Understanding IT security and its impact to organizations - Research Paper Example

Summary
This paper presents how an Information Security Management System Framework can affect or impact an organization. It also capitalizes and makes effective use of the experiences and knowledge obtained by other authors to form its own assessment of the practicality of implementing an Information Security Management Systems framework in an organization. …

Extract of sample "Understanding IT security and its impact to organizations"

Understanding IT security and its impact to organizations

Abstract

IT Security ensures that the confidentiality, integrity and availability of applications, software, data, records, information and knowledge are maintained at all times. IT Security also encompasses the entire Information Technology infrastructure, including hardware, firmware, storage systems, servers, network equipment and every other Information Technology appliance. Even the use of this equipment, and the processes and policies that organizations implement to govern the use of the IT infrastructure and what is stored in it, fall under IT Security. IT Security impacts organizations through regulation: the Sarbanes-Oxley Act applies to all companies listed on the United States stock exchanges, the Gramm-Leach-Bliley Act to those in the financial industry, and the Health Insurance Portability and Accountability Act to organizations that provide health care services, to name a few. The basic onus of IT Security is to secure the data stored within the IT infrastructure and, by extension, the privacy of the people who own that data.

Contents

Abstract
Contents
Introduction
Literature Review
Confidentiality, Integrity and Availability
Risk Assessment
Information Security Management System Framework
Analysis and Discussion
Confidentiality
Integrity
Availability
Risk Assessment
Information Security Management Systems
Conclusion
Bibliography

Introduction

Before the onset of mandatory regulatory compliance, Information Technology Security was considered a nice-to-have feature among companies. One of the primary reasons for the lackluster implementation of Information Technology Security is the cost of setting up even the most basic IT security configuration, together with the cost of ownership, including maintenance and management.
However, the growing sophistication of crimes based on information obtained from records stored in computers, or in the Information Technology infrastructure in general, has prompted a second look from stakeholders (Whitman & Mattord, 2011). Crimes such as identity theft and the funneling of large amounts of money from one account to another have made Information Technology Security not merely a cause for concern but the primary focus of congressional inquiries. The staggering amounts of money involved may have caused the collapse of some companies, if the IT security threat was not itself the catalyst that started their demise. The cost of rebuilding a company's records after a virus attack that deleted its entire archive is nothing compared to the losses that could set in if historical payment records are not properly reconstructed. The actual damages to clients who become victims of identity theft because of a company's negligent safekeeping of its clientele's records may include civil liabilities that can run to hundreds of millions, or billions, of dollars put together. Information Technology Security systems were considered at the onset as a means of catching people with nefarious intent after they had committed the felonious act; note that in this instance the crime has already been committed. However, an in-depth study of this discipline, together with the implementation of a good Information Security Management System, makes it possible to catch offenders in the act and to discourage and prevent Information Technology related crimes. The implementation of established Information Security Management System frameworks, combined with technology, can be considered a potent means of protecting organizations against white-collar criminals. The potency of these Information Security Management System frameworks has even been recognized by the United States Congress, a testament to their effectiveness.
The frameworks consider the employment of human assets, technology and organizational structure, through the implementation of policies and procedures, to fight any attempt to circumvent the security system of organizations. Using all accessible and available materials that provide information on existing Information Security Management Systems, this thesis shall present how an Information Security Management System framework can affect or impact an organization. This thesis shall also capitalize on and make effective use of the experiences and knowledge obtained by other authors to form its own assessment of the practicality of implementing an Information Security Management System framework in an organization. Using the experiences of organizations in implementing Information Security Management System frameworks, as described by various authors, this thesis shall attempt to compare the effort against the actual tangible benefits. The primary question that this thesis shall answer is: is the effort to implement Information Technology Security in an organization worth it? Another question that this thesis shall attempt to answer is: is the investment spent to implement IT security worth it? However, due to limited time and resources, this thesis shall dwell only on theoretical applications and implementations of an Information Security Management System. Empirical data will not be used, since the time available is too limited to obtain and verify the data gathered. Time constraints also prevent the gathering of meaningful and reliable data that could be compared to provide a conclusion based on solid and concrete evidence.

