Information Technology Security - Essay Example

Name Tutor Course Date Information Technology Security Introduction Information technology security is an essential human insight which is a bit challenging to define and enforce in the Information age. Business Continuity Planning (BCP) works to identify the organization’s exposure to the both internal and external threats and synthesize hard soft assets for the prevention and recovery of the information. Information technology security is a controlling access to sensitive electronic information to ensure that only those with legitimate needs of accessing it are allowed to do so. In the large organizations, information technology is looked at in terms of laptop and desktop computers, routers, switchers and servers which form a computer network. Illegal access to documents or phone conversations is still considered as informational security concern although much of the concern is protection of the computer networks. Contingency of information technology and Business Continuity Planning are some of the most essential aspects of for disaster recovery as well as computer security (Kvavik, p. 84). The essay below considers the key events that might lead to an IT related disaster and provides suggestions on ways through which effects of the disasters might be curtailed. Information Technology Security While the expansion of the market for the technological products and services is considered to be spectacular both at the individual and organizational levels, the knowledge of the ICT issues of security is still lagging behind. This because the individuals may not be aware of the risks associated with serving the internet in the computer sets at home. The aim of the security of the information through the computer is to protect the information or property described by it from theft, natural disaster or corruption. Realization of these risks may also cause the small organizations which are still growing from securing their systems. This is because of the concern to promote information security thus not many people are free to see or access the information (Kouns & Minoli, p. 267-273). The ICT environment is a changing rapidly after the introduction of the new products especially the mobile accessories like cellular phones, laptops and personal Digital Assistants for example that result to various challenges to either the infrastructures or the security of the data. The up-and-coming applications of the computing like e-finance and e-commerce may also end up in the creation of complex environment (Scholl pg f-1). The excess dependant on the digital and computer information systems is very common in the daily activities hence resulting to heavy losses and cessation of economic activities. The Windows operating system assumed to be the most affected since 99% of the malware is either direct or indirect affected. The programs get to the computers by a Trojan which are dangerous as they access and forward all the stored data without the knowledge of the original user. Thus there is need for the processors to be prepared to handle any kind of disaster hence minimize the effects they are likely to cause. Main threats of data disaster Improper use of information systems by the employees and other members of the organizations Viruses, worms and Trojan horses Loss of privacy Spam or mass advertisements through the e-mail Theft of the information Improper use of information systems by the third parties Poor quality of software Physical security According to Rahayu, (p. 175-183), the security of computer focuses on ways of ensuring that the availability and accurate operation of the system of computer without the idea of the data which is being stored or processed by the system. Any organization either government, corporations, military, businesses or financial institutions have a mass of confidential information concerning the management of their organizations that they need to protect from the intruders. Some of this information is what makes them to be unique from the other related organizations thus disclosing them may result to the down fall of the performance. Due to the advancements in technology most of this information are collected, processed and stored in the computers which are connected to the others through local or wide area networks (Tipton & Krause, p. 257-263). This makes it possible for anyone to access the information and should confidential information like the finances of the organization, customers, services or new products line fall in the hands of the competitors, may lead to lose of the job, law suits or bankruptcy. Therefore all the business is required to be keen on the ways of protecting their confidential information (Fink, p. 67). Information security is considered in terms of the challenges faced while trying to balance the demands of the users and the needs for the confidentiality and integrity. For instance the allowance of the employees to access the internet even in the most remote areas enhances the increment of the value of the network as well as the efficiency of the employee. This however can end up opening various vulnerabilities hence creation of difficult security challenges for the administrator of networks (Khosrowpour, p. 506) Ways of reducing risks It is essential to reduce the risks so as to reduce the occurrence of security information disasters which can damage or cause computer disaster. The management of the concern organizations should be aware of some of the most necessary recommendations. Checking the provenance of the email is essential because it helps to get an idea of the content or the origin so as not to open unsafe files. Avoid downloading materials from unsafe sites thus accessing materials which are likely to affect the system, the internet pages are safe and others like business, government and institution sites. The individuals should be always updated on the most recent happenings in information security so as to realize the existence of the most current risks and the possible ways of handling them. Regular backups should be performed on the systems for the security of the data loss