Security Management and Governance

Prepare a report on Security Management and Governance. 


With the growth of technology and use of the internet, it has never been so easy for teachers and students to create information, communicate it and store it. Students and teachers now have quick access to information, and learners can access education from anywhere in the world. Schools and colleges can now create, transfer and store data in a more convenient way. Apart from this, grants are being awarded to many schools, allowing the purchase of technical equipment that would otherwise be financially out of reach. (Kritzinger & Smith, 2008)
Unfortunately, with this technology come numerous security issues. It is the duty of every parent and member of school staff to work together to teach children how to stay safe while using the technology.

Information Security at School

Like any other business, schools now rely on Internet and broadband services for everyday activities. These technologies have brought a tremendous range of opportunities and benefits, which provide new ways to support teaching and learning and to streamline operations and administrative processes. (Andress, 2014)
However, they also bring many kinds of risk if they are not properly managed and maintained. These risks include the loss of sensitive, confidential personal information and, where the security services are compromised or fail, reduced or lost capacity for scheduling and for planned teaching and learning.
We will set up an IT governance framework that defines how decisions are made in the school and ensures that they align with the school's aims and objectives, so that IT delivers value to the school. Good IT governance in the education system brings a high level of maturity and guarantees that the school knows the worth of its investments in information technology. (Information Security Resources, n.d.)

Threats, vulnerabilities, and attacks

By adopting technology and the Internet, schools rightly gain the capabilities and benefits of cloud learning tools, but greater connectivity brings with it the responsibility to protect sensitive data. Here we define the areas where there is a risk of threats, vulnerabilities and attacks. Although these risks apply to any organization holding personal information and computers, schools are especially exposed to a number of risks related to internet safety, including:
•    Exposure to violent, racist, sexually explicit and extremist content.
•    Unwanted contact with individuals who may wish to abuse, exploit or bully students.
•    Online behaviours that can be very harmful to students.
What an "effective approach" looks like is somewhat subjective and may depend on the type of organization. In our experience, the safest organizations use suitable techniques, supported by clear rules and, most importantly, comprehensive user education. (Eloff & Eloff, 2005)
We recommend the following practices for schools to secure themselves against attacks and vulnerabilities:
1.    Senior Level Ownership: We will advise YMSC that a member of the senior leadership team should be made responsible for security in the school.
2.    Strong online border: To protect the school from various attacks and vulnerabilities, we will advise YMSC to implement a strong firewall and gateway protection.
3.    Implementation of a content filter: A school contains many young people with curious minds, and these students need the extra protection that a content filter provides.
4.    Access Control: To reduce the risk of deliberate and accidental attacks, the school should implement an effective procedure for managing user privileges on its systems, granting each user the minimum access their role requires.
5.    Cloud Storage Security: As YMSC's data is stored in the cloud, we recommend cloud storage security measures, including strong data encryption. (Hong, Chi, Chao, & Tang, 2003)
YMSC has the responsibility to follow and adhere to the various regulatory and legal requirements, along with all current Australian laws. The following are some of the acts and standards relevant to information governance in Australia:
1.    Legally binding privacy guidelines and rules
2.    Privacy Act 1988
3.    Privacy Regulation 2013
4.    Freedom of Information (Charges) Regulations 1982
5.    Electronic Transactions Act 1999
6.    Digital Service Standard

Security Policy

A security policy sets out the goals of the organization, the rules of conduct for users and administrators, and the system and management requirements that together ensure the security of the organization's or school's networks and systems. A security policy is a "living document", which means that it is never finished; it is continually updated as technology and staff requirements change. (Doherty & Fulford, 2006)
The Acceptable Use Policy (AUP) is one of the most common security policies, and we will adopt it at YMSC. This policy defines what students and teachers are and are not allowed to do, and it applies to both the internet and the intranet. To avoid ambiguity or misunderstanding, the AUP should be as clear as possible. For example, an AUP can list prohibited website categories.
The benefits of a security policy are:
1.    It protects students and teachers.
2.    It sets rules for expected behaviour.
3.    It gives employees the authority to monitor, analyse and investigate.
4.    It defines the consequences of a violation.

Components of Security Policy

•    Governing Policy: This treats the concepts of security at a very high level. Technical custodians and administrators are the main target audience. The governing policy covers all security-related interactions between the business units and the support departments in the organization. In terms of scope, the governing policy answers the "what" security policy questions.
•    End-User Policies: This document covers all security topics that matter to end users. In terms of scope, the end-user policy answers "what", "who", "when" and "where" for the security policy at a level appropriate to an end user.
•    Technical Policies: Security staff use technical policies to carry out the security requirements of the system. These are more advanced and more detailed than the governing policy. In these, the "why" is decided by the owner. (Knapp, Morris, Marshall, & Byrd, 2009)


Risk Management Plan

A risk management plan for a school is a complex undertaking made up of many tasks. It is the way of dealing with the uncertainty of exposures that affect the financial position of the school's assets, and it comprises five stages: identification, analysis, administration, financing and control. Identification of the risk is the most important part of risk management. (Raz & Hillson, 2005)
The main objective of risk management is to ensure that schools and trusts achieve their goals in the best way and that resources are directed towards those goals. It is not treated as a separate exercise but as a means of achieving the school's or trust's objectives.
Some of the objectives of risk management are:
•    Accountability: administration and employee ownership
•    Establish a safety committee
•    Develop a written security program and work plan
•    Carry out the school's risk assessment (identify all the risks)
•    Apply schemes to address exposure:
     •    Identify high risks and apply controls
     •    Vehicle safety program for field trips
     •    Sexual harassment and abuse risk management
     •    School inspection program
     •    Education board and staff
We now describe what our risk management program will accomplish. The following objectives will be achieved:
•    Establishment and maintenance of a risk management organizational structure that works in an advisory and guiding capacity and is available to all staff.
•    Maintenance of a documented risk control process.
•    Provision of suitable information, supervision and training.
•    Effective communication and active participation of all employees.
•    Maintenance of a proper incident reporting and recording system, establishing causes through the investigation process and preventing recurrence.

Cost-Benefit Analysis for Security Risk Management

Cost-benefit analysis is a procedure for analysing a business decision: the benefits of a given situation or action are summarised, and the cost of taking that action is then subtracted. (Gillespie, Elixhauser, Reker, Fletcher, & Wolinsky, 1985)
The benefits of cost-benefit analysis are:
•    It determines the loss in value if an asset remains unprotected.
•    It determines the cost of securing an asset.
•    It prioritises action and expenditure on security.
Asset Value (AV) - the cost of purchasing equipment, installing software, maintaining it, upgrading equipment, and training and retraining staff.
Exposure Factor (EF) - the percentage of the asset's value lost when a vulnerability is exploited.
Single Loss Expectancy (SLE) - the most likely loss from a single attack (in value).
SLE = AV * EF
Illustration: a DDoS attack against the website.
Estimated value of the website: AV = $2,000,000
The effect of a DDoS on the site is taken to be 10% of the site's value (EF = 0.1).
SLE for the site: AV * EF = $200,000
Would it be worthwhile to invest in anti-DDoS systems costing $200,000 per year?
Annualized Rate of Occurrence (ARO) - indicates how often an attack is likely to occur in a year.
If an attack occurs once every two years, ARO = 0.5.
Annualized Loss Expectancy (ALE) - the overall loss caused by an attack (i.e. exploitation of a vulnerability) per year.
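The following Python script, added here as an example and not part of the original report, carries the DDoS illustration through to a decision. It uses the page's figures (AV = $2,000,000, EF = 0.1, ARO = 0.5) and the standard relation ALE = SLE * ARO, then compares the ALE against the annual cost of a countermeasure: a control is worth buying only when the reduction in ALE exceeds what it costs per year. The residual EF and ARO values for the two countermeasures, and the $30,000 alternative, are constructed assumptions for illustration.

```python
"""Quantitative risk analysis (AV, EF, SLE, ARO, ALE) with a cost-benefit check.

Added example; the DDoS figures are the report's, the countermeasure
parameters are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: value of the asset (currency units)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: expected number of incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float   # yearly cost of running the control
    residual_ef: float   # EF remaining once the control is in place
    residual_aro: float  # ARO remaining once the control is in place


def countermeasure_value(before: RiskScenario, cm: Countermeasure) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost.

    Positive means the control saves more per year than it costs.
    """
    after = RiskScenario(before.name, before.asset_value,
                         cm.residual_ef, cm.residual_aro)
    return before.ale() - after.ale() - cm.annual_cost


def recommend(before: RiskScenario, cm: Countermeasure) -> str:
    value = countermeasure_value(before, cm)
    verdict = "justified" if value > 0 else "not justified"
    return f"{cm.name}: net value {value:,.0f}/year -> {verdict}"


# The report's DDoS illustration: AV $2,000,000, EF 0.1, one attack every two years.
WEBSITE_DDOS = RiskScenario("website DDoS", 2_000_000, 0.1, 0.5)

# Constructed countermeasure options (assumed residual risk figures).
ANTI_DDOS_200K = Countermeasure("anti-DDoS service at $200,000/year",
                                annual_cost=200_000, residual_ef=0.01, residual_aro=0.5)
ANTI_DDOS_30K = Countermeasure("anti-DDoS service at $30,000/year",
                               annual_cost=30_000, residual_ef=0.01, residual_aro=0.5)

if __name__ == "__main__":
    print(f"SLE = {WEBSITE_DDOS.sle():,.0f}")   # 200,000
    print(f"ALE = {WEBSITE_DDOS.ale():,.0f}")   # 100,000
    print(recommend(WEBSITE_DDOS, ANTI_DDOS_200K))
    print(recommend(WEBSITE_DDOS, ANTI_DDOS_30K))
```

With the page's own numbers the expected annual loss is $100,000, so a control costing $200,000 per year cannot pay for itself whatever it achieves; the cheaper constructed option, which cuts the exposure factor to 1%, does. The check is deliberately pessimistic: it only credits a control for the ALE it removes, never for intangible benefits, so a control that passes this test is a safe recommendation to the senior leadership team.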
Risk Management is an Ongoing Process

It is not enough to simply install a device and connect it to the network. After that, you must monitor and evaluate the effect of your strategy on an ongoing basis. Furthermore, even when your method is working, you still need to confirm that staff are using the technology correctly, because risky behaviour can undermine your antivirus software, firewall, server or any other control.


Risk management means devising strategies to reduce an organization's risks and managing them by evaluating its techniques and policies, which provides long-term guidance and peace of mind. It concerns the use of technology across the entire organization. Governance and security management will be a beneficial process for YMSC.


References

Andress, J. (2014). What is Information Security. Retrieved 3 1, 2018, from
Canada, I. B. (2013). Risk Management. Retrieved 3 1, 2018, from
Doherty, N. F., & Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25(1), 55-63. Retrieved 3 1, 2018, from
Eloff, J. H., & Eloff, M. M. (2005). Information security architecture. Computer Fraud & Security, 2005(11), 10-16. Retrieved 3 1, 2018, from
Gillespie, K. N., Elixhauser, A., Reker, D. M., Fletcher, J. W., & Wolinsky, F. D. (1985). Cost-Benefit and Cost-Effectiveness Analyses of Magnetic Resonance Imaging. International Journal of Technology Assessment in Health Care, 1(3), 537-550. Retrieved 3 1, 2018, from
Hong, K.-S., Chi, Y.-P., Chao, L. R., & Tang, J.-H. (2003). An integrated system theory of information security management. Information Management & Computer Security, 11(5), 243-248. Retrieved 3 1, 2018, from
Information Security Resources. (n.d.). Retrieved 3 1, 2018, from SANS Institute:
Knapp, K. J., Morris, R. F., Marshall, T. E., & Byrd, T. A. (2009). Information security policy: An organizational-level process model. Computers & Security, 28(7), 493-508. Retrieved 3 1, 2018, from
Kritzinger, E., & Smith, E. (2008). Information security management: An information security retrieval and awareness model for industry. Computers & Security, 27(27), 224-231. Retrieved 3 1, 2018, from
Raz, T., & Hillson, D. (2005). A Comparative Review of Risk Management Standards. Risk Management, 7(4), 53-66. Retrieved 3 1, 2018, from
