LD7087 Information Governance and Cyber Security Assignment Sample 2024
Introduction
It can be concluded from that of the above discussion that organisations around the world like that of MSky is increasingly getting concerned about various issues that are associated with that of a recurrent level of security breaches. This kind of breaches in data tends to affect an organization’s reputation in a very bad way. Besides customers tend to move away from these kinds of organizations that do not have the capability to protect effective employee data. Effective employees, as well as that of data related to that of various consumers, are sometimes even sold off by of various hackers. These data tend to become case effective sources of remuneration for these people as well.
TASK 1: Cyber Security threats and requirement of information governance
Critically appraising latest cyber security threat
Cyber Security threats are being occurred due to series of illegal activities done by malicious individuals to steal secured data and bring disruption within digital life. As stated by Taeihagh and Lim (2019), illegal activities include cyber-attacks such as data breaches, “denial of service” and computer viruses. The UK is a highly developed country to prevent cyber security threats still many companies operating in that geographical location are facing such threats. Hence, the country is facing a lot of financial loss that is creating an impact on the “Gross Domestic Product” level. In this scenario, AirMSky has decided to expand its business operations by offering cargo booking services and telephonic flights to certain major domestic cities. Hence, this company realized the requirement of increasing knowledge regarding cyber security threats to provide maximum safety to customers’ information. In the last financial year, within UK, 65% higher to medium businesses, 64% of large businesses and 51% of high-income charities faced cyber security threats (gov.uk, 2021). Observing the current data of cybersecurity threats in the UK, it becomes visible that nearly four out of ten businesses are facing threats in this area.
AirMSky is aware of the cyber incident that took place in 2018 within British Airways business framework. Furthermore, rising risk of threat at an alarming rate this company segregates current cybersecurity threats to information assets for taking quick action. As opined by Vitunskaite et al. (2019), information assets refer to network security or computer security protecting assets that also guide a business to perform information-based activities effectively. Currently, cyber attackers are trying to steal data for gaining access to financial statements. In order to mitigate the issues, AirMSky is trying to identify trendy cybersecurity threats to information assets for protection of stakeholders’ information and avoid financial loss.
- Potential attack to AI-based systems: The rising utilisation of Artificial Intelligence (AI) leads to machine learning and creates a scope for both cybersecurity as well as threats. AirMSky is expanding its operations and including advanced mechanisms to ensure smooth functioning of business operations. Hence, utilizing AI by this company in varied technical grounds are automated security systems, detecting threats automatically, detecting faceand processing language. In contrast, this company needs to keep in mind that development of smart malware is possible through AI. Mainly, such malware are being prepared to bypass security protocols that manage data of information assets.
- Potential Vulnerability to Cloud: Cloud-based applications are commonly being established by Microsoft and Google that helps in keeping large databases. AirMSky with the decision of expanding business has to include more information from its stakeholders. As a result, cloud-based applications are the only solution for keeping large databases with constant updating and monitoring to safeguard leakage of data from information assets. Hence, phishing attacks, malicious software or erroneous errorsare significant sources that create vulnerability to cloud.
- Threat from Ransomware: AirMSky has a number of processes running with the support of advanced software as a result the business framework has high risk from ransomware. Relying heavily on software for conducting daily activities creates a scope for hackers to acquire most information to ask for ransom against publishing confidential data.
Function of Information Security auditors
“Information security auditors” follows a series of activities that identify flaws and vulnerabilities present within a company’s framework. Auditors falling within this category prepare audited documents that provide reflection inefficiency of internal management in safeguarding information assets with properly tested justification. As stated by Kiss and Muha (2018), an organisation hires such auditors to ensure potential solutions for resolving security issues. In this scenario, AirMSky is taking a business expansion decision that already involves a lot of finance. Any additional financial expenses due to cybersecurity threats might create financial burden to the company.
Discovering potential security flaws within the expanded business plan falls under the duty of this company’s “information security auditor”. This person is going to work as a team for recognizing entire integrity and health of this company’s corporate network to ensure maximum profitability from this business plan. Such auditors need to have sufficient knowledge on information technology for binding up companies procedures with legal, social and ethical requirements. It is highly recommended to include an auditor holding “Certified Information Security Auditor Certification” for avoiding malpractices and extract proper judgment from the auditor’s end.