which can be caused by viruses. A constantly updated antivirus should and scanning of the computer for the removal of viruses should be considered to keep the system safe from infections and destructions of the stored and processed data. For the maintenance of the operating system, the users should consider the security patches which are released by the manufacturers. The Windows are automated through the use of the Windows update which enables the connection to the Microsoft Website. While purchasing and installing the software, one should consider the licensed ones because the illegal ones are mostly the pirated applications and are at high risks of infection as they are carelessly handled. After installing new software, the program is opened together with the activation of the anti spy for the analysis and scanning of the entire system so as to detect any hidden files. Computer system security involves a collection of processes and mechanisms through which sensitive and most valuable information is protected from publication, tampering or collapsing by unauthorized applications like viruses (Ronald, p. 199). Handling disasters The planning assumptions of the disasters are made to be part of the strategies to manage the project. The most secure operating systems are based on operating system kernel which is assumed to provide certain security policies, for example the computer security policy. Various special microprocessor features of hardware are involved in the strategy of implementing security. This is the foundation of secure operating systems for the assurance of security of the information. The potential risks of causing the disasters should be well handled to prevent the occurrence of any disaster. Regular scanning and backup of the system should be constantly considered to prevent the occurrence of risks like viruses thus crashing the computer system. This may lead to distortion or loss of the important information. In the identification of the vulnerabilities, it is essential to de the timing well so that the managers can be able to plan well and be set to handle any disaster. Planning for the assumptions of disaster involves a pessimistic assessment of the assets which are associated with the project to ensure that they are always in a position to effectively perform their duties. All the workers should have critical knowledge of the operations of the systems so as to be able to detect an occurrence of any disaster hence handle it before the complication worsen Key security elements Logical security It is the requirement of each of the computer to possess the most available and suitable software security patches. For example, installations which support the allowance of the unhampered access of the resources must be configured with all the care that it deserves with the intention of minimizing the risks of the security. Adequate verification and authorization roles should be provided for appropriate use and acceptable levels of risks. Great attention should be given to both the large systems and small or single computers which would comprise a threat to the resources of campus and the off-campus; this includes the efforts to maintain the systems either for the small group or individuals (Dittrich & Saari, p. 245-248). Physical security Proper controls must be applied for protection of physical access to the resources, proportionate to the identified level of the accepted risks. These may differ in scope and complexity from the extensive security installations in the protection of a room or facility which acts as the location for the server materials. This is where the information can be protected from reaching the unauthorized personnel. Privacy and confidential All the applications must be well designed and the computers must be considered for the protection of the privacy and confidentiality of different types of electronic information that they process, this should be relevant to the applicable policies and law. The users who are allowed to access the information should be keen to ensure that it is protected as required by the law and policies, for instance, if sensitive information is moved from a well secured mainframe for the location of the user. Appropriate measures of security should be put in place at the destination computer for the protection of the data in the system. Some technicians are delegated the responsibility of ensuring that there is proper functioning and security of the electronic information, services and resources. The research subjects are not allowed to reach any information that they are not supposed to (Kumar, p. 445). Compliance with law and policies All the departments, units or groups in an organization should institute and maintain guidelines, procedures and appropriate standards for the security of their information. These aspects improve the provisions of this policy and that of the local or area connection of network. The information should be protected from external interference thus transmitting things which can distort the information like worms, viruses and other malicious software. Unauthorized servers should also be protected from accessing this information thus the management should be keen on the information released to the network (Khadraoui & Herrmann, p. 236-245). Basic principles Information security considers confidentiality, integrity and availability as the main principles of the information security (CIA triad). Other principles such as confidentiality, availability, integrity, possession, authenticity and utility were introduced by Donn Parker in 2002 as alternative for CIA triad but this has not been fully accomplished. Confidentiality This term is used in the efforts to prevent to unveil the information especially to the unauthorized people or systems, for instance, the transaction of the credit card in the internet requires the number of the credit card for the transaction from the buyer to the merchant then to the transaction processing network without exposing it to the unauthorized people. For the enforcement of the confidentiality, the systems try to encrypt the number of the cards during the transmission