sharing or accepting it.
Risk ownership is handled by assigning each risk to a suitable person or agency, since an un-owned risk is an unmanaged risk. Examples of the decisions a risk owner makes are risk avoidance (stopping the activity that creates the risk) and risk buffering (holding reserves or spare capacity so that the risk can be absorbed).
Risk management institutionalizes risk ownership: rather than leaving risks untreated, it makes someone accountable for each one, and this is what protects information from being lost by accident.
- Business continuity can be defined as the ability of a company to maintain its necessary functions during and after a disaster.
The steps in a business continuity process are as follows:
- i) Risk assessment.
- ii) Business impact analysis (BIA).
- iii) Implementation of the plan.
- iv) Testing and maintenance of the plan.
Two examples of the BCP being deployed to support online e-commerce services are identifying the target audience together with the crises that could cut it off from the service, and setting out in advance the plan to follow when such a disaster occurs.
Identifying the target audience affects users' trust because the business then knows its position in the market and what it must keep running to hold that position through a disruption. For the disaster itself, backups of data (orders, accounts, catalogue) must be maintained and restorable, so that service resumes and the users' trust is kept.
- Two pieces of information security legislation are the Data Protection Act 1998 (since superseded in the United Kingdom by the Data Protection Act 2018, which implements the GDPR) and the Freedom of Information Act 2000.
The effects of the Data Protection Act 1998 on an ISO 27001 security management framework include processing personal data fairly and lawfully, obtaining personal data only for specified and lawful purposes, and processing it in accordance with the rights of the data subjects. The effects of the Freedom of Information Act 2000 on an ISO 27001 framework include providing a right of access to information held by public authorities, while ensuring that the information is released only through authorized channels to those entitled to receive it.
The challenges in achieving compliance with information security legislation are the same as the challenges of security itself: a loss of confidentiality or integrity, or a failure of availability, is at once a security failure and a breach of the legal duty to protect the information.
The steps of risk assessment are:
- i) Identify the hazards, i.e. anything that could cause harm.
- ii) Decide who or what could be harmed, and how.
- iii) Evaluate the risks and decide on precautions, then act on them.
- iv) Record the findings.
- v) Review the assessment and update it when circumstances change.
The risk assessment is the input for the two processes of security management that follow it, the definition and the implementation of security practices. The steps of the security management process are as follows:
- i) Identifying and valuing the information technology assets and resources.
- ii) Analysing the risks to them.
- iii) Defining the security practices that address those risks.
- iv) Implementing the security practices.
- v) Monitoring for violations and taking action on them.
- vi) Re-evaluating the IT assets and the risks, and starting the cycle again.
Risk assessment is at the core of information security management because it determines what protection each asset needs. If risks are not assessed, controls are chosen blindly, and it is only a matter of time before the information loses confidentiality or integrity.
- The steps in a business continuity process are as follows:
- i) Risk assessment.
- ii) Business impact analysis (BIA).
- iii) Implementation of the plan.
- iv) Testing and maintenance of the plan.
The two functions of the business continuity process are as follows:
- i) Maintaining continuity of services and operations.
- ii) Building customer confidence.
The three types of evaluation are planning, formative and summative. Planning evaluation is done before the process is executed, formative evaluation while the process is being developed, and summative evaluation after the process has been executed.
The Recovery Time Objective (RTO) is the target time within which a business process must be restored after a disaster to avoid unacceptable consequences. The Maximum Acceptable Outage (MAO) is the longest time a system can be unavailable before the organization's objectives are lost. The RTO for a process must therefore be set at or below its MAO.
Assigning responsibilities is the most significant step in business continuity planning because it defines who does what in each process, and once responsibilities are segregated and known, executing the plan under pressure is far easier.
- Effective security management is a subset of internal control: internal control exists to achieve the organization's objectives and its compliance with rules and regulations while maintaining operational effectiveness, and security management is the part of it that ensures security is properly maintained.
The steps in the audit process are as follows:
- i) Requesting documents.
- ii) Preparing an audit plan.
- iii) Scheduling meetings.
- iv) Conducting fieldwork.
- v) Drafting a report.
- vi) Holding a closing meeting.
Audit plays the most significant role in measuring the effectiveness of security management because it provides independent assurance of the organization's risk management, internal control processes and governance.
Two processes of security management that contribute to its effectiveness are the Information Security Management System (ISMS) and risk management. Audit measures the effectiveness of both, and the independence of that measurement is what makes it credible to management and stakeholders.
- The main difference between a law and a regulation is that a law is a statute passed by a legislature that sets the rules governing behaviour, whereas a regulation is a rule issued by a government body under the authority of a law, together with the procedure for monitoring and enforcing it. An example of a law is the Freedom of Information Act 2000; an example of a regulation is a rule issued by a federal agency under a federal act.
The key points of information security legislation are confidentiality, integrity and availability (CIA). They affect how the organization interacts with third parties. Legislation is the set of legal obligations, and the remedies behind them, that maintain and encourage trust between the business and the third parties it deals with.
Laws and regulations maintain trust in the organization's management of information security because users have the assurance that if any violation of the rules occurs, legal action will follow.
- An information security policy is the collection of rules enacted by an organization to ensure that all users and networks operate according to the requirements set down beforehand. The policy should spell out the constraints on the behaviour of members of the organization and how breaches of those constraints are to be addressed.
An information security management system (ISMS) is the collection of policies and procedures for systematically controlling all of the organization's confidential data. The objective of the ISMS is to reduce risk and so ensure business continuity by proactively limiting the overall impact of security breaches. The components of an ISMS include scope and boundaries, information classification, a risk management methodology, risk treatment, the statement of applicability, physical security, incident handling and the various controls. The ISMS is the core of the international information security management standard (ISO/IEC 27001) because it addresses both the behaviour of people and the processes around data and technology. This is especially important for data such as customer data, and it allows security to be implemented comprehensively rather than piecemeal.
Two distinct roles in the functioning of the ISMS are managing the risk assessment, and developing standards and policies and testing the security processes against them. Compliance with the security policies ensures that the organization's information is maintained correctly, without problems of data integrity.
- a) Information security can be defined as the state of information being protected against unauthorized access, use, disclosure, modification or destruction. The concept covers electronic data and information above all, but also information in other forms.
- b) Information security management is the practice of securing the data and information of an organization or institution, through people and processes as well as technology.
- c) An information security management system is the set of policies and procedures that maintains the security of the data and information of an organization or institution.
- d) Information security controls are the safeguards an organization adopts to protect its data and information and to minimize security risks to physical property and computer systems.
ISO/IEC 27000 provides the overview and the vocabulary for the family of information security management standards.
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS.
ISO/IEC 27002 is a code of practice for the information security controls that an ISMS can apply.
- a) Information security risk management is the most important subset of enterprise risk management for information security; it includes assessing information security risks and establishing priorities for managing them and implementing the appropriate controls.
- b) The steps of the ISO/IEC information security risk management standard, ISO/IEC 27005, are as follows:
- i) Identification of the risks.
- ii) Analysis of the risks.
- iii) Evaluation and ranking of the risks.
- iv) Treatment of the risks.
- v) Monitoring and review of the risks.
The advantage of the quantitative approach is that it produces numerical estimates of likelihood and loss, which can be compared, totalled and checked for consistency. Its disadvantage is that it depends on reliable figures for asset values and event frequencies, which are often unavailable, so its apparent precision can be misleading. The qualitative approach, which rates risks on scales such as high, medium and low, is quicker and needs less data, but its results are subjective and cannot be added up.
- c) An example of a risk that is not an information security risk is a purely financial or market risk, such as a fall in demand for the organization's products. It affects the business without involving the confidentiality, integrity or availability of information. Loss of data availability, by contrast, is an information security risk, since availability is one of the three properties information security protects.
- a) An audit is a systematic, independent inspection of the accuracy of data, processes or systems in an organization. Two reasons for using audit in the general sense are to verify that what is recorded actually happened on site, and to confirm that assets are being used for their intended purpose and are properly accounted for.
- b) An audit from the information security perspective examines whether the controls protecting information are in place and operating as intended, and whether the information itself is accurate and complete. Internal audits are conducted by the organization's own staff; external audits are conducted by an independent party, for instance to give customers, regulators and stakeholders assurance.
- c) Penetration testing is the authorized testing of a system or network to find vulnerabilities that an attacker could exploit. Two reasons for using penetration testing are to determine whether a specific set of attacks would succeed and to identify high-risk vulnerabilities before an attacker does.
Two types of penetration testing are black-box testing, where the tester starts with no inside knowledge of the target, and white-box testing, where the tester is given full knowledge such as source code, architecture and credentials. Both are important: the first reproduces an outsider's view, the second finds flaws that an outsider would take much longer to reach.
- a) i) Staff vetting is the practice of checking a candidate's background and references before granting them a position of trust. The vetting process includes looking for prior convictions, checking credit references, verifying professional licences and certifications, and tracking employment history.
- ii) The steps included in the staff vetting process are as follows:
Conducting a background check: checking the candidate's previous record finds problems before resources and money are invested in the employee.
Privacy issues: the private information gathered during vetting must be handled lawfully and kept confidential, so the process itself has to respect the candidate's privacy.
Employee references: references from previous employers help in understanding the nature and conduct of the candidate.
- b) i) Security culture in an organization is the shared attitude of the workforce towards security, which determines whether the company's data and information are actually protected in daily work.
- ii) A positive security culture helps because it motivates employees to protect data and information rather than treating security as an obstacle. The second reason is that it keeps employees' attitude towards security positive, so that they report problems instead of hiding them.
- iii) A beneficial security culture helps by embedding security practices in the organization's everyday practice. The second way is that security analysis becomes part of the organizational culture, which maintains the security of data and information.
- c) i) An acceptable use policy (AUP) is a document that sets out the rules to be followed by the users or customers of a set of computing resources, which could be a computer network, a website or a large computer system.
- ii) Typical sections of an AUP are general use and ownership, security and proprietary information, and unacceptable use.
- a) For Talk-Talk one of the most important weaknesses was not patching the bugs and vulnerabilities in the databases behind its website. The databases were accessed by the site's users, and that access could not simply be switched off because it was a routine part of the service. Other weaknesses included a lack of monitoring, even though its databases had previously been attacked in the same way. Even after those attacks the organization did not change or improve the vulnerable web pages through security testing, for example by checking how the input controls on the web forms and the query-based URLs reacted to a quote character (') in the input.
- b) i) The organization should have tested its website against known attack techniques and patched the database. In addition, the use of an outdated database lacking the latest security patches helped the attackers succeed.
- ii) Talk-Talk could have used parameterized queries or stored procedures, rather than SQL assembled from user input, to fetch and retrieve data, which would have prevented this kind of attack. In addition, it is important to ensure that the web application does not connect to the database with administrative privileges at the server end, so that a successful injection cannot read or alter more than the application itself needs.
- c) No. The attackers succeeded because of the IT department's lack of monitoring, even after the organization had previously been attacked using the same technique. The organization should have used a new database system or patched the existing one with the latest released patches so that the bugs could not be exploited. Having neglected the security of the application and the server, they were not merely unlucky to be attacked by SQL injection.
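The weakness and the fix described above, shown in runnable form as an added example (not Talk-Talk's code, and not based on any detail of their systems): a constructed SQLite customer table, a lookup that concatenates user input into SQL, the same lookup with a bound parameter, the quote-character probe mentioned in the text, and a simple pattern match of the kind a monitoring rule could apply to incoming form or URL values. The table name, the sample rows and the `looks_like_injection` pattern are all assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for the customer table behind a web form.
# The schema and rows are invented for this example.
SAMPLE_ROWS = [
    ("alice@example.com", "ACC-1001"),
    ("bob@example.com", "ACC-1002"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account_no) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The injectable pattern: the user's value is spliced into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT email, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: the value is bound as a parameter. The driver never re-parses it
    as SQL, so the input cannot change the structure of the query."""
    sql = "SELECT email, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def quote_probe(conn, lookup):
    """The single-quote test from the text. A lone quote breaks the syntax of a
    concatenated query, so a syntax error shows the input reached the SQL parser
    unescaped. Returns True when the lookup is injectable."""
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


# Assumed detection pattern for a monitoring rule: a quote followed by OR/AND
# and another operand, SQL comment or statement separators, or UNION SELECT.
# It is a monitoring aid only, not a substitute for parameterized queries.
SQLI_PATTERN = re.compile(
    r"""(['"]\s*(or|and)\s*['"]?\w|--|;|/\*|\bunion\b\s+\bselect\b)""",
    re.IGNORECASE,
)


def looks_like_injection(value):
    """Return True if a form or URL parameter value matches the pattern above."""
    return bool(SQLI_PATTERN.search(value))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concatenated :", lookup_vulnerable(db, payload))     # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # no rows
    print("quote probe  :", quote_probe(db, lookup_vulnerable),
          quote_probe(db, lookup_parameterized))
    print("flagged      :", looks_like_injection(payload),
          looks_like_injection("alice@example.com"))
```

Run stand-alone, the concatenated lookup returns both customers for the `' OR '1'='1` payload while the parameterized lookup returns none; the quote probe reports only the concatenated version as injectable. The pattern match is deliberately narrow so that ordinary values containing an apostrophe are not flagged; it belongs in the monitoring the text says was missing, not in place of the fix.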