Executive Summary

The security assessment report is prepared following the octave methodology and the different criteria for the analysis of the risk is applied for the development of the risk mitigation plan. The octave methodology is applied because it is the best suited risk analysis method for AMC Pvt. Ltd. having more than 300 employees working in the organization. For the identification of the risk the following three phases are used.

Process 1: Determination of critical assets and how they are currently protected

The assets can be identified according to the information assets, software assets, physical assets and services.

The information assets can be of different form such as the customer information, accounts information, employee information, etc. The database server contains all the organizational information of AMC Pvt. Ltd. and its confidentiality and the integrity is maintained for maintaining the availability of data (21). The data files needs to be updated at a real time and detailed instruction must be provided for the performing different activities on the network. The old information in the database needs to be archived for saving space and maintain backup of the data.

The software assets are divided into two types such as application and system software. The application software is used for the implementation of the business rules and use of third party application software must be avoided because it can cause a flaw in the system and the intruder can get the access of the network by entering through an open port (4). The system software is such as DBMS, office productivity packages must be updated regularly with security patches.

The physical assets of AMC Pvt. Ltd. can be tangible or intangible and it consists of different computer equipment’s such as mainframe computers, servers, notebooks, desktops. There are different storage media and communication equipment’s such as modems, routers, fax machines, CDs, etc (16).

Process 2: Identification of security requirement for the critical assets

  There is a need to establish the accountability of the assets and the fixed assets of AMC Pvt. Ltd. should be maintained in a list for calculating the depreciation of the assets. The ownership of the assets must be established for increasing the accuracy of the calculation of the assets. The establishment of the ownership is a difficult job and if there is a change in the information the database must be updated (9). The business heads must be involved for addition of the ownership and should be given the power of decide the business value. It is essential to identify the business value of the asset for the development of the security requirement. The owner of the application software should also be identified for aligning the software according to the business rules of the AMC Pvt. Ltd. (7). The ownership of the system software should be identified for defending the organization from piracy.

Detailed Analysis of Security Requirement

Process 3: Identification of the organizational vulnerabilities within existing practices

There are different services such as outsourcing the maintenance and support team, communication services such as data and voice communication. There are other environmental services such as air conditioning, lightning and power supply. Assessment of the onsite component and completion within the scheduled time period.

Examination of different strategy for the application in the development process and handling the incidents and potential threats and increasing the safety of the workplace environment.

Management of the stakeholder’s identification of the requirement for the development of the network solution (3).

The strength and weakness of the network should be identified for the development of the network framework and align the needs with the proposed network design

For the assessment of the vulnerability interviews must be arranged with the stakeholders and their behavior and participation should be analyzed for identification of the behavior issues.

Process 4: Creation of a threat profile for the critical assets

For the development of the network solution it is important to identify the critical assets and their usage pattern for reducing the risk associated with the security of the network solution. The policy and the guidelines should be assessed and the respondents to any of the incidents should be identified for increasing the performance and addressing the threats acting on the network. Security training programs must be arranged for the faculty and the staffs such that the network and the other resources are used wisely and the responsibility should be understood by the users for management of a safe workplace environment (14). For the identification and the classification of the assets an organized structure is created and it helps in getting a better direction and administrative control over the network solution created for the AMC Pvt. Ltd.

Process 5: Identification of network access paths and IT components related to the critical assets

It is important to create a classification level following the confidentiality, value, right to access and the destruction level. The confidentiality is maintained for restricting a specific group of users to access the sensitive organizational information such as manufacturing secrets, plans, etc. It is maintained based on different factors such as confidential, only for company, shared or unclassified (13). Some of the information are kept in the database for the use of organizational purpose such as the customer database and manufacturing process. Some of the resources could be shared and the contact information should be shared with the agents and the employees for maintaining a proper communication management plan. The information should be secured because the information can be used by competitors for illegal use. The infrastructure of AMC Pvt. Ltd. is analyzed for the identification of the critical assets and identification of the vulnerability of the assets. There is different potential impact than can negatively impact the growth of the AMC Pvt. Ltd. The risk with higher score have higher impact and it should be prioritized for the creation of a risk mitigation plan. The threat scenario is used as a threat tree and there are different technical problems related with the access of the network resources. Different problem may arise that is required to be controlled by the organization and the unavailability of the critical infrastructure can mitigate the problem.    

