
Security Plan

JULY 25

Authored by: Edgar Chikwava, MSc Cyber Security, University of Liverpool. Version 5


Table of Contents

Executive summary 3
    Business assumption 3
    Security importance 3
    Assets to be secured 4
Security models 4
    Security models to be applied 4
    Access controls to information systems 6
    Limit user damage 7
    Integrity of the information stored 8
Security strategy 8
    Physical security 8
    Mobile devices management 9
    Mobile device data security 10
    BYOD management 11
Compliance and legal standards 12
    IT law compliance 12
    IT control and audit 14
    Criteria certification 15
Risk analysis and assessment 16
Network security 18
Penetration testing and usable security 19
Digital rights protection 19
Executive summary conclusion 19
References 20


Executive summary

Business Assumption

This assignment response is based on a profile of Timelinx, a company in the business of selling timeshares. The company uses a database of previous, current and prospective clients, and a booking system that should be consistently available online, both internally and externally. The company has the following employee structure: 20 people in the call centre office, 1 IT professional, 3 administrative staff, 2 sales staff, a law compliance officer and a Director. The company is based in South Africa as a subsidiary of Incentive Leisure Group.

Security Importance

Business digitization and cyberspace have presented favourable business opportunities and collaboration to corporations around the globe. These companies have access to technological benefits to pursue either economic or social activities. However, these conditions bring with them cyber vulnerabilities, while the legislation meant to protect the companies' interests and investments may lag behind. Hence the need to invest in security technologies and programmes.

Timelinx operates most of its business online: its clients' details are stored on a live database, data is shared among branches across the world and its telephone system is based on VoIP technology. To boost its market share, it sets up temporary kiosks in cities around South Africa as the market requires, each connecting to the main system in Cape Town. For Timelinx, security is important for these reasons:

To keep the system available on line all the time for business continuity

To preserve data integrity throughout the system

To protect client and employee information from unauthorized access

To avoid the unbudgeted cost of recovering from a successful penetration attack

To keep the staff cyber risk-aware to avoid social engineering attacks


Assets to be Secured

Companies should keep an inventory of the assets and software running on their network to get a good overview of their risk exposure. Technology security is important for Timelinx's business operation; however, it comes with large costs. The high cost of security technology forces management and stakeholders to quantify risk exposure and decide which assets to give security priority. In selecting the assets that need to be protected, the business must identify the mission-critical assets that add value to the organization. Timelinx should also include BYOD devices in the asset inventory. Some of the information assets that will be secured as the basis of this document include:

Data Servers

Network infrastructure: routers, hubs, network ports, Wi-Fi

Computers, mobile phones and laptops

VoIP infrastructure

Websites

Security models

Security models to be applied

The choice of security model to be applied should be reviewed as organizational changes and environmental shifts occur. The core purpose of these models is to maintain the basic computer security aspects: Confidentiality, Integrity and Accessibility (CIA). All of the other computer security concepts are covered within CIA. Whichever security model is chosen for the safety of Timelinx's systems in future, it should ensure total coverage and consideration of the three security fundamentals (CIA).

Clark and Wilson integrity model – This model addresses three integrity goals: it maintains an authorization and authentication list, it maintains internal and external consistency, and it prevents both unauthorized and authorized users from executing improper system transactions. In setting it up, the IT professional should get a list of the transactions each user is supposed to execute within the system, and the equivalent privileges will be granted. This is a good model for Timelinx since operations are based on different roles and responsibilities: a telesales marketing representative will not be able to view payments and other non-marketing details. This model should be used in conjunction with the Brewer and Nash model, equally known as the Chinese wall model. The Chinese wall takes into account the dynamics of the IT and business environment by limiting conflicts of interest on data, and it stops fraudulent modification of objects through a separation of duties.

Graham-Denning Model – Based on Timelinx's business operations, this security model will be well suited to adding the creation of customers, assigning rights and privileges to customers and employees, addressing the issues of managing data and process ownership, and finally the issue of data deletion. This model can be replaced with the Harrison-Ruzzo-Ullman model, which generalizes the Graham-Denning model so that it covers more organizational aspects and security scenarios.

Bell-LaPadula Confidentiality Model – this model focuses on confidentiality within the CIA fundamentals of computer security. At Timelinx the model will address issues of access control. The organizational chart will be used to determine the level at which a system user sits. Management will have to schedule a workshop to classify the company data from "top secret" to "public". The model preserves its security properties as information changes from one state to another. Users are prevented from writing up and reading down, ensuring data integrity is kept at an access level within the system.

There are other models that could be implicitly implemented, such as the non-interference model, which captures all user transactions and prevents users from interfering with one another. Users are given domains in which to log in and transact on the system through a separation of roles. The machine models will ensure system accessibility through a mathematical algorithm; the developer will have to set the availability parameters to ensure system stability and security.


Access controls to information systems

Access control (AC) ranks very high in the security policy; it is one of the best defence mechanisms applicable. Based on the security models described above, AC addresses the challenges of users accessing information with different roles and levels of seniority, and of constant changes in the business environment that require system modification. Timelinx will provide the following access controls based on the roles and positions depicted on its organogram. The example below can be used as a guideline for role and transaction proportioning.

Director – the Director will have access to key reporting transactions that will facilitate the efficient delivery of his duties. He must be able to approve the use of funds and have an overall view of the company's activities.

Law compliance officer – will have access to matching transactions based on the job description. Access to client contracts and to the appointment and scheduling section could be some of the system activities a law officer has access to.

Telesales – the telesales team will have access to basic system activity, i.e. client details such as phone number, name, gender, age and location. However, within the team there will be a team leader who should have monitoring privileges to check on team members' progress.

IT professional – Based on their complete involvement and the requirement to assist any employee, they should be given access to the whole system on a non-transactional basis in production. The machine models will come into effect, with other control factors being borrowed from the rest of the models.

These access control practices will include but not limited to:

Authentication – This can be done through password policies, biometric scans, smart ID cards, clock-in and clock-out systems, etc.

Authorization – once authentication has occurred, the system must only present the activities and transactions that match the roles of the authenticated user.

Identification – This is when a person has to establish that they are who they say they are. Workflows can be set up to reduce identity concerns, and in other cases biometric scans can also confirm that a person is who he/she claims to be.
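The role-to-transaction proportioning above, combined with the Clark-Wilson separation-of-duty idea from the security models section, can be expressed as a small policy engine. The following is an added example written for this plan and is not code from the original document or from any product Timelinx uses; the role names, transaction names and client-record field lists are constructed assumptions.

```python
"""Role-based access control with separation of duty.

Added example (not code from the original security plan): a small policy
engine encoding the role-to-transaction proportioning described above for
Timelinx, plus a Clark-Wilson style separation-of-duty rule so the user who
raises a funds request cannot also approve it. Role names, transaction
names and the field lists are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed role -> permitted transactions mapping (an assumption, not the
# plan's real organogram). The IT professional can see everything but gets no
# business transactions in production ("non-transactional basis").
ROLE_TRANSACTIONS: Dict[str, Set[str]] = {
    "director": {"view_reports", "approve_funds", "view_all_activity",
                 "view_client_basic", "view_contracts"},
    "law_compliance": {"view_contracts", "view_appointments", "view_schedule",
                       "view_client_basic"},
    "telesales": {"view_client_basic"},
    "telesales_lead": {"view_client_basic", "view_team_progress"},
    "it_professional": {"view_all_activity", "view_reports", "view_contracts",
                        "view_appointments", "view_schedule",
                        "view_client_basic", "view_team_progress"},
}

# Which client-record fields each transaction exposes (constructed).
FIELDS_BY_TRANSACTION: Dict[str, Set[str]] = {
    "view_client_basic": {"name", "phone", "gender", "age", "location"},
    "view_contracts": {"contract"},
    "view_reports": {"payments"},
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class FundsRequest:
    """A request to spend funds, raised by one user and approved by another."""
    requester: str
    amount: float
    approved_by: Optional[str] = None


def is_authorized(user: User, transaction: str) -> bool:
    """Authorization step: only transactions matching the user's role pass."""
    return transaction in ROLE_TRANSACTIONS.get(user.role, set())


def visible_fields(user: User) -> Set[str]:
    """Client-record fields the user may see, derived from their transactions.
    A telesales representative therefore never sees payment details."""
    fields: Set[str] = set()
    for transaction in ROLE_TRANSACTIONS.get(user.role, set()):
        fields |= FIELDS_BY_TRANSACTION.get(transaction, set())
    return fields


def approve_funds(approver: User, request: FundsRequest) -> bool:
    """Record an approval, enforcing both role and separation of duty.

    Returns True when the approval is recorded, False when refused.
    """
    if not is_authorized(approver, "approve_funds"):
        return False
    # Separation of duty: the requester may not approve their own request.
    if approver.name == request.requester:
        return False
    if request.approved_by is not None:
        return False  # already approved; no silent re-approval
    request.approved_by = approver.name
    return True
```

The authorization check is deliberately a pure lookup, so an audit (see the IT control and audit section) can be run against the same table the system enforces; the separation-of-duty rule is what keeps a single account from both raising and approving the use of funds.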


Limit user damage

Cyber threats are not limited to a single source of origin, and companies should try to minimize risks from within, since they have more control of their own environment than of external environments. The security models and AC principles should be applied in an attempt to reduce risks from insiders and from those external users that have access to Timelinx's system.

Communicate system usage – System usage and capabilities should be communicated to the users. They should be able to report system bugs or suspicious behaviour based on the system expectations set by that communication. System patches and changes should be communicated prior to go-live, and training given if need be.

User training – Users should go through training sessions on how to use the system. This will increase usage knowledge and system confidence.

Secure infrastructure – Timelinx should make use of secure infrastructure conforming to industry configuration practices and setup. Use of default passwords must be avoided, among other common security errors.

Pre- and post-attack strategies – Apart from this document, Timelinx should come up with a pre- and post-attack strategy document that illustrates the sequence of events in dealing with cyber protection against internal and external attacks.


Integrity of the information stored

Information integrity can easily be compromised through man-in-the-middle attacks, sniffing and spoofing. Timelinx should encrypt information stored on its devices. Portable devices should have secure passwords, with separate passwords to access corporate information. Two-factor authentication must be implemented to access data. The Timelinx system should be based on a zero-trust approach, validating every entry that comes into the system. It is the responsibility of the IT professional to provide for information assurance and quality. Information integrity can be threatened by software defects and hardware failures, or by attacks.

Wi-Fi and internet traffic must be encrypted to ensure safe end-to-end transmission. Third-party tools are generally advised for data encryption, since they embody more security practice than in-house implementations. Data integrity is key to Timelinx and its stakeholders, and integrity practices should be adopted from the models cited above.
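One concrete way to make stored information tamper-evident, so that modification in storage or in transit is detected when a record is read back, is to store each record with a keyed hash. The block below is an added example written for this plan, not code from the original document or from any tool it names; the key, the client record and its field names are constructed.

```python
"""Tamper-evident storage of client records.

Added example (not code from the original plan): each client record stored
on a device is saved together with an HMAC-SHA256 tag computed under a
secret key, so that modification in storage or in transit is detected when
the record is read back. The key, the record and its field names are
constructed for this example. HMAC provides integrity and authenticity
only; the encryption at rest the plan requires is a separate control.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

Record = Dict[str, Any]


def canonical_bytes(record: Record) -> bytes:
    """Serialize the record deterministically so the same content always
    produces the same tag regardless of field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: Record, key: bytes) -> Dict[str, Any]:
    """Return the record bundled with its integrity tag."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: Dict[str, Any], key: bytes) -> Optional[Record]:
    """Return the record if its tag is valid under the key, otherwise None.

    compare_digest is used so the comparison does not leak timing."""
    record = sealed.get("record")
    tag = sealed.get("tag", "")
    if not isinstance(record, dict) or not isinstance(tag, str):
        return None
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return record


def tampering_detected(record: Record, key: bytes, field: str, new_value: Any) -> bool:
    """Seal a record, alter one field on the stored copy, and report whether
    verification catches the change."""
    stored = seal(record, key)
    stored["record"][field] = new_value
    return verify(stored, key) is None


# Constructed sample data, not real client information.
SAMPLE_KEY = b"constructed-example-key-change-in-production"
SAMPLE_RECORD: Record = {"client_id": 1042, "name": "A. Example",
                         "phone": "+27-00-000-0000", "payment_due": 12500.00}
```

The key must be kept apart from the records it protects (for instance in the device's keystore or a central service), since anyone holding the key can re-tag a modified record; that is the reason the plan pairs integrity checks with access control and separate passwords for corporate data.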

Security strategy

Physical security

Physical security controls and measures are key to protecting Timelinx's IT infrastructure and to guaranteeing the system's confidentiality, integrity and availability. To achieve physical security there need to be effective and efficient physical environment controls that prohibit unauthorized entry and access to the core IT infrastructure, though much of the focus is on the data centre. A key security component is a disaster recovery centre that has as much security as the persistent server on site. At the core of every security mitigation, Timelinx should educate its employees and stakeholders about security risks, their exposure, mitigation and future security plans. The location of the recovery site should not be made public knowledge. In cases where there is an electricity outage, Timelinx must ensure there is an alternative power supply to keep the servers running at both the data recovery centre and the on-premises server. The following countermeasures can be taken against potential physical threats.

Smoke detectors and firefighting systems should be serviceable in case of a fire.

Access to the data room should be controlled by a smart card or PIN plus a biometric scan, to ensure only authorized personnel are allowed in restricted areas.

Doors should be strong enough to withstand forced entry with other deterring mechanisms such as sliding doors and screen bars.

A security guard should be stationed at the site.

Surveillance cameras and sensors should be implemented to record and monitor activity around and within the data centre.

The perimeter should be fenced with an electric fence or other barriers that deter intruders by threatening bodily harm.

Secure entry points with locks as a physical security countermeasure.

Conduct security risk awareness programs after every three (3) months.

Mobile devices management

Mobile devices are now part of the IT infrastructure, and companies should include mobile devices in their security management strategy. The security staff's scope of work has to consider the mobility threats that come with mobile devices. Mobile devices include laptops, smartphones, iPhones, web cameras, iPads and tablets, and storage devices such as USB memory sticks, compact discs and DVDs. The following countermeasures can be applied against threats to mobile device security.

Laptops should be locked with a laptop cable lock at all times in the office.

Employees should not leave any of the mobile devices unattended unless they are in a secure position.

Devices should only be registered to one person and should be used for individual purposes.

When travelling with a car, mobile devices must be kept in a locked drawer or boot.

If security at home is not guaranteed, devices must be left secure at the office.

Devices should have a screen lock password and the password must not be given to anyone.

Devices will be given protective casing to protect the devices from falling.

Lost or stolen devices should be reported within twenty-four (24) hours.

Personnel must be trained on how to use mobile devices and must go through security procedures to ensure compliance.

Mobile device data security

Mobile devices have now become essential to business operations. They may be small and easy to carry around, but their processing power and storage capabilities have grown large enough to host business data and its processes. However, these developments come with their own risks: mobile devices can be sneaked in and out of the building with company data, and they can easily be stolen and expose company data to an attacker. Mobile devices are constantly subject to a multitude of threats aimed at gaining access to restricted information. These devices constantly have access to corporate information, leading to data manipulation and transfer threats. To counter the threats against mobile device data, the following countermeasures are applicable:

Devices should always run on the latest software

Devices should be scanned for viruses, worms and Trojans whenever they try to access the company network.

Devices should have an updated antivirus, spyware and malware running to counter attacks.

Devices should be encrypted and linked to device management systems for easy and central device management.


Device password attempts must be set to a maximum of three (3), and the device should erase its data after unsuccessful tries.

Android devices should be kept on modern and current software, i.e. Android Oreo (8.0) and above.

Devices should be registered to the company network infrastructure before use.

Access to the network should be through a VPN or a secure form of connection.

Devices should be configured to apply the same rules of system authorization and authentication.
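The two countermeasure lists above (mobile device management and mobile device data security) read naturally as a compliance check that an EMM tool or a network admission control would run before a device is allowed onto the company network. The block below is an added example written for this plan, not code from the original document or from any EMM product; the inventory field names and the sample devices are constructed assumptions.

```python
"""Mobile device compliance check against the countermeasures above.

Added example (not code from the original plan or from any EMM product):
evaluates a constructed device inventory against the rules listed above
(current OS, Android 8.0 or later, current anti-malware, encryption and
EMM enrolment, registration before network use, VPN-only access, a
maximum of three password attempts with wipe on failure, and a screen
lock). The inventory field names and sample devices are assumptions.
"""
from typing import Dict, List, Tuple

MIN_ANDROID_VERSION = (8, 0)   # Android Oreo, as required above
MAX_PASSWORD_ATTEMPTS = 3      # three (3) attempts, then wipe


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.1.0' into (8, 1, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def evaluate_device(device: Dict[str, object]) -> List[str]:
    """Return the list of policy violations for one device (empty = compliant)."""
    findings: List[str] = []
    if device["os"] == "android" and parse_version(str(device["os_version"])) < MIN_ANDROID_VERSION:
        findings.append("android version below 8.0 (Oreo)")
    if not device["os_up_to_date"]:
        findings.append("operating system not on latest software")
    if not device["antimalware_current"]:
        findings.append("anti-virus/anti-malware not up to date")
    if not device["encrypted"]:
        findings.append("storage not encrypted")
    if not device["emm_enrolled"]:
        findings.append("not linked to device management")
    if not device["registered"]:
        findings.append("device not registered with company infrastructure")
    if device["network_access"] != "vpn":
        findings.append("network access not via VPN")
    if not device["screen_lock"]:
        findings.append("no screen lock password")
    attempts = device["max_password_attempts"]
    if attempts is None or int(attempts) > MAX_PASSWORD_ATTEMPTS or not device["wipe_on_failed_attempts"]:
        findings.append("password attempts not limited to 3 with wipe")
    return findings


def network_admission(inventory: List[Dict[str, object]]) -> Dict[str, bool]:
    """Decide, per device id, whether it may join the company network:
    only devices with no findings are admitted."""
    return {str(d["id"]): not evaluate_device(d) for d in inventory}


# Constructed inventory: one compliant laptop and one non-compliant phone.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"id": "lap-01", "os": "windows", "os_version": "10", "os_up_to_date": True,
     "antimalware_current": True, "encrypted": True, "emm_enrolled": True,
     "registered": True, "network_access": "vpn", "screen_lock": True,
     "max_password_attempts": 3, "wipe_on_failed_attempts": True},
    {"id": "and-07", "os": "android", "os_version": "7.1.2", "os_up_to_date": True,
     "antimalware_current": True, "encrypted": False, "emm_enrolled": True,
     "registered": True, "network_access": "wifi", "screen_lock": True,
     "max_password_attempts": 10, "wipe_on_failed_attempts": False},
]
```

Returning the full list of findings rather than a single pass/fail lets the IT professional tell the device owner exactly what to fix, and the same function can be run over the whole inventory during the twice-yearly audit.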

BYOD management

Most companies are pushing towards "Bring Your Own Device" (BYOD) at work, given that we are in a connected world where information is easily accessible on mobile devices. The argument for it is that employees take work with them wherever they go; emails, instant messages and workflow approvals are some examples of work that comes through mobile devices. The concept of BYOD has led to positive benefits in companies where it has been properly implemented. Timelinx should make sure BYOD is properly managed with adequate and fitting policies based on the company's environment.

Personal devices will have to be registered with the company's infrastructure. An Enterprise Mobility Management (EMM) tool can be used to manage device security and availability. Though mobile devices have processing power and large storage capacity, they hardly have enough power reserves to run EMM tools efficiently. Users may refuse to have EMM tools installed on their devices, and Timelinx will have to address these issues accordingly.

A cloud interface is another way of managing security flaws in BYOD: the device will not store or process any data, the cloud services will. Other security risks posed by BYOD will be mitigated through the use of Internet-based services. System controls that reduce the volume of data stored on a physical device should be in place, since they reduce the data exposure in cases where the device gets stolen.

Employees should be willing to have company security tools installed on their devices if they are to use them for work purposes. Devices with low processing power should not be included in the BYOD strategy. To protect data on BYOD devices, the IT professional must act tactically with current mitigation tools and continuously check the security flaws that BYOD exposes. BYOD security risks must be understood throughout the organizational hierarchy, and combating BYOD risk should not be left entirely to the IT professional alone; the Director and his management team should also be involved.

Compliance and legal standards

IT law compliance

Timelinx operates in South Africa (SA) and is governed by the laws of SA. Both the technical and the functional security measures taken by Timelinx to protect against malicious attacks and unauthorized access are expected to comply with the IT laws of SA. The organization should avoid any breach of the regulatory and contractual obligations issued by SA legislators. Foreign legislation should be considered in areas where Timelinx has business in other countries interfacing with SA. Expert legal advice should be sought to clarify legal issues where the company is in doubt.

There are a couple of acts that are key in South Africa, and Timelinx should be in a position to comply with them at all times; failure to comply carries the risk of a fine or a jail term for the executives, as stated by the SOX Act. Some of these acts are listed below:

Protection of Personal Information (POPI) Act – Timelinx should manage and store the customer information it captures securely, away from unauthorized access and hackers. Sensitive information such as bank details, home addresses, cell phone numbers, email addresses and other related information that can be used to describe or get hold of a person should not be exposed, especially without the consent of the owner. POPI insists on information privacy; by following the above sections of this security policy, Timelinx will be able to keep all the collected information secure and maintain its integrity. Breach of the POPI Act carries a maximum penalty of a R10 million fine, or imprisonment for a period not exceeding 10 years, or both a fine and imprisonment.

Computer Misuse Act – Timelinx should watch out for illegal use of its machines. This act regards computer misuse as unauthorized access to computers and unauthorized modification of data and software applications. Misuse has a fine and jail time linked to it. Computer misuse can be with intent to cause harm or to access unauthorized information, through recklessness, or sometimes without knowledge of the act, i.e. botnets. Timelinx should regularly perform a system usage audit to assess whether computers are being used legally within the guidelines and provisions of the company. Programs that run on company computers should only be company property and not for any personal use.

Copyright Protection Act – In cases where Timelinx has developed its own computer programs and would like to obtain copyright, the Companies and Intellectual Property Commission is an organization that assists with copyright registration. Besides registering Timelinx's own computer programs, the company needs to make sure it complies with the copyrights of its software suppliers. Timelinx should keep the licences it owns on file and make sure they are renewed on time to avoid penalties and unnecessary inconvenience. The use of software outside its copyright terms constitutes a civil or criminal breach which, if the company is found guilty, will result in a fine, a jail term or both.

One of the major compliance issues in SA is the Disability Discrimination Act. If Timelinx employs a person with a disability, it needs to comply with the provisions on goods, services and facilities that accommodate the disabled individual.

Compliance with these acts should be confirmed through an internal audit, since changes to them can be effected without consultation. Management should constantly research changes in the environment and implement all the changes necessary in order to comply.

IT control and audit

IT audit and control are key to the delivery of Timelinx's business objectives. Most companies that get compromised failed to identify their weaker points before the attack. IT audit is critical in the evaluation of Timelinx's information security strategy and policies; it evaluates the controls around the information infrastructure with respect to CIA. Timelinx should do an internal IT audit twice a year to go through computer vulnerability assessments, or even three times a year based on current environmental needs or the country's legislation. An audit will assist Timelinx in coming up with responses such as the lag time from attack detection to response and the deterrence mechanisms available to minimize the risk of a successful attack, and it will reveal to Timelinx the vulnerabilities existing in the system.

Timelinx's audit should look into the organization's BYOD implementation, its impact on the organization and employee behaviour towards the BYOD concept. The control results should show whether BYOD policies and strategies are being properly implemented and properly embraced. The devices should be accounted for and assessed for possible vulnerabilities and threats to the organization. Timelinx can perform an audit exercise that includes grey-box assessment, black-box assessment and configuration review.

Another key audit and control factor will be the assessment of Timelinx's security and privacy, where the audit will reveal the fundamentals of the organization's authentication and authorization. Service Level Agreements (SLAs) can be reviewed during an audit together with the control process, and where SLAs are absent but critical, the internal audit should be able to identify the gap and motivate for the implementation of SLAs.

Criteria certification

Although compliance certification is not a requirement in Timelinx's industry, it is highly recommended. A compliance certificate gives a competitive advantage and gives investors confidence in the market. ISO/IEC 27001 certification provides assurance to both stakeholders and customers that their information is secure and that a standard risk management strategy is in place. The criteria may differ depending on the certification being pursued. ISO/IEC 27001 has a worldwide standard for its certification, giving every certified organization the same benchmark. In most certifications, the initial step is a gap analysis, where a representative goes through Timelinx's systems and model of operation and then compares them with the certification standard, i.e. ISO/IEC 27001. After the gap analysis follows a formal assessment, where representatives from the certification body and Timelinx identify the sections of the certification already implemented and the ones still to be implemented.

Once certification has been granted, it will be valid for a number of years; ISO/IEC 27001 certification, for instance, is valid for three years. During the validity period, the certification body will pay regular visits and stay in touch with Timelinx to ensure the certification is upheld.


Risk analysis and assessment

Timelinx, like any other organization, is exposed to external environmental and internal threats. IT is exposed to a number of dynamic vulnerabilities that may affect the achievement of the company's objectives. A process of risk analysis and assessment gives management and the stakeholders an overall understanding of the organization's risk appetite. Following a good risk assessment and analysis, Timelinx can easily structure a risk management procedure for each risk through avoidance, transfer, acceptance, exploitation or mitigation.

The process of risk assessment and analysis is to be conducted by Timelinx's internal staff. Experts can be consulted as and when necessary, so as to limit the effects of brain drain and of employee exclusion from important company projects, which may result in disgruntled employees. Timelinx should follow an international standards framework that suits its environment and business model, based on a five-year roadmap as per the company's mission statement or at the board's discretion. Risk assessment tools can be used in isolation or in combination, i.e. OCTAVE and ISO/IEC 27001.

The OCTAVE Allegro assessment should be repeated every time there is a significant change in the information asset risk environment. OCTAVE Allegro can be the tool of choice, since it covers most of the risk assessment needs of an already running organization such as Timelinx, for implementing and developing mitigation plans for resources already in operation. Timelinx management should define the scope of a risk assessment project, gather a team from among the employees, and give the team both the responsibility and the authority to perform risk management tasks. As the initial steps, the risk team should define the information assets that fall within the risk scope and the owners of those information assets. On identification of the key assets, the risk team should assess the value of the assets to the company and their contribution to the value chain. From the list of important technological assets, a structured risk assessment should be performed. The risk team should gather as much information as it can on the critical assets identified in the previous steps. The initial risk processes are repeated for each identified technology/information asset.

In conducting the risk assessment, the risk team should be aware of human threats. OCTAVE Allegro recognizes human actors as the origin and basis of information asset risks. Human actors using technical means can be accidental or deliberate; this is an attack that requires direct human involvement in its creation. For most accidental attacks within Timelinx, management can conduct awareness training and workshops regularly.

Risk management should be an organization-wide effort, not a function set aside for a single individual or part of a group. The other human threat is physical, which requires unauthorized access to an information container through force or the use of social engineering skills. Insurance and other physical deterrence mechanisms can be implemented as part of a mitigation strategy.

Besides the technology assets, there are information containers responsible for information storage, processing and transportation. A process of mapping information assets to information containers is critical for the identification of vulnerability boundaries and asset threats. The risk team will then identify the risks that may affect each asset. All threats and their consequences should be documented; each threat scenario should match a consequence detailing the company's financial impact. Financial impacts can be estimated using methods such as Annualized Loss Expectancy or Single Loss Expectancy.

After the risk assessment steps comes risk analysis, a complex undertaking. Analysis depends on personal skills, experience and external consultation on grey areas. Risk analysis is where the risk team will decide on the risk management methods, i.e. avoidance, transfer, acceptance, exploitation and mitigation. Risk will be classified as high, low or moderate based on its impact on the core processes of Timelinx. Risks are given scores based on the probability of occurrence, the magnitude of the operational effects and the risk appetite of the company. Scoring of risk should be governed by Timelinx's mission statement and objectives for the period of assessment and analysis. Risks should be described by their threat scenario and resultant consequence, and these consequences should be matched to an impact area with its own impact score.
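The quantities named in the two passages above (Single Loss Expectancy, Annualized Loss Expectancy, a probability-times-impact score, and a high/moderate/low classification that feeds the choice of treatment) can be carried through for a set of threat scenarios as follows. This is an added example written for this plan, not code from the original document or from OCTAVE Allegro; the scenarios, Rand values, exposure factors, rates, score thresholds and the treatment rule are constructed assumptions.

```python
"""Risk quantification for the assessment and analysis steps above.

Added example (not code from the original plan or from OCTAVE Allegro):
computes Single Loss Expectancy (SLE = asset value x exposure factor),
Annualized Loss Expectancy (ALE = SLE x annualized rate of occurrence)
and a qualitative score (probability x impact) for each threat scenario,
classifies each as high, moderate or low and suggests a treatment. The
scenarios, Rand values, rates, score thresholds and treatment rule are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

HIGH_THRESHOLD = 15      # assumed: probability x impact >= 15 is high
MODERATE_THRESHOLD = 8   # assumed: >= 8 is moderate, anything lower is low


@dataclass(frozen=True)
class ThreatScenario:
    asset: str
    threat: str
    consequence: str
    asset_value: float      # value of the asset in Rand (assumed)
    exposure_factor: float  # fraction of the value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents/year)
    probability: int        # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)


def single_loss_expectancy(s: ThreatScenario) -> float:
    """SLE: expected loss from one occurrence of the scenario."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: ThreatScenario) -> float:
    """ALE: expected loss per year, used to size a mitigation budget."""
    return single_loss_expectancy(s) * s.aro


def risk_score(s: ThreatScenario) -> int:
    """Qualitative score: probability of occurrence x magnitude of impact."""
    return s.probability * s.impact


def classify(score: int) -> str:
    """Map a score to the plan's high / moderate / low classes."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MODERATE_THRESHOLD:
        return "moderate"
    return "low"


def suggested_treatment(s: ThreatScenario) -> str:
    """Assumed decision rule mapping the class to the plan's treatment options:
    high -> mitigate, moderate -> transfer (e.g. insure) or mitigate,
    low -> accept. The risk team still makes the final call."""
    level = classify(risk_score(s))
    return {"high": "mitigate", "moderate": "transfer or mitigate", "low": "accept"}[level]


def rank(scenarios: List[ThreatScenario]) -> List[Tuple[str, str, int, str, float]]:
    """Return (asset, threat, score, class, ALE) rows, highest risk first;
    ties on score are broken by the larger expected annual loss."""
    rows = [(s.asset, s.threat, risk_score(s), classify(risk_score(s)),
             annualized_loss_expectancy(s)) for s in scenarios]
    return sorted(rows, key=lambda r: (r[2], r[4]), reverse=True)


# Constructed scenarios for Timelinx's assets (values are illustrative only).
SAMPLE_SCENARIOS: List[ThreatScenario] = [
    ThreatScenario("booking system", "ransomware outage",
                   "system unavailable, lost bookings", 2_000_000, 0.25, 0.5, 4, 5),
    ThreatScenario("client database", "data theft by outsider",
                   "POPI penalty and reputational damage", 1_500_000, 0.60, 0.2, 3, 5),
    ThreatScenario("staff laptop", "theft from vehicle",
                   "device and local data lost", 20_000, 1.0, 2.0, 4, 2),
    ThreatScenario("kiosk link", "misconfigured VPN",
                   "temporary loss of kiosk connectivity", 50_000, 0.1, 1.0, 2, 2),
]
```

Keeping the thresholds as named constants makes the risk appetite an explicit, reviewable input: changing them is the board's decision, not the risk team's, and the same scenario list can be re-scored after each significant change in the asset environment.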

Companies will put mechanisms in place to guard against data breaches through the general use of firewalls and other available technologies. Yet hackers keep finding ways to gain access or to disrupt the business process. These attacks can be devastating, to the point where some companies lose business value and company reputation. The kinds of losses that can be experienced include, but are not limited to:


system unavailability and downtime;

business being held to ransom;

loss of revenue;

loss of data;

reputational damage and costs associated with reducing the impact of a breach;

loss of competitive advantage;

industry and regulatory fines and penalties; and

litigation arising from compromised data.

Timelinx can transfer risk to other parties such as insurers, customers, third parties and other stakeholders. Based on the risk analysis activity, decisions can be taken to take out insurance against property damage and loss. Information assets can be insured against cyber-attacks, given that there are enough deterrence procedures to warrant such insurance. Timelinx should get insurance for:

• Multimedia liability

• Security & privacy liability

• Data recovery & loss of business income

• Technology & miscellaneous Errors & Omissions

• Crisis management costs

Further research can be done to understand the terms and benefits of particular risk insurance products. In the event of an information asset breach or failure, Timelinx will incur recovery costs, and these can be offset by the insurance.

Network security



Penetration testing and usable security

Digital rights protection

Executive summary conclusion

