Thursday, December 12, 2019
Security Planning - Policies and Risk Analysis
Question: Discuss Security Planning, Policies and Risk Analysis.

Answer:

Introduction

Effective security planning is essential to applying good, protective security, yet it is often neglected (Peltier 2016). Security planning is implemented primarily in an organization's IT environment; it is a proposed plan for controlling and protecting an information system, or a plan that is itself being implemented. Risk analysis, on the other hand, is the process of analyzing and demonstrating the dangers posed to government agencies, businesses and individuals by human-caused, natural and other potential adverse events. The major aim of this research project is to discuss and research the importance of security policies, planning and risk analysis for a medium sized organization in Singapore. This study also examines security planning, policies and risk analysis for Garena, a well-reputed, medium sized organization in Singapore, and discusses how these assure business continuity for the company and which security policies should be implemented. Finally, the study provides the design of an appropriate security plan for the Singapore based organization, Garena.

Company Background

Garena was established by Forrest Li and his friends in 2009 because they aspired to transform their passion for entrepreneurship into a great organization (Garena 2017). Garena exclusively distributes game titles on Garena+ in several nations across Taiwan and Southeast Asia, including multiplayer online battle arena games such as Heroes of Newerth and League of Legends.

The organization has also launched the online soccer game FIFA Online 3 and the first person shooter games Alliance of Valiant Arms and Point Blank, which were released in March 2016 (Garena 2017). Garena+ is a social and online game platform with an interface similar to that of instant messaging platforms.

Research and Discussion on the Importance of Security Planning and Policies

Garena provides Garena+, a social and online gaming platform with an interface equivalent to that of instant messaging platforms (Garena 2017). The features of Garena+ allow gamers to build buddy lists, check game achievements and progress, and chat with friends online. Being a medium sized organization, Garena needs to understand the essence of risk analysis, policies and planning for security (Markmann, Darkow and von der Gracht 2013). In order to implement security planning and policies, an organization should analyze all the risks associated with its business operations. Risk assessment and analysis helps Garena identify and analyze risks so that the company can mitigate them. Risk assessment is a crucial component of computer security planning. Moreover, it provides a fundamental baseline for implementing security plans that protect assets against several threats (Sovacool and Saunders 2014). Security planning and policies therefore play significant roles in assessing and minimizing risks across business operations, especially for small and medium sized organizations. Thus, Garena has to identify the threats it faces and prioritize and analyze them accordingly (Haimes 2015). Garena also has to devise strategies and plans for minimizing the likelihood of those threats occurring.
The organization also needs to prepare contingency plans in case the threats do occur.

Figure 1: Security Plan (Source: Sawik, 2013, p.157)

For this organization, the security plan and policies can be the fundamental component of an effective cyber security program. This is because the security plan and policies provide a starting point for Garena as it gets serious about securing its online social and gaming platform (Sadgrove 2016). Security planning and policies also help Garena formally document and demonstrate its objectives and goals regarding security and its desire to exercise due diligence. They play a crucial role in recognizing who is formally responsible for maintaining the security of Garena's business activities (Schumacher et al. 2013). With regard to risk analysis and risk minimization, security planning and policies also help Garena properly identify its major processes, systems and applications and the common risks or threats to the organization. In addition, Garena can recognize the security plan and policies necessary to support the business goals and objectives of this medium sized organization in Singapore (Khouzani et al. 2016). Furthermore, security planning and policies give the organization scope to identify and implement applicable security control frameworks such as state level, CJIS, NG-SEC and other frameworks. Most importantly, security planning and policies are strategic in nature, and the security plan is the foundation of the security program that provides the framework for future and consistent Public Safety Answering Point (PSAP) compliance.

Security planning and policies should be visible in order to be effective (Lincke 2015). Security policies should provide particular guidelines for the areas of responsibility and consist of plans that give the steps to take and the rules to follow. Therefore, a good risk assessment should be capable of determining whether good security controls and security policies have been implemented. Note, however, that specifying a restrictive account lockout policy increases the potential for denial of service attacks against the accounts it protects.

Risk Analysis and Implementation of Appropriate Security Policies

Risk assessment and analysis helps Garena identify and analyze risks so that the company can mitigate them. Risk assessment is a crucial component of computer security planning (Stern 2014). Moreover, it provides a fundamental baseline for implementing security plans that protect assets against several threats. There are several ways in which the risks involved in Garena's business operations can be identified. One way is to gather personnel from within the company and hold a brainstorming session in which the company lists its assets and the risks to those assets (Lincke 2015). This would also help enhance security awareness within the company.

Figure 2: Relation between good risk assessment and security planning (Source: Fitzgerald and Mulkey 2013, p.127)

Business risks can come from three major sources: unintentional risks, intentional risks and natural disaster risks. The risk assessment step within the security strategy is very crucial (Almeshekah and Spafford 2014). The flowchart of the risk assessment step within the security strategy can be segmented into a few steps.
These are as follows:

- Recognize the assets the organization intends to protect, as well as the value of those assets
- Recognize the risks to every asset
- Determine the category of the cause of the risk
- Recognize the techniques, tools or methods utilized by the threats

After completing these steps, it is possible to plan security controls for reducing the risk realization (Hansson and Aven 2014). Garena is a dynamic organization, and its security plan is also dynamic. Therefore, the organization should periodically update its risk assessment along with its business operations. After the assets have been identified, it is important to determine all the risks that can affect every asset. One approach is to recognize the different avenues through which an asset can be destroyed, stolen, altered or damaged, such as financial information captured in the database system (Sawik 2013). The risks include component failure, hardware and software misuse, worms, Trojan horses or viruses, unauthorized modification or deletion, unauthorized information disclosure, software flaws and bugs, and penetration. The information processed or produced at the time of the risk analysis should be categorized according to its sensitivity to disclosure or loss, in order to develop an effective security planning policy for Garena. Many companies use a small set of information categories such as proprietary, for internal use only or organization sensitive (Li 2014). The categories used in the security policy should be consistent with any existing categories. The data should therefore be broken into four sensitivity classifications with different handling requirements: public, private, confidential and sensitive (Haimes 2015).

This standard data sensitivity classification system should be used throughout the company. After the data sensitivity and risks have been identified, the likelihood of every risk occurring should be estimated (Canto-Perello et al. 2013). Threat quantification is hard work. Obtaining estimates from third parties, basing estimates on company records, investigating collected statistics or published reports, and basing estimates on guesses extrapolated from previous experience are a few significant ways of estimating risk within Garena's business operations.

Security Plan for the Organization

The security of an organization like Garena comprises several security policies. These policies provide specific guidelines for a few significant areas of responsibility and consist of plans that give the steps to take and the protocols to follow in implementing the policies (Markmann, Darkow and von der Gracht 2013). The policies should therefore state what Garena considers valuable and specify which steps should be taken to safeguard those assets. Security policies within security planning can be drafted in several ways.

Figure 3: Security Planning Process (Source: Sovacool and Saunders 2014, p.641)

Another approach is to draft a policy for each of several sets of assets, incorporating remote access policies, internet access policies, password policies and email policies. However, there are two common issues with the organizational policies of Garena. One is that the policy is a platitude rather than a direction or decision (Haimes 2015). The other is that the security policy is not really used by the company; instead, it is a piece of paper to show to customers, lawyers, auditors and other organizational components of Garena.
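The risk assessment steps and the four-class data sensitivity scheme from the Risk Analysis section above, turned into a small risk register that rejects entries outside the standard categories and ranks risks for prioritization. This is an added example, not part of the original post or of Garena's own process; the scoring rule (asset value weighted by sensitivity class, times estimated likelihood), the asset names, values and likelihood figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Standard sensitivity classes and risk sources named in the post.
SENSITIVITY = {"public": 1, "private": 2, "confidential": 3, "sensitive": 4}
RISK_SOURCES = {"unintentional", "intentional", "natural disaster"}

@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: str   # one of the four SENSITIVITY classes
    value: int         # relative business value, 1..10 (constructed scale)

@dataclass(frozen=True)
class Risk:
    asset: Asset
    description: str
    source: str        # unintentional, intentional or natural disaster
    technique: str     # how the threat would be realised
    likelihood: float  # estimated probability of occurrence, 0..1

def validate(risk: Risk) -> None:
    """Reject register entries that fall outside the standard categories."""
    if risk.asset.sensitivity not in SENSITIVITY:
        raise ValueError(f"unknown sensitivity class: {risk.asset.sensitivity}")
    if risk.source not in RISK_SOURCES:
        raise ValueError(f"unknown risk source: {risk.source}")
    if not 0.0 <= risk.likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")

def exposure(risk: Risk) -> float:
    """Assumed scoring rule: asset value weighted by sensitivity, times likelihood."""
    validate(risk)
    return risk.asset.value * SENSITIVITY[risk.asset.sensitivity] * risk.likelihood

def rank(register: list) -> list:
    """Return (asset, risk description, exposure) triples, highest exposure first."""
    scored = [(r.asset.name, r.description, round(exposure(r), 2)) for r in register]
    return sorted(scored, key=lambda t: t[2], reverse=True)

# Constructed sample register; assets, values and likelihoods are illustrative only.
PLAYER_DB = Asset("player account database", "confidential", 9)
GAME_SERVER = Asset("Garena+ game server", "private", 7)
PATCH_NOTES = Asset("public patch notes site", "public", 2)
SAMPLE_REGISTER = [
    Risk(PLAYER_DB, "unauthorized information disclosure", "intentional", "compromised password", 0.30),
    Risk(PLAYER_DB, "unauthorized deletion", "unintentional", "administrator error", 0.10),
    Risk(GAME_SERVER, "prolonged outage", "natural disaster", "flooding at the hosting site", 0.02),
    Risk(PATCH_NOTES, "unauthorized modification", "intentional", "web server software flaw", 0.25),
]

if __name__ == "__main__":
    for name, desc, score in rank(SAMPLE_REGISTER):
        print(f"{score:6.2f}  {name}: {desc}")
```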
Therefore, computer security policies should be implemented in such a way that the unqualified support of Garena's management is clear, particularly in environments where employees feel inundated with procedures, guidelines, directives and policies (Sadgrove 2016). Garena's security policy can be the vehicle for emphasizing the company's commitment to security and making clear its expectations for the accountability, behavior and performance of employees. Security policies for Garena's business operations can be defined for any area of security (Fitzgerald and Mulkey 2013). It is up to the IT manager and security administrator to determine which policies have to be defined and who should plan them. A few significant types of policies should be implemented by Garena: password policies, email policies, internet policies, and backup and restore policies.

Password Policies

The security provided by a password system depends mainly on the passwords being kept secret at all times. A password is therefore vulnerable to compromise whenever it is known, stored or used (Almeshekah and Spafford 2014). Passwords are vulnerable to compromise in five necessary contexts of a password system. Employees may not disclose their passwords to anyone, and this includes IT managers and administrators.

Administrative Responsibilities

The administrator is responsible for generating and assigning the initial password for every user login, and the user should then be informed of the password (Hansson and Aven 2014). In some areas it may be essential to prevent exposure of the password to the administrator.

User Responsibilities

Users should understand their responsibilities for keeping passwords private and for reporting changes in their status, suspected security violations and so forth (Canto-Perello, Curiel-Esparza and Calvo 2013). It is therefore recommended that every user be required to sign a statement acknowledging these responsibilities, to assure security awareness among the user population.

Email Policies

Email is crucial to the normal conduct of Garena's business. Garena therefore requires email policies to help workers use email properly, to reduce the risk of inadvertent or intentional misuse, and to ensure that official records transmitted through email are managed properly (Haimes 2015).

Internet Policies

The World Wide Web (WWW) comprises a body of software and a set of conventions and protocols used for traversing and finding information over the internet. Web servers can be attacked directly or used as jumping off points for attacking Garena's internal networks (Li 2014). However, web servers can be secured in a few significant ways, such as through server scripts, web server software and other software. Moreover, proper configuration of the IP protocol, routers and firewalls can help fend off denial of service attacks.

Backup and Restore Policies

Backups are necessary only if the information captured on the system is of importance and value (Stern 2014). They are important because of computer hardware failure, user error, administrator error, software failure, hacking and vandalism, theft and natural disasters.

Conclusion

After conducting the entire study, it can be concluded that a good risk assessment should be capable of determining whether good security controls and security policies have been implemented.
This study has reached its conclusion by properly discussing and researching security planning, policies and risk analysis for a medium sized organization in Singapore such as Garena. In this regard, the study has portrayed appropriate security measures that can help Garena ensure its business continuity within the gaming industry. Most importantly, the study has also designed an appropriate security plan for Garena, which would show the organization a significant way to control its security concerns and risks.

References

Almeshekah, M.H. and Spafford, E.H., 2014, September. Planning and integrating deception into computer security defenses. In Proceedings of the 2014 workshop on New Security Paradigms Workshop (pp. 127-138). ACM.
Canto-Perello, J., Curiel-Esparza, J. and Calvo, V., 2013. Criticality and threat analysis on utility tunnels for planning security policies of utilities in urban underground space. Expert Systems with Applications, 40(11), pp.4707-4714.
Fitzgerald, C.T. and Mulkey, J.R., 2013. Security planning, training, and monitoring. Handbook of Test Security, p.127.
Garena - The Official Site. (2017). [online] Intl.garena.com. Available at: https://intl.garena.com/ [Accessed 17 Feb. 2017].
Haimes, Y.Y., 2015. Risk modeling, assessment, and management. John Wiley & Sons.
Hansson, S.O. and Aven, T., 2014. Is risk analysis scientific? Risk Analysis, 34(7), pp.1173-1183.
Khouzani, M.H.R., Malacaria, P., Hankin, C., Fielder, A. and Smeraldi, F., 2016, September. Efficient Numerical Frameworks for Multi-objective Cyber Security Planning. In European Symposium on Research in Computer Security (pp. 179-197). Springer International Publishing.
Li, W., 2014. Risk assessment of power systems: models, methods, and applications. John Wiley & Sons.
Lincke, S., 2015. Managing Risk. In Security Planning (pp. 61-83). Springer International Publishing.
Lincke, S., 2015. Planning for Network Security. In Security Planning (pp. 135-158). Springer International Publishing.
Markmann, C., Darkow, I.L. and von der Gracht, H., 2013. A Delphi-based risk analysis: Identifying and assessing future challenges for supply chain security in a multi-stakeholder environment. Technological Forecasting and Social Change, 80(9), pp.1815-1833.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Sadgrove, K., 2016. The complete guide to business risk management. Routledge.
Sawik, T., 2013. Selection of optimal countermeasure portfolio in IT security planning. Decision Support Systems, 55(1), pp.156-164.
Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F. and Sommerlad, P., 2013. Security Patterns: Integrating security and systems engineering. John Wiley & Sons.
Sovacool, B.K. and Saunders, H., 2014. Competing policy packages and the complexity of energy security. Energy, 67, pp.641-651.
Stern, D.A., 2014. Balanced Design in Information Systems Security Planning. In The International Conference in Information Security and Digital Forensics (pp. 110-120). The Society of Digital Information and Wireless Communication.