Outline of Security Policy for a Specific Issue or System

Process 6: Evaluation of the IT components

It is important to implement a classification schema for the easy identification of the resources required for the development of the network solution. The business plan of the company should be analyzed and it should be protected from illegal access. The business plan should be discussed confidentially (8). The communication channel used for communicating with the stakeholders must be encrypted and strong passwords must be used for protecting the assets and monitored for increasing the security.

Process 7: Conducting the risk analysis

There are several risk associated with the development of the network security information system and the risk may arise from different sources and its impact should be analyzed for the preparation of the risk mitigation plan. The assessment of risk is important for the risk management process and security practices must be followed such as the compliance of the standards of the hardware devices installed for the development of the information system (10). There are other risk associated with the involvement of the third party users for the development of the information system. The risk is determined by identification of the impact and is categorized into high, medium and low.

Process 8: Development of protection strategy and mitigation plan

Risk Description	Priority levels	Relevant risk	Risk cause	Mitigation
Losing the confidentiality and integrity of the resources of the network that can affect the organizational growth negatively (2).   The attack from different points can cause access of the sensitive organizational information that can cause loss of the organizational information.	High	The risk is caused for the data and the physical environment.	Malicious and sabotage attacks	For the mitigation of the risk the web server needs to be configured and antivirus program must be installed for protecting the system from spyware and virus.   The malicious codes can be by hackers to launch DoS attack and fetch all the data (1). A strong username and password should be used for increasing the security and protect the data from illegal access.

The risk associated with the network and the information system are categorized according to its severity and categorized as critical, major, normal and minor.

Critical issues

• Bugs in the information system causing corruption and loss of the stored data
• Exposing the vulnerability of the security
• Test failure caused as there is no support for the testing environment (5)  
• Regression in the developer and user experience and
• Memory error that can make the application impossible to install and reduce the performance   

Major issues

• Interference of the normal accounts with the admin account for the management of the information residing in the database of the information system.
• Triggering an error generated in PHP via the interface and affecting a small percentage of users
• Rendering of a feature that is unusable for the workaround
• Loss of the user input but no deletion or corruption of the data (3).
• Causing failure of the test and non-supportability of the automated testing platform.    

Normal issues

• Improvement of the naming class
• Cleaning and attaching a new css
• Request for new features from the user end

Minor issues

• Type error in the code and comment
• Formatting of the codes and use of whitespace.

For the development of the business continuity plan the risk that can have a negative impact on the growth of the current business are determined. This step is followed by the determination of the important tasks which is required for the mitigation of the risk. The people and the tools required for the development of the network and information security should be identified. The business continuity plan should consists of all the details of the stakeholders and their contact information. The details of the office, backups and the disaster recovery plans should also be included for the development of the business continuity plan. The recovery strategies should be documented in the plan and it helps AMC Pvt. Ltd. to respond quickly against the disruption and restore the essential services. The main objectives of the business continuity plan is to identify the procedures and arrangements for maintaining a continuous improvement and respond against the critical business functions.

The business continuity plan is used for maintaining a constant growth in AMC Pvt. Ltd. and handle the emergency condition such that the all the potential threats are avoided. All the potential threats must be analyzed the business continuity plan consists of the following items.

• Analyzing the threats related to the organization.
• Listing the primary task that are required for maintain a flow of the organizational operation.
• Location of the contact information easily (12)
• Disaster recovery plan for handling the emergency conditions
• Backing up of data and information at remote location
• Collaboration of all the business components of the organization

Octave Methodology for Security Assessment

The business continuity plan is used for reducing the injury and protect AMC Pvt. Ltd. assets from damage for reducing the losses and damages of the business functions. A communication should be maintained between the stakeholders for coordinating with each other and executing for the recovery (6). A project schedule should be created for the management of the activity and each of the steps should be monitored for the reducing the error in the development of the information system and the network solution. For the involvement of the third party vendor all the information must be included such as the contact information, the ability to recover and the service provided for maintaining a transparency in the current business process (13). The communication is the key point of success, thus all the details of the stakeholders and the vendors must be maintained.

