Inf11109 Security Audit And Compliance Assessment Answers

Answer:

Introduction

Security management is a particular process that helps in identifying, recording, managing as well as analyzing the security threats or the security incidents in the present time. Security incident includes active threats as well as attempted intrusion for data breach (Ruefle et al., 2014). Examples of security incidents involves unauthorized access of data or policy violations that includes health, social security numbers, personally identifiable records as well as financial issues. The case study that is taken for this report is the data breach occurred in Marriott International. Marriott International is a leading global lodging company having their headquarter in U.K. that has more than 6,700 properties all over the world. This hotel group of Marriott International has announced that there was a massive data breach that had affected about 500 million guests. The data breach came from an unauthorized party that has access the database of Starwood guest authorization (Safa, Von Solms & Furnell, 2016). There was no specified amount about how much amount of money was beached in that incident. As a result of the data breach, Marriott International introduced an RSP model in the company for preventing any further data breach in the organization. This report addresses the RSP model and a detailed explanation of the model that is selected by the Marriott International. The reason for selecting the RSP model is addresses with a diagram that shows the details of the RSP model. Detailed model explanation with a discussion evaluating relation of the information security processes are explained.

Model Selection

The model that is selected for Marriott International is the RSP model. RSP model states Regions Security Policy (RSP) that is applied to regions of network security. This model is has a network architecture for network organizations by grouping the modes in regions that are based on some common purposes. There are many other models of security handling that includes SANS, CERT, ISO, and NIST model. The model selected for this organization is mainly based on all the methodologies that are included in all other security handling models. This particular model includes combination of all the processes that are in other security models. The aim of RSP security model is that this provides the organization with a systematic way of detecting data breach along with coherent approach to detect the processes as well as shows prompt reaction to the security incidents in the company.

This security model has been selected for Marriott International has four different stages that is shown below. The stages that are shown in the diagram are planning and the preparation stage, Use stage, review and the last stage is the improvement stage (He & Johnson, 2017). The model selected is mainly based on the PDCA (Plan, Do, Check and Act) concept and this security model is very much flexible in adopting the environment of ISO. This model does not includes and role of the stakeholders to design in the model of security incident. This model also does not provide any framework for the recovery.

As the steps are divided in four different stages, it is very easy to keep a track on the data involved in the organization. The planning and preparation stage helps in preparing a detailed planning for detecting as well as how to reacting for the security breach. The use stage can help Marriott International to detect and report the breach and evaluate them accordingly (Rahman, Cahyani & Choo, 2107). There is also a review stage and improvement stage that helps to improve the security in Marriott International. Review helps the analyst of Marriott International to review all the steps that are taken for analyzing and evaluating the data breach and further improvements includes in further improvement that can be made in future.  A detailed explanation of the RSP model of security handling is explained in the section below.

Model Explanation 

This report based on the information security handling model based on the report of Marriott International. This report has focused on the impacts of Regions Security Policy (RSP) Model, which would be helpful for handling the information security systems and technology within the hotel business (Cheng et al., 2013). The report is based on the revealing of massive form of data breach in Marriott International that would have affected around 500 million guests. These guests have submitted their credentials to the hotel reception during their stay at the hotel. These credentials included name, addresses, passport number and other information, which could have been stolen by hackers for their personal use.

Based on the incident of data breach, there could be a suggestion of using of a information security model that could be proposed for the organisation in order to prevent such kind of incidents in the future (Duffield, 2014). The RSP model could be defined to provide a new kind of look at the network architecture of the organisation. This model is primarily based on the methodologies that would be proposed by NIST, SANS, ISO and CERT model. The primary objective of the model is based on providing a coherent and systematic approach based on the process of detecting and reacting to several incidents of security. This model would comprise of four stages, which could be discussed as:

1. Planning and Preparation– This stage is considered as the primary stage based on providing a definition for the detection and reacting to different forms of abuse on the IT systems (Nelson & Staggers, 2016). The different kinds of actions would be mainly based on developing of a proper organisational structure. This could be achieved based on three layers: Process Layer, Organisation Layer and Technology Layer.
2. Use Stage– This is considered as the secondary stage. This stage would be able to constitute the primary part based on the presented process of detecting and reacting to several IT systems (Crossler et al., 2013). There are some of the steps that have been defined within the use stages. These include:

• Detection and Reporting– This phase would be able to focus on the collection of events that would be entirely connected based on IT security. This would be able to report to the concerned people within the proper time interval.
• Evaluation and Making of Decisions – In this phase, the classification of abuse would be conducted along with the proper form of assessment based on the impact of IT environment (Skopik, Settanni & Fiedler, 2016). During this phase, the different forms of vital decisions that would be concerned on the seizure of evidences and their analysis would be made.
• Reaction– There are some kinds of actions, which would be taken based on the classification of data based on abuse within the stages:

1. Publishing– Different kinds of contacts within the environment based on purpose of acquiring or passing of information would be detected.
2. Containment– All kinds of actions would be undertaken for the purpose of minimizing the negative kinds of influences within the IT environment of the concerned organisation.
3. Eradication– Different suitable measures would be connected based on the elimination of several kinds of factors that would make the abuse to be possible (Pearson, 2013).
4. Recovery– Various kinds of activities would be carried out based on restoring of normal kind of operational status within the IT system.
5. Review– Some of the following steps that would be conducted within the Review phase include:

• Analysis of different materials of evidences that would be located outside of the IT system based on the relation of abuse (Almorsy, Grundy & Müller, 2016).
• Preparing of various enhancements based within the IT environment that would be connected within the identified abuse (Soomro, Shah & Ahmed, 2016).
• Preparing of potential improvements based within the process of detection and reaction based on situations of abuse whenever different deficiencies would be discovered.
• Preparing of final report.

