Answer To: ASIA PACIFIC UNIVERSITY OF TECHNOLOGY & INNOVATION CT058-3-M – ISA (Information Security...
Akansha answered on Mar 12 2021
INFORMATION SECURITY ARCHITECTURES
Executive summary
Cyber security is the practice of ensuring the security and confidentiality of data. It gives an enterprise the ability to defend against attacks and to recover from accidents and failures, and it provides a way of dealing with the advanced and serious threats the enterprise faces. It requires planning for every component, critical analysis of the organisation's cyber security posture, and the application of network security across the organisation. Security helps keep company data safe. Management is required to build security standards for the systems and for employees, and to provide proper training. A cyber security programme helps prioritise operations and reduce the risk of attacks.
Table of Contents
Introduction
Task 1
1. ISO Framework
2. ISO 27001 Implementation Checklist
3. Background of the Company
4. Business Framework Plan
5. Key Elements of Cyber Security
Task 2
1. Introduction
2. Mission Statement
3. Vision Statement
4. Planning
5. Governance
6. Strategic Objective
7. Key Initiative
8. Conclusion
Task 3
1. Business Risk
2. Impact of Risk
3. Mitigation Strategy
4. Expected Outcomes
Conclusion
Introduction
Cyber security provides the plan for ensuring the integrity, availability and confidentiality of information. It is required to give the organisation the ability to recover from accidents such as power outages and from attacks by adversaries. A cyber security strategy also helps the organisation protect its information as workplaces trend toward cloud computing and BYOD policies. This study describes the ISO framework and the background of the company, covers the use and planning of a cyber security strategy, and describes the risks that can affect the business.
Task 1
1. ISO Framework
Large organisations are expected to follow the ISO structure, which has four major frameworks: ISO 27000, ISO 27001, ISO 27002 and ISO 27003. Based on the approaches of the different frameworks, this company has used the ISO 27001 framework[2]. This framework serves large organisations best, and an organised implementation checklist is also provided for it. ISO 27001 was published and issued in October 2005 under the specification number BS 7799-2. ISO 27001 strengthens the overall security system of the organisation by implementing strong elements within the system, furnishing a comprehensive security model that covers all aspects of the organisation. Five attributes are connected with the framework: Asset, Vulnerability, Threat, Risk and Control. An asset has a different value to different organisations, and any weakness within an asset is categorised as a vulnerability. [2: Iso.org, 2019. ISO. Available at: https://www.iso.org/isoiec-27001-information-security.html [Accessed 8 March 2019]]
The ISO 27001 framework mainly deals with vulnerabilities and threats to the organisation's information. The framework defines 11 major categories of controls and countermeasures, called Domains. These categories contain a total of 133 countermeasures for controlling the threats and vulnerabilities present within the company security system. Information under the framework is characterised by three main attributes: Availability, Integrity and Confidentiality[3]. Based on these three attributes, the organisation works through the possible threats and vulnerabilities within its security system: threats to the network are controlled in all parts of the framework, and vulnerabilities in the network are structured around the attributes above. The 11 domains of the ISO 27001 framework for dealing with threats and vulnerabilities are: [3: Iso.org, 2019. ISO. Available at: https://www.iso.org/isoiec-27001-information-security.html [Accessed 8 March 2019]]
· Security Policy
· InfoSec Organisation
· Asset Management
· HR Security[4] [4: Iso.org, 2019. ISO. Available at: https://www.iso.org/isoiec-27001-information-security.html [Accessed 8 March 2019]]
· Physical and Environment Security
· Communication and Operation Management
· Access Control
· Information System Division and Maintenance
· InfoSec Incident Management
· Business Continuity Management
· Compliance
Domain                                        Controls
Security Policy                               2
InfoSec Organisation                          11
Asset Management                              5
HR Security[5]                                9
Physical and Environment Security             13
Communication and Operation Management        32
Access Control                                25
Information System Division and Maintenance   16
InfoSec Incident Management                   5
Business Continuity Management                5
Compliance                                    10
Total                                         133 (Countermeasures)
Table 1: Domains
(Source: Iso.org, 2019)
[5: Bamford, James. The Puzzle Palace: Inside the National Security Agency, America's Most Secret Intelligence Organization. Tantor Media, 2018.]
