Guidelines For Managing Information Security Risks For Academics For Academics (A4A)

Identification of Information Security Assets of A4A

Academics for Academics is a non-governmental organization (NGO) operating from its head office in Sydney with a branch in Singapore. All the projects of Academics for Academics (A4A) are funded by public donations. The team of A4A consists of 10 staff members. The organization was established with the aim of helping small public and private universities in Australia and South East Asia. Only the schools and colleges registered under A4A can access the data and information produced by A4A. The organization has no proper policy or guidelines for protecting its resources. This report identifies the different types of risks associated with the resources of A4A and suggests guidelines that will help in managing the information security risks associated with those resources. The report develops guidelines that will prevent the unauthorized use of the organization's information resources by insider or outsider threats. It aims at the development of an issue-specific security policy that will prevent the unauthorized use and circulation of the study materials and information technology resources of Academics for Academics (Höne and Eloff 2002). Issue-specific privacy guidelines are created with the aim of addressing a specific information security threat and providing the employees of the organization with the necessary information regarding the proper use of technology and resources inside or outside the boundaries of the organization. The detailed process of managing the information security risks associated with A4A is evaluated in the following paragraphs.

The major aim of this report is to discuss and develop proper guidelines for managing the different information security risks associated with the organization A4A. The report explains the need to identify and analyze the different resources of the company that are at risk. It outlines the need to identify the different risks associated with the information system of A4A. The report further identifies and analyzes the different risk mitigation approaches of the company and suggests some guidelines. These guidelines are necessary for developing the different security policies of the company.

The organization A4A is expanding and, therefore, it becomes essential to manage the information security risks associated with the organization. The report provides standard guidelines for this purpose that safeguard the security of the information assets of the organization. These guidelines provide a solution for managing the identified information security risks and will further help in managing the uncertainties associated with the organization. They form the basis for handling and mitigating threats in an effective way and are intended to provide a solution for each identified risk. The guidelines to be developed will provide long-term security options for A4A.

Identification and Assessment of Risks

It is essential to identify the information security assets of the company, since the risks associated with the organization can only be identified and analyzed once its information assets are known. The identified assets need proper protection from threats and uncertainties in order to prevent the loss of information. The identified information security assets of the company are as follows (Safa, Von Solms and Furnell 2016)-

  1. The members of the organization are major information assets of the company and include the appointed members, managers and the university personnel.
  2. The data produced by the members are other major information assets of the organization. These information assets include the assignments and the study help materials produced by the members of the organization. However, the emails, marked assignments and the exams are not the property of the organization. Along with this, the other confidential data of the organization includes the storage information of the assignments and the personal details of the members and the clients of the organization (Sommestad et al. 2014).
  3. The information system that records and stores all the assignments prepared by the organization is an important information asset of the organization as well.
  4. The members of the organization often work from outside the organization. Therefore, the networking components, which include the routers and firewalls, are another major information asset of the organization (Laudon and Laudon 2016).
  5. The hardware assets of the organization and the hard copies of the assignments produced within the organization are major information assets of the organization. Proper guidelines are to be developed in order to secure these components.
  6. The organization works with public donations. These include some confidential information as well. Protection of that information is necessary.

The identified information security assets of the company need to be protected in order to avoid a large information loss for the organization. Therefore, proper guidelines are to be enforced in order to ensure responsible use of the organization's property (Spiekermann 2012). The authorized and prohibited uses of the resources are stated in the guidelines. These guidelines will prevent an attacker from accessing the confidential resources of the organization.

The identified information assets of the organization further require a proper identification of the risks associated with them. The risks need to be identified and analyzed on the basis of their impact in order to develop a proper risk mitigation strategy (Stallings et al. 2012). Classifying the risks into different groups will help the organization mitigate the identified risks properly and prevent it from suffering information loss.

The risk identification process will include the identification of the major information security assets of the organization. The different assets of the organization include the members and the confidential data of these members that is stored in the information system of the organization (Laudon et al. 2012). This information can be targeted by an attacker and therefore needs proper protection.

The data produced by the members of the organization are another major information asset of the organization. It is vital to protect these data present in the system, as they are developed in order to provide help to the different colleges and universities across the country. Therefore, it is essential to undertake a proper risk assessment of these information assets in order to identify the risks associated with them (Belleflamme and Peitz 2014). The risk identification for the private and confidential data produced by the members of the organization is to be carried out with the highest priority.

It is the responsibility of the organization to eliminate the different risks associated with the information system. The risks associated with the software and the networks in use within the organization are to be identified and evaluated with the highest priority in order to eliminate them. After successful identification of the information assets, it is essential to classify and categorize them in order to properly identify the type of risk associated with each.

Value Assessment

The identification of the information assets within the organization is essential to understand the type of risk to which the company is exposed. After identification of the risk, it is essential to classify and categorize these information assets in order to understand the risks associated with these data. Depending on the need for data protection, the risk mitigation approach for the associated risks will then be identified. The information security assets of the organization are classified as follows (Ifinedo 2012)-

  1. The personal information of the members and the funding information of A4A are of a confidential data type and are restricted to the use of the organization only. Therefore, this information asset is at major risk and the risk should be mitigated.
  2. The data stored in the information system of the organization that consists of the recruitment records of members of the organization is another private and confidential data set of the organization and should be considered for internal use only. This information is restricted to the members of the organization (Eldardiry et al. 2013).
  3. The organization produces assignments for the colleges and universities across the country. The information produced is therefore for public use. However, it is restricted to the use of the colleges and universities registered under A4A.

After proper classification and categorization of the risks, it is essential to assess the value of the information assets so that proper risk mitigation processes can be suggested.

Value Assessment

The risk identification process for A4A includes the stage of value assessment of the identified information assets of the organization. The value assessment will help in understanding and determining the priority of the risk mitigation process. The impact on the information assets is categorized on the basis of the importance of the information assets to the organization. The impact is expressed on a scale of critical, high, medium and low (Peltier 2004). The critical ones need immediate attention, while the low ones do not.

The importance of an information asset of the organization refers to the relative objectives it serves within the organization. The assets that generate the most revenue or that are very confidential are the most necessary to protect. Guidelines are to be developed on the basis of the need or value of the information assets that require immediate protection or are in a critical state. After proper value assessment of the information assets of A4A, it is essential to prioritize the information assets on the basis of their importance in order to develop proper guidelines.

The information assets identified during the risk identification process need to be prioritized in order to identify the sequence of risk mitigation. This prioritization is mainly based on the impact each identified asset has on the organization and on the impact on the organization if that information asset is compromised by an attacker. The assets at a critical level, or the assets with the highest impact, will be given the highest priority in the mitigation process (Peppard and Ward 2016). The guidelines developed for the risk mitigation will include the secure use of these information assets, in order to eliminate the risks associated with the process.

Identification of the threats associated with the information assets of A4A is essential in order to mitigate them. There are a number of security risks associated with the organization. If a member is working from outside the organization, there are many additional security risks associated with the transmission and storage of information. These include malware attacks, data modification and unauthorized data access, which are active attacks on the information assets of an organization. Proper security guidelines need to be developed for the organization in order to protect the information technology assets of A4A. Apart from this, the threat from insiders includes the unauthorized use and circulation of the academy’s data and resources within the organization. The major threats associated with A4A are as follows (Von Solms and Van Niekerk 2013)-

  1. The internal threats due to human error
  2. The malware attacks on the information system of the organization
  3. The data theft and data modification
  4. Unauthorized use and access to the data
  5. Technical failures of the hardware and software
  6. Incorrect data usage

Identification of Threats and Vulnerabilities

The above list mentions the major information security threats associated with A4A. These threats need to be assessed and mitigated properly in order to protect the confidential information assets of the organization.

The threat assessment includes the identification of the probability of occurrence of these threats within the organization. The threats with the highest probability are expected to cause the largest loss to the information assets of the organization. Therefore, it is the responsibility of the organization to identify the threats with the highest probability of occurrence and the danger they pose to the assets (Shamala, Ahmad and Yusoff 2013). This can be done strategically by identifying the causes and the actions of the identified threats on the information assets.

Once this process is done, the prioritization of the threats will be easier for the organization. It is the responsibility of the organization to prioritize these threats. Furthermore, the vulnerabilities of the information assets need to be identified as well in order to assess the risk in a more strategic manner. Each threat is linked to the identified assets it affects so that it can be mitigated properly.

Once the risk identification process is complete, risk assessment is necessary in order to identify the extent of the effects of each risk. This is done by rating the likelihood and the consequences of each identified threat on the information assets. It also helps in determining the priority of the risks. The consequence levels of the threats used in the risk assessment process are (Viduto et al. 2012)-

  1. Insignificant
  2. Minor
  3. Moderate
  4. Major
  5. Catastrophic

The likelihood levels for the identified risks are-

  1. Almost certain
  2. Likely
  3. Possible
  4. Unlikely
  5. Rare

Risk and threat assessment for the different information assets of the organization will be easier to evaluate on the basis of these levels. A catastrophic threat with an almost certain likelihood should be addressed with the highest priority. The risk assessment process is therefore vital for developing the guidelines for managing the information security risks within the organization. The valuable and important assets of the organization are rated on the basis of the associated threats, their consequences and their likelihood. After successful risk assessment, it is essential for A4A to consider the risk management process. Proper risk management is essential for developing the guidelines.
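As an added example that is not part of the original report, the following Python encodes the consequence and likelihood levels listed above as a qualitative risk matrix and ranks a register built from the assets and threats the report identifies. The numeric scores, the High/Medium/Low thresholds and the register entries are constructed assumptions.

```python
"""Qualitative risk rating for the A4A register (added example).

Consequence and likelihood levels come from the report; the numeric scores,
the score-to-band thresholds and the register entries are assumptions.
"""
from dataclasses import dataclass
from typing import List

CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    consequence: str
    likelihood: str

    def __post_init__(self) -> None:
        # Reject levels outside the report's two scales so a typo cannot silently drop a risk.
        if self.consequence not in CONSEQUENCE:
            raise ValueError(f"unknown consequence level: {self.consequence!r}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood level: {self.likelihood!r}")

    def score(self) -> int:
        # Conventional likelihood x consequence product, range 1..25.
        return CONSEQUENCE[self.consequence] * LIKELIHOOD[self.likelihood]


def risk_level(score: int) -> str:
    # Maps the product onto the report's High/Medium/Low bands; thresholds are assumed.
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def prioritise(register: List[Risk]) -> List[Risk]:
    # Highest score first; ties are broken by asset name for a stable ordering.
    return sorted(register, key=lambda r: (-r.score(), r.asset))


# Constructed register using the assets and threats identified in the report.
A4A_REGISTER = [
    Risk("Member personal and funding data", "Unauthorized access", "Catastrophic", "Possible"),
    Risk("Information system (assignment store)", "Malware attack", "Major", "Likely"),
    Risk("Networking components (routers, firewalls)", "Data modification in transit", "Major", "Possible"),
    Risk("Hard copies of assignments", "Technical failure / loss", "Minor", "Unlikely"),
    Risk("Produced study materials", "Unauthorized circulation", "Moderate", "Almost certain"),
    Risk("Members", "Human error", "Moderate", "Likely"),
]

if __name__ == "__main__":
    for r in prioritise(A4A_REGISTER):
        print(f"{r.score():>2} {risk_level(r.score()):<6} {r.asset}: {r.threat}")
```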

The non-governmental organization A4A aims at developing proper guidelines for mitigating the risks associated with its information assets. The risk mitigation or management process includes classifying the risks on the basis of their impact on the information assets of the organization. The level of risk can be classified as high, medium or low.

Risk Mitigation

After proper classification of the risks according to the level of vulnerability to which the information assets are exposed, it is essential to implement a proper risk mitigation or risk management plan as well (Snedaker 2013). The plans adopted by A4A as a mitigation approach include a disaster recovery plan (for rapid data recovery in case of a data breach) and a business continuity plan (for normal business flow in case of a security attack) (Sahebjamnia, Torabi and Mansouri 2015). The disaster recovery plan will help in easy recovery of the important information and data of the organization.

Apart from this, it is suggested for A4A to have an incident response plan for taking immediate action during an information security attack (Silva et al. 2014).

Justification

It is justified to have guidelines for managing and protecting the information resources of the organization, as the data produced within the organization or by its members should remain solely the property of the organization. The guidelines are developed in order to protect the information assets of the organization (Fenz et al. 2014).

Academics for Academics is an NGO providing educational services to the colleges and universities of the country. The circulation or misuse of the information resources of A4A is strictly prohibited and, therefore, enforcement of proper guidelines ensuring the security of the information assets is important. The academy needs a strong security policy in order to remove the different threats and risks associated with its major information assets. The entire process includes identification of the major information assets of the organization and of the risks associated with them. This in turn helps in identifying the vulnerabilities to which the system is exposed and the level of security a particular information asset needs. These guidelines will further help the organization in taking crucial decisions associated with the information security of A4A (Safa, Von Solms and Furnell 2016). The risk assessment process is vital as it helps in analyzing the impact of each threat on the information assets of the organization (Ifinedo 2014). The risk management process furthermore identifies and recommends a backup and action plan in case the organization experiences a data or security breach.

The assumptions that are taken in consideration for the development of the guidelines for A4A are as follows-

  1. It is assumed that only the registered colleges and universities can access the information.
  2. It is assumed that the information systems are monitored by the information security department of the academy.
  3. It is assumed that the information system of the organization is properly secured with updated antivirus protection. It is further assumed that only the authorized members of the organization can access the resources of the information security system. A member of A4A can access the resources only after providing a valid user id and password. The user id is unique so that no duplication is possible.
  4. It is assumed that Academics for Academics abides by the compliance requirements and laws of the government and does not promote any illegal activities. Furthermore, it is assumed that the organization works as a registered NGO.
  5. It is assumed that the members of A4A will abide by the guidelines set by the organization. Furthermore, the members are expected to report any cases of violation of the set guidelines. This will help in the identification and management of information security risks in Academics for Academics.
  6. It is assumed that the guidelines are set keeping in mind all the information security risks to which the company is subjected.

Conclusion

Therefore, from the above discussion, it can be concluded that it is essential for Academics for Academics to have proper guidelines for ensuring the security of the information assets of the organization. This is essential because A4A is gradually expanding and it is becoming increasingly difficult for the organization to keep track of the data and security breaches occurring within the organization and of the vulnerabilities to which the information assets are exposed. The report gives an idea of the guidelines set for ensuring data protection in A4A by providing a detailed overview of the risks and threats associated with the information assets of the organization. The report concludes with the assumptions that have been taken into consideration for developing the guidelines for secure data exchange within the organization.

References

Belleflamme, P. and Peitz, M., 2014. Digital piracy (pp. 1-8). Springer New York.

Eldardiry, H., Bart, E., Liu, J., Hanley, J., Price, B. and Brdiczka, O., 2013, May. Multi-domain information fusion for insider threat detection. In Security and Privacy Workshops (SPW), 2013 IEEE (pp. 45-51). IEEE.

Fenz, S., Heurix, J., Neubauer, T. and Pechstein, F., 2014. Current challenges in information security risk management. Information Management & Computer Security, 22(5), pp.410-430.

Höne, K. and Eloff, J.H.P., 2002. Information security policy—what do international information security standards say?. Computers & Security, 21(5), pp.402-409.

Ifinedo, P., 2012. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), pp.83-95.

Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), pp.69-79.

Laudon, K.C. and Laudon, J.P., 2016. Management information system. Pearson Education India.

Laudon, K.C., Laudon, J.P., Brabston, M.E., Chaney, M., Hawkins, L. and Gaskin, S., 2012. Management Information Systems: Managing the Digital Firm, Seventh Canadian Edition. Pearson.

Peltier, T.R., 2004. Information security policies and procedures: a practitioner’s reference. CRC Press.

Peppard, J. and Ward, J., 2016. The strategic management of information systems: Building a digital strategy. John Wiley & Sons.

Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.

Sahebjamnia, N., Torabi, S.A. and Mansouri, S.A., 2015. Integrated business continuity and disaster recovery planning: Towards organizational resilience. European Journal of Operational Research, 242(1), pp.261-273.

Shamala, P., Ahmad, R. and Yusoff, M., 2013. A conceptual framework of info structure for information security risk assessment (ISRA). Journal of Information Security and Applications, 18(1), pp.45-52.

Silva, M.M., de Gusmão, A.P.H., Poleto, T., e Silva, L.C. and Costa, A.P.C.S., 2014. A multidimensional approach to information security risk management using FMEA and fuzzy theory. International Journal of Information Management, 34(6), pp.733-740.

Snedaker, S., 2013. Business continuity and disaster recovery planning for IT professionals. Newnes.

Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing information security policy compliance: a systematic review of quantitative studies. Information Management & Computer Security, 22(1), pp.42-75.

Spiekermann, S., 2012. The challenges of privacy by design. Communications of the ACM, 55(7), pp.38-40.

Stallings, W., Brown, L., Bauer, M.D. and Bhattacharjee, A.K., 2012. Computer security: principles and practice. Pearson Education.

Viduto, V., Maple, C., Huang, W. and López-Pérez, D., 2012. A novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem. Decision Support Systems, 53(3), pp.599-610.

Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp.97-102.