Temporary facilities should be provided to the employees such as providing support to the employees and alternative course of action should be identified for handling the crisis. If there is a change in the business operation the business continuity plan should be updated for reducing the errors (17). A management team should be created for the management of the current business operations and the team roles and responsibility should be divided for analysis of the business impact. A questionnaire should be developed for gathering the input from the users and understanding the necessity of the users for the development of the information security network (23). The progress of the project should be discussed with the stakeholders with the arrangement of weekly meetings and getting the approval of the stakeholders for finalizing the requirement of the project. The leading responsibility should be taken by the response team for handling the emergency condition and respond to the crisis. For the activation of the business continuity plan the following procedures must be followed:

Condition for warning –

With and without warning

If a warning is received a notification should be generated for implementation of risk mitigation plan and reduce the errors in the project.

If no warning is received the risk that may affect the system should be analyzed according to the severity and different defense mechanism such as configuration of the router with firewall policy should be applied (20). The monitoring of the network is important for the generation of the alert and secure the network and the information system from unauthorized access.

Identification of the potential disaster status

For the identification of the potential disaster status the following criteria should be evaluated.

• Does the solution meets the potential threat regarding the safety of the employees?
• Is there any requirement for including emergency service for the development of the project?
• Is there any actual loss of workforce and IT/ network?

Control and Direction

The success of the development of the network and information security system depends on the management and on the availability of the resources (24). The project manager should monitor the progress of the development of the network and arrange the resources required for the development. An estimation of the cost of the equipment required should be prepared for the calculation of the budget. A team should be developed for starting the development process and roles and responsibility must be assigned for reducing the risk. The control on the project team must be maintained such that the project is completed within the estimated time and budget. A communication plan should be prepared such that it prevents the loss of data and improve the performance of the development process (19). The continuity plan should consists of the communication plan such that it can be followed for communicating with the higher level employees working in AMC Pvt. Ltd.

Purpose

The main purpose of the development of the security policy is to protect the information of AMC Pvt. Ltd. and the technological assets. The security policy of the organization should consists of the company plan and its employees must be trained to protect the asset of the company. Organized methodology and risk assessment strategy should be implemented for the deployment of the security mechanism and improve the security of the network and information system.  

Policy

• The hardware, software and the information system assets must be under control and a well balance between the technical and the non-technical measures must be maintained
• Cost effective measures must be applied for ensuring countermeasures and mitigation of the risk related with the network assets (11)
• Network security policy must be implemented for reducing the misuse of the network resources.  

Risk assessment and audit

• For appropriate risk assessment a trust should be maintained and all the business process must be covered under the business policy.
• Internal audit should be created for analyzing the compliance policy

Physical and environmental security

• The main network components should be installed in the core part and security barriers must be applied for the controlling the access of the components
• The security areas must be under supervision and sensitive network equipment’s must be kept under lock and key such that it cannot be accesses physically (18).
• The entry to the core zone of the network must be restricted for all the users and a log should be maintained for the people entering into the zone.

Access control to the network

• Secure logon procedure must be followed for the minimizing the risk of illegal access securing the authentication of the users (22).
• Formal documentation should be used for the allocation of the access of the users and separate authentication mechanism should be followed for the remote users
• The terms and agreement should be available for all the users such that the users are familiar with the agreement.

Remote access

• It is used for allowing the access of the network from remote geographical location
• It is important to maintaining trust for evaluation of the risk and identification of the controls for mitigation of the risk.
• The authorization of the applications for the remote users should be understood for securing the project from illegal users (12).
• The remote users should meet the compliance standards and for accessing the resources of the organization.