The policies and standards of the ISO 27001 framework are built to deal with two modes of attack: attacks through technology and attacks through people, and the overall policies and standards are organised around these two categories. Attacks through technology have the highest priority in the ISO 27001 security management system; they include viruses, trojans, worms, DoS attacks, SQL injection, buffer overflows, brute-force attacks and password cracking. Attacks through people occur through abuse of privileges, social engineering, physical access to bypass controls, misuse of systems, password guessing, and theft of laptops or social media[6]. [6: Chapple, Mike, James Michael Stewart, and Darril Gibson. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. Hoboken: John Wiley & Sons, 2018.]
The areas covered by the domains range from the management area to the operational area. The Plan-Do-Check-Act (PDCA) cycle is used to develop the organisation's information security requirements and expectations. The cycle has four stages: Plan, Do, Check and Act. In the first phase (Plan), the information security requirements and expectations are established; this plan is also known as the ISMS. In the second phase (Do), the plan is implemented and the ISMS is operated according to its strategies. In the third phase (Check), the ISMS is monitored and reviewed. The last phase (Act) maintains and improves the ISMS. Completing the full Plan-Do-Check-Act cycle results in managed information security.
Establishing the ISMS is also based on a number of major steps, which are associated with the overall PDCA framework[7]. The establishment process for the ISMS follows these stages: [7: Alphand, Olivier, Michele Amoretti, Timothy Claeys, Simone Dall'Asta, Andrzej Duda, Gianluigi Ferrari, Franck Rousseau, Bernard Tourancheau, Luca Veltri, and Francesco Zanichelli. "IoTChain: A blockchain security architecture for the Internet of Things." In 2018 IEEE Wireless Communications and Networking Conference (WCNC), pp. 1-6. IEEE, 2018.]
· Scope for the company ISMS
· Policies and standards for the ISMS (Requirements and objectives)
· Systematic approach for overall risk management process
· Identifications of risks
· Assessment for all the risks
· Evaluation and treatment of the risks
· Specific controls for risk treatment and overall objectives
· Specific statement for applicability
· Approval from management for residual risks
· Authorisation process for implementation and operation
Figure 1: ISO 27001 Management Frameworks
(Source: Iso.org, 2019)
Implementation and operation process for the overall ISMS follows the following structure:
· Formulation of a risk treatment plan
· Implementation of the risk treatment plan
· Implementation of the selected controls[8] [8: Arfaoui, Ghada, Pascal Bisson, Rolf Blom, Ravishankar Borgaonkar, Håkan Englund, Edith Félix, Felix Klaedtke et al. "A security architecture for 5G networks." IEEE Access 6 (2018): 22466-22479.]
· Implementation of awareness programs and training
· Management process for the overall operations
· Management of all the required resources
· Implementation of all the procedures and controls required for detecting and responding to security incidents
Monitoring and reviewing process for the overall ISMS is structured by following the below-mentioned steps:
· Execution for the monitoring procedures
· Undertaking process for regular reviews
· Review process of residual risk[9] [9: Ferraiuolo, Andrew, Mark Zhao, Andrew C. Myers, and G. Edward Suh. "HyperFlow: A processor architecture for nonmalleable, timing-safe information flow security." In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1583-1600. ACM, 2018.]
· Conduction of internal audits
· Undertaking process of management review
Maintenance and improvement process of ISMS is structured by following below-mentioned steps:
· Implementation process of identified improvements
· Taking appropriate corrective and preventive actions
· Communication process for overall results
· Ensuring process of overall effectiveness for the structure
Several major documentation items must be prepared and evaluated to provide a proper ISMS for the company:
· Objectives
· Policies
· Procedures
· Scope
· Risk assessment methodologies
· Controls
· Risk treatment plan
· Protection and control of documents
2. ISO 27001 Implementation Checklist
Implementing the ISO 27001 framework in the organisation requires the following 16 steps, as per the ISO 27001 certification process:
· Obtain management support
· Treat the architecture as a large project
· Define the corresponding scope[10] [10: Khan, Minhaj Ahmad, and Khaled Salah. "IoT security: Review, blockchain solutions, and open challenges." Future Generation Computer Systems 82 (2018): 395-411.]
· Write a specific and complete ISMS policy
· Define the methodology used for Risk Assessment
· Perform the assessment of risk and treatment for the corresponding risk
· Write the statement of applicability
· Write the plan for risk treatment process
· Define the measurement of the effectiveness of controls[11] [11: Mayer, Nicolas, Jocelyn Aubert, Eric Grandry, Christophe Feltus, Elio Goettelmann, and Roel Wieringa. "An integrated conceptual model for information system security risk management supported by enterprise architecture management." Software & Systems Modeling (2018): 1-28.]
