
Faculty of Engineering and Computing

PROGRAMME: Bachelor of Information System (Hons) in Business Management
ACADEMIC YEAR: 2020/2021
MODULE: Information Governance
MODULE CODE: CISY3021
MODULE LEADER: Choong Yip Yen
DISTRIBUTION DATE: Tuesday, 24 March 2021
SUBMISSION DATE: Monday, 24 May 2021 12:00PM

Student Name: Arren Goh Chee Sheng
Student ID: B0759


Contents
List of Tables
List of Figures
Risk Assessment Analysis
  Risk Assessment Matrix
  Risk Rating Matrix
  Risk Assessment Report
ISO 27K
  Annex A:9
  Annex A:11.1
  Annex A:11.2
  Annex A:12
  Annex A:16
  Annex A:18
Poster
Conclusion
References

List of Tables
Table 1: Risk Assessment Matrix
Table 2: Risk Rating Matrix

List of Figures
Figure 1: Poster for Disaster Recovery
Risk Assessment Analysis
A risk assessment analysis is the term used to describe the systematic process and methods for establishing context and for identifying, analysing, evaluating, treating, monitoring and reviewing risks (CCOHS, 2021). To ensure that stored data and information are not at risk of being illegally accessed or tampered with, organizations need an information security team or department that manages data and information so as to minimize the risk of the data being compromised.

That does not mean risk applies only to information technology: risk can also take physical forms that hurt, injure or even kill, for example electrical shock, burns and accidents. Risk management allows organizations to maximise output while minimizing the probability and impact of unexpected situations (Wheeler, 2011). Applying risk management processes also helps prevent legal action and lawsuits, which in turn protects the company from reputational damage (Webb, 2021).

For this report, Fresh Air, an air conditioning system manufacturer and installer, is the organization that will be studied.

Risk Assessment Matrix
A risk assessment matrix is a visual representation of the risk analysis: it plots each risk by its severity and its probability (Garcia, 2019). Red represents the highest risks, yellow medium risks and green low risks. A colour coded document gives better visibility and makes decisions easier.

Table 1: Risk Assessment Matrix

| Probability \ Impact | Catastrophic (A) | Critical (B) | Moderate (C) | Minor (D) | Negligible (E) |
|---|---|---|---|---|---|
| Frequent (5) | 5A - High | 5B - High | 5C - High | 5D - Medium | 5E - Low |
| Likely (4) | 4A - High | 4B - High | 4C - Medium | 4D - Medium | 4E - Low |
| Possible (3) | 3A - High | 3B - Medium | 3C - Medium | 3D - Medium | 3E - Low |
| Unlikely (2) | 2A - Medium | 2B - Medium | 2C - Medium | 2D - Low | 2E - Low |
| Remote (1) | 1A - Low | 1B - Low | 1C - Low | 1D - Low | 1E - Low |

Risk Rating Matrix

A risk rating matrix works like the risk assessment matrix, but instead of categorizing each risk it shows a total risk score obtained by combining the impact score and the probability score of the risk (Table 2 multiplies the two).

Risk score value ranges:

- 15 to 25 indicates high and is red.
- 6 to 14 indicates medium and is yellow.
- 1 to 5 indicates low and is green.

Table 2: Risk Rating Matrix

| Probability \ Impact | Catastrophic (5) | Critical (4) | Moderate (3) | Minor (2) | Negligible (1) |
|---|---|---|---|---|---|
| Frequent (5) | 25 | 20 | 15 | 10 | 5 |
| Likely (4) | 20 | 16 | 12 | 8 | 4 |
| Possible (3) | 15 | 12 | 9 | 6 | 3 |
| Unlikely (2) | 10 | 8 | 6 | 4 | 2 |
| Remote (1) | 5 | 4 | 3 | 2 | 1 |

Risk Assessment Report

| Risk Name | Description | Likelihood | Severity | Risk Score (Likelihood x Severity) | Mitigation |
|---|---|---|---|---|---|
| Backup Server Destroyed | The lower level of the site may be flooded. | 2 | 2 | 4 | Floodproof the server room by placing the backup server in an elevated place. It is also possible to put the backup server in the cloud to remove the physical risk. |
| Power Cut | Lack of wind, or highly intermittent wind, may cause a power outage if the turbines are stopped for too long. | 2 | 2 | 4 | Install solar panels to get energy on sunny but not windy days. Install a battery bank so that extra energy generated by the turbines can be stored and used during a power outage. |
| Employee Mistake | An employee could cause accidents on site, either to physical or to digital assets. | 1 | 4 | 4 | Annual training can reduce the chances of this happening. |
| Competition | A new competitor with the same business model could threaten the organization. | 2 | 3 | 6 | Targeting new markets, improving customer service and gathering competitor information allows the organization to stay ahead of the opposition. |
| Employee Fraud | Employees commit property theft or steal funds from the organization. | 3 | 2 | 6 | Implementing policies or security systems allows the organization to minimize employee fraud. |
| Faulty Machinery | Problems with the manufacturing machines could injure workers or even stop the production process. | 2 | 4 | 8 | Have weekly to monthly maintenance checks to minimize the risk of machines injuring workers. |
| Wind | Extreme wind may damage the main site, breaking windows or moving objects. | 3 | 3 | 9 | Secure objects kept outside by tying them down after use. Fit storm shutters to protect windows from shattering. |
| Product and Service Liability | Overlooked design flaws or manufacturing defects could become a threat to customers. | 2 | 5 | 10 | Have the designs and manufactured parts tested before they are installed at a customer's property. |
| Supply Chain Interruption | The raw material supply could be reduced or cut for a period. | 3 | 4 | 12 | Having more than one supplier can minimize the issue, and keeping extra raw materials in stock can minimize the impact of the risk. |
| Fire / Lightning | The main site may be struck by lightning, which can cause a fire to break out. | 3 | 5 | 15 | Install lightning rods so that lightning striking the main site is dissipated to earth. |
| Information Misuse | Lack of data access security on the sales system computers in the main office. | 4 | 4 | 16 | Patch the system to add access security to it. |
| Unauthorized access to server | The server could be compromised, hacked and have its information stolen or destroyed. | 4 | 4 | 16 | Implement IDS and IPS systems to minimize the risk and to be informed if a data breach is happening. |
| Sickness from Pandemic | Employees getting infected by the Covid-19 virus. | 4 | 5 | 20 | Enforce SOP policies and, where possible, implement plans for frequent sanitization of high-touch places. |
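To make the two matrices and the report table above concrete, here is an added Python example (not part of the original report) that encodes Table 1 and Table 2, cross-checks that every score band agrees with the colour rating of the same cell, and scores and prioritises the report's own risk register. The band thresholds and the register rows are taken from the report; the function names are this example's own.

```python
# Table 1 colour ratings from the report: probability -> impact letter -> rating.
TABLE_1 = {
    5: {"A": "High", "B": "High", "C": "High", "D": "Medium", "E": "Low"},
    4: {"A": "High", "B": "High", "C": "Medium", "D": "Medium", "E": "Low"},
    3: {"A": "High", "B": "Medium", "C": "Medium", "D": "Medium", "E": "Low"},
    2: {"A": "Medium", "B": "Medium", "C": "Medium", "D": "Low", "E": "Low"},
    1: {"A": "Low", "B": "Low", "C": "Low", "D": "Low", "E": "Low"},
}
# Table 2 numbers the impacts 5..1 where Table 1 letters them A..E.
IMPACT_LETTER = {5: "A", 4: "B", 3: "C", 2: "D", 1: "E"}

# Risk register (name, likelihood, severity) copied from the Risk Assessment Report.
REGISTER = [
    ("Backup Server Destroyed", 2, 2), ("Power Cut", 2, 2),
    ("Employee Mistake", 1, 4), ("Competition", 2, 3),
    ("Employee Fraud", 3, 2), ("Faulty Machinery", 2, 4),
    ("Wind", 3, 3), ("Product and Service Liability", 2, 5),
    ("Supply Chain Interruption", 3, 4), ("Fire / Lightning", 3, 5),
    ("Information Misuse", 4, 4), ("Unauthorized access to server", 4, 4),
    ("Sickness from Pandemic", 4, 5),
]


def risk_score(likelihood, severity):
    """Table 2: the score is likelihood (1-5) multiplied by severity (1-5)."""
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("likelihood and severity must both be in 1..5")
    return likelihood * severity


def rating(score):
    """Bands from the report: 15-25 high (red), 6-14 medium (yellow), 1-5 low (green)."""
    return "High" if score >= 15 else "Medium" if score >= 6 else "Low"


def matrices_agree():
    """True if every Table 2 score lands in the band Table 1 colours that cell."""
    return all(rating(risk_score(p, s)) == TABLE_1[p][IMPACT_LETTER[s]]
               for p in range(1, 6) for s in range(1, 6))


def prioritised(register):
    """(name, score, band) rows, highest score first; ties keep register order."""
    rows = [(name, risk_score(lik, sev), rating(risk_score(lik, sev)))
            for name, lik, sev in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def names_in_band(register, band="High"):
    """Names of the risks in one band, in the order they should be treated."""
    return [name for name, _, b in prioritised(register) if b == band]


if __name__ == "__main__":
    print("Table 1 and Table 2 agree:", matrices_agree())
    for name, score, band in prioritised(REGISTER):
        print(f"{score:>3}  {band:<7} {name}")
```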

ISO 27K
ISO 27K is a set of standards and best practices that organizations of any size and industry should implement to improve their information security systematically through an ISMS, or Information Security Management System (TechTarget, 2009). An ISMS also allows an organization to share information while ensuring the protection of its information and computing assets.

ISO 27K is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). There are about 46 individual standards, including the one that introduces the series and clarifies key terms and definitions (Irwin, 2020). By implementing ISO 27K, an organization can effectively lower the risk of its information and data being compromised.

Implementing ISO 27K is beneficial for Fresh Air: information security minimizes business damage by reducing the impact of a security incident while ensuring business continuity. Its purpose is to preserve the confidentiality, integrity and availability of information.

- Confidentiality is protecting information from unauthorised access and misuse. Almost all information systems store information, and some of it has a degree of sensitivity, for example proprietary information that competitors could use for their benefit.

- Integrity is protecting information from any unauthorized alteration, so that information stays accurate and data stays complete. Data and information within and between systems must be protected to maintain integrity, and only legitimate, authorized users may alter information and data.

- Availability is ensuring that information can be accessed quickly. Disruptions to availability can cause losses of revenue, customer dissatisfaction or even reputational damage for the organization, even over a short time.

Annex A:9

Annex A:9 of ISO 27K covers the procedures for access control (Thornton, 2020). The case study notes that Fresh Air lacks access control, and adding this control helps safeguard and secure information. Access should only be given to someone who has both the right and the need to have the information, and it is illegal to give access to information to someone who does not need it. System administrators are responsible for the secure operation of their systems, but they can assign a system manager to handle day-to-day management and operation of the system.

As Fresh Air's sales system has no login function, anyone with physical or remote access to the computer can alter, remove, steal or even destroy the data and information in the system, and if that happens the organization could suffer great losses. If the stolen data is publicly released, the organization's reputation would be tarnished and it could face lawsuits from customers for negligence in handling information (Chandler, 2007).

Adding a login function to the sales system also gives the organization a log of data access, so it can find out who changed or removed data within the system; this makes the employees with access to the system accountable for it (Chang, 2017).
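The following is an added Python sketch, not code from the report or from Fresh Air, of what the login-gated sales system with an access log described above could look like: every login and every attempt to change or delete a record is written to an append-only log, only sales department staff are authorised, and the log answers the question "who changed or removed this record?". The user names, department labels, record ids and PBKDF2 iteration count are constructed for the example.

```python
import hashlib, hmac, os, secrets
from datetime import datetime, timezone

ITERATIONS = 200_000  # PBKDF2 work factor; a constructed value for this example


class SalesSystem:
    """Sales records behind a login, with an append-only access log."""

    def __init__(self):
        self._users = {}     # username -> (salt, password hash, department)
        self._records = {}   # record id -> record data
        self._sessions = {}  # session token -> username
        self.log = []        # audit trail of every attempt, allowed or denied

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def add_user(self, username, password, department):
        salt = os.urandom(16)  # per-user salt so equal passwords hash differently
        self._users[username] = (salt, self._hash(password, salt), department)

    def _audit(self, user, action, record_id, allowed):
        self.log.append({"time": datetime.now(timezone.utc).isoformat(),
                         "user": user, "action": action,
                         "record": record_id, "allowed": allowed})

    def login(self, username, password):
        entry = self._users.get(username)
        ok = entry is not None and hmac.compare_digest(
            self._hash(password, entry[0]), entry[1])
        self._audit(username, "login", None, ok)  # failures are logged too
        if not ok:
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def _check(self, token, action, record_id):
        """Only sales department staff may touch sales records; log every attempt."""
        user = self._sessions.get(token)
        allowed = user is not None and self._users[user][2] == "sales"
        self._audit(user, action, record_id, allowed)
        return allowed

    def update(self, token, record_id, data):
        allowed = self._check(token, "update", record_id)
        if allowed:
            self._records[record_id] = data
        return allowed

    def delete(self, token, record_id):
        allowed = self._check(token, "delete", record_id)
        if allowed:
            self._records.pop(record_id, None)
        return allowed

    def who_changed(self, record_id):
        """Users who successfully changed or removed a record, read from the log."""
        return [e["user"] for e in self.log
                if e["record"] == record_id and e["allowed"]
                and e["action"] in ("update", "delete")]
```

Denied attempts stay in the log alongside successful ones, which is what lets an administrator spot someone outside the sales department trying the system as well as attribute legitimate changes.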

Annex A:11.1

Annex A:11 of ISO 27K covers securing physical and environmental areas. This control aims to prevent unauthorised physical access, damage and interference to the organization's information and information processing facilities. As mentioned above, with no login on its sales system Fresh Air is prone to having its data and information compromised.

With Annex A:11 the organization can limit physical access to the computer so that the probability of the data being compromised is minimized. As found in Biswas (2019), security perimeters should be created where sensitive or critical information is stored, as well as around areas that process information.

Secure areas should be protected with appropriate entry controls so that only authorised people are allowed access. For example, only staff from the sales department should have access to the computers that hold the sales system.

Offices, rooms and facilities are also areas that should be secured: the computer for the sales system should be located in a room in the sales department's office, so that only employees of the sales department have access to it.

Annex A:11.2

Annex A:11.2 covers equipment and its protection. Equipment needed for the business process should be protected from risks such as environmental threats and unauthorised access (Bourgeois & Bourgeois, 2019). Equipment placement, or siting, is also important, since its size and nature determine the threats to it. For example, Fresh Air's server room must not be in an area where pipes are visible, because if a pipe in the room bursts the server will most likely be destroyed. There are a few written standards within this section:

- Equipment used to process data, such as computers and laptops that handle sensitive information, should have restricted viewing angles to reduce the probability of the information being viewed by unauthorised people during use.
- Storage facilities are secured with keys to prevent unauthorised access.
- Food and drinks should be kept away from ICT equipment.
- Wireless routers and shared printers should be positioned so that they are easy to reach when needed, do not distract anyone from working, and do not leave information on the printer that should not be there.
- Computers and laptops are sited so that they are securely stored when not in use and easily accessed when required.

Annex A:12

Annex A:12 ensures that information processing facilities are secure; this section covers operational procedures and responsibilities, malware mitigation, information backup, logging and monitoring, protecting the integrity of operational software, exploitation of system weaknesses and audit considerations (Irwin, 2020).

The areas of the business that need documented procedures are those where the organization's information assets are at risk from possible incorrect operation, which can be identified in a risk assessment. This involves many departments, but it depends on the nature of the business; for example, manufacturing companies have manufacturing processes to document that service companies do not.

Generally this section maintains business operations and helps minimise the impact on the business when an issue has happened. Preventing data from being compromised, business process continuity and documentation of business processes are all part of A:12. By implementing it, organizations minimize both the impact and the probability of problematic issues, allowing business continuity.

Annex A:16

This section documents how to manage and report security incidents. The process involves identifying the employees responsible for the actions, which means ensuring consistent and effective procedures across the lifecycle of incidents and responses.

A good control describes how management establishes responsibilities and procedures to ensure an effective, rapid and orderly response to weaknesses and security incidents. For example, if a window is not closed when the office is locked for the night, a thief could enter through it to steal documents, money or even expensive equipment. The weakness here is that the window could be damaged, making it an obvious place for a break-in.

Should an incident happen, employees and associated parties need to be aware of their obligation to report security incidents. To carry this out properly, employees need to know exactly what constitutes an information security weakness, event or incident. If an information security event happens or is thought to have happened, the information security administrator should be informed immediately and the event documented accordingly.

If a weakness is found in the security of information, it is essential that employees do not attempt to prove it, as that could be seen as misuse of the system, or could risk damaging the system and its stored data and so cause security incidents.

Annex A:18

This section covers compliance with legal and contractual requirements. Its focus is to avoid breaches of legal, regulatory or contractual obligations relating to information security. It helps organizations identify the relevant laws and regulations and better understand their legal requirements, the mitigation of non-compliance risks and the penalties that come with non-compliance (Irwin, 2020).

Organizations need to document, and keep up to date, the legislation and regulations that affect the achievement of business objectives and the results of the ISMS. This is an area where organizations are usually caught out, as more laws could impact the organization than they had considered. An auditor can check how the organization has identified and documented its legal, regulatory and contractual obligations.

Poster

Figure 1: Poster for Disaster Recovery
Conclusion
In conclusion, if Fresh Air implements ISO 27K, it will have better information security, reduce the impact of possible IT related disasters and also minimize the legal action it would have to face.

The document created has its strengths and flaws; I would say that the report created is decent and can be used as a baseline for future work. Research on ISO 27K was done and a large amount of information was gathered from data relating to it, and a better understanding of the sections within ISO 27K was achieved. But how it translated to this document is uncertain.

This was a topic that required a lot of reading and thought to understand the standardization. This research made me realise that companies with ISO 27K certification have done a great deal in their information security systems. This module has definitely helped in analysing ISO 27K documents; alas, during this time I was faced with a few assignments where I had to rush day by day. Hence a time constraint was put on me, and internet connections in the college accommodation were unstable.