Information Governance Requirements
“Information technology” security governance and management are two important elements but perform two different functions within a business model. As commented by Baig et al. (2017), “IT security management” takes essential decisions to mitigate risk whereas “IT security governance” identifies the authorized personnel who are liable to make decisions. In this case study, AirMSky needs to incorporate information governance for ensuring protection of data confidentiality and preparing guidance to lower-level staff to use data handling mechanisms effectively. The governing body of this company is going to check performed duties from the workforce’s end are being performed ethically including duty of care.
Additionally, the governing body provides a framework that provides “information security strategies” aligning with business mechanisms to support achieving stated objectives quickly. As suggested by (), security governance provides advanced policies to include within business that provides maximum safeguard from financial loss to a company from cybersecurity threat. AirMSky knew British Airway has to bear a loss of £20million in form of fines due to cyber-attack and data breaches of 40,000 customers. Hence, this company decided to include the most effective policy to minimize financial loss beforehand.
Latest cyber security threats
| Threats | Impact | Effectiveness | Type | Mitigation strategy | Time taken |
| Customer data misconduct | Customers who are associated with various services of this organisation are having issues related to that of booking, reservations and that of various other issues. | A business organisation should always try to protect its data related to that of various customers or it may affect a business in a bad way in the long run. | Qualitative information | In order to protect customer data an AI powered centralised data system should be maintained to ensure proper data protection. | 3 weeks |
| Confidential data loss | Loss of data por breach of various confidential data tend to hamper reputation of that of a particular organisation in a very bad way. Moreover, it tends to demotivate employees in taking up enthusiasm for that of a particular task. | Loss of data sometimes tend to reduce various number of customers who are associated with that of a particular business. This is one of the main causes that have been causing some serious hindrances for MSky to expand its operations over various areas. | Qualitative data | In order to ensure that data is not constantly lost through that of cyber breaches, this organisation have got to take the help of various different innovative methods. This can only be ensured if the strategic team can come up with such methods that helps to integrate various newer technological tools that are perfectly fit for this company. | 2 weeks |
| Data breaches | Loss of data because of it has been breached by that of a diverse range of hackers causes financial loss to various customers. But on the other hand, various hackers tend to benefit from this module as there variouis confidential information are sold by tghem at high porioces in the market. | Loss of data tends to cause an extremely negative effect to that of a particular business concern and mars its business operations as well. | Quantitative information | In order to mitigate this kind of crisis organizations need to come forward with that of an effective plan as per this particular situation. This can be done by the usage of encryption methods that tends to act as a protective barrier for various data sets. Besides decryption techniques should also be made in such a way that it becomes difficult for everyone to analyse confidential data. | 3 weeks |
Table 1: Threats in Air MSky Company
(Source: Created by author)
TASK 2: Framework
Critical Evaluation of ISMS approach
“Information Security Management System” (ISMS) is a large framework that provides a series of policies as well as controls for handling risks from cybersecurity threats systematically across the current business mechanisms. As opined by Linkov et al. (2018), obtaining an effective framework lying within this large framework helps an organisation to maintain availability, integrity and confidentiality of information properly. SOC2 is the chosen framework recommended for AirMSky to achieve the fundamental objective of securing information from cybersecurity threats. This organisation can add up threat with vulnerability to achieve results on risk associated with current business procedures. Identifying a new threat related to cybersecurity with potential harm to a system helps in chalking out existing weaknesses hackers are going to exploit. Hence, risk management and risk assessment are the two primary action related areas that help this organisation to prepare a structured approach that tradeoff between costs from risk and risk-mitigating activities. Additionally, this tradeoff with inclusion of proper actions helps an organization from securing cybersecurity threats.
Recognizing Information governance framework
Scope of the framework:
“Service Organisation Control (SOC) Type 2″ is one of the trustworthy frameworks that include auditing standards developed by “American Institute of Certified Public Accountants”. This framework provides a report at the end of every financial year that reflects a company’s way of safeguarding customers’ information and efficiency in controlling operations in reducing cybersecurity threats (us.aicpa.org, 2021). Most of the service providing companies like AirMSky utilises this framework to establish trust and confidence with customer base. The provided company in this case study uses “cloud service providers” for keeping a large database that includes information of customers. Hence, SOC2 framework ensures this company is going to identify any recognizable risks from third-party technologies. The report generated from this framework covers up certain areas of a business such as Availability, Confidentiality, Privacy and Security. As opined by Steinbart et al. (2018), information from all these four aspects provides the current position of a company in handling cybersecurity threats. Hence, AirMSky needs to incorporate this framework to prepare a robust business model and generate a report to gather confidence in its customers.
