Cis8018 Strategic Information Security Answers Assessment Answer

iii) Processes: This particular component ensures that the security program is efficient and repeatable and security activities are performed.

1. iv) Measurement: The measurement of security program helps in determining the various improvements required to be made.

Current Roles and Titles of the Security Personnel of ANSTO and Recommendations for Improvements 

ANSTO has kept some of the most significant and important security personnel and these people are responsible for maintaining the security within their organization (Xu et al. 2014). These are as follows:

1. i) Chief Security Officer: The chief security officer is responsible for maintaining overall the security of the organization. This particular person has the duty to observe the works of the security guards and provide them instructions properly. This person requires to be clearly visible as well as vigilant so that there is no loophole in the security of the organization.
2. ii) Chief Technical Officer: The chief technical officer of ANSTO is responsible for maintaining the confidential information and data and even the hardware and software of the company (Safa, Von Solms and Furnell 2016). The IT related all details are to be notified to him and if there is any type of discrepancy noted, he has the authority to undertake necessary actions against the specified person. There are other subsequent duties as well. Several technicians and employees work under this particular chief technical officer and all of them have to report to this officer. There could not be any change or alteration without the permission of the chief technical officer.

The security program of any organization should be updated and changed eventually for maintaining a proper balance of the information and their protection by the security personnel (Andress 2014). The few recommendations for the purpose of improving the security program within this organization of ANSTO are as follows:

1. i) Ensuring Executive Support: The first and the foremost recommendation that is required for the betterment of the organization of ANSTO is to ensure the executive support. The end user awareness should have a complete support to the top executives as well as the middle managers for becoming successful (Sommestad et al. 2014). Hence, the information flow would be possible easily and promptly.
2. ii) Focusing on the Changed Behaviours of Employees: Another important and significant recommendation for the maintenance of the information security within the organization of ANSTO is focusing on the changing behaviours and hence improving the security. This could only take place when the people could make relevant decisions and act in such ways that the risks are reduced in each and every aspect (Parsons et al. 2014). The organizational employees should be aware of the threats and risks associated with the systems.

iii) Solicitation of End User Ideas: Another important and noteworthy recommendation to improve the security program of ANSTO is by the solicitation of the end users’ ideas and encouraging the feedbacks. Moreover, the success or growth of the security program should also be measured effectively and efficiently by the respective security personnel.

Determination of ISO Security Standard

The organization of ANSTO is eventually following the ISO security standard of AS/ NZS ISO/ IEC 27001:2006 for their information securities (Disterer 2013). This particular standard is prepared for providing the model to form, deploy, function, monitor, evaluate, maintain as well as improvise the management system of information security. The adoption of this particular ISO security standard has also provided the strategic decision to the company of ANSTO (Safa et al. 2015). The design or implementation of the information security system of this company is majorly influenced by the various objectives and needs, processes employed, size or structure and security requirements. It is majorly expected that the supporting system of the organization should be changed time to time (Shropshire, Warkentin and Sharma 2015). The main goal of this type of information security is the proper balanced protection to gain three factors of confidentiality, integrity as well as availability for the maintenance of efficient and effective policy implementation and hence not hampering the productivity of the company.

This particular international information security standard even helps in adopting the process approach for the proper maintenance of the organizational information security system (Ab Rahman and Choo 2015). This specific process approach to the information security management for emphasizing on the size of the organization. Hence, the objectives as well as policies are subsequently established here and proper controls are being undertaken by them for managing each and every risk or threats. This organization of ANSTO has also monitored and reviewed the overall effectiveness and performance of the system of information security and hence the objective measurement is done for the continuous improvement of the organizational processes (Baskerville, Spagnoletti and Kim 2014). The international standard of AS/ NZS ISO/ IEC 27001:2006 is substantially aligned with ISO 14001:2004 and ISO 9001:2000 for supporting their integrated and consistent deployment as well as operation with the related strategies of management.

