Prepare a report on Security Management and Governance. 

Introduction

With the growing technology and use of the internet, it was never so easy for our teachers and students to create information, communicate them and store them. Students and teacher now have a quick access to information, and peer classes have no access to education from anywhere in the world.  School and colleges now can easily create, transfer and store data in a more convenient way. Apart from this, grants are being rewarded too many schools, which allow for the purchase of technical equipment, which otherwise does not have financial access. (Kritzinger & Smith, 2008)
Unfortunately, with this amazing technique available, there are numerous security issues that used to arise.  It is the duty of every parent and school staff to get together and work with each other to teach their children about how to use safe while using the technology. 

Information Security at School

Like some other business, schools now rely upon Internet and broadband administrations for everyday exercises and activities. These innovations have brought a tremendous scope of chances and advantages, which give news strategies to help to instruct and training and to streamline activities and managerial procedures. (Andress, 2014)
Moreover, they additionally bring numerous kinds of risk, which are not legitimately overseen and kept up: These dangers incorporate the loss of sensitive, secret individual information, and possibly, where the administration of the security administrations is harmed or Fails, less or lost limit occasions for booking and planned learning and learning
We will setup an IT governance which will define how the decision will be made in school and will ensure that it will align with the aim and objectives of school that will deliver values to the school. Because of good IT governance in the education system, there will be a high amount of maturity and will guarantee that the school knows the worth of its investments in Information Technology. (Information Security Resources, n.d.)

Threats, vulnerabilities, and attacks

Using technology and the Internet through schools, schools are right to accept the ability and benefits of the cloud learning tool, but the responsibility of protecting sensitive data with greater connectivity is required. Here we will define different areas where there is a risk of threats, vulnerabilities, and attack. Even though these risks are applicable to any association with individual information and PCs, schools are especially exposed to many different risks identified with the safety of the internet, including: 
?    Exposure to violent, racist, sexually explicit and extremist content. 
?    Unfortunate contact with the individuals who may wish to abuse, exploit or spook the information.  
?    Online behaviors that can be very harmful to the students. 
Does an "effective approach" look like it is slightly subjective and may depend on the type of organization? In the experience of beaming, the safest administrations use suitable techniques, maintained with clear rules and, most prominently, a comprehensive user education. (Eloff & Eloff, 2005)
We will recommend following practices for schools to secure them self-form attacks, vulnerabilities, these are: 
1.    Senior Level Ownership: We will advise the advice of YMSC that a member of senior leadership team should be made responsible for security in schools
2.    Strong online border: For protecting the school from various attacks and vulnerabilities, we will advise YMSC to implement a strong firewall and gateway protection. 
3.    Implementation of content filter: In school, there is various youth who are having curious minds and these types of students need extra protection with the help of a content         filter. 
4.    Access Control: To reduce the risk of deliberate and accidental attacks, the effective procedure should be implemented by the school for managing user privileges for their           systems. Minimum access according to the use of users should be given. 
5.    Cold Storage: As the data of YMSC is stored on the cloud, we will recommend Cloud Storage Security in which we will provide strong data encryption. (Hong, Chi, Chao, &         Tang, 2003)

Legal and Regulatory

The YSMC has the responsibility to follow and adhere the various types of regulatory and legal requirements along with all current Australian laws. Following are some of the act for Information Governance in Australia: 
1.    Legally binding privacy guidelines and rules
2.    Privacy Act 1988
3.    Privacy Regulation 2013
4.    Freedom of Information (Charges) Regulations 1982
5.    Electronic Transactions Act 1999
6.    Digital Service Standard

Security Policy

A security policy covers a plan of goals for the organization, the principles of conduct for the client and the chairman and the system and administration, which by and large guarantees organize security and system networks in an association or school. A Security Policy is a "living report", which implies that the report never finishes, and it is always updated as a modification in the requirements of innovation and worker. (Doherty & Fulford, 2006)
AUP known as Acceptable Use Policy is one of the most common security policy. We will use the same policy in the YSMC. This policy defines how students and teachers are weather allowed or not and this even exist on the internet and intranet network. To avoid ambiguity or misunderstanding, AUP should be as clear as possible. For example, an AUP can list prohibited website categories.
Following are the benefits of Security Policy: 
1.    Used to protect students and teacher. 
2.    Rules set for Expected Behavior. 
3.    Authority is set for employees to monitor, analyze and investigate. 
4.    The result of violation is defined.

Components of Security Policy

?    Governing Policy: This is a treatment of the concepts of security at a very high level. Technical mentors and Administrators are the main target audience. The regulatory policy used to govern all the security-related contacts between the specialty units and the help divisions in the organization. With regards to extension, the overseeing strategy answers the "What" security policy questions.

 ?    End-User Policies: This record covers all security subjects that are imperative to end user. As far as extension level, EUP asks "what," "who," "when," and "where" the security policy at a proper level for an end user. 
?    Technical Policies: To carry out the requirements for the security of the system, security staff members use technical policies. This is an advanced version and more detailed than governing policy. In this, the “why” is decided by owner. (Knapp, Morris, Marshall, & Byrd, 2009)