through the limitation of the areas where it might be accessed whether in log files, databases, printed receipts, backups and many other computer facilities. A bleach of confidentiality is bond to occur if unauthorized individuals access information which they are not supposed to. These breaches of confidentiality may take many and differing forms, for example people who eavesdrop the information displayed on the screens of others are likely to get an idea of the most confidential information. Stealing of computers especially laptops containing most confidential information of an organization or individual is also a breach of confidentiality. This is because most of the people who steal or use the stolen computer are unauthorized to access the information contained in it. Some people are likely to bleach information through phone calls especially when communicating to those who are not permitted to get this information. This principle is essential although not enough for the maintenance of privacy of the organizations or individuals whose confidential information is contained in the system (Stolting, p. 117). Integrity The integrity of the security of information means that data is not modified or interfered with its initial form undetectably. This slightly defers with referential integrity considered in databases while it can be seen as a unique case of consistency as explained in transaction processing model. The principle of integrity is violated if a message is vigorously customized in transit. Therefore the systems of information security are supposed to typically provide the integrity of message as an additional of the data confidentiality (Youm, p. 318). Availability The information should be availability for any system to be able to achieve its purpose as required. That is the systems of the computer which are used in the storage and processing of the information, the security controls considered for its protection and the channels of communication considered to access it should be correctly functioning. High availability systems should always remain available every time for the prevention of disruptions of the services as a result of power outages, failures of the hardware as well as system upgrades. Ensuring of the availability also prevents the attacks of the services hence should be considered always (Oliva, p. 52). Authenticity E-Business and security of the information in computing is essential for ensuring that information, transactions, documents or communications are real. It is also essential for legitimacy to legalize the positions of the parties involved to be what they claim to be. Non-repudiation In the legal environment, non-repudiation implies the meaning of fulfilling obligations of an individual or system in a contract. This is especially in the control of the information transfer, that is a party does not deny any information which is sent or received because the system is able to monitor when the information is sent and who receives it. Through the use of technology such as digital signatures and encryption the electronic commerce is able to achieve and maintain non-repudiation and authenticity (Tipton & Krause, p. 318). Risk management According to CISA Review Manual 2006, risk management is the process considered for the identification of vulnerabilities and threats of the resources of information used in an organization for the achievement of the business objectives and decision of what countermeasures. This is done with the efforts of reducing the risks at least to an acceptable level depending on the value of the information resources in the organization. The process of management of the risks must be repeated indefinitely since the environment of business is highly changing with the changes in the technology thus bringing about threats and vulnerability come up almost on daily basis. The choices of the countermeasures or the computers considered in the management of the risks should be considered to strike a balance amidst the cost, productivity, efficiency of the countermeasure and the value of the informational assets which are being protected. Vulnerability is a weakness which could be considered to endanger the informational assets. A threat is anything either natural or manmade which bares the potential of causing harm. If the threat uses vulnerability for the infliction of harm it causes an impact. In the information security context, the impacts result to be a loss of availability, confidentiality and integrity or possibly resulting to other losses like loss of life, income or property (Zhou, p. 214). Security classification for information Hsinchun (p. 27) argues that the most essential factor of information security and that of risk management is the realization of the value of the information to be protected and the definition of the most suitable procedures and protection requirements of the information. It is a requirement for all the information to be allocated a security classification. The first step in the classification of the information is the identification of one member of the senior management as the source of certain information to be classified. Then a classification policy is formulated, this explains various classification labels, describes the criteria for the information and gives a list of the security controls against each of the classifications. The aspects considered in the determination of the classification information include: the value of the information to the organization or an individual concern, the sustainability of the information and whether it is obsolete and the requirements of law and other regulatory. The nature of the security of the information depends on the nature of the organization or the individual it concerns (Virginia. Council on Information Mangement, p. 75-991) All the departments and the members of the organizations must be trained on the classification schema and assurance of an understanding of the essential security controls and the processes of handling each classification. The classification of any particular information is assigned and should be regularly reviewed to ensure