Literature Review

IT security is all about protecting the assets of the organization, most especially their Confidentiality, Integrity and Availability (Peltier, 2001). By ensuring the confidentiality, integrity and availability of the information assets within the company, security is achieved.
In the context of information technology, protecting the confidentiality, integrity and availability of information assets almost always translates to the employment of anti-virus software, the installation of firewalls and the creation of checkpoints such as a username and password combination for each employee or user within the organization. Additional equipment such as redundancy systems and back-up systems, including the installation of uninterruptible power supplies and generators, is also employed to ensure the continuous service of the information technology infrastructure (Nozaki & Tipton, 1999). Other, more elaborate security measures may also be included, such as, but not limited to, biometrics and dual password combinations. Layered access rights and secure application use are sometimes employed to ensure that only legitimate and permitted software is used within the company premises. Disabling USB ports and removable drives, and limiting wifi and access points so that errant signals cannot be sniffed by unauthorized portable computing equipment, are also employed. IT security implemented in a standard framework such as COBIT, ISO/IEC 27002:2005 (Calder, 2008) or ITIL, otherwise known as the Information Technology Infrastructure Library, is always augmented by additional documented operational policies and procedures that must be complied with to ensure its potency and efficacy. Not only are these documents created; compliance with them is monitored and made part of the organization's Key Performance Indicators. These indicators are subject to regular review, audit and assessment to ensure that non-compliance and security events are remediated and resolved. Normally such findings are accompanied by a plan of action, to ensure that one is implemented (Raggard, 2010).
Confidentiality, Integrity and Availability

In the context of information technology, confidentiality is the employment of a username and password combination to access and use computers and servers, including the applications and tools provided to employees. This includes layered or hierarchical access rights to information. To illustrate: department managers are the only ones allowed to create users and transaction codes and to override edits, while regular employees are only allowed to create transactions. Owners of information are also assigned, to ensure that any alterations, changes and updates to the information are made only with the imprimatur of the information's owner. Note that confidentiality is about ensuring that information not meant for public consumption is kept within the confines of the organization. Information classified as confidential by the organization should be protected from competitors and the general public. However, not all information related to the company should be kept confidential. Therefore most information technology security frameworks recommend that a proper classification that can actually be implemented be considered. To illustrate: marketing materials cannot be prevented from falling into the hands of competitors, so it is best to classify them as available to the general public. Memos and office policies and procedures are best classified as confidential, since they pertain to the detailed operation of the organization; this type of information is expected to be readily available to all employees but should not be available to people outside the company. Salaries, employee records and customer records, on the other hand, are secret documents that should be available only to employees of the organization who are authorized to handle such information. Integrity pertains to the reliability of the data or information.
Reliability includes the assurance that the information contained therein has not been accessed by parties not authorized to view it. Integrity most especially pertains to the assurance that the information has not been changed by parties not authorized to change it. In the context of information technology security this requires the employment of anti-virus, anti-worm and anti-Trojan-horse software, and also the installation of firewalls. Availability, on the other hand, in the context of information technology security pertains to the deployment of back-up systems and redundancy systems, including hot availability systems. This ensures that in any event, including equipment failure, the system can still access the information stored within the IT infrastructure. In some instances uninterruptible power supplies and generators are deployed to ensure that the equipment is always available to access the information.

Risk Assessment

The high investment cost associated with information technology security makes it imperative for an organization to conduct a Risk Assessment process (Wheeler, 2011). The process ensures that priorities are set based on actual metrics that measure the importance of the information assets. Information assets include the information technology infrastructure and its supporting equipment, as well as the information contained in and supported by that infrastructure. The information assets are then rated based on their vulnerabilities and the threats associated with those vulnerabilities. The risks to which these information assets are exposed are then listed, and the possibility of each occurring is also rated and measured. Based on the numbers generated, a priority list based on the needs of the organization can now be constructed.
Based on this priority, the investment in the installation and deployment of risk mitigation equipment can now be justified (Watkins & Calder, 2010).

Information Security Management System Framework

Without an active framework to guide the implementation of information technology security efforts, investment in security may go to waste, since almost always it will only become a silent witness to security events that are discovered after the fact. The Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (American Medical Association, 2009), including FISMA, the Federal Information Security Management Act (Data Protection Act, 1998), mandate that a structured framework be implemented along with the information technology security infrastructure. An information security management system framework makes sure that all security related events are logged and monitored until they are resolved. An ISMS also ensures that the compliance of all employees of the organization with the policies and procedures is monitored. Key performance indicators are not only gathered but reviewed regularly to ensure that non-compliance is resolved (Blackley, Peltier, & Peltier, 2003). An ISMS always requires that policies pertaining to information security are created; not only are processes updated to take the security aspect of the process into consideration, but checkpoints are also created to ensure that security is embedded in the process. Most of the time, monitoring systems are employed to ensure that incidents relating to policy non-compliance are logged and resolved. Most of the time, the Plan-Do-Check-Act cycle associated with the implementation of ISO standards (Humphreys, 2007) is included in the implementation strategy.

