Shirminaz E021684 Unit 32 Information Security Management 22 Update

The document outlines the assignment brief for Unit 32 - Information Security Management, focusing on planning an Information Security Management System (ISMS) for Sigma Health. It includes assessment criteria, guidelines for submissions, and important points regarding academic integrity and plagiarism. Additionally, it provides a case study of Sigma Institute, detailing its security vulnerabilities and the impact of a past ransomware attack, emphasizing the need for improved security measures and compliance with ISO standards.

Uploaded by hishmaaa.i

lOMoARcPSD|52531729

Shirminaz-E021684-Unit-32 Information Security Management 22 update
HND In Computing (ESOFT Metro Campus)



Downloaded by Hishma Izamy (hishmaaa.i@gmail.com)

Higher Nationals - Summative Assignment Feedback Form

Student Name/ID: Shirminaz Faizel Hassan / E021684
Unit Title: Unit 32 – Information Security Management
Assignment Number: 1        Assessor:
Submission Date:            Date Received (1st submission):
Re-submission Date:         Date Received (2nd submission):

Assessor Feedback:

LO1. Explore the basic principles of information security management.

Pass, Merit & Distinction Descriptors: P1 M1 D1

LO2. Critically assess how an organisation can implement and maintain an Information Security
Management System (ISMS).
Pass, Merit & Distinction Descriptors: P2 M2 D1

LO3. Appraise an ISMS and describe any weaknesses it may contain.

Pass, Merit & Distinction Descriptors: P3 P4 M3 D2

LO4. Examine the strengths and weaknesses of implementing ISMS standards

Pass, Merit & Distinction Descriptors: P5 M4

* Please note that grade decisions are provisional. They are only confirmed once internal and
external moderation has taken place and grades decisions have been agreed at the assessment
board.


Assessor Feedback:

Grade: Assessor Signature: Date:


Resubmission Feedback:

● Please note resubmission feedback is focussed only on the resubmitted work

Grade: Assessor Signature: Date:


Internal Verifier’s Comments:

Signature & Date:

● Please note that grade decisions are provisional. They are only confirmed once internal and external
moderation has taken place and grade decisions have been agreed at the assessment board.

BTEC HN Summative Assignment Feedback Form


Issue Date: June 2021 Owner: HN QD
DCL1 Public (Unclassified) Version 1.0


Important Points:

1. It is strictly prohibited to use textboxes to add texts to the assignments, except for the compulsory
information. eg: Figures, tables of comparison, etc. Adding text boxes in the body except for the before
mentioned compulsory information will result in the rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand-in date and the instructions given in the assignment. Late submissions will
not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may
apply (in writing) for an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade.
9. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be
asked to complete an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using the
HARVARD referencing system to avoid plagiarism. You have to provide both in-text citations and a
reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be reduced
to A REFERRAL, or at worst you could be expelled from the course.
12. Use word processing applications spell check and grammar check functions to help edit your
assignment.
13. Use the footer function in the word processor to insert Your Name, Subject, Assignment No, and
Page Number on each page. This is useful if individual sheets become detached for any reason.


STUDENT ASSESSMENT SUBMISSION AND


DECLARATION
When submitting evidence for assessment, each student must sign a declaration confirming that the
work is their own.
Student name: Assessor name:

Issue date: Submission date: Submitted on:

Programme:

Unit: Unit 32
Unit 32 – Planning an ISMS, Security policy and DRP for Sigma Health

Plagiarism
Plagiarism is a particular form of cheating. Plagiarism must be avoided at all costs and students who break
the rules, however innocently, may be penalized. It is your responsibility to ensure that you understand
correct referencing practices. As a university-level student, you are expected to use appropriate
references throughout and keep carefully detailed notes of all your sources of materials for material you
have used in your work, including any material downloaded from the Internet. Please consult the relevant
unit lecturer or your course tutor if you need any further advice.

Guidelines for incorporating AI-generated content into assignments:


The use of AI-generated tools to enhance intellectual development is permitted; nevertheless, submitted
work must be original. It is not acceptable to pass off AI-generated work as your own.

Student Declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences
of plagiarism. I understand that making a false declaration is a form of malpractice.

Student signature: Date:


Unit 32 – Information Security Management Assignment Brief

Student Name/ID Number: Shirminaz Faizel Hassan / E021684

Unit Number and Title: Unit 32 – Information Security Management

Academic Year
Unit Tutor

Assignment Title Planning an ISMS, Security policy and DRP for Sigma Health

Issue Date
Submission Date

Submission Format
The submission should be in the form of:

● A 15-minute formal presentation

● A briefing paper

● An individual report written in a concise, formal style using single spacing (refer to the assignment
guidelines for more details).

You are required to make use of headings, paragraphs, and subsections as appropriate, and all work
must be supported with research and referenced using Harvard referencing system. Please provide
in-text citation and a list of references using Harvard referencing system

The assignment submission is in the form of the following.

A formal 15-minute presentation (10–20 slides as a guide with supporting speaker notes) to
communicate an evaluation of your investigation to a non-technical audience, highlighting key
information regarding the range of IT security risks that organizations face and the IT security
solutions for them. The presentation will also include an assessment of the current organizational


security procedures and an evaluation of both the physical and virtual security countermeasures
presented.

A briefing paper to communicate an evaluation of your investigation to a non-technical audience,
highlighting key information regarding the basic principles of information security management. The
paper will also include an assessment of the current organizational ISMS and an analysis of the elements
required to establish and maintain an ISMS. The recommended word limit is 1500–2000 words,
although you will not be penalized for exceeding the total word limit.

A formal report to the school management containing a process review that assesses the existing risk
assessment procedures in an organization and reviews and summarizes standard risk management
approaches that could be applied. The review will show how implementing IT security should work in
conjunction with an organization's policy. The ISMS and the policy should include all stakeholders so that
an audit trail can be identified. The report will evaluate the suitability of the ISMS and the security tools
selected to meet the needs of the business. The recommended word limit is 4,000–4,500 words, although
you will not be penalized for exceeding the total word limit. You are required to make use of headings,
paragraphs and subsections as appropriate, and all work must be supported with research and
referenced using the Harvard referencing system.

Please note that the Presentation slide, speaker notes and the briefing paper should be
attached to the final individual report.

Unit Learning Outcomes


LO1. Explore the basic principles of information security management

LO2. Critically assess how an organisation can implement and maintain an Information Security
Management System (ISMS)

LO3. Appraise an ISMS and describe any weaknesses it may contain.

LO4. Examine the strengths and weaknesses of implementing ISMS standards


Transferable skills and competencies developed

● Computational thinking (including its relevance to everyday life)


● Demonstrate knowledge and understanding of essential facts, concepts, principles, and
theories relating to computing and computer applications.
● Use such knowledge and understanding in the modelling and design of computer-based
systems for the purposes of comprehension, communication, prediction, and the
understanding of trade-offs.
● Recognize and analyze criteria and specifications appropriate to specific problems, and plan
strategies for their solutions.
● Critical evaluation and testing: analyze the extent to which a computer-based system meets
the criteria defined for its current use and future development.
● Methods and tools: deploy appropriate theory, practices and tools for the design,
implementation, and evaluation of computer-based systems.

Computing-related practical skills:


● The ability to specify, design and construct reliable, secure, and usable computer-based
systems.
● The ability to evaluate systems in terms of quality attributes and possible trade-offs
presented within the given problem.
● The ability to deploy effectively the tools used for the construction and documentation
of computer applications, with particular emphasis on understanding the whole process
involved in the effective deployment of computers to solve practical problems.
● The ability to critically evaluate and analyze complex problems, including those with
incomplete information, and devise appropriate solutions, within the constraints of a
budget.

Generic skills for employability


● Intellectual skills: critical thinking; making a case; numeracy and literacy.
● Self-management: self-awareness and reflection; goal setting and action planning.
● Independence and adaptability; acting on initiative; innovation and creativity.
● Interaction: reflection and communication.
● Contextual awareness, e.g. the ability to understand and meet the needs of individuals, business,
and the community, and to understand how workplaces and organisations are governed.


Assignment Brief and Guidance:

CASE STUDY
Connect Sri Lanka is a security solutions company based in Colombo. The organization provides network
security solutions for a range of clients from multiple industry sectors worldwide. You have been employed
as a Junior Network Security Specialist for Connect Limited. Based on the job description, your main duties
are:

● Providing a security audit and risk assessment of an organization’s network in the context of its
business requirements

● Reviewing and recommending improvements to an organization’s network security

● Implementing network security solutions and disaster recovery plan

● Plans and designs Information Security Management Systems (ISMS) for organizations.

CONNECT usually has large, multinational corporations as its clients, but the CEO has received an
unusual request from a new client and has decided that this would be an ideal project for you to handle
by yourself to test your skills and knowledge. The client is the Sigma Health group of companies, a
Colombo-based health service provider consisting of three hospitals (SFC). The Sigma group has a Chief
Information Officer and manages a budget of LKR 116.4 million. One of the institutes that is part of this
chain is the Sigma Institute of Health, with 1500 students specializing in Health Science, Paramedics and
Psychology. Sigma Institute of Health has 65 members of staff, both teaching and non-teaching, and
has an operating budget of LKR 15.3 million.

All staff data, both personal and for payroll, are kept on dedicated Human Resource (HR) servers in the
Network Server Room. All student data is kept on the college Student Information System (SIS), which
contains data such as:

● Contact details for students and parents

● Medical history, patient data and other sensitive information

● Assessment data from homework and examinations, as well as historical data

● Attendance data – Present/Not Present/Authorized Absent for all lessons while at college

● Any Special Educational Needs (SEN) data.

All campus files are on a shared public-access fileserver. This contains all educational resources created
by teachers and areas for students to upload coursework assignments and homework. An Acceptable
Use Policy was created for students (see Appendix 1). Staff were not considered a security threat, so no
staff policies were created. Similarly, the campus had a simple software firewall; however, this was
configured only to block attempts at network intrusion from known malicious (blacklisted) IP addresses.
Students logging in to any computer on the college network had Read access to the fileserver; teachers
had Read/Write access. The campus maintained its own email (Exchange) server, holding all staff and
student emails and historical emails from all previous years. The email server, fileserver, backup NAS


drive and Network Domain Server were in a non-secured room in the IT Technicians’ office. This room
was never locked in case staff or students needed IT support. The college had a Virtual Learning
Platform (VLP), that provided a web interface to the fileserver and provided a way for students to
access course materials. The campus computers ran older versions of Windows 7, as it was determined
to be too expensive to migrate to the current version of the software. To save money, a freeware VPN
had been set up to allow teachers to access college materials from home using college laptops installed
with a VPN client software. It was still possible for staff members to access the fileserver directly using
Remote Desktop. Because the college was deemed to be at a low risk, most of the security
countermeasures had been designed to minimize a threat from malicious damage from students:

● All IT labs were locked and could not be opened without a swipe card

● College policy was that no student could be in an IT lab unsupervised

● Virus scanners had been configured to automatically scan any USB drive plugged into a device

● All optical drives had been removed from each college computer.

Because the CEO considered the campus to be at low risk, data backups consisted of a single 8TB Network
Attached Storage (NAS) drive, to which data was backed up each week. Security procedures were not
strictly followed, as it was thought there was no requirement because the college was a 'soft target'. The
ISMS implemented lacked a clear framework and failed to measure continuously whether the
security controls performed as expected. Just prior to the pandemic, in March 2020, Sigma Institute
suffered a massive security breach. A ransomware virus was downloaded and deployed onto all the
institute servers, resulting in a complete and total loss of:

● All personal student and staff data

● All data on the backup server

● All coursework and teaching resource data on the public fileserver and VLP

● All current and historical attendance data

● All financial data on the HR servers, meaning college staff and contractors could not be paid

● All current and historical email data.

The campus did not have the finances to pay the ransom and so a completely new IT system was
purchased. All data was lost. As part of a review after the incident, it was determined that a teacher
working from home at the weekend, in trying to find extra teaching materials, inadvertently
downloaded a virus containing a malicious payload onto their staff laptop from a compromised website.
The teacher was not using the VPN. The ransomware was activated only when the laptop was
connected to the campus network on the following Monday. The ransomware virus then deployed and
copied itself onto all network devices from the target location, encrypting all data on all servers,


resulting in a total, catastrophic loss of all data. In the aftermath of the incident, the client wants you to
review the risk assessment procedures that were in place and provide a new risk assessment procedure
that is ISO compliant.
They also want you to clearly demonstrate how any new security will still allow Sigma campus to carry
out its normal operations, with a greater emphasis on lessons being delivered remotely.
To make sure that something like this does not happen again, the client also wants you to design a
suitable security policy, identifying key stakeholders, justifying your plan and the IT tools selected. The
new plan needs to cover a wide range of potential IT threats. You have been given the current IT Use
Policy from Sigma campus and their current Risk Assessment plan.

As part of your work for CONNECT, your CEO wants you to put together a presentation on IT security
threats and countermeasures and the risk assessment. You will present this to the CEO and four senior
Security Specialists, so that you can demonstrate you have the breadth of knowledge required to begin
to work with larger clients on your own.

ACTIVITY – 01
As a junior security analyst, your job is to perform an examination of the key principles of an ISMS and its
relevance to the successful operation of Sigma Institute of Health, covering the following in a 15-minute
presentation.

● Conduct an assessment and critical analysis of the elements and processes required for Sigma
institute of health to establish and maintain a more robust ISMS, ensuring that the key ISMS principles
are met

● Conduct a risk assessment and analysis of the benefits that an effective ISMS can have on Sigma
Institute and perform a risk matrix and the prioritization table.

● A justification of the steps required for Sigma institute of health to implement an ISMS. You should
support any points you make in the 15-minute presentation with well-chosen examples from any
research you have carried out on related sectors or ISMS scenarios.

ACTIVITY - 02

Produce a process review document that assesses the current mechanisms and legislation for data
security within an organization. Your review should include the following.

● A review of the current risk assessment procedures in Sigma Institute. (Appendix 2 – Unit 5 – Risk
Assessment)

● An explanation of data protection processes and regulations, applied to Sigma Institute

● A summary of an appropriate risk-management strategy or applied ISO standard and its application to
IT security at Sigma Institute

● Justification, with reasons, for the designed security plan, including the selected physical, virtual and
policy elements

● An analysis of the possible impact on security at Sigma Institute of Health, following the results of an
IT security audit

ACTIVITY – 03

Present a written report to appraise an ISMS for Sigma Institute and design a suitable security policy,
based on the supplied evidence and operational requirements. Your report should include the
following.

● A plan of the design of an ISMS for Sigma Institute, including an implementation map, taking into
consideration functional and non-functional requirements of the digital systems

● A suitable security policy, including the main components of a disaster recovery plan for the college

● Identification and discussion of the stakeholders and their roles in implementing a security audit

● Justification, with reasons, for the designed security plan, including the selected physical, virtual and
policy elements

ACTIVITY – 04

You should support any points you make in the report with well-chosen examples from any research
you have carried out on related sectors or projects, as well as the existing scenario and any associated
documentation.

● An appraisal of and justification for the planned ISMS design, against the new IT security landscape in
Sigma institute of health, auditing the different stages of the process followed

● An analysis of the relationship between ISO and international ISMS standards and the establishment
of an effective ISMS for Sigma Institute

● An evaluation of the suitability of the tools used in the security policy designed for Sigma Institute in
terms of how it meets their needs

● A critical examination of the advantages and disadvantages of the planned ISMS for the college,
against key and international standards.


APPENDIX1
SIGMA INSTITUTE STUDENTS ACCEPTABLE USE POLICY

Background and Definitions

This document provides the basis for determining the acceptability of the use of Sigma Institute IT facilities. It
defines unacceptable usage, to which users are expected to adhere at all times. Using the systems appropriately also
helps the equipment to be used efficiently and to be available when needed. Use of the Sigma Institute
computing resources and facilities is subject to Sri Lankan law, such as the Computer Crimes Act and the Personal Data
Protection Act, and illegal use will be dealt with appropriately (for more information go to https://cert.gov.lk/).

Acceptable Use

Sigma Institute provides each student with access to the college network, access to the internet, use of a desktop
terminal and an email account. This use is permitted and encouraged by the college where such use is suitable
for academic and teaching purposes and supports the college’s goals and objectives. The internet is to be used in
a manner consistent with the college’s standards of conduct and as part of any study-related activities. Use of
the network, internet/intranet, and email, including data sent on it, may be subject to monitoring for security
and/or network management reasons. Users may also be subject to limitations on their use of such resources.

Unacceptable Use

The Sigma Institute network may not be used for any of the following.

1) The creation, viewing or transmission of any offensive, obscene, or indecent images, data or other material, or
any data capable of being resolved into obscene or indecent images or material

2) The creation, viewing or transmission of material which is designed or likely to cause annoyance,
inconvenience, or needless anxiety

3) The creation, viewing or transmission of offensive materials (for example adult materials, images, or
pornography)

4) The transmission of material that infringes the copyright of another person or that fails to credit
the author

5) The transmission of unsolicited commercial materials or advertising

6) Deliberate unauthorized access to facilities or services accessible via the Sigma Institute network

7) To examine, change, or use another person's files, output, or username or password for which they do not
have explicit authorization
8) Deliberate activities with any of the following characteristics.


● Wasting staff effort or networked resources, including time on end systems accessible via the Sigma Institute
network and the effort of staff involved in the support of those systems.
● Corrupting or destroying other users' data.
● Violating the privacy of other users.
● Disrupting the work of other users.
● Using the Sigma Institute network in a way that denies service to other users (for example deliberate or
reckless overloading of access links or of switching equipment; this includes the unwarranted use of internet
audio and video).
● Use of a VPN or proxy service to disguise or forge identity or usage while using the college network to
browse the internet.
● Using college network facilities for the playing, downloading, installing or distribution of games, web-games,
or materials, software or media which is copyrighted by a third party.
● Attaching items of equipment or peripherals that do not belong to the college to any college computers,
networks, or systems without explicit authorization from the IT Services team.

Where the Sigma Institute network is being used to access another network, any abuse of the acceptable use policy
of that network will be regarded as unacceptable use of the Sigma Institute network.

Compliance

It is the responsibility of all users to take all reasonable steps to ensure compliance with the conditions set out in this policy
document and to ensure that unacceptable use of the Sigma Institute network does not occur.

Where necessary, service may be withdrawn from a user. This may take one of two forms:

1) An immediate, temporary withdrawal of service should a violation of any of these conditions occur after
appropriate warnings have been given

2) An immediate suspension of service should a serious violation of the policy occur or a violation that causes
disruption to computer services.

The use of Sigma Institute facilities is subject to the Sri Lankan Personal Data Protection Act, the Computer Crimes Act
and privacy legislation, and any illegal use will be dealt with appropriately. All service withdrawals would be made on the
judgement of the Chief Information Officer of Sigma Group, and the Principal, Head of School, Class Teachers and
Parents/Guardians would then be immediately informed.

APPENDIX 2

Asset             Threat                                 Probability   Impact     Risk Rating   Priority
Computer Lab PCs  Virus                                  Very Likely   Minor      Medium        1
Computer Lab PCs  Deletion of Data                       Likely        Minor      Low           1
Computer Lab PCs  Breach of Copyright                    Very Likely   Moderate   High          2
Computer Lab PCs  Transmission of Unauthorized Material  Likely        Moderate   Medium        2
Staff Laptops     Virus                                  Unlikely      Moderate   Low           1
Staff Laptops     Deletion of Data                       Unlikely      Moderate   Low           1
Staff Laptops     Breach of Copyright                    Unlikely      Moderate   Low           1
File Server       Virus                                  Unlikely      Moderate   Medium        1
File Server       Deletion of Data                       Unlikely      Major      Medium        2
Network           DDOS attack                            Very Likely   Major      Extreme       3
Network           Virus                                  Unlikely      Major      Medium        1

Priority Index

Priority 3: Critical, must be dealt with immediately.

Priority 2: Medium, deal with as and when funds become available.

Priority 1: Low, not considered a likely event.
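The Appendix 2 register above, and the risk matrix and prioritization table that Activity 01 asks for, both come down to one rule: a rating is a function of likelihood and impact, so two rows with the same likelihood and impact must get the same rating and priority. The existing register does not hold to that: (Unlikely, Moderate) is rated Low for the staff laptops but Medium for the file server, and the very row that failed in March 2020 (Staff Laptops / Virus) sits at the lowest priority. The Python below is an added example, not part of the assignment brief or of the student's submission. It transcribes the Appendix 2 rows as given, re-scores them with one fixed 5x5 matrix, reports the inconsistent pairs, and applies a post-incident revision to the staff-laptop row. The five-step scales, the score bands and that revision are assumptions chosen for illustration; ISO/IEC 27005 does not prescribe a particular matrix.

```python
"""Risk matrix scorer for the Appendix 2 register.

Added example, not part of the assignment brief or the submission.
Scoring rule (assumption): score = likelihood ordinal x impact ordinal on two
five-step scales, banded into Low / Medium / High / Extreme. The same
(likelihood, impact) pair therefore always yields the same rating and priority.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Five-step ordinal scales (assumption; Appendix 2 only uses three steps of each).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Very Likely": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Score bands over the product 1..25 (assumption): upper bound -> label.
BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Extreme"))

# Priority index as defined under the Appendix 2 table: 3 critical, 2 medium, 1 low.
PRIORITY = {"Low": 1, "Medium": 2, "High": 3, "Extreme": 3}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    rating: str = ""    # rating as recorded in the register
    priority: int = 0   # priority as recorded in the register


def score(likelihood: str, impact: str) -> int:
    """Numeric risk score from the two ordinal scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rate(score_value: int) -> str:
    """Map a score to its rating band."""
    for upper, label in BANDS:
        if score_value <= upper:
            return label
    raise ValueError(f"score out of range: {score_value}")


def rescore(risk: Risk) -> Risk:
    """Recompute rating and priority from likelihood and impact alone."""
    rating = rate(score(risk.likelihood, risk.impact))
    return replace(risk, rating=rating, priority=PRIORITY[rating])


def find_inconsistencies(register):
    """(likelihood, impact) pairs that the register rated in more than one way."""
    seen = defaultdict(set)
    for r in register:
        seen[(r.likelihood, r.impact)].add(r.rating)
    return {pair: ratings for pair, ratings in seen.items() if len(ratings) > 1}


def revise(register, revisions):
    """Apply likelihood/impact revisions keyed by (asset, threat); other rows unchanged."""
    out = []
    for r in register:
        lik, imp = revisions.get((r.asset, r.threat), (r.likelihood, r.impact))
        out.append(replace(r, likelihood=lik, impact=imp))
    return out


def prioritised(register):
    """Re-score every row with the fixed matrix and order it highest risk first."""
    return sorted((rescore(r) for r in register),
                  key=lambda r: (-score(r.likelihood, r.impact), r.asset, r.threat))


# Appendix 2 transcribed as given; rating and priority are the register's own values.
APPENDIX_2 = [
    Risk("Computer Lab PCs", "Virus", "Very Likely", "Minor", "Medium", 1),
    Risk("Computer Lab PCs", "Deletion of Data", "Likely", "Minor", "Low", 1),
    Risk("Computer Lab PCs", "Breach of Copyright", "Very Likely", "Moderate", "High", 2),
    Risk("Computer Lab PCs", "Transmission of Unauthorized Material", "Likely", "Moderate", "Medium", 2),
    Risk("Staff Laptops", "Virus", "Unlikely", "Moderate", "Low", 1),
    Risk("Staff Laptops", "Deletion of Data", "Unlikely", "Moderate", "Low", 1),
    Risk("Staff Laptops", "Breach of Copyright", "Unlikely", "Moderate", "Low", 1),
    Risk("File Server", "Virus", "Unlikely", "Moderate", "Medium", 1),
    Risk("File Server", "Deletion of Data", "Unlikely", "Major", "Medium", 2),
    Risk("Network", "DDOS attack", "Very Likely", "Major", "Extreme", 3),
    Risk("Network", "Virus", "Unlikely", "Major", "Medium", 1),
]

# Post-incident revision (assumption): the March 2020 breach showed that malware on a
# staff laptop reaches every server and the backup NAS, so Unlikely/Moderate no longer fits.
POST_INCIDENT = {("Staff Laptops", "Virus"): ("Likely", "Catastrophic")}

if __name__ == "__main__":
    for pair, ratings in find_inconsistencies(APPENDIX_2).items():
        print(f"inconsistent in register: {pair} rated {sorted(ratings)}")
    for r in prioritised(revise(APPENDIX_2, POST_INCIDENT)):
        print(f"P{r.priority} {r.rating:<8} {r.asset:<17} {r.threat}")
```

Run as a script it first lists the one pair Appendix 2 scores two different ways, then prints the revised register in priority order. With the revision applied, the Staff Laptops / Virus row that the original register placed at priority 1 is rated Extreme, priority 3, alongside the DDoS row. The matrix itself is a policy choice that the ISMS owner has to approve; what the code enforces is that, once chosen, it is applied uniformly and recomputed when an incident changes the inputs.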


Recommended resources
Please note that the resources listed are examples for you to use as a starting point in your research – the
list is not definitive.
Weblinks:
https://advisera.com/ (n.d.) What is ISO 27001? Quick and easy explanation [online] Available at:
https://advisera.com/27001academy/what-is-iso-27001/ [Accessed 1 August 2022]
https://csrc.nist.gov/ (n.d.) COMPUTER SECURITY RESOURCE CENTER - countermeasures [online] Available
at: https://csrc.nist.gov/glossary/term/countermeasures [Accessed 1 August 2022]
https://onlinedegrees.und.edu/ (2022) 7 Types of Cyber Security Threats [online] Available at:
https://onlinedegrees.und.edu/blog/types-of-cyber-security-threats/ [Accessed 1 August 2022]
https://us.norton.com/ (2021) What is a firewall? Firewalls explained and why you need one [online]
Available at: https://us.norton.com/internetsecurity-emerging-threats-what-is firewall.html [Accessed 1
August 2022]
https://www.bmc.com/ (2019) Introduction to Information Security Management Systems (ISMS) [online]
Available at: https://www.bmc.com/blogs/introduction-to-information-security management-systems-
isms/ - :~:text=An%20information%20security%20management%20system,more%20focused%20on
%20your%20industry [Accessed 1 August 2022]
https://www.exabeam.com/ (2022) 21 Top Cybersecurity Threats and How Threat Intelligence Can Help
[online] Available at: https://www.exabeam.com/information-security/cyber security-threat/ [Accessed 1
August 2022]
https://www.isms.online/ (n.d.) Information Security Management System SaaS For ISO 27001 [online]
Available at: https://www.isms.online/information-security-management-system isms/ [Accessed 1 August
2022]
https://www.iso.org/home.html (n.d.) ISO/IEC 27001 INFORMATION SECURITY MANAGEMENT [online]
Available at: https://www.iso.org/isoiec-27001-information-security.html [Accessed 1 August 2022]
https://www.itgovernance.co.uk/ (2022) ISO 27001: The International Information Security Standard
[online] Available at: https://www.itgovernance.co.uk/iso27001 [Accessed 1 August 2022]
https://www.sans.org/uk/ (2022) Security Policy Templates [Online] Available at:
https://www.sans.org/information-security-policy/ [Accessed 1 August 2022]


Activity 01

The Significance and Key Elements of an Information Security Management System (ISMS) Plan

An organization's information security posture can be established, implemented, maintained, and constantly improved with the use of an ISMS
plan (International Organization for Standardization [ISO], 2013). It is customized to the unique requirements and organizational situation, taking
into account variables such as:

 Industry and company size

 Requirements for regulatory compliance

 Current security procedures

 Overall goals for security

The strategy makes use of a risk-based methodology to recognize, evaluate, and lessen risks to information assets (TUV SUD, 2023). It describes
the roles, responsibilities, policies, and security measures that are in place to protect these assets.

Advantages of an ISMS Plan:

Enhanced security posture: An organization's resistance against cyberattacks and data breaches is strengthened by a well-defined ISMS plan.

Better risk management: The framework offers a methodical way to recognize and lessen information security threats.

Regulation adherence: ISMS strategies can assist firms in abiding by data protection rules and regulations unique to their industry.

Stakeholder trust: An ISMS plan demonstrates an organization's commitment to information security, which helps to build trust with partners and clients.


Key Elements of an ISMS Plan:

The core components of an ISMS plan are generally aligned with the Plan-Do-Check-Act (PDCA) cycle for continuous improvement
(British Standards Institution [BSI], 2023).

Plan: In this phase, information security policies and objectives are established, risk assessments are carried out, and the ISMS's scope is defined.

Do: The plan is carried out through security control implementation, employee training, and awareness raising.

Check: Performance evaluations and audits are used to track the efficacy of the ISMS.

Act: By making modifications to rules, controls, and processes, the ISMS is continuously enhanced based on the results from the "Check" step.

Formulating an ISMS Plan:


An ISMS plan can be built by businesses using a number of well-established frameworks. The ISO/IEC 27001 standard, which describes particular
requirements for establishing an ISMS, is one well-known example (ISO, 2013).

The usual steps in creating an ISMS plan are broken down as follows:

Scope Definition: Define the information assets and processes that the ISMS covers.

Risk Assessment: Identify possible risks and weaknesses and evaluate the effect they may have on information assets.

Security Policy Development: Create succinct, unambiguous policies that specify employee roles and information security procedures.

Control Selection and Implementation: Using the risk assessment as a guide, select the best security controls and put them into practice.

Awareness and Training: Inform staff members about best practices, rules, and procedures related to information security.

Monitoring and Review: Keep a close eye on the ISMS's performance and carry out routine reviews to make necessary improvements.

An organization's information security strategy is based on its ISMS plan. Organizations are able to protect their important data assets and
maintain a strong information security posture by utilizing established frameworks and adhering to a systematic approach.


ISMS and its importance to Sigma Health Group's smooth operation


Each principle and its application are examined below to show how Sigma Health Group can benefit from the principles of an
Information Security Management System (ISMS).

1. Confidentiality

Ensuring that only individuals with the proper authorization can access sensitive information is a crucial aspect of maintaining confidentiality.
Sigma Health Group places a high priority on protecting the privacy of student, staff, and patient records.

Application:

Role-Based Access Control (RBAC): Sensitive data should only be accessed by authorized persons, such as medical professionals, administrative
workers, and specific IT personnel.

Encryption: Both while in transit and while at rest, sensitive data should be encrypted. This means that all financial information, personal
information, and patient records need to be secured using encryption standards like AES-256.

Strong Authentication: Verify user identities with strong authentication measures, such as multi-factor authentication (MFA), before
granting access to important systems and data.
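The following is an added illustration of the confidentiality controls just listed, not code from the assignment or from Sigma Health Group: a deny-by-default role-based access check in which sensitive resources additionally require a completed MFA step, with every decision written to an audit trail. The roles, resource names, usernames and policy table are constructed for the example.

```python
"""Added example: deny-by-default RBAC with an MFA requirement for sensitive
records. The policy table, roles, resources and usernames are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed policy table: role -> permitted (resource, action) pairs.
# Anything not listed here is denied (deny by default, least privilege).
POLICY: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "doctor":     frozenset({("patient_record", "read"), ("patient_record", "write")}),
    "nurse":      frozenset({("patient_record", "read")}),
    "hr_officer": frozenset({("payroll", "read"), ("payroll", "write")}),
    "student":    frozenset({("course_material", "read")}),
    "it_admin":   frozenset({("backup_nas", "read"), ("backup_nas", "write")}),
}

# Resources holding sensitive data: a completed MFA step is required even
# when the role would otherwise permit the action.
MFA_REQUIRED = frozenset({"patient_record", "payroll", "backup_nas"})


@dataclass
class Request:
    user: str
    roles: List[str]
    resource: str
    action: str
    mfa_verified: bool = False


@dataclass
class AuditTrail:
    entries: List[str] = field(default_factory=list)

    def record(self, req: Request, allowed: bool, reason: str) -> None:
        verdict = "ALLOW" if allowed else "DENY"
        self.entries.append(
            f"{verdict} user={req.user} resource={req.resource} "
            f"action={req.action} reason={reason}"
        )


def authorise(req: Request, audit: AuditTrail) -> Tuple[bool, str]:
    """Return (allowed, reason). Every decision, allowed or denied, is
    recorded so that access to sensitive data can be reviewed later."""
    granted = any(
        (req.resource, req.action) in POLICY.get(role, frozenset())
        for role in req.roles
    )
    if not granted:
        reason = "no role grants this action"
    elif req.resource in MFA_REQUIRED and not req.mfa_verified:
        reason = "MFA required for sensitive resource"
    else:
        reason = "permitted by role"
    allowed = reason == "permitted by role"
    audit.record(req, allowed, reason)
    return allowed, reason


def demo() -> Tuple[List[Tuple[bool, str]], List[str]]:
    """Evaluate a few constructed requests; return decisions and the audit trail."""
    audit = AuditTrail()
    requests = [
        Request("dr_silva", ["doctor"], "patient_record", "write", mfa_verified=True),
        Request("nurse_perera", ["nurse"], "patient_record", "write", mfa_verified=True),
        Request("student_01", ["student"], "payroll", "read", mfa_verified=True),
        Request("hr_fernando", ["hr_officer"], "payroll", "read"),  # MFA not completed
        Request("contractor", ["unknown_role"], "course_material", "read"),
    ]
    decisions = [authorise(r, audit) for r in requests]
    return decisions, audit.entries


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The design point is that the role check and the MFA check are separate gates: a nurse with MFA is still denied write access (least privilege), and an HR officer whose role permits payroll access is still denied until MFA is done, and both denials land in the audit trail for later review.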

2. Integrity

Integrity guarantees that the data is true and hasn't been altered. This is essential for Sigma Health Group to preserve the integrity of student
grades, financial data, and medical records.

Application:

Checksums and Hashing: Use checksums and hash functions to detect unauthorized data modifications. SHA-256, for instance, can be used to
confirm the integrity of files.

Audit Trails: Keep thorough audit trails that record all access to and changes made to important data. This makes it easier to find and
address any unauthorized changes.

Strict Access Controls: Put in place access controls to stop illegal data alterations. Sensitive records should only be edited or deleted by authorized
individuals.

3. Availability

Availability guarantees that systems and data are accessible when required. Ensuring uninterrupted access to systems and data for medical
personnel, administrative staff, and students is of utmost importance to Sigma Health Group.

Application:

Redundant Systems: To achieve high availability, implement redundant systems for vital services. Having backup servers and networking hardware
is part of this.

Robust Backups: Make regular backups of all important data and store them in the cloud or off-site. Make sure backups are encrypted and
that their integrity and restorability are routinely checked.

Disaster Recovery Plans: Create and keep up-to-date detailed plans that specify what should be done in the case of a data breach or system
failure. Practice drills frequently to make sure the organization is ready.
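As an added example (not code from the assignment) covering both the integrity controls in section 2 and the backup checks in section 3 above: a SHA-256 manifest is built for a set of records, the records are backed up, the backup is verified against the manifest, restorability is proven by a trial restore, and an unauthorized change to the live copy is then detected. File names, contents and the audit-line format are constructed; the example uses temporary directories so it runs offline. Encrypting the backup, which the text also calls for, is left out because the Python standard library has no AES implementation.

```python
"""Added example: SHA-256 manifest for tamper detection, backup verification
and a trial restore. Paths, file contents and log format are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 digest for every file under root."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify(root: Path, manifest: Dict[str, str], audit: List[str]) -> List[str]:
    """Return the relative paths whose content no longer matches the manifest
    (modified or missing). Every check is appended to the audit trail."""
    mismatched: List[str] = []
    for rel, expected in manifest.items():
        candidate = root / rel
        actual = sha256_file(candidate) if candidate.is_file() else "<missing>"
        ok = actual == expected
        audit.append(f"{'OK' if ok else 'MISMATCH'} {rel}")
        if not ok:
            mismatched.append(rel)
    return mismatched


def backup_and_test_restore(source: Path, backup: Path, restore: Path,
                            audit: List[str]) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Snapshot the source, copy it to the backup location, then prove
    restorability by restoring into scratch space and re-verifying."""
    manifest = build_manifest(source)
    shutil.copytree(source, backup, dirs_exist_ok=True)
    shutil.copytree(backup, restore, dirs_exist_ok=True)
    return manifest, verify(backup, manifest, audit), verify(restore, manifest, audit)


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Run the whole cycle on constructed files in a temporary directory."""
    base = Path(tempfile.mkdtemp())
    src, bkp, rst = base / "records", base / "backup", base / "restore_test"
    src.mkdir()
    (src / "patient_001.txt").write_text("diagnosis: constructed sample record\n")
    (src / "grades.csv").write_text("student,grade\nS001,A\n")
    audit: List[str] = []
    manifest, backup_bad, restore_bad = backup_and_test_restore(src, bkp, rst, audit)
    # Simulate an unauthorized edit of the live copy and re-check it
    (src / "grades.csv").write_text("student,grade\nS001,A+\n")
    live_bad = verify(src, manifest, audit)
    shutil.rmtree(base)
    return backup_bad, restore_bad, live_bad, audit


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The manifest has to be stored somewhere the person who can edit the records cannot also edit (a separate, write-restricted location), otherwise an attacker who alters a file can simply recompute its digest.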

4. Risk Management

Information asset risks must be identified, evaluated, and mitigated as part of risk management. This entails assessing risks for Sigma Health
Group, including ransomware, data breaches, and system malfunctions.

Application:

Frequent Risk Assessments: To find possible threats and weaknesses, do regular risk assessments. Employ frameworks like ISO/IEC 27005 to
manage risks in an organized manner.

Mitigation Measures: Develop and implement mitigation measures for the identified risks, for instance patching software vulnerabilities,
configuring firewalls to block malicious traffic, and training employees to recognize phishing scams.

Continuous Monitoring: Use tools for continuous monitoring to quickly identify and address security incidents. Security data can be gathered and
examined by using Security Information and Event Management (SIEM) systems.

5. Compliance

Following all applicable laws, rules, and regulations is referred to as compliance. Sigma Health Group finds it critical to adhere to local data
protection legislation and standards such as ISO/IEC 27001.

Application:

Frequent Compliance Audits: To guarantee adherence to pertinent laws and standards, conduct compliance audits on a regular basis. If you need
an impartial evaluation, bring in outside auditors.

Policy Updates: Update security policies regularly to take into account new risks, rules, and regulations. Make certain that all policies are
documented in writing and distributed to the appropriate parties.

Education and Awareness: Educate employees on the significance of adhering to security standards as well as compliance obligations. This entails
being aware of data protection regulations and the repercussions of breaking them.


6. Continuous Improvement

By implementing continuous improvement, the ISMS is made to adapt to changing business requirements and threats. This entails routinely
evaluating and upgrading security measures for Sigma Health Group.

Application:

Frequent evaluations: To find opportunities for improvement, conduct routine evaluations of the ISMS. Updates should be based on input from
risk assessments, audits, and security incidents.

Incident Response: Conduct a thorough review after any security incident to determine what went wrong and how a recurrence of the same
type of incident can be prevented.

Embracing Best Practices: Keep abreast of the most recent developments in cybersecurity best practices and integrate them into the ISMS.
Interact with the larger security community to gain insight from the experiences of others.

7. Leadership and Commitment

Strong management commitment and leadership are necessary for an effective ISMS. This means that in the case of Sigma Health Group, security
rules need to be actively supported and upheld by the CEO, CIO, and other leaders.

Application:

Security Governance Framework: Create a structure outlining the tasks, functions, and supervision of security management. Key stakeholders and
top management should be involved in this.

Resource Allocation: Make certain that sufficient funds, manpower, and equipment are set up for the ISMS's implementation and upkeep. This
indicates a top-down commitment to security.

Security Culture: Encourage an organization-wide culture of security awareness. Leaders must lead by example by upholding security protocols
and stressing their significance.

8. Employee Awareness and Training

Workers are frequently the security system's weakest link. For Sigma Health Group, preventing security breaches requires staff training on best
practices.


Application:

Conduct Regular Training Programs: Provide personnel with regular training on security best practices, such as identifying phishing attempts,
creating strong passwords, and reporting suspicious activity.

Phishing Simulations: To assess staff awareness and ability to respond to phishing attempts, conduct phishing simulation exercises. Utilize the
findings to customize training courses.

Transparent Communication: Make sure that all employees are aware of the security policies and procedures. Make sure that everyone is aware
of their obligations and roles in upholding security.

Significance to Sigma Health Group

Sigma Health Group will gain a lot from putting these principles into practice when they implement an ISMS:

 Data Security:

Safeguarding confidential patient, student, and staff information ensures adherence to data protection regulations and upholds stakeholders'
confidence.

Prevents data breaches that can cause financial loss and legal problems.

 Business Continuity:

Reduces the likelihood of interruptions to healthcare and educational services by guaranteeing the availability of vital systems and data.

Improves the efficacy of remote instruction and telemedicine services.

 Risk Reduction:

Decreases the possibility and effect of security incidents such as ransomware attacks by identifying and mitigating potential security threats.

Improves resistance to cyberattacks and the overall security posture.

 Adherence to Regulations:

Helps Sigma Health Group adhere to pertinent rules and legislation, preventing fines and improving its reputation.

Shows stakeholders and regulatory agencies a commitment to data security and protection.

 Stakeholder Confidence:

Builds trust with patients, students, staff, and partners by showing a dedication to information security.

Improves Sigma Health Group's standing as a trustworthy and secure organization.

 Cost Efficiency:

Lowers the cost of recovering from a data breach, including lost profits, legal fees, and system recovery costs.

Prioritizes security investments according to risk assessments, which optimizes the use of available resources.

Sigma Health Group may substantially improve its cybersecurity posture, guarantee the continuity of its operations, and uphold the faith of its
stakeholders by adhering to the principles of an ISMS.

Risk Assessment and Benefit Analysis of Sigma Health Group's ISMS Plan

Risk assessment is an essential step in the overall risk management process. This methodical approach entails identifying, analysing, and
evaluating risks together with their associated hazards (International Organization for Standardization [ISO], 2013).

Finding and controlling information security vulnerabilities requires a thorough risk assessment. This assessment follows the ISO/IEC 27001
standard and involves the following steps:

01. Context establishment: Define the parameters of the risk assessment, including the resources, threats, and weaknesses that are
pertinent to Sigma Health Group.

02. Risk identification: Determine which hazards have the potential to jeopardize the organization's assets.


03. Risk analysis: Examine the identified hazards to ascertain their likelihood and possible impact.

04. Risk evaluation: Rank the risks according to their likelihood and possible impact.

05. Risk treatment: Identify the best course of action for reducing, transferring, avoiding, or accepting each risk.

Step 1: Establishing the Context

Scope:

Assets include the campus PCs, backup NAS drive, Network Domain Server, email exchange server, HR servers, and public access file server.

Information includes staff and student personal information, academic records, medical histories, attendance records, financial information, and
email correspondence.

Step 2: Identification of Risks

Potential Threats:

01. Sensitive information accessed without authorization

02. Breach of data due to external cyberattacks

03. Attacks using ransomware

04. Data loss as a result of insufficient backups

05. Data leaking through unreliable remote access

06. Student and staff insider threats

07. Physical security lapses

08. USB drives contaminated with malware

09. Outdated software leading to system problems

10. Data loss or corruption due to natural disasters

Step 3: Risk Analysis

Each identified risk is scored for likelihood (L) and impact (I); the risk level is the product L x I.

Risk                                                 | Likelihood (L) | Impact (I) | Risk Level (L x I)
-----------------------------------------------------|----------------|------------|-------------------
Sensitive information accessed without authorization | 3              | 4          | 12
Breach of data due to external cyberattacks          | 4              | 5          | 20
Attacks using ransomware                             | 3              | 5          | 15
Data loss as a result of insufficient backups        | 2              | 5          | 10
Data leaking through unreliable remote access        | 3              | 4          | 12
Student and staff insider threats                    | 3              | 3          | 9
Physical security lapses                             | 2              | 4          | 8
USB drives contaminated with malware                 | 4              | 3          | 12
Outdated software leading to system problems         | 3              | 4          | 12
Data loss or corruption due to natural disasters     | 1              | 5          | 5


Step 4: Risk Evaluation

Prioritization Table: The risks are ranked from highest to lowest risk level based on the risk matrix.

Priority | Risk Description                                     | Risk Level
---------|------------------------------------------------------|-----------
1        | Breach of data due to external cyberattacks          | 20
2        | Attacks using ransomware                             | 15
3        | Sensitive information accessed without authorization | 12
4        | Data leaking through unreliable remote access        | 12
5        | USB drives contaminated with malware                 | 12
6        | Outdated software leading to system problems         | 12
7        | Data loss as a result of insufficient backups        | 10
8        | Student and staff insider threats                    | 9
9        | Physical security lapses                             | 8
10       | Data loss or corruption due to natural disasters     | 5
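The scoring and ranking of Steps 3 and 4, carried through in code as an added example (not part of the assignment): the risk names and likelihood/impact values are the ones in the tables above; the assumption that both scores lie on a 1 to 5 scale, the validation of that scale, and the ranking and grouping functions are this example's own.

```python
"""Added example: Risk Level = L x I for the register above, ranked as in
the prioritization table. The 1-5 scale is an assumption drawn from the
values in the table."""
from typing import Dict, List, Tuple

# (risk, likelihood, impact) exactly as entered in the Step 3 table
RISK_REGISTER: List[Tuple[str, int, int]] = [
    ("Sensitive information accessed without authorization", 3, 4),
    ("Breach of data due to external cyberattacks", 4, 5),
    ("Attacks using ransomware", 3, 5),
    ("Data loss as a result of insufficient backups", 2, 5),
    ("Data leaking through unreliable remote access", 3, 4),
    ("Student and staff insider threats", 3, 3),
    ("Physical security lapses", 2, 4),
    ("USB drives contaminated with malware", 4, 3),
    ("Outdated software leading to system problems", 3, 4),
    ("Data loss or corruption due to natural disasters", 1, 5),
]


def risk_level(likelihood: int, impact: int) -> int:
    """Risk Level = L x I. Both scores must lie on the assumed 1-5 scale so
    that a mistyped 0 or 10 cannot silently distort the ranking."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def prioritise(register: List[Tuple[str, int, int]]) -> List[Tuple[int, str, int]]:
    """Return [(priority, risk, level)] from highest to lowest level.
    sorted() is stable, so risks with equal levels keep the order in which
    they appear in the register, which reproduces the Step 4 table."""
    scored = [(name, risk_level(l, i)) for name, l, i in register]
    ranked = sorted(scored, key=lambda item: item[1], reverse=True)
    return [(rank, name, level) for rank, (name, level) in enumerate(ranked, start=1)]


def by_level(register: List[Tuple[str, int, int]]) -> Dict[int, List[str]]:
    """Group risk names by level, highest first. Useful when deciding how
    to share treatment effort between risks tied at the same level."""
    groups: Dict[int, List[str]] = {}
    for name, l, i in register:
        groups.setdefault(risk_level(l, i), []).append(name)
    return dict(sorted(groups.items(), reverse=True))


if __name__ == "__main__":
    for rank, name, level in prioritise(RISK_REGISTER):
        print(f"{rank:2d}  {level:2d}  {name}")
```

The grouping makes the tie at level 12 explicit: four risks share it, and the priority order among them is simply the order of the register, not a judgement about which is more urgent, so the treatment plan should decide that separately.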

Step 5: Risk Treatment (Mitigation Strategies):

External cyberattacks resulting in data breaches:

 Install intrusion detection/prevention (IDS/IPS) and advanced firewall systems.

 Perform vulnerability analyses and penetration testing on a regular basis.

 Achieve timely patching and software updates.


Attacks using ransomware:

 Back up data frequently and store copies offline in multiple locations.

 Deploy anti-malware software and run routine scans.

 Train employees on safe browsing and how to recognize phishing attacks.

sensitive info accessed without authorization:

 Require multi-factor authentication (MFA) for access to sensitive systems.

 To restrict access based on job responsibilities, use role-based access control (RBAC).

 Update and review access permissions on a regular basis.

Data leaking through unreliable remote access:

 For remote access, make use of a robust VPN with strong encryption.

 Make sure logs are routinely examined and remote access systems are kept under observation.

 Educate employees on safe remote working techniques.
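One concrete form of the "logs are routinely examined" control above, as an added example (not from the assignment): a review of VPN authentication log lines that flags a burst of failed logins from one source address and then a successful login from that same source, which is the sequence a reviewer would want to follow up. The log line format, the source addresses (from the documentation ranges), the usernames and the thresholds are all constructed for illustration.

```python
"""Added example: review constructed VPN authentication logs for failed-login
bursts and for a success that follows a burst. Format and thresholds are
assumptions, not the output of any real VPN product."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed sample log, one line per authentication attempt.
# 198.51.100.7 is an ordinary user with one mistyped password;
# 203.0.113.5 shows six failures in a row and then a success.
LOG_LINES = [
    "2022-08-01T09:00:12Z vpn auth user=asmith src=198.51.100.7 result=OK",
    "2022-08-01T09:05:40Z vpn auth user=asmith src=198.51.100.7 result=FAIL",
    "2022-08-01T09:05:55Z vpn auth user=asmith src=198.51.100.7 result=OK",
    "2022-08-01T22:14:03Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2022-08-01T22:14:33Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2022-08-01T22:15:03Z vpn auth user=admin src=203.0.113.5 result=FAIL",
    "2022-08-01T22:15:33Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2022-08-01T22:16:03Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2022-08-01T22:16:33Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2022-08-01T22:20:10Z vpn auth user=jdoe src=203.0.113.5 result=OK",
]

FAIL_THRESHOLD = 5              # assumed: 5 failures from one source ...
WINDOW = timedelta(minutes=10)  # ... within 10 minutes raises an alert


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    result: str


def parse(line: str) -> Event:
    """Split '<timestamp> vpn auth key=value ...' into an Event."""
    ts, _, _, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 fields["user"], fields["src"], fields["result"])


def review(lines: List[str]) -> List[str]:
    """Return alert strings for the patterns worth a reviewer's attention."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # per-source sliding window
    flagged: Set[str] = set()
    alerts: List[str] = []
    for ev in map(parse, lines):
        recent = failures[ev.src]
        while recent and ev.ts - recent[0] > WINDOW:  # drop failures outside the window
            recent.popleft()
        if ev.result == "FAIL":
            recent.append(ev.ts)
            if len(recent) >= FAIL_THRESHOLD and ev.src not in flagged:
                flagged.add(ev.src)
                alerts.append(f"BRUTE_FORCE src={ev.src} failures={len(recent)} window=10m")
        elif ev.result == "OK" and ev.src in flagged:
            # A success from an already-flagged source may mean a credential was guessed
            alerts.append(f"SUCCESS_AFTER_BURST src={ev.src} user={ev.user}")
    return alerts


if __name__ == "__main__":
    for alert in review(LOG_LINES):
        print(alert)
```

The sliding window is per source address, so the single failure from 198.51.100.7 never reaches the threshold, while the second alert is the one that should trigger an immediate check of the jdoe account (and, if MFA is enforced as recommended above, confirm that the MFA step was actually completed).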

USB drives that are infected with malware:

 Turn off USB ports or impose stringent limitations on USB use.

 Use endpoint security to scan USB devices automatically.



 Inform people of the dangers of utilizing USB devices that are not verified.

Outdated software leading to system problems:

 Create and put into effect a patch management strategy.

 Update and upgrade systems to supported versions on a regular basis.

 Test for compatibility before releasing updates.

Data loss as a result of insufficient backups:

 Establish a reliable backup plan and test backup restorations on a regular basis.

 Keep backups in multiple locations, such as offsite and cloud-based services.

 To guarantee dependability and consistency, automate backup procedures.

Staff and student insider threats:

 Verify the background of staff members and students who have access to private information.

 Establish a thorough monitoring system to find anomalous activity.

 Encourage a culture of security awareness by holding frequent training and awareness campaigns.

Breach of physical security:

 Secure server rooms with locks and access control systems.

 Install security guards and video cameras in key locations.

 Examine and upgrade physical security measures on a regular basis.

Data loss or corruption due to natural disasters:

 Construct a thorough disaster recovery plan (DRP).

 Update the disaster recovery plan (DRP) in light of lessons learned from routine disaster recovery drills.

 Make sure all important data is backed up and can be restored quickly in an emergency.

By conducting this risk assessment, Sigma Health Group can better understand the threats to their information assets and prioritize their efforts
to mitigate these risks. Implementing the recommended mitigation measures will strengthen their information security posture, ensuring
compliance with ISO/IEC 27001 standards, and protecting their sensitive data and systems from various threats.


Examining the Advantages of the Sigma Health Group's ISMS Plan


An organization can benefit from a variety of factors when an Information Security Management System (ISMS) is implemented successfully.
These advantages are covered in great length below, with special attention to Sigma Health Group, which consists of hospitals and educational
facilities.

Enhanced Protection of Sensitive Information:

Confidentiality: The ISMS guaranteed that only authorized people could access sensitive data, including student information, patient medical
records, and payroll information. Given the sensitivity of medical data and personal information, this protection was essential.

Integrity: The ISMS protected data integrity by putting in place safeguards including digital signatures, checksums, and access restrictions. This
guaranteed that information stayed accurate and unaltered, which was necessary to keep academic evaluations and medical records trustworthy.

Risk Management:

Risk Identification and Mitigation: Thorough risk evaluations revealed possible dangers and weaknesses, allowing Sigma Health Group to rank and
handle the most important risks. By being proactive, they were able to avert situations similar to the ransomware attack that had previously
destroyed their IT infrastructure.

Incident Response: A well-defined incident response plan is a necessary component of an efficient ISMS since it guarantees prompt identification,
containment, elimination, and recovery from security incidents. This maintained continuity in patient care and instruction by minimizing
downtime and lessening the impact on operations.

Adherence to Regulations

Fulfilling Legal Obligations:

Compliance with Standards: By aligning the ISMS with the ISO/IEC 27001 standard, Sigma Health Group ensured compliance with national and
international legislation, including GDPR for data protection and HIPAA for healthcare data security. This compliance prevented fines and
preserved stakeholder confidence.

Audit Readiness: Consistent adherence to regulatory requirements was guaranteed by frequent internal and external audits. Being prepared
helped to prevent unforeseen compliance problems and increased trust with regulatory agencies.


Demonstrating Due Diligence:

Legal Protection: Following accepted security guidelines demonstrated that reasonable precautions were taken to safeguard confidential data.
This legal defensibility was essential to reduce liability and protect the organization in the event of data breaches or legal issues.

Operational Effectiveness and Streamlined Processes:

Uniform Procedures: Sigma Health Group will operate more consistently and effectively as a result of the ISMS's implementation because it will
have uniform security procedures. Consequently, managing security responsibilities became less unpredictable and complex.

Reduced Downtime: The preventative measures and rapid incident response capabilities of the ISMS significantly reduced operational disruptions.
This was necessary to maintain the smooth operation of healthcare services and educational programs, both of which depend on the continuous
availability of IT systems.

Resource Optimization:

Effective Use of Resources: By focusing resources on high-priority risks and necessary assets, Sigma Health Group made the best use of the
LKR116.4 million and LKR15.3 million budgets. The allocation that was developed ensured that security expenditures produced the highest return.

Enhanced Trust and Reputation:

Increasing Stakeholder Confidence:

Clients and Partners Trust: Demonstrating high information security standards earned the trust of patients, students, parents, and partners.
Their trust in the organization increased when they saw that their data was safe.

Competitive Advantage: Sigma Health Group's commitment to data security and privacy set them apart from rivals thanks to an efficient ISMS.
This competitive edge was especially helpful in drawing in new clients and students.

Public perception:

Positive Public Relations: Sigma Health Group's reputation was enhanced by effective information security protocols and openness regarding data
protection. Preventing security incidents and data breaches avoided bad press that could have damaged the company's reputation.


Continuous Improvement and Adaptability to Emerging Threats:

Proactive Security Measures: Sigma Health Group was able to stay ahead of emerging threats through regular risk assessments and ongoing
monitoring. They kept up a strong defense against changing cyber threats by modifying security measures in response to the most recent threat
intelligence.

Learning from Incidents: The ISMS was designed to incorporate the lessons learned from security incidents through post-incident reviews and
feedback loops. The organization's resistance to potential threats was strengthened through this process of continuous improvement.

Innovation and Growth:

Promoting Innovation: With a solid security foundation, Sigma Health Group could concentrate on innovation in healthcare and education without
constantly worrying about data breaches. This freedom allowed its services to become more innovative and better.

Employee Awareness and Engagement:

Culture of Security:

Regular training programs ensured that staff members were knowledgeable about security best practices and their role in protecting information.
This knowledge reduced the chance of human error, which is often a significant information security threat.

Participation in the ISMS process by employees improved their alertness and proactivity in spotting and reporting possible security threats. The
overall security posture of the organization was enhanced by this shared accountability.

Reduced Insider Threat:

Policy Compliance: Whether intentional or inadvertent, insider threats were less likely when there were clear policies and frequent training. For
Sigma Health Group, this meant that staff members and students adhered to security guidelines in order to safeguard private information from
internal exploitation.

Financial Protection:

Cost savings: The company averted significant financial losses from recovery efforts, legal fees, and possible fines by preventing data breaches and
reducing their impact. Over time, it proved to be economical to invest in an ISMS.

Insurance: Implementing thorough security policies through an ISMS may lower the cost of cybersecurity insurance. This strengthened the
organization's financial security and demonstrated its dedication to reducing cyber risks.


Student and Customer Satisfaction:

Reliable Services: Sigma Health Group's assurance of data availability and operational continuity resulted in dependable services for patients and
students. This reliability led to an increase in customer satisfaction and loyalty.

Improved Learning Environment: Students at the Sigma Institute of Health had a better learning environment thanks to safe and easily accessible
IT solutions, which improved their academic achievement and general well-being.

In addition to attaining regulatory compliance, operational efficiency, reputation, continuous improvement, and employee engagement in
upholding a safe workplace, Sigma Health Group enhanced its security posture. These all-inclusive advantages contributed to the organization's
long-term success, stability, and capacity to offer top-notch medical and educational services.

Critical Examination of the Requirements to Create and Maintain Sigma Health Group's ISMS Plan
Key Components

Leadership and Commitment

Top Management Involvement: Sigma Institute of Health's Chief Information Officer (CIO) and upper management need to actively support and
promote the ISMS. Their participation is essential to obtaining resources and guaranteeing that goals are in line with the organization.

Information Security Policy: Create a thorough information security policy outlining the organization's dedication to safeguarding staff and
student data, guaranteeing system availability, and upholding regulatory compliance.

ISMS Scope and Objectives

Defining the Scope: All essential resources, such as the HR servers, Student Information System (SIS), email exchange server, public access
file server, backup NAS drive, and network domain servers, should be covered by the ISMS. All physical sites, such as server rooms and IT labs,
should be covered as well.

Setting Goals: Clearly define information security goals that complement Sigma's corporate objectives, for example guaranteeing the privacy of
health information, the accuracy of academic data, and the accessibility of virtual learning environments.


Evaluation and Management of Risks

Risk Identification and Analysis: To detect potential threats like ransomware, cyberattacks, data breaches, and physical security hazards, conduct a
thorough risk assessment. To assess each risk's impact and likelihood, use risk matrices.

Risk Treatment: Create a risk treatment strategy that ranks hazards according to their seriousness. Put in place the necessary safeguards, such as improved
firewall configurations, multi-factor authentication (MFA), and frequent data backups, to reduce risks.

Documentation and the ISMS Framework

ISMS Framework: Using the ISO/IEC 27001 standard as a foundation, create a systematic ISMS framework. Comprehensive rules, processes, and
recommendations for handling information security should be included in this framework.

Documentation: Keep thorough records of all ISMS operations, including incident reports, treatment plans, rules, procedures, and risk
assessments. Review and update this material frequently to take into account modifications to the organizational structure and threat landscape.

Implementing Controls:

Technical Controls: Put into practice technical controls such as advanced firewalls, intrusion detection/prevention systems (IDS/IPS), encryption
for confidential information, and secure server and workstation configurations. Update software frequently to guard against vulnerabilities.

Physical Controls: Install surveillance cameras, implement access control systems to secure server rooms, and make sure that only authorized
individuals can enter critical areas in order to improve physical security.

Administrative Controls: Create and implement guidelines and protocols for incident response, user access control, data backup, and secure data
handling. Conduct routine audits to make sure these policies are being followed.

Awareness and Training

Security Awareness Programs: To guarantee that all employees and students understand the value of information security and their part in
safeguarding information assets, regularly provide security awareness training.

Specialized Training: IT staff and other critical personnel should receive specific training on advanced security procedures, incident response,
and the usage of security tools and technology.


Monitoring and Evaluation

Continuous Monitoring: To identify and react to security events quickly, establish continuous monitoring of networks and systems. For centralized
monitoring and analysis, make use of systems such as Security Information and Event Management (SIEM).

Frequent Audits: To assess the success of the ISMS and guarantee adherence to ISO/IEC 27001 standards, conduct routine internal and external
audits. Utilize audit results to pinpoint areas in need of development.

Incident Response and Management

Incident Response Plan: Create and maintain an incident response plan that specifies what should be done in the event of a security incident.
Make sure the plan outlines the steps for detection, containment, eradication, and recovery.

Post-Incident Analysis: Conduct post-incident analysis to identify the underlying cause of incidents and put corrective measures in place to stop
them from happening again. Record the lessons learned and make the necessary updates to the ISMS.

Constant Enhancement

Plan-Do-Check-Act (PDCA) Cycle: Apply the PDCA cycle to guarantee that the ISMS is continuously improved. Plan, execute, evaluate, and improve
security measures on a regular basis in response to user input and changing threats.

Establish feedback channels to get opinions on the efficacy of the ISMS from employees, students, and other stakeholders. Make improvements
based on the input provided.

Sigma Health Group needed to establish and maintain an Information Security Management System (ISMS) that adhered to the fundamental
principles of confidentiality, integrity, availability, risk management, compliance, continuous improvement, leadership commitment, and
employee awareness. This required a thorough and structured approach. The thorough study that follows is in line with the unique needs and
conditions of Sigma Health Group.

First Configuration and Scope


Specifying the Goals and Scope:

Scope: In addition to the three hospitals (SFC), the ISMS covered networked systems, data (patient, staff, and student), and IT infrastructure. It
also included the Sigma Institute of Health. This ensured that all of Sigma Health Group's vital components were covered.

The main objectives were to protect sensitive data (such as student information, staff payroll data, and patient medical records), guarantee data
availability, follow regulatory requirements, and enable safe remote learning and healthcare.

Engaging Stakeholders:

Engagement: Among the key players were students, administrative staff, medical professionals, senior management, the Chief Information Officer
(CIO), and IT personnel.

Roles and Responsibilities: It was crucial to make sure that all parties involved—from senior management to regular users—knew their roles and
responsibilities in maintaining security. It was simpler to coordinate efforts toward common security objectives when roles and responsibilities
were clearly understood.

Allocation of Resources:

Budgeting: The LKR15.3 million budget for Sigma Institute of Health and the LKR116.4 million budget of Sigma Health Group were used to allocate
resources. This guaranteed that there would be enough money to put the required security measures in place.

Employees and Equipment: Sufficient personnel and funding for essential security equipment and educational initiatives were guaranteed. This
involved bringing on board qualified staff and purchasing instruments for threat detection, data security, and monitoring.

Identifying Assets and Risks through Risk Assessment and Management

Assets: The campus network, backup NAS drive, email exchange server, public access file server, HR servers, and the Student Information System
(SIS) were all cataloged as essential assets. This made it easier to understand what required safeguarding.

Risks: Ransomware, phishing scams, device malfunctions, and data breaches were among the possible dangers that were found. Understanding
the vulnerabilities and their possible effects on the organization required completing this phase.

Putting Risk Mitigation Strategies into Practice:

Prioritization: Risks with the greatest potential for damage, such as ransomware and illegal access to private information, were given top priority.
This made sure that the biggest risks were dealt with first.

Mitigation: The use of robust access restrictions, frequent software upgrades, endpoint security, and network segmentation were among the risk
mitigation techniques. By taking these steps, the exposure to known dangers was decreased.

Constant Observation and Evaluation:

Monitoring Tools: To keep an eye on network activity and spot irregularities, SIEM and intrusion detection/prevention (IDS/IPS) systems were
employed. Real-time insights into possible security incidents were made possible by these techniques.

Frequent Reviews: To keep up with emerging risks and organizational changes, regular security audits and risk assessments were planned. This
guaranteed the long-term efficacy of the ISMS.

Formulating Guidelines and Protocols

Creating Security Guidelines:

Policies: Comprehensive security policies covering data protection, compliance, access control, and incident response were developed. These
policies were compliant with the ISO/IEC 27001 requirements.

Documentation: All policies were communicated to the relevant parties, maintained current, and easily available. This ensured that everyone was
aware of the security guidelines.

Interaction and Instruction:

Training Programs: Staff and students received regular training on security best practices, such as how to manage sensitive data and spot phishing
efforts. This promoted a culture of security awareness.

Policy Communication: To guarantee comprehension and adherence, policies and processes were made explicit to all users. Good communication
made sure that all parties complied with the security procedures.

Policies for Acceptable Use (AUP):

Staff and Student: Acceptable Use Policies (AUPs) that specify appropriate conduct and the utilization of IT resources were created and
implemented for both staff and students. This lessened the chance of IT resources being misused.

Guidelines: The handling of sensitive data, remote access, and the secure usage of IT resources were all covered. Enforcing these rules was crucial
to keeping the place safe.

Putting Technical Controls in Place

Mechanisms of Access Control:

Role-Based Access Control: RBAC was put in place to make sure that only individuals with the proper authorization could access sensitive
data. This aided in restricting access to important information.

MFA: To improve security, multi-factor authentication was utilized to gain access to vital systems. This strengthened the defenses against
unwanted access.

Data Security Protocols:

Encryption: Payroll information, student data, and medical records were among the sensitive data that was encrypted while it was in transit and
at rest. Data security was guaranteed by encryption, even in the event of interception.

Secure VPN: To safeguard remote access, a more robust, enterprise-grade VPN solution took the place of the freemium VPN. This guaranteed the
security of data transferred across the VPN.

Security of Systems and Networks:

System Upgrades: In order to remove vulnerabilities, Windows 7 systems were upgraded to supported versions. To make sure the systems have
the most recent security features, this was required.

Network Security: To safeguard the network, IDS/IPS, advanced firewalls, and routine patch management were implemented. These precautions
assisted in averting attacks and unwanted access.

Solutions for Backup and Recovery:

Robust Backup: Cloud or off-site encrypted storage was used as part of robust backup solutions. Regular backups were performed and their
integrity was checked. This made sure that in the event of loss, data could be restored.

Disaster Recovery strategy: A thorough strategy for disaster recovery was created and kept up to date, with frequent drills and revisions
depending on emerging risks and lessons discovered. This strategy made certain that the company could bounce back from security breaches fast.

Response and Management of Incidents

Formulating a Response Strategy for Incidents:

Comprehensive Plan: A thorough incident response plan was created that included guidelines for recovery, eradication, detection, containment,
and post-event evaluation. This plan offered a precise road map for dealing with security-related situations.

Tasks and Duties: Incident response teams were assigned specific tasks and duties. In the event of an incident, this guaranteed that everyone knew
their roles.

Frequent drills and testing:

Simulations: To make sure everyone was ready and to pinpoint areas that needed work, regular incident response drills and simulations were
carried out. These drills aided in evaluating the incident response plan's efficacy.

Post-Incident Analysis: To identify the underlying causes of an incident and modify security protocols appropriately, post-incident analysis
was carried out. This contributed to averting further incidents.

Post-Event Examination:

Review and Improve: To determine what went wrong and how to stop it from happening again, security incidents were examined. The results
informed the updating of policies and controls. This feedback loop guaranteed ongoing improvement.

Observance and Ongoing Development

Management of Compliance:

Frequent Audits: To guarantee compliance with applicable legislation, such as data protection requirements, and ISO/IEC 27001 standards, regular
compliance audits were carried out. This guaranteed that the ISMS complied with all applicable laws and regulations.

External Auditors: In order to provide an objective evaluation, external auditors were called upon as needed. This offered an impartial
confirmation of the efficacy of the ISMS.

Constant Enhancement:

Feedback Loop: Based on input from audits, frequent reviews, and security incidents, a procedure for ongoing improvement was developed. As a
result, the ISMS was able to adapt to new difficulties.

Keeping Up to Date: The company included the most recent security best practices and trends into the ISMS by keeping up with them. This made
it easier to keep up a cutting-edge security posture.

Governance and Leadership:

Senior Management Support: The availability of essential resources and regular evaluations were part of the ongoing commitment from senior
management. The security agenda was mostly driven by leadership.

Security Governance Framework: Senior leadership and important stakeholders were included in the establishment of a security governance
framework that involved decision-making procedures. This made sure that organizational culture and decision-making took security into account.

Important Obstacles and Things to Take Into Account

Balancing Security and Usability:

User-Friendly Solutions: Security protocols were put in place without making it more difficult for staff, students, or healthcare practitioners to use
the systems. Sufficient training was given to reduce disturbances. Finding this balance between security and efficiency was essential.

Management of Change:

Easy Transitions: The ISMS was implemented with ease thanks to the application of effective change management techniques. All stakeholders
were made fully aware of the advantages of the ISMS in order to win their support. Adoption of new security measures was ensured and
resistance was minimized through effective change management.

Financial Restraints:

Prioritize Investments: To optimize the use of the resources at hand, security investments were ranked in order of risk. Budgets allotted for
security enhancements were used strategically. This made sure that, in spite of financial limitations, critical areas got the funding they
required.

Organizational and Cultural Factors:

Security Awareness: The organization as a whole promoted a culture of security responsibility and awareness. To continuously enhance security
procedures, reporting of near-misses and security events was encouraged without fear of retaliation. Creating a culture that is security-aware
aided in the early detection and handling of threats.

Sigma Health Group was able to effectively build and maintain an effective Information Security Management System (ISMS) that adhered to the
fundamental concepts of confidentiality, integrity, availability, risk management, compliance, continuous improvement, leadership commitment,
and employee knowledge by addressing these areas in their entirety. This improved their entire security posture, guaranteed adherence to
pertinent regulations, and safeguarded their important data assets.

Motivations for Sigma Institute of Health to Adopt an ISMS

Leadership and Commitment:

It was essential that Sigma's Chief Information Officer (CIO) and upper management took an active role. Their direction made sure the ISMS had
the tools and assistance it required. This choice was justified since it established a culture of security and accountability throughout the entire
company.

Information Security Policy: It was essential to draft a concise information security policy. This policy ensured uniformity in the management of
security and provided a framework for all security operations. It was justified since it made sure that everyone knew their roles and duties and
linked company objectives with security precautions.

The ISMS's objectives and scope

Establishing the Purpose: The Student Information System (SIS), email servers, backup NAS drives, public access file servers, network
infrastructure, and HR servers were all included in the scope of the ISMS. It also included all physical spaces, including IT labs and server rooms.
This action ensured that no important assets were missed and gave clarity and concentration, thus it was justifiable.

Evaluation and Management of Risks

Risk Identification and Analysis: By carrying out a comprehensive risk assessment, possible dangers like ransomware, cyberattacks, data breaches,
and physical security threats were found. It was justifiable to use risk matrices to assess each danger's potential and impact since they provide a
foundation for deliberating on security priorities and investments.

Risk Treatment Plan: Creating and putting into practice a risk treatment plan guaranteed that hazards were effectively addressed. This measure
was warranted since it assisted in ranking the necessary activities according to the level of risk, guaranteeing that resources were allocated
efficiently to the most pressing problems and that the most important risks were adequately mitigated with the resources available.

Documentation and the ISMS Framework

ISMS Framework: An all-encompassing method for managing information security was made possible by establishing a structured ISMS
framework based on ISO/IEC 27001 standards. This action was necessary to guarantee uniformity, thoroughness, and adherence to global norms.

Documentation: It was imperative to keep thorough records of all ISMS operations, including risk assessments, treatment plans, guidelines,
policies, and incident reports. This action was warranted since it supported the continuous management of the ISMS, made audits easier, and
produced proof of compliance.

Putting Controls in Place

Technical Controls: To defend against cyberattacks, all vital systems needed to have sophisticated technical controls installed, including firewalls,
IDS/IPS, encryption, and safe configurations. Because it directly addressed technical vulnerabilities and decreased the likelihood of data breaches,
this action was justifiable.

Physical Controls: To safeguard physical assets, it was essential to improve physical security measures such as installing surveillance cameras and
safeguarding server rooms with access control systems. Physical security breaches could result in major data losses and operational disruptions,
which is why this measure was necessary.

Administrative Controls: It was crucial to create and implement policies and procedures for incident response, user access control, safe data
handling, and data backup. This action was necessary since it guaranteed compliance with legal and regulatory standards and offered an
organized method of controlling security.

Knowledge and Instruction

Programs for Security Awareness: Regular security awareness training made sure all employees and students knew the value of information
security and their part in safeguarding information assets. This action was warranted since there was a substantial danger of human error and that
risk might be considerably decreased with awareness.

Specific Training: It was essential to give IT professionals and important personnel specific training on incident response, enhanced security
procedures, and the use of security tools and technology. This action was warranted since it improved the organization's capacity to safeguard its
resources and handle emergencies.

Observation and Evaluation

Continuous Monitoring: It was essential to put in place continuous monitoring of networks and systems in order to identify security incidents and
take immediate action. This action was warranted since it lessened the possible consequences of security breaches and enabled the proactive
control of risks.

Frequent Audits: In order to assess the success of the ISMS and guarantee adherence to ISO/IEC 27001 requirements, it was imperative to conduct
both internal and external audits on a regular basis. This action was warranted since it guaranteed continuous compliance and offered an
unbiased evaluation of the ISMS.

Response and Management of Incidents

Incident Response Plan: It was essential to create and keep up an incident response plan that specified what should be done in the case of a
security occurrence. This action was warranted since a well-thought-out response might greatly lessen the effects of an occurrence and speed up
recovery.

Post-Incident Analysis: It was crucial to conduct post-incident analysis in order to identify the underlying causes of occurrences and put corrective
measures in place. This action was warranted since it encouraged ongoing development and assisted in averting recurrence.

Constant Enhancement

PDCA Cycle (Plan-Do-Check-Act): By applying the PDCA cycle, the ISMS was guaranteed to continuously improve. This action was warranted since
it encouraged continuous security measure improvement based on user feedback and changing threats.

Feedback Mechanisms: It was crucial to set up feedback mechanisms in order to get opinions on the efficacy of the ISMS from employees,
students, and other stakeholders. This action was necessary to guarantee that the ISMS will continue to be applicable and efficient in meeting the
security requirements of the company.

At Sigma Institute of Health, putting these procedures into practice to create and maintain an ISMS was essential for safeguarding confidential
data, guaranteeing compliance, and reducing risks. Each action was supported by how it furthered an all-encompassing and successful
information security management strategy that was customized to the unique requirements and environment of Sigma Institute of Health while
also adhering to ISO/IEC 27001 standards.

Examining the Present Risk Assessment Process

To guarantee strong information security management, the Sigma Institute of Health's current risk assessment processes must be in line with
international standards like ISO/IEC 27001 and ISO/IEC 27005. In order to fulfill these criteria, this evaluation will critically evaluate the current
practices and suggest changes.

Important Components of the Present Risk Evaluation

Identified Assets:

- PCs for Computer Labs
- Employee Laptops
- File Manager
- Interaction

Threats Identified:

- Infection
- Erasure of Information
- Violation of Copyright
- Transfer of Unauthorized Content
- DDoS Assault

Prioritization and the Risk Matrix:

- Risk ratings and priorities are determined by assessing probability and impact.

Examination of Existing Practices


Asset Identification and Classification

Strengths:

A variety of essential resources are recognized, encompassing both network and hardware elements.

For every asset, there are certain threats.

Drawbacks:

Inadequate level of detail in the asset classification. Student and staff data servers, for instance, should be kept apart from common file
servers because of their sensitive nature.

Absence of a thorough asset inventory encompassing hardware, software, and data.

Suggestions:

Create a thorough inventory of all your assets, including data, hardware, software, and physical infrastructure.

Assign assets a class according to how important and sensitive they are to company operations.

Threat Identification and Analysis

Strengths:

For every asset, pertinent dangers are found.

Drawbacks:

There is insufficient coverage of threats. Internal dangers, such as staff members' unintentional data breaches or insider threats, are not taken into
account.

Advanced persistent threats (APTs) and supply chain attacks are examples of emerging risks that are absent.

Suggestions:

To find a larger variety of dangers, such as intentional, unintentional, external, and internal, use a threat modeling technique.

Update the threat landscape frequently to reflect fresh and developing dangers.

Risk Evaluation (Probability and Impact)

Strengths:

Both probability and impact are considered for each danger.

Drawbacks:

Because probability and impact assessments do not follow a consistent methodology, there may be discrepancies.

Not all aspects, including financial loss, legal ramifications, and reputational harm, are taken into account in the impact assessment.

Suggestions:

Use a standardized method, such as the scales in ISO/IEC 27005, to assess probability and impact.

Add financial, reputational, legal, operational, and strategic impacts to the list of criteria for impact assessments.

Prioritization and Risk Rating

Advantages:

Risks are divided into three categories: Low, Medium, and High using a risk matrix.

Drawbacks:

Variations in the order of importance of risks. High-impact risks, for example, are occasionally assigned a lesser priority.

Insufficient justification for decisions regarding prioritizing.

Suggestions:

Make sure risk ratings and prioritization are in direct proportion to each other: high-risk assessments must be matched with high-impact
initiatives.

Keep track of the justification for decisions on prioritizing to guarantee consistency and openness.
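A worked version of the risk matrix and the prioritization check recommended above, added here as an example rather than anything from the original assignment. It scores each asset/threat pair on five-point likelihood and impact scales (constructed, in the spirit of the ISO/IEC 27005 scales), takes the worst of several impact dimensions, bands the result as Low/Medium/High, ranks with a tie-break on impact, keeps the recorded justification, and flags any assigned priority that contradicts the rating. The scale values, band thresholds, asset names, threats, ratings and priorities are all constructed sample values, not figures from the Sigma Institute case study.

```python
"""Risk-matrix scoring and prioritization consistency check.

Added example, not part of the original assignment. Scales, bands, assets,
threats, ratings and priorities below are constructed for illustration.
"""
from dataclasses import dataclass

# Five-point ordinal scales (assumed; modelled on the style of ISO/IEC 27005).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Impact is assessed per dimension and the worst one counts, so legal or
# reputational harm is not masked by a small financial figure.
IMPACT_DIMENSIONS = ("financial", "reputational", "legal", "operational", "strategic")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impacts: dict         # dimension -> impact label, e.g. {"legal": "major"}
    justification: str    # recorded rationale for the rating, kept for audit

    def impact_score(self) -> int:
        unknown = set(self.impacts) - set(IMPACT_DIMENSIONS)
        if unknown:
            raise ValueError(f"unknown impact dimension(s): {sorted(unknown)}")
        return max(IMPACT[label] for label in self.impacts.values())

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * self.impact_score()


def band(score: int) -> str:
    """Map a 1..25 product to the Low/Medium/High bands (thresholds assumed)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank(risks):
    """Return (risk, score, band) tuples, highest score first.

    Ties are broken on impact, so a high-impact risk is never listed below a
    lower-impact risk with the same score.
    """
    scored = [(r, r.score(), band(r.score())) for r in risks]
    return sorted(scored, key=lambda t: (t[1], t[0].impact_score()), reverse=True)


def inconsistencies(risks, assigned_priority):
    """Flag pairs where a lower-scored risk was given an earlier priority.

    assigned_priority maps (asset, threat) -> priority number (1 = handle first).
    Returns a list of (higher_scored_threat, lower_scored_threat) pairs.
    """
    ordered = rank(risks)
    problems = []
    for i, (hi, hi_score, _) in enumerate(ordered):
        for lo, lo_score, _ in ordered[i + 1:]:
            if hi_score > lo_score and (
                assigned_priority[(hi.asset, hi.threat)]
                > assigned_priority[(lo.asset, lo.threat)]
            ):
                problems.append((hi.threat, lo.threat))
    return problems


# Constructed sample register; the threats echo those listed in the review.
SAMPLE_REGISTER = [
    Risk("Campus network", "DDoS attack", "possible",
         {"operational": "severe", "financial": "moderate"},
         "Remote teaching and hospital systems depend on network availability"),
    Risk("Computer lab PCs", "Virus infection", "likely",
         {"operational": "minor"},
         "Shared machines; infections are frequent but contained by reimaging"),
    Risk("HR server", "Unauthorized data transfer", "unlikely",
         {"legal": "major", "reputational": "major"},
         "Payroll records are personal data; exposure triggers legal duties"),
    Risk("Public file server", "Copyright violation", "possible",
         {"legal": "moderate"},
         "Students upload material without review"),
]

# Constructed priorities in which the frequent-but-minor virus problem was
# ranked first, ahead of higher-scored risks (the inconsistency the review notes).
SAMPLE_PRIORITIES = {
    ("Computer lab PCs", "Virus infection"): 1,
    ("Campus network", "DDoS attack"): 2,
    ("Public file server", "Copyright violation"): 3,
    ("HR server", "Unauthorized data transfer"): 4,
}

if __name__ == "__main__":
    for risk, score, level in rank(SAMPLE_REGISTER):
        print(f"{level:<6} {score:>2}  {risk.asset}: {risk.threat} -- {risk.justification}")
    for hi, lo in inconsistencies(SAMPLE_REGISTER, SAMPLE_PRIORITIES):
        print(f"Inconsistent: '{lo}' was prioritized ahead of higher-rated '{hi}'")
```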

Risk Treatment and Mitigation

Strengths:

There are some details in the mitigation of the hazards that have been identified.

Drawbacks:

There is a lack of clarity and comprehensiveness in mitigation efforts.

Absence of precise controls correlated with recognized hazards.

Suggestions:

Create thorough risk treatment plans that include particular controls for every risk that has been identified, using ISO/IEC 27002 as a guide for
control selection.

Use a combination of corrective, investigative, and preventive controls.

Observation and Evaluation

Advantages:

Periodic review of some kind is implied.

Drawbacks:

Absence of a set procedure for monitoring and reviewing.

There are no precise measurements or key performance indicators (KPIs) to gauge the ISMS's efficacy.

Suggestions:

As required by ISO/IEC 27001, establish a structured monitoring and review procedure that includes routine internal audits and management
reviews.

Create KPIs to gauge the ISMS's performance and guide ongoing efforts at improvement.

Records and Adherence to Regulations

Advantages:

There is some basic documentation of the processes used in risk assessment.

Drawbacks:

The documentation is neither thorough nor compliant with ISO/IEC 27001 standards.

Insufficient proof of adherence to pertinent laws and guidelines.

Suggestions:

Keep thorough records of all ISMS operations, including incident reports, treatment plans, policies, procedures, and risk assessments.

By doing routine compliance audits and updating documentation as necessary, you can make sure that ISO/IEC 27001 and other pertinent
regulations are being followed.

Sigma Institute of Health's information security management skills will be greatly improved by harmonizing its risk assessment processes with
international standards like ISO/IEC 27001 and ISO/IEC 27005. Sigma may establish a more resilient Information Security Management System
(ISMS) that efficiently safeguards confidential information, guarantees adherence to regulations, and thoroughly reduces risks by tackling the
detected vulnerabilities and executing the suggested enhancements. In addition to safeguarding the company, this alignment will increase
stakeholder trust and reputation.

An explanation of Sigma Institute's data protection policies and procedures

The Sigma Institute of Health is highly dependent on data protection to secure confidential information, fulfill regulatory requirements, and
uphold the trust of stakeholders such as staff, students, and others. The relevant data protection policies and procedures that Sigma Institute
must abide by are covered in this section.

Important Procedures for Data Protection

Data Categorization and Inventory

Procedure: List all the data kinds that the institute handles and categorize them according to their level of sensitivity (e.g., personal data, financial
data, health information).

Application: A thorough data inventory must be made by Sigma Institute, and information must be divided into three categories: very sensitive
(like health records), sensitive (like contact information), and non-sensitive (like general announcements).

Gathering and Reducing Data

Procedure: Reduce the quantity of data gathered and only get the information required for particular goals.

Application: Sigma needs to examine all procedures for gathering data and make sure that only pertinent data is obtained from patients,
employees, and students.

Access Control and Data Usage

Procedure: Strictly limit access to sensitive data so that only individuals with permission can access it.

Application: Use role-based access control (RBAC) to limit access to the HR servers, SIS, and other vital systems by assigning access privileges
based on roles and responsibilities.

Encryption of Data

Procedure: To avoid unwanted access during storage and transmission, encrypt sensitive data both in transit and at rest.

Application: Sigma should use robust encryption mechanisms for data transfers, emails, and databases holding student and staff information.

Data Erasure and Retention

Procedure: Establish timeframes for data retention and safely remove data that is no longer required.

Application: Create data retention guidelines that adhere to legal specifications, guaranteeing that personal information is only kept for as long
as is required and that it is then safely deleted.

Reaction to Data Breach

Procedure: To promptly handle any data breaches, create and implement a data breach response strategy.

Application: Sigma has to develop a thorough incident response strategy that outlines the procedures for investigating, notifying, containing, and
fixing data breaches.

Relevant Regulations Regarding Data Protection


The Personal Data Protection Act of Sri Lanka

Overview: With an emphasis on the rights of data subjects and the duties of data processors, this act establishes the guidelines for protecting
personal information in Sri Lanka.

Crucial phrases:

Consent: The data subject must provide their explicit consent in order for personal data to be processed legally.

Restrictions on Use: Data may only be acquired for clear, reasonable, and legitimate purposes.

Data Security: Implement the required organizational and technical protections in order to ensure data security.

The capacity to access, amend, remove, and object to data processing is one of the rights of data subjects.

Application to Sigma: The Sigma Institute must ensure that personal data is used only for intended purposes, obtain express consent before
processing it, and implement robust security measures. The institute must also uphold the rights of data subjects to data correction and access.

Sri Lankan Computer Crimes Act

Overview: This law covers charges pertaining to illegal access, data manipulation, and system interference.

Key Provisions:

- Illegal Access: Criminalizes unauthorized access to computer systems.
- Data Alteration: Criminalizes unauthorized deletion or modification of data.
- System Interference: Criminalizes interference with the operation of computer systems.

Application to Sigma: Sigma Institute must ensure compliance with the act by securing its IT systems against illegal access and data manipulation. This
covers using robust authentication methods and monitoring systems for illegal activity.

Data Security Protocols for Sigma Institute

Officer for Data Protection (DPO)

Procedure: Appoint a person to serve as DPO, responsible for overseeing data protection measures and making sure that legal requirements are
followed.

Application: The DPO will oversee the development of data protection policies, provide training, and handle requests from data subjects.

Employee Education and Awareness

Procedure: Staff members receive regular training on corporate policies, legal requirements, and data protection principles.

Application: Ensure that all employees receive the needed training so they are aware of their responsibilities for safeguarding personal
information and abiding by the law.

Impact Assessments on Data Protection (DPIAs)

Procedure: To identify and reduce privacy risks, perform DPIAs for any new procedures or initiatives that use personal data.

Utilizing robust data protection methods and adhering to applicable regulations are essential for Sigma Institute of Health. Building
comprehensive data management rules, ensuring compliance with the Computer Crimes Act and Sri Lankan Personal Data Protection Act, and
securely safeguarding data are all important steps Sigma may take to protect its sensitive information, maintain compliance, and inspire trust in its
partners. By taking these actions, the institute will be able to lower the risks associated with data leaks while also ensuring the privacy and
security of personal data.

A Suitable Risk-Management Plan and Implemented ISO Standard for Information Technology Security at Sigma Institute

An internationally recognized framework for creating, putting into practice, maintaining, and continuously improving an information security
management system (ISMS) is provided by the ISO/IEC 27001 standard, which was published by the International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC) (ISO, 2013). Information security risks can be methodically managed by businesses
with the aid of an ISMS, protecting the privacy, availability, and integrity of their information assets.

Important Aspects of ISO/IEC 27001

- Context of the Organization
- Leadership
- Planning
- Support
- Operation
- Performance Evaluation
- Improvement

Relevance to Sigma Institute

The Organization's Context

Application: Sigma Institute needs to be conscious of issues affecting its information security management system (ISMS) from the inside as well
as the outside. This includes being aware of the expectations and needs regarding data security and IT protection held by staff, students, and
other interested parties.

Leadership

Use:

Top Management Commitment: To demonstrate their commitment to information security, Sigma's senior leadership should establish and
support the ISMS.

Information Security Policy: Draft and implement an information security policy that reflects the institution's objectives and legal requirements.

Planning

Use:

Risk Assessment: To help mitigate the identified threats, develop a risk treatment plan using the appropriate ISO/IEC 27002 controls. To do this, a
risk matrix must be constructed in order to rank risks based on likelihood and impact.

Operation

Use:

Operational Controls: These controls aid in reducing the risks to information security. This includes encryption, safe data storage, regulations for
access control, and regular updates for both the operating system and software.

Establish a system for incident management to locate, record, and respond to security occurrences in a timely manner.


Assessment of Performance

Use:

Monitoring and Measuring: Regular monitoring and assessment of the ISMS contributes to ensuring its effectiveness. This includes internal audits
and management reviews that confirm ISO/IEC 27001 compliance.

Continuous Improvement: Identify problem areas and make the necessary corrections to strengthen the ISMS.

Improvement

Use:

Establish protocols to manage nonconforming behavior and put corrective measures in place to prevent recurrence.

Continuous Improvement: The ISMS can be made better all the time by incorporating new technologies, methods, audit and review feedback.

Sigma Institute's Risk Management Plan


Identification of Risks

Application: List all possible risks to Sigma's information security, including those pertaining to employee and student data, IT infrastructure,
and outside threats.

Evaluation of Risk

Use:

Create a risk matrix to classify risks according to their likelihood and impact. For example:

High Likelihood, High Impact: Give these risks (such as ransomware and DDoS attacks) top priority and take prompt action.

High Likelihood, Low Impact: Take steps to reduce the likelihood (e.g., student PCs infected with viruses).

Risk Management

Use:

Implement controls to reduce the identified risks. For example:

DDoS prevention: Set up tools for network monitoring and DDoS prevention.

Prevent ransomware by using anti-malware software, making frequent backups, and informing employees about the dangers of phishing emails.

Residual Risk Management: Transfer residual risks via insurance or accept them if they are within reasonable bounds.

Risk Assessment and Monitoring

Application: Keep an eye out for potential threats and evaluate how well the measures you've put in place are working. As the danger landscape
or operational environment changes, make the required adjustments to the risk management plan.

Sigma Institute of Health can significantly enhance its IT security condition by implementing ISO/IEC 27001 and creating a comprehensive risk
management plan. This approach ensures that all potential dangers are identified, assessed, and minimized while continuously improving the
ISMS to address new issues. In addition to maintaining legal compliance and fostering confidence among interested parties, this will protect
private data.

Assessment of Sigma Institute of Health's Potential Security Impact Following an IT Security Audit
To find vulnerabilities and improve the overall security posture at Sigma Institute of Health, an IT security audit is essential. The audit's objectives
are to evaluate the security mechanisms in place, spot any holes, and suggest enhancements. The possible effects of the audit's findings on Sigma
Institute's security will be examined in this analysis.

Principal Results of the IT Security Audit

Weak Access Controls

Findings: Inadequate role-based access control, a lack of multi-factor authentication (MFA), and weak passwords all contributed to inadequate
access restrictions that allowed for possible unauthorized access.

Impact: Unauthorized access to student and staff private data may result in data breaches, loss of personal information, and possible legal
repercussions.

Unsecured Network Architecture

Findings: There were inadequate firewall configurations and no intrusion detection/prevention systems (IDS/IPS) due to the outdated network
design.

A higher susceptibility to ransomware, malware infestations, and distributed denial of service (DDoS) assaults might potentially undermine data
integrity and disrupt operations.

Poor Data Encryption Techniques

Findings: Inadequate encryption of data in transit and at rest made it easier for an attacker to intercept and read private data.

Impact: Unauthorized access to protected information on storage or communication devices results in data breaches and confidentiality
violations.

Infrequent Updates and Security Assessments

Results: System and software updates and patches were not applied on a regular basis, nor were regular security assessments performed.

Impact: Increased vulnerability to exploitation due to vulnerabilities that are already known can lead to system intrusions and security lapses.

Inadequate Incident Response Plan

Findings: The incident response plan was outdated and lacked sufficient detail, making it difficult to handle potential security incidents.

Impact: Insufficient or delayed reactions to security events will exacerbate the consequences of breaches and increase recovery costs and
times.

Inadequate Backup and Recovery Systems

Findings: Backup systems were weak, and recovery procedures were neither well defined nor regularly validated.

Impact: A higher chance of data loss and longer downtime after a cyberattack or system failure will disrupt administrative and instructional
activities.

Possible Effects on Security


Enhanced Security Posture

Addressing the audit findings by enhancing the network architecture, implementing robust encryption, and tightening access controls will
fortify the security posture.

Tighter security controls will reduce vulnerabilities, making it harder for attackers to access systems and data.

Improved Compliance

Aligning security guidelines with relevant legislation, such as the Sri Lankan Personal Data Protection Act and the Computer Crimes Act, keeps
the institute legally compliant. Maintaining legal compliance will reduce the likelihood of fines and boost stakeholder trust in the institute's
commitment to data protection.

Enhanced Knowledge and Instruction

Frequent security awareness training ensures that employees and students understand their role in maintaining security. Improved awareness will
help to minimize the probability of human error, such as unintended data releases or falling for phishing campaigns, triggering security incidents.

Improved Incident Response and Recovery

Enhancing incident response and recovery requires developing a comprehensive incident response plan and regularly testing backup and
recovery systems. A fast and efficient reaction to security incidents will help to limit the impact of breaches, lower downtime, and assure
continuity of operations.

Cost Consequences

Achieving this requires investing in contemporary security technologies, frequent audits, and continuous monitoring systems. The long-term
benefits of averting data breaches, legal fines, and reputational harm will outweigh the initial and ongoing expenditure associated with these
updates.

Confidence of Stakeholders

The institute can demonstrate its commitment to high security standards by keeping lines of communication open and providing regular updates
on security improvements.

Impact: Staff, parents, students, and law enforcement agencies will all be more confident in the institute's ability to protect personal data, which
will contribute to the development of a secure and reliable environment.

The Sigma Institute of Health's IT security audit reveals significant flaws that, if addressed, would significantly strengthen the organization's
security posture. By implementing the suggested improvements, Sigma may reduce the risk of cyberattacks, ensure compliance with data
protection regulations, and create a culture of security awareness. The benefits of increased security, decreased chance of data leaks, and
increased stakeholder confidence outweigh the associated costs and make these investments worthwhile.

Design of an ISMS Plan

Evaluation of the Existing ISMS:

Significant flaws in Sigma Institute's pre-existing ISMS were revealed, which aided in the catastrophic ransomware assault. A summary of
the vulnerabilities is provided below:

 Limited Access Control: A simple firewall and reliance on single-factor authentication provided very little defense against unwanted access.
Through firewall flaws or credentials that were stolen, malicious actors may have easily gained access to the network.

 Insufficient Data Classification: A "one-size-fits-all" approach to security was adopted as a result of the absence of a data sensitivity
evaluation. Financial and medical details of students, among other sensitive data, were left unencrypted, making them easy targets for
hackers.

 Weak Incident Response: The lack of a clear procedure for recognizing and handling security events caused a delay in action and increased
the severity of the attack. The institute did not have protocols in place to isolate compromised systems, stop the ransomware from
spreading, and start the recovery process.


 Limited Security Awareness Training: Employees were exposed to phishing attacks because phishing was not recognized as a security threat.
Without the necessary training, staff members might have unwittingly introduced malware into the network by clicking on harmful links or
attachments.

 Inadequate Backups: The institute made a disastrous mistake by storing all of its data on a single local backup device. The primary data and
the local backup were both encrypted during the ransomware assault, making recovery impossible.

Step 1 of the initial risk assessment: Scope

Assets include the campus PCs, backup NAS drive, Network Domain Server, email exchange server, HR servers, and public access file server.

Information includes staff and student personal information, academic records, medical histories, attendance records, financial information, and
email correspondence.

Step 2 of the initial risk assessment: Risk Identification

Possible Risks:

1. Sensitive information accessed without authorization

2. Data breach due to external cyberattacks

3. Ransomware attacks

4. Data loss as a result of insufficient backups

5. Data leakage through insecure remote access

6. Insider threats from students and staff

7. Physical security lapses

8. USB drives contaminated with malware

9. Outdated software leading to system problems

10. Data loss or corruption due to natural disasters

Step 3 of the initial risk assessment: Evaluation of Risks

Risk Matrix: A risk matrix illustrates the likelihood and severity of the identified risks. Each risk is graded on two factors: the likelihood of
occurrence (on a scale of 1 to 5) and the impact if the risk materializes (also on a scale of 1 to 5). The risk level is the product of the two.

Risk                                              Likelihood (L)   Impact (I)   Risk Level (L x I)
Unauthorized access to sensitive data             3                4            12
Data breach from external cyber-attacks           4                5            20
Ransomware attacks                                3                5            15
Loss of data due to inadequate backups            2                5            10
Data leakage via insecure remote access           3                4            12
Insider threats from staff and students           3                3            9
Physical security breaches                        2                4            8
USB drives contaminated with malware              4                3            12
Outdated software can lead to system problems     3                4            12
Outdated software can lead to system problems     1                5            5
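The following Python program is an added worked example, not part of this assessment or Sigma Institute's own tooling. It applies the risk matrix formula above (Risk Level = Likelihood x Impact, both on 1 to 5 scales) to the rows of the matrix, assigns each risk a treatment band, ranks the register so the highest-scoring risks are treated first, and counts how many risks fall in each cell of the 5 x 5 matrix. The band thresholds (15 and above High, 8 and above Medium, otherwise Low) are an assumption for illustration, since ISO/IEC 27001 leaves risk acceptance criteria to the organization; the last row of the matrix above is scored 1 x 5 but repeats the "outdated software" label, so it is named here after the tenth item of the risk identification list, which is also an assumption.

```python
"""Risk register scoring for the Sigma Institute risk assessment (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject scores outside the 1-5 scales so a typo cannot silently
        # push a risk into the wrong band.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be in 1..5, got {value}")

    @property
    def level(self) -> int:
        # The assessment's formula: Risk Level = L x I.
        return self.likelihood * self.impact


HIGH_THRESHOLD = 15    # assumed: treat immediately
MEDIUM_THRESHOLD = 8   # assumed: plan treatment; below this, accept and monitor


def band(level: int) -> str:
    if level >= HIGH_THRESHOLD:
        return "High"
    if level >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


# Rows of the assessment's risk matrix. The last row's label is an
# assumption (see the lead-in); its scores are the matrix's own.
REGISTER: List[Risk] = [
    Risk("Unauthorized access to sensitive data", 3, 4),
    Risk("Data breach from external cyber-attacks", 4, 5),
    Risk("Ransomware attacks", 3, 5),
    Risk("Loss of data due to inadequate backups", 2, 5),
    Risk("Data leakage via insecure remote access", 3, 4),
    Risk("Insider threats from staff and students", 3, 3),
    Risk("Physical security breaches", 2, 4),
    Risk("USB drives contaminated with malware", 4, 3),
    Risk("Outdated software can lead to system problems", 3, 4),
    Risk("Data loss or corruption due to natural disasters", 1, 5),
]


def ranked(register: List[Risk] = REGISTER) -> List[Risk]:
    """Highest risk level first; ties broken by impact (a severe but less
    likely event outranks a frequent minor one), then by name."""
    return sorted(register, key=lambda r: (-r.level, -r.impact, r.name))


def treatment_plan(register: List[Risk] = REGISTER) -> List[Tuple[str, int, str]]:
    """(name, level, band) for each risk, in treatment order."""
    return [(r.name, r.level, band(r.level)) for r in ranked(register)]


def heat_map(register: List[Risk] = REGISTER) -> Dict[Tuple[int, int], int]:
    """Number of risks in each (likelihood, impact) cell of the 5x5 matrix,
    which is what a drawn risk matrix visualises."""
    cells: Dict[Tuple[int, int], int] = {}
    for r in register:
        cells[(r.likelihood, r.impact)] = cells.get((r.likelihood, r.impact), 0) + 1
    return cells


if __name__ == "__main__":
    for name, level, b in treatment_plan():
        print(f"{b:6} {level:2}  {name}")
```

Run as a script, the program prints the register in treatment order, with the two High risks (external breach at 20, ransomware at 15) at the top; `heat_map()` shows that three of the ten risks share the (3, 4) cell, which is the kind of clustering the drawn matrix is meant to make visible.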

Development of Policy

Policy for Acceptable Use

IT resources are made available by the Sigma Institute of Health (SIH) to assist with the organization's administrative and instructional functions.
The purpose of this Acceptable Use Policy (AUP) is to provide guidelines and expectations for the responsible, ethical, and legal use of online
resources. This policy is applicable to all employees, contractors, and students.

Goals

 Ensure that IT resources are used for their intended purposes.

 Preserve the confidentiality, integrity, and availability of information.

 Observe all applicable laws and regulations.

 Encourage the prudent use of IT resources.

 Prevent the misuse of IT resources.

Scope

This policy is applicable to everyone who uses SIH IT resources, such as:

 Computer laboratories

 Network infrastructure

 Email correspondence

 Internet connectivity

 Personal devices connected to SIH networks

Appropriate Application

IT resources are made available for use in academic and administrative settings as well as for research and instruction. Personal use needs to be
kept to a minimum and must not interfere with work or study duties.

Network and Internet Usage: One must utilize the internet and the SIH network in a way that aligns with the organization's objectives and
guidelines.

Email Usage: Official correspondence should be the main purpose of SIH email accounts. Email usage for personal use shouldn't impede
institutional activities or contravene other SIH guidelines.

Unacceptable Use

The usage of SIH IT resources for the following purposes is deemed inappropriate:

Illegal Activity: Participating in actions that are prohibited by municipal, state, federal, or international laws. This covers, among other things,
hacking, piracy, unauthorized access, and cyberbullying.

Offensive Content: Producing, accessing, or disseminating content that is derogatory, pornographic, or obscene. This covers content that can be
seen as libelous, harassing, or discriminatory.

Copyright Infringement: Duplicating, distributing, or using software, audio, films, photographs, or other intellectual property without the required
permission.

Security Violations: Trying to bypass or breach security measures, installing malware, or gaining access to other people's accounts or data
without authorization.

Resource Misuse: Intentional activities such as excessive bandwidth use, unlawful streaming, gaming, or downloading large files that squander
work time or network resources.

Privacy Violations: Gaining unauthorized access to, using, or revealing another person's documents, information, or communications.


Disruption: Taking part in actions, such as denial-of-service assaults and network spamming, that interfere with other people's work or impair
system performance.

Unauthorized Equipment: Linking unapproved gadgets or add-ons to the SIH PCs or network without express IT Services permission.

Compliance

User Responsibilities: Users are expected to make every effort to ensure that this policy is followed. It is their duty to notify the IT Services team of
any known or suspected violations.

Enforcement and Monitoring: SIH retains the right to monitor and record network activity and user behavior, such as email and internet use, to
ensure adherence to this policy. Discipline up to and including the suspension or termination of access to IT resources may be applied for
violations.

Disciplinary Actions: Infractions of this policy may lead to warnings, the loss of access rights, and in extreme situations, legal action.

Procedures

User Contract

Before being permitted to utilize SIH IT resources, all users must sign an Acceptable Use Agreement.

Signing the agreement signifies that users have read, understood, and agreed to abide by the AUP.

Notifying Violations

Reporting Procedure: Users are required to notify the IT Services staff right away of any infractions or questionable activity.

Incident Response: In compliance with SIH disciplinary processes, IT Services will look into alleged violations and take appropriate action.

Review and Update

Policy Review: To make sure the AUP is still relevant and useful, it will be examined once a year.

Updates: All users will be informed of any changes to the policy, and they could be asked to confirm their comprehension and adherence once
again.


Policy for Remote Work

The Sigma Institute of Health (SIH) encourages remote work options in order to maintain business continuity and encourage flexibility and work-
life balance. To guarantee that remote work is done safely and efficiently, this policy describes the standards, requirements, and processes.

Goals

Provide staff with flexible work schedules.

Ensure that data remains secure and private when working remotely.

Continue to be accountable and productive.

Observe all applicable laws and regulations.

Scope

All SIH workers who are permitted to work remotely, whether frequently or infrequently, must abide by this guideline.

Qualifications

Criteria: In order to be qualified for remote work, employees must fulfill a number of requirements, such as having the right job function, having a
clean performance record, and having the resources they need.

Conditions of Remote Work

Hours of Work and Availability

Work Schedule: As decided upon with their supervisor, remote workers are expected to have a regular work schedule.

Availability: Workers must be accessible during regular business hours and participate in online meetings as needed.


Performance and Accountability

Performance metrics: Workers are required to fulfill deliverables and performance standards as specified by their managers.

Communication: To guarantee agreement on duties and objectives, supervisors must get updates and check-ins on a regular basis.

Tools and Materials

Equipment Provided: SIH will supply the required hardware, including software licenses, laptops, and VPN access.

Setup of a Home Office: Workers are in charge of creating a suitable workspace at home, which includes internet access and comfortable
furnishings.

Security

Data Security

Data Handling: Workers are required to treat all confidential data in accordance with applicable laws and SIH's data protection policies.

Data Storage: Instead of being kept on personal devices, all work-related data must be kept on platforms authorized by SIH.

Network Security

Use of VPN: In order for employees to safely access the institute's network, they must use SIH's VPN.

Wi-Fi Security: Workers are responsible for making sure their home network is encrypted and protected with strong passwords.

Security of Devices

Antivirus Software: The most recent version of antivirus software must be installed on all devices used for remote work.

Access Control: To prevent unwanted access, devices should be locked when not in use.


Procedures for Working Remotely

Making a Request for Remote Work

Application Process: Staff members need to send a request form for remote work to HR and their supervisor.

Approval Process: In accordance with departmental requirements and eligibility standards, requests will be examined and authorized.

Organizing Remote Work

First Setup: IT will help with the essential hardware and software setup.

Instruction: Workers will get instruction on security procedures and remote work equipment.

Monitoring and Evaluation

Performance Reviews: To make sure remote work is productive, supervisors will carry out regular performance reviews.

Policy Compliance: Adherence to this policy will be tracked, and any violations will be dealt with right away.

Safety and Health

Ergonomics: In order to prevent injuries, employees should make sure their home office is set up correctly.

Work-Life Balance: To preserve a healthy work-life balance, employees should schedule regular breaks and manage their workload.

Termination of Remote Work

Notice Period: The remote work agreement may be terminated with fair notice by either the employee or SIH.

Return of Equipment: Upon ending the remote work arrangement, employees are required to return any equipment given by SIH in good working
order.


Compliance and Disciplinary Measures

Policy Adherence: All relevant SIH policies as well as this one must be followed by employees.

Disciplinary Action: Failure to comply may result in disciplinary action, which may include dismissal from the company.

Policy for Data Protection


The confidentiality and accuracy of any personal information that the Sigma Institute of Health (SIH) handles are of utmost importance to it. The
principles, practices, and procedures that SIH adheres to in order to guarantee compliance with relevant data protection legislation, such as the
Sri Lankan Personal Data Protection Act and global best practices, are described in this data protection policy.

Goals

 Make sure that data protection rules and regulations are followed.

 Defend data subjects' rights.

 Preserve the privacy and security of personal information.

 Clearly define the rules for processing personal data.

 Encourage the company to have a data protection culture.


Scope

All employees, students, contractors, and outside service providers who handle personal data on SIH's behalf are covered by this policy. It includes
any type of personal data that SIH processes, irrespective of the format or media.

Principles of Data Protection


SIH is dedicated to upholding the following guidelines for data protection:

 Lawfulness, Fairness, and Transparency: With regard to the data subject, personal data processing must be done in a way that is lawful,
equitable, and transparent.

 Purpose Limitation: Personal information may only be gathered for clear, unambiguous, and permissible objectives. It may not be used for
purposes other than those for which it was originally intended.

 Minimization of Data: Personal information must be sufficient, pertinent, and kept to a minimum in respect to the purposes for which it is
processed.

 Accuracy: Personal information must be true and, when required, updated. All reasonable measures must be implemented to guarantee
that erroneous personal data is promptly removed or corrected.

 Storage Limitation: Personal information must be kept in a form that permits identification of data subjects for no longer than is necessary
for the purposes for which it is processed.

 Integrity and Confidentiality: Processing of personal data must provide suitable security, including defense against unauthorized or illegal
processing as well as against unintentional loss, destruction, or damage, by utilizing suitable organizational or technical safeguards.


Accountability

SIH is in charge of adhering to these standards and must be able to prove it.

Roles and Responsibilities

 Data Protection Officer (DPO): In charge of managing the strategy and execution of data protection to guarantee adherence to data
protection regulations. The primary point of contact for both regulatory agencies and data subjects is the DPO.

 The IT Services Team is responsible for monitoring IT infrastructure and systems for security, putting technical safeguards in place to
protect personal information, and handling data breaches.

 Department Heads: Ensure that their staff follow the rules and guidelines regarding data protection.

 Employees and Contractors: Responsible for following data protection guidelines and informing the DPO of any potential problems or
breaches.

Rights of Data Subjects

The following rights of data subjects are acknowledged by SIH:

 Right of Access: Individuals are entitled to see their personal data and learn about the manner in which it is being used.

 Right to Rectification: Data subjects are entitled to request that incorrect personal information be corrected.

 Right to Erasure: Subjects may, in certain circumstances, request that their personal data be erased.

 Right to Restriction of Processing: Under certain circumstances, data subjects are entitled to request that the processing of their personal
data be restricted.

 Right to Data Portability: Individuals have the right to transfer their personal information to another controller and to get it in a commonly
used, machine-readable, structured format.

 Right to Object: Under certain circumstances, data subjects are entitled to object to the processing of their personal data.

 Rights Regarding Automated Decision-Making: Data subjects have the right not to be subject to decisions based solely on automated
processing, including profiling, that have a substantial impact on them or legal ramifications.

Policies and Procedures for Data Protection


Gathering and Handling Data

 Data Inventory: Keep track of all the personal information that SIH processes, together with the reasons for processing and the duration of
data retention.

 Legal Basis: Verify that, in accordance with any applicable data protection regulations, every data processing activity has a legitimate basis.

 Consent: When necessary, get the data subjects' express consent and make sure they are aware of the uses to which their data will be put.
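The data inventory, legal basis and retention principle described above can be made operational rather than left on paper. The Python program below is an added example, not SIH's own procedure or code: it keeps one inventory entry per category of personal data (purpose, legal basis, retention period, sensitivity), computes each record's retention deadline, and produces an erasure report that separates records whose retention has expired, records whose subject has exercised the right to erasure, and records whose category is missing from the inventory (a documentation gap the DPO needs to close before any lawful basis can be shown). The categories, retention periods and sample records are constructed for illustration; real retention periods come from the legal and academic requirements that apply to the institute.

```python
"""Data inventory with retention enforcement and erasure handling (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DataCategory:
    purpose: str
    legal_basis: str
    retention_days: int   # how long the purpose requires the data to be kept
    sensitive: bool       # e.g. medical or financial data


# The inventory: one entry per category of personal data processed.
# All values are assumptions for illustration.
INVENTORY: Dict[str, DataCategory] = {
    "academic_record": DataCategory("award of qualifications", "contract", 365 * 10, False),
    "medical_history": DataCategory("student welfare", "consent", 365 * 3, True),
    "attendance": DataCategory("course administration", "contract", 365 * 2, False),
    "hr_file": DataCategory("employment administration", "legal obligation", 365 * 7, True),
    "email_correspondence": DataCategory("institutional communication",
                                         "legitimate interest", 365, False),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    subject_id: str
    collected_on: date
    erasure_requested: bool = False   # subject exercised the right to erasure


def retention_deadline(record: Record) -> date:
    """Date after which the record's purpose no longer justifies keeping it."""
    return record.collected_on + timedelta(days=INVENTORY[record.category].retention_days)


def erasure_report(records: List[Record], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Sort records into 'erase' (with the reason), 'retain', and 'unknown'
    (category missing from the inventory, so no lawful basis or retention
    period is documented for it)."""
    out: Dict[str, List[Tuple[str, str]]] = {"erase": [], "retain": [], "unknown": []}
    for r in records:
        if r.category not in INVENTORY:
            out["unknown"].append((r.record_id, f"category '{r.category}' not in inventory"))
        elif r.erasure_requested:
            out["erase"].append((r.record_id, "erasure requested by data subject"))
        elif today > retention_deadline(r):
            out["erase"].append((r.record_id, f"retention expired on {retention_deadline(r)}"))
        else:
            out["retain"].append((r.record_id, f"retain until {retention_deadline(r)}"))
    return out


# Constructed sample records (not real data).
SAMPLE_RECORDS: List[Record] = [
    Record("R1", "academic_record", "S100", date(2015, 9, 1)),
    Record("R2", "medical_history", "S100", date(2019, 1, 15)),
    Record("R3", "attendance", "S101", date(2023, 2, 1)),
    Record("R4", "email_correspondence", "S102", date(2023, 2, 1), erasure_requested=True),
    Record("R5", "marketing_list", "S103", date(2024, 1, 1)),
]


if __name__ == "__main__":
    for bucket, items in erasure_report(SAMPLE_RECORDS, date(2024, 6, 1)).items():
        for record_id, why in items:
            print(f"{bucket:8} {record_id}: {why}")
```

Run against the sample records on 1 June 2024, the report marks the medical history R2 for erasure (its three-year retention ran out in January 2022), marks R4 for erasure on the subject's request, keeps R1 and R3, and flags R5 because "marketing_list" has no inventory entry. A periodic run of such a report is the evidence an audit would ask for under the storage limitation principle.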

Information Security

 Strict access controls should be implemented to guarantee that only individuals with permission can access personal information.

 To safeguard private information both in transit and at rest, use encryption.



 Data Breach Response: Create a plan that outlines the steps to take in order to report, look into, and mitigate data breaches.

Data Sharing and Transfers

 Third-Party Agreements: Make sure that any agreements you have with third parties for data sharing have data protection provisions.

 International Transfers: Make sure sufficient security measures are in place and adhere to the regulatory requirements for the
transmission of personal data outside of Sri Lanka.

Training and Awareness

 Training Programs: Ensure that all employees and contractors receive regular training on data protection.

 Awareness programs: Run awareness programs inside the company to encourage a data protection culture.

Monitoring and Review

 Audits: Conduct frequent data protection audits to confirm compliance with this policy and identify areas for improvement.

 Policy Review: Every year or as needed, review and amend this policy to take into account modifications to organizational procedures or
legal requirements.

Policy for Access Control

The purpose of the Sigma Institute of Health (SIH) Access Control Policy is to safeguard information assets by making sure that only authorized
users have access to systems and data. This policy lays out the guidelines, practices, and protocols for controlling access control inside the
company in order to protect the privacy, availability, and integrity of data.

Goals

 Make sure that only authorized users are able to access information and information systems.


 Prevent unauthorized access, alteration, or destruction of sensitive information.

 Respect all applicable legal and regulatory obligations.

 Encourage compliance with SIH's operational and security requirements.

Scope

All SIH workers, contractors, students, and other parties with access to SIH data and information systems are covered by this policy. It includes all
information systems and data, including but not limited to computer systems, networks, applications, and databases, that are owned or
controlled by SIH.

Principles of Access Control

 Need to Know: Access to information is granted on the basis of least privilege and the need to know in order to carry out job duties.

 Role-Based Access Control (RBAC): Permissions to access resources are granted according to each user's role inside the company.

 Authentication and Authorization: To confirm user identities, strong authentication procedures are needed. Authorization procedures
make sure users have the proper access permissions.

 Accountability: To guarantee accountability, all access to data and information systems must be linked to a specific user.

Roles and Responsibilities

 The Chief Information Officer (CIO) is responsible for supervising the administration and execution of access control rules.

 IT Security Manager: Oversees and keeps an eye on access control systems, performs routine audits, and makes sure that this policy is
followed.

 Department heads should make sure that, in accordance with their roles and duties, their team members have the proper access rights.


 Employees, Contractors, and Students: Adhere to the policies and procedures governing access control, and report any security incidents
or breaches.

Processes and Procedures for Access Control


Management of User Access

 User Registration: Before being able to use SIH information systems, new users must finish the user registration process. Identity
verification and department head permission are part of this process.

 Access Assignment: A user's role and duties inside the organization are taken into consideration when assigning access rights.

 Access Review: To make sure that access is still suitable given current job functions, user access rights are regularly reviewed.

Authentication

 Each user is required to have their own unique user ID and password. Passwords must be changed regularly and meet defined complexity
requirements.

 Multi-Factor Authentication (MFA): To improve security, MFA is necessary to access sensitive data and important systems.

Authorization

 The system of Role-Based Access Control (RBAC) assigns access rights according to pre-established roles. The degree of access to data and
systems that each role is allowed to have is determined by its permissions.

 Access Requests: The department head and IT Security Manager must authorize requests for additional access, which must be made
through a proper process.


Monitoring and Logging

 Activity Logging: Every access to data and information systems has to be recorded. Logs must include the user ID, the date and time of
access, and the resources accessed.

 Frequent Audits: To detect and address unauthorized access attempts and other security events, access logs are regularly audited.
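The authorization, MFA, logging and audit requirements set out in this policy can be demonstrated together in one small access-control component. The Python program below is an added example, not SIH's own system or code: roles list only the resource actions a job needs (least privilege, with anything unlisted denied), resources classified as sensitive refuse access without a verified MFA factor whatever the role, deactivated accounts are refused before any role is consulted, every decision is written to a log with user ID, timestamp, resource and action, and a periodic audit lists users whose denied attempts exceed a threshold for follow-up. The roles, permission sets, sensitive-resource classification, users and access attempts are constructed for illustration; the resource names only echo the assets listed earlier in the assessment.

```python
"""Role-based access control with MFA gating and an auditable access log (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# Least privilege: each role lists only the (resource -> actions) its job
# needs; anything not listed is denied. Assumed role definitions.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "student": {"lms": {"read"}, "public_files": {"read"}},
    "lecturer": {"lms": {"read", "write"}, "academic_records": {"read"},
                 "public_files": {"read", "write"}},
    "hr_officer": {"hr_records": {"read", "write"}},
    "it_admin": {"domain_server": {"read", "write", "admin"},
                 "backup_nas": {"read", "write", "admin"}},
}

# Resources holding sensitive data: MFA is required regardless of role (assumed classification).
SENSITIVE_RESOURCES: Set[str] = {"hr_records", "academic_records", "domain_server", "backup_nas"}


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]
    active: bool = True   # False once the account is deactivated on termination


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str   # ISO 8601, UTC
    user_id: str
    resource: str
    action: str
    decision: str    # "ALLOW" or "DENY"
    reason: str


class AccessControl:
    def __init__(self) -> None:
        self.log: List[AccessEvent] = []

    def _granting_role(self, user: User, resource: str, action: str) -> Optional[str]:
        for role in sorted(user.roles):
            if action in ROLE_PERMISSIONS.get(role, {}).get(resource, set()):
                return role
        return None

    def authorize(self, user: User, resource: str, action: str,
                  mfa_verified: bool = False) -> bool:
        """Decide, record and return whether the access is permitted.
        Every decision, allowed or denied, is logged."""
        if not user.active:
            decision, reason = "DENY", "account deactivated"
        elif resource in SENSITIVE_RESOURCES and not mfa_verified:
            decision, reason = "DENY", "MFA required for sensitive resource"
        else:
            role = self._granting_role(user, resource, action)
            if role is None:
                decision, reason = "DENY", "no role grants this action"
            else:
                decision, reason = "ALLOW", f"granted by role '{role}'"
        self.log.append(AccessEvent(datetime.now(timezone.utc).isoformat(),
                                    user.user_id, resource, action, decision, reason))
        return decision == "ALLOW"

    def audit(self, deny_threshold: int = 3) -> Dict[str, int]:
        """Users with at least `deny_threshold` denied attempts: the periodic
        audit's candidates for follow-up (probing, or roles assigned wrongly)."""
        denials = Counter(e.user_id for e in self.log if e.decision == "DENY")
        return {uid: n for uid, n in denials.items() if n >= deny_threshold}


def run_demo() -> AccessControl:
    """Constructed sequence of access attempts; returns the populated log."""
    ac = AccessControl()
    student = User("s1001", frozenset({"student"}))
    hr = User("h2001", frozenset({"hr_officer"}))
    leaver = User("x3001", frozenset({"lecturer"}), active=False)

    ac.authorize(student, "lms", "read")                        # allowed by role
    ac.authorize(hr, "hr_records", "read")                      # denied: no MFA
    ac.authorize(hr, "hr_records", "read", mfa_verified=True)   # allowed
    ac.authorize(leaver, "lms", "read")                         # denied: deactivated
    for _ in range(3):                                          # repeated out-of-role attempts
        ac.authorize(student, "hr_records", "read", mfa_verified=True)
    return ac


if __name__ == "__main__":
    demo = run_demo()
    for e in demo.log:
        print(f"{e.timestamp} {e.user_id} {e.action}:{e.resource} {e.decision} ({e.reason})")
    print("flagged for review:", demo.audit())
```

Two design points matter for the policy. The deactivation check comes first, so a terminated user is refused even if their role assignments were never cleaned up, which is exactly the failure the Termination of Access section guards against. And denials are logged with the same detail as successes, because the audit in `audit()` works only on the denied events; an access log that records only what was allowed cannot show probing.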

Termination of Access

 Deactivation of Accounts: Upon contract or employment termination, or when access is no longer needed, user accounts must be removed
right away.

 Periodic Review: To find and deactivate accounts that are superfluous or inactive, regular reviews are carried out.

Security Measures

 Network Security: Network access restrictions, including firewalls and intrusion detection/prevention systems, are installed to secure SIH
information systems.

 Physical Security: Only authorized personnel are allowed physical access to areas that hold sensitive data and critical systems.

 Data Encryption: Sensitive data must be encrypted both in transit and at rest to prevent unauthorized access.

Training and Awareness

 Security Training: All users must complete security training that covers access control best practices and the importance of safeguarding
sensitive data.

 Awareness Campaigns: Regular awareness campaigns are held to reinforce the importance of access control and the obligations of users.


Compliance and Enforcement

 Compliance Monitoring: Compliance with this policy is monitored through regular audits and reviews.

 Non-Compliance: Failure to comply with this policy may lead to disciplinary action, up to and including termination of employment or contract.

Policy Review

This policy is reviewed annually, or as needed, to ensure that it remains effective and continues to meet all legal and regulatory requirements.
All relevant parties are informed of updates to the policy.

Information Security Policy


Information security is crucial to the Sigma Institute of Health (SIH) because it protects the institute's assets and the privacy of its stakeholders
and keeps its operations running smoothly. This policy sets out the guidelines, procedures, and practices for managing information security at
SIH.

Goals

 Protect SIH's information assets against unauthorized access, disclosure, alteration, and destruction.

 Ensure the confidentiality, integrity, and availability of data.

 Comply with all applicable laws and regulations, including the Sri Lankan Personal Data Protection Act.

 Promote a culture of information security awareness and accountability among all stakeholders.

Scope

This policy applies to all SIH staff members, vendors, trainees, and other parties with access to SIH information assets. It covers all types of
information, regardless of format or medium, including but not limited to electronic, physical, and verbal forms.


Information Security Guidelines

To ensure that its information security practices are effective, SIH follows these guidelines:

 Confidentiality: Information is protected from unauthorized disclosure, and sensitive information is accessible only to those who are
authorized.

 Integrity: Information is accurate, complete, and reliable, and safeguards are in place to prevent unauthorized modification or alteration.

 Availability: Information is available to and usable by authorized personnel whenever it is needed to support SIH operations.

 Authenticity: The authenticity of information and the identity of the people accessing it are verified to prevent unauthorized access and
misuse.

 Accountability: Individuals are held responsible for their actions regarding information security, and procedures are in place to track and
audit those actions.


Procedures and Processes for Information Security


Risk Assessment

 Risk Assessment: Conduct periodic risk assessments to identify and evaluate information security risks and vulnerabilities.

 Risk Mitigation: Implement the necessary controls and procedures to reduce identified risks and ensure the confidentiality, integrity, and
availability of information.

Access Control

 User Access Management: Apply the principle of least privilege to control user access to data and information systems.

 Authentication and Authorization: Implement strong authentication procedures and role-based access controls to confirm user identities
and grant the appropriate access privileges.

 Access Monitoring: Track and audit user access in order to identify and respond to unauthorized access attempts.
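The access control policy above (user registration, role-based permissions, activity logging, periodic review and deactivation of accounts) and the "Access Monitoring" procedure here describe the same checks in prose. The following is an added example, not part of the SIH policy document: a minimal RBAC model with an authorization decision, an audit of access log entries that flags accesses a role does not permit or that occur after an account was deactivated, and a stale-account review. All role names, permission strings, user records and log lines are constructed sample data, and the log layout `user_id,timestamp,resource,action` is an assumed format that carries the three fields the policy requires in every entry.

```python
"""Added example, not part of the SIH policy text: a minimal role-based access
control (RBAC) model plus the audit checks the access control policy calls for
(log review, detection of access after deactivation, stale-account review).

Everything below is constructed sample data: role names, permission strings,
user records and log lines. The log layout "user_id,timestamp,resource,action"
is an assumed format carrying the fields the policy requires in every entry
(user ID, date and time, resource accessed).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# RBAC: each role maps to the resources it may use (least privilege).
ROLE_PERMISSIONS = {
    "lecturer": {"lms", "timetable"},
    "hr_officer": {"hr_records", "payroll"},
    "it_admin": {"lms", "timetable", "hr_records", "payroll", "backup_server"},
}


@dataclass
class User:
    user_id: str
    role: str
    active: bool                                  # False once deactivated
    deactivated_on: Optional[datetime] = None     # set when active is False


def is_authorized(user: User, resource: str) -> bool:
    """RBAC decision at request time: the account must be active and the
    user's role must carry the requested resource."""
    return user.active and resource in ROLE_PERMISSIONS.get(user.role, set())


def parse_log_line(line: str):
    user_id, ts, resource, action = line.strip().split(",")
    return user_id, datetime.fromisoformat(ts), resource, action


def audit_access_log(log_lines, users):
    """Frequent audit of access logs: one finding per entry that came from an
    unknown account, from an account after its deactivation, or that touched
    a resource the user's role does not permit."""
    findings = []
    for line in log_lines:
        user_id, ts, resource, _action = parse_log_line(line)
        user = users.get(user_id)
        if user is None:
            findings.append((ts, user_id, resource, "unknown user id"))
        elif not user.active and user.deactivated_on and ts >= user.deactivated_on:
            findings.append((ts, user_id, resource, "access after account deactivation"))
        elif resource not in ROLE_PERMISSIONS.get(user.role, set()):
            findings.append((ts, user_id, resource, f"resource not permitted for role '{user.role}'"))
    return findings


def stale_accounts(log_lines, users, now, max_idle_days=90):
    """Periodic review: active accounts with no logged access within
    max_idle_days (or never used at all) are candidates for deactivation."""
    last_seen = {}
    for line in log_lines:
        user_id, ts, _r, _a = parse_log_line(line)
        last_seen[user_id] = max(ts, last_seen.get(user_id, ts))
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u.user_id for u in users.values()
                  if u.active and last_seen.get(u.user_id, datetime.min) < cutoff)


# Constructed sample data.
USERS = {
    "u1001": User("u1001", "lecturer", True),
    "u1002": User("u1002", "hr_officer", False, datetime(2024, 5, 31, 17, 0)),
    "u1003": User("u1003", "it_admin", True),
    "u1004": User("u1004", "lecturer", True),   # registered but never used
}

SAMPLE_LOG = [
    "u1001,2024-06-03T09:12:00,lms,read",
    "u1001,2024-06-03T09:40:00,hr_records,read",     # lecturer reading HR data
    "u1002,2024-05-30T11:00:00,payroll,read",        # before deactivation: fine
    "u1002,2024-06-04T08:05:00,payroll,read",        # after deactivation
    "u1003,2024-06-04T22:10:00,backup_server,write",
    "u9999,2024-06-05T01:00:00,lms,read",            # no registered account
]


def run_sample_audit():
    return audit_access_log(SAMPLE_LOG, USERS)


def run_sample_review():
    return stale_accounts(SAMPLE_LOG, USERS, now=datetime(2024, 6, 10), max_idle_days=30)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(*finding)
    print("stale accounts:", run_sample_review())
```

Run against the sample log, the audit produces three findings (a lecturer reading HR records, a deactivated HR account used after its deactivation date, and an unregistered user ID) and the review lists the account that was registered but never used. The access before the deactivation date is deliberately not flagged: the audit compares each entry's timestamp with the deactivation time rather than with the account's current status alone.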

Data Security

 Data Encryption: Encrypt sensitive data both in transit and at rest to prevent unauthorized access.

 Data Backup and Recovery: Implement regular data backup practices and create a disaster recovery strategy to guarantee the availability
and integrity of data.


Incident Response

 Incident Reporting: Establish procedures for promptly reporting and handling information security incidents and breaches.

 Investigation and Remediation: Investigate security incidents, evaluate their impact, and take the necessary corrective action to reduce risk
and prevent recurrence.

Information Security Controls

 Network Security: Deploy firewalls, intrusion detection/prevention systems, and other network security controls to guard against malicious
activity and unauthorized access to information systems.

 Endpoint Security: Deploy antivirus software, endpoint detection and response (EDR) tools, and mobile device management (MDM) to
safeguard endpoints and prevent malware infections.

 Physical Security: Implement physical access controls, surveillance systems, and security personnel to safeguard physical assets, data
centers, and other critical facilities.

Training and Awareness

 Security Training: Conduct regular information security training and awareness programs to educate staff members, contractors, and
students about security risks and best practices.

 Phishing Awareness: Provide phishing awareness training to help staff identify and report phishing attempts and other social engineering
attacks.


Compliance and Enforcement

 Compliance Monitoring: Verify compliance with information security policies, standards, and laws through routine audits and
assessments.

 Enforcement: Enforce information security policies by taking disciplinary action against individuals or organizations found to be in breach
of them.

Policy Review

This policy is reviewed annually, or as needed, to ensure that it remains effective and in line with organizational goals, technological change,
and legal requirements. Changes to the policy are communicated to all relevant parties.

Risk Assessment and Treatment


Comprehensive Risk Assessment

Prioritization Table: The risks are ranked from highest to lowest risk level based on the risk matrix.

Priority  Risk Description                                       Risk Level
1         Breach of data due to external cyberattacks            20
2         Attacks using ransomware                               15
3         Sensitive information accessed without authorization   12
4         Data leaking through unreliable remote access          12
5         USB drives contaminated with malware                   12
6         Outdated software leading to system problems           12
7         Data loss as a result of insufficient backups          10
8         Student and staff insider threats                      9
9         Physical security lapses                               8
10        Data loss or corruption due to natural disasters       5

Priority: This column assigns each risk a number giving the order in which it should be addressed, following the ranking by risk level.

Risk Description: This column gives a brief description of the potential security threat.

Risk Level: This column gives a numerical score for the overall severity of each risk. The score combines two factors:

Likelihood: The estimated probability that the risk will materialize.

Impact: The potential consequences should the risk materialize.

Reasoning behind Risk Levels:

 High Risk (15–20): Because of their high likelihood and serious consequences, these risks (ransomware and data breaches) pose the
biggest threat to Sigma Institute. They could cause serious financial losses, reputational damage, and disruption to educational
activities.

 Medium Risk (10–14): Unauthorized access, data leaks, malware infections, outdated software, and insufficient backups are risks that
still need to be taken seriously. They could result in loss of confidentiality of sensitive information, data loss, and system outages.

 Low Risk (5–9): Compared with the higher-risk categories, these risks (insider threats, physical security breaches, and natural disasters)
are judged less likely to materialize or to have a less severe effect. They still require basic mitigation measures and should not be
disregarded.
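The risk levels in the prioritization table and the banding thresholds above come from a likelihood x impact matrix. The following is an added example, not part of the SIH document: it scores a risk register with such a matrix, reproduces the ranked table with the plan's bands (High 15–20, Medium 10–14, Low 5–9), and goes one step beyond the text by computing the residual risk after a countermeasure, which is the check the treatment plan that follows relies on. The document gives only the resulting risk levels, so the per-risk likelihood and impact values below are constructed to reproduce those levels; the scales (likelihood 1–4, impact 1–5, so that the maximum score is 20) are likewise an assumption.

```python
"""Added example, not from the SIH document: scoring risks on a likelihood x
impact matrix, banding them with the plan's thresholds (High 15-20,
Medium 10-14, Low 5-9) and checking whether a countermeasure brings the
residual risk into an acceptable band.

Assumption: likelihood is rated 1-4 and impact 1-5, so the maximum score is
20, matching the top of the plan's High band. The per-risk likelihood and
impact values in RISK_REGISTER are constructed to reproduce the levels in the
prioritization table; they are not taken from the document.
"""
LIKELIHOOD_MAX, IMPACT_MAX = 4, 5
HIGH_MIN, MEDIUM_MIN, LOW_MIN = 15, 10, 5
BAND_ORDER = ["Negligible", "Low", "Medium", "High"]


def risk_level(likelihood: int, impact: int) -> int:
    """Risk matrix score: likelihood x impact."""
    if not (1 <= likelihood <= LIKELIHOOD_MAX and 1 <= impact <= IMPACT_MAX):
        raise ValueError("likelihood must be 1-4 and impact 1-5")
    return likelihood * impact


def risk_band(level: int) -> str:
    """Map a score to the plan's bands. Scores under 5 fall below the plan's
    lowest band and are labelled Negligible here (an assumption)."""
    if level >= HIGH_MIN:
        return "High"
    if level >= MEDIUM_MIN:
        return "Medium"
    if level >= LOW_MIN:
        return "Low"
    return "Negligible"


# Constructed risk register: (description, likelihood 1-4, impact 1-5).
RISK_REGISTER = [
    ("Breach of data due to external cyberattacks", 4, 5),
    ("Attacks using ransomware", 3, 5),
    ("Sensitive information accessed without authorization", 4, 3),
    ("Data leaking through unreliable remote access", 3, 4),
    ("USB drives contaminated with malware", 4, 3),
    ("Outdated software leading to system problems", 4, 3),
    ("Data loss as a result of insufficient backups", 2, 5),
    ("Student and staff insider threats", 3, 3),
    ("Physical security lapses", 2, 4),
    ("Data loss or corruption due to natural disasters", 1, 5),
]


def prioritize(register):
    """Build the prioritization table: rows of (priority, description, level,
    band) ordered from highest to lowest level. Python's sort is stable, so
    risks with equal levels keep their register order."""
    scored = [(desc, risk_level(lk, im)) for desc, lk, im in register]
    ranked = sorted(scored, key=lambda row: row[1], reverse=True)
    return [(n, desc, lvl, risk_band(lvl)) for n, (desc, lvl) in enumerate(ranked, 1)]


def evaluate_treatment(likelihood, impact, likelihood_after, impact_after, target_band="Low"):
    """Residual risk after a countermeasure. Returns (residual_level, band,
    acceptable), where acceptable means the band is at or below target_band."""
    before = risk_level(likelihood, impact)
    after = risk_level(likelihood_after, impact_after)
    if after > before:
        raise ValueError("a treatment must not increase the risk level")
    band = risk_band(after)
    return after, band, BAND_ORDER.index(band) <= BAND_ORDER.index(target_band)


if __name__ == "__main__":
    for priority, desc, level, band in prioritize(RISK_REGISTER):
        print(f"{priority:>2}  {desc:<55} {level:>2}  {band}")
    # Ransomware (3 x 5 = 15): offline, tested backups cut the impact of an
    # attack from 5 to 2 while the likelihood stays 3, giving a residual of 6 (Low).
    print(evaluate_treatment(3, 5, 3, 2))
```

A treatment that lowers only likelihood, such as patching and intrusion prevention against external attack (4 x 5 = 20 reduced to 2 x 5 = 10), still leaves a Medium residual, which is why the plan pairs preventive controls with backups that reduce impact as well.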

Important Notes:

 Cyber threats (ransomware, data breaches) are prioritized in the table because of their significant potential for disruption and data loss.

 Uncontrolled remote access and unsafe data-handling practices carry serious risks.


 Vulnerabilities caused by outdated software and inadequate backups must be fixed.

 Although physical breaches and insider threats are given lower priority, security awareness training and preventive measures are still
necessary.

Risk Treatment Plan

Countermeasures:

External cyberattacks resulting in data breaches:

 Install intrusion detection/prevention systems (IDS/IPS) and advanced firewalls.

 Perform vulnerability assessments and penetration testing on a regular basis.

 Apply patches and software updates promptly.

Attacks using ransomware:

 Back up data frequently and keep copies offline in multiple locations.

 Deploy anti-malware software and run routine scans.

 Train employees on safe browsing practices and phishing attacks.

Sensitive information accessed without authorization:

 Require multi-factor authentication (MFA) for access to sensitive systems.

 Use role-based access control (RBAC) to restrict access based on job responsibilities.

 Review and update access permissions on a regular basis.

Data leaking through unreliable remote access:


 Use a robust VPN with strong encryption for remote access.

 Monitor remote access systems and review their logs routinely.

 Train employees in safe remote-working practices.

USB drives infected with malware:

 Disable USB ports or impose strict limits on USB use.

 Use endpoint security to scan USB devices automatically.

 Inform users of the dangers of using unverified USB devices.

Outdated software leading to system problems:

 Create and enforce a patch management strategy.

 Update and upgrade systems to supported versions on a regular basis.

 Test for compatibility before deploying updates.

Data loss as a result of insufficient backups:

 Establish a reliable backup plan and test backup restoration on a regular basis.

 Keep backups in multiple locations, including offsite and cloud-based storage.

 Automate backup procedures to guarantee reliability and consistency.


Insider threats from staff members and students:

 Conduct background checks on staff members and students who have access to private information.

 Establish thorough monitoring to detect anomalous activity.

 Encourage a culture of security awareness through frequent training and awareness campaigns.

Breach of physical security:

 Secure server rooms with locks and access control systems.

 Post security guards and install video cameras in key locations.

 Review and upgrade physical security measures on a regular basis.

Data loss or corruption due to natural disasters:

 Develop a thorough disaster recovery plan (DRP).

 Update the DRP in light of lessons learned from routine disaster recovery drills.

 Ensure that all important data is backed up and can be restored easily in an emergency.


Organizational Roles and Responsibilities


Chief Information Officer (CIO):

 Oversees the application of security policies and regulations.

 Ensures that security measures are in line with organizational objectives.

 Serves as the main point of contact with top management for security-related issues.

Information Security Manager:

 Oversees the daily operations and activities related to security.

 Evaluates risks and puts security measures in place.

 Monitors adherence to security rules and standards.

IT Security Team:

 Implements technical security measures, including encryption, intrusion detection systems, and firewalls.

 Carries out penetration testing and vulnerability assessments.

 Responds to security incidents and conducts forensic investigations.

Heads of Departments:

 Verify that their departments adhere to security policies and processes.


 Work with the IT security team to address security requirements specific to each department.

 Encourage their team members to adopt a security-aware mindset.

Employees, Contractors, and Students:

 Follow the organization's security policies and procedures.

 Report any security incidents or lapses immediately.

 Take part in security awareness and training programs to improve their understanding of security threats and recommended practices.

Implementing Security Controls


Access Control:

 Use role-based access control (RBAC) to limit access to confidential data according to job roles.

 Enforce strong authentication measures such as multi-factor authentication (MFA) for access to critical systems and data.

 Regularly review and adjust access rights to ensure that only properly authorized people have access.

Network Security:

 Install firewalls, intrusion detection/prevention systems, and network segmentation to guard against malicious activity and unauthorized
access.


 Encrypt network traffic to protect data in transit.

 Perform routine security evaluations and vulnerability scans to find and fix network vulnerabilities.

Data Security:

 Encrypt sensitive data both in transit and at rest to prevent unauthorized access.

 Put data loss prevention (DLP) controls in place to monitor and manage the transfer of sensitive data.

 Establish backup and recovery methods to guarantee the availability and integrity of data in the event of data loss or corruption.

Endpoint Security:

 Deploy antivirus software, endpoint detection and response (EDR) solutions, and host-based intrusion prevention systems (HIPS) to
safeguard endpoints against malware and other security risks.

 Enforce device encryption and strict password requirements to protect endpoints from unauthorized access.

Physical Security:

 Put in place physical access controls such as access cards and biometric authentication to limit access to critical areas.

 Install alarms and surveillance cameras to monitor for and deter unauthorized access.

 Protect server rooms and data centers against physical hazards with environmental controls and monitoring systems.


Incident Response and Management Plan


Goals

 Timely Detection: Recognize and detect security incidents quickly.

 Effective Response: Limit and lessen the effects of incidents.

 Recovery: Return affected services and systems to normal operation.

 Documentation: Clearly record incidents and the measures taken in response.

 Continuous Improvement: Review incidents to enhance security protocols and prevent recurrence.

Scope

This IRP covers all SIH networks, data, and information systems. It applies to all kinds of security incidents, such as denial-of-service
attacks, malware infections, data breaches, and unauthorized access.

Incident Response Team (IRT)


The IRT is responsible for managing security incidents and carrying out the IRP. The following roles are represented on the team:

Incident Response Coordinator (IRC):

 Leads and directs the incident response team (IRT).

 Serves as the main point of contact for incident reporting and communications.


IT Security Manager:

 Provides direction and technical expertise for incident response.

 Ensures that controls and security measures are applied correctly.

System Administrators:

 Help locate and isolate the affected systems.

 Carry out system restoration and recovery.

Network Administrators:

 Monitor and examine network traffic for indications of security breaches.

 Put in place network security measures to prevent further incidents.

Legal and Compliance Officer:

 Ensures that incident response measures adhere to all applicable laws and regulations.

 Coordinates with regulatory and law enforcement agencies where required.

Public Relations Officer:

 Manages communication with external parties, such as the media.

 Protects the organization's reputation by providing accurate and timely information.


Phases of Incident Response

Preparation

 Policy and Procedure Development: Create and maintain procedures for handling incidents.

 Training and Awareness: Provide the IRT and staff with regular training to guarantee preparedness and awareness.

 Tools and Resources: Maintain the tools and resources available for incident response.

Identification and Evaluation

 Monitoring: Keep a close watch on networks and systems for any indications of security incidents.

 Detection: Use both manual and automated procedures to find possible incidents.

 Analysis: Examine alerts and events to confirm that an incident has occurred and determine its extent and consequences.

Containment, Eradication, and Recovery

 Containment: Implement containment strategies to isolate affected systems and keep the incident from spreading.

 Short-term containment: Take prompt action to stop the incident.

 Long-term containment: Take steps to keep operations running while the incident is dealt with.

 Eradication: Find and eliminate the root cause of the incident, such as removing malware or closing a vulnerability.

 Recovery: Return affected data and systems to normal operation. Ensure that all systems are secure and watch for any indications of a
recurrence.

Post-Incident Activity

 Documentation: Record everything that is done during the incident response process.

 Debriefing: After the incident, review what happened and how effective the response was.

 Reporting: Prepare and distribute an incident report that includes the findings, the steps taken, and suggestions for improvement.

 Continuous Improvement: Apply lessons learned to update security protocols, policies, and processes.

Incident Reporting and Communication

 Incident Reporting: All employees, contractors, and students must report any suspected security incident to the IRC immediately.

 Internal Communication: The IRC coordinates communication within the IRT and with relevant stakeholders.

 External Communication: If required, the public relations officer manages communication with law enforcement, government agencies,
and the media.

Classification of Incident Severity

Incidents are categorized according to their seriousness and their effect on the organization:

 Low Severity: Small-scale incidents with little consequence, such as a malware infection on a single user's machine.

 Moderate Severity: Incidents that impact several users or systems, such as a limited network outage.

 High Severity: Serious incidents with a large effect, such as a large-scale malware outbreak or a data breach.

 Critical Severity: Incidents that cause major disruption, such as a widespread denial-of-service attack or significant data loss.

Testing and Maintenance

 Frequent Testing: Test the IRP frequently through simulations and tabletop exercises to make sure it works.

 Review and Update: Review and update the IRP regularly to reflect changes in the organization, technology, and the threat landscape.

Disaster Recovery Plan

Goals

 Minimize data loss and system outages.

 Ensure a prompt and well-coordinated response to IT emergencies.

 Ensure that vital operations continue.

 Safeguard the confidentiality and integrity of data.

Scope

The DRP covers the Sigma Institute of Health's entire IT infrastructure and data, including but not limited to:

 Network infrastructure

 Servers (email, file, and HR servers, among others)

 Laptops and workstations


 Databases

 Software and applications

 Backup systems

Disaster Recovery Team

The DRP is carried out by the Disaster Recovery Team (DRT). The team consists of the following roles:

 Chief Information Officer (CIO): Leads the DRT.

 IT Manager: Supervises the technical recovery process.

 Backup and Recovery Specialist: Manages data backup and restoration.

 Network Administrator: Restores network connectivity.

 Application Specialist: Ensures that vital applications are recovered.

 Communication Coordinator: Oversees both internal and external communications.

Risk Assessment and Business Impact Analysis

Risk Assessment

 Identify possible threats, such as hardware failures, cyberattacks, and natural disasters.

 Evaluate each threat's likelihood and its potential effects on IT systems.


Business Impact Analysis (BIA)

 Identify the essential systems and processes.

 For every system, determine the Recovery Time Objective (RTO) and the Maximum Tolerable Downtime (MTD).

 Define Recovery Point Objectives (RPO) to establish the acceptable amount of data loss.

Disaster Recovery Strategies

Data Backup

 Make regular backups of all important information.

 Use both on-site and off-site storage for backups.

 Ensure that backups are encrypted and protected.

Redundant Systems

 Use redundant servers and network components to reduce single points of failure.

 Use virtualization and cloud computing for scalability and flexibility.


Replication of Data

 For essential systems, use real-time data replication to make sure the copies are current.

Alternative Locations

 Choose a different healing location (hot, warm, or cold) based on the demands of the company and available funds.

Procedures for Disaster Recovery

Initiation

• The CIO evaluates the circumstances and, when necessary, declares a disaster.

• Notify all DRT members and stakeholders.

• Activate the DRP and establish the Disaster Command Post.

Notification and Communication

• Inform employees, students, and other interested parties about the incident and the measures being taken to recover.

• Give frequent updates on the progress of the recovery.

Data Recovery

• Verify that the backup data is accurate and intact.

• Restore data from backups within the RTO and RPO criteria.

• Test the restored data to guarantee accuracy and completeness.
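To make the RTO/RPO/MTD objectives from the Business Impact Analysis above and the backup verification steps in this section concrete, here is an added Python example (it is not part of the original plan and not Sigma Institute's own tooling). It checks a backup catalogue against each critical system's objectives, flags backups older than the RPO or whose estimated restore time exceeds the RTO, and verifies backup integrity by recomputing a SHA-256 digest against the one recorded when the backup was taken. The system names, objectives, backup payloads and restore-time estimates are all constructed values.

```python
"""Backup verification against BIA objectives (constructed example).

Checks a backup catalogue against each system's RPO, RTO and MTD and
verifies backup integrity with a SHA-256 digest. All names, objectives
and payloads below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SystemObjective:
    name: str
    rto_minutes: int   # Recovery Time Objective
    rpo_minutes: int   # Recovery Point Objective (acceptable data loss)
    mtd_minutes: int   # Maximum Tolerable Downtime; RTO must not exceed it


@dataclass
class BackupRecord:
    system: str
    taken_at: datetime               # when the backup was taken
    content: bytes                   # backup payload (constructed)
    recorded_sha256: str             # digest recorded at backup time
    estimated_restore_minutes: int   # from the last restore drill (assumed)


def verify_integrity(record: BackupRecord) -> bool:
    """Recompute the digest and compare it with the value recorded at backup time."""
    return hashlib.sha256(record.content).hexdigest() == record.recorded_sha256


def evaluate_backup(obj: SystemObjective, record: BackupRecord, now: datetime) -> list:
    """Return a list of findings; an empty list means every objective is met."""
    findings = []
    if obj.rto_minutes > obj.mtd_minutes:
        findings.append("RTO exceeds MTD; objectives are inconsistent")
    age = now - record.taken_at
    if age > timedelta(minutes=obj.rpo_minutes):
        findings.append(f"backup age {int(age.total_seconds() // 60)} min exceeds RPO {obj.rpo_minutes} min")
    if record.estimated_restore_minutes > obj.rto_minutes:
        findings.append(f"estimated restore {record.estimated_restore_minutes} min exceeds RTO {obj.rto_minutes} min")
    if not verify_integrity(record):
        findings.append("integrity check failed: digest mismatch")
    return findings


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference time and objectives (hypothetical systems).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

OBJECTIVES = {
    "student-records-db": SystemObjective("student-records-db", rto_minutes=240, rpo_minutes=60, mtd_minutes=480),
    "lms-web": SystemObjective("lms-web", rto_minutes=120, rpo_minutes=1440, mtd_minutes=240),
}

GOOD_PAYLOAD = b"constructed backup payload for student-records-db"
TAMPERED_PAYLOAD = b"constructed backup payload for lms-web"

CATALOGUE = [
    BackupRecord("student-records-db", NOW - timedelta(minutes=30), GOOD_PAYLOAD, _digest(GOOD_PAYLOAD), 90),
    # Stale backup whose content no longer matches the digest recorded at backup time.
    BackupRecord("lms-web", NOW - timedelta(days=2), TAMPERED_PAYLOAD, _digest(b"original lms-web payload"), 180),
]


def run_checks(catalogue=CATALOGUE, objectives=OBJECTIVES, now=NOW) -> dict:
    """Map each system name to its list of findings."""
    return {rec.system: evaluate_backup(objectives[rec.system], rec, now) for rec in catalogue}


if __name__ == "__main__":
    for system, findings in run_checks().items():
        print(f"{system}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

In the constructed catalogue the student records backup passes every check, while the LMS backup produces three findings (stale beyond its RPO, too slow to restore within its RTO, and a digest mismatch). Recording the digest at backup time and re-checking it before restoration is what turns "check if the backup data is accurate" into a repeatable, auditable step.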


System Recovery

• Rebuild and configure the affected systems and infrastructure.

• Restore databases and applications.

• Verify the performance and functionality of each system.

Network Recovery

• Restore network connectivity.

• Ensure secure access to the recovered systems and data.

Validation and Testing

• Make sure all recovered systems are thoroughly tested.

• Verify that regular business operations can resume.

Resuming Regular Business

• Stand down the Disaster Command Post.

• If recovery was carried out at an alternate site, return operations to the main location.

• After recovery, review what happened and record the lessons learned.


Training and Awareness

• Organize frequent training sessions on DRP procedures for the DRT.

• Run simulations and drills to evaluate the DRP's effectiveness.

Maintenance and Review

• Review and update the DRP every year or following any significant change to the IT environment.

• Conduct routine audits to make sure the DRP is being followed.

• Incorporate lessons from disaster recovery drills to improve the plan.

Record-keeping

• Ensure that every DRP procedure, role, and responsibility is thoroughly documented.

• Keep copies of the DRP in several places, both on-site and off-site, for easy access in the event of a disaster.

Monitoring and Review

Continuous Monitoring

Goal: Ensure the confidentiality, integrity, and availability of information assets by quickly identifying and responding to security problems.

Important Tasks:

Real-time Monitoring: Use security monitoring solutions, such as Security Information and Event Management (SIEM) systems, to collect and analyse logs from multiple sources as they arrive.

Log Management: Centrally gather and store logs from all important systems, including servers, network equipment, applications, and databases.

Threat Detection: Use intrusion detection/prevention systems (IDS/IPS) to spot unusual activity and raise alerts.

Anomaly Detection: Use behavioural analytics to spot deviations from normal patterns that could indicate a security breach.

Integration of Monitoring Tools with Incident Response: Make sure monitoring tools feed the incident response process so that alerts lead to timely action.

Automatic Alerts: Configure alerts so that the Incident Response Team (IRT) is notified of possible security breaches.

Incident Handling Protocols: Follow the established protocols for investigating and responding to incidents.

Frequent Monitoring Reviews: Plan recurring evaluations of the monitoring results to spot patterns and opportunities for improvement.

Monthly Reports: Create and evaluate monthly reports on security monitoring.

Quarterly Reviews: Evaluate security incidents and monitoring effectiveness in depth every quarter.

Tools and Technology:

• SIEM systems (such as IBM QRadar and Splunk)

• IDS/IPS (such as Snort and Palo Alto Networks)

• Log management solutions, such as Elastic Stack and LogRhythm
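The following Python script is an added example, not code from the original document or from any SIEM product, of two of the detection tasks described above: threshold alerting on repeated failed logins from one source within a time window, and a simple behavioural baseline that flags a successful login for an account from a source never seen before for that account. The sshd-style log lines, the threshold, the window and the account names are constructed values; a real deployment would express the same logic as correlation rules in the SIEM.

```python
"""Log-based detection over constructed auth log lines (added example).

Two detections: (1) brute-force style alerting when FAIL_THRESHOLD failed
logins from one source occur within FAIL_WINDOW, and (2) a behavioural
baseline that flags a successful login from a source not previously seen
for that account. Log lines and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format (not real traffic).
SAMPLE_LOG = """\
2024-06-01T08:00:01 sshd[101]: Failed password for admin from 198.51.100.7
2024-06-01T08:00:03 sshd[101]: Failed password for admin from 198.51.100.7
2024-06-01T08:00:04 sshd[101]: Failed password for root from 198.51.100.7
2024-06-01T08:00:06 sshd[101]: Failed password for admin from 198.51.100.7
2024-06-01T08:00:07 sshd[101]: Failed password for admin from 198.51.100.7
2024-06-01T08:10:00 sshd[102]: Accepted password for jdoe from 10.0.5.21
2024-06-01T09:30:00 sshd[103]: Accepted password for jdoe from 10.0.5.21
2024-06-01T23:45:00 sshd[104]: Accepted password for jdoe from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                    # assumed tuning value
FAIL_WINDOW = timedelta(seconds=60)   # assumed tuning value


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(log_text):
    """Return a list of (alert_type, detail) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(deque)     # src -> timestamps of recent failures
    known_sources = defaultdict(set)  # user -> sources seen on successful logins
    alerted_sources = set()           # alert once per source to avoid floods
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line; a real pipeline would count and report these
        if ev["result"] == "Failed":
            window = failures[ev["src"]]
            window.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["src"] not in alerted_sources:
                alerted_sources.add(ev["src"])
                alerts.append(("brute_force",
                               f"{len(window)} failed logins from {ev['src']} within {FAIL_WINDOW.seconds}s"))
        else:  # Accepted
            seen = known_sources[ev["user"]]
            if seen and ev["src"] not in seen:
                alerts.append(("new_source",
                               f"user {ev['user']} logged in from previously unseen source {ev['src']}"))
            seen.add(ev["src"])
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

On the constructed input the script raises one brute-force alert for 198.51.100.7 (five failures in six seconds) and one new-source alert when jdoe logs in from 203.0.113.9. The "alert once per source" set and the explicit handling of unparseable lines are the details that matter operationally: the first keeps the IRT from being flooded, the second ensures parser failures are visible rather than silently dropped.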

Internal Audits

The aim of internal audits is to verify adherence to security policies, guidelines, and legal requirements while pinpointing opportunities for improvement.


Important Tasks:

Audit Planning: Create an internal audit timetable that addresses each of the ISMS's essential components.

Establish the annual audit plan's goals, objectives, and audit frequency.

Audit Team: Assign experienced internal auditors who are not involved in the activities under audit.

Audit Execution: Carry out audits in accordance with the plan, giving higher-risk areas priority by applying a risk-based methodology.

Document Review: To ensure compliance, review documents, policies, and processes.

Interviews: To gauge employees' and stakeholders' comprehension of and compliance with security measures, conduct interviews.

Testing: To confirm the efficacy of security measures, carry out technical tests like penetration tests and vulnerability assessments.

Reporting: Record audit results and offer practical suggestions.

Audit Reports: Write thorough reports outlining the state of compliance, areas of nonconformity, and recommended changes.

Management Action Plan: To address audit findings, collaborate with management to create and carry out an action plan.

Follow-up: Confirm that the corrective measures have been put into place and are working.

Monitoring Remediation: Keep tabs on the status of remediation efforts until they are completed.

Re-audits: Perform follow-up audits in the areas where substantial findings were made.

Standards and Guidelines:

ISO/IEC 27001:2013, Information Security Management Systems

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations


Review of Management

Goal: To guarantee that the ISMS continues to be appropriate, sufficient, and successful in achieving the organization's security goals and
adjusting to shifts in the threat environment.

Important Tasks:

Review Meetings: Hold regular management review meetings to assess the ISMS's efficacy and performance.

Quarterly Reviews: Every quarter, senior management evaluates metrics and key performance indicators (KPIs) associated with the ISMS.

Annual Review: An extensive evaluation conducted each year to evaluate the ISMS's overall condition and its strategic alignment with the
objectives of the organization.

Inputs: Compile pertinent information and inputs for the management review.

Audit Results: Examine the conclusions drawn from both internal and external audits.

Incident Reports: Examine security incident reports, taking into account the underlying causes and corrective actions.

Conclusions of Risk Assessments: Consider any modifications to the risk profile as well as the results of the most recent risk assessments.

Feedback: Take into account the opinions of all relevant parties, such as staff members, students, and government agencies.

Outputs: Evaluate the outputs and decide on actions to enhance the ISMS.

Policy Modifications: Based on evaluation results, update security policies and procedures.

Resource Allocation: Provide the funds required to put the improvements into practice.

Plan for Continuous Improvement: Create a strategy for the ISMS's ongoing improvement.


Record-keeping:

Minutes of Management Reviews: Record the choices, talks, and actions from meetings for management reviews.

Improvement Plan: Keep track of all improvement projects and the progress of their execution.

Continuous Improvement

Goals

Ensure that the DRP remains applicable and useful.

Adapt to new threats and vulnerabilities.

Combine the knowledge gained from tests with real-world disaster experience.

Encourage a culture in which disaster recovery procedures are continually improved.

Process of Continuous Improvement

Continual Evaluations and Updates

Annual Review: At least once a year, conduct a thorough evaluation of the DRP.

Post-Incident Review: Following any major incident or disaster, conduct a thorough analysis to pinpoint what worked and what needs improvement.

Technology and Business Changes: Revise the DRP to account for changes to the organizational structure, business procedures, or IT environment.

Mechanisms of Feedback

Feedback from Stakeholders: Find out what the staff, students, and other stakeholders think about how effective the DRP is.

Incident Analysis: To find opportunities for improvement, examine the incident's reactions and underlying causes.


Audit Findings: Incorporate recommendations and conclusions from both internal and external audits into the DRP.

Instruction and Knowledge

Frequent Training: Give the Disaster Recovery Team (DRT) and other pertinent employees regular training.

Simulation Exercises: To evaluate the DRP and enhance response skills, regularly conduct disaster recovery exercises and simulations.

Awareness Campaigns: Conduct campaigns to educate all employees and students on the procedures involved in disaster recovery.

Monitoring and Performance Metrics

Define and track key performance indicators (KPIs) for disaster recovery, including recovery time objectives (RTO), recovery point objectives
(RPO), and incident response time.

Record-keeping and Documentation

• Incident Logs: Keep thorough records of every incident, including the steps taken in response and the results.

• Change Logs: Maintain a record of every modification made to the DRP, along with the rationale and the steps involved in getting approval.

• Audit Reports: Maintain a file of audit reports and make sure they are examined and addressed.

Evaluation of Management

• Schedule Regular Reviews: To make sure the DRP is in line with corporate aims and objectives, senior management should schedule regular
reviews of the document.

• Strategic Planning: Include catastrophe recovery planning in the organization's overall strategic planning procedure.

Cycle of Continuous Improvement

• Plan-Do-Check-Act (PDCA): Use the PDCA cycle to improve continuously:

o Plan: Determine what needs to be improved and create plans of action.

o Do: Put the upgrades into practice.


Sigma Institute's implementation map

Sigma Institute of Health is implementing an Information Security Management System (ISMS) using a methodical, phased implementation
process. The main stages, assignments, and deadlines for ensuring a thorough and efficient deployment of the ISMS are described in this
implementation map.

Phase 1 (Months 1-2): Planning and Initiation

1. Launch of the Project

o Form the project team for ISMS.

o Specify the ISMS's goals and scope.

o Obtain resources and support for management.

2. Analysis of Gaps

o Examine gaps in relation to ISO/IEC 27001 standards.

o Determine the procedures and security controls in place.

o Record any holes and potential improvement areas.

3. Development of Project Plans

o Create a thorough project plan that includes deadlines and completion dates.

o Designate positions and duties.

4. Involvement of Stakeholders


o List the important parties (CIO, IT personnel, educators, staff members in administration, and students).

o Hold first meetings to explain the goals and scope of the project.

Phase 2 (Months 3–4): Risk Assessment and Control Selection

1. Evaluation of Risk

o Carry out a comprehensive risk analysis to find weaknesses and possible threats.

o Create a risk matrix and priority table to assess risks.

2. Selection of Controls

o Determine and choose the best controls to reduce the identified risks.

o Map the chosen controls to the ISO/IEC 27001 Annex A controls.

3. Inventory of Assets

o Make a list of every essential asset (servers, network devices, data, and applications).

o Assign each asset a priority and sensitivity level.

Phase 3 (Months 5–6): Documentation and Policy Development

1. Development of Policies

o Create the following important policies:

 The Policy on Information Security

 Acceptable Use Guidelines


 Policy for Data Protection

 Policy for Access Control

 Policy for Remote Working

 Plan for Incident Response

2. Documentation of Procedure and Process

o Record the steps taken to implement and oversee security controls.

o Create policies for the safe handling of IT resources.

3. Approval and Communication

o Get senior management approval for policies and processes.

o Inform all parties involved of policies and procedures.

Phase 4 (Months 7–9): Implementation of Controls

1. Technical Controls

o Put in place intrusion detection/prevention systems (IDS/IPS), firewalls, and antivirus software.

o Set up segmentation and secure network architecture.

o Implement safe communication methods and data encryption.

Phase 5 (Months 10–11): Validation and Testing

1. Control testing

o Perform vulnerability analyses and penetration tests.


o Evaluate disaster recovery and backup protocols.

2. Internal Audit

o Conduct an internal audit to verify that ISO/IEC 27001 is being followed.

o Identify areas that need improvement and non-conformities.

3. Evaluation of Management

o Discuss audit results with upper management.

o Based on audit findings, update and improve the ISMS.


Phase 6 (Months 12+): Certification and Ongoing Improvement

1. Certification and External Auditing

o Engage an accredited certification body to conduct an external audit.

o Obtain ISO/IEC 27001 certification.

2. Ongoing Evaluation and Enhancement

o Establish real-time network and system monitoring.

o Carry out routine management reviews and internal audits.

o Update and enhance the ISMS frequently in response to user input and new threats.

The security plan established for Sigma Institute of Health (SIH) takes a holistic approach to security, covering physical, digital, and policy elements. The approach is as follows.

Physical Safety:

1. Measures for Access Control:

o Justification: Sensitive locations like server rooms and data centers are only accessible through physical access controls like access cards and
biometric verification. This lowers the possibility of physical theft or hardware damage and stops unauthorized individuals from accessing vital
infrastructure.

2. Monitors and Recorders:

o Justification: Alarms and surveillance cameras aid in keeping an eye on and discouraging unwanted entry to physical locations. They serve as a
deterrent to possible intruders, offer visual proof of security occurrences, and support forensic investigations.


3. Environmental Management:

o Justification: Server rooms and data centers are protected against environmental risks by environmental controls, such as temperature and
humidity monitoring systems. Sustaining ideal conditions guarantees hardware dependability and guards against environmental variables causing
device failure.

Digital Safety:

1. Security controls for networks:

o Justification: SIH's IT infrastructure is shielded from malware, cyber-attacks, and unwanted access by network security mechanisms such
firewalls, intrusion detection/prevention systems (IDS/IPS), and network segmentation. These security measures guard against unwanted access
to private information, monitor and filter network traffic, and identify questionable activity.

2. The use of encryption

o Justification: Sensitive data integrity and confidentiality are guaranteed by encryption, both during data transmission and at rest. SIH reduces
the possibility of data breaches and unauthorized access by encrypting data, particularly when data is sent over public networks or kept on
portable devices.

3. Endpoint Protection Options:

o Justification: End-user devices are shielded from malware, phishing scams, and other security risks by endpoint security solutions, which include
antivirus software, endpoint detection and response (EDR) tools, and mobile device management (MDM) systems. By identifying and addressing
security threats at the endpoint level, these solutions lessen the possibility that cyberattacks will be effective.

Policy Aspect:

1. Policy for Data Protection:

Reasoning

• Compliance: The Sri Lankan Personal Data Protection Act and other pertinent data protection laws and regulations are guaranteed to be
complied with by the Data Protection Policy. The policy assists SIH in avoiding legal penalties and reputational harm associated with non-
compliance by setting rules for the gathering, storing, processing, and sharing of personal and sensitive data.


• Confidentiality: The policy describes steps to protect data confidentiality, such as data classification, access limits, and encryption. The strategy
lowers the risk of data breaches and upholds stakeholder trust by shielding confidential information from unwanted access and dissemination.

• Integrity: To guarantee the correctness and dependability of data, data integrity controls, such as data validation and error-checking processes,
are put in place. The policy contributes to the preservation of information's quality and reliability by identifying and stopping illegal changes or
tampering.

• Availability: To guarantee the availability of crucial data and systems, the policy contains measures for data backup, disaster recovery, and
business continuity planning. SIH can lessen the effects of data loss or system outages and decrease downtime by putting backup and recovery
procedures in place.

2. Policy for Access Control:

Reasoning

• Asset Protection: The Access Control Policy ensures that SIH's information systems and data are accessible only to authorized users, shielding valuable resources from theft, abuse, and unauthorized access. The policy reduces the risk of insider threats and illegal activities by adopting role-based access controls and applying the principle of least privilege.

• Confidentiality and Privacy: By restricting access to authorized individuals only who have a need-to-know basis, access controls help to ensure
the confidentiality and privacy of sensitive information. The policy safeguards individual privacy rights and avoids unauthorized disclosure of
personal data by allocating access privileges based on employment positions and responsibilities.

• Compliance: The policy assists SIH in meeting regulatory obligations pertaining to access control, such as the need to put access controls in place
to safeguard personal information in accordance with data protection regulations. SIH establishes its credibility and reputation as a reliable
company by proving compliance with industry norms and laws.

3. Policy for Information Security:

Reasoning

• Comprehensive Security Framework: To manage information security risks and safeguard SIH's information assets, a thorough framework is
provided by the information security policy. The policy guarantees a comprehensive approach to security management by covering many security
domains, such as risk management, governance, compliance, and incident response.


• Risk Management: The policy lays out procedures for locating, evaluating, and reducing risks related to information security. SIH can manage
security risks proactively and stop security incidents and breaches by carrying out routine risk assessments and putting in place the necessary
measures.

• Security Awareness: By outlining security roles and expectations, the policy fosters a culture of security awareness and accountability among
staff members, subcontractors, and students. The policy gives stakeholders the tools they need to improve the security posture of the company
by offering guidelines on security best practices, training needs, and reporting protocols.

• Continuous Improvement: The policy contains guidelines for information security processes and controls that are monitored, reviewed, and
improved continuously. SIH can improve its security posture and resilience over time by routinely assessing the efficacy of security measures and
making adjustments in response to changing threats and vulnerabilities.

In summary, the designed security plan for Sigma Institute of Health integrates physical, virtual, and policy elements to establish a multi-layered
defense against security threats. By implementing a combination of access controls, surveillance systems, encryption technologies, network
security measures, and comprehensive security policies, SIH strengthens its overall security posture, mitigates risks, and protects its information
assets, infrastructure, and stakeholders from potential security breaches and disruptions.


Analyzing the Sigma Institute's envisioned ISMS critically in comparison to important global
standards

Benefits of the Designed ISMS

1. Enhanced Security Posture

o Alignment with ISO/IEC 27001: Using the ISO/IEC 27001 framework guarantees a thorough approach to information security by methodically handling risks.

o Risk Management: To lessen vulnerabilities and possible threats, the proposed ISMS includes comprehensive risk assessment and management procedures.

o Comparison: NIST and other frameworks offer strong methodologies, and ISO/IEC 27001 offers a similarly organized approach to risk management; in addition, the international recognition of ISO/IEC 27001 lends legitimacy.

2. Adherence and Lawful Guarantee

o Regulatory Compliance: The ISMS will assist Sigma Institute in adhering to pertinent data protection laws, including the Computer Crimes Act
and the Sri Lankan Personal Data Protection Act.

o Audit Readiness: By preparing the company for external audits and inspections, an ISO/IEC 27001 certified ISMS builds stakeholder trust and
credibility.

o Comparison: While ISO/IEC 27001 emphasizes compliance, COBIT offers a more comprehensive governance framework by concentrating more
on IT governance.

3. Structural Adjustment

o Business Continuity and Disaster Recovery: The ISMS has a disaster recovery plan in place to guarantee both business continuity and a prompt
recovery from catastrophes.

o Incident Response: Strictly specified incident management protocols allow for efficient handling and impact-minimization of security incidents.

o Comparison: The NIST framework offers comprehensive incident response rules, improving operational resilience, whereas ISO/IEC 27001
requires business continuity planning.

4. Increased Trust Among Stakeholders

o Reputation management: Showing a dedication to information security increases stakeholders' trust in the institution's ability to safeguard
confidential data, including employees and students.

o Competitive Advantage: A strong ISMS can set an institution apart and draw in additional partners and students because of their confidence in
the security measures in place.

o Comparison: While ISO/IEC 27001 and COBIT both increase stakeholder confidence, ISO/IEC 27001 may have a greater competitive advantage
due to its international certification.

5. Savings and Efficiencies

o Resource Optimization: The ISMS can result in a more effective use of resources by streamlining security procedures and minimizing effort
duplication.

o Cost Avoidance: By averting data breaches and other security disasters, the organization can save a substantial amount of money on repairs,
fines, and reputational harm.


Drawbacks of the Planned ISMS


1. Implementation Difficulties

o Initial Costs: Investing in technology, training, and possibly outside consulting can be costly when establishing an ISMS.

o Resource-intensive: Staff time and effort are needed to implement and maintain an ISMS, which might be difficult for an institution with little funding.

o Comparison: Frameworks such as NIST can be adopted gradually, thereby lowering upfront costs, but ISO/IEC 27001 has substantial beginning
costs.

2. Complexity and Bureaucracy

o Complex Processes: The precise and structured nature of ISO/IEC 27001 can lead to complexity, which can slow down operations by making
processes laborious.

o Administrative Overhead: Upholding ISMS standards compliance may result in more administrative labor, which could tax staff members.

o Comparison: COBIT's governance-focused approach can potentially add complexity, but if properly integrated, it offers a strategic perspective
that could reduce procedures.

3. Opposition to Change

o Cultural Barriers: Employees and students may object to the adjustments needed to follow the new security rules and guidelines, which could
result in resistance and non-compliance.

o Training Requirements: It might be difficult and time-consuming to make sure that all stakeholders have received the necessary training on the
ISMS procedures.

o Comparison: NIST's adaptable methodology, which permits a more gradual adoption compared to ISO/IEC 27001's inflexible framework, may
lessen resistance to change.


4. Dynamic Environment of Threats

o Changing Threats: Cyber threats are ever-evolving, necessitating constant awareness and adaptation on the part of the ISMS to meet emerging
vulnerabilities.

o False Sense of Security: Relying too much on the ISMS may cause stakeholders to become complacent and think that the ISMS is enough to
minimize all threats.

o Comparison: When compared to ISO/IEC 27001, NIST's focus on adaptive measures and ongoing improvement offers a more dynamic approach
to developing risks.

Framework comparison

ISO/IEC 27001

Advantages: globally acknowledged; a thorough approach to information security; strict risk assessment and control; stakeholder confidence and legal compliance.

Disadvantages: high starting costs and intricacy; stiff structure that resists change; mostly concentrates on information security.

NIST Cybersecurity Framework

Advantages: useful advice for cybersecurity; stresses ongoing development; reduced start-up expenses and simpler incremental adoption; ideal for changing threat environments.

Disadvantages: primarily created for US-based companies; little recognition abroad; not as extensive as COBIT.

COBIT

Advantages: emphasizes IT governance and goal alignment with business objectives; extensive foundation for governance; improves the ISMS's strategic alignment with corporate objectives; complements ISO/IEC 27001.

Disadvantages: a wide scope may result in complexity; integration with intricate ISO/IEC 27001 procedures could be difficult; restricted attention to particular security precautions.

References

BSI (2023). The PDCA cycle: Plan-Do-Check-Act. Retrieved from the pdca-cycle page at https://asq.org/quality-resources

ISO (2013). ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements. International Organization for Standardization. Retrieved from the ISO website.

TUV SUD (2023, May 18). A Comprehensive Guide to the Information Security Management System (ISMS). Retrieved from https://www.tuvsud.com/en/services/auditing-and-system-certification

ISACA (2018). COBIT 5 for Information Security. Information Systems Audit and Control Association.

NIST (2020). Comparison of ISO/IEC 27001 and the NIST Cybersecurity Framework. National Institute of Standards and Technology.

ISACA (2019). COBIT 2019 Framework: Introduction and Methodology. Information Systems Audit and Control Association.

NIST (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. National Institute of Standards and Technology.