that the classification is still suitable for the information thus assurance of the security control as per the requirements of the classification (Isaca, p. 320). Access control This should be considered in the efforts to protect the information from the persons who are not authorized to access the information. Not all the computer programs should be allow the access of the information but those that are allowed in its processing should be authorized to access it and not rely it to the others. It is therefore essential for all the mechanisms to be in place for the protection or control the access to the protected information. The sophistication of these mechanisms should be relevant to the value of the information that is being protected: that is the strength of the mechanism should reflect the sensitivity and value of the information being secured (Kingsbury, p. 234-254). Business Continuity Planning Business Continuity planning (BCP) identifies the exposure of the organization to internal and external threats and synthesizes soft and hard assets in the provision of effective prevention and recovery measures of the information of the organization. This is intended to establish and maintain the continuity of the business even with the existence of a disaster which can be a threat to business. Initially before January 2000, the government anticipated the failures of the computers and called it Y2K problem in the public utility infrastructures like power, banking, telecommunication, financial and health firms. It therefore required the supporting members to exercise operational continuity practices for the protection of the information which bears confidential information concerning the organization (Sangubhotla, p.124-126). The continuity of the business is an activity which is performed mostly by the management of the organization to ensure that the significant functions of the business are and will in future be available to the consumers, regulators, suppliers and other essential business entities that must have access to the functions. This is the information of all the information of the organization including the daily chores like the management, change control, helps desk and system backups. This cannot be implemented only during the time of disaster but should be done on daily basis for the maintenance of services, consistency and recoverability of the business (Fulmer, p. 87). The foundations of this process are program development, standards and supporting policies; guidelines and good procedures are required for the assurance of a firm continuity of the operations of the business irrespective of the adverse events or circumstances. All the systems of the organization should be based on the foundation so as to enhance the efforts of achieving the Business continuity, the recovery of the disaster or the support of the system. Business Continuity Planning is a process of determining the methodologies which should be considered in the efforts to ensure business continuity or conducting the day to day activities of an organization (Doughty, p. 265-273). Standards There are many measures which have come up to test the quality of the services which are offered or considered for the continuity of the business. These are considered to replace the local standards which assess the quality of the services compared to the local expectations of the local government, and the other commissions formed to audit the quality of any activity taking place in organizations (Hiles, p. 123-145). The ISO (International Organization for Standardization) is one of the measures put across to check the qualities of the services in comparison to the international standards thus the qualities are internationally accepted or rejected. The auditing of the services is regularly done to either certified or reject their qualities thus the organization is able to take the necessary action against the outcome or report. These and others like the British Standards Institution (BSI), BS 25999 is a Business Continuity Management (BCM): BS 25999-1: 2006 BCM of Practice and BS 25999-2:2007 BCM for the implementation, operational and improvement of the Business Continuity Management System (BCMS) which are documented with the aim of describing only the requirements which can be objectively or independently audited (Blyth, 257-262). BC/BCM Plan is the components of the Business Continuity methodology which is required into the plan documented include: instructions, procedures and documents which enable the business to respond to the disasters and emergencies. It is also known as a resumption plan or disaster recovery plan. BC/BCM Planning is the task of identifying, testing, developing or documenting the necessary resources to ensure the continuity of business (Heng, p.1). Ways in which the worst effects of the disasters might well be curtailed Business continuity planning and the disaster recovery planning are essential to the well being of the organization. They are meant for ensuring continuity even with the expectation of the unseen difficulty circumstances. The process of planning for recovery of the disaster is not easy and requires good planning with consideration of Business continuity directory which gives guidance on the procedures to follow while considering the efforts to prevent the occurrence or effects of any disaster which is likely to affect smooth running of the operations of an organization (Blokdijk, p. 149). Any Business Continuity Plan is essential for the protection of the well being of an organization. The BCP policies should be considered to guide the workers on what to do so as to plan in case of an occurrence of a disaster. They identify the essential practices and culture throughout the activities of the organization with the intentions of disaster recovery. According to Mintzer, (p.142), there are a number of aids and resources which serves to plan and prepare for the occurrence and ways of overcoming disasters. The following sections can be considered: disaster recovery kit helps in the efforts to design or audit the contingency arrangements for the business continuity plan. It