LD7087 Information Governance and Cyber Security Assignment Sample 2023
Task 1: Information Governance Need & Cyber Security Threats
Cyber security threats are attempts to steal or damage a company’s data or to disrupt its digital operations. As per the views of Linkov et al. (2018), cyber threats can come from many actors such as hacktivists, criminal organisations, terrorist groups, and disgruntled employees. Many recent high-profile cyber attacks have exposed sensitive company data: attackers compromised British Airways (BA) in 2018 and exposed customers’ login details, booking information, and payment card details. Hence, Air MSky wants to protect the personal data it holds from unauthorised third parties through robust information technology controls. Air MSky is situated in London and aims to deliver safe and high quality customer services in accordance with advanced technologies.
Air MSky faces several types of cyber security threat, each of which is detailed below:
| Threats | Impact and Effectiveness | Type | Mitigation strategy | Time taken |
|---|---|---|---|---|
| Phishing | Phishing targets customers through fake communication channels such as e-mails that impersonate the airline or a bank and instruct the victim to enter bank account or credit card details (Selby, 2017). Some customers reveal their card number or credentials, after which their accounts are taken over. | Quantitative information | Two-factor authentication (something the individual knows combined with something they have); e-mail filtering of known phishing domains and malicious attachments | 2 weeks |
| Emotet | Emotet is a Trojan operated by a cybercrime group and used to steal customers’ banking details; Air MSky has faced this type of security threat for its customers. It spreads through e-mails carrying malicious attachments or links and acts as a loader for further malware. Emotet uses convincing lures such as fake invoices and shipping notices (Selby, 2017), so customers do not suspect that the message is a threat. | Quantitative information | Regular data backups; continuous network monitoring; blocking macro-enabled attachments at the mail gateway | 3 weeks |
| Malware | Malware is malicious software used to compromise systems. When customers click on links or attachments, the software is installed. It can access and expose customers’ personal information (Lallie et al. 2021), block access to networks, install further harmful software, steal data from hard drives and prevent customers from operating their devices properly. | Quantitative information | Authentication methods; separate administrative accounts; keeping software updated | 2 weeks |
| Denial of service | A denial-of-service attack floods networks or computers so that legitimate users cannot reach them. As opined by Vitunskaite et al. (2019), various techniques are used by hackers to target people through networks, and Air MSky has faced this cyber threat before. Hackers often use botnets, which spread the attack across many compromised machines and make the true source hard to trace. | Qualitative information | High level of network security; firewalls, rate limiting and intrusion detection systems | 3 weeks |
| Attacking passwords | A strong password protects a person’s information. Hackers guess or crack weak passwords, or reuse credentials leaked elsewhere, and use them to access customer details, which they may then expose. | Qualitative information | Penetration testing; multi-factor authentication; enforcing and managing strong passwords | 3 weeks |
| Man in the middle | A man-in-the-middle attack lets hackers insert themselves into a two-party transaction. They first intercept the traffic and then read or alter the data without either party being aware. The attack is common on public Wi-Fi networks, where individuals’ information travels through a network they do not control. In recent years, customers of Air MSky have faced this type of cyber threat and their personal information was in danger. | Qualitative information | Avoiding public Wi-Fi (or using a VPN); paying attention to browser warnings about untrusted certificates; serving all pages over HTTPS | 2 weeks |
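The two-factor authentication recommended against phishing and password attacks in the table above combines a password (something the user knows) with a one-time code from an authenticator app (something the user has). The following Python program is an added example, not code from the original assignment or from Air MSky: it implements the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) with the standard library, verifies a submitted code on the server side with a one-step clock-skew window, and refuses to accept a code for a time step that has already been consumed. The 30-second step, six digits and one-step skew are the usual defaults but are assumptions here; the enrolment secret is generated at random.

```python
"""Time-based one-time password (TOTP, RFC 6238) generation and verification.

Added example; not part of the original assignment. Assumes the
authenticator app and the server share a random secret and that the
server rejects each time step once a code for it has been accepted.
"""
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30      # RFC 6238 default time step (assumed here)
DIGITS = 6             # code length used by most authenticator apps (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS,
         algorithm=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC(secret, counter) with dynamic truncation."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                  # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS,
         step: int = STEP_SECONDS, algorithm=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to the number of time steps elapsed."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Server side: accept a code for the current step or one adjacent step
    (clock skew), and never accept the same or an older step twice."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_step = -1      # newest time step already consumed

    def verify(self, candidate: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue                  # replay: this step was already used
            expected = hotp(self.secret, step)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_step = step
                return True
        return False


def new_secret() -> tuple:
    """Generate a 160-bit enrolment secret and its base32 form for the QR code."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


if __name__ == "__main__":
    raw, b32 = new_secret()
    print("enrol with base32 secret:", b32)
    t = 1_700_000_000                      # constructed "current" Unix time
    code = totp(raw, t)
    verifier = TotpVerifier(raw)
    print("first use accepted:", verifier.verify(code, t))       # True
    print("replay rejected:", verifier.verify(code, t + 5))      # False
```

The RFC 6238 test vectors reproduce with `totp(b"12345678901234567890", 59, digits=8) == "94287082"`. One caveat a practitioner should keep in mind: TOTP defeats an attacker who holds only the password, but a real-time phishing proxy can relay a freshly typed code within its 30-second validity, so phishing-resistant factors such as FIDO2 security keys are the stronger choice for the administrative accounts that matter most.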
Role of information governance to improve cyber-security
In the era of digitalisation, it is essential to strengthen the organisation’s cyber defences so that criminals cannot penetrate them and no data breach takes place. According to Sedenberg and Dempsey (2018), this purpose falls largely under risk management programmes. Information governance is a broad concept that guides an organisation in building a structure within which risk is managed. The main purpose of this system is to deliver and implement an effective strategy that strengthens security and safety measures, especially in the cyber security domain. According to Garcia et al. (2017), information governance helps the business understand its data by conducting a targeted audit of the organisation’s systems. Information governance also allows information to be vetted before the company uses it, which reduces the risk of malware infection and strengthens data security.
Role of Information Security auditors
Information security auditors are professionals who assess the effectiveness and safety of digital systems and their security components. As stated by Lykou et al. (2018), the auditors are majorly concerned with digital systems that are becoming outdated and are at high risk of attack by hackers. The key roles and responsibilities of information security auditors are as follows:
- Detecting potential security flaws is the main job of information security auditors. Issues in security policies are also scrutinised by the auditors to ensure data protection (Eugen and Petruţ, 2018). Determining the overall integrity and health of the corporate network is the core of information security auditing.
- They also lend the organisation credibility through compliance audits that follow best practice; auditors typically hold a recognised qualification such as ISACA’s CISA (“Certified Information Systems Auditor”).
- Information security auditors are also retained to detect technical flaws and vulnerabilities related to information assets (Kiser and Shankar, 2019). They are assigned to identify data breaches, unauthorised access and malware infections that have the potential to negatively impact business operations.
Task 2: Framework
An information governance framework delivers a useful foundation for enhancing cyber security risk management within AirMSky. With the help of a proper framework, organisations can highlight the major focus areas for security risks and plan accordingly. As per the case study, the organisation became more aware after the British Airways breach, for which the ICO fined BA £20 million; the breach affected more than 400,000 customers. Acknowledging the effectiveness of information governance in business security, the organisation wants to protect its data, including stakeholders’ information and the personal data of customers (Johan, 2021). Hence, AirMSky is keen to adopt a robust information security policy while adhering to regulatory and legal compliance. The scope of an “Information Security Management System” (ISMS) defines which services, systems and processes of the business it covers in order to ensure data security. The information security framework will also help to acknowledge the significance of IG in day-to-day business operations.
Content of the framework
There are plenty of cyber security frameworks for protecting the confidentiality of business information. Among them, FISMA (“Federal Information Security Management Act”) is suggested to the organisation as the framework to protect information about stakeholders and customers (gsa.gov, 2021). FISMA is United States federal law, passed in 2002 and updated by the Federal Information Security Modernization Act of 2014; it applies to US federal agencies and to any private-sector organisation that contracts with the federal government to deliver services, receives grant money or supports federal programmes. In practice, complying with FISMA means applying the NIST Risk Management Framework (SP 800-37) and the security controls catalogued in NIST SP 800-53 (nist.gov, 2021), which AirMSky can adopt as a control baseline even where the law itself does not bind it. With the help of FISMA, the organisation can safeguard information, assets and operations against threats and vulnerabilities.
Scope of the framework
This framework is recommended to the company so that it protects its data and systems from cyber security attacks to the same standard that US federal agencies are required to meet. Implementing FISMA, the organisation applies the controls that the framework already extends to vendors and third parties who work for the federal government (Mikalef et al. 2018). FISMA is a significant regulation for AirMSky to reduce security risks and to manage organisational expenditure on information security. Hence, the major scope of implementing FISMA in this organisation relates to increasing data security.
- Risk mitigated: after adopting the framework the business can detect and mitigate risks systematically.
- Long term: the framework helps ensure that the business does not collapse after an incident.
- Value creation: the framework lets the organisation run its business according to stakeholders’ requirements.
The rationale for the framework
Compliance with FISMA brings a number of significant benefits, which ultimately led the organisation to select the framework for maintaining confidentiality. Below are the benefits of FISMA compliance:
- Risk management centred approach: The prime aspect of FISMA is the development and implementation of a risk-management-centred approach to information security. Under FISMA, organisations first identify and accept the potential risk and then make operational decisions to mitigate it (Brown and Toze, 2017). This helps the organisation protect confidential data from unauthorised third parties.
- Regular monitoring and assessment: FISMA compliance requires an information security programme that scans, monitors and updates cyber security procedures and policies on a regular basis. Continuous monitoring and scanning therefore create a robust information security management system and help the organisation highlight vulnerabilities before an attacker can exploit them (nist.gov, 2021). Continuous monitoring also informs the organisation about potential threats and resource allocation, which helps it manage its operations.
- Incident response and remediation: This is one of the essential aspects of FISMA compliance and is of particular value to the information technology department. An incident response team works to detect a breach and assess its impact, and can anticipate the threats and vulnerabilities that follow from a breach (Brown and Toze, 2017). Developing and implementing an incident response plan under FISMA compliance makes the organisation more resilient to cyber attacks.
Moreover, FISMA compliance not only provides data security for the organisation but also brings monetary benefits, such as allowing a private-sector company to do business with US federal agencies. Organisations that comply with FISMA become more aware of security threats, more resilient against data breaches and better prepared for attacks on their data.
Task 3: Risk assessment
Importance of information governance in terms of AirMSky
Information governance (IG) refers to the framework for decision making and accountability that is put in place to control the creation, storage, use, disclosure and destruction of information. The major importance of IG lies in acknowledging the value of the information held by a particular business. There are three major principles of IG: fair, transparent and lawful use of information (Nurse et al. 2017). The core aim of IG is to provide data protection and confidentiality assurance to AirMSky. The policy also guides the organisation in informing employees about the value of proper data handling procedures. Through IG the organisation incorporates information assurance and information security assurance methods, which help it to honour data subject rights when processing personal data.
Below are some of the benefits of IG for the organisation:
- Transform data into valuable business information: Data only becomes valuable to the business when it is accessible and appropriate. AirMSky has a vast pool of data, but getting it to the right place and the right people is a challenge. Using IG, it can turn data into business information by setting policies and procedures that ensure there are as few copies of each piece of information as possible (Mikalef et al. 2018). This information can then be made accessible to the people who require it, and to maintain regulatory compliance the organisation must remove it promptly once it is no longer needed.
- Improve compliance and minimise risks: IG helps the organisation make sure that the data available to the business is pertinent and up to date. Hence, the policy helps to reduce risk and improve compliance (Brown and Toze, 2017). Implementing effective information security in this organisation directly minimises cyber risks.
- Provide better customer service: IG sets standards and procedures so that all required information is categorised, organised and accessible. This ensures that customer-facing staff can easily find the data about any customer and their transactions. This helps to provide better customer service, as customers nowadays want their queries resolved quickly.
- Improve employee productivity: AirMSky holds a vast pool of customer information, which sometimes makes finding a particular customer’s record difficult. Organising information through IG helps employees find customer data quickly, which in turn improves their performance (nist.gov, 2021). IG aims to ensure that only a few versions of each piece of information are stored for the people who require them, which further improves employee productivity.
- Improve the significance of IT in business: The disconnection between the IT department and business users leads to the failure of many business plans. IG helps business users realise the actual value of information technology, and it delivers a strategic framework that explains the value of IT systems in business operations.
- Minimise wasteful duplication and errors: IG comprises automatic classification of information to make sure information is available for as long as it is of value to the organisation. IG policies also require business information to be stored in a way that allows it to be retrieved easily and quickly when required (Eugen and Petruţ, 2018). This reduces the time and cost wasted on duplication and minimises guesswork during data retrieval.
- Eliminate unnecessary information from AirMSky: IG is built on the idea of detecting the actual value of information within an organisation. Hence, a core part of this policy is eliminating unnecessary data from the organisation as soon as possible. IG helps to shape the information map by sorting information according to its true value.
Risk assessment methodologies
| Risks | Impact | Likelihood | Type | Vulnerabilities |
|---|---|---|---|---|
| Risks associated with the business | High | Medium | Quantitative risk | The “Quantitative Risk Assessment” (QRA) is a formal and methodical risk analysis approach in which the risks connected with corporate activities are expressed numerically. |
| Risk exposure for employees and the environment | Medium | High | Quantitative risk | QRA is a useful method for determining the level of risk to which people and the environment are exposed. It also includes a full description of the company’s current assets as well as its standing and reputation. |
Information assets
An information asset within AirMSky is any information of value that the organisation holds. Information assets must be inventoried so that the organisation knows what it has to protect and who is accountable for each asset. Assets can be of many types, such as paper documents, digital documents, passwords, databases and encryption keys. AirMSky has three major types of information assets: physical assets, software application assets and data assets (Johan, 2021). In AirMSky the information assets are stored on different media such as paper, USB sticks, laptops, cloud services and hard drives.
Threats, vulnerabilities and risks related to assets
Risk refers to the potential loss, destruction or damage of assets caused by cyber threats. In AirMSky, threats to assets are the events that could negatively impact them: the company faces threats of losing confidential data and of unauthorised capture of its assets. Criminal hacking, malicious insiders stealing information and technical malfunction are therefore considered threats to the organisation’s assets. Vulnerabilities, by contrast, are the weaknesses a threat can exploit, such as staff who have not been trained to recognise phishing e-mails and technological flaws such as weak encryption. Because of these vulnerabilities, unauthorised third parties are able to steal data and the assets can be harmed (Nurse et al. 2017). The resulting risk is cyber theft or a cyber attack that leads to information loss.
Method to assess the risks
AirMSky aims to use a qualitative risk assessment method to produce a non-numerical assessment of risks. Qualitative risk assessment uses techniques such as brainstorming, interviews, risk rating scales, SWOT analysis, the Delphi technique and historical data. In this method, each risk to an asset is classified according to its likelihood and its impact (Kiser and Shankar, 2019), so the organisation can easily identify the most important risks to focus on immediately. The major significance of the qualitative method is that it gives risk managers a prioritised list of risks for the organisation.
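As an added illustration of the likelihood-and-impact classification described above (example code, not part of the original assignment or of any Air MSky process), the following Python program scores a small constructed risk register on two five-point ordinal scales, maps each score to a treatment band, and returns the register in priority order. The scales, the band thresholds and the register entries are assumptions chosen to illustrate the method with the assets and threats discussed on this page; they are not findings about Air MSky.

```python
"""Qualitative risk assessment: rate each risk from ordinal likelihood and
impact levels and produce a prioritised register.

Added example, not part of the original assignment. The five-point scales,
the band thresholds and the register entries are assumptions; an organisation
sets them in its own risk-management policy.
"""
from dataclasses import dataclass

# Ordinal scale shared by likelihood and impact (assumed five-point scale).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # a key of LEVELS
    impact: str       # a key of LEVELS


def score(risk: Risk) -> int:
    """Ordinal product in the range 1..25, used only for ranking. It is not a
    monetary expectation; that would be a quantitative assessment."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def rating(s: int) -> str:
    """Map a matrix cell to a treatment band (assumed thresholds)."""
    if s >= 15:
        return "critical"   # treat immediately, escalate to senior management
    if s >= 8:
        return "high"       # treat within the current planning cycle
    if s >= 4:
        return "moderate"   # treat when resources allow, keep monitoring
    return "low"            # accept and review periodically


def prioritise(register: list) -> list:
    """Return (risk, score, band) tuples from most to least urgent; ties are
    broken by impact because a rare high-impact event matters more than a
    frequent nuisance of the same score."""
    rows = [(r, score(r), rating(score(r))) for r in register]
    rows.sort(key=lambda row: (row[1], LEVELS[row[0].impact]), reverse=True)
    return rows


# Constructed register built from the assets and threats discussed on the page.
# Illustrative entries only; the vulnerabilities are assumed, not observed.
AIRMSKY_REGISTER = [
    Risk("customer database", "phishing of staff credentials",
         "no multi-factor authentication on administrative accounts", "high", "very high"),
    Risk("booking website", "man-in-the-middle attack on public Wi-Fi",
         "legacy pages still served over plain HTTP", "medium", "high"),
    Risk("booking website", "denial of service by a botnet",
         "no upstream rate limiting", "medium", "medium"),
    Risk("staff laptops", "Emotet delivered by malicious attachment",
         "macro-enabled documents accepted by the mail gateway", "high", "high"),
    Risk("USB sticks holding customer data", "loss or theft",
         "unencrypted removable media", "low", "high"),
    Risk("paper records", "technical malfunction of the scanner",
         "none significant", "low", "very low"),
]

if __name__ == "__main__":
    for risk, s, band in prioritise(AIRMSKY_REGISTER):
        print(f"{band:8} {s:2}  {risk.asset}: {risk.threat} ({risk.vulnerability})")
```

Running the script lists the phishing and Emotet risks first as critical, the man-in-the-middle, denial-of-service and removable-media risks as high, and the paper-record risk as low, which is the prioritised view the text says the qualitative method should give risk managers.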
References
Journals
Brown, D.C. and Toze, S., 2017. Information governance in digitized public administration. Canadian public administration, 60(4), pp.581-604.
Eugen, P. and Petruţ, D., 2018. Exploring the new era of cybersecurity governance. Ovidius University Annals, Economic Sciences Series, 18(1), pp.358-363.
Garcia, M., Forscey, D. and Blute, T., 2017. Beyond the network: A holistic perspective on state cybersecurity governance. Neb. L. Rev., 96, p.252.
Johan, B., 2021. Compliance & Standards - The Journey To Security. 8(1), pp.58-63.
Kiser, R. and Shankar, A., 2019. 2019 GPN All Hands Meeting: Building a NIST Risk Management Framework for HIPAA, CUI, and FISMA.
Lallie, H.S., Shepherd, L.A., Nurse, J.R., Erola, A., Epiphaniou, G., Maple, C. and Bellekens, X., 2021. Cyber security in the age of covid-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Computers & Security, 105, p.102248.
Linkov, I., Trump, B.D., Poinsatte-Jones, K. and Florin, M.V., 2018. Governance strategies for a sustainable digital world. Sustainability, 10(2), p.440.
Lykou, G., Anagnostopoulou, A. and Gritzalis, D., 2018, June. Implementing cyber-security measures in airports to improve cyber-resilience. In 2018 Global Internet of Things Summit (GIoTS) (pp. 1-6). IEEE.
Mikalef, P., Boura, M., Lekakos, G. and Krogstie, J., 2018. Complementarities between information governance and big data analytics capabilities on innovation. 1(1), pp.35-36.
Nurse, J.R., Creese, S. and De Roure, D., 2017. Security risk assessment in Internet of Things systems. IT professional, 19(5), pp.20-26.
Sedenberg, E.M. and Dempsey, J.X., 2018. Cybersecurity information sharing governance structures: An ecosystem of diversity, trust, and tradeoffs. arXiv preprint arXiv:1805.12266.
Selby, J., 2017. Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both?. International Journal of Law and Information Technology, 25(3), pp.213-232.
Vitunskaite, M., He, Y., Brandstetter, T. and Janicke, H., 2019. Smart cities and cyber security: Are we there yet? A comparative study on the role of standards, third party risk management and security ownership. Computers & Security, 83, pp.313-331.
Websites
gsa.gov, 2021, Federal Information Security Management Act, Available at: https://www.gsa.gov/reference/reports/budget-performance/annual-reports/agency-financial-report-2012/managements-discussion-and-analysis/gsa-management-assurances/federal-information-security-management-act [Accessed on 21st December 2021]
nist.gov, 2021, Federal Information Security Modernization Act (FISMA), Available at: https://csrc.nist.gov/projects/risk-management/fisma-background [Accessed on 21st December 2021]