Access of third party 

• It should be based on the contract that satisfies the security condition of the organization
• IT Service Desk should ensure the access of the third party access for the network (15)
• The trusted staffs and the employees must be provided the access of internet and it should be monitored

References

• Ab Rahman NH, Choo KK. A survey of information security incident handling in the cloud. Computers & Security. 2015 Mar 1;49:45-69.
• Wu Y, Feng G, Wang N, Liang H. Game of information security investment: Impact of attack types and network vulnerability. Expert Systems with Applications. 2015 Sep 1;42(15-16):6132-46.
• Pathan AS, editor. Security of self-organizing networks: MANET, WSN, WMN, VANET. CRC press; 2016 Apr 19.
• Peltier TR. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press; 2016 Apr 19.
• Ermakov SA, Zavorykin AS, Kolenbet NS, Ostapenko AG, Kalashnikov AO. Optimization of expert methods used to analyze information security risk in modern wireless networks. Life Science Journal. 2014;11(10):511.
• Safa NS, Sookhak M, Von Solms R, Furnell S, Ghani NA, Herawan T. Information security conscious care behaviour formation in organizations. Computers & Security. 2015 Sep 1;53:65-78.
• Siponen M, Mahmood MA, Pahnila S. Employees’ adherence to information security policies: An exploratory field study. Information & management. 2014 Mar 1;51(2):217-24.
• D’Arcy J, Herath T, Shoss MK. Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems. 2014 Oct 1;31(2):285-318.
• Ab Rahman NH, Choo KK. A survey of information security incident handling in the cloud. Computers & Security. 2015 Mar 1;49:45-69.
• Wallace M, Webber L. The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets. AMACOM Div American Mgmt Assn; 2017 Dec 28.
• Caruana A. A business continuity plan maturity index: a comparative study of Maltese licensed financial services firms(Bachelor’s thesis, University of Malta).
• McMurray AJ, Cross J, Caponecchia C. The Risk Management Profession in Australia: Business Continuity Plan Practices. InAlways-On Enterprise Information Systems for Modern Organizations 2018 (pp. 112-129). IGI Global.
• Ward J. Keeping the family business healthy: How to plan for continuing growth, profitability, and family leadership. Springer; 2016 Apr 30.
• Cannon DL. Business Continuity and Disaster Recovery. CISA®: Certified Information Systems Auditor Study Guide. 2016:517-70.
• Graham J, Kaye D. A Risk Management Approach to Business Continuity: Aligning Business Continuity and Corporate Governance. Rothstein Publishing; 2015 Feb 20.
• Järveläinen J. Integrated Business Continuity Planning and Information Security Policy Development Approach.
• Clark R. Validating Your Business Continuity Plan. IT Governance Ltd; 2015 Nov 17.
• Spremic M, Turulja L, Bajgoric N. Two Approaches in Assessing Business Continuity Management Attitudes in the Organizational Context. Always-On Enterprise Information Systems for Modern Organizations. 2017 Dec 1:159.
• Koen R, Von Solms R, Gerber M. ICT Readiness for Business Continuity in local government. InIST-Africa Week Conference, 2016 2016 May 11 (pp. 1-11). IEEE.
• Dahlberg R, Guay F. Creating resilient SMEs: is business continuity management the answer?. WIT Transactions on The Built Environment. 2015 Oct 6;168:975-84.
• Kato M, Charoenrat T. Business Continuity Management of Small and Medium Sized Enterprises: Evidence from Thailand. International Journal of Disaster Risk Reduction. 2017 Oct 10.
• Yoshida T, Murakami M, Miyamura M, Kubo T. Consideration to the Positioning and the Role of Building in Business Continuity Plan. InProceedings of the 18th International Symposium on Advancement of Construction Management and Real Estate 2014 (pp. 359-370). Springer, Berlin, Heidelberg.
• Torabi SA, Soufi HR, Sahebjamnia N. A new framework for business impact analysis in business continuity management (with a case study). Safety Science. 2014 Oct 1;68:309-23.
• Subhani NA, Iqbal MZ, Khan MM. Business Continuity and Crisis Management. InPAPG/SPE Pakistan Section Annual Technical Conference and Exhibition 2016 Nov 21. Society of Petroleum Engineers.