may contain checklists, questionnaires and many other materials essential in the planning to overcome a disaster. A bookshop is also essential for the provision of the information concerning ways of overcoming disasters (Levitt, p. 208). Gregory (p.17) argues that the disaster of the insecurity of confidential information concerning the operations of an organization can be handled by ensuring that all the unauthorized persons are prevented from accessing the confidential information of an organization. This is made possible by ensuring that all the materials and systems for monitoring the movement of the information from one party to the other thus it is possible for the management to account for various sources and receivers of the information. The confidential information of an organization or an individual should be protected from the unauthorized persons (McEntire, p. 324). Conclusion The process of Business Continuity Planning to overcome various disasters in an organization and Information Technology Security Contingency are currently considered as essential factors in the recovery of the disasters as well as the protection of the information processed by the computer systems. Information Security is essential in the enhancement of the effort6s to prevent the unauthorized persons from accessing information which is termed to be confidential about an organization or an individual. This is made possible by formulation and implementation of an effective plan for the continuity of the operations of an organization. Various aspects like the standardization measures are considered in the plan and implementation of the activities of an organization considering the ways of achieving the set goals and objectives. Work cited Scholl, Matthew. Information Security: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule. New York: DIANE Publishing, 2009. Tipton, Harold & Krause, Micki. Information Security Management Handbook, Volume 2: Information Security Management Handbook, (2) 2; 2008. Khosrowpour, Mehdi. Managing information technology resources in organizations in the next millennium: 1999 Information Resources Management Association International Conference, Hershey, PA, USA, May 16-19, 1999, Salt lake: Idea Group Inc (IGI), 1999. Dittrich, Klaus & Saari Juhani. Computer security and information integrity: proceedings of the Sixth IFIP International Conference on Computer Security and Information Integrity in Our Changing World, IFIP/Sec'90, Espoo (Helsinki), Finland, 23-25 May, 1990, Volume 1990: Computer Security and Information Integrity: Proceedings of the Sixth IFIP International Conference on Computer Security and Information Integrity in Our Changing World, IFIP/Sec'90, Espoo (Helsinki), Finland, 23-25 May, 1990, Klaus R. Dittrich (1990) 3;2008 p. 245-248. Stolting, Karen. Contingency Planning and Disaster Recovery in Florida State Government, New York: DIANE Publishing, 2007. Oliva, Lawrence. Information technology security, advice from experts, Salt lake: Idea Group Inc (IGI), 2004. Fulmer, Kenneth. Business continuity planning: a step by step guide with planning forms on CD- ROM, New York: Rothstein Associates Inc, 2004. Doughty, Ken. Business continuity planning: protecting your organization's life, New York: Auerbach, 2001. Sangubhotla, Latha. Business continuity planning: concepts and cases, Indiana: Indiana University Digitized, 2010. P.124-126 Blyth, Michael. Business Continuity Management: Building an Effective Incident Management Plan, New York: John Wiley and Sons, 2009 p. 257-262 Blokdijk, Gerard. Disaster Recovery 100 Success Secrets - It Business Continuity, Disaster Recovery Planning and Services, Tagum: Lulu.com, 2008. Heng, Moh. Implementing Your Business Continuity Plan, Dubai: BCM Institute, 2004. Hiles, Andrew. Business Continuity: World Class Business Continuity Management, New York: Rothstein Associates Inc, 2004. Kumar, Madan. Natural and Anthropogenic Disasters: Vulnerability, Preparedness and Mitigation. Salt Lake: Springer, 2009. Levitt, Alan. Disaster planning and recovery: a guide for facility professionals, New York: John Wiley and Sons, 2007. Mintzer, Irving. Confronting climate change: risks, implications, and responses, Cambridge: Cambridge University Press, 2002. Gregory, Peter. IT disaster recovery planning for dummies, New York: For Dummies, 2007. McEntire, David. Disciplines, disasters, and emergency management: the convergence and divergence of concepts, issues and trends from the research literature, Forest: Charles C Thomas Publisher, 2007 p. 324 Kvavik, Robert. Information technology security: governance, strategy, and practice in higher education, Johnson: ECAR, 2003. Fink, Dieter. Information technology security: managing challenges and creating opportunities, Australia: CCH Australia, 2007. Virginia. Council on Information Mangement, Information technology security, Pages 75-991, NSW:Council on Information Management, 2005. Rahayu, Siti. Information technology security, New Jersey: Pearson/Prentice Hall, 2006. Khadraoui, Djamel & Herrmann, Francine. Advances in enterprise information technology security, Vatican: Group Inc (IGI), 2007. Hsinchun, Chen. National security: Volume 2 of Handbooks in information systems, (2) 2; 2007 p. 27. Kouns, Jake & Minoli, Daniel. Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams. New York: Wiley-Interscience, 2010. Tipton, Harold & Krause, Micki. Information Security Management Handbook, Volume 3 Information Security Management Handbook, (3)2: 2009, p. 316). Youm, Heung. Information Security Applications: 10th International Workshop, WISA 2009, Busan, Korea, August 25-27, 2009, Revised Selected Papers, Salt Lake: Springer, 2010. Kingsbury, Nancy. Information Security: IRS Needs to Continue to Address Significant Weaknesses, New York: DIANE Publishing, 2010. Zhou, Jianying. Information security: 8th international conference, ISC 2005, Singapore, September 20-23, 2005 : proceedings, Boston: Birkhäuser, 2005. Isaca. CISA Review Manual 2011, Kansas: ISACA, 2010. Ronald, Joel. On risk and disaster: lessons from Hurricane Katrina, Pennsylvania: University of Pennsylvania Press, 2006. Read More