Assignment No 4
Question No. 01
Princeton University's Information Security Policy, available at
https://oit.princeton.edu/policies/information-security, provides a
comprehensive framework aimed at safeguarding the institution's information
assets.
Evaluation:
Strengths:
Clear Purpose: The policy explicitly states its objective to "provide a security
framework that will ensure the protection of University Information from
unauthorized access."
Defined Scope: It delineates the applicability of the policy to all members of
the university community, ensuring comprehensive coverage.
Roles and Responsibilities: The policy assigns specific responsibilities to
various stakeholders, promoting accountability within the organization.
Areas for Improvement:
Detailed Procedures: While the policy outlines general principles, it could
benefit from more detailed procedures or references to specific guidelines for
implementation.
Regular Review Process: The policy does not specify a schedule for regular
reviews and updates, which is essential to keep up with evolving security
threats.
Missing Elements:
Incident Response Plan: A detailed incident response plan outlining steps to
be taken in case of a security breach is not evident.
Training and Awareness Programs: There is no mention of mandatory
training programs to educate staff and students on information security best
practices.
Questions Arising:
1. How does the university ensure compliance with this policy among all
departments?
2. What mechanisms are in place for reporting and managing security
incidents?
Perception of Information Security Level:
The policy reflects a solid foundational approach to information security,
indicating that the university acknowledges the importance of protecting its
information assets. However, the absence of detailed procedures and specific
implementation strategies may suggest areas where the institution's security
posture could be strengthened.
Confidence-Boosting Aspects:
The clear assignment of roles and responsibilities indicates a structured
approach to information security.
The policy's applicability to all community members demonstrates a
commitment to comprehensive security.
Trust-Reducing Factors:
The lack of detailed implementation procedures may lead to inconsistencies
in policy enforcement.
The absence of a specified review cycle could result in outdated security
measures remaining in place.
Question No. 02
Risk (Asset/Threat): Phishing attacks aimed at collecting students' personal and academic
information through deceptive emails.
Level of Risk: High
Recommended Controls:
• Educate students on recognizing phishing emails.
• Implement email filtering to detect and block phishing attempts.
• Enable multi-factor authentication (MFA) for accessing academic portals.
• Regularly update and patch email systems to mitigate vulnerabilities.
• Conduct phishing simulation exercises to test students' awareness.
Priority: High
Selected Controls:
• Enhance email filtering capabilities.
• Roll out multi-factor authentication for all student accounts.
Required Resources:
• 4 days of IT security team time to configure email filters, implement MFA, and test systems.
• 2 days of training sessions for students and staff on phishing awareness and MFA usage.
Responsible Persons:
• Jane Smith, Lead IT Security Officer
• University IT Support Team
Start to End Date: February 8th, 2025 to February 14th, 2025
Other Comments:
• Regularly review and update email filtering rules.
Question No. 03
Similarities:
Focus on Security Incidents: Both standards place significant importance on auditing
security-related events. For example, X.816 addresses security service requests and their
use, while ISO 27002 addresses incidents such as access control violations and fault logging.
Management and Monitoring: Both frameworks include system management and monitoring
targets for auditing, in order to verify that security controls are implemented and monitored
appropriately.
Compliance and Policy Enforcement: Both emphasize adherence to security policies and
checking for compliance through thorough audits and event tracking.
Differences:
Scope: ITU-T X.816 concentrates on auditing in an Open Systems Interconnection (OSI)
environment, targeting security frameworks for open systems specifically. ISO 27002,
in contrast, provides a more extensive collection of information security controls,
applicable in a variety of organizational environments.
Level of Detail: ISO 27002 offers detailed implementation guidance and a larger collection
of controls across several domains (organizational, people, physical, and technological).
ITU-T X.816 addresses specific security events regarding connectivity, service, and
management operations.
Types of Events: ITU-T X.816 addresses specific auditable events such as "deny access",
"create object", and "use of privilege". ISO 27002 addresses broader controls for areas such
as access control, secure coding, and information security for use of cloud services.
Overall Comparison:
ISO 27002 is the more comprehensive of the two, with its wide collection of controls and
implementation guidance applicable across a variety of security domains and
organizational levels.
ITU-T X.816 addresses security audit in an open-systems environment in detail.
Both standards serve a specific purpose: ISO 27002 provides a general-purpose framework,
while ITU-T X.816 offers focused detail on a set of critical security events. Combining
the two can provide a strong strategy for auditing and protecting information systems.
Question No. 04
Step 1: Risk Identification:
ID. Threat/Risk: Description
1. Data Corruption: Potential corruption of data files due to software/hardware failures.
2. Unauthorized Data Modification: Risk of unauthorized changes to data files by malicious
actors or insiders.
Step 2: Risk Analysis:
ID. Threat/Risk: Likelihood / Impact / Risk Level
1. Data Corruption: Likelihood Medium / Impact High / Risk Level High
2. Unauthorized Data Modification: Likelihood High / Impact High / Risk Level Critical
Step 3: Risk Evaluation:
ID. Threat/Risk: Acceptable / Action Required
1. Data Corruption: Acceptable No / Action Required Yes
2. Unauthorized Data Modification: Acceptable No / Action Required Yes
Step 4: Recommendations for Risk Treatment:
ID. Threat/Risk: Recommended Controls
1. Data Corruption: Implement regular backups, use RAID systems, and conduct frequent
data integrity checks.
2. Unauthorized Data Modification: Enforce strict access controls, use strong encryption, and
employ an intrusion detection system (IDS).
Risk Treatment Plan:
Data Corruption:
• Backups: Perform regular backups and store them in secure, offsite locations.
• RAID Systems: Use RAID (Redundant Array of Independent Disks) to mitigate the risk
of hardware failures.
• Data Integrity Checks: Conduct frequent integrity checks to identify and rectify
corrupted data quickly.
Unauthorized Data Modification:
• Access Controls: Implement strict access control policies to limit who can view or
modify sensitive data.
• Encryption: Use strong, authenticated encryption to protect data both at rest and in
transit, so that tampering with ciphertext is detected rather than silently accepted.
• Intrusion Detection Systems (IDS): Deploy IDS to monitor network traffic and detect
any unauthorized access attempts.
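The data integrity checks recommended for risk 1 and the tamper detection needed for risk 2 can be served by one mechanism. The following is an added example, not part of the assignment: it records a plain SHA-256 hash (which catches accidental corruption) and an HMAC-SHA256 tag keyed with a secret the file server does not hold (which also catches an insider who edits a file and then rewrites the hash manifest to match). The sample files, the key value and the directory layout are constructed for illustration.

```python
"""Integrity and tamper checks over a directory of data files (added example).

A plain-hash manifest stored next to the data catches corruption, but anyone
with write access can rewrite both the file and its hash. A keyed tag over the
same files closes that gap: without the key, a forged manifest entry can be
detected. The key must live off the data server (a KMS, HSM, or the auditing
host only); here it is a constructed constant so the example runs offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Optional

CHUNK = 64 * 1024


def _digest_file(path: Path, key: Optional[bytes] = None) -> str:
    """Stream the file through SHA-256 (key is None) or HMAC-SHA256 (keyed)."""
    h = hashlib.sha256() if key is None else hmac.new(key, digestmod="sha256")
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> Dict[str, Dict[str, str]]:
    """Record a plain hash and a keyed tag for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): {
            "sha256": _digest_file(p),
            "hmac": _digest_file(p, key),
        }
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: Dict[str, Dict[str, str]], key: bytes) -> Dict[str, str]:
    """Classify every file. Returns {relative_path: status}.

    ok               content agrees with both the plain hash and the keyed tag
    changed          content disagrees with both records: disk corruption, or a
                     modification by someone who never touched the manifest
    manifest_forged  exactly one record agrees: the manifest was edited to hide a
                     change (plain hash matches, keyed tag does not) or the
                     manifest's hash entry itself was altered (tag matches,
                     plain hash does not); either way someone without the key
                     wrote to the manifest
    missing          listed in the manifest but absent on disk
    unexpected       present on disk but absent from the manifest
    """
    result: Dict[str, str] = {}
    for rel, rec in manifest.items():
        p = root / rel
        if not p.is_file():
            result[rel] = "missing"
            continue
        sha_ok = hmac.compare_digest(_digest_file(p), rec["sha256"])
        tag_ok = hmac.compare_digest(_digest_file(p, key), rec["hmac"])
        if sha_ok and tag_ok:
            result[rel] = "ok"
        elif sha_ok or tag_ok:
            result[rel] = "manifest_forged"
        else:
            result[rel] = "changed"
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            result[rel] = "unexpected"
    return result


def demo() -> Dict[str, Dict[str, str]]:
    """Build a manifest over constructed sample files, then replay both risks."""
    key = b"verification-key-held-off-the-file-server"  # constructed for the example
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "grades.csv").write_bytes(b"student,grade\nalice,A\nbob,B\n")
        (root / "roster.txt").write_bytes(b"alice\nbob\n")
        (root / "notes.txt").write_bytes(b"no changes here\n")
        manifest = build_manifest(root, key)
        baseline = verify_manifest(root, manifest, key)

        # Risk 1, data corruption: a storage fault flips bytes in roster.txt.
        (root / "roster.txt").write_bytes(b"alice\nb\x00b\n")
        # Risk 2, unauthorized modification: an insider edits grades.csv and
        # rewrites the plain-hash entry so a SHA-256-only check would pass.
        (root / "grades.csv").write_bytes(b"student,grade\nalice,A\nbob,A\n")
        manifest["grades.csv"]["sha256"] = _digest_file(root / "grades.csv")
        # One file removed, one unknown file dropped in.
        (root / "notes.txt").unlink()
        (root / "payload.bin").write_bytes(b"\x90\x90")
        after = verify_manifest(root, manifest, key)
    return {"baseline": baseline, "after": after}


if __name__ == "__main__":
    for phase, statuses in demo().items():
        print(phase, statuses)
```

Run it as a scheduled job against a manifest produced at backup time: "changed" files are candidates for restore from backup, while any "manifest_forged" result should be escalated as a security incident, because it means the manifest itself was rewritten by someone who did not hold the key.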