· Implement the overall controls and all the mandatory procedures
· Implement awareness programs and training program
· Operate the whole ISMS
· Monitor the whole ISMS
· Process for internal audit
· Review from top management
· Corrective as well as preventive actions
Potential issues in the existing architecture:
According to the overall structure provided by ISO, the 27001 standard provides the best possible solution for an organisation's security approach. In small and medium-sized organisations, however, it has been observed that risk assessment plans and risk mitigation procedures are minimal. With this management structure, the company is now facing a problem implementing its risk assessment plan, because the selection of security controls and the needs of the organisation are completely missing[12]. This part requires security expertise and a risk management plan to be implemented within the structure. The main problem with ISO 27001 is that it does not provide a complete list of controls. The framework also does not tell the organisation how to carry out the tasks; it only provides a framework, which on its own is not enough for the organisation. [12: Mugheri, Abdul Aziz, Murtaza Ahmed Siddiqui, and Mohammad Khoso. "Analysis on Security Methods of Wireless Sensor Network (WSN)." Sukkur IBA Journal of Computing and Mathematical Sciences 2, no. 1 (2018): 52-60.]
The company is also facing a problem with the overall guidance for implementing a risk management plan. ISO 27002 provides a complete list of controls for the framework, but the guidance is still incomplete for the overall structure. At every step of the architecture, the IT experts lack proper guidance on the overall risk management plan, so security expertise is again required for the system[13]. It has already been observed that an ISO 27001-compliant Information Security Management System can be implemented by the organisation without addressing all of the security measures in the framework. As noted at the beginning of the framework's overall structure, compliance with and external certification against ISO 27001 do not by themselves provide a secure system for the organisation. It has also been observed that the existing structure lacks a way of identifying the most critical data in the network system. [13: Nath, Atul Prasad Deb, Sandip Ray, Abhishek Basak, and Swarup Bhunia. "System-on-chip security architecture and cad framework for hardware patch." In Proceedings of the 23rd Asia and South Pacific Design Automation Conference, pp. 733-738. IEEE Press, 2018.]
3. Background of the Company
The organisation currently uses the CIS Controls framework, version 7, across the whole organisation. The key principles of the security framework are built around current attack-mitigation methods and authentication methods for the organisation. It has also been observed that the framework delivers the best results for dealing with several types of encryption and decryption methods. The CIS framework can work alongside other frameworks and provides consistency with other networks[14]. Operations management in the organisation is well structured, as it now operates with a large number of staff. This framework also structures the ecosystem for the overall company. [14: Sharma, Pradip Kumar, Mu-Yen Chen, and Jong Hyuk Park. "A software defined fog node based distributed blockchain cloud architecture for IoT." IEEE Access 6 (2018): 115-124.]
Structural changes to the preferred layout and format are established by this architecture and framework. The main issue with the framework is the lack of trained staff to maintain it. The organisation has developed a large shortage of skilled cyber security professionals, which is the main issue in dealing with this architecture. 82% of IT staff are not involved with this framework, and they cite a shortage of training and planning as the reason. Direct damage has resulted for the company, as management staff and IT staff lack knowledge of the cyber security plan regarding the CIS structure.
Two major components are associated with the CIS framework: security budgets and security challenges. In the present company, it has been observed that security budgets across the board are lagging far behind the security challenges faced by the organisation. Lack of budget is one of the main issues for the organisation in dealing with the CIS framework[15]. It has been reported that the average IT security budget for the industry has declined from 25.5 million dollars to 13.7 million dollars. Along with this issue, the company also faces a lack of prioritisation and management support[16]. Security control under this framework is in a critical position. It has also been observed that not all top managers are attached to the security protocol, which is another major problem. It is highly important for the organisation and its tactical managers to take steps to introduce the COOs, CEOs and board of directors to the CSCs for identifying and defending the organisation's assets. [15: Verdouw, C. N., R. M. Robbemond, T. Verwaart, J. Wolfert, and A. J. M. Beulens. "A reference architecture for IoT-based logistic information systems in agri-food supply chains." Enterprise Information Systems 12, no. 7 (2018): 755-779.] [16: Wang, Kun, Jun Yu,...