Suitable Security Model of ANSTO

The major responsibilities of this information security majorly include establishment of the collection of several business processes for the purpose of protecting the information assets irrespective of the fact that how this information was formatted (Ahmad, Maynard and Park 2014). The security model of any organization is the specific scheme that helps to specify as well as enforce the several security policies. This particular security model might be founded on the official model of the access right, model for the dispersed computing as well as the model for computations. The computer security model is usually implemented by taking the help of a particular security policy and hence it is always accurate and perfect and thus is being utilized by almost all organizations (Kolkowska and Dhillon 2013). There are some of the important and significant security models present in the technological world. Amongst them, the most suitable security model for this organization of the ANSTO is the Clark Wilson model.

The Clark Wilson integrity model is responsible for providing a specific foundation to specify and analyse the integrity policy for any particular computing system (Tamjidyamcholo et al. 2013). The Clark Wilson model is majorly concerned about the formalizing of the notion of the information integrity. Since, ANSTO is a nuclear science organization, information integrity is highly required. It is properly maintained by the prevention of the data items corruption either for the malicious intents and errors. The integrity policy subsequently describes the procedure of keeping the data items valid from any one state of their system to the other and even specified the major capabilities of the several principals within the systems (Webb et al. 2014). Hence, ANSTO would be highly benefitted if they would implement the Clark Wilson model; since this model defines the enforcement rules as well as certification rules.

Determination of the Suitability of Certification

 The Australian Nuclear Science and Technology Organisation should implement certification within their business (Cardenas, Manadhata and Rajan 2013). Certification is extremely vital and significant for any organization since it helps to maintain the adequacy of the information system security standards for each and every requirement of the organization. The issue of the security standards and methods are addressed with the certifications for the core purpose of enabling the analysis, evaluation and controlling of the security of the information system (Layton 2016). One of the most significant application of these security methods majorly involve the various checklists and guidelines that could allow avoiding the misses or lapses within the proper adoption or implementation of the security procedures or measures. Moreover, the critical processes and vulnerabilities regarding the information security is extremely important for ANSTO (Ahmad, Maynard and Park 2014). The respective discipline is being standardized and the basic guidance, industry standards and policies are set and collaborated for passwords, firewalls, legal liabilities, anti virus software and encryption software. There are some of the major objectives of these programs of information security and these objectives are the confidentiality, integrity as well as availability of the business related data or the IT systems (Shropshire, Warkentin and Sharma 2015). All of these objectives eventually ensure that the sensitive information could only be disclosed to the authenticated parties and the integrity of data is being maintained and modified. Hence, certification is extremely suitable for ANSTO.

Threat Identification and Risk Assessment for ANSTO

A specific process of risk management is present that help in identifying the threat sources, potential impacts, vulnerabilities, assets as well as possible controls (Baskerville, Spagnoletti and Kim 2014). The effectiveness of the risk management plan is also assessed here. The threats and risks are responsible for bringing major vulnerabilities within any specific organization and hence affecting the information security. ANSTO, being a nuclear organization, might face some of the most important and significant threats, which should be mitigated on time for maintaining their confidential information and data properly and perfectly (Parsons et al. 2014). The major and the most significant and noteworthy threats for the information security of ANSTO are given below:

1. i) Social Engineering Attacks: The first and the most important threat for the organization of ANSTO information security would be the social engineering attack. This particular attack manipulates the people to perform various actions and to divulge the confidential information for any type of malicious reason (Ab Rahman and Choo 2015). The best example of this attack is phishing.
2. ii) Disclosure of Passwords: The second important and significant threat of the organization is disclosure of passwords. These passwords should not be disclosed at any cost and hence should be kept in secret.

iii) Accessing of Network: Since ANSTO is a nuclear organization, there should not be any loophole for information security (Safa, Von Solms and Furnell 2016). The network should be accessed by the unauthorized persons under any circumstance.

