Analysis of the Case concerning Information Security Management - Essay Example

?INFORMATION SECURITY ASSIGNMENT C3 a) Three things which I would recommend Iris if I were Charlie: To emphasis the need for information security in the organization To make the top management as well as the other employees understand the importance of information security To make the management understand that there is a need for an information security policy. Nowadays, information security has gained so much popularity and in number of cases, it’s giving an extra advantage to organizations. Not only employees need to understand the importance of information technology but top management must be willing to adopt an IT environment in their organization (Chapter 3). Charlie must adopt some personal strategy to make top management realize the need and significance of information technology in their firm. He must explain them the benefits of adopting information security by comparing their firm with other firms. b) The most important advice to Iris: The most important advice is to make the top management understand the need for information security. From the illustration, it is understood that Random Widget Works gives the least priority to information security. Making the management understand its importance will let the management take initiatives for framing new policies and allocating ample resources to give security to data and information. C5 a) Confidential Information Confidential Information denotes the documents that should not be shared with anyone outside the organization. Example Documents that can be classified “Confidential’ Strategic Planning Document Technical documents Information about clients Sensitive Information: Sensitive Information denotes the set of documents that require special attention and have to be prevented from unauthorized access, use or disclosure. Sensitive information can be either confidential or public. However, a high level of integrity is to be maintained in case of sensitive information (chapter 5). Example Documents that can be classified “Sensitive” Annual Reports Financial performance reports Quarterly turnover reports Public Information: Public Information denotes the set of documents that can be accessed by general public. i.e., anyone outside the organization. These documents are open to all. These documents are issued exclusively released with the intention of giving the public some information about the company. Example Documents that can be classified “Public” Profit and loss account statement Balance sheet statement Registration details of the company b) Label scheme to associate with classification system: The security labels are a must for all documents in order to get security clearance. Any security label has the following four components. Security Policy. Classification. Categories Privacy Mark There are different labeling schemes followed by different organizations. However, for Random Widget works, the following schemes would be helpful. Confidential information: Confidential documents must be bound with white cover, with the text “CONFIDENTIAL”, stamped diagonally across the document in red color. Sensitive Information: Sensitive information has to be covered with white wrapper with the text “SENSITIVE” stamped diagonally across the document in yellow color. Public Information: Public documents may or may not have stamps labeled on them. However, a green color stamp will let the user easily identify that the document could be released for public use. C6 a) Incident or Disaster? The current occurrence was just an “Incident” as per Iris’s point of view. According to our case, both Joel and Harry had saved their documents and sent ‘to the print server. There were 80% chances of recovery of data. This would have been called a “disaster”, if there were no chances of recovery of data. Had it been a disaster Iris would have delegated responsibilities to Harry and Joel. Recovery of data holds great significance in organizations as most of the data are confidential and contains secure information that can cause a disaster if dispersed. Harry saved his documents and sent to the printer so there were 80% chances of recovery of data. b) The procedures that Joel could have taken to minimize the potential loss in this incident: Joel would have prevented this from happening, had she taken print out of the documents in advance, by completing them prior to the occurrence of the incident. At least she would have taken a back-up of the work, once she had smelt the occurrence of the incidence. Steps that had to be adopted by Joel, had it been a disaster: Had it been an incident, Joel would have required redoing all the work from the scratch. She would have, however, got an extension for submission of her work, by recording the disaster and the causes of the disaster. It would consume a lot of time if the joe starts work from scratch and they will be 100% chances for his other work to get disturbed. C7 a) Procedure to be followed by Iris in structuring information security policies The following are the three types of information security policies that every organization that intends to offer complete information security must formulate: Enterprise information security program policy Issue-specific information security policies Systems-specific information security policies This was the framework proposed by Mike to Iris. An alternative approach that could be adopted by Iris if the organization did not support the three tier structure is to define a new framework for the policies. This new framework should contain the key issues alone formulated as unique policies. There are several other procedures adopted by different organziation but policy should be designed by eeping an eye on organziation’s strategy, aim and objectives. By implemtning these policies, there would be better chances for getting a secured information system in the organization (Chapter 4). b) Assessment of HR policies by CISO It is the responsibility of an information security professional to be aware of the legal environment in which the workplace operates and how information security is achieved by means of various policies. In order to accomplish this, the information security officer must go through all the policies and procedures that support information security either directly or indirectly. Since Iris has been asked to change the wish list of HR policies, by Mike, she also has the rights and responsibilities to assess the HR policies, in order to, ensure that none of HR policies violate information security. The information security should be implemented properly in order to achieve best outcomes. Information security officer must go through all the policies and strategies while implementing information security system. C8 a) Elements to be considered by department managers