The formulated report from SOC2 framework have users that wants to know
- The form of service a service organization is providing to its customers
- The insight of a service organisation’s system interaction with user entities and varied parties.
- The internal control lies with information security governance.
Gathered information from such a report indicates a service company includes “Trust Service Principles” and requires equal effort from internal management as well as auditors to prepare the report. This effort is mandatory as testing internal control is highly required for a specific period and where auditors conduct certain testing procedures. As opined by Seitkulov et al. (2020), sample testing is one of the major testing actions that provides an in-depth analysis to manage internal function with full efficacy over a specific time frame with producing documentation behind each activity. Hence, utilizing this testing mechanism AirMSky can produce documents that create evidence on operational effectiveness. Furthermore, this company can generate ideas on providing training on security awareness to employees related to expansion business to achieve efficiency.
Rationale of the framework:
Aligning a service providing business mechanism with the SOC2 framework ensures an advantageous outcome at the end of a specific period. This framework engages with certain principles that provide an outperformed result. Justifications in using this framework are as follows:
- Security: Unauthorized accesses within a company’s information assets are being barred that includes both logical and physical.
- Availability: Information and access to information assets are only available to individuals or parties agreed as well committed within a stated policy.
- Processing Integrity: The framework provides a robust system to a company that includes certain factors such as accuracy, timely, authorized and completeness.
- Confidentiality: Information within information assets are being designed in such a manner that is highly protected with several security checkpoints and available to agreed or committed individuals.
- Privacy: Stakeholders’ personal information are being collected, retained, used, disclosed and dismantled under the confirmation and commitments stated within entity’s privacy notice. The notice provides criteria to every service organisation that has been set by AICPA with a set of “Generally Accepted Privacy Principles”.
Justification of the approach
| Frameworks | Advantages | Disadvantages |
| ISMS Framework | ● This system tends to provide an overall protection to that of a diverse sets of company data.
● It reduces the cost in data flow as well. ● It provides an integrated approach to data protection. |
● This system needs constant updating in order to ensure its proper functioning every time.
● In this kind of framework password have to be put every time as well.
|
| Information Governance Framework | · An increasing use of this kind of method helps customers to get over various kinds of faulty data.
· This system ensures that customers have greater convenience when they go toi purchase various products as well as services. |
● In this system there is usually too much reliance upon usage of electronic data that tends to create problems in terms of storing these data
● Besides a highly sophisticated framework also is required here that tend to increase expenses at the initial stage. |
| ISO 27001 Framework | · A general adaptation of these kinds of methods tends to give organisations an edge over that of their numerous different competitors.
· Besides this kind of framework also helps to meet up with that of various governmental rules. |
· This framework is actually a framework of that of operations management module that needs to bre managed effectively.
· Handling the security section of this particular framework require talented team. |
Table 2: Frameworks to improve the organization’s security system
(Source: Created by author)
Task 3: Risk Assessment
Significance of information governance
Information Governance (IG) is a technique in which an organisation manages entire information related to personal as well as sensitive information related to each stakeholder. IG suggests a framework that creates an assurance every confidential informations is being dealt with effectively, efficiently, securely and legally. As started by Shayo et al. (2019), IG offers the internal workforce a clear structure that maintains clarity for incorporating policies related to cybersecurity in every action prominently to avoid financial loss from fraud. Hence, AirMSky needs to focus on this area of IG while performing business mechanisms.
Underlined key benefits within IG enhance its importance and rate of acceptance by most of the organizations.
- Converting business information into valuable one: IG converts normal data into valuable business information by including procedures and policies. This initiative is being taken in order to provide appropriate information to a user with proper accessibility (Morais et al. 2018). After usage of information gets over it is being removed through meeting regulatory compliance.
- Reduction in cost: IG enables quick discovery of information through e-Discovery technique. Hence, this smoothens up the path for auditors of a company to acquire documentation on an activity easily that reduces cost of manpower. Since an auditor is going to take less time to conduct an activity to assess whether proper cybersecurity actions are implemented or not.
