
Cardiff Metropolitan University

B.Sc. (Hons) in Business Information Systems


Assessment Cover Sheet

Student Details (Student should fill the content)

Name

Student ID

Scheduled unit details

Unit code CIS6006

Unit title Cyber Security

Unit enrolment Details Year

Study period 2020

Lecturer

Mode of delivery

Assessment Details

Nature of the Assessment Coursework

Topic of the Case Study Identifying the key components of cyber security, along with the current problems and the methodologies that have been followed in the real world.

Learning Outcomes covered 1, 2, 3

Word count 5000

Due date / Time 06th June 2020

Extension granted? Yes No Extension Date

Is this a resubmission? Yes No Resubmission Date

Declaration
I certify that the attached material is my original work. No other person’s work or ideas have been used without
acknowledgement. Except where I have clearly stated that I have used some of this material elsewhere, I have not
presented it for examination / assessment in any other course or unit at this or any other institution

Name/Signature Date

Submission

Return to:

Result

Marks by 1st Assessor    Name & Signature of the 1st Assessor    Agreed Mark

Marks by 2nd Assessor    Name & Signature of the 2nd Assessor

Comments on the Agreed mark

Contents

1. Scenario
2. Identity and Access Control
3. Implementing Business Continuity Management System to Adams
4. Data Security
5. Information Security Management System – ISO 27001

Table of Figures

Figure 1: Sample Login form
Figure 2: Social Login
Figure 3: User request access by SSO
Figure 4: Successful authentication of SSO

1. Scenario
The company “Adams” is a clothing store whose management would like to launch an online store facility for customers island-wide. This report gives guidance on how to develop and maintain the application securely.

The application will be developed, deployed and managed by Adams IT Services and hosted in the company's own data center.

2. Identity and Access Control


Identity is a factor that can be used to recognize an individual user or a thing. Any unique identifier can be used as an identity, such as an email address or a user ID issued by the company. Authentication is the method of uniquely verifying the user's claimed identity. When a user attempts to log in to a system, the user must first claim an identity, typically by providing a username and password to the system.

Below are the three factors of authentication:

- Something you know (such as a password or PIN)
- Something you have (such as a smart card or ID card)
- Something you are (such as a fingerprint or other biometric method)

Authorization is the process of granting an authenticated user permission to perform defined tasks on the intended system. The set of tasks a user is permitted to perform is defined as the privilege of that user.

Identity and Access Control is a framework consisting of the processes and procedures that govern how physical or virtual resources are accessed. Identity and Access Management (IAM) products offer role-based access control, which is administered by the system administrator.

Let's identify the use cases related to Adams' Identity and Access Control, along with the industry best practices.

Customer access:

- Visitor: view items
- Registered User: view and purchase items

Staff access:

- Admin: full access to the database and the application
- Developer: develops and tests the application

For both groups, role-based access control should be implemented so that each role is granted only the permissions it needs to access the portal.
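
As an added illustration (not part of the original coursework), the following Python example maps the roles above to a permission set and enforces them with a deny-by-default check; the action names and the developer's permission set are assumptions made for the example.

```python
"""Role-based access control for the Adams portal roles.

Added example, not the coursework's own code: maps the page's roles
(Visitor, Registered User, Admin, Developer) to permissions and
enforces them with a deny-by-default check. The action names and the
exact permissions of the Developer role are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    VIEW_ITEM = "view_item"
    PURCHASE_ITEM = "purchase_item"
    READ_DB = "read_db"
    WRITE_DB = "write_db"
    DEPLOY_TEST = "deploy_test"   # deploy to the test environment (assumed action)
    DEPLOY_PROD = "deploy_prod"   # deploy to production (assumed action)
    MANAGE_USERS = "manage_users"


# Role -> set of permitted actions. Anything not listed here is denied.
ROLE_PERMISSIONS: dict[str, frozenset[Action]] = {
    "visitor": frozenset({Action.VIEW_ITEM}),
    "registered_user": frozenset({Action.VIEW_ITEM, Action.PURCHASE_ITEM}),
    # Developer builds and tests the application; no production data access (assumption).
    "developer": frozenset({Action.VIEW_ITEM, Action.DEPLOY_TEST}),
    # Admin: full access on database and application, as the page states.
    "admin": frozenset(Action),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset[str] = field(default_factory=frozenset)


class PermissionDenied(Exception):
    pass


def is_allowed(principal: Principal, action: Action) -> bool:
    """Deny by default: allow only if one of the principal's roles grants the action.

    Unknown roles grant nothing, so a typo in a role name fails closed."""
    for role in principal.roles:
        if action in ROLE_PERMISSIONS.get(role, frozenset()):
            return True
    return False


def enforce(principal: Principal, action: Action) -> None:
    if not is_allowed(principal, action):
        raise PermissionDenied(f"{principal.user_id} may not {action.value}")


def purchase_item(principal: Principal, sku: str) -> str:
    """Protected operation: only roles holding PURCHASE_ITEM may call it."""
    enforce(principal, Action.PURCHASE_ITEM)
    return f"order placed for {sku} by {principal.user_id}"


if __name__ == "__main__":
    visitor = Principal("anon-1", frozenset({"visitor"}))
    customer = Principal("cust-42", frozenset({"registered_user"}))
    print(purchase_item(customer, "SHIRT-001"))
    try:
        purchase_item(visitor, "SHIRT-001")
    except PermissionDenied as exc:
        print("denied:", exc)
```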

For customer registration and access, we would use:

Traditional authentication method, known as username and password. A user registration form will be presented for the customer to fill out, as shown in Figure 1.

Figure 1: Sample Login form (registration fields: First Name, Last Name, Email Address, Password, Confirm Password, Phone Number, Delivery Address, and a Sign Up button)

The login page is a simple webpage where the user provides personal information. It will be served over SSL/TLS 2, which encrypts the content over the internet so that the personal details are transferred securely. The personal information will be encrypted with AES 256 in the database, which provides data security on the server side. The webpage can be tested against the OWASP Top Ten recommendations (https://owasp.org/www-project-top-ten/), which list the following risks:

1. Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
2. Broken Authentication.
3. Sensitive Data Exposure.
4. XML External Entities (XXE).
5. Broken Access Control.
6. Security Misconfiguration.
7. Cross-Site Scripting (XSS).
8. Insecure Deserialization.
9. Using Components with Known Vulnerabilities.
10. Insufficient Logging & Monitoring.

Using Social Login: this would be an effective and modern way of authenticating customers using their preferred social network account, such as Facebook or Google. The visitor's experience is simplified, and the company gains access to the visitor's social data for accurate lead information; it can even prepopulate registration forms and upload profile pictures.

Figure 2: Social Login

OAuth is an open-standard authorization protocol that allows users to be authenticated safely by trusted social media servers without sharing their credentials. In authentication parlance, this is known as secure, third-party, user-agent, delegated authorization. OAuth is primarily concerned with authorization: the customer can log in to the company's site after successfully authenticating with the social network. The authorization process runs as follows:

- Initially, Adams' portal connects to the social media website (e.g. Facebook) on behalf of the user via OAuth, using the identity the user provided.
- Adams' portal generates a one-time password and a one-time token for the transaction and initializes the connection with Facebook.
- Facebook submits the keys to the authorization server and may ask the customer to approve the transaction, or approve it silently.
- After the user approves the transaction, the approved access token is passed to Adams' portal, and an acknowledgement token is passed to the Facebook server to indicate a successful transaction and to ask permission to access the user's details on the user's behalf.
- If the customer allows access to their information, the details are passed to Adams' site.

Implementation reference - https://auth0.com/docs/connections/social/oauth2

Staff Access

To enable access control for staff, the administrator faces challenges such as:

- Easy to configure and update
- Efficient and easy to use for employees
- Enabling centralized management
- Cost of implementation

To satisfy these requirements, a Single Sign-On (SSO) authentication mechanism would be suitable and can easily cater for them. SSO is a method of identity and access management that lets an employee log in securely to other applications and sites by logging in only once, with just one set of credentials. Without SSO, every site and application must maintain its own database of authentication credentials, and the user must enter credentials at every site to gain access.

Authentication with SSO relies on a trust relationship between domains (websites). Initially the site checks whether the user has already been authenticated with SSO; if so, access is allowed. If not, the user is directed to the SSO login page, where the user enters the single corporate username and password. The SSO solution requests authentication from the identity provider or authentication system that Adams uses. The identity provider verifies the user's identity and notifies the SSO solution, which then passes the authentication acknowledgement to the intended website. In SSO, the authentication acknowledgement is passed as a token.

Figure 3: User request access by SSO

After the user has been successfully authenticated by the server:


Figure 4: Successful authentication of SSO

The authentication management can be integrated with an Identity Provider (IP) such as Microsoft Active Directory or Azure Active Directory. This is known as Federated SSO. The IP stores the user's identity and information such as username and password, VPN groups, domain access, and the activities the user is allowed to perform in a site. SAML or OAuth is used to pass standard authentication requests and information securely. The site or application requesting authentication needs to have a trust relationship with the SSO. A trust relationship means that one domain trusts another's information about user identities, devices, and access privileges.

To provide more security, the company can enable Multi-Factor Authentication by configuring it with another device. With this method, the user can only log in to the site after presenting two or more successful pieces of authentication evidence. The most effective way would be to generate a one-time password on another independent device, such as a mobile phone.

Audit

An audit is a verification process, such as an examination or inspection of a process or information system, to ensure that the system or process complies with the standard defined by the company. An audit evaluates the effectiveness of the system and ensures that the individual elements within the system are working effectively to achieve the intended outcome. An audit provides evidence of concerns, which management can use to improve the effectiveness of the system and process. The audit can be carried out by an internal audit team or an external audit team with experience in both auditing and the process.

There are several types of audits:

Adequacy Audit: This audit determines the extent to which the documented system, represented by the manual, the associated procedures, work instructions and record forms, adequately meets the requirements of the system standard, and whether it provides objective evidence that the system is correctly designed in this respect.

Compliance Audit: This audit determines the extent to which the documented system is implemented and observed within the organization.

External Audit: This audit is conducted by external professionals who have the experience and qualifications to perform it. It can be an adequacy audit, a compliance audit, or both.

Extrinsic Audit: This is an external audit carried out by an independent accredited third party, using a standard, to provide assurance on the effectiveness of the systems. It can also be an adequacy and/or compliance audit. It is also known as a third-party audit.

Internal Audit: This audit is carried out by internal resources with adequate competency. It assures that the internal processes and systems are working in the intended way.

Process or Product Audit: This is a vertical audit which considers the complete system that goes into the production of a specific product or service.

The audit is divided into phases before it is performed: audit planning, audit preparation, and so on. Audit initiation is the phase that defines the audit scope and the frequency of the audit. The scope of the audit is determined by the needs of the organization, and a decision is made with respect to system elements such as activities, departments and locations. Audit preparation is the phase of planning the audit, where the auditor reviews the policies and procedures of the system; any inadequacy found should be resolved first.

To enable a system audit, the system should have monitoring enabled so that system logs and access logs are captured and retained for a period defined by the company. The system logs should be reviewed periodically to identify whether any unintended actions have been taken. Privileged access logins must be captured and stored in a secured place that only the intended personnel can view. Segregation of duties should be practiced here to secure the logs.

3. Implementing Business Continuity Management System to Adams

A Business Continuity Management System (BCMS) helps an organization withstand incidents that affect the availability of systems and services, from a single system failure to business-critical processes and activities. ISO 22301, the international standard, describes best practices for planning, implementing and monitoring controls.

The first component of the system is Management Commitment. Like any major project, a BCMS needs to be supported by senior management. This ensures that Adams will be given the necessary resources and that the project will be supported throughout the organization.

The second major component is Business Impact Analysis. It helps to identify and prioritize the functions or processes that are critical to the business, and helps to determine the recovery process. A large part of the analysis is ascertaining how soon after an incident each activity needs to be resumed.

The other major component is Risk Assessment, which helps to identify the events that have the potential to cause a disruption to the business and how severe the impact would be. By assigning a number to each level of probability and severity, the organization can create a ‘risk score’ for each threat. Anything over a certain score – determined by the organization based on its defense resources – will need to be planned for, but anything below the threshold can be ignored because it probably won't happen and/or won't cause significant damage.

Risk Assessment

Event / Threat: the events and threats that could potentially impact the business or organization.

Rating: Each event or threat must be rated against the same criteria: probability, speed of onset, and impact. A predefined set of measures has been defined in the template for each of these criteria. These criteria are used to establish an overall threat ranking, calculated from the responses given. The following provides a definition of each measure by criterion:

Probability: What is the probability or likelihood that the risk will occur?

NA – Not Applicable (this threat is not possible at this location) *
1 – Rare (very unlikely to occur, may not have happened previously)
2 – Unlikely (possibility of occurring but probability is low)
3 – Possible (possibility of occurring and moderate level of probability)
4 – Likely / Probable (high probability of occurring)
5 – Almost Certain (very high probability of occurring and expected to happen at some time)

* If NA is selected, no further assessment of this threat is required. This should be a rare occurrence.

Speed of Onset: How fast is the onset of the risk, and how much warning do you have before it happens?

1 – Gradual / Slow (occurs over a long period of time)
2 – Sudden / No Warning (happens unexpectedly with no prior evidence of occurring)

Impact Severity: What is the level of impact the risk could have on your organization?

1 – Little Impact (very low or almost no impact)
2 – Some Impact (impact that can be managed by standard procedures)
3 – Considerable Impact (sufficiently high impact with some degree of recovery required)
4 – Serious Impact (significant impact requiring extraordinary recovery)
5 – Severe Impact (very harmful impact possibly causing a lengthy recovery)

Threat Ranking: This is calculated automatically once all the rating values have been selected. The result is a number between 1 and 50, with 1 being the lowest possible impact and 50 being the highest possible impact. The values are also color coded based on the following ranges:

Green – indicates a threat ranking of 7 or less
Yellow – indicates a threat ranking between 8 and 22
Red – indicates a threat ranking of 23 or greater

Mitigation (Mitigating Factors & Existing Controls): Are there factors and existing controls that will reduce the impact of the risk?

1 – Weak / No Controls (weak or no controls exist to help reduce the impact of the risk)
2 – Average Controls (controls are in place that will reduce the impact of the risk to a moderate degree)
3 – Strong Controls (controls are in place that will greatly reduce the impact of the risk)

Residual Risk

Residual Risk Threat Ranking: This is calculated automatically based on the Threat Ranking and the strength of the Existing Mitigating Factors & Controls. The result is a number between 1 and 50, with 1 being the lowest possible impact and 50 being the highest possible impact. The values are also color coded based on the following ranges:

• Green – indicates a threat ranking of 7 or less
• Yellow – indicates a threat ranking between 8 and 22
• Red – indicates a threat ranking of 23 or greater

Residual Risk Treatment: Once the residual risk threat ranking has been identified, it must be determined whether the remaining risk will be treated further. Note that the residual risk treatment should describe only plans for additional treatment not already in place.

The different means of treating risks are:

• Transfer Risk – spread the risk by such means as sub-contracting, outsourcing, or insurance
• Accept Risk – determine that the risk is within your risk tolerances
• Reduce Risk – minimize or control the risk by changing the process causing the risk, such as adding a fire suppression system to minimize the impact of a fire
• Avoid Risk – choose to eliminate the risk by not performing some activity

| Event / Threat | Probability | Speed of Onset | Impact Severity | Risk Rating | Mitigation Control | Mitigation Description | Residual Risk Ranking | Treatment Plan |
|---|---|---|---|---|---|---|---|---|
| Application Failure | 3 | 2 | 4 | 24 | 2 | Load testing has been done | 12 | Accept |
| Data Center Loss / Outage | 3 | 2 | 4 | 24 | 2 | Data center configured in high availability | 12 | Accept |
| Loss of Network Services | 3 | 2 | 5 | 30 | 3 | Backup network line has been configured | 15 | Accept |
| UPS / Generator Loss | 4 | 2 | 4 | 32 | 2 | 24h generator available | 16 | Accept |
| Critical Security Patching | 4 | 2 | 5 | 40 | 3 | Monthly patching is done | 13 | Accept |

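
As an added example (not the coursework's own template), the following Python code implements the threat ranking, the colour bands and the residual-risk step described above. The ranking (probability × speed of onset × impact severity, range 1 to 50) and the band thresholds come from the text; the page does not state how the residual ranking is derived from the mitigation control, so dividing the ranking by the control strength (1 to 3) is an assumption, as is applying the planning threshold to the residual value.

```python
"""Threat ranking and residual risk for the BCMS risk assessment.

Added example, not the coursework's own template. The ranking
(probability x speed of onset x impact severity, range 1..50) and the
colour bands are taken from the page; the residual-risk formula is not
stated on the page, so integer division of the ranking by the
mitigation-control strength (1..3) is used here as an assumption.
"""
from dataclasses import dataclass

# Allowed rating values, per the page's scales.
PROBABILITY = range(1, 6)   # 1 Rare .. 5 Almost Certain
SPEED = range(1, 3)         # 1 Gradual / Slow, 2 Sudden / No Warning
IMPACT = range(1, 6)        # 1 Little Impact .. 5 Severe Impact
MITIGATION = range(1, 4)    # 1 Weak / No Controls .. 3 Strong Controls


def threat_ranking(probability: int, speed: int, impact: int) -> int:
    """Product of the three ratings; 5 * 2 * 5 = 50 is the page's maximum."""
    if probability not in PROBABILITY or speed not in SPEED or impact not in IMPACT:
        raise ValueError("rating out of range")
    return probability * speed * impact


def colour_band(ranking: int) -> str:
    """Colour bands exactly as defined on the page."""
    if ranking <= 7:
        return "Green"
    if ranking <= 22:
        return "Yellow"
    return "Red"


def residual_ranking(ranking: int, mitigation: int) -> int:
    """ASSUMPTION: stronger controls divide the ranking; the result never drops below 1."""
    if mitigation not in MITIGATION:
        raise ValueError("mitigation out of range")
    return max(1, ranking // mitigation)


@dataclass
class Threat:
    name: str
    probability: int
    speed: int
    impact: int
    mitigation: int
    treatment: str

    def assess(self) -> dict:
        rank = threat_ranking(self.probability, self.speed, self.impact)
        resid = residual_ranking(rank, self.mitigation)
        return {
            "event": self.name,
            "ranking": rank,
            "band": colour_band(rank),
            "residual": resid,
            "residual_band": colour_band(resid),
            "treatment": self.treatment,
        }


def needs_planning(assessment: dict, threshold: int = 7) -> bool:
    """The page's rule: anything over the organisation's threshold must be planned for.

    Applying it to the residual value, and the default of 7 (top of the Green band),
    are assumptions made for this example."""
    return assessment["residual"] > threshold


if __name__ == "__main__":
    # Constructed rows modelled on the page's register (the second is not from the page).
    register = [
        Threat("Application Failure", 3, 2, 4, 2, "Accept"),
        Threat("Ransomware on file server", 2, 2, 5, 1, "Reduce"),
    ]
    for t in register:
        a = t.assess()
        print(f"{a['event']:<28} rank {a['ranking']:>3} {a['band']:<6} "
              f"residual {a['residual']:>3} {a['residual_band']:<6} plan={needs_planning(a)}")
```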
Business Impact Analysis for IT Department

The BIA is made up of the things the team does to support the products and services Adams delivers. It lists the teams and processes that activities depend on, the key suppliers, and which teams are dependent on IT. The BIA finds out what the activities are, how critical they are, the busiest times of year, and the basic things needed to start recovering in the event of an interruption.

Process / Activity: This column will be pre-populated with the processes identified in the organization.

Revenue Impact: Quantify the impact on revenue in local currency figures. Also consider any potential fees, fines and penalties that may be incurred. If the revenue impact cannot be determined, type 'Unknown'.

Risk Category: All impacts to the business can be classified as being in one of four categories, which are listed as drop-down options in the form. We understand that an interruption to a process may impact more than one category, but for planning purposes please select the category with the highest impact. The risk categories are: Legal/Regulatory, Financial, Confidence/Reputational, Operational.

Impact Severity: How severe would the impact on the business be if you were unable to carry out this process for a period? Below is some guidance to help you select the appropriate impact severity level.
| Impact Severity | Operational (e.g. increase to backlog, effect on department objectives and deliverables) | Revenue Losses | Additional Costs Incurred (fees, fines, penalties) | Customer Service (internal / external) | Legal / Regulatory / Contractual | Market / Shareholder Confidence, Branding and Reputation |
|---|---|---|---|---|---|---|
| 5 - Critical | Backlog requires supplemental staff. Deliverables / shipments delayed or limited indefinitely. | Permanent loss of more than $1,000,000 | User defined | A substantial number of customers would permanently take their business elsewhere | Suspension of the organization by the regulator | A substantial number of customers would permanently take their business elsewhere |
| 4 - Vital | Backlog requires supplemental staff to clear. Deliverables / shipments delayed or limited up to one month. | Permanent loss of up to $1,000,000 | User defined | A small number of customers would permanently take their business elsewhere | Suspension of the activity by the regulator | A small number of customers would permanently take their business elsewhere |
| 3 - Important | Backlog requires supplemental staff to clear. Deliverables / shipments delayed up to one week. | Permanent loss of up to $100,000 | User defined | A substantial number of customers would temporarily take their business elsewhere | Risk of substantial fine by the regulator | A substantial number of customers would temporarily take their business elsewhere |
| 2 - Minor | Some backlog created, but delays are within acceptable margins. | Permanent loss of up to $50,000 | User defined | A small number of customers would temporarily take their business elsewhere | Risk of non-substantial fine by the regulator | A small number of customers would temporarily take their business elsewhere |
| 1 - Low | Some backlog created but deliverables not affected. | Loss of less than $10,000 | No impact. Additional costs not incurred. | Customers would be aware of the situation but we're unlikely to lose business | Situation of interest to the regulator | Customers would be aware of the situation but we're unlikely to lose business |

| Process / Activity | Business impact if Process / Activity cannot be completed | Revenue Impact (or any potential fees, fines or penalties, in local currency; or state 'Unknown') | Risk Category | Impact Severity | Maximum Tolerable Period of Disruption (> RTO) | Required Recovery Time Objective (RTO) | Is there an existing, pre-tested Workaround/s? Briefly describe | Does Workaround/s meet the RTO requirement? (Yes / No) |
|---|---|---|---|---|---|---|---|---|
| Patching Management | Critical patches are essential for application servers to run uninterrupted | 5 - Permanent loss of more than $1,000,000 | Operational | Critical | 5 days | 24 hours | Patches will be updated automatically after being tested; if that fails, manual patching will be done | Yes |
| Change Management | Changes need to be deployed in a timely manner to keep the application alive | 4 - Permanent loss of up to $1,000,000 | Operational | Vital | 24 hours | 1 hour | Yes | Yes |
| Incident Management | If any event happens, it must be handled in a timely manner | 5 - Permanent loss of more than $1,000,000 | Operational | Critical | 24 hours | 1 hour | Yes | Yes |
| Backup and Archive | Backups need to be taken to prevent business interruption if the database fails | 4 - Permanent loss of up to $1,000,000 | Operational | Vital | 24 hours | 1 hour | Yes | Yes |

Strategy: The disruptions can be categorized as below:

- Unavailability of staff
- Unavailability of location
- Unavailability of network
- Unavailability of hardware devices

Location: Staff can work from home by connecting through the VPN to access the application and servers.

Staff: Each key resource person has a backup resource in case the key person is unavailable.

Network: The office network is provided by a well-known service provider, backup lines are also deployed, and each IT person is provided with a dongle.

Hardware Devices: The application infrastructure has been configured for high availability with highly redundant infrastructure, including hot and cold data centers.

4. Data Security

Data security is the set of standards and methods that protect data or information from intentional or unintentional modification, destruction or disclosure. It is a broad topic which must be considered in all aspects, such as physical security, logical controls, organizational standards and user awareness. Data security focuses on confidentiality, integrity and availability.

Confidentiality: only authorized people or systems should have access to data, preventing unauthorized disclosure. This can be achieved by implementing encryption in the system and access control.

Integrity: preventing unauthorized modification. This can be achieved by limiting user access to information (access control) and by hashing.

Availability: authorized users can access data whenever they need to. This can be achieved through redundant infrastructure and backups. BCP mainly focuses on availability.

Data classification helps to categorize data according to its criticality level:

- DCL 1: Public data – website data such as the clothes inventory.
- DCL 2: Internal Only – data only the company has access to, such as policies and procedures.
- DCL 3: Confidential – data accessed only by a set of authorized people, such as financial data and strategy plans.
- DCL 4: Private data – such as personal data of customers.

DCL 3 and DCL 4 data should be protected with high confidentiality and integrity. To achieve this, the data should be logically separated from other data. The production database needs to be deployed in highly secured infrastructure that is accessed only by the administrator. The database should be configured in a separate VPN within the DMZ zone, where the data can only be accessed by the application.

DCL 2-4 data must be encrypted with AES 256 in transit, both system-to-client and system-to-system. To implement HTTPS, Adams should purchase a digital certificate from a well-known CA; this ensures the site will be trusted. Storage encryption also needs to be enabled. Backups must also be encrypted, and a hash value must be calculated when a backup is generated to ensure its integrity. These backups should be stored offsite from the data center. A retention policy will help define the storage period of data and information.

A cryptographic key management system should be implemented to generate, exchange, store, safeguard, use, vet and replace keys.

System logging should be enabled to record the actions performed by the administrator. The logs must be protected from modification and stored in a secure manner.
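
As an added example (not part of the coursework), the following Python code shows one way to make an audit log tamper-evident and to pull out the privileged logins that the Audit section says must be captured and reviewed: each entry carries a SHA-256 over the previous entry's hash and its own content, so any modification or deletion of a stored entry breaks the chain on verification. The log format, field names and the set of privileged roles are assumptions, and the sample entries are constructed.

```python
"""Tamper-evident audit log with a privileged-login review.

Added example, not from the coursework. Each entry carries a SHA-256
over the previous entry's hash plus its own content, so modifying or
deleting a stored entry breaks the chain on verification. The format,
field names and PRIVILEGED_ROLES are assumptions; the entries built in
__main__ are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Iterable

GENESIS = "0" * 64                      # prev_hash of the very first entry
PRIVILEGED_ROLES = {"admin", "dba"}     # assumption: roles whose logins must be captured


@dataclass
class Entry:
    seq: int
    ts: str          # ISO-8601 timestamp, UTC
    actor: str
    role: str
    action: str
    detail: str
    prev_hash: str
    entry_hash: str = field(default="")

    def body(self) -> bytes:
        # Canonical serialisation (fixed key order, no whitespace) so the hash is reproducible.
        payload = {k: getattr(self, k) for k in
                   ("seq", "ts", "actor", "role", "action", "detail", "prev_hash")}
        return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, ts: str, actor: str, role: str, action: str, detail: str = "") -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        e = Entry(len(self.entries), ts, actor, role, action, detail, prev)
        e.entry_hash = hashlib.sha256(e.body()).hexdigest()
        self.entries.append(e)
        return e


def verify_chain(entries: Iterable[Entry]) -> tuple[bool, int]:
    """Recompute every hash and link; return (ok, index of the first bad entry or -1)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.prev_hash != prev or hashlib.sha256(e.body()).hexdigest() != e.entry_hash:
            return False, i
        prev = e.entry_hash
    return True, -1


def privileged_logins(entries: Iterable[Entry]) -> list[Entry]:
    """Review step: every login by a privileged role, for the periodic inspection."""
    return [e for e in entries if e.action == "login" and e.role in PRIVILEGED_ROLES]


if __name__ == "__main__":
    log = AuditLog()
    log.append("2020-05-01T08:00:00Z", "cust-42", "registered_user", "login")
    log.append("2020-05-01T08:05:10Z", "dba-1", "dba", "login", "source=office-vpn")
    log.append("2020-05-01T08:06:00Z", "dba-1", "dba", "export", "table=customers")
    print("privileged logins:", [e.actor for e in privileged_logins(log.entries)])
    print("chain ok:", verify_chain(log.entries))
    log.entries[2].detail = "table=inventory"     # simulate an edit of a stored entry
    print("after tampering:", verify_chain(log.entries))
```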

A password policy must be documented and communicated to employees. It must define the acceptable length, characters and validity period. Password reset methods must be enabled on end-user devices. Passwords or passphrases must not be hard-coded in any system or code. User passwords must be hashed with a salt.
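
As an added example (not the coursework's own code), the following Python shows salted password hashing as the policy above requires, using PBKDF2-HMAC-SHA256 from the standard library with a random 16-byte salt per user, a constant-time comparison on verification, and a check for records that need upgrading to a stronger work factor. The storage string format and the iteration count are assumptions chosen for the example.

```python
"""Salted password hashing and verification for the Adams portal.

Added example, not from the coursework. Uses PBKDF2-HMAC-SHA256 from
the standard library with a random 16-byte salt per user and a
constant-time comparison on verify. The record format
("pbkdf2_sha256$iterations$salt$hash") and ITERATIONS are assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record holding everything needed to verify later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # unique salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time.

    Any malformed or foreign record fails closed instead of raising."""
    try:
        algorithm, iterations_s, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations_s)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record uses an older or weaker work factor and should be
    re-hashed on the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("correct password:", verify_password("correct horse battery staple", record))
    print("wrong password:  ", verify_password("Tr0ub4dor&3", record))
```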

To protect the application, the network should be configured securely. A Web Application Firewall would be best for protecting against application-layer attacks. Otherwise, a firewall must be configured to prevent network-based attacks. IPS and IDS can also be implemented to provide defense in depth.

The application must be tested before it goes to production. Application security testing is performed to find any bugs or misconfigurations present. The infrastructure must be scanned both internally and externally to avoid well-known vulnerabilities.

Since the application handles online purchasing, the PCI DSS standard should be followed and certification obtained.

5. Information Security Management System – ISO 27001

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Not only does the standard provide companies with the necessary know-how for protecting their
most valuable information, but a company can also get certified against ISO 27001 and, in this
way, prove to its customers and partners that it safeguards their data.

The main three objectives of an ISMS are:

Confidentiality: only the authorized persons have the right to access information.
Integrity: only the authorized persons can change the information.
Availability: the information must be accessible to authorized persons whenever it is needed.

An Information Security Management System (ISMS) is a set of rules that a company needs to establish to:
- identify stakeholders and their expectations of the company in terms of information security
- identify which risks exist for the information
- define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
- set clear objectives on what needs to be achieved with information security
- implement all the controls and other risk treatment methods
- continuously measure whether the implemented controls perform as expected
- make continuous improvements to make the whole ISMS work better

Requirements of ISO 27001

Clause 4: Context of the organization – defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.

Clause 5: Leadership – defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information Security Policy.

Clause 6: Planning – defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.

Clause 7: Support – defines requirements for availability of resources, competencies, awareness, communication, and control of documents and records.

Clause 8: Operation – defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.

Clause 9: Performance evaluation – defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.

Clause 10: Improvement – defines requirements for nonconformities, corrections, corrective actions, and continual improvement.

There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The
sections cover the following:

A.5. Information security policies: The controls in this section describe how to handle
information security policies.

A.6. Organization of information security: The controls in this section provide the basic
framework for the implementation and operation of information security by defining its internal
organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of
information security, like project management, use of mobile devices, and teleworking.

A.7. Human resource security: The controls in this section ensure that people who are under the
organization’s control are hired, trained, and managed in a secure way; also, the principles of
disciplinary action and terminating the agreements are addressed.

A.8. Asset management: The controls in this section ensure that information security assets (e.g.,
information, processing devices, storage devices, etc.) are identified, that responsibilities for their
security are designated, and that people know how to handle them according to predefined
classification levels.

A.9. Access control: The controls in this section limit access to information and information
assets according to real business needs. The controls are for both physical and logical access.

A.10. Cryptography: The controls in this section provide the basis for proper use of encryption
solutions to protect the confidentiality, authenticity, and/or integrity of information.

A.11. Physical and environmental security: The controls in this section prevent unauthorized
access to physical areas, and protect equipment and facilities from being compromised by human
or natural intervention.

A.12. Operations security: The controls in this section ensure that the IT systems, including
operating systems and software, are secure and protected against data loss. Additionally, controls
in this section require the means to record events and generate evidence, periodic verification of
vulnerabilities, and make precautions to prevent audit activities from affecting operations.

A.13. Communications security: The controls in this section protect the network infrastructure
and services, as well as the information that travels through them.

A.14. System acquisition, development and maintenance: The controls in this section ensure
that information security is considered when purchasing new information systems or upgrading
the existing ones.

A.15. Supplier relationships: The controls in this section ensure that outsourced activities
performed by suppliers and partners also use appropriate information security controls, and they
describe how to monitor third-party security performance.

A.16. Information security incident management: The controls in this section provide a
framework to ensure the proper communication and handling of security events and incidents, so
that they can be resolved in a timely manner; they also define how to preserve evidence, as well
as how to learn from incidents to prevent their recurrence.

A.17. Information security aspects of business continuity management: The controls in this
section ensure the continuity of information security management during disruptions, and the
availability of information systems.

A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory,
regulatory, and contractual breaches, and audit whether information security is implemented and
is effective according to the defined policies, procedures, and requirements of the ISO 27001
standard.

Conclusion

Adams is a clothing store that would like to deploy an online clothing portal which will enable customers to view and purchase items online. With this in mind, I have analyzed and justified the best practices that can be implemented to achieve information security in the context of Confidentiality, Integrity and Availability.

Below are the references.

27001academy (2020). What is ISO 27001? Quick and easy explanation. [Online] Available from: https://advisera.com/27001academy/what-is-iso-27001/
Auth0 (2019). Auth0 Overview. [Online] Available from: https://auth0.com/docs/getting-started/overview
OneLogin. How Does Single Sign-On Work? [Online] Available from: https://www.onelogin.com/learn/how-single-sign-on-works
OWASP. OWASP Top Ten. [Online] Available from: https://owasp.org/www-project-top-ten/