1. Improvements– This stage would mainly put focus on the implementation of processes such as prevention, correction and detection of mechanisms within the IT environment (Kshetri, 2013). This stage would also concentrate on the implementation of several enhancements within the processes of reaction and detection of IT systems within every layer.

Discussion 

Information Security Processes

Risk Management processes within Information Security could be defined as the processes of management of risks that would be associated within the use of IT systems within any concerned organisation. It would involve the certain processes such as identification, assessment and treating of risks. The final aim of the process is based on treating of risks based on according of the overall risks of the organisation (Baskerville, Spagnoletti & Kim, 2014). Different businesses should not eliminate the need of risk assessment. They should be able to seek the identification and achievement of an acceptable form of risk levels based within the organisation.

Role of Audit based on Information Security

An Information Technology (IT) audit could be defined as the examination of the controls of management within an IT infrastructure. Different kinds of IT audits should be able to determine whether the IT controls would be able to protect the assets of the company, ensure the integrity of data that would be aligned within the goals of the organisation (Rodrigues et al., 2013). The impact of audit within the Marriott International would be able to prevent such kind of systems from further kinds of IT data breaches.

Governance Issues Raised and Inclusion of Professional Roles

IT Security governance could be defined as the systems in which an organisation would be able to direct and control the IT security. Governance would be able to specify the framework of accountability (Flores, Antonsen & Ekstedt, 2014). This would be able to provide insight on ensuring of risks that the management would be able to ensure the risks and would be adequately mitigated.

Based on the consideration of the data breach incident at Marriott International, it could be considered that various professionals within an IT industry would be able to take responsibility of the protection of networks, computer systems and network architecture. The different roles of the people who would be able to handle the security of the systems include IT security engineers, Chief Information Officer (CIO), Chief Security Officer (CSO), Chief Technology Officer (CTO), Information Assurance Manager (IAM) and other computer operators (Hu, West & Smarandescu, 2015). These job of the IT professionals would mainly revolve around the protection of IT systems. These would include the infrastructure, network and every other areas of IT. Securing the information assets, data of customers, financial information would be very much essential for securing the primary information of customers within the hotel business.

Conclusion

From the discussion above, it can be summarized that security handling is an important part of an organization. There are many other models that handles the security incidents that occurs in a company. Marriott International that has been discussed in this report had faced a data breach which is explained in this report. As discussed above, Security management provides robust as well as comprehensive view related to any security issue within the company. Security incident includes active threats as well as attempted intrusion for data breach. Security management helps in identifying, recording, managing as well as analyzing the security threats or the security incidents in the present time. The management of security incident mainly utilizes combination of all the appliances, investigation that are human driven, as well as software system that are included in a data breach. This process basically starts with alert which states that the incident has already occurred and there is a need of engagement of a team who will be capable of handling the incident. There always remains a need of involving security handling incident model in a company and such a model is selected in this report for handling further data breach in Marriott International.

This report explained the RSP model and a detailed explanation of the model that is selected by the Marriott International. The reason for selecting the RSP model is addresses with a diagram that shows the details of the RSP model. Detailed model explanation with a discussion evaluating relation of the information security processes are explained.

References

Ab Rahman, N. H., & Choo, K. K. R. (2015). A survey of information security incident handling in the cloud. computers & security, 49, 45-69.

Ab Rahman, N. H., Cahyani, N. D. W., & Choo, K. K. R. (2017). Cloud incident handling and forensic?by?design: cloud storage as a case study. Concurrency and Computation: Practice and Experience, 29(14), e3868.

Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.

Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & management, 51(1), 138-151.

Cheng, L., Li, Y., Li, W., Holm, E., & Zhai, Q. (2013). Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers & Security, 39, 447-459.

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioral information security research. computers & security, 32, 90-101.

Duffield, M. (2014). Global governance and the new wars: the merging of development and security. Zed Books Ltd..

Flores, W. R., Antonsen, E., & Ekstedt, M. (2014). Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security, 43, 90-110.

He, Y., & Johnson, C. (2017). Challenges of information security incident learning: An industrial case study in a Chinese healthcare organization. Informatics for Health and Social Care, 42(4), 393-408.

Hu, Q., West, R., & Smarandescu, L. (2015). The role of self-control in information security violations: Insights from a cognitive neuroscience perspective. Journal of Management Information Systems, 31(4), 6-48.

Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and institutional evolution. Telecommunications Policy, 37(4-5), 372-386.

Nelson, R., & Staggers, N. (2016). Health Informatics-E-Book: An Interprofessional Approach. Elsevier Health Sciences.

Pearson, S. (2013). Privacy, security and trust in cloud computing. In Privacy and Security for Cloud Computing (pp. 3-42). Springer, London.

Rodrigues, J. J., De La Torre, I., Fernández, G., & López-Coronado, M. (2013). Analysis of the security and privacy requirements of cloud-based electronic health records systems. Journal of medical Internet research, 15(8).

Ruefle, R., Dorofee, A., Mundie, D., Householder, A. D., Murray, M., & Perl, S. J. (2014). Computer security incident response team development and evolution. IEEE Security & Privacy, 12(5), 16-26.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.

Skopik, F., Settanni, G., & Fiedler, R. (2016). A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers & Security, 60, 154-176.

Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.