- Improvement in decision-making technicality: Application of Big Data technicality is common among large enterprises. As stated by Nguyen et al. (2017), large organisations retrieve information related to daily activities from Big Data applications for interpreting trends and determining a correct decision related to business procedures. Hence, IG provides strategic steps to users for accessing the existing information to drive business agility.
Identifying Methodology
IG includes risk assessment methodologies for achieving better outcomes and presenting a better brand image in front of existing stakeholders. Scenario Analysis is one of the most acceptable quantitative risk management techniques. The given company in this case study AirMSky can include scenario analysis technicality within IG policies and regulations for minimizing cybersecurity threats. As suggested by Mirtsch et al. (2020), scenario analysis refers to a procedure where inputs on any business element help to identify any risky area for the organisation that leads to large loss. Cybersecurity threats are not easy to identify as a result any minute information cannot be ignored that creates doubt. AirMSky is going to expand business as a result giving value to both internal and external stakeholders is necessary to enhance brand equity. Hence, even if a single employee points out data theft activities going on within the organisation, the entire internal management needs to analyse the in-depth scenario. This effective initiative ensures the organization can protect confidential information with full privacy.
Financial risk is the primary vulnerable area that a company faces from cybersecurity threats. As a result with the support of scenario analysis AirMSky’s internal management needs to assess risk of every scenario. Enhancing foreseeing capacity helps an organisation to identify outcome from a scenario that paves a path to make better strategic decisions. As suggested by Fonseca-Herrera et al. (2021), an organisation faces a lot of scenarios as result measuring severity and probability score is highly required to prioritize scenarios to focus. Ranking each scenario according to each scenario is going to help this company to look over more vulnerable scenarios to minimize the level of risk from cybersecurity threats. Furthermore, outcome of scenario analysis is going to identify the best way to adapt, revolver and respond to each scenario for reducing severity rising from business operations. Prioritizing the company’s deficiencies is going to help identifying remediations as well as scheduling IG techniques for implementing additional countermeasures. The changing business environment leads a path to every organization to adopt advanced software to function effectively. Hence, risks are also rapidly changing with the dynamic adaptation of varied software (Al-Qatamin and Al-Omari, 2020). Continuously monitoring is the only way out for a service providing organization like AirMSky to take immediate action on a new threat within software. Preparing active shooters within every scenario is also a quick solution based action can be taken from on the basis of scenario analysis outcome of each scenario.
| Risks | Information assets | Impact | Likelihood | Type | Vulnerabilities |
| Mismanagement if efficient data tends to create serious threats for MSky organisation in the long run. | In order to reduce occurrence of this kind of issues a proper system of data governance have got to bru implemented in this organisation. | High | High | Qualitative | In organisations that tend to dcal with that of Information security systems, Customers can and employees can become extremely vulnerable in case o0f data breach. This have got to be rfeduced to provide more flexibility. |
| Data breaches or leakages creates risk for this organisation | Management of this organisation need to come up with an efficient plan in order to help this organisation deal with recurrent issues of data breaches effectively. | Medium | Medium | Qualitative | Security system need tro be developed as inefficient security system tends to make a business more susceptible to threats. |
| Loss of important internal data of an organization | In this scenario MSky need to adopt that kind of a technique that is going to give more convenience to its various stakeholders. | High | Medium | Quantitative | Certain specific areas like that of installation of that of a proper system to secure data networks sometimes become difficult for various small organisations. |
Table 3: Risk assessment for Air MSky
(Source: Created by author)
Recognizing information assets and related threats
Information assets contain sensitive data of an organisation that requires high security for accessing. These assets refer to network security or computer security protecting assets that also guides a business to perform information-based activities effectively. As stated by Hong and Park (2020), vulnerability of such assets signifies weaknesses currently existing that create a scope of risk for an organisation. In this given scenario, AirMSky will have to identify vulnerability of its existing information assets through determining various scenarios and determining analysis. Financial loss, damage of brand equity, loss of privacy and legal implications are the recognisable losses a company might have to bear risk from vulnerability. Simple calculation of risk is multiplying vulnerability with threat. Risk management plan with proper IG regulation and policies has help to determine requirements of risk assessment to minimize breaches of information. Currently, cyber attackers are trying to steal data for gaining access to financial statements (Agustin et al. 2020). Therefore, AirMSky needs to incorporate this framework to prepare a robust business model and generate a report to gather confidence in its customers. Overall it can be judged that this company needs to focus on entire mechanism for achieving maximum profitability from the business expansion plan.
