
Module Code & Module Title: CC5052NI - Risk, Crisis and Security Management
Assessment Weightage & Type: 50% Individual Coursework
Year and Semester: 2020-21 Autumn
Student Name: BISHAL BHARATI
London Met ID: 19033779
College ID: NP01NT4S200003
Assignment Due Date: 04/02/2021
Assignment Submission Date: 04/02/2021

GROUP – 3

What are the risks and benefits of outsourcing an information security program?
ANS: Outsourcing IT services is becoming simpler and more rewarding because third-party providers now offer services that flex to the needs of a business without major investment in infrastructure. Data centers, for instance, can provide cloud storage, convergence and hyper-convergence technology, database analytics, disaster recovery strategies, and other useful resources. Such programs give small and medium-sized businesses the potential to compete with larger companies. Third-party platforms also provide tools, security, and strategic planning to large corporations.
Any third-party vendor also brings risks and open questions. An initial risk is ensuring that you partner with the right company: one that has been thoroughly vetted and that will deliver the IT services your company wants. Other issues include a lack of direct IT control, the location of the data center or other service provider, and the range of services the outside vendor can actually deliver.
The benefits of outsourcing
The primary benefits of using outside services are these:
- Scalability: In-house IT teams generally plan for their existing needs and factor in a small growth margin. Many issues must be solved as enterprises expand. Among other IT needs, new servers, applications, and storage devices will be required. New networks may be needed. Future technologies need to be compatible with existing systems. Old data has to be integrated with new information.
- Better disaster recovery: Because they have workable plans in place, data centers are much better positioned to get enterprise IT up and running quickly. Data centers practise disaster recovery regularly, and they do so for many different customers. Planning means identifying which applications and data matter. It also means ensuring that the proper hardware architecture is in place and that backups of important items are ready. Outside vendors should also provide software that can properly restore old programs, records, network connections, and so on.
- IT expertise: Outsourced providers have the technological experience and specialized IT resources to clarify an organization's IT options, to analyze what is best suited to those options, and to explore how the data center should accomplish those objectives. They have an IT team in place to oversee the company's infrastructure, applications, network, telephony, storage, and other IT concerns. Access to this experience and capital means quality at competitive rates and better results.
- More time for business development: IT outsourcing means that a corporation spends less time recruiting internal IT workers, less installation time, and less maintenance time. This saving of time and resources lets the company concentrate on its main goods and services, its marketing, and the other aspects of corporate activity.
- Lower costs: Outsourcing is usually performed on a fixed, monthly fee basis. This saves the IT budget capital outlays and the cost of recruiting and paying internal IT workers.

The risks of outsourcing

Some of the main IT outsourcing issues that each business should review are:
- Less control: When a corporation outsources its IT, it places its confidence in a third party, depending on that party's experience, tools, and facilities. Ideally, the transition works out. But if the business is not happy with the third-party provider, it has to do more than just start from scratch: it has to reconcile what the outside vendor has already done with any new IT strategy, such as building the IT in-house or using another provider.
- Security: Cloud storage providers pool their resources among tenants. This sharing saves money and makes IT flexible, but it means that some of the same servers and equipment will be used by other businesses. This raises security issues that need to be addressed, especially if the organization has specific compliance requirements.
- Compatibility: Compatibility of IT services can be a challenge, especially if a business retains part of its IT in-house and outsources only the rest.
- Lack of alignment between business goals and IT goals: Outsourcing providers do not have day-to-day experience of your company's business. They understand challenges in the IT and general business market, but they don't deal with your staff or clients directly. It is important to address this lack of alignment.

Other threats include data center disruption, problems abroad for businesses with overseas offices, and other concerns. (Networks, 2017)
Discuss the three types of information security policy proposed by NIST SP800-14.
ANS: An information security policy (ISP) is a collection of guidelines that govern people who work with IT assets. Your organization should develop an information security policy to ensure that security rules and practices are observed by your personnel and all users. An up-to-date, enforced protection policy makes sure that only approved people can access classified information.
Establishing an effective security policy and taking action to ensure compliance is a key step in avoiding and minimizing data threats. To keep the policy effective, adjust it in response to developments in your business, emerging risks, lessons learned from past breaches, and other changes to your security strategy.
The three types of information security policy are the Enterprise Information Security Policy (EISP), the Issue-Specific Security Policy (ISSP) and the System-Specific Security Policy (SysSP).
Enterprise Information Security Policy (EISP): In brief, an Enterprise Information Security Policy (EISP) describes a corporation's philosophy on security and seeks to set the direction, scope, and tone for all of the organization's security activities. This management-level document is normally written by the organization's Chief Executive Officer (CEO) or Chief Information Officer (CIO), or by someone working in that role. Once finished, the EISP is used as a blueprint for implementing future security systems, setting the standard for how the organization approaches particular security matters. The EISP articulates the enterprise's conviction about how its security program should be organized as it applies to the various tasks and obligations that arise in the security arena, so that key information is protected from intrusion. The document should also define the basic principles of an effective security strategy and, through security requirements and recommendations, establish the appropriate levels of security. The EISP must also ensure that the necessary duties are delegated to the relevant organizational elements in order to achieve full security effectiveness. Unlike most enterprise security rules, standards and practices, which need to be changed continually, the core aspects of an Enterprise Information Security Policy will typically not need to be updated once it is completed for the first time. An EISP normally changes only if there is a shift in the organization's strategic direction.
Issue-Specific Security Policy (ISSP): An organization creates an issue-specific security policy, or ISSP for short, to define the rules that regulate the use of particular technology in that organization. The issue-specific security policy is more tailored than the organization's enterprise information security policy, targeting specific areas explicitly, including:
- What corporate email can and cannot be used for.
- How employees may or may not use company-issued equipment.
- The minimum criteria for the configuration of computers (such as regular security software updates).
- What an employee can and cannot do with personal equipment accessing company Wi-Fi.

Simply put, the ISSP is a set of guidelines that workers are required to follow regarding the appropriate use of technology. Ideally, within this document a company will address every technology element it owns, ranging from computers to digital cameras to tablets to copying machines and much more.
An ISSP educates staff on how to conduct themselves, but it also protects the company from any confusion regarding the use of technology. For instance, an ISSP that clearly states that employees may not connect their personal devices to the company network should be sufficient to prevent employees from doing so, or to provide a basis for disciplining them if they refuse to comply. The one drawback of an ISSP is that it must be revised regularly as technologies evolve and new ones are introduced.
System-Specific Security Policy (SysSP): A System-Specific Security Policy, abbreviated SysSP, has its own look, unlike an Enterprise Information Security Policy or even an Issue-Specific Security Policy. The SysSP is more of a checklist of procedures for how to install or manage systems. SysSPs are highly tailored documents, structured to address only the particular system. Therefore, each system in a workplace may need its own system-specific policy to outline how it operates and how it is to be operated.
Two general components are associated with this form of policy: managerial guidance and technical specifications. The SysSP is usually published as a single, systematic document that covers both, even though there are two classes to consider.
Managerial guidance outlines the security priorities of an organization. Security priorities describe how a given resource or device is used functionally or to achieve business goals. It also details how the organization's leadership needs systems to be developed or maintained. For instance, without a SysSP that specifies managerial guidance for setting up a firewall, an IT administrator might select settings based on personal experience or preference. This section of the document gives guidance for configuring the firewall.
The second part, technical specifications, may also be considered a company's operational security rules. These clarify who has access to the system, what sort of access they should be given, and other authorization-dependent requirements. All business users, for example, will be authorized to use a copy machine, but only certain personnel, such as those in management, have rights to install or change users. Another group of workers may be permitted to use the faxing capability of the copier. These parameters protect the organization from unwanted access to, or use of, software or resources.

What is the C.I.A. triangle? Briefly explain each of its component parts.
ANS: In the information security (InfoSec) community, 'CIA' has little to do with a certain well-known US intelligence agency. These three letters, otherwise known as the CIA Triad, stand for confidentiality, integrity, and availability.
Together, these three concepts form the foundation of every organization's security architecture; in truth, they (should) serve as priorities and targets for any security plan. The CIA triad is so central to information security that, whenever information is leaked, a system is attacked, a user takes phishing bait, an email is hijacked, a website is maliciously taken offline, or any number of other security events occur, you can be confident that one or more of these principles has been compromised.
Security professionals assess threats and vulnerabilities on the basis of their potential impact on the confidentiality, integrity and availability of an organization's assets, namely its information, applications and critical systems. On the basis of that evaluation, the security team implements a set of security controls to reduce risk within the environment.
The components of C.I.A. are as follows:

Confidentiality: Confidentiality refers to the efforts an organization makes to keep its data private or secret. In practice, it is about controlling access to data in order to avoid unauthorized disclosure. This typically involves ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access. As an example, the employee payroll database should only be accessible to authorized payroll workers. In addition, within a group of authorized users there may be further, more stringent limits on precisely which information each of them is permitted to access. Another example: it is reasonable for e-commerce customers to expect that the personal information they provide to an organization (such as credit card, contact, shipping, or other personal details) will be protected in a way that prevents unauthorized access or exposure.

Confidentiality can be violated by deliberate attacks intended to obtain unauthorized access to systems, applications, and databases in order to intercept or exploit data. Network reconnaissance and other forms of scanning, digital eavesdropping (through a man-in-the-middle attack), and an attacker's escalation of system privileges are just a few instances. Confidentiality can also be breached inadvertently, through human error, carelessness, or insufficient security controls. Examples include failure to properly protect passwords (by users or IT security); user account sharing; physical eavesdropping (also known as shoulder surfing); failure to encrypt data (in use, in transit, and when stored); poor, weak, or non-existent authentication systems; and theft of physical hardware and storage devices.

Countermeasures to maintain confidentiality include data classification and labelling; strict access controls and security mechanisms; encryption of data in use, in transit and in storage; steganography; remote wipe capabilities; and adequate education and training for all persons with data access.

Integrity: In everyday use, integrity refers to the quality of something being whole or complete. In InfoSec, integrity is about ensuring that data has not been tampered with and, therefore, can be trusted: it is correct, authentic and accurate. For example, e-commerce customers expect product and price information to be correct, and that quantity, pricing, availability, and other details will not be altered after they place an order. Banking clients need to be able to trust that their banking records and account balances have not been tampered with. Maintaining integrity requires protecting data in use, in transit (such as when sending an email or uploading or downloading a file), and when it is stored, whether on a laptop, a portable storage device, in the data center, or in the cloud.

As with confidentiality, integrity can be violated directly through an attack vector (such as tampering with intrusion detection systems, altering configuration files, or changing system logs to evade detection) or inadvertently, through human error, lack of care, coding mistakes, or inadequate security policies, procedures, and mechanisms.
Countermeasures that protect data integrity include encryption, hashing, digital signatures and digital certificates. Trusted certificate authorities (CAs) issue digital certificates to organizations to verify their identities to website visitors, much as a passport or driver's license is used to verify a person's identity. Other countermeasures include intrusion detection systems, auditing, version control, and strong authentication mechanisms and access controls.

Availability: Systems, applications, and data are of little value to an organization and its customers if they are not accessible when authorized users need them. Quite simply, availability means that networks, systems, and applications are up and running. It ensures that authorized users have timely, reliable access to resources when they are needed.

Many factors can jeopardize availability, including hardware or software failure, power failure, natural disasters, and human error. Perhaps the most well-known attack that threatens availability is the denial-of-service attack, in which the performance of a system, database, web application, or web-based service is intentionally and maliciously degraded, or the system becomes entirely unavailable.

Countermeasures to help maintain availability include redundancy (in servers, networks, applications, and services), hardware fault tolerance (for servers and storage), regular software patching and system upgrades, backups, comprehensive disaster recovery plans, and denial-of-service protection solutions. (Walkowski, 2019)

What is the difference between authentication and authorization? Can a system permit authorization without authentication? Why or why not?
ANS: Authentication and authorization might sound similar, but they are distinct security processes in the world of identity and access management (IAM).
Authentication confirms that users are who they say they are. Authorization gives those users permission to access a resource.

Authentication: Authentication is the process of validating that users are who they say they are. It is the first step in every security process. Giving someone permission to download a certain file on a computer or giving particular users administrator access to an application are clear examples of authentication.

An authentication process can be completed through:

- Password: Usernames and passwords are the most common authentication factors. If a user enters the right data, the system assumes the identity is legitimate and grants access.
- One-time PINs: Grant access for just one session or transaction.
- Authentication apps: Generate access codes through an external party.
- Biometrics: A user presents a fingerprint or eye scan to gain access to the system.

In some cases, systems require the successful verification of more than one factor before granting access. This multi-factor authentication (MFA) requirement is implemented to improve protection beyond what passwords alone would provide.

Authorization: In system security, authorization is the process of granting a user permission to access a specific resource or function. The term is also used interchangeably with access control or client privilege.

In secure environments, authorization must always follow authentication. Users must first prove that their identities are genuine before an organization's administrators grant them access to the resources they need.

Authentication vs. Authorization:

Although the terms sound similar, authentication and authorization are different stages in the login process. Knowing the distinction between the two is crucial to implementing an IAM approach effectively.
To outline the distinctions, let's use an example.
Imagine a person walking up to a locked door to care for a pet while the family is away on holiday. That individual requires:

- Authentication: In the form of a key. The lock on the door only grants entry to someone with the right key, in much the same way that a system only grants access to users with the correct credentials.
- Authorization: In the form of entitlements. Once inside, the individual has permission to enter the kitchen and open the cupboard that contains the cat's food. The person does not have permission to go into the bedroom for a short nap.

In this case, authentication and authorization work together. A pet sitter is allowed to enter the house (authentication), and they have access to certain places while there (authorization). (Okta, n.d.)
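The pet-sitter scenario above as code, added here as an illustration (it is not part of the coursework or of the Okta source). Authentication verifies a credential (the door key) and yields an identity; authorization looks up what that identity may do. Because entitlements are bound to an identity, an authorization check with no authenticated identity can only be refused. The identity names, keys and permission strings are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional


def _hash_key(salt: bytes, key: str) -> bytes:
    """Salted SHA-256 of a key; the store keeps hashes, never raw keys."""
    return hashlib.sha256(salt + key.encode()).digest()


# Constructed credential store: identity -> (salt, hash of the door key).
_SALT = b"constructed-salt"
CREDENTIALS = {"pet_sitter": (_SALT, _hash_key(_SALT, "front-door-key"))}

# Constructed entitlements: what each authenticated identity may do.
PERMISSIONS = {
    "pet_sitter": {"kitchen:enter", "cupboard:open"},
    "homeowner": {"kitchen:enter", "cupboard:open", "bedroom:enter"},
}


def authenticate(identity: str, presented_key: str) -> Optional[str]:
    """Return the identity if the presented key is correct, else None.
    compare_digest keeps the check's timing independent of where the
    hashes first differ."""
    record = CREDENTIALS.get(identity)
    if record is None:
        return None
    salt, expected = record
    if hmac.compare_digest(expected, _hash_key(salt, presented_key)):
        return identity
    return None


def authorize(principal: Optional[str], action: str) -> bool:
    """Grant only when an authenticated principal holds the permission.
    A None principal (nobody authenticated) is always refused: there is
    no identity to look entitlements up for, which is why authorization
    cannot happen without authentication."""
    if principal is None:
        return False
    return action in PERMISSIONS.get(principal, set())


def request(identity: str, key: str, action: str) -> bool:
    """The full sequence: authenticate first, then authorize."""
    return authorize(authenticate(identity, key), action)


if __name__ == "__main__":
    # Right key, permitted action: the sitter may open the cat-food cupboard.
    print(request("pet_sitter", "front-door-key", "cupboard:open"))   # True
    # Right key, but the bedroom is not in the sitter's entitlements.
    print(request("pet_sitter", "front-door-key", "bedroom:enter"))   # False
    # Wrong key: authentication fails, so nothing is authorized.
    print(request("pet_sitter", "wrong-key", "cupboard:open"))        # False
```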
GROUP – 2

Q.No.1 Solution:
Likelihood of the occurrence of vulnerability = 0.1
Value of information asset = 100
Risk Control percentage = 75%
Uncertainty of current knowledge of vulnerability = 100% - 80% = 20%

Risk = 0.1 * 100 - 75% of (0.1 * 100) + (20% of 0.1 * 100)
     = 10 - 7.5 + 2
     = 4.5

Q.No.2 Solution:
Annualized Loss Expectancy (ALE prior) = $250,000
Annualized Loss Expectancy (ALE post) = $35,000
Annual Cost of Safeguard (ACS) = $135,000

CBA = ALE prior - ALE post - ACS
    = $250,000 - $35,000 - $135,000
    = +$80,000
Group – 1

Q.No.1 ANS: Risk Mitigation

Q.No.2 ANS:
Annualized Loss Expectancy (prior to control) = ALE (Prior) = NRs 10,000,000
Annualized Loss Expectancy (post control) = ALE (Post) = NRs 500,000 * 12 = 6,000,000
Annual Cost of Safeguard (ACS) = NRs 500,000
Cost Benefit Analysis (CBA) = ?

CBA = ALE (prior) - ALE (post) - ACS
    = 10,000,000 - 6,000,000 - 500,000
    = 3,500,000

In the case of outsourcing the data center, the annual cost is less than the expected loss to the ISP from severe power outage problems. Outsourcing the data center gives a positive benefit, so it is the right solution for the ISP to implement.
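The two formulas used in the worked solutions above (the residual-risk rating from Group 3 Q.No.1 and the cost-benefit analysis from Group 2 Q.No.2 and Group 1 Q.No.2), written as reusable functions. This is an added example, not part of the coursework; it goes beyond the page by also ranking a whole inventory of assets by residual risk, as a risk worksheet would. The page's own figures are used as inputs; the asset names and the two extra assets are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def residual_risk(likelihood: float, value: float,
                  control_pct: float, certainty_pct: float) -> float:
    """Risk rating used in Group 3 Q.No.1:
        risk = likelihood * value
               - (control_pct % of that product)      # already mitigated
               + ((100 - certainty_pct) % of product) # uncertainty margin
    control_pct: share of the risk current controls mitigate.
    certainty_pct: how complete current knowledge of the vulnerability is."""
    for name, pct in (("control_pct", control_pct), ("certainty_pct", certainty_pct)):
        if not 0 <= pct <= 100:
            raise ValueError(f"{name} must be within 0..100, got {pct}")
    if not 0 <= likelihood <= 1:
        raise ValueError(f"likelihood must be within 0..1, got {likelihood}")
    base = likelihood * value
    mitigated = base * control_pct / 100
    uncertainty = base * (100 - certainty_pct) / 100
    return base - mitigated + uncertainty


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """Cost-benefit analysis of a safeguard: CBA = ALE(prior) - ALE(post) - ACS.
    A positive result means the safeguard saves more than it costs per year."""
    return ale_prior - ale_post - acs


@dataclass(frozen=True)
class Asset:
    """One row of a risk worksheet (constructed structure, not from the page)."""
    name: str
    likelihood: float
    value: float
    control_pct: float
    certainty_pct: float


def rank_by_risk(assets: Iterable[Asset]) -> List[Tuple[str, float]]:
    """Return (name, residual risk) pairs, highest risk first: the order in
    which vulnerabilities would be treated."""
    scored = [(a.name, residual_risk(a.likelihood, a.value,
                                     a.control_pct, a.certainty_pct))
              for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Page figures: likelihood 0.1, value 100, 75 % controlled, 80 % certainty.
    print(residual_risk(0.1, 100, 75, 80))           # 4.5
    print(cba(250_000, 35_000, 135_000))             # 80000
    print(cba(10_000_000, 500_000 * 12, 500_000))    # 3500000
    # Constructed inventory: the page's asset beside two made-up ones.
    inventory = [Asset("asset from page", 0.1, 100, 75, 80),
                 Asset("mail gateway", 0.5, 60, 50, 100),
                 Asset("HR database", 0.2, 90, 90, 60)]
    for name, risk in rank_by_risk(inventory):
        print(f"{name:16s} {risk:.2f}")
```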

Q.No.3 ANS:

Bibliography
Networks, V. (2017) Vault Networks [Online]. Available from: https://www.vaultnetworks.com/risks-benefits-challenges-outsourcing-services/ [Accessed 04 February 2021].
Okta. (n.d.) Okta [Online]. Available from: https://www.okta.com/identity-101/authentication-vs-authorization/ [Accessed 04 February 2021].
Walkowski, D. (2019) F5 LABS [Online]. Available from: https://www.f5.com/labs/articles/education/what-is-the-cia-triad [Accessed 04 February 2021].
