Information Security Assignment Sample
Q1
We will start the class with some general discussion around the protection mechanisms mentioned in the lecture notes for this week. These are described in more detail in chapter 12 of Whitman and Mattord (2019), so it would be helpful if you looked at this chapter first.
The mechanisms that we could cover include:
• Access controls
• Monitoring systems
• Logging and audit trails
• Firewalls
• Intrusion detection systems
• Scanning and analysis tools
• Wireless networking protection
• Encryption systems
For your submission, look at encryption systems and write a paragraph on the differences between symmetrical and asymmetrical encryption systems. When would you choose one over the other? What is a common use of asymmetrical encryption?
Q2
Select a section of the ISO 27002:2013 standard at the control level from section 12 (Operations Security). The control level is at the 3rd layer down, for example: '12.2.1 Controls against malware' has a control as its primary feature. We are trying to get a reasonable spread of these controls throughout the class so try to do this at random from section 12. [See the week 4 tutorial work if you need to know how to get a copy of the ISO 27002 standard.]
With respect to the control, consider the following issues (and include in your submission):
• should it be generally accepted (or generic, in that it should apply to all organisations using the standard), or company-specific (in that it should only apply to some organisations, based on the local circumstances)? (Justify your answer).
• can you find evidence from academic literature supporting the need for the control that you have selected (you may need to do a quick google scholar search)? One or two articles should be sufficient for this question.
• if this evidence is not apparent in the literature, how could this evidence be obtained to validate the need for such controls, as distinct from just relying on 'best practice'?
Note that these questions are exploring the differences between 'best practice' (an expert consensus model) and academic evidence. Typically, standards like ISO 27002 are best practice models and are usually derived by groups of experts meeting to discuss the contents, and subsequently reaching some form of consensus about what should go into the standard and how it should be structured. This is quite different from academic literature where empirical evidence is used to substantiate claims.
Q3 Humphreys (2008) notes that:
"ISO 27001 is a standard that can be used by all these sectors [healthcare, transportation, telecommunications, finance, food supply, utilities, public services and others - my addition for clarity] and is not dependent on whether the organisation is small, medium and large sized company" Does this have the risk of making it too generic, and not providing sufficient practical and useful guidance to organisations?
References
Humphreys E (2008) 'Information security management standards: Compliance, governance and risk management', Information Security Technical Report, 13(4):247-255.
ISO (2013) ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls, International Standards Organisation, Switzerland.
Whitman ME and Mattord HJ (2019) Management of information security, 6th edn, Cengage Learning.
Solution
Question 1
Describing current business and individual scenarios without technology is not possible. Cyber criminals and scammers have been affecting the data of millions of users in the recent time period, so it is important to encrypt everything to prevent cyber crime and scam-related incidents (Zhang, 2021). Following recent technological development, there are two major encryption approaches: asymmetric encryption and symmetric encryption. The symmetric encryption approach uses the same key for encrypting and decrypting data. The asymmetric encryption approach, on the other hand, uses a pair of keys: a public key for encrypting data and a private key for decrypting it (Chen et al. 2023). The symmetric encryption method is comparatively faster than the asymmetric encryption method. Asymmetric encryption should be applied when encryption systems such as email security and web security require a key exchange facility over a public network.
Asymmetric encryption is categorised as a better technique for digital signing than other methods. Both symmetric and asymmetric encryption systems can be used in this sector, but the asymmetric encryption method is crucial for transferring large amounts of data at a rapid pace (Gafsi et al. 2020). In the asymmetric encryption method, the private key must not be derivable by the public, which makes it possible to distribute the public key freely without compromising confidentiality.
Question 2
Section 12 of ISO 27002:2013 gives adequate attention to ensuring correct and secure operation of information processing facilities. It is crucial for introducing proper protection against loss of data, and it also ensures appropriate recording of events and generation of evidence (Iso.org, 2023). Data-related issues are not limited to any local community, and geographical territory does not affect the overall sustainability of data. Based on the actual guidelines, it can be stated that section 12 should be generally accepted, as the different approaches or types of business cannot change the actual method of gathering and storing data.
Controls against malware are an integral part of section 12 of ISO 27002:2013, and the control indicates that individuals or business organisations can conduct data quality and software reviews of applications to monitor and investigate the actual condition. As stated by Diamantopoulou et al. (2020), increasing awareness among individuals regarding data literacy and malware-related literacy might help to ensure complete protection. It helps to introduce a structured risk management policy in the context of controlling malware.
Depending on the best-practice method can be categorised as one of the most effective approaches to enhancing data security at the individual or business level. Large multinational organisations generally invest huge amounts in research and development to ensure integrity in data protection. Small and medium-sized business organisations might face problems investing such huge amounts in their initial days due to lack of investment, so they can depend on the evidence collected from best practices.
Question 3
ISO 27001 is considered a widely accepted element in multiple industries such as transportation, telecommunications, food supply, finance, public services and many others. Most business organisations used to believe that IT is the major element in protecting information, but real-life evidence indicates that it is not the key element (Humphreys, 2008). For instance, business organisations already have the required technology within their systems to protect information, but data breach incidents have happened due to the lack of knowledge of their employees.
ISO 27001 is categorised as a methodology for business organisations to identify potential incidents that could happen to their businesses (Iso.org, 2023). It is a universal approach for defining the specific positives for changing the behaviour of employees to prevent data breach incidents. However, the cultural characteristics of each business differ from others, and it is important to introduce proper flexibility in the adaptation of the methodology. Business leaders can adjust strategies according to real-time data, which has the potential to provide the best quality outputs. Business organisations of different sizes and profitability can use the basic guidelines of this framework and improve the overall integrity of their data. Data breach incidents are similar across different industries, and the generic approach is sufficient to mitigate this issue.
References
Chen, C.L., Lim, Z.Y., Xue, X. and Chen, C.H., (2023). Symmetric and Asymmetric Encryption in Blockchain. Symmetry, 15(2), p.458.
Diamantopoulou, V., Tsohou, A. and Karyda, M., (2020). From ISO/IEC 27002:2013 information security controls to personal data protection controls: guidelines for GDPR compliance. In Computer Security: ESORICS 2019 International Workshops, CyberICPS, SECPRE, SPOSE, and ADIoT, Luxembourg City, Luxembourg, September 26–27, 2019, Revised Selected Papers 5 (pp. 238-257). Springer International Publishing.
Gafsi, M., Hajjaji, M.A., Malek, J. and Mtibaa, A., (2020). Efficient encryption system for numerical image safe transmission. Journal of Electrical and Computer Engineering, 2020, pp.1-12.
Humphreys E (2008) 'Information security management standards: Compliance, governance and risk management', Information Security Technical Report, 13(4):247-255.
Iso.org, (2023). ISO/IEC 27001:2013. Available at: https://www.iso.org/standard/54534.html [Accessed on 20.03.2023]
Iso.org, (2023). ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls. Available at: https://www.iso.org/standard/54533.html [Accessed on 20.03.2023]
Zhang, Q., (2021), January. An overview and analysis of hybrid encryption: The combination of symmetric encryption and asymmetric encryption. In 2021 2nd international conference on computing and data science (CDS) (pp. 616-622). IEEE.