Conclusion
This data is generally brought off by that of a diver4se range of competitor companies as well who purchased this information to analyse diverse trends in that of customer behaviour that is currently influencing diverse purchaser decisions.
Sometimes organizations do not tend to have a centralized and integrate4d approach that is essential to protect various data in order to protect it from that of various hackers. But gradually organisations need to build up their respective capacities in order to protect loss of essential data.
References
Journals
Agustin, A.P., Paramita, R.W.D. and Liyundira, F.S., 2020, September. GOOD CORPORATE GOVERNANCE ON DEBT COSTS WITH VOLUNTARY DISCLOSURE AS A MODERATING VARIABLES. In Proceedings Progress Conference (Vol. 3, No. 1, pp. 27-30).
Al-Qatamin, A.A. and Al-Omari, M.H., 2020. A study of the effect of information technology governance on quality of information technology services: The case of Jordan Customs Department. Review of Integrative Business and Economics Research, 9, pp.41-55.
Baig, Z.A., Szewczyk, P., Valli, C., Rabadia, P., Hannay, P., Chernyshev, M., Johnstone, M., Kerai, P., Ibrahim, A., Sansurooah, K. and Syed, N., 2017. Future challenges for smart cities: Cyber-security and digital forensics. Digital Investigation, 22, pp.3-13.
Fonseca-Herrera, O.A., Rojas, A.E. and Florez, H., 2021. A model of an information security management system based on NTC-ISO/IEC 27001 standard. IAENG Int. J. Comput. Sci, 48(2), pp.213-222.
Hong, S.W. and Park, J.P., 2020. Effective Management of Personal Information & Information Security Management System (ISMS-P) Authentication systems. Journal of the Korea Academia-Industrial cooperation Society, 21(1), pp.634-640.
Kiss, M. and Muha, L., 2018. The cybersecurity capability aspects of smart government and industry 4.0 programmes. Interdisciplinary Description of Complex Systems: INDECS, 16(3-A), pp.313-319.
Linkov, I., Trump, B.D., Poinsatte-Jones, K. and Florin, M.V., 2018. Governance strategies for a sustainable digital world. Sustainability, 10(2), p.440.
Mirtsch, M., Kinne, J. and Blind, K., 2020. Exploring the adoption of the international information security management system standard iso/iec 27001: A web mining-based analysis. IEEE Transactions on Engineering Management, 68(1), pp.87-100.
Morais, M.O., Pinto, A.C.F. and Klotzle, M.C., 2018. Scenario analysis in the BNDES experience: integrating operational risk management with the measurement of capital. Revista Contabilidade & Finanças, 29, pp.283-296.
Nguyen, V.H., Kolp, M., Wautelet, Y. and Heng, S., 2017. Aligning Requirements-driven Software Processes with IT Governance. ICSOFT, 46, pp.338-345.
Seitkulov, Y.N., Boranbayev, S.N., Tashatov, N.N., Davydau, H.V. and Patapovich, A.V., 2020. Speech information security assessing in case of combined masking signals. J. Theoret. Appl. Inf. Technol, 98(16), pp.3270-3281.
Shayo, C. and Lin, F., 2019. An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function. Journal of Computer Science, 7(1), pp.1-20.
Steinbart, P.J., Raschke, R.L., Gal, G. and Dilla, W.N., 2018. The influence of a good relationship between the internal audit and information security functions on information security outcomes. Accounting, Organizations and Society, 71, pp.15-29.
Taeihagh, A. and Lim, H.S.M., 2019. Governing autonomous vehicles: emerging responses for safety, liability, privacy, cybersecurity, and industry risks. Transport reviews, 39(1), pp.103-128.
Vitunskaite, M., He, Y., Brandstetter, T. and Janicke, H., 2019. Smart cities and cyber security: Are we there yet? A comparative study on the role of standards, third party risk management and security ownership. Computers & Security, 83, pp.313-331.
Websites
gov.uk (2021) Cyber Security Breaches Survey 2021Available at:https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021 [Accessed on 21st December 2021]
us.aicpa.org(2020) SOC for Service Organizations: Information for Service Organizations Available at https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement#:~:text=Type%202%20%2D%20report%20on%20the,description%20throughout%20a%20specified%20period [Accessed on 21st December 2021]
Know more about UniqueSubmission’s other writing services:
