Assurance Program Why/How to Create Case Study

Pages: 25 (6861 words)  ·  Bibliography Sources: 1+  ·  Level: Master's  ·  Topic: Education - Computers


[. . .] Information Security

Several international organizations have published white papers on how and why information should be secured, and governments and their agencies have promulgated laws that explain how important information security is. Bodies such as the Commission of the European Communities, ECMA, the Organisation for Economic Co-operation and Development (OECD) and the Canadian System Security Centre have all issued guidance. Information security deals largely with:

Denying unauthorized persons access to information not meant for them

Minimizing or eliminating the corruption or truncation of information while it is in transit

Encrypting information so that it is unreadable to anyone it is not intended for

Installing firewalls that block the leakage of information

Training IT staff to respect the IT department's code of ethics (SACA, 2006).

The list could be extended, but these points apply to the case study organization.

System Safety

Systems differ from organization to organization and from department to department, but what stands out in every system is the hardware and the software. Safety of the system covers each of its components, and each component requires its own way of being secured. The aim is to prevent or minimize damage to the information in the system. For system safety to succeed, it must be planned early enough to be built into the computer systems: one plan spells out the steps taken in routine system safety, and a complementary plan explains the steps to be taken when safety is breached. Bearing in mind the danger and cost of information lost through unsafe systems, and the vulnerability of computer systems, the following general guidelines should be followed:

(1) the system should be kept in a known, secure place

(2) reduce the probability of non-functional parts

(3) prevent sabotage of the computer systems

(4) restrict movement within the computer room or department to authorized persons

(5) install security alarms that notify the security department in case of a breach

Having established the various approaches to information assurance, the necessary steps can now be considered. These steps form a blueprint for the case study organization and follow one another in order of priority. Information assurance matters to the organization because it keeps information available when it is needed; protected and assured information is an asset to be guarded with all seriousness. The steps or processes are: risk assessment, risk management plan, countermeasures, computer emergency response and cost analysis.

Processes of Information Assurance

The processes of information assurance listed above are the lifeblood of a successful program.

Risk Assessment

Data and information are constantly exposed to risks arising from technical failures or human operator error. Risk assessment is an evaluation of the risks that are likely to occur; it is also the part of the risk management process that identifies the vulnerabilities of the organization's information sources (CISA, 2006). An objective view of the risks and the uncertainties around them must be taken. To prepare in advance, the Risk Management Team is expected to have taken into account operational errors, system sabotage, information pilfering and the many other risks that can arise while information is processed or transmitted.

A number of methodologies can be applied to risk. Frameworks such as ISO/IEC 27005:2008, BS 7799-3:2006 and NIST SP 800-30 can be used, depending on the security needs of the organization. Of these, the one most applicable to the case study organization is ISO/IEC 27005:2008, whose stages ensure that risk is properly assessed: context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review.

Context establishment sets the scope and criteria of the assessment and brings into focus the risks the organization may be exposed to. Some of these fall into the same group, so the risks can be sorted into categories.

Risk assessment comes into play once the categories of risk have been established. It involves taking stock of each risk and its level and making the necessary plans, with a cost analysis.

Risk management, the treatment stage, consists of the decisive, proactive measures management takes to address the risks that have been assessed and the factors behind them. If a risk stems from actual or likely system failure, it can be addressed by procuring spare parts, in addition to the main system, to replace malfunctioning ones. If it stems from human error, it can be tackled by retraining the IT workers or reassigning them.

Countermeasures are the various steps required to correct, minimize or stop a risk to which the organization has been exposed.

Computer emergency response is one of the countermeasures management can use in responding to risks or threats. It can be automated so that operation continues without a human operator.

Risk communication plays an important role in the response to risk. When a threat or an assessed risk is present, its level must be made known to those concerned, the stakeholders in the organization's security unit. Security alerts can be configured so that an alarm is set off to sound a warning. This prepares the organization for countermeasures and relays the risk to the people who must act, which is essential in curtailing it.

Risk review is the final lap in the series. A meeting of the stakeholders is held, everyone concerned is debriefed, and decisions are taken on the basis of the security reports.

Risk Management Plan

Risk can be defined as the possibility of an unexpected negative event occurring. Since some risk is inevitable, certain steps, referred to as a plan, must be laid down to see the case study organization through when a risk materializes. They are (1) identify the risk, (2) assess the risk, (3) identify the priority level of the risk and (4) control the risk (Thomas, 2001).

There are many risks, and for a credible risk management plan to be established each risk must be identified so that the appropriate measures can be chosen.

Once a risk has been identified it is assessed, by working out what is likely to have gone wrong for that kind of risk to occur. This helps the management of the case study organization respond appropriately.

The priority level of each identified risk is important. It lets management know which risk to attend to before the others are considered; when several risks occur at once, this laid-down plan of attaching a priority level to each identified risk goes a long way.

Control the risk. This final step of the risk management plan is the most crucial. After the initial steps have been taken, the following control measures can be applied, and other departments may add steps of their own:

(i) establishing security awareness programs

(ii) disaster planning

(iii) conducting risk analysis

(iv) establishing an emergency response team

(v) setting up an internet policy

(vi) controlling modem (dial-in) access

(vii) establishing remote access controls

(viii) installing anti-virus software

(ix) computer crime investigation
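The four steps of the plan above (identify, assess, prioritize, control) and the ISO/IEC 27005 stages of assessment, treatment, acceptance and review can be carried through on a small risk register. The following Python script is an added example, not code from the case study paper: the 1-5 likelihood and impact scales, the acceptance threshold of 6, the priority bands and the sample risks are all assumptions made for illustration, since ISO/IEC 27005 leaves the scales and acceptance criteria to the organization.

```python
"""Risk register for the identify / assess / prioritize / control steps.

Added example, not from the case study paper.  The 1-5 scoring scales, the
acceptance threshold, the priority bands and the sample risks are assumptions
made for illustration (ISO/IEC 27005 leaves the scales to the organization).
"""
from dataclasses import dataclass, replace
from typing import List, Optional

ACCEPTANCE_THRESHOLD = 6   # assumed: a score at or below this is accepted as-is
SCALE = range(1, 6)        # assumed 1..5 ordinal scale for likelihood and impact


@dataclass(frozen=True)
class Risk:
    name: str
    category: str                    # e.g. "system failure", "human error", "sabotage"
    likelihood: int                  # 1 = rare .. 5 = almost certain
    impact: int                      # 1 = negligible .. 5 = severe
    control: Optional[str] = None    # planned control, if one has been identified

    def __post_init__(self):
        # Step 2 (assess) only makes sense on the agreed scale; reject anything else.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be in 1..5")

    def score(self) -> int:
        """Inherent risk = likelihood x impact (qualitative, ordinal)."""
        return self.likelihood * self.impact


def priority(score: int) -> str:
    """Step 3 (prioritize): bucket a score into a level (assumed bands)."""
    if score >= 15:
        return "high"
    if score > ACCEPTANCE_THRESHOLD:
        return "medium"
    return "low"


def treatment(risk: Risk) -> str:
    """Decide the ISO 27005 treatment option for a risk."""
    if risk.score() <= ACCEPTANCE_THRESHOLD:
        return "accept"      # risk acceptance: within appetite, record and monitor
    if risk.control:
        return "reduce"      # a countermeasure exists: apply it and re-assess
    return "escalate"        # no control identified: management decides (avoid/transfer)


def apply_control(risk: Risk, likelihood_after: int, impact_after: int) -> Risk:
    """Step 4 (control): model the residual risk once the control is applied.

    A control may lower likelihood (retraining), impact (spare parts) or both;
    it must never make the risk worse, so the residual values are clamped.
    """
    if risk.control is None:
        raise ValueError(f"{risk.name}: no control to apply")
    return replace(risk,
                   likelihood=min(risk.likelihood, likelihood_after),
                   impact=min(risk.impact, impact_after))


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so severe-but-rare risks surface."""
    return sorted(risks, key=lambda r: (-r.score(), -r.impact, r.name))


def build_register(risks: List[Risk]) -> List[dict]:
    """One row per risk, in the order management should attend to them."""
    return [{"name": r.name, "category": r.category, "score": r.score(),
             "priority": priority(r.score()), "treatment": treatment(r),
             "control": r.control} for r in prioritize(risks)]


# Constructed sample register for the case study organization (not real data).
SAMPLE_RISKS = [
    Risk("Disk failure on file server", "system failure", 4, 3, "keep spare disks on site"),
    Risk("Operator deletes backup set", "human error", 3, 4, "retrain operators, two-person rule"),
    Risk("Sabotage of computer room", "sabotage", 2, 5, "restrict room access, alarm to security"),
    Risk("Visitor reads printout on desk", "information pilfering", 2, 2),
    Risk("Data interception on WAN link", "transmission", 3, 5),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
    # Risk review: re-assess after the control is applied and check acceptance.
    residual = apply_control(SAMPLE_RISKS[1], likelihood_after=2, impact_after=4)
    print(residual.name, "residual score", residual.score(), "->", treatment(residual))
```

Running the script prints the register sorted by inherent score, with the WAN interception risk escalated because no control has been identified for it, and then shows that retraining alone leaves the backup-deletion risk above the acceptance threshold, which is exactly the kind of finding the risk review step exists to catch.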


Countermeasures

These are the steps taken to counter the effect of risks that have been established and accepted as real. Not every reported risk is worth responding to; only after the risks have been defined and prioritized can the organization devise countermeasures to cushion their effect. These may take the form of:

(i) firewall installations

(ii) installing anti-virus software

(iii) enacting security policies

(iv) staff training and retraining

(v) implementing the advice of security experts

Computer Emergency Response

This is a group of computer experts who handle computer-related incidents. They identify and analyze incidents and recommend the measures to be taken, or deal with the risk themselves. The group goes by different names depending on the region in which it is located and the expertise of its members. It comes in handy when a risk materializes.

Cost Analysis

The monetary value of the plans must be evaluated to establish their cost relative to similar ventures. Cost analysis is defined as a comparison of the relative costs of similar services (Bleichrodt, 1999).

In the case study organization, if information assurance is to succeed in the face of the identified risks, one countermeasure management may consider is what is called a management change. Certain security flaws are due to the negligence of IT workers in the computer department, or to a porous security network, and a change in the management setting of the case study organization is then necessary. There are prescribed steps for making this as effective as possible…


Cite This Case Study:

APA Format

Assurance Program Why/How to Create.  (2012, February 18).  Retrieved February 20, 2019, from
