Information Security Governance
This assignment was done incorrectly and caused me to receive a grade that is less than 50%. The professor's comments are the following: “The purpose of the assignment was to use the “tool”, i.e. checklist, and assess (i.e. score) an organization you know as well as provide an opinion of the tool”. The professor is allowing me to resubmit this assignment with a time limit of 28 to 48 hours from today. So I am requesting that this assignment be corrected. I have the Word document version of the tool that has the checklist and assessment that must be filled out. As my professor stated, use the tool to assess/evaluate the organization that is selected. Please input the information in the Word document tool. Also, provide your reaction to the usage of the tool as a whole and how it fares in assessing/evaluating an organization.
Information Security Governance
Assessment
Higher-education institutions, for instance universities, use information security assessment tools to improve performance by ensuring information security and cybersecurity. According to Soomro, Shah, and Ahmed (2016), information security governance requires active stakeholders, including a professional IT manager, as well as risk management, the involvement of information technology, and a well-planned process. This paper presents an assessment intended to help organizational leaders identify areas of the institution that need improvement, for instance IT involvement, people, and the cybersecurity process.
The institution, like any other, depends heavily on information technology systems for academic research projects as well as free supportive services. The Internet is used in various processes, for instance student enrolment and the storage of intellectual property, although the institution sometimes experiences network outages. The institution's stakeholders, mostly the students, conduct their research work everywhere from classes to hostels, which poses a considerable risk of cyber-attacks.
The institution has tried to manage cybersecurity risks by creating an information security program that is documented and stored. The program includes results from previous assessments showing areas of the organization that need improvement. Students researching from anywhere is one of the threats and institutional vulnerabilities identified in the program (Peltier, 2016). The institution has included a security strategy, which helps in planning, especially once the cost of assets that are required or need improvement has been determined. The budget is planned according to the institution's ability, which has avoided disruption of other projects and operations. The institution conducts an annual review of the strategy and makes changes where required. The institution has no identified process for monitoring public or international legislation to determine its application in the institution.
Every organization has stakeholders; in this context, they include students, governing boards, funding agencies, and staff. The university now has a chief information officer who is in charge of information security governance (ISG). The ISG maintains a security program and conducts risk management. The staff have inadequate knowledge of information security, which is dangerous, but the ISG has all the necessary information about information security.
The institution does not meet all the requirements for the information security program. In case of a disaster, responsibility is shared by the ISG, although the institution does not have any ongoing training program, primarily for the staff, which has affected information security. The information security function works independently and does not involve other human resources, for instance students and teams, which is a significant risk (Barton et al., 2016). The leaders report frequently on information security policies, although senior management has not put specific programs in place, for instance training for stakeholders, which is the most important measure in curbing cyber insecurity.
The security architecture in the institution addresses all potential risks and vulnerabilities in the institution. In case of a predicted attack, the architecture reports it and gives out the necessary control requirements. The architecture carries out risk assessments to determine vulnerability, monitors operations (for instance, consistently changing security passwords), and ensures high security standards and policy development (Bromiley et al., 2015). However, the policies are not systematically developed and are therefore not available, especially to students. There is no conventional or strategic way of communicating policies, mainly because other human resources are not involved in the information security programs. After plans are made and updated, a strategy is created that determines the finances and resources required, with risk factors included. Security issues are taken seriously, though not to the degree needed for maximum management.
Inadequate training of staff and students on information security and data protection has been an issue, and the institution has experienced a breach of information (Soomro, Shah, and Ahmed, 2016). Not all computers have antivirus software, especially students’ computers, which makes the network vulnerable to attacks. Students sharing passwords and information with other institutions is commonplace in the institution, affecting privacy as well as creating vulnerability.
The Internet is highly accessible, although the institution experiences network outages. There are no controls between layers of end-tier systems, and the systems have no automatic passwords or password complexity (Raffo, Clark, and Arik, 2016). Sensitive data is encrypted, especially information concerning students and the administration. An authentication system is in place for resource protection, along with measures to protect the servers that manage the network, for instance the DNS server.
The institution relies heavily on information systems, which is essential for a fast-growing and high-performing institution. Overreliance on IT has led to cyber risk factors that put information security at stake, especially with students conducting their research in an environment exposed to cyber-attacks. The university has engaged security programs to reduce information insecurity, and these have worked, although the university needs improvement in the application of security measures as well as in management and internal security programs. Stakeholder involvement is deficient and requires close attention through internal training programs.
References
Barton, K. A., Tejay, G., Lane, M., & Terrell, S. (2016). Information system security commitment: A study of external influences on senior management. Computers & Security, 59(2), 9-25.
Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. (2015). Enterprise risk management: Review, critique, and research directions. Long Range Planning, 48(4), 265-276.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Auerbach Publications.
Raffo, D. M., Clark, L. A., & Arik, M. (2016). Strategic responses of non-profit organizations to the economic crisis: Examining through the lenses of resource dependency and resourced-based view theories.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs a more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.