Assignment Task (Assignment Number: UA519)
ISO 27001:2013 IMPLEMENTATION IN UNIVERSITY
2 Background and Related Work
2.1 Introduction
Each of your chapters should have an introduction to tell your readers what they will find in the chapter. Eventually this submission will form Chapter 2 of your report, so when you include it in your report it will be numbered accordingly and make sense in context of the whole. It will help you if you create a plan for your report now, with headings and sub-headings, so that you have an idea of your structure and how this chapter fits into the whole.
In this chapter you should summarise current knowledge and what others have done in the various topics of your project – in the application area and in the various technologies that you might have used or did use. You should evaluate that knowledge and state how it is useful for your project. Write for someone familiar with computing, but not necessarily expert in the particular topics of your project. Give references to other work by using cross-references to entries in the References section, like this (Turner & Jennings, 2002).
It is often useful to start this chapter with an overview of its contents, giving the reasoning behind why you have structured it in a particular way. The main thrust of the chapter is a review of relevant work by other authors and the relationship between this and your own work.
You are aiming for around 8-10 pages for this chapter.
For editorial consistency, it is important to use Word styles properly. If the styles referred to below are not visible on the Home ribbon in the Styles category, choose ‘Apply Styles’ from the down arrow at the bottom right of the Styles category. Styles can then be applied from the drop-down box. To make a style visible as a quick style, choose Apply Styles, then click Styles (the AA icon) or use ‘Alt + Ctrl + Shift + S’, then right-click on the style and then ‘Add to Style Gallery’.
Chapters are entered using the ‘Heading 1’ paragraph style. The Heading 1 style automatically moves to the start of a new page and supplies the next chapter number. Pressing enter on a ‘Heading 1’ heading automatically inserts a ‘Heading 2’ heading underneath.
There should not be any text between a parent heading and its first sub-heading. For example, when you want to write an introductory section for the following sections, give that introductory section its own ‘Introduction’ heading instead of writing it between the heading preceding these sections and the first sub-heading.
As an example: This comment text is incorrectly placed between a ‘Heading 1’ (‘Introduction’) and a ‘Heading 2’ (‘Background and Context’).
Most text uses the ‘Normal Project Body’ paragraph style.
In general, use the default spacing that headings and paragraphs give you. Avoid using new-lines or spaces to format text. If you need to use quotes, preferably use single curly quotes ‘…’. If you wish to emphasise something, use the ‘Emphasis’ style; a ‘Strong’ style is also preconfigured.
Remember to Save frequently while you are working! Check that AutoSaving is enabled under options -> save -> ‘Save AutoRecover information every 5 minutes’.
2.2 Section Title Rename Me
2.2.1 Subsection Title Rename Me
You may wish to think about theming this chapter. Generally, 3 or 4 themes are enough. State your themes in the introduction and why they are relevant to your project. Each section could correlate to each of your themes. You must remember to state in each section why what you have discussed is relevant to your project, or why you have considered but are discarding it.
Linking your background reading to your project will get you extra marks. This whole chapter needs to link to what you are doing. If you cannot answer the question ‘SO WHAT?’ for everything you include here, then it has no place in this chapter.
You need to be critical, not descriptive. If all you are doing is regurgitating what you read, without being critical and without linking it to your project, you will not get a good mark. Look at the video on Blackboard that covers how to form an argument; it will help you write this chapter.
2.3 Section Title Rename Me
2.3.1 Subsection One Rename Me
As an example of a figure, consider Figure 1.
To place a figure, insert the picture / diagram / etc… where you want it to be, make sure it is selected and then apply the ‘Project Figure Title’ style which centres the figure horizontally.
Captions are entered through the ribbon menu under ‘References’ -> ‘Insert Caption’ or through right-clicking an image and selecting ‘Insert Caption’. Add the caption text in the box, separated with a dash as the example below shows.
Each figure is numbered automatically, and it is possible to make cross-references to figures.
Figure 1 – Highly Technical Diagram
2.4 Section Title Rename Me
2.4.1 Another Subsection Title Rename Me
To add a caption to a table, either select the whole table (e.g. by clicking on the + symbol in the upper left corner of the table), right-click it and choose ‘Insert Caption’ or click in any table cell and select ‘References’ -> ‘Insert Caption’ from the ribbon menu. Choose ‘Table’ as label and ‘above the item’ as position. Add the caption text in the box, separated with a dash as the example below shows.
Table 1 – Test Results
Table Heading 1 | Table Heading 2 | Table Heading 3 | Table Heading 4 |
2.5 Summary
Write a short summary at the end of this chapter. This is not your conclusions, that will go at the end of your report. This is a summary of the chapter. Have a look at the examples on Blackboard. Do not start this section with ‘In summary’, it is obvious from the heading what it is.
Once you have finished this chapter put it aside for at least 48 hours, then come back to it. READ IT OUT LOUD to yourself, this is a good editing technique.
Then, ask someone else to read it for you.
Get some informal feedback from your supervisory team. Make sure you do this with plenty of time before the submission date.
References
Note that this heading is not numbered. Please make sure you use the correct formatting for your references. Despite this topic having been covered multiple times, many students still do it incorrectly. If you are copying and pasting from somewhere else, check that the colour, font face and font size match the style for this document.
You should aim for at least 10-15 references (15 for a 1st). Ensure that the MAJORITY of these are good quality journal papers. This means at least 75% of them.
https://www.mendeley.com/guides/apa-citation-guide
Assignment Solution/Sample Answer
ISO 27001:2013 IMPLEMENTATION IN UNIVERSITY
Introduction
Telkom University is a private university in Bandung founded by the Telkom Education Foundation. It was established under the Minister of Education and Culture’s decisions Number 309/E/0/2013 of August 14, 2013, and Number 270/E/O/2013 of July 17, 2013, which merged Telkom Technology Institute, Telkom Management Institute, Telkom Polytechnic, and Telkom School of Art and Design into Telkom University. The School of Applied Science, which presently offers eight study programs, combines all diploma degrees into one faculty. Its educational model is vocational, since certificates are prioritised, which means that practical activities make up a large part of the lectures. All practicum activities take place in the laboratories, which are grouped by scientific subject and number 41 in total. In general, the laboratories are organised into three groups: the computer group, the engineering group, and the hospitality group, each responsible for managing its laboratory facilities and all operations. An information system was designed specifically to support each unit’s business processes and to store all data relating to facilities, assets, resources, administration and finance in the Laboratory Unit’s operating activities. This system, the SAS Laboratory Management Information System (SIMLAB), has been in use since 2016 and was registered with Indonesian Intellectual Property Rights in 2019 under the domain simlabfit.telkomuniversity.ac.id.
SIMLAB has six access levels, each granting a different degree of access. It is used mostly during working hours, from 8 a.m. to 5 p.m., as well as for practicum activities and meeting support. Because the data traffic and data transfer involved are relatively dense, the opportunity for data and information to be retrieved by unauthorised parties is fairly large. Cyber-attacks aimed at laboratory data have also occurred in the past, and such incidents threaten the security of the information system in all three dimensions of information security: Confidentiality, Integrity, and Availability.
Given the number of threats to information, strengthening information system security becomes a necessity. Information security is the protection of information against all threats in order to ensure the continuity of organisational activities, reduce risks, and optimise opportunities.
To determine the level of security in SIMLAB, the information security requirements specification standard ISO 27001:2013 was used. ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that describes the approach for managing information security in an organisation, with the most recent revision in 2013. ISO 27001:2013 is therefore used here as the standard for evaluating system specifications and system performance in terms of information security reliability and correctness.
ISO 27001 is the best-known standard in the ISO 27000 family, which establishes requirements for information security management systems (ISMS). ISO 27001:2013, published in October 2013, is the most recent iteration of this standard and covers the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and documenting an ISMS. ISO 27001:2013 specifies 14 clauses and 114 controls (Annex A) for ISMS implementation.
Methods
The data for this study was gathered through observation and interviews with users and the unit’s management. Scopes and clauses suited to the research context were defined in order to test the maturity level of every area of the object based on ISO 27001:2013. Table 1 lists the clauses that were used.
Table 1. Clauses used in Research
No | Clauses (Control Annex A) |
1 | A.7: Human Resource Security |
2 | A.8: Asset Management |
3 | A.9: Access Control |
4 | A.11: Physical and Environmental Security |
The defined controls were tested against the value criteria of the SSE-CMM (Systems Security Engineering Capability Maturity Model), a process-oriented methodology for developing secure systems. Its process areas specify what the security engineering process must accomplish, and the maturity levels classify how well the process achieves its aim. Table 2 explains the maturity levels.
A compliance analysis was then performed using the data and information gathered. The current level of conformity with the principles of the code of practice was classified using the following definitions: 1) Compliant, fully compliant with the specific ISO 27001:2013 requirement; 2) Partially compliant, on the way to being compliant but still requiring considerable effort; 3) Non-compliant, lacking the controls needed to meet the ISO 27001:2013 requirements.
Discussion and Conclusions
After gathering the statements from the Head of the Laboratory Unit, the data was evaluated. The maturity level analysis was the first step. Based on ISO 27001:2013, the measurement used 4 clauses, 45 security controls, and 73 customised statements. The maturity level for each target is derived from those statements, grouped by clause. Table 5 summarises the maturity level results.
Table 5. Summary Result of Maturity Levels Calculation
Clause | Average Value | Maturity Level | Description |
A.7: Human Resource Security | 2.61 | 3 | Well-Defined |
A.8: Asset Management | 2.04 | 2 | Planned and Tracked |
A.9: Access Control | 3.24 | 3 | Well-Defined |
A.11: Physical and Environmental Security | 3.16 | 3 | Well-Defined |
All Clauses (overall maturity level) | 2.76 | 3 | Well-Defined |
Each clause on its own has a maturity level between level 2 and level 3. Taken together, the whole system is at level 3, classed as Well-Defined, in terms of information security based on ISO 27001:2013. In addition to maturity levels, compliance levels for the specified requirement controls were obtained, with the following results:
- Only 16% of the controls examined were found to be compliant with the ISO 27001 criteria.
- 49% of the controls examined were found to be partially compliant with the ISO 27001 criteria.
- 36% of the controls examined were found to be non-compliant with the ISO 27001 criteria.
Figure 1 shows how the outcomes of the compliance level are represented.
Figure 1. Representation of the Compliance Level in All Clauses
The projected (target) maturity level for SIMLAB was set at 5 (optimal) as the compliance level. With the current maturity level of each selected control known, the gap for each statement was calculated, and the average gap across all clauses was derived from those values. Table 6 summarises the total maturity level gap for all clauses.
Figure 2 represents the maturity level gap by comparing the current maturity level with the projected maturity level. The value of the projected maturity level is based on the ISO 27001:2013 standard.
Figure 2. Representation of the Maturity Level Result in All Clauses
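The maturity, compliance and gap calculations described in the Methods section and reported in Tables 5 and 6 can be reproduced with a short script. The following is an added example, not code from the study or from Telkom University. The per-statement scores and compliance ratings in SAMPLE_STATEMENTS are constructed sample data (the control numbers are real ISO 27001:2013 Annex A identifiers used only as labels); the labels for levels 0, 1, 4 and 5 are the SSE-CMM level names, since Table 5 only uses levels 2 and 3; half-up rounding of a clause average to a level is inferred from Table 5 (2.61 becomes 3, 2.04 becomes 2); and the rule that a control with several statements takes its worst compliance rating is an assumption of this example.

```python
"""Maturity level, compliance level and gap calculation for an ISO 27001:2013
Annex A assessment, following the approach of the SIMLAB study.
Added example: all scores below are constructed, not the study's data."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# SSE-CMM capability levels. Levels 2 and 3 are the labels used in Table 5;
# the others are the SSE-CMM names (assumption: the same scale applies throughout).
MATURITY_LABELS = {
    0: "Not Performed",
    1: "Performed Informally",
    2: "Planned and Tracked",
    3: "Well-Defined",
    4: "Quantitatively Controlled",
    5: "Continuously Improving",
}
TARGET_LEVEL = 5  # projected (optimal) level used for the gap analysis
COMPLIANCE_RANK = {"compliant": 2, "partial": 1, "non-compliant": 0}


@dataclass(frozen=True)
class Statement:
    clause: str       # Annex A clause, e.g. "A.9"
    control: str      # Annex A control the statement belongs to, e.g. "A.9.2.1"
    score: int        # maturity level 0..5 awarded to this statement
    compliance: str   # "compliant" | "partial" | "non-compliant"


# Constructed sample data: control ids are real Annex A numbers, scores are invented.
SAMPLE_STATEMENTS = [
    Statement("A.7", "A.7.1.1", 3, "partial"),
    Statement("A.7", "A.7.2.1", 2, "non-compliant"),
    Statement("A.7", "A.7.2.2", 3, "partial"),
    Statement("A.7", "A.7.3.1", 3, "compliant"),
    Statement("A.8", "A.8.1.1", 2, "partial"),
    Statement("A.8", "A.8.1.2", 2, "partial"),
    Statement("A.8", "A.8.2.1", 1, "non-compliant"),
    Statement("A.8", "A.8.3.1", 3, "compliant"),
    Statement("A.9", "A.9.1.1", 2, "partial"),
    Statement("A.9", "A.9.2.1", 3, "compliant"),
    Statement("A.9", "A.9.4.1", 2, "non-compliant"),
    Statement("A.9", "A.9.4.2", 3, "partial"),
    Statement("A.11", "A.11.1.1", 3, "partial"),
    Statement("A.11", "A.11.1.2", 3, "compliant"),
    Statement("A.11", "A.11.2.1", 4, "compliant"),
    Statement("A.11", "A.11.2.1", 4, "partial"),   # second statement, same control
]


def _avg(values) -> Decimal:
    """Exact average; Decimal avoids binary-float artefacts when rounding to 2 dp."""
    return Decimal(sum(values)) / Decimal(len(values))


def round_half_up(value, places: str = "1") -> Decimal:
    """Commercial rounding as used in Table 5: 2.5 -> 3.
    Python's built-in round(2.5) gives 2 (round half to even), so it is not used."""
    return Decimal(str(value)).quantize(Decimal(places), rounding=ROUND_HALF_UP)


def _describe(avg: Decimal):
    """(average to 2 dp, rounded maturity level, SSE-CMM label) for one average."""
    level = int(round_half_up(avg))
    return float(round_half_up(avg, "0.01")), level, MATURITY_LABELS[level]


def _by_clause(statements):
    """Group statements by clause, ordered numerically (A.7, A.8, A.9, A.11)."""
    groups = {}
    for s in statements:
        groups.setdefault(s.clause, []).append(s)
    return dict(sorted(groups.items(), key=lambda kv: int(kv[0].split(".")[1])))


def clause_maturity(statements):
    """Table 5 rows: clause -> (average, level, label)."""
    return {c: _describe(_avg([s.score for s in group]))
            for c, group in _by_clause(statements).items()}


def overall_maturity(statements):
    """Table 5 last row: average over every statement of every clause."""
    return _describe(_avg([s.score for s in statements]))


def compliance_breakdown(statements):
    """Percentage of controls rated compliant / partial / non-compliant.
    A control with several statements is rated by its worst statement (assumption)."""
    worst = {}
    for s in statements:
        if s.control not in worst or COMPLIANCE_RANK[s.compliance] < COMPLIANCE_RANK[worst[s.control]]:
            worst[s.control] = s.compliance
    counts, total = Counter(worst.values()), len(worst)
    return {k: int(round_half_up(Decimal(100 * counts[k]) / Decimal(total)))
            for k in COMPLIANCE_RANK}


def maturity_gap(statements, target=TARGET_LEVEL):
    """Gap per statement = target - score; returns (per-clause average gap, overall average gap)."""
    per_clause = {c: float(round_half_up(_avg([target - s.score for s in group]), "0.01"))
                  for c, group in _by_clause(statements).items()}
    overall = float(round_half_up(_avg([target - s.score for s in statements]), "0.01"))
    return per_clause, overall


if __name__ == "__main__":
    for clause, (avg, level, label) in clause_maturity(SAMPLE_STATEMENTS).items():
        print(f"{clause:<5} {avg:>5.2f}  level {level}  {label}")
    print("overall      ", overall_maturity(SAMPLE_STATEMENTS))
    print("compliance % ", compliance_breakdown(SAMPLE_STATEMENTS))
    print("gap to target", maturity_gap(SAMPLE_STATEMENTS))
```

Running the script prints one line per clause in the layout of Table 5, followed by the overall level, the compliance percentages of Figure 1 and the gap figures of Table 6. The sample is chosen so that clause A.9 averages exactly 2.5: with half-up rounding it lands on level 3 (Well-Defined), whereas Python's default round() would report level 2, which is why the rounding is done explicitly with Decimal.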
One of the first jobs in the installation of an ISMS is establishing the precise scope of the management system and analysing the requirements and situation of the business and its stakeholders.
The scope must be documented in line with the standard, and it should include the results of the requirements and scenario analysis, in addition to the processes and divisions covered by the ISMS.
The scope document is primarily designed for the management system’s stakeholders, and it should be delivered to them if they request it. It is the sole way for stakeholders (such as customers) to confirm that the ISMS covers the processes, infrastructure, issues, or requirements that they are interested in.
When organizations get queries on this topic, they frequently point to their ISO/IEC-27001:2013 certificates, which, following closer analysis, turn out to be irrelevant to or insufficient for the enquiry because the process in issue is not covered or only partially covered by the ISMS. The scope document and/or a precise description of the scope should be requested in addition to the certificate to avoid any unpleasant and unintended surprises.
The statement of applicability, which is required by the standard, is another crucial document in terms of the scope of an ISMS. It comprises justifications for the decisions on the controls in Annex A, that is, whether or not each control is employed within the ISMS.
The information security policy usually includes a broad sketch of the scope. The security policy and the statement of applicability, unlike the scope document, are considered internal documents that should not be shared with third parties. However, as previously stated, in the context of service provider relationships and, if relevant, service provider audits, particular attention must be paid to the specific formulation of the scope and its content.
Analysis of the Situation
The situation analysis’ goal is to position the ISMS in its entire context based on its scope. It should include conditions that are common for the given industry or region, in addition to the organizational and technical relations essential to the ISMS. Internal context, such as other management systems (ISO 9001:2015, ISO 22301:2012, and so on), must be considered.
Analysis of Requirements
The ISMS managers must have a good understanding of the existing stakeholders and their expectations for the organization and management system.
Legal and official rules (for example, the German Federal Data Protection Act BDSG, the German Act Against Unfair Competition UWG, the German Telemedia Act TMG, regulatory agencies, and so on) as well as contractual responsibilities may be included in the needs of interested parties. The organization (or a higher hierarchical level organization) may also have decision-making and/or policy-making authority, which must be considered.
Practical implementation success factors
Because determining the scope is the first and most important step in the process of establishing and managing an ISMS, it should be approached with caution.
Before any further actions (risk analysis, organizational structure, task definition and prioritization, project planning, etc.) are taken, the context must be understood; this is also an important prerequisite for estimating the feasibility and amount of work involved (resources, budget, time) in setting up and eventually operating the ISMS.
In ISO 31000:2009, Clause 5.3.2 ‘Establishing the external context’ and Clause 5.3.3 ‘Establishing the internal context’ supply lists that assist in ensuring that the information presented is complete.
The level of detail required to define the scope is usually defined by the organization’s internal and external information security requirements. In practice, describing the areas impacted by the ISMS in depth in the scope document has shown to be beneficial, since this description is an important control instrument that is significant for strategic decision-making and (future) coordination.
The identification of stakeholders (and their requirements), as defined in Clause 4.2 of the standard, must be done carefully and thoroughly, as this is the only method to define clear ISMS objectives and content, as well as to gain the greatest possible benefit. Owners, shareholders, the supervisory board, regulatory authorities/lawmakers, customers, clients, suppliers, service providers, and workers are all examples of stakeholders.
Applicable external requirements might arise from company plans, contracts, and rules imposed by supervisory bodies and lawmakers on the impacted business processes, among other things.
Practical implementation success factors
The policy is a crucial tool for the organisation, since it helps management articulate the importance of having an effective ISMS and of meeting ISMS requirements. The policy also includes the most significant strategic and tactical goals that the ISMS is supposed to help achieve. It should ideally state the consequences and duties that the affected staff and subdivisions within the purview of the ISMS are confronted with. In addition, in the policy the relevant management must offer a detailed but concise explanation of the existing ISMS, including its duties and obligations. The following factors must be taken into account:
- The IS policy must be approved by top management and made available to the relevant authorities. It must be recorded and subject to visible, documented procedures. The IS policy may include a link to the business’s and IT’s goals. The wording used in the IS policy must be consistent with the rest of the organisation’s policy history, and it must suitably emphasise the statement’s importance.
- Training is required to ensure that the staff affected by the IS policy are aware of it. The policy must be communicated to all affected personnel and made accessible to all of them.
- Individual workers must be aware of their own responsibilities and involvement in security controls, as well as the specific requirements connected with the relevant processes, in order to attain the aims (which are derived from the IS policy and are reflected in subject-specific guidelines and work instructions).
- Additional documents or implementation guidance, such as the substance of concepts or guides, should not be intermingled with the IS policy. However, such ‘downstream’ documents may refer to the policy (or other applicable high-level ISMS documentation), which also makes the ‘order of instructions’ or ‘chain of requirements’ more consistent.
- The present ISMS may change based on the ISMS strategy used.
- Depending on the organisation’s structure and work organisation, it may make sense to construct the IS policy as a single, comprehensive security document, or to make it an ‘anchor’ or ‘starting point’ for the topic that can be filled in by more detailed documents. In any scenario, it is critical to make sure the phrasing and scope are in line with the IS policy’s goals.
- Although a number of templates and sample text blocks are available for this purpose, it is recommended that the IS policy be written from scratch, that is, as a new draft that completely fulfils the organisation’s needs. Templates can still help with ideas on how to arrange the document and what kind of content to include. The key to a successful policy implementation and to staff commitment to information security is to ensure that the policy is transparently aligned with current corporate and IT goals.
General suggestions
If a company or group of companies already has a higher-level risk management strategy in place, the IS strategy should be incorporated into it (e.g., as a component of operational risk management). Risk assessment should, if at all feasible, be process-oriented rather than asset-oriented. This ensures that risks and threats are expressed in the most business-process-oriented manner possible, making them easier to comprehend for risk owners (and, in most cases, management teams). It also allows the potential (harmful) consequences to be communicated very specifically.
To ensure that risk analyses and assessments are actually carried out, the organisation’s systematic approach to project implementation should be adapted (at varying levels of intensity depending on the nature and scope of the project). Risks that exceed a predetermined threshold must be escalated to another level of the hierarchy, depending on how risk assessment is structured. If no such mechanism is in place or the risk is accepted, the risk must be handed to the risk owner in a formal, recorded manner. Making risk analysis and assessment a mandatory component of organisational change is also recommended for (large) modifications to processes, applications, or systems.
If risks or weaknesses are discovered (for example, through monitoring or other operational IT processes such as change, problem, or incident management), they must be analysed as part of the risk assessment procedure and managed by the risk owner. Risk analyses and assessments usually need the process owner’s specific knowledge. During discussions or workshops, for example, the organisation’s IS officers can assist process owners in identifying and analysing risks. Another method is to conduct surveys or self-assessments. These self-assessments may also be subjected to a second set of eyes, regardless of the approach used. The crucial thing is that a formalised, pragmatic procedure is in place to provide maximum assistance for department and construction managers while also ensuring that risks are identified and dealt with correctly at an early stage.
BSI Standard 100-3 (Risk Analysis based on IT-Grundschutz, i.e. IT baseline protection) offers a few starting points for conducting a risk assessment for data processing using the threats described in the IT-Grundschutz Catalogues. The BSI approach, on the other hand, requires that the stages of the IT baseline protection methodology be completed first (structure analysis, determining protection requirements, modelling, basic security check, supplementary security analysis) before deciding which target objects will undergo a risk assessment and which will not.
Information itself is always the asset to be protected in the context of an ISMS. It is the responsibility of the competent authority in each situation (business management, directors, process owners) to appraise the asset’s value to the organisation/process.
As a result, the information to be protected is treated as an information asset. The risk owner’s role is to create technical and organisational measures (TOMs) that are appropriate, effective, and efficient at all stages of the process. The ISMS functions act as ‘watchdogs’ for the execution of the information security plan, and they are accountable for accurate reporting on residual risk and security events, among other things.
Practical implementation success factors
Security metrics are only effective for presenting and controlling the current situation if they fulfil specified criteria. Numerous quality criteria for such metrics are cited in the literature on the subject: the study ‘Network Security Metrics – State of the Art’, produced by the Swedish Civil Contingencies Agency (MSB) as part of the COINS research project, is an excellent place to start.
Conclusion
Evaluation and measurement of information security is simpler to conduct using the ISO 27001:2013 requirements, since they are backed by specific security measures. Across the four clauses assessed, SIMLAB was placed at maturity level 2 after analysis and review. Clause A.7 Human Resource Security has attained maturity level 3 (Well-Defined), and its security is partially compliant with the ISO standard; it still lacks certain implementation documentation, detailed procedures, and a security policy for human resource management. Clause A.8 Asset Management has reached maturity level 2 (Planned and Tracked); however, there are still some controls without implementation documentation, procedures that are not mature enough, and no evaluation. Clause A.9 Access Control has reached maturity level 3 (Well-Defined), with adequate procedures but no implementation; certain controls need a policy, while others meet the ISO standard. Clause A.11 Physical and Environmental Security has reached maturity level 3 (Well-Defined), with specific detail on most, if not all, ISO requirements; however, supporting documents and procedures are still required for some controls. During the examination, it was found that the procedures and documents did not follow a consistent pattern and format. In general, this implies that SIMLAB still has to design and implement all of the ISO 27001:2013 requirements.