Analysis and Discussion

Information assets include not only documents but also the storage bins or cabinets that store those documents.
Therefore information assets also include the computers, servers, network equipment and the cables that transport the signals representing the bytes of data passing through them. Information assets also include the uninterruptible power supplies and generators, and the power supply system that powers each computer in the organization.

Confidentiality

The impact on organizations of document or information classification to ensure the Confidentiality of information is the inconvenience of obtaining information for cross-functional teams. Information security normally sacrifices flexibility because of the limitations imposed on who can access information and who is responsible for it. To illustrate: cross-functional teams normally draw members from different departments, each department having its own processes and being in charge of specific information assets. Since cross-functional teams are made up only of representatives from each department, information assets essential to the mandate of the cross-functional team may not be accessible to a given representative. This prevents the cross-functional team from immediately performing its function. However, confidentiality is an essential part of information technology security; failing to secure information from people who are not authorized to have it may result in losses to the company. To illustrate: if information about upcoming products, including the details of how they will be launched, is obtained by competitors, they may rush the launch of their own product to frustrate the organization's marketing strategy. Some competitors may choose to copy the functionality of the product, or else highlight the flaws of that functionality. These nefarious strategies could result in losses for the company (Andress, 2011).

Integrity

Ensuring the integrity of information assets includes ensuring the integrity of the information contained therein.
As indicated, ensuring that the information is what it should be and what it was when it was created is the primary focus of integrity. Preventing any kind of tampering or access that may compromise the efficacy of the information is another aspect of integrity that needs to be considered. To illustrate: information about the iPhone 5 is stored in a secure storage system at Apple Inc. If details of that information, including the launch strategy, are made public before the iPhone 5 is launched, the information that is eventually released may not have the desired marketing impact. On another note, if the information about the functionality of the iPhone 5 has been tampered with, inserting functionality that is not there or deleting functionality that is, and the tampered information is made public as an official communique from Apple Inc., the backlash, including the damage to image and public relations, may not be recoverable and could result in millions in losses for Apple Inc. The impact of ensuring the integrity of information in an organization is that responsibility rests with the creator of the information. A higher premium and respect is accorded to whoever is responsible for creating the information, since the creator himself can authenticate and validate the authenticity and veracity of the information he created. Ownership of the information extends to the organization to which the creator belongs. Information brought before the bar of public perception is subject to scrutiny and examination. Ownership of the information, once established, creates the perception that the information, good or bad, can be attributed to the creator or to the organization the creator belongs to.

Availability

Availability of information refers not only to the actual presence of the information in the system but to the ability of the system to provide the information when it is needed.
In information technology, the availability of information can be threatened by a simple computer virus that denies access to the network. Infecting a file, or corrupting a few of its header bytes, can corrupt the information within the file and render its data inaccessible. Another area that impacts the organization when information technology security is implemented is the volume of policies and procedures that must be documented in order for all employees to comply. In order for all employees, including new ones, to be informed, a policy and process orientation has to be performed as soon as an information security framework is adopted. Another impact that the organization feels in ensuring the availability portion of information technology security is the cost of the measures that assist in ensuring the availability of information. These include anti-virus software, firewall appliances and managed routers. These items are not only costly; they normally require skilled manpower to administer and manage them. Ensuring availability also means creating redundancy and back-up systems. These items normally double the cost of the infrastructure, without the added benefit of tangible operational returns. Without a strategy in place to ensure that the redundant systems can also benefit the production environment, redundancy and back-up systems are white elephants that only come into play during disaster recovery. To counteract such disparity and wastage in the investments made to implement information technology security, organizations normally conduct the following first.

Risk Assessment

The cost of implementing an information security framework requires that a risk and vulnerability assessment be conducted, to ensure that a balance can be achieved with regard to the cost of acquiring the appliances and software that will make up the information technology security infrastructure.
The process values each information asset in dollars and cents. The amount of security required by each asset, and its cost, is also assessed to ensure that the asset is amply protected. With this information it becomes easy to prioritize which information is worth securing, and at what cost, in order for the investment to make sense. The impact of the risk assessment process, including its results, is the re-orientation and focus of each information asset owner on protecting information. Since actual values are assigned to each information asset, the organization's employees now know which information is worth protecting and which is not. Asset owners become more conscious of how they keep the information entrusted to them by the organization. The risk assessment process may also educate an organization's employees that not every security strategy needs to be costly. To illustrate: simply by not playing online games or accessing social networking sites during office hours, many security threats can be averted, if not avoided altogether. Simply by leaving each employee's desk clean, with all documents stored in drawers, security is already achieved. Simply by having each employee display proper identification on the lapel, unauthorized people can be prevented from entering the organization's premises.

Information Security Management Systems

Several security frameworks have been introduced in this thesis that help in protecting the information assