Posted: October 6th, 2022

Security Policy, Standard, and Practices

CYBER SECURITY MANAGEMENT: Security Policy, Standard, and Practices (a case study of an Enterprise company)
ADDITIONAL INSTRUCTION (Report Structure)

– Title Page
– Abstract Page
– Contents Page: this should show the structure of the report (section numbers, headings, subheadings, and pages)
– Table of content
– Table of Figures
– Charts, diagrams, and Simulations

– Introduction {brief description of aims (general) and objectives (what is done to achieve the aims); puts the report within context/sets the scene for the reader (e.g., where does this development fit within the field); what are the problems/issues of the subject area}. The appropriate background is delivered as an introduction to the topic area of interest.

– Body of report {main part of the report; should be divided into several sections depending on the research/discussions}, looking at the relevant issues and demonstrating in-depth knowledge of the topic area of interest through practical work(s), such as a case study of a cybersecurity toolkit with its functionality, application, and a demonstration of its usage, etc.

– Evaluation {evaluate the results; can be a subsection of the Body of report}

– Conclusions {condensed version of the body; briefly gives key findings and future works}

– References (Bibliography): Produced in the Harvard reference format.

– Appendices {optional if there is any}

26 Mar 2022 18:36
CYBER SECURITY MANAGEMENT:
Security Policy, Standard, and Practices (a case study of an Enterprise company)

– The project is to develop a security policy, standards, and practices for a medium-sized enterprise organization.

– This technical report should be the culmination of a good literature review, the analysis, and the applications of the topic: Security Policy, Standard, and Practices

– The literature review is to use a good mix of sources: journals, industry white papers, research outputs of organizations (European Commission, Mitre Corporation, Carnegie Mellon Software Engineering Research Institute, EPSRC, etc.), web resources that have provenance, and textbooks.

– The report should provide an abstract section at the beginning and a conclusion at the end. The appropriate background is delivered as an introduction to the topic.

– The body of the report should present an analysis of its technical content in-depth looking at relevant issues concerned and demonstrate your in-depth knowledge of the topic by examples, case studies, such as an organization’s information security risk assessment, firewall security policy design, information security toolkit use, etc.

– A list of resources referenced should be produced in the Harvard reference format.

– The report should not exceed 2500 words in length (excluding references and bibliography)

CYBER SECURITY MANAGEMENT: Security Policy, Standard, and Practices
A Case Study Of The Quickspace Enterprise Company
Name

Course
Tutor
University
The City and State
Date
Abstract
Generally, SMEs have been found to pay minimal attention to information security because they believe they are not important enough to be targeted by cyber attackers and therefore see no value in investing in information security. However, this exposes SMEs to cyber security attacks that can cause considerable negative effects on their business operations and reputation. This research intends to develop a comprehensive and feasible cybersecurity management approach for Quickspace Enterprise. In particular, the aim is to provide this organization with recommendations for an information security policy, security standards and the right security practices that will put the SME in a better position with regard to cyber security.
Table of Contents

Abstract
Introduction
Literature Review
Cyber Security Management In SMEs
Information Security Policy (ISP) for the SME
Information Security Standards for the SME
Information Security Practices for the SME
Evaluation Approach
Conclusion
Reference List

Introduction
As businesses increasingly rely on information and information systems, it has become fundamental that they protect their critical information assets from theft, loss or misuse (Singh and Gupta, 2019, 1). The technical advancements happening in the cyber security environment also pose serious security threats and challenges even as they bring their respective benefits. Any business is required to have an information system that is fully protected from current and emerging security threats. It is however prudent to note that full protection of an entity’s information systems goes beyond having advanced technologies in place, as these alone will not be sufficient to handle the increasing security challenges (Singh and Gupta, 2019, 2). An organization will need a balanced mix of technical, management and behavioral aspects.
Generally, SMEs have been found to pay minimal attention to information security because they believe they are not important enough to be targeted by cyber attackers and therefore see no value in investing in information security (Almeida et al., 2018, 3). In actual fact, there is a lack of understanding of how fundamental security is to these businesses and of what the adverse effects of a successful cyber attack would be. If bigger organizations lose millions in major cyber attacks against them, the damage to small businesses will similarly be catastrophic. The Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), through the Internet Crime Report, reported from the valid cybercrime complaints received that the losses from cybercrime have been increasing by 8.3% since 2011 (IC3, 2012, 4). This cyber risk means that all businesses should acknowledge that information is emerging as their most valuable asset, one that will be targeted by various threats intent on exploiting system vulnerabilities and causing significant harm to SMEs. It is therefore fundamental that the right information security policies are implemented to reduce the opportunity for fraud and the loss of information.
Cyber security management entails the articulation of a feasible information security policy, a set of standards and the respective practices to be followed. These guidelines need to be adhered to when initiating, implementing, maintaining and improving information security management in an organization. This research intends to develop a comprehensive and feasible cybersecurity management approach for Quickspace Enterprise Company. Specifically, the aim is to provide this organization with an information security policy, security standards and the right security practices that will put the SME in a better position with regard to cyber security. This paper is structured as follows: a review of present literature related to cyber security management in SMEs, with a consideration of the security threats that medium-sized businesses such as Quickspace are facing, to assert the need for the security policy, standards and practices. The main objective is to look at the relevant issues and demonstrate in-depth knowledge of cyber security management through practical work(s), such as different case studies of organizations that have information systems management implemented in their operations.
Literature Review
Currently, information security is a fundamental concern for all businesses, considering that they now operate within a global market that depends greatly on IT and has a fully online and digital presence. According to Saleem et al. (2017), information security management is a crucial problem for companies even as they work on preventing their exposure to security and privacy threats (19). Nevertheless, many SMEs still have only a minimal IT infrastructure for fighting cyber attacks (Saleem et al., 2017, 19). These businesses are still at a preliminary phase that needs further development if their security levels are to be improved. Notably, scholars such as Alfawaz (2011) indicated that the CIA triad, which comprises confidentiality, integrity and availability, provides a design model that organizations could follow when developing their cyber security management approaches (15). These three values ensure that the measures implemented define the authorized parties that will have access to the data and information, and that the data can be trusted and remains accurate whenever it is accessed by the authorized parties.
Extensive literature has described the considerable risks SMEs take by running their operations in the digital world without proper information security management. Jaeger (2013) reported that 38% of data breaches were due to lost paper files and 27% to misplaced portable memory devices, with only 11% of data breach events due to hackers (56). Internal system users actually turned out to be the weakest link in their companies’ information security. These users could unintentionally click on links that allow viruses or malware into their systems, while others could use their knowledge, resources and access to the system for malicious gain. Malicious insiders could choose to violate security policies such as access policies in order to access sensitive information, engage in identity theft or intentionally commit fraud (Soomro et al., 2017, 217).
Thus, research such as that done by Mubarak and Sitnikova (2009) asserts that the attainment of information security in these firms requires them to adopt security controls and to have information security policies and practices implemented, while ensuring that there is both communication and cooperation across the entire organization (103). Many of the case studies used in Mubarak and Sitnikova (2009) had implemented only the common security technologies such as antivirus software and firewalls, with no attention given to security policies; steps such as constant monitoring and the implementation of disaster recovery plans were still not receiving the right attention despite their significance. Suffice it to say, many SMEs have information systems that are still vulnerable despite understanding how important it is for them to be protected. This research will hence demonstrate the kind of security policies, standards and practices that organizations need to have in order to establish that their information and information assets are adequately protected.
Cyber Security Management In SMEs
Large companies will normally benefit from economies of scale, even from the information security perspective. Conversely, it is normally challenging for SMEs such as Quickspace to attain a reasonable level of information security due to budget constraints, limited resources and limited expertise in information security (Gordas, 2014, 2). This is despite the fact that numerous small companies provide services that are deemed crucial to their clients. Awareness of information security is not even among the top priorities of these organizations’ management. Thus, if an SME is to improve its information security standards, its first step is to change its mentality. The company needs a perspective in which information security is considered a top priority by management and the costs associated with its assurance are accepted. Additionally, SMEs have the potential to catch up due to their agility and focus on mitigating the risks they face.
One of the cases that most strongly emphasizes the importance of a comprehensive cyber security management approach is the 2014 data breach of the payment card system used by Home Depot in Northern America (Chand, 2020). The malicious attackers were able to penetrate the network in early April and remained hidden within it for five months. This access was attained by the hackers identifying and exploiting system vulnerabilities that were present due to absent security procedures. The attack led to the company having over 56 million email addresses, credit and debit card information stolen (Chand, 2020). Personally identifiable information of this kind in the hands of a malicious party opens the way for ransomware, fraud and manipulation, among others.
Currently, there is no agreement among SMEs on what their information security should look like for it to be regarded as good. Most of the approaches proposed offer a limited set of information security controls. However, this is inadequate, since the right information security requires a firm to establish a set of controls that matches its requirements (Gordas, 2014, 2). This is attained after a comprehensive risk assessment of the significant threats that target the firm. A review of the various approaches developed as guidelines for information security in SMEs also shows that every one of them has its weaknesses. The ICO’s guide, A Practical Guide to IT Security, Ideal for The Small Business, 2012, fails to provide important measures for business continuity and disaster recovery (Gordas, 2014, 3). The ISSA’s guide, Information Security for Small and Medium Sized Enterprises, 2011, provides business continuity plans and disaster recovery approaches only at levels two and three of cyber security (Gordas, 2014, 3). These are fundamental elements of information security, so an organization that chooses to follow either guide closely will miss out on fundamental measures. Thus, the only viable approach is for an SME to implement an integrated solution for the organization’s information security that can be tailored to its requirements.
Information Security Policy (ISP) for the SME
The ISP supports the right behavior among the firm’s employees by providing clear instructions on the responsibilities to be followed. Employees who appropriately follow the ISP become assets to the SME’s information system. It is through the ISP that the gap between the organization’s expectations and how people contribute to the appropriate implementation of the ISP is bridged. Furthermore, the ISP should also consider the employees who need to be part of the policy development process. Different organizations may use jargon in their policies, which can be challenging for incoming new users. Thus, it should be the mandate of the SME to ensure that its ISP is clear enough to help employees follow the entity’s terms even when they face exceptional circumstances. A weak ISP design will lead to inadequate protection even for the subtle data, and employees could engage in actions detrimental to the firm’s information security.
To this effect, the requirements for a good ISP for an SME will concentrate on particular focus areas (Alqahtani, 2017, 695). These include password management guidelines, which entail locking workstations, avoiding password sharing, and calling for the regular updating of passwords. The second focus should be on the use of email, where users are advised on how to identify malicious links and on being careful when forwarding emails and opening attachments. The other guidelines relate to the use of the internet, social networking sites, mobile computing and the handling of information.
It is important that SMEs put more effort into their information security in terms of developing it and communicating it to their employees. According to Sadok and Bednar (2016), employees are still limited in their understanding of the extensive role of an information security policy (215). Organizations need to look into the processes and practices through which information security is used in context, as per the pragmatic perspective. The active engagement of users in developing information security activities, which should be present in policy making, will lead to effective security measures and better alignment of security controls with business objectives (Sadok and Bednar, 2016, 215).
Information Security Standards for the SME
ISO 27001 is one important security standard that any SME should work towards attaining in its security strategies. Specifically, this security standard lays out the particular requirements for an entity’s information management system, and also provides guidelines that will protect all information, including proprietary information. In a study in which around 50 SMEs located in the Center Part of Portugal implemented ISO 27001:2013, it was evident that this standard boosted the robustness of their information security management and cyber awareness among all stakeholders (Antunes et al., 2021, 265). The research noted that the SMEs that fully adopted the recommended auditing processes and a continuous improvement mechanism, in conjunction with training and certification of their stakeholders, were far better at risk mitigation and at attaining a positive impact on the SMEs’ entire activities (Antunes et al., 2021, 265). Thus, it is recommended that this security standard is adopted to guide the mechanisms that should be implemented.
Information Security Practices for the SME
In the fast-changing cyber threat environment, SMEs need to be dynamic and up to date with the current best practices related to information system management. This responsibility starts with the entity’s board and top management, who will establish organization-wide information security practices, including a clearly defined disaster recovery and business continuity plan, which is commonly left out by SMEs. The best practices include implementing 2-Factor Authentication in addition to passwords, creating strong passwords, securing network connections, using security headers, creating a cyber plan, backing up company data and files, securing wireless connections, having safeguards against phishing, making employees vigilant about cyber security and not neglecting regular patching and updates.
Evaluation Approach
The OCTAVE approach is a risk-based strategic assessment and planning technique for information security purposes in SMEs. By following this approach, the entity will have its information protected and its state of security improved. The strategy encompasses three phases: building an asset-based threat profile, identifying the infrastructure vulnerabilities, and developing the respective security strategy and plan (Antunes et al., 2021, 15). Implementing this approach ensures that the professionals look into the structure and organization of their information systems, which includes considering how they have adhered to their security policies and security standards and implemented the best security practices. From this assessment, the organization is to identify the gaps within its cyber security management and have the right remedies implemented.
Conclusion
The main aim of this research was to obtain an in-depth understanding of how SMEs, including Quickspace Enterprise, can protect their information and information assets. The research focussed on security standards, policies and best practices for SMEs. Information security is an evolving concept, and it is important that SMEs remain vigilant in their measures so that they can stay ahead of cyber attackers.

Reference List
Alfawaz, S.M., 2011. Information security management: a case study of an information security culture (Doctoral dissertation, Queensland University of Technology).
Almeida, F., Carvalho, I. and Cruz, F., 2018. Structure and challenges of a security policy on small and medium enterprises. KSII Transactions on Internet and Information Systems (TIIS), 12(2), pp.747-763.
Alqahtani, F.H., 2017. Developing an information security policy: A case study approach. Procedia Computer Science, 124, pp.691-697.
Antunes, M., Maximiano, M., Gomes, R. and Pinto, D., 2021. Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal. Journal of Cybersecurity and Privacy, 1(2), pp.219-238.
Chand, P., 2020. Importance of Information Security Management – Case Study Analysis of Home Depot Data Breach. [online] Linkedin.com. Available at: [Accessed 9 April 2022].
Gordas, V., 2014. Implementing information security management system in SMEs and ensuring effectiveness in its governance. Egham: University of London.
IC3, 2012. Internet Crime Report. Internet Crime Complaint Center. Available at: https://pdf.ic3.gov/2012_IC3Report.pdf
Jaeger, J., 2013. Human error, not hackers, cause most data breaches. Compliance Week, 10(110), pp.56-57.
Mubarak, S. and Sitnikova, E., 2009. Case Study on an Investigation of Information Security Management among Law Firms.
Sadok, M. and Bednar, P.M., 2016, July. Information Security Management in SMEs: Beyond the IT Challenges. In HAISA (pp. 209-219).
Saleem, J., Adebisi, B., Ande, R. and Hammoudeh, M., 2017, July. A state of the art survey-Impact of cyber attacks on SME’s. In Proceedings of the International Conference on Future Networks and Distributed Systems.
Singh, A.N. and Gupta, M.P., 2019. Information security management practices: case studies from India. Global Business Review, 20(1), pp.253-271.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
