Management of Information Security and Control

Abstract

Information is a very important ingredient of any organization, because no business can operate without it. In the current business environment, where computers have interconnected businesses and transactions are no longer carried out on paper, the information system has become a central part of an organization. Therefore the management of information should be one of the priorities if the organization is to be successful. At the same time, concern for information security has risen in the recent past. In some businesses the need to protect information assets has even surpassed that of physical assets. This is because any business in the current information environment that intends to be competitive and sustain growth must be ready to develop, exploit and protect its information assets (Kadam, 2002).

However, research has shown that most managers and employees do not regard information security as a primary priority, largely because it does not seem to have a direct impact on effectiveness and efficiency. This calls for training to create awareness of its importance and its roles. Each level of management should be given specialized training on the relevance of information security at that level, and the link between the training and the organization's needs at each level should be established. In addition, the training should be customized to focus on specific security issues (Isaca, 2010).

Lastly, an organization's security-related failures can be very costly. These costs can be recovery costs or reputation costs. When an organization's system is easily accessed by intruders, it loses the confidence of the public, and as a result customers will be reluctant to deal with it. Therefore it is important that an organization invests in the design and development of an effective information system. This calls for the organization to develop an information security policy, which defines its information system and the access to its information property, and explains the control measures that are appropriate for the organization. As a result the company will increase its efficiency in managing its information assets (Kadam, 2002).

Information Security Needs of an Organization

This refers to the reasons why an organization may find it necessary to have information security and control. They are as follows. First, to protect the functionality of the business, because when operations are interrupted, costs that could otherwise have been avoided are incurred. Organizations need a system that ensures operations are carried out smoothly, which means there are no interruptions and work goes according to plan. Therefore the general manager and the IT managers need to design and implement an information system that keeps out intruders as well as the human errors that might interrupt operations (Whitman & Mattord, 2008).

Secondly, organizations need to ensure that their operational applications are safe. These applications include electronic mail, operating system platforms and instant messaging. The laws governing information security award damages to the plaintiff, and these damages are at times punitive. Therefore any organization needs to ensure that its information system cannot be used to infringe other people's rights, as this will be very costly to the organization. This means that all information system applications need to be assessed to ensure that they do not pose a security threat to users (Whitman & Mattord, 2008).

Thirdly, there is the need to safeguard technology assets in order to sustain growth. As an organization grows it needs secure software and infrastructure that help it to sustain that growth. For instance, an organization may develop innovations that give it an edge over its competitors, so its networks must grow to accommodate its changing needs. Otherwise competitors will easily gain access to its new technologies and use them to outdo the company. The assets to protect include manufacturing procedures, chemical formulae and technological innovations (Kouns & Minoli, 2010).

Fourthly, there is the need to protect the data that organizations use. An organization cannot effectively plan and deliver value to clients if it loses its record of transactions. Any business entity, government agency or other institution operating in the modern business environment, where responsive services depend on information systems to support transactions, must protect its data. For that data to be reliable, the management needs to ensure that the processes of collection, storage and usage cannot be interfered with. Otherwise the decisions made will not be effective or even beneficial to the organization (Kouns & Minoli, 2010).

Types of Threats Involved in the Management of Information Security and Appropriate Control Measures

A threat is any entity – person or object – that poses a security risk to an organization's assets. Various threats face the information, systems and people of an organization, so the management needs to be aware of the transport, processing and storage systems that need protection from them. For instance, when an organization connects to the internet, threats originating from external sources are bound to increase. Various categorizations show the types of threats and which part of the organization each threat affects. However, each organization needs to find out the priority threats that it needs to deal with. The prioritization will depend on the security situation of its operating environment, the exposure levels of its assets and its risk strategy (Whitman & Mattord, 2008).

The categories of threats include acts of human error, which refers to acts done without malicious intent. People are likely to make mistakes when using information systems. This may be due to inadequate training, making incorrect assumptions or working under fatigue. Employees feature among the greatest security threats, because they use the organization's data on a daily basis, making them the closest threat agents. This means that their mistakes can undermine the integrity, availability and confidentiality of data, and can pose a threat to the organization or to outsiders. For instance, they can accidentally reveal classified information, or delete or modify data (Whitman & Mattord, 2008).

Most mistakes can be prevented by carrying out continuous awareness activities and training, and by setting up controls. The controls can range from requiring a user to type an important command twice to requiring that a particular command be verified by a second party. The second category of threat is deliberate acts of trespass. This refers to an act where an unauthorized individual intentionally gains access to an organization's protected information. Although some information gathering techniques are acceptable, some information gatherers use techniques that are beyond the legal or ethical threshold. Some of these attacks can cost the firm financially or dent its reputation with clients. This threat can be countered by putting up controls that notify a trespasser whenever they try to access unauthorized areas. Valuable information and systems can also be protected by using sound authentication and authorization principles. Such controls use multiple factors or layers to prevent unauthorized users from gaining access (Alberts & Dorofee, 2002).

Forces of nature, or acts of God, are another form of threat. These threats are very dangerous as they usually take place with little or no warning. They can interfere with stored data, its transmission or its usage. They include the following. Fire, which can burn down the building that houses part or all of the information system. Secondly, there are floods, which refer to water overflowing into areas that are expected to be dry under normal circumstances. This can destroy part or all of the information system and can also prevent access to the building that houses the system. Thirdly, there are earthquakes, which refer to an abrupt shaking of the earth's crust as a result of volcanic activity below the earth's surface. This directly affects the system, as it can destroy part or all of the system as well as the building where the system is housed (Vacca, 2009).

Lastly, there is lightning, which refers to a sudden natural electric discharge within the atmosphere. This also has a direct effect on the system, as it can destroy part or all of the system or its power components. None of these risks can be controlled per se; however, they can be mitigated by purchasing insurance policies that address each of these risks (Vacca, 2009).

A software attack is another information security threat, in which an individual or group creates malicious code or malicious software to attack an organization's information system. These programs are designed so that they can damage the target systems or deny access to them. They take various forms, which include viruses, which are software that attach themselves to other programs and can destroy the system when activated. Viruses can be controlled by using anti-virus software, which prevents them from accessing a computer system. Secondly, there are worms, which are able to replicate themselves many times until they fill the computer's memory. Anti-virus software can also be used to control them, as it is capable of detecting them and inhibiting their activity (Vacca, 2009).

Technical hardware failure is another type of threat, whereby an organization purchases equipment that has a defect from the manufacturer. The defect can be known or unknown. Such flaws can result in unexpected behaviour of the system, such as unreliable service, and can therefore lead to losses to the organization, some of which are irrevocable. The best control measure is to ensure that the organization purchases from reliable vendors who offer quality products with guarantees. However, it is also important that regular check-ups and servicing of the equipment be carried out, so as to detect defects in advance and correct them (Vacca, 2009).

Risk Management

Before defining risk management it is important to define the key terms that make up its definition. First, a threat refers to any event, object or circumstance that has the possibility and capability of adversely affecting an organization's asset, through destruction, denial of service or unauthorized access. Secondly, a vulnerability refers to the existence of a weakness in design or implementation, or an error, that can result in an undesirable or unexpected event which may compromise the security of the information system. Risk management, then, is a process whereby vulnerabilities, threats and the potential impacts that result from security incidents are evaluated against the costs of implementing safeguards (Alberts & Dorofee, 2002).

Risk management strategies are developed and implemented so as to reduce adverse impacts and to provide a framework for making consistent decisions about risk mitigation options. Risk management is broadly divided into two phases. The first is risk assessment, which involves identifying threats and assessing the possibility and ability of those threats to exploit some vulnerability of the organization, as well as the impact in the event that the threat materializes. The second phase is risk treatment, which involves responding to the risks that have been identified. Risk management is important to the organization because it helps the management to determine the protection needed by various assets at the most efficient cost. Investment in risk management is beneficial both now and in the future, and to everyone that deals with the organization (Alberts & Dorofee, 2002).

Risk Assessment

This process has various stages. First is the identification of assets: here the assets of the organization are identified and their value is determined. Secondly, there is the identification and assessment of threats. This has several steps: identifying the categories of threats, and the adversaries that pose the threats as well as their motives. For instance, they can be terrorists who want attention, political activists fighting for some rights, or disgruntled employees who feel wronged by the company. It can be a criminal whose primary goal is money, or a psychotic whose motive is unclear. The next step in the assessment of threats is determining the adversary's capability, how frequently the threat can occur and the extent of damage it can cause to the related asset (Kouns & Minoli, 2010).

When documenting adversaries it is important to consider their technical and human capabilities as well as their modes of operation. This includes the parties that are able to cooperate with them and how easily they can communicate with them. Since threat is the most difficult element to assess, it is important that both facts and assumptions are recorded. Lastly, there is the determination of the vulnerability level of each of the assets that need protection. Here an in-depth knowledge of the capabilities of the countermeasures that an organization has is important, so that an appropriate scale can be developed for measuring vulnerability (Kouns & Minoli, 2010).

The third stage of risk assessment is analytical risk management. Here the threats and vulnerabilities are evaluated with respect to the respective assets, so as to provide an expert opinion on the possibility of loss and its impact as a guideline for action. In order to assess the risk effectively and to determine what to prioritize in asset protection, one should do the following. First, estimate the level of impact the undesirable events would have on each target asset. This involves reviewing the impacts based on the information acquired on vulnerabilities and threats; as a result the ratings can either increase or decrease (Calder, Watkins & Watkins, 2010).

Secondly, estimate how likely an attack from each potential threat is to occur. This involves evaluating the adversary's capabilities, intentions and history, after which ratings are assigned to determine the most and least likely threats. Thirdly, estimate the probability that a given vulnerability will be exploited by a given threat, reviewing the vulnerability ratings that were done previously. Armed with the information from all of these ratings, an overall level of risk for the information system is determined, and measures to be taken are suggested (Calder, Watkins & Watkins, 2010).

Risk Treatment

This is the ultimate goal of risk management, as the information from the assessment stage is used to determine the appropriate treatment measures that will be implemented. There are various options available for treating risk: it can be reduced, avoided, accepted or transferred, and a combination of more than one option is also possible. Various factors determine which options to pick: the cost incurred each time the event associated with the risk happens, the expected frequency with which it will happen, the attitude of the organization towards risk, the availability of resources and the current priorities of the organization concerning technology (Roper, 1999).

When an organization chooses to reduce risk, it has to choose whether to reduce the chances of the threat occurring, reduce the chances of the adversary exploiting the vulnerability, or reduce the effect of the threat should it succeed. The organization can also choose to accept the risk when reducing it is not possible; this includes cases where no appropriate measures exist, or where the cost of the measures outweighs the losses they would prevent. In cases where the risk cannot be reduced to acceptable levels it can be transferred to a third party, for instance to an insurance firm, by buying a policy that protects the property against the threat (Roper, 1999).

Risk avoidance is another option, whereby the firm chooses to avoid all business dealings associated with the risk. After identifying the risk treatment decisions to use, the next step is implementing them. This is followed by the monitoring and reviewing stage, which is a continuous process as long as the organization is in operation. Risk cannot be eliminated completely; it can only be minimized to acceptable levels. What remains after minimization is referred to as residual risk. There is a chance that the residual risk can grow to unacceptable levels, which shows another reason for monitoring and reviewing (Roper, 1999).
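The assessment steps (impact, likelihood and vulnerability ratings combined into an overall level of risk) and the treatment decision (reduce, accept, transfer or avoid, weighed against the cost per event, expected frequency and safeguard cost) can be carried through on a small risk register. The following is an added worked example, not part of the original essay and not drawn from any of the cited authors: the 1-5 rating scales, the acceptable-risk threshold, the asset names, costs and frequencies are all constructed assumptions for illustration.

```python
"""Risk register: assessment scoring, treatment selection and residual review.

Added example, not from the original essay. Rating scales, the threshold
and every asset, cost and frequency figure are constructed assumptions.
"""
from dataclasses import dataclass

RISK_ACCEPTABLE = 30.0  # assumed threshold: scores at or below this are tolerated


@dataclass
class Risk:
    asset: str
    threat: str
    impact: int             # 1-5: severity of the undesirable event on the asset
    likelihood: int         # 1-5: how likely the adversary is to attempt the attack
    vulnerability: int      # 1-5: probability the vulnerability is exploited
    loss_per_event: float   # cost incurred each time the event happens
    events_per_year: float  # expected frequency of the event
    safeguard_cost: float   # yearly cost of the best available reduction control
    reduction: float        # fraction of the risk the control removes (0..1)
    transferable: bool = False  # an insurance policy exists for this threat

    def score(self) -> int:
        """Overall level of risk: product of the three ratings (1..125)."""
        return self.impact * self.likelihood * self.vulnerability

    def expected_annual_loss(self) -> float:
        return self.loss_per_event * self.events_per_year

    def residual_score(self) -> float:
        """Risk that remains if the reduction control is implemented."""
        return round(self.score() * (1.0 - self.reduction), 1)

    def reduction_pays_off(self) -> bool:
        """A safeguard is worth it when it costs less than the loss it prevents."""
        return self.safeguard_cost < self.expected_annual_loss() * self.reduction


def choose_treatment(r: Risk) -> str:
    """Accept, reduce, transfer or avoid, in the order the text describes."""
    if r.score() <= RISK_ACCEPTABLE:
        return "accept"           # already tolerable, no spend needed
    if r.reduction_pays_off() and r.residual_score() <= RISK_ACCEPTABLE:
        return "reduce"           # control is cost-effective and sufficient
    if r.transferable:
        return "transfer"         # cannot be reduced to acceptable level: insure
    if r.reduction_pays_off():
        return "reduce"           # partial reduction; residual must be monitored
    return "avoid"                # no affordable control and no transfer option


def treatment_plan(register):
    """Rank risks by score and attach a treatment and residual risk to each."""
    plan = []
    for r in sorted(register, key=lambda x: x.score(), reverse=True):
        treatment = choose_treatment(r)
        residual = r.residual_score() if treatment == "reduce" else float(r.score())
        plan.append({"asset": r.asset, "threat": r.threat, "score": r.score(),
                     "treatment": treatment, "residual": residual})
    return plan


def needs_review(plan):
    """Reduced risks whose residual still exceeds the acceptable level."""
    return [p for p in plan
            if p["treatment"] == "reduce" and p["residual"] > RISK_ACCEPTABLE]


# Constructed sample register (figures are invented for the example)
REGISTER = [
    Risk("customer database", "deliberate trespass", 5, 4, 4, 50_000, 0.5, 8_000, 0.7),
    Risk("server room", "flood", 4, 2, 3, 150_000, 0.02, 20_000, 0.5, transferable=True),
    Risk("server room", "fire", 5, 2, 4, 200_000, 0.05, 15_000, 0.5, transferable=True),
    Risk("payroll system", "human error (accidental deletion)", 3, 5, 3, 2_000, 12, 3_000, 0.3),
    Risk("legacy trading module", "software attack (worm)", 5, 5, 5, 100_000, 1, 90_000, 0.5),
]

if __name__ == "__main__":
    plan = treatment_plan(REGISTER)
    for row in plan:
        print(f"{row['score']:>4}  {row['treatment']:<8} residual={row['residual']:<6} "
              f"{row['asset']} / {row['threat']}")
    for row in needs_review(plan):
        print("monitor:", row["asset"], "residual", row["residual"])
```

The ranking puts the worm attack on the trading module first and, because neither the safeguard nor a transfer option is viable, marks it for avoidance; the payroll human-error risk is reduced but its residual stays above the assumed threshold, so it is the one item the review step flags for continued monitoring.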

Conclusion

Every organization has a need for information security and control. Therefore, when designing and implementing the information system, the management must ensure that it meets those needs. An assessment of the organization should be done to find out the needs and to gather the information that will help in addressing them effectively. The assessment will cover the assets of the organization, the threats it faces and its vulnerable areas. As a result the organization will be equipped with adequate information to make effective treatment decisions, which are then implemented. In addition, the system should be monitored and evaluated continuously, to ensure that it is actually meeting the objectives it is meant to meet.
