Posted: March 30th, 2022

IA Plan for HME

The deliverables for your Project Paper Assignment include a Word document that answers the questions described below. Your final paper should be between 10 and 15 pages long (longer is perfectly acceptable without penalty). Be sure the report is in MS Word, Times New Roman 12-pt font, with double spacing and 1 inch margins all-around, no additional spaces allowed. Cover page and references pages are also required in proper APA format. In-text citations must match the reference list provided.

Heavy Metal Engineering (HME), a manufacturing organization that creates metal shell casings for very high-end washer and dryer products, has suppliers and customers world-wide, as well as world-wide offices. HME's US corporate office in NY hires you as a professional Information Assurance consultant.

HME is looking to receive some significant third party funding for an international joint venture but was told they would be denied because they do not have any kind of Information Assurance plan to keep all data assets secure. You are required to create a comprehensive IA strategy that includes the following:

A detailed overview of what Information Assurance entails covering all the basics for an IA strategy (what will be protected and from what)

A plan or strategy for IA implementation including a framework

A complete risk mitigation strategy that completely outlines your plans to mitigate risks associated with operating in the 21st century workplace.

Select an accrediting body to ensure IA is not only a process but a part of organizational culture going forward

An incident response and disaster recovery plan in the event of intrusion and disaster

All sections should be clearly labeled and a separate section in each area specifically for justifications of your selection/proposal.

Your thoughts must be solidified with viable sources consistent with graduate level work. No more than 2 sources may be used with ND or no author. Scholarly and Peer reviewed sources are expected to be used throughout the bulk of this paper.

I. Information Assurance Overview
Information security plays a significant function in Heavy Metal Engineering (HME). Securing its information will ensure that the company can adequately exploit the internet and its advancements. One of the measures to be implemented to enhance this security is the development of an Information Assurance Plan. Information Assurance entails the activities undertaken to manage information-related risks. The process will ensure the protection of information and informational assets by addressing the several related areas of impact on the organization if a breach of information security happens or the systems are inaccessible in time of need.
Additionally, this plan seeks to safeguard HME’s information and its assets while considering other crucial factors such as costs, performance, efficiency levels, and mission requirements. The IA plan will establish and document its implementation strategy, risk mitigation strategy, the selected accrediting body, and incident response and disaster recovery plan. To this effect, this plan will serve several functions: contributing to the systematic improvement of security controls on the company’s information and its systems, providing security operations that ensure the proactive and continuous monitoring of security infrastructure, and providing information assurance guidance that is aligned with future technological advancements that are to be deployed in an agile environment.
The development and implementation of the Information Assurance (IA) plan are guided by three fundamental principles that form the CIA triad: confidentiality, integrity, and availability (Lundgren & Möller, 2019). HME is committed to the continuous achievement and maintenance of the principles while ensuring its clients continue to trust and have confidence in the company. The principles are defined below:
● Confidentiality: This is an assurance that only authorized users can access HME’s information.
● Integrity: This is an assurance that the system’s information is accurate and not altered in any manner.
● Availability: This is an assurance that the information remains accessible when the information is needed.
The assurance of these principles is the primary objective of HME’s IA plan. Notably, the organization understands that security is not absolute, and hence, its information security entails the management of risk. To this effect, no amount of security will offer full protection to the systems since there will always be risks affiliated with the three principles. The plan is to understand these risks and implement the proper controls to mitigate and manage them, thus achieving the best insurance against loss (Brooks, 2019). The security controls the company is looking to implement will primarily include access controls, encryption methods, distributive allocation, and high availability, among others.
II. IA Implementation Strategy
The implementation framework of the IA strategy will follow three primary steps: strategy formulation, strategy implementation, and strategy assessment. The formulation stage primarily entails developing its objectives and aligning them with the company’s overall purpose. This IA plan seeks to assess the adequacy and effectiveness of the current security controls, policies, and procedures. This allows the plan to come up with the right security controls to ensure that the company establishes a relationship between information systems and security activities depicted in HME’s mission. This relationship will help the organization’s leaders to understand and demonstrate the value of information security within the organization, and hence to allocate proper and sufficient information security resources to different activities. The strategy will also incorporate several performance measures to demonstrate the performance levels of various controls. To this effect, the organization will have a system that will help make decisions, improve performance levels, and increase the organization’s accountability levels.
The Plan’s Vision
The plan is focused on developing an information security environment that supports all elements of HME’s business. It efficiently reduces the risks and attempts related to security breaches or cyberattacks. The organization seeks to have continuous and mature information security practices that will mitigate the exposure of HME to cyber risks.
The Projects Selection and Execution
The information security project selected and executed should lie within the core functions of the business to increase the likelihood of significant management attention and resources being directed towards it. The projects require proper coordination and buy-in from distinct areas so that any differing constraints and perspectives can be considered to streamline the process of decision-making. Additionally, the project selected should minimize the possibility of making trade-offs between increasing the security levels and maintaining high productivity levels. To this effect, in determining the project to be executed, the spiral model will be utilized, encompassing four steps:
● Assessment of the situational environment.
● Making decisions on what needs to be improved in the situational environment.
● Planning the improvement project.
● Implementation of the improvement project plan.
The spiral model treats information assurance as an ongoing process (Stahl & Pease, 2008). Therefore, any information security project selected is an ongoing part of the succession of information security for the organization’s assets and informational assets.

Figure 1: The Spiral Model Illustration
Early Stage Governance
The information assurance plan’s governance is focused on ensuring all related projects are successful through the proper execution of its key elements. To this effect, the governance has been tailored to fit HME’s specific needs. Several components are to be considered since they have an impact on creating, implementing, monitoring, and controlling how the projects and plans come out (Alie, 2015). With respect to the IA plan, the components to be considered pertaining to early-stage governance include:
● Governance Model: The security reference model is preferred in the IA plan, which entails the provision of a common language and methodology to discuss the privacy and security of organizations’ information and informational assets (Stallings, 2018). This model is to guide the protection of these assets, specifically in designing and implementing security controls. One example of the model’s artifact is a continuous monitoring plan that describes the procedure followed by HME to monitor and analyze the security controls and report on them for high effectiveness levels.
● Stakeholder Engagement and Risk assessment involving different personnel understanding their specific functions, the communication of their status updates, any risks, and any amendments.
➢ The Chief Information Officers will ensure compliance with the requirements of the IA plan and related legislations.
➢ The Head of Communications, together with the communications department, ensures proper management of information, its protections, and streamlined communication systems to ensure that it is adequately shared.
● Risk Assessment focuses on the key challenges and implementation of mitigation measures.
● The assurance that focuses on tracking the entire information security experts to ensure that it is in line with the predetermined objectives and the project management plan.
● Project Management Control, Roles, and Responsibilities, where distinct individuals will know what to do and what they will be held accountable for.
Stakeholder Management
The three steps to be followed in stakeholder management include identifying stakeholders relevant to the IA plan, determining the present position of the stakeholders concerning IS, and determining their relative power in influencing the IA function. In this case, the stakeholders involved include the executive management who need to understand the IA plan and the security of their organization’s information and related assets. This is because they play a significant function in making decisions, especially in allocating resources, for the effective implementation of the plan. The second stakeholders are the end-users of the information and information assets. These users need to offer support for executing the various activities. For instance, the employees need to act as if there is a sense of ownership of the IA plan. Notably, they need to be involved in the development process to allow them to identify any errors and challenges that may hinder their support in fulfilling their respective functions in the plan.
The IA plan also needs legal counsel to ensure that the respective operations are in line with government regulations. The legal team will provide information on the existing laws and future trajectories to help the company bring in the right requirements to meet them. Another important stakeholder is the technical team in the organization, who have the technical know-how on information security. The security team will ensure that the plan is developed to achieve the level of security required by the organization.
Development of the Related area
The IA plan is focussed on addressing the cyber risk exposure of the HME’s data and data assets to ensure that they are secured continuously. To this effect, this field’s development will entail the allocation of proper resources and involvement of the right stakeholders to ensure that all potential risks are handled, and the right measures are implemented.
III. Risk Mitigation Strategy
A. Physical Access Control Systems
The physical access control systems are mechanical forms implemented to prevent the physical access of the information systems, both hardware and software, by unauthorized users. In terms of physical access, authorized users will have chip-based access cards to allow their access, and electric lock grants will be implemented for access through software (Collins, 2014). Biometrics, which rely on users’ physical characteristics to grant access, are also to be implemented to add another layer of security. The organization will have an identity system that is to define and manage access of the users to particular devices and functions. The different security controls will reinforce each other to provide a higher degree of assurance against security attacks within this domain.
B. Distinctive User Accounts
The users of the company’s data and data assets are a culmination of unique, personalized information and experiences as they interact with the systems. Therefore, the organization will need a user management system characterized by low coupling and high cohesion between the different elements of the user’s profile. The distinctive nature of these user accounts will simplify the procedure of bringing in third-party identity providers and knowing what each user is doing with the information. It becomes easy to analyze each account individually, identify those exposed to cybersecurity risks, and mitigate those risks promptly.
C. Employee Training
Each employee must understand their functions when it relates to the IA plan if the latter is to succeed. To this effect, each of them will need to undertake induction and ongoing training concerning their responsibilities and why they should fulfill them. They are trained on best practices and the security configuration procedures that will ensure whatever they do does not put the company’s information and related assets at a cybersecurity risk (Stefaniuk, 2020). Each employee is required to complete a security training course provided by an accredited school within a year of joining the company.
D. Traceability Logs
All the respective systems will generate manufacturer-specific traceability logs that are typically accessed to identify any anomalous activities. Notably, centralized logging is preferred for sensitive information systems to allow troubleshooting and traceability. This centralized logging will entail combining the logs for the many systems into a single chronological list (Advenica, 2018). However, this model can also increase the risk of attacks, because the central log system will be holding confidential information. Therefore, in creating secure, centralized logging, a unidirectional data flow is to be implemented. This entails having one data diode to protect all zones supplying log data. If one of the zones holds confidential information, either the log system is protected at the proper confidentiality level, or the log information from that zone is filtered to ensure that the respective log system is not contaminated.
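The merge-and-filter step described above can be sketched as follows. This is an added example, not part of the original paper or of the Advenica source; the zone names, log format, and field allow-list are assumptions, and the sample log lines are constructed.

```python
import heapq
from datetime import datetime, timezone

# Constructed sample logs, one list per zone, each in chronological order.
ZONE_LOGS = {
    "office": [
        "2022-03-30T09:00:05+00:00 ws-114 LOGIN_OK user=jdoe",
        "2022-03-30T09:04:40+00:00 ws-114 LOGIN_FAIL user=admin",
    ],
    "plant": [
        "2022-03-30T04:01:10-05:00 plc-gw CONFIG_CHANGE line=3 by=tech7",
    ],
    "finance": [  # assumed to be the zone holding confidential information
        "2022-03-30T09:02:30+00:00 fin-db QUERY table=payroll rows=412 user=acct2",
        "2022-03-30T09:03:00+00:00 fin-db LOGIN_FAIL user=acct2",
    ],
}
CONFIDENTIAL_ZONES = {"finance"}
# Hypothetical allow-list: the only fields a confidential zone may export.
SAFE_FIELDS = {"user"}


def parse_line(zone, line):
    """Parse '<iso-timestamp> <host> <event> k=v ...' into a record (UTC time)."""
    ts, host, event, *pairs = line.split()
    return {
        "ts": datetime.fromisoformat(ts).astimezone(timezone.utc),
        "zone": zone,
        "host": host,
        "event": event,
        "fields": dict(p.split("=", 1) for p in pairs),
    }


def filter_for_export(record):
    """Strip everything not on the allow-list before a confidential zone's
    record leaves the zone, so the central log is not contaminated."""
    if record["zone"] in CONFIDENTIAL_ZONES:
        kept = {k: v for k, v in record["fields"].items() if k in SAFE_FIELDS}
        return {**record, "fields": kept}
    return record


def export_zone(zone, lines):
    """Sending side of the one-way link: records flow out, nothing flows back."""
    for line in lines:
        yield filter_for_export(parse_line(zone, line))


def merge_zones(zone_logs):
    """Combine all zone streams into a single chronological list."""
    streams = [export_zone(zone, lines) for zone, lines in zone_logs.items()]
    return list(heapq.merge(*streams, key=lambda r: r["ts"]))


if __name__ == "__main__":
    for r in merge_zones(ZONE_LOGS):
        print(r["ts"].isoformat(), r["zone"], r["host"], r["event"], r["fields"])
```

Filtering runs on the sending side of each zone, before the one-way transfer, because the central collector has no return path to ask a zone to withhold or resend anything.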
IV. Accrediting Body
The National Institute of Standards and Technology will be the accrediting body for implementing the organization’s IA plan. The body examines, evaluates, and tests the security controls to determine their effectiveness depending on the type of information systems (ISASecure, n.d.). Its accreditation would mean that the residual risks inherent to the information systems have been formally accepted and that the right monitoring and mitigation procedures are in place.
V. Incident Response and Disaster Recovery Plan
HME currently has several processes to handle incidents whenever they occur and ensure that the disaster recovery plan is activated. These prompt reactions will ensure a rapid and effective re-establishment of services. The steps to be followed in responding to an incident begin with the party that discovers the incident reporting it to the IT department or the risk management department. An incident response team is then formed, comprising the department that has been affected and the IT security professionals. The team will assess whether the resources affected are critical, the severity of the potential impact of the attack, information on the origin of the attack, and the system that is being targeted in conjunction with its operating system, IP address, and location. The team also assesses whether the incident is real and whether it is still in progress. A complete assessment will lead to the categorization of the incident, depending on its potential threat. These threats include whether it is threatening public safety or lives, sensitive information, or computer systems, or disrupting services.
The team then establishes their response depending on the assessment. These procedures include a virus response procedure, property theft response procedure, spyware response procedure, and database or file denial of service response procedure, among others. The team then deploys forensic techniques to review the system logs and the gaps in them and carry out interviews with victims to establish the cause of the incident. This process needs to be done by only authorized personnel to ensure the security of the information remitted. An understanding of the entire incident leads to recommending changes to prevent a re-occurrence. The changes are to be implemented when the leadership accepts them.
Off-site and on-site backups, in conjunction with the availability of secondary data centers, will enable the users to rapidly undertake the disaster recovery procedures to mitigate the impact in the event of a disaster occurring. Depending on the incident that has happened, a reinstallation of the affected systems ensures that the organization’s operations continue as required. The users should also be guided into changing their password into terms that cannot be sniffed, undertaking system hardening, system patching, real-time system protection, implementation of intrusion detection systems, and ensuring that the system is logging the current events at an appropriate level.
Notably, the incident should be documented entirely, that is, all the details related to the events from its discovery until the response was determined to be effective. The evidence should be preserved, especially in dealing with litigation cases. The proper external agencies should be notified, the damage and cost assessed, and the response reviewed to update policies.
VI. Summary
HME’s Information Assurance Plan is a general guideline to be followed by the organization in dealing with the potential cybersecurity risks affiliated with the company’s information and information assets. The document depicts the implementation strategy, the risk mitigation strategy, the accrediting body, and the incident response and disaster recovery plan. The company is expected to follow these guidelines but could also tailor the action plan in line with particular risks that are distinct.

References
Advenica, AB. (2018). Traceability and security logging. Retrieved from https://advenica.com/sites/default/files/2018-10/Traceability%20and%20security%20logging.pdf
Alie, S. S. (2015). Project governance: #1 critical success factor. Paper presented at PMI® Global Congress 2015—North America, Orlando, FL. Newtown Square, PA: Project Management Institute.
Brooks, R. (2019, March 26). The CIA triad and its real-world application. Retrieved from https://blog.netwrix.com/2019/03/26/the-cia-triad-and-its-real-world-application/
Collins, L. (2014). Securing the Infrastructure. In Cyber Security and IT Infrastructure Protection (pp. 247-267). Syngress.
ISASecure. (n.d.). Certification bodies. Retrieved from https://www.isasecure.org/en-US/Certification-Bodies
Lundgren, B., & Möller, N. (2019). Defining information security. Science and Engineering Ethics, 25(2), 419–441. https://doi.org/10.1007/s11948-017-9992-1
Stahl, S., & Pease, K. A. (2008). A Success Strategy for Information, Security Planning, and Implementation. A guide for executives.
Stallings, W. (2018). Understanding Information Security Governance. Effective Cybersecurity: A Guide to Using Best Practices and Standards.
Stefaniuk, T. (2020). Training in shaping employee information security awareness. Entrepreneurship and Sustainability Issues, VsI Entrepreneurship and Sustainability Center, 7(3), 1832-1846.
