Assessment Description: A business continuity plan details all of the steps a company must take in the event of an emergency, whether it is fire, flood, or computer hacking. This is how to create one


Assessment Description:

A business continuity plan details all of the steps a company must take in the event of an emergency, whether it is fire, flood, or computer hacking. This is how to create one that maximizes your business’s chance of survival should something like that happen.

Reference the “FEMA Small Business Continuity Plan Template,” located in the topic Resources as well as the “Benchmark – Impact Analysis Part 1: Information Acquisition,” “Impact Analysis Part 2: Audit,” and “Impact Analysis Part 3: Prevention and Response Strategies,” assignments from CYB-630. Then, create a 40- to 60-page comprehensive business continuity plan that reports how the business will successfully operate regardless of any obstacles. The FEMA template can be used but copying and pasting any section of the document for the assignment constitutes plagiarism and will be treated as such. Use your own words when filling out each section of the BCP. Within the BCP, make sure to address the following:

  • Develop a cybersecurity program aligned with business needs, regulations, and compliance standards to enhance the organization’s security posture.
  • Determine appropriate business strategies to ensure business sustainability, availability, and reliability, and articulate these needs to relevant stakeholders.
  • Include the components of the BCP.

Note: Since this course is the culmination of the Business Continuity Plan, students may utilize or adapt any of their previous assignments from earlier classes in the program for assignments in this course.

While APA style is not required for the body of this assignment, solid academic writing is expected, and documentation of sources should be presented using APA formatting guidelines, which can be found in the APA Style Guide, located in the Student Success Center. An abstract is not required.

This assignment uses a rubric. Please review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion.

You are not required to submit this assignment to LopesWrite.

Benchmark Information

This benchmark assignment assesses the following programmatic competencies:

MS Cybersecurity

4.1 Develop a cybersecurity program aligned with business needs, regulations, and compliance standards to enhance an organization’s security posture.

4.2 Determine appropriate business strategies to ensure business sustainability, availability, and reliability and articulate these needs to relevant stakeholders.

Information Technology Governance Framework
Institutional Affiliation: Grand Canyon University
Instructor’s Name: Khester Kendrick
Student’s Name: Hamidou Oussoumanou
Course Code: 630

Evaluate the components of IT governance that facilitate regulatory compliance within the organization.

Mervin INC. has designed and developed its information governance framework to manage its information technology resources effectively, allowing it to achieve its objectives. Regulatory compliance is considered a critical aspect of the company’s information technology governance, and the company has set up several components that allow it to comply with its regulatory requirements. Some of the components that the company uses include:

Policies and procedures: The policies and procedures allow the organization to meet the governance framework, as they define the rules and guidelines on how information technology resources should be used and managed. Furthermore, the policies and procedures are designed to ensure that information technology resources meet the standards required by the organization.

Risk management: The risk management process identifies and assesses the risks in the organization and classifies them according to their impact on the business and the likelihood of each risk occurring. After the risks have been identified, the management of the organization sets strategies for how the risks can be eliminated (Stein, 2018).

Training and awareness: The organization uses training and awareness to ensure that employees are aware of their requirements, allowing them to work in accordance with the requirements of the organization. Training and awareness allow employees to understand their roles, thus meeting regulatory compliance in the business.

Compliance monitoring: The organization has developed compliance monitoring strategies that ensure the normal running of the information technology resources follows the organization’s standards. Compliance monitoring covers a wide range of systems in the organization, including information technology systems, processes, and controls, and issues are reported to the required department.

Incident management: The information governance framework of the organization is composed of an audit plan that determines the requirements to be met under each regulatory obligation, followed by an incident management plan composed of a reporting plan, an investigation plan, and a resolution plan that identifies how the risks of the business are to be handled (Barbosa et al., 2014).

The overarching guidance and laws the industry should comply with

The overarching guidance and laws allow the organization to operate fairly and ethically and to comply with its regulatory requirements. Some of the overarching guidance and laws include:

Financial reporting and disclosure requirements – Mervin INC must comply with the financial reporting and disclosure requirements that allow it to provide accurate and timely information about its financial performance.

Data protection and privacy laws – Mervin INC is required to comply with the data protection and privacy laws that govern how the company may use the information it collects, uses, and stores about the stakeholders of the business.

Anti-corruption laws – The company must comply with anti-corruption laws, which prohibit it from participating in corruption in any of its forms.

Intellectual property laws – The company is required to comply with intellectual property laws, which protect copyrights, trade secrets, and trademarks.

Labor laws – The organization is required to comply with labor laws, which govern issues such as working hours, when an employee is required to work overtime, and a minimum wage for all employees of the business.

Examine the requisite set of standards, frameworks, policies, and best practices in the development and implementation of the organization’s objectives.

The additional requirements that Mervin INC must address when developing and implementing the objectives of the organization include the Cybersecurity Framework (CSF), the International Organization for Standardization (ISO), and the National Institute of Standards and Technology (NIST). The Cybersecurity Framework is composed of voluntary standards and best practices that an organization can use to minimize cybersecurity risks (Tallon et al., 2019). The National Institute of Standards and Technology plays a crucial role in promoting innovation and industrial competitiveness by advancing standards and technology for economic security. NIST can be used to promote measurements, standards, and technology that produce reliable systems and services to support business operations. Lastly, management can opt to use the International Organization for Standardization to encourage innovation in the company, as it supports the development of innovative ideas associated with the business, allowing it to increase its international trade and investment, which can play a crucial role in promoting economic growth and development.

Requirement analysis for formulating and deploying business information systems and solutions

For Mervin INC to formulate and deploy business information systems, it needs to know the financial tasks that the information systems are required to carry out. After identifying the tasks, it has to set up the standards that the company requires in order to be successful, which the company’s information technology resources must meet. After setting up the standards, the company is required to identify the risks associated with the data management systems and an effective strategy for how the risks can be mitigated (Stein, 2018). After setting up a strategic plan for analyzing the risks, the company can ensure that its policies and procedures are always active, up to date, and adhered to, so that it is able to comply with its regulatory requirements. The company should ensure that whenever new systems are added to the network, they are correctly configured within the information systems so that the security controls are effective enough to enforce the security policies used in the company. Lastly, the management of the company should ensure that the information technology teams are well trained in security and in the procedures for handling data stored in the company.

Critical data infrastructure assets of the company

The company’s critical infrastructure includes the network, computer utilities, applications, computers, and the customer and client data categories, such as basic and interaction data. The networking infrastructure comprises networking hardware, software, and networking services that ensure all computers are on the same network. Computer utilities are software designed to help computer users carry out tasks such as managing, maintaining, and optimizing computers. Computer applications are software designed to allow users to achieve a specific purpose, and several applications are used in the company, covering creativity, communication, productivity, and the purpose of the business. Computers are electronic devices used to process data, store data, and run software applications. Client data considered a critical asset in the infrastructure includes basic and interaction data, because when criminals come across this data they can impersonate customers, which creates risks for the company (Liu, 2020).

Human resources for technical, management, and legal operations

As a leading loan provider, Mervin INC relies on multiple human resources for various operations. The human resource for technical operations is the information technology manager, who ensures that the technical infrastructure of the company meets its requirements. The human resource for management is the chief operations officer, whose main role is coordinating management activities and providing the company with a strategic plan for how various activities are to be done. The human resource for legal operations ensures that the company complies with relevant laws, regulations, and industry standards and helps the company overcome legal issues.

The requisite law enforcement entity where data breaches are reported

In case a data breach occurs in the company, the company has to evaluate the records stolen in the data breach and report the incident to the state law enforcement agency, as a data breach is considered a criminal offense in which the company might suffer financial loss and data theft. Reporting the incident to state law enforcement agencies will help the company investigate the attack, identify the perpetrators, and prosecute them (Tallon et al., 2019).

Cybersecurity policies in relation to the organization are aligned with the laws, regulations, and standards.

There are several cybersecurity rules and regulations that the company has to comply with, which include the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), the National Institute of Standards and Technology (NIST), and the Federal Information Security Management Act (FISMA). The Gramm-Leach-Bliley Act requires Mervin INC to safeguard and protect customers’ information. The Sarbanes-Oxley Act requires the company to maintain effective internal control over its financial reporting. The National Institute of Standards and Technology requires the company to use documented guidelines to improve cybersecurity risk management in the company. The Federal Information Security Management Act requires the company to develop and implement security programs that allow the company to protect information (Lloyd, 2020).

References

Barbosa, S. C. B., Rodello, I. A., & Pádua, S. I. D. D. (2014). Performance measurement of information technology governance in Brazilian financial institutions. JISTEM-Journal of Information Systems and Technology Management, 11, 397-414.

Liu, W., & Song, Z. (2020). Review of studies on the resilience of urban critical infrastructure networks. Reliability Engineering & System Safety, 193, 106617.

Lloyd, I. (2020). Information technology law. Oxford University Press, USA.

Stein, V., & Wiedemann, A. (2018). Risk governance: Primary rationale and tentative findings from the German banking sector. In Current issues in corporate social responsibility (pp. 97-110). Springer, Cham.

Tallon, P. P., Queiroz, M., Coltman, T., & Sharma, R. (2019). Information technology and the search for organizational agility: A systematic review with future research possibilities. The Journal of Strategic Information Systems, 28(2), 218-237.
Evaluating Cyber Security Protection Protocols
Institutional Affiliation: Grand Canyon University
Instructor’s Name: Khester Kendrick
Student’s Name: Hamidou Oussoumanou
Course Code: 630

Identify gaps when security measures fail, challenges and opportunities for improvement by conducting a thorough audit.

For an organization to identify the gaps revealed by failures, challenges, and opportunities in its security policies, the organization needs to conduct a thorough audit of the security policies that have been set. Conducting a thorough audit can be crucial in identifying the effectiveness of the existing security policies, and thus the areas of the organization’s security measures that need to be improved. Some of the gaps that can be identified by conducting a thorough audit include:

Technical gaps: Technical gaps are associated with the wrong implementation and configuration of security measures such as antivirus programs, firewalls, and intrusion detection systems. If the systems are not well implemented, they can be easily exploited, leading to unauthorized access to the systems.

Policy gaps: Policy gaps are associated with the implementation of strong security policies and procedures, such as effective password management and access control. If these policies are not well configured, they can lead to a security breach, incurring losses to the organization.

Personnel gaps: Personnel gaps are associated with the lack of effective awareness training for employees, leading to security failures, as intruders can use social engineering and phishing attacks to harvest an employee’s details and gain unauthorized access, thus compromising security.

Monitoring gaps: Monitoring gaps are associated with checking the security events of the system, including which files were accessed and from which computer they were accessed. Insufficient log retention can be associated with internal security risks that impact the data stored in the systems and access control (Nasser, 2017).

Compliance gaps: Compliance gaps are associated with the regulations and standards that have been set to regulate the industry. Non-compliance can lead to data losses, causing an organization to lose its reputation.

After finding the gaps in the systems, the opportunities for improvement can be used to analyze the main causes of these gaps and how better security controls can be implemented to harden them. Some of the measures that can be taken to enhance security include improving system configurations, creating awareness amongst employees, and improving monitoring mechanisms such as system logs. Improving the security measures allows organizations to improve their security policies, thus reducing the risks associated with security breaches.

The concepts of privacy and the effects of the internet on privacy.

Privacy concepts on the internet can be described as the principles and practices that have been set to protect personal information that is available on the internet. Some of the concepts available on the internet to promote data security include data privacy, privacy policies, and privacy standards. These concepts regulate the information that people can share on the internet, thus maintaining the confidentiality and integrity of a person’s data. The effects of the internet on privacy include increased collection of personal information, oversharing on social media, increased government surveillance, and cybercrime as a result of data breaches (Kang et al., 2015).

Identify industry-specific cyber laws in relation to inquiries and incidents of obtaining data and evidence.

Industry-specific cyber laws are laws that have been passed with the aim of protecting sensitive information, ensuring that evidence associated with a cybercrime is reported in the most effective and privacy-preserving manner, and allowing the prosecution of cybercriminals. Some of the laws that have been passed to obtain data and evidence include:

Computer Fraud and Abuse Act (CFAA), which criminalizes unauthorized access to computer systems; in a cyber incident, organizations are required to comply with this law to meet the requirements of law enforcement agents.

Electronic Communications Privacy Act (ECPA), which allows law enforcement agents to intercept electronic communications in case of a cyber incident; organizations are required to comply with the ECPA when disclosing electronic communications.

Payment Card Industry Data Security Standard (PCI-DSS), which governs the storage, processing, and transmission of credit card information, thus assisting in the process of identifying a security breach (Harichandran et al., 2016).

Assess the critical information infrastructure and determine configurations of logical controls, physical controls, data storage, encryption, switches, servers, firewalls, routers, and hubs to be compliant.

A critical system infrastructure should be composed of both physical and logical security systems to protect data from theft, as theft can lead to issues with the confidentiality, integrity, and availability of information. Logical security controls include firewalls and routers, which should always be well configured to maximize data confidentiality and availability. Physical assets include computer hardware such as hard drives and surveillance cameras, which are used for software installation, allowing them to achieve various tasks for everyday activities. Data storage and encryption concern the storage used to hold the company’s information, which should always be available for easy retrieval. Data storage should always be encrypted to maximize the privacy of an organization’s resources. Servers should be well configured with access control and effective access policies, preventing unauthorized access to the resources of the critical infrastructure. Firewalls should be well configured to monitor the traffic coming into and out of the organization and to block suspicious traffic that would affect the resources of the infrastructure. Routers can protect the critical infrastructure by facilitating access control, thus determining the level of access of each device on the internet. Routers can be configured with virtual private networks (VPNs) to connect securely to the infrastructure, minimizing security risks. Hubs can be used to segment the network of the infrastructure, reducing the extent of a breach after an attack.

V. Identify key auditable elements that would help in determining the current state of the organization’s cybersecurity posture and explain the relevance of each element.

Access control policies: These security policies provide the rules and guidelines on who can access various data, helping to maintain both data security and data governance in organizations. These rules can be used to protect information on the basis of policies and rules that meet the needs of information security.

Security policies and standards: These are the rules, guidelines, and best practices that define how organizations should protect their computing systems to prevent unauthorized access to data, which can lead to both theft and damage (Newhouse et al., 2017).

Authentication and authorization: These elements identify the users who try to access the systems and determine which users are to be granted access and which are to be denied, thus protecting computers against unauthorized access and theft of information.

Intrusion detection systems: These systems are preconfigured with policies that create guidelines on what they are to approve and what they are to reject, helping the systems meet their requirements. They are crucial in preventing unauthorized access to the information systems.

Risk assessment and management: These tools are used to assess the cyber threats an organization may face, the vulnerabilities associated with the organization, and the strategies that can be used to mitigate the risks.

Incident response plan: This is a document composed of procedures that outline how an organization will manage an incident associated with a data breach. The incident response plan can be used in detecting, containing, mitigating, and recovering data in case a data breach is experienced in an organization.

Virtual private network: These components work by encrypting data transmitted from the organization, thus preventing security incidents that could result from attacks such as man-in-the-middle and eavesdropping, among others (Newhouse et al., 2017).

Network intrusion response: These are systems designed to monitor unauthorized activities in the network; they are capable of blocking and flagging suspicious protocols, allowing the security teams to monitor the traffic and prevent breaches that might come through the network.

Data encryption protocols: This is the use of passwords to protect data from being accessed by unauthorized individuals in the organization. There are different types of data encryption, and security teams are required to select the most effective method depending on the information to be protected.

Security controls: Security controls are composed of both technical and administrative control tools used to protect the assets of the organization. Security controls include tools such as firewalls, intrusion detection systems, and security monitoring tools.

Legal elements and liabilities industries may face due to non-compliance.

Non-compliance is the failure to fulfill the requirements of regulations, policies, and standards, and it has serious impacts on an organization. Companies often face non-compliance issues due to trade infringement, copyright infringement, failure to adhere to acts associated with data protection, and breaching the terms stated in a contract. Legal elements and liabilities that an industry might face due to lack of compliance include fines and penalties, remediation, and reputational damage, which would lead to a loss of business for the company (Bauer et al., 2017).

References

Nasser, A. (2017). Information security gap analysis based on ISO 27001:2013 standard: A case study of the Yemeni Academy for Graduate Studies, Sana’a, Yemen. Int. J. Sci. Res. in Multidisciplinary Studies, 3(11).

Kang, R., Dabbish, L., Fruchter, N., & Kiesler, S. (2015, July). “My data just goes everywhere:” User mental models of the internet and implications for privacy and security. In Eleventh Symposium on Usable Privacy and Security (SOUPS 2015) (pp. 39-52).

Harichandran, V. S., Breitinger, F., Baggili, I., & Marrington, A. (2016). Cyber forensics needs analysis survey: Revisiting the domain’s needs a decade later. Computers & Security, 57, 1-13.

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). National Initiative for Cybersecurity Education (NICE) cybersecurity workforce framework. NIST Special Publication 800-181.

Bauer, S., Bernroider, E. W., & Chudzikowski, K. (2017). Prevention is better than cure! Designing information security awareness programs to overcome users’ non-compliance with information security policies in banks. Computers & Security, 68, 145-159.
Organizational Compliance on Security Measurements
INSTITUTIONAL AFFILIATION: Grand Canyon University
INSTRUCTOR’S NAME: Khester Kendrick
STUDENT’S NAME: Hamidou Oussoumanou
COURSE CODE: 630

Identify how negotiations between organizations and accreditors should be dealt with and provide an example.

Organizations and their accreditors are required to comply with the aim of maintaining ethical and legal standards in the organization. This is achieved when organizations and their accreditors negotiate with one another to arrive at their best terms, leading to credibility and development. Negotiations can be used to enhance integrity between management and auditors, as they allow all parties to express their views and reach a clear and concise conclusion (Jiang et al., 2021). Negotiations between the accreditors and the organization should be transparent and open to all sides, and they should focus on expressing the challenges faced by all sides, allowing them to meet the organization’s compliance requirements. After negotiations, all the key points should be documented in order to monitor the impacts of the changes on the organization. Successful negotiations can be documented in the organization’s proposed mitigation controls, as they can help reduce the risks associated with non-compliance.

Discuss the appropriate response strategies that should be put into action.

Breach notification policies are essential to an organization’s cybersecurity, as they identify the occurrence of a breach and how it can be contained to prevent the loss of more information. Breach notification allows the organization to notify customers and employees about a data breach, allowing them to take action within the shortest time possible to limit its impact. Some of the appropriate response strategies that can be put into action in an organization include containment and mitigation, notification, remediation, and, as the last step, review and evaluation. Containment and mitigation is the first step, and it involves isolating the infected systems and restricting access to limit the scope of the breach. Notification is one of the most important steps, as it lets business stakeholders know about the breach and the possible actions they can take to protect their personal information. Remediation allows the organization to patch the vulnerabilities that might have led to the breach, fixing them and making it harder for intruders to get into the organization. Review and evaluation is the last step, and it seeks to identify the areas to improve in order to prevent such incidents in the future. Effective breach notification policies can be critical in responding to data breaches, thus preventing the occurrence of such incidents in the future.

Explain employee training recommendations to create awareness of the organization’s security requirements.

Training employees to create awareness is considered a critical component of cybersecurity, as it makes employees aware of the cybersecurity policies, thus maintaining the security of the data stored in the organization’s information systems. Whenever the security team is training employees about security, they should always begin with the basics, such as the importance of strong security in an organization and how employees can enhance it (Chowdhury et al., 2021). The security teams can then make the training more engaging by simulating real-time threats, making the training more memorable for the employees of the organization. They can go on to emphasize the importance of reporting security incidents and how employees should act as soon as they identify one in the organization. Lastly, the security teams can help the employees test their knowledge by providing them with quizzes and phishing simulations to see how they act as soon as they identify an attack.

How to obtain feedback on the effectiveness of security policies from stakeholders?

Obtaining feedback on the effectiveness of security policies from stakeholders can be a critical activity for an organization seeking to enhance its cybersecurity. Organizations can obtain feedback from stakeholders by identifying the stakeholders impacted by the security policies, developing an effective feedback mechanism, asking specific questions about the security controls, and then analyzing the feedback in order to take action. An example of an organization that should obtain feedback on the effectiveness of its security policies is one conducting online banking, as it might need to learn its stakeholders’ views and come up with possible strategies for enhancing the security policies (Kumar et al., 2019).

V. How to identify new threats, vulnerabilities and risk management that I might have encountered to the initial security measures that were first implemented

In the organization where I worked, we used threat intelligence, which identified and analyzed potential threats to the organization. Threat intelligence monitors the current threats in the market and identifies the potential ways a threat can be eliminated as soon as it is identified in the systems of the organization. Threat intelligence systems can be used to help the security teams understand the risks the organization is likely to face and the potential ways an organization can protect itself. Threat intelligence systems allow the organization to stay ahead of potential attackers while ensuring that the data stored in the organization is safe, thus managing risks effectively if they are encountered.

VI. Identify mechanisms to adapt to threat intelligence, which identifies new and overlooked vulnerabilities, threats, and countermeasures.

Mechanisms that can be used to maintain a strong posture within an organization include conducting regular scans of the organization’s resources, creating an incident response plan, using threat intelligence sharing systems, using continuous threat monitoring systems, and, lastly, making use of reporting and communication systems. Regular scans can be used to identify emerging vulnerabilities in an organization, and whenever vulnerabilities are identified, the organization should use an effective incident response plan. Using threat intelligence sharing systems can allow particular departments to understand the trends of the threats, allowing action to be taken within the shortest time possible and minimizing the impact of the risks associated with the threat (Song et al., 2021).

VII. How stakeholders identified by threat intelligence should be notified about a threat, and provide an example of the notification methods.

Organizations with different types of stakeholders can opt to use different notification systems depending on the threat to the organization and its impact on the stakeholders. For instance, operational managers should be notified about a breach using an email that points out the impacts of the threat and the recommendations. The organization can opt to use text messages or short message services to reach stakeholders or customers who might not be in their respective offices and do not have access to their email (Song et al., 2021). The organization can opt to use application notifications to notify all users about the breach, so that they learn more about the security alert as soon as they launch the application. The organization can opt to use in-person briefings to provide detailed instructions to members about the breach. Lastly, the organization can opt to use public announcements, including social media platforms, radio, and television, to inform the public about a security breach.

VIII. Identify organization management techniques for responding to new challenges.

Different organizations use different management techniques, and it is always crucial to adopt them in developing effective policies for responding to new challenges. Some of the techniques that can be used in responding to new challenges include developing an effective risk management plan to identify potential risks and vulnerabilities, developing an incident response plan, and training employees on the impacts of cybersecurity. The organization can prioritize compliance monitoring and compliance management to meet the requirements set by various regulatory bodies, such as the General Data Protection Regulation.

IX. Define and apply the NIST cyber security framework functional areas, implementation tiers and profiles.

The National Institute of Standards and Technology (NIST) cybersecurity framework provides guidance for organizations to manage and reduce cybersecurity risks within the organization. The NIST framework is composed of three functional areas, which include identification and protection, detection and response, and recovery. Implementation tiers are applied to guide organizations on the actions to take to improve their cybersecurity posture (Taherdoost, 2022). The NIST framework is made up of four implementation tiers, which prioritize the implementation of the functions identified: partial, risk informed, repeatable, and adaptive. NIST has set up the profiles, which are used to align the cybersecurity functions and the implementation tiers with the organization’s objectives, risk tolerance, and the resources used by the organization. Profiles are applied to an organization’s cybersecurity to align implementation tiers with their functional areas, thus enhancing the security policies of the organization.

X. Describe how to develop a business continuity plan to prevent and recover from failures in the system.

Business continuity plans are critical components of an organization, as they help the organization recover after a system failure. It is always essential to develop a strategic business continuity plan that provides a strategic recovery process following a data failure. Some of the steps that can be used in developing a business continuity plan include:

Defining the scope of attack: This step defines the systems to be covered by the business continuity plan, and it also minimizes disruption of critical business functions to reduce the impacts.

Conducting an impact analysis: This step identifies the critical processes and functions performed by the business and analyzes the potential impact associated with the disruption of these services.

Developing a response plan: This step defines the steps to be taken when responding to a system failure, including the parties responsible for each step and the resources required to mitigate the impacts.

Developing a recovery plan: The recovery plan is composed of the steps to be taken to recover the system in case of a system failure. This strategy should focus on how the recovery of data, systems, and processes should take place after the failure.

Testing the business continuity plan: After the business recovery plan has been developed, it should be tested to facilitate effective recovery from system failures. Regular tests should be conducted to identify weaknesses associated with the systems.

Maintaining the business continuity plan: Maintenance should be carried out on the business continuity plan to ensure it is updated with the activities taking place in the organization and that all personnel are aware of it.
References:

Chowdhury, N., & Gkioulos, V. (2021). Cyber security training for critical infrastructure protection: A literature review. Computer Science Review, 40, 100361.
Jiang, J. X., Polsky, D., Littlejohn, J., Wang, Y., Zare, H., & Bai, G. (2021). Factors associated with compliance to the hospital price transparency final rule: A national landscape study. Journal of General Internal Medicine, 1-8.
Kumar, R., & Goyal, R. (2019). On cloud security requirements, threats, vulnerabilities and countermeasures: A survey. Computer Science Review, 33, 1-48.
Song, S., Wu, Q., Zheng, X., Wang, P., Dou, Y., Li, Z., & Zhai, L. (2021, October). Focus on the stability of large systems: Toward automatic prediction and analysis of vulnerability threat intelligence. In 2021 IEEE Sixth International Conference on Data Science in Cyberspace (DSC) (pp. 445-449). IEEE.
Taherdoost, H. (2022). Understanding cybersecurity frameworks and information security standards: A review and comprehensive overview. Electronics, 11(14), 2181.
Data Classification in Information Security
Institutional Affiliation: Grand Canyon University
Instructor's Name: Mr. Joshua McSwain
Student's Name: Hamidou Oussoumanou
Course Code: 690

I. Information Ownership

Information ownership can be described as the moral or legal rights and responsibilities given to a person, group, or organization over how their information is used, with the aim of controlling that information. Information ownership calls for intellectual property rights, which provide a legal framework for protecting information produced by a specific group and thus for controlling how it may be used (Reed, 2021). Information ownership allows the creators of information to manage and categorize data according to its sensitivity and confidentiality, which makes it possible to introduce policies governing and controlling the use of the information. It also makes it possible to create trademarks, patents, and copyrights, allowing organizations and groups to benefit from the information they develop and thereby encouraging innovation and creativity.

II. Vulnerability Mapping, Management, and Trackability

Vulnerability mapping and management can be described as identifying potential weaknesses and threats and creating a plan for how the vulnerabilities will be managed, using strategies such as configuration changes and security patches. Vulnerability management allows security teams to create a remediation proposal that addresses the system vulnerabilities and sets out the best approaches for resolving the vulnerabilities in the information systems. Vulnerability trackability is the process of tracking and monitoring the vulnerabilities of the components used in the systems and network infrastructure. It keeps a record of the vulnerabilities found in the system and of the actions taken to address them. The organization's security teams can use vulnerability mapping, management, and trackability to mitigate the risks associated with the systems with minimal impact (Ali et al., 2019). These practices identify risks in the information systems, allowing the security teams to create a risk assessment plan that pinpoints areas of potential threat and weakness. Once vulnerabilities have been identified, security rules can be implemented that reduce the chance of exploitation, thus protecting the data stored in the organization.

III. Significance of Configuration and Patch Management Policy

Configuration and patch management are critical to the systems used in an organization, as they ensure that those systems are well maintained and up to date. They prevent problems associated with compatibility issues and software faults, thus maximizing the efficiency of the organization's systems. System configuration provides a solid setup for the infrastructure, minimizing the impact of an attack (Araujo et al., 2020). Configuration and patch management allow new devices to be added and security and software upgrades to be applied, which improves the services the organization delivers and offers scalability of the systems when the organization expands. Configuration management can be used to roll out essential system fixes, which is crucial in preventing system failures and the data breaches that faulty systems can cause.

IV. Communication and Assigned Classifications

Communications should be differentiated into levels according to the roles of the system users. Level 1 should hold sensitive information and be accessible only to specific authorized users, such as system administrators. The protection of information stored at Level 1 should be stronger than at the other levels. Level 2 should hold information deemed sensitive but not secret to the organization, and it should be accessible only to authorized system users. Level 3 should not hold sensitive information about users; information stored at Level 3 is classified as non-sensitive or public, since it can be released to the public without any problem. It can include organizational updates and other information that the website administrators want potential visitors to know about the company.

V. Handling Standards

Enterprise Resource Planning requires data to be classified and handled in two main groups: public data and sensitive data. The two categories carry different levels of confidentiality and require different handling practices depending on how they are used in the organization. Sensitive data comprises confidential and private information and must not be disclosed to unauthorized users. Handling sensitive data requires strict practices to ensure its security, including access controls, data encryption, compliance, and data masking (Chen et al., 2020). Public data is data not considered sensitive to the organization; it may include general organizational data, marketing materials, financial statements, products sold, and other such information.
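The three-level scheme of Section IV and the handling practices of Section V, as an added example that is not part of the paper: a small Python policy that enforces which roles may read each level, masks Level 1 values by default, and records every decision for trackability. The role names, field names and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Classification levels as described in Section IV (assumed names)."""
    SENSITIVE = 1  # Level 1: restricted to system administrators
    INTERNAL = 2   # Level 2: authorized system users only
    PUBLIC = 3     # Level 3: releasable to anyone


# Roles permitted to read each level (assumed mapping of the paper's description).
ALLOWED_ROLES = {
    Level.SENSITIVE: {"admin"},
    Level.INTERNAL: {"admin", "employee"},
    Level.PUBLIC: {"admin", "employee", "public"},
}

AUDIT_LOG: list = []  # every access decision is recorded for trackability


@dataclass(frozen=True)
class Record:
    level: Level
    fields: dict


def mask(value: str) -> str:
    """Data masking: hide all but the last four characters of a sensitive value."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def handle(record: Record, role: str, unmasked: bool = False) -> dict:
    """Apply the handling standard for the record's level; return what `role` may see."""
    allowed = role in ALLOWED_ROLES[record.level]
    AUDIT_LOG.append((record.level.name, role, "allowed" if allowed else "denied"))
    if not allowed:
        raise PermissionError(f"{role} may not read Level {int(record.level)} data")
    if record.level is Level.SENSITIVE and not unmasked:
        # Sensitive data is masked by default, even for administrators.
        return {k: mask(v) if isinstance(v, str) else v for k, v in record.fields.items()}
    return dict(record.fields)


# Constructed sample records, one per level (not real data).
CUSTOMER = Record(Level.SENSITIVE, {"name": "A. Customer", "account": "ACCT-0042-9981"})
MEMO = Record(Level.INTERNAL, {"subject": "Q3 patch schedule"})
PRESS_RELEASE = Record(Level.PUBLIC, {"title": "New branch opens"})

if __name__ == "__main__":
    print(handle(CUSTOMER, "admin"))        # account shown as **********9981
    print(handle(PRESS_RELEASE, "public"))
```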
Public data does not require strict security controls or encryption, since it is meant to be freely shared with and easily accessed by the public.

References:

Ali, S. A., Khatun, R., Ahmad, A., & Ahmad, S. N. (2019). Application of GIS-based analytic hierarchy process and frequency ratio model to flood vulnerable mapping and risk area estimation at Sundarban region, India. Modeling Earth Systems and Environment, 5, 1083-1102.
Araujo, F., & Taylor, T. (2020, November). Improving cybersecurity hygiene through JIT patching. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (pp. 1421-1432).
Chen, R. C., Dewi, C., Huang, S. W., & Caraka, R. E. (2020). Selecting critical features for data classification based on machine learning methods. Journal of Big Data, 7(1), 52.
Reed, C. (2021). Information ownership in the cloud. In Cloud Computing Law (2nd ed.). Oxford University Press.
