LD7087 Information Governance and Cyber Security Assignment Sample 2023
Task 1: Information Governance Need & Cyber Security Threats
1.1 Critical appraisal of latest cyber security threats
In this decade, people from all walks of life prefer digital versions of everyday processes. The decision of “Air MSky” to implement a “web-based” flight booking system to manage its growing customer count is therefore consistent with current customer preference. However, online and digital methods come with the risk of data and information leaks.
| Threats | Impact and effectiveness | Type | Mitigation strategy | Time taken |
|---|---|---|---|---|
| Phishing | “Phishing” is a type of hacking method in which the user is tricked into downloading harmful and malicious content from the web. | Quantitative information | Installing a firewall in order to enhance security. It can be an effective solution against phishing attacks. | 3 weeks |
| Ransomware | “Ransomware” is a form of malware that uses encryption to hold a user’s personal information to “ransom”. The critical and confidential data of a user or an organisation is encrypted so that the legitimate users can no longer access their files, databases or applications (Chen and Bridges, 2017). The attacker then demands a ransom in exchange for restoring access and returning the files. | Quantitative information | Ransomware typically arrives through websites and e-mail; thus, it is essential to avoid opening random links and spam mails. | 1 week |
| Malware | “Malware” is intrusive software that is created and introduced into computers or computer systems to damage and corrupt them. The term “Malicious Software” is contracted to “Malware” (Chen and Bridges, 2017). Common examples of malware that cause disruption in a computer system are “viruses, worms, Trojan viruses, spyware, adware, and also Ransomware”. | Quantitative information | Installation of antivirus software is essential to avoid the threats of malware. | 2 weeks |
| Compromised Passwords | Passwords that have been exposed in past data breaches are considered to be “Compromised Passwords”. Once exposed, these passwords are highly vulnerable and not safe for use (Li et al. 2019). For example, when a password is typed into a website, Chrome generally warns the user if those credentials have already been breached on other sites or applications. | Qualitative information | End-to-end encryption is the key to overcoming the issue of leaking passwords. | 3 weeks |
| Data Breaches | A data breach is a type of online security violation in which “sensitive, protected or confidential data” ends up being copied, transferred, viewed, stolen or used by an unauthorised individual, the so-called hacker. Other terms for this type of threat are “unintentional information disclosure”, “data leak”, “information leakage” and “data spill” (Thomas et al. 2017). | Qualitative information | Development of a strong security system is an effective way to overcome issues associated with data breaches. | 3 weeks |
Table 1: Cyber threats and explanation
(Source: Self-created)
These are the primary cyber threats that can affect “Air MSky”, its business procedures and the customers or passengers associated with the company. People who opt for the online booking method of “Air MSky” services will be exposed to the negative aspects of information technology. Therefore, the officials of “Air MSky” should be responsible for the correct functioning of the company’s “web-based” booking system.
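The “Compromised Passwords” row of Table 1 mentions that a browser can warn a user when a typed password is already known from a breach. The following added example (not part of the original assignment) shows the general idea behind such a check in the hash-prefix style analysed by Li et al. (2019): the client reveals only the first few characters of the password hash, the server returns the whole bucket of matching suffixes, and the comparison happens on the client. The breach list, the prefix length of 5 and the function names are all constructed assumptions for illustration.

```python
import hashlib
from typing import Dict, Set

# Constructed stand-in for a breach corpus. Hypothetical sample values only;
# a real deployment would hold hashes from actual breach data on the server side.
CONSTRUCTED_BREACHED_PASSWORDS: Set[str] = {
    "password123",
    "qwerty",
    "letmein",
    "Summer2021!",
}

# Assumed prefix length: the client sends only this many hex characters of the hash.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the digest form used by the bucket index)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_bucket_index(breached: Set[str]) -> Dict[str, Set[str]]:
    """Server side: group breached password hashes into buckets keyed by hash prefix.

    Each bucket stores only the remaining suffix, so a lookup for one prefix
    returns every breached hash sharing that prefix.
    """
    index: Dict[str, Set[str]] = {}
    for pw in breached:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def server_lookup(index: Dict[str, Set[str]], prefix: str) -> Set[str]:
    """Server side: answer a prefix query with the whole bucket.

    The server learns only the prefix, never the full hash or the password.
    """
    return set(index.get(prefix.upper(), set()))


def is_compromised(password: str, index: Dict[str, Set[str]]) -> bool:
    """Client side: query by prefix, then match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = server_lookup(index, prefix)
    return suffix in candidates


def check_new_password(password: str, index: Dict[str, Set[str]]) -> str:
    """Policy decision a registration or password-change form could apply."""
    if is_compromised(password, index):
        return "rejected: password appears in a known breach"
    return "accepted"


if __name__ == "__main__":
    idx = build_bucket_index(CONSTRUCTED_BREACHED_PASSWORDS)
    for candidate in ("password123", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, idx))
```

The design point worth noticing is that `server_lookup` receives only `PREFIX_LEN` hex characters, so the server cannot recover which password was checked; the client does the final comparison against the returned bucket. A booking site could call `check_new_password` at registration and on password change to refuse credentials that are already public.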
1.2 Requirements of Information Governance for the company
“Air MSky” primarily requires the application of “Information Governance” because it is implementing online services for the first time and needs better management procedures to keep up with the competition as well as to improve the customer experience. With governance in place, the company management can obtain the information it needs to access, and the underlying data and information can be properly “assessed, stored and secured”. Moreover, the regulatory requirements applying to the systems and procedures of “Air MSky” should be observed wherever necessary (Searchcompliance.techtarget.com, 2021). Lastly, “risk management” has to be in a condition where it can minimise any issues or problems that originate from the incorrect use of processes.
This is where the need for “Information Governance” arises for the management at “Air MSky”. A governance system will help the company officials and the workers understand the value of the “information sets” that exist for particular business users. It is also responsible for delivering a “strategic framework for new IT systems”. This ensures that business users understand the stipulated value and therefore work in a way that is natural for them (Van Grembergen and De Haes, 2018). Considering the “critical goals” of “Information Governance”, it will strive to understand and promote the value of the existing information and data assets of “Air MSky”. At the same time, it will effectively resolve issues regarding data and the creative process, which will help the company officials avoid future occurrences. Moreover, the “Information Governance” procedure will enforce conformance to the company “standards and policies” related to the management of company and consumer data.
1.3 Social, ethical and legal requirements to assess the effectiveness of ISMS
An “Information Security Management System” or ISMS is a framework of “policies and controls” used to manage risk and security systematically across the entire organisation. “ISO 27001” can be considered as an example: it is a set of specific requirements for the creation, management and implementation of “ISMS policies and controls”. Measuring these helps decision making and will improve the performance and accountability of “Air MSky”.
The effectiveness of the ISMS can be measured by “Air MSky” management against its social, ethical and legal requirements. Compliance with these specific requirements should therefore be achieved through management processes that identify the needs and assess the “state of compliance, risks & potential costs”. Such an assessment is triggered when there is non-compliance with the requirements, weighed against the expense of reaching conformance (Choubey and Bhargava, 2018). “Security management” will help measure the “effectiveness of the ISMS processes and controls”. “Corrective action” is another mechanism that drives improvement while addressing the weaknesses present in the system.
Task 2: Framework
2.1 Justification of the approach
| Frameworks | Justification |
|---|---|
| Cyber security framework | A “Cyber security Framework” is a collection of suitable practices that should be followed by any large organisation such as “Air MSky” for better management of the risks associated with online and digital modes of operation. The suggested approach or “Cyber security Framework” for “Air MSky” is “NERC-CIP”, the “North American Electric Reliability Corporation – Critical Infrastructure Protection”. |
| Cyber risk management framework | The presence of a strong “cyber risk management framework” strongly influences the various “risk management strategies” and “risk management programs”. |
Table 2: Justification of the approach
(Source: Created by learner)
“NERC-CIP” or the “North American Electric Reliability Corporation – Critical Infrastructure Protection” was introduced in the United States to mitigate the rise in attacks on “critical infrastructure and growing third-party risk”. This “Critical Infrastructure Protection” is a set of cyber security standards designed to help organisations in the “utility and power sector” reduce cyber risk and ensure the reliability of large electric systems (Mylrea et al. 2018). The framework requires in-scope organisations to identify and mitigate the cyber risks present in their supply chain. “NERC-CIP” stipulates a range of controls, including “incident response and planning”, “categorization of systems and company’s critical assets”, “recovery plans for critical cyber assets”, “training personnel”, and “vulnerability assessments”.
This method (“NERC-CIP”) is advantageous and fit to be applied in “Air MSky” by the company officials because of the benefits that come with this compliance. As “Air MSky” is a private flight service, its online facilities should be flawless and as trouble-free as possible so that users can use the online booking facility with full efficiency. The benefits of this compliance are “improved operational control”, “improved readiness for disruptions and difficulties”, “upgraded environmental awareness”, “enhanced understanding of costs”, and “refined power-grid protection” (Herrera et al. 2017).
2.2 Rationale for the scope and content of ISMS
The essential reason for setting up an ISMS or “Information Security Management System” is to define which information needs protection. “Air MSky” will be responsible for protecting this information irrespective of the location, reason and identity of the person who accesses it. Initially, the scope of the ISMS might be defined to cover only specific “processes, services, systems or precise departments”. Success stories can then be presented as a business case for expanding the scope of the ISMS, or a second, separate scope can be created with its own protections and requirements. The phase that determines the scope of the ISMS is known as the “Plan phase” (Asp Sandin, 2021). In this phase, “the scope and boundaries of the ISMS”, “its interested parties”, “environment, assets” and all the “technology involved” are defined. The policies, evaluations, risk assessments and risk controls are also defined in this phase.
“Air MSky” will face several issues and problems regarding its newly launched online booking services. The company officials will need to identify the information security risks and select appropriate controls to tackle them. The controls of the ISMS are essential for tackling these security risks (Susukailo et al. 2021). Those controls are outlined in “Annex A of the Standard”. There are “114 ISO 27001 Annex A controls”, divided into 14 categories. Moreover, there are around “11 standards” that will help the reliability of “Air MSky” and its cyber security system, and NERC plans to introduce more in the near future.
2.3 Critical evaluation of Information governance frameworks
Numerous large companies that own, operate or use a bulk electric system, such as “Air MSky”, need to comply with the “NERC-approved Reliability Standards”. Large airline companies like this are required to register with “NERC” through an appropriate “Regional Entity” (Nerc.com, 2021). The company officials of “Air MSky” can implement a training procedure for the employees and workers who will be appointed to handle company and customer data. The areas to be covered are how to “back up data”, “securing company devices and network”, “encryption of important information”, “ensuring the use of multi-factor authentication (MFA)”, “management of passphrases”, “monitoring use of computer equipment and systems”, “putting policies in place to guide the company staff”, and “training staff to be safe online”.
Task 3: Risk Assessment
3.1 Justification of the importance of information governance
“Information Governance” is a matter of importance for companies that aim to bring their market online in order to reach a greater number of customers. Furthermore, because of the Covid-19 pandemic conditions in the United Kingdom, many companies have opened a separate digital market, which lets customers access company services remotely from their homes. The new decision of “Air MSky” to adopt a well-functioning “Information Security Policy” is appropriate given the current conditions in the country. These online facilities should be in accordance with the “legal and regulatory compliances” of the sector and the country. “Information Governance” can play a vital role in the daily operations of “Air MSky” because better management of this area helps establish “policies, procedures, and accountability” (Upward, 2019). This will become imperative for the company, and it brings better management of customers’ and stakeholders’ personal information by increasing “data privacy and confidentiality”.
“Information Governance” further aims to help the company’s internal employees understand the importance of data handling procedures. Apart from delivering protection assurance, it lets the company management and the IT officials of “Air MSky” enforce “information assurance”, “corporate information assurance” and “information security assurance procedures”. As a result, employees will act ethically and be able to demonstrate a “duty of care” and respect for “data subject rights” while customer data is being processed. The “Information Governance” procedure usually provides a framework that ensures consumers’ personal data is monitored “legally, securely, efficiently and effectively”. This is important because it protects the users of the service. The core concepts of “Information Governance” include “security and privacy”, “information lifecycle management”, “integrity and authenticity”, and “business continuity” (Foxhayespractice.nhs.uk, 2021). These concepts remain the same for every organisation.
3.2 Risk assessment methodologies
| Risks | Impact | Likelihood | Type | Vulnerabilities |
|---|---|---|---|---|
| Risks associated with the business operations | High | Medium | Quantitative risk | “Quantitative Risk Assessment” or QRA is a “formal and systematic” approach to risk analysis in which the risks associated with the business operations are quantified (Arora et al. 2021). |
| Exposure of employees and the environment to risk | Medium | High | Quantitative risk | “Quantitative Risk Assessment” or QRA serves as an important tool for understanding how much risk exposure there is for the employees and the environment. It also gives a detailed account of the existing company assets and of the company’s popularity and reputation. |
Table 3: Risk assessment table
(Source: Created by learner)
“Risk assessment” or RA is the essential activity in the risk management procedure of “Information Governance”. It is required to assess the various risks and mitigate them in order to lessen their negative impact on the company. Primarily, the IT governance process involves evaluating and directing the plans for the use of ICT; this supports the organisation and monitors the fulfilment of those plans. Risk assessment is mainly of two types, namely qualitative and quantitative. Quantitative risk assessment is generally based on “scenarios, mathematical, statistical and graphical analysis”.
Figure 3: Risk assessment
(Source: Arora et al. 2021)
“Air MSky” should devise its plan for launching a digital platform while keeping in mind the 2018 data breach that affected the customers of “British Airways” or BA. The attackers took control of the company’s online booking platform and captured the login details, payment card details, passwords and booking information of around 400,000 customers (Bbc.com, 2020). The “Information Commissioner’s Office” or ICO fined “British Airways” “£20m” for the data breach. Therefore, the application of quantitative risk assessment methods in the company is recommended in order to gain a deep insight into such a scenario with a more numerical and statistical approach.
Considering the “NERC-CIP” or “North American Electric Reliability Corporation – Critical Infrastructure Protection” framework recommended for “Air MSky”, the use of “Distributed energy resources” or DERs promises to deliver benefits to both “utilities and consumers”. This is achieved through the dynamic interoperation of utility systems with customer-owned grid-edge technologies (Christensen et al. 2019).
3.3 Identification of information assets, threats, vulnerabilities, and risks associated with assets.
For the identification of the information assets, threats, vulnerabilities and risks associated with the management procedure, the primary goal of quantitative risk analysis is to prioritise the threats on the basis of previous occurrences and their chances, using a statistical approach (Nguyen et al. 2019). There is no place for prediction based on guessed probabilities; therefore it serves as a precise basis for the mitigation of risks. This will let the “Air MSky” officials devise treatments for the issues in a logical way. The procedure might not give a fuller picture of the overall risk exposure, but it will keep the management ready to counteract when a difficulty arises. Quantitative risk analysis classifies the risks according to their impact and the number of repetitions by comparing the conditions. This makes it easier to determine which risks the organisation should focus on, namely those with the highest scores.
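Table 3 and the two paragraphs above describe quantitative risk analysis as ranking risks by impact and by the number of previous occurrences. The following added example (not from the original assignment) carries that idea through on a constructed incident history: it counts repetitions per risk category, turns them into a yearly rate, multiplies by the mean loss per incident and ranks the result. The incident records, loss figures, two-year observation window and function names are all hypothetical assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed incident history (hypothetical): (year, risk category, loss in GBP).
# The categories mirror the threats listed in Table 1 of the assignment.
CONSTRUCTED_INCIDENTS: List[Tuple[int, str, float]] = [
    (2020, "phishing", 12000),
    (2020, "phishing", 8000),
    (2021, "phishing", 10000),
    (2021, "ransomware", 250000),
    (2020, "malware", 5000),
    (2021, "malware", 7000),
    (2021, "malware", 6000),
    (2021, "compromised_passwords", 15000),
]

# Assumed length of the observation window, used to turn counts into a yearly rate.
OBSERVATION_YEARS = 2


def summarise(incidents: List[Tuple[int, str, float]], years: int) -> Dict[str, Dict[str, float]]:
    """Per risk category: occurrences, mean loss, yearly rate and yearly expected loss.

    yearly expected loss = (occurrences / years) * mean loss per occurrence
    """
    counts: Dict[str, int] = defaultdict(int)
    totals: Dict[str, float] = defaultdict(float)
    for _year, risk, loss in incidents:
        counts[risk] += 1
        totals[risk] += loss

    summary: Dict[str, Dict[str, float]] = {}
    for risk, n in counts.items():
        mean_loss = totals[risk] / n
        rate = n / years
        summary[risk] = {
            "occurrences": n,
            "mean_loss": mean_loss,
            "annual_rate": rate,
            "annual_expected_loss": rate * mean_loss,
        }
    return summary


def rank_risks(summary: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Order risks by yearly expected loss, highest first, so treatment can be prioritised."""
    return sorted(
        ((risk, s["annual_expected_loss"]) for risk, s in summary.items()),
        key=lambda item: item[1],
        reverse=True,
    )


if __name__ == "__main__":
    summary = summarise(CONSTRUCTED_INCIDENTS, OBSERVATION_YEARS)
    for risk, expected_loss in rank_risks(summary):
        s = summary[risk]
        print(f"{risk:22s} occurrences={int(s['occurrences'])} "
              f"rate/yr={s['annual_rate']:.1f} mean_loss={s['mean_loss']:.0f} "
              f"expected_loss/yr={expected_loss:.0f}")
```

On the constructed data, phishing and malware are the most frequent categories, but the single ransomware incident still ranks first because frequency and impact are combined rather than counted alone; that is the reason the text gives for preferring a quantitative method over simply counting repetitions.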
Reference list
Arora, A.S., Changotra, R. and Rajput, H., 2021. to Quantitative Risk Assessment Methodologies. Bow Ties in Process Safety and Environmental Management: Current Trends and Future Perspectives, p.211.
Asp Sandin, A., 2021. A simplified ISMS: Investigating how an ISMS for a smaller organization can be implemented.
Bbc.com, 2020. British Airways fined £20m over data breach. Accessed on 21st December, 2021 from: https://www.bbc.com/news/technology-54568784
Chen, Q. and Bridges, R.A., 2017, December. Automated behavioral analysis of malware: A case study of wannacry ransomware. In 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA) (pp. 454-460). IEEE.
Choubey, S. and Bhargava, A., 2018. Significance of ISO/IEC 27001 in the Implementation of Governance, Risk and Compliance. International Journal of Scientific Research in Network Security and Communication, 6(2), pp.30-33.
Christensen, D., Martin, M., Gantumur, E. and Mendrick, B., 2019. Risk assessment at the edge: Applying NERC CIP to aggregated grid-edge resources. The Electricity Journal, 32(2), pp.50-57.
Foxhayespractice.nhs.uk, 2021. Importance of Information Governance. Accessed on 21st December, 2021 from: https://www.foxhayespractice.nhs.uk/website/Y00568/files/http___www.newdevonccg.nhs.pdf
Herrera, J.M., Mingarro, M.S., Barba, S.L., Dolezilek, D., Calero, F., Kalra, A. and Waldron, B., 2017, December. Case study of time-domain automation and communications: field-proven benefits to automation, control, monitoring, and special protection schemes. In 2017 Saudi Arabia Smart Grid (SASG) (pp. 1-8). IEEE.
Li, L., Pal, B., Ali, J., Sullivan, N., Chatterjee, R. and Ristenpart, T., 2019, November. Protocols for checking compromised credentials. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (pp. 1387-1403).
Mylrea, M., Gourisetti, S.N.G., Bishop, R. and Johnson, M., 2018, April. Keyless signature blockchain infrastructure: Facilitating nerc cip compliance and responding to evolving cyber threats and vulnerabilities to energy infrastructure. In 2018 IEEE/PES Transmission and Distribution Conference and Exposition (T&D) (pp. 1-9). IEEE.
Nerc.com, 2021. Compliance & Enforcement. Accessed on 21st December, 2021 from: https://www.nerc.com/pa/comp/Pages/default.aspx
Nguyen, S., Chen, P.S.L., Du, Y. and Shi, W., 2019. A quantitative risk analysis model with integrated deliberative Delphi platform for container shipping operational risks. Transportation Research Part E: Logistics and Transportation Review, 129, pp.203-227.
Searchcompliance.techtarget.com, 2021. Information governance. Accessed on 21st December, 2021 from: https://searchcompliance.techtarget.com/definition/information-governance
Securityboulevard.com, 2020. What to Know About Scaling NERC CIP Compliance Across Your Organization. Accessed on 21st December, 2021 from: https://securityboulevard.com/2020/04/what-to-know-about-scaling-nerc-cip-compliance-across-your-organization/
Susukailo, V., Opirsky, I. and Yaremko, O., 2021. Methodology of ISMS Establishment Against Modern Cybersecurity Threats. In Future Intent-Based Networking (pp. 257-271). Springer, Cham.
Thomas, K., Li, F., Zand, A., Barrett, J., Ranieri, J., Invernizzi, L., Markov, Y., Comanescu, O., Eranti, V., Moscicki, A. and Margolis, D., 2017, October. Data breaches, phishing, or malware? Understanding the risks of stolen credentials. In Proceedings of the 2017 ACM SIGSAC conference on computer and communications security (pp. 1421-1434).
Upward, F., 2019. The monistic diversity of continuum informatics: A method for analysing the relationships between recordkeeping informatics, ethics and information governance. Records Management Journal.
Van Grembergen, W. and De Haes, S., 2018. Introduction to the Minitrack on IT Governance and its Mechanisms.