1. iv) Errors in the Maintenance of Hardware: The hardware plays the most vital role in securing the confidential information for all companies. Hence, the several errors for the maintenance of the hardware could be extremely vulnerable. Moreover, the hardware could even be stolen by the respective attackers.
2. v) Human as well as Natural Disasters: These are the next significant and important threats that are quite common for the organization of ANSTO (Yang, Shieh and Tzeng 2013). The human disasters majorly involve the tampering and vandalism of information by the staffs and employees of ANSTO; however the natural disasters involve the volcanoes, storms and earthquakes.
3. vi) Destruction of Confidential Records: The next important and significant threat of the information security of ANSTO is the respective destruction of records (Siponen, Mahmood and Pahnila 2014). As this company deals with nuclear data, the sensitive records should not be destructed at any cost.

The risk assessment of all the identified risks and threats within this organization of ANSTO is as follows:

Serial Number	Identified Threats or Risks	Impact of the Identified Risks
1.	Social Engineering Attacks	Medium
2.	Disclosure of Passwords	High
3.	Accessing of Network	High
4.	Errors in the Maintenance of Hardware	Low
5.	Human as well as Natural Disasters	Medium
6.	Destruction of Confidential Records	Extreme

Table 1: Risk Assessment of the Identified Risks of ANSTO

Conclusion

Therefore, from this above report, a conclusion can be drawn that the information security can be described as the distinct set of several strategies, which help in managing the various processes, policies as well as tools that are solely needed for the proper exposure, prevention, countering and finally documenting the probable threats to any type of digitalized or non digitalized organizational confidential information. A proper process of risk management is being conducted, by which the threats as well as vulnerabilities could be continuously assessed for applying protective controls. The above research report has clearly outlined a brief discussion on the organization of ANSTO regarding its security program. Various details such as threat identification, ISO security standards, and current roles of the security personnel are provided in this particular research report. Moreover, the suitable security model is also chosen here and the suitability of the certification is determined properly. Relevant recommendations are also provided in this research report for improving the entire security structure of the ANSTO.

References

Ab Rahman, N.H. and Choo, K.K.R., 2015. A survey of information security incident handling in the cloud. Computers & Security, 49, pp.45-69.

Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.

Andress, J., 2014. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.

Ansto.gov.au. 2018. ANSTO | Australia’s Nuclear Science and Technology Organisation. [online] Available at: https://www.ansto.gov.au/  [Accessed 18 Oct. 2018].

Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & management, 51(1), pp.138-151.

Cardenas, A.A., Manadhata, P.K. and Rajan, S.P., 2013. Big data analytics for security. IEEE Security & Privacy, 11(6), pp.74-76.

Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R., 2013. Future directions for behavioral information security research. computers & security, 32, pp.90-101.

Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(02), p.92.

Kolkowska, E. and Dhillon, G., 2013. Organizational power and information security rule compliance. Computers & Security, 33, pp.3-11.

Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. Auerbach Publications.

Parsons, K., McCormac, A., Butavicius, M., Pattinson, M. and Jerram, C., 2014. Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Computers & Security, 42, pp.165-176.

Peltier, T.R., 2013. Information security fundamentals. CRC Press.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.

Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T., 2015. Information security conscious care behaviour formation in organizations. Computers & Security, 53, pp.65-78.

Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.

Shropshire, J., Warkentin, M. and Sharma, S., 2015. Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers & Security, 49, pp.177-191.

Singh, G., 2013. A study of encryption algorithms (RSA, DES, 3DES and AES) for information security. International Journal of Computer Applications, 67(19).

Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.

Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing information security policy compliance: a systematic review of quantitative studies. Information Management & Computer Security, 22(1), pp.42-75.

Tamjidyamcholo, A., Baba, M.S.B., Tamjid, H. and Gholipour, R., 2013. Information security–Professional perceptions of knowledge-sharing intention under self-efficacy, trust, reciprocity, and shared-language. Computers & Education, 68, pp.223-232.

Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. computers & security, 38, pp.97-102.

Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & security, 44, pp.1-15.

Xu, L., Jiang, C., Wang, J., Yuan, J. and Ren, Y., 2014. Information security in big data: privacy and data mining. IEEE Access, 2, pp.1149-1176.

Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 232, pp.482-500.