in order to evaluate cost incurred in achieving password privacy In order to comply with the new policy related to password privacy, all employees must undergo ample training. Therefore, each department manager must estimate the cost incurred in training the sub ordinates of their department, depending upon the number of subordinates in their department. Besides considering the size of the department the department managers must also evaluate the security personnel budget and security capital budget that is required for implementing password privacy. b) Impact of privacy laws on RWW: It is the rights of an employer to protect the work done by its employees. Laws on privacy affect will require Random Widget works to revise its existing policies. The information security protection policies such as patenting, licensing and copyrights create extra overheads to the employer. The employer must ensure that none of the employees violate the privacy laws. Employer holds complete right on his employees work and once the employee receives his compensation, the work becomes the property of an employer, employee losses the right to reuse his work(Chapter 11). Laws that affect privacy in workplace Federal and state laws affect privacy and secrecy in the workplace. The laws related to intellectual property protection create a great impact on privacy in the workplace. Some specific laws that would affect privacy at Random Widget Works is listed below: Federal Privacy Act of 1974 Electronic Communications Privacy Act of 1986 Health Insurance Portability & Accountability Act Of 1996 Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999 Freedom of Information Act of 1966 Georgia Computer Systems Protection Act Georgia Identity Theft Law C9 a) Model from which Iris drew the checklist The model from which Iris drew the checklist was Role Based Access Control Model. There are several models available but few still have a room of improvement. Iris developed a checklist named Role Access Control Model. He designed checklist by keeping an eye on current policies and the needs of information security in the environment. Iris model contains all essential areas that need to be covered in order to achieve a best output (Chapter 6). b) Next step to be taken by Iris Once Iris receives the completed checklist, she has to find out best practices adopted by each department. She has to record the best practices and circulate it to the other members of the team. She has to identify the areas that need improvement and isolate them. She has to take steps in correcting the weak areas of information security implementation and ensure that sufficient resources are available to accomplish the same. Group communication and team work is the key to success. Without team and proper communication, organizations get failed. Until and unless, employee feels relax in the enviornment, he cannot give his best. After receiving operated checklist, Iris must communicate with the team about the weakness and strengths of the environment. She must takes the team in confidence and let them know which areas needs improvement and how. What participation will be required from team members. She must consult with her top management and let them know all the weaknesses and strengths, must discuss with top management about all points. C10 a) To-do-list of IRIS The To-do-list of IRIS will contain the following items: Evaluation of the current risk management document Identify the areas that are more specific to information security Manipulate the gap between the available and required resources Remove from the existing document, the risk management strategies that are specific tom information security Create a new risk management document that can be applied to the organization on the whole. The above to do list is designed keeping an eye on current needs and requirments of the organization. The to-do list gives an opurtunity to deal with all identified risks, weaknesses and gives a chance to maintain the strengths while using all availbale resources. The to-do-list is defiend by taking in account all available resources (chapter 8). b) Resources that IRIS call upon Iris can make use of information security resources such as hardware, software and other organizational assets, if any. Besides, Iris can also make use of people working in the organization, in order to; revise the existing risk management plan (Chapter 9). C11 a) Process that would have simplified the consolidation of Asset Valuation Worksheet I would have advised Mike to create a worksheet that has some common parameter for calculating Asset value of an Informational Asset. I would have asked Mike to form a standard for the employees to follow in order to find their asset value and train them accordingly. This would have allowed all the managers to calculate the asset value applying the same procedure. Worksheet helps in keeping all track in a sequence, it gives a clear understanding to new ones checking the sheet. If Mike creates a worksheet, it will surely help him a lot in training his employees as per need. By keeping a record he can track the changes and needs required by the employees. Maintaining standards for employees also helps a lot in keeping track on updated changes. Worksheet is easy to maintain and allows a manager to compute asset value for employees. b) Proceeding with the current worksheet With the current worksheet Mike and Iris have to meet each manager in person and identify from them the methods they used for asset valuation. After that they have to convert all the values into some unique form and merge them into uniform list of information asset. There are some parts which consumes time in current worksheet. Mike and Iris work in step with the current worksheet, this time can be saved by developing a new worksheet for various tasks. C14 a) Reply to Cheryl’s question If I were Iris, I would have said Cheryl that he was wrong. I would have insisted him to show me all the applications. Cheryl’s perception towards certification is totally wrong. It doesn’t mean that one who is certified is said to possess a thorough knowledge of a subject. b) Relationship between certifications and experience Certificates stand as important criteria in evaluating a candidate’s application. However, it does not mean that a candidate is said to possess exceeding skills in information security if he or she possesses a certificate. It is that experience that adds value to an individual. Certificates can be cleared by anyone who has the ability to by heart books and code of conduct. However, experience gives the practical knowledge that a person must possess. Only interviewing a candidate in person will let a recruiter evaluate his or her skills. Certificates can serve as value addition to a candidate but do not reflect the candidate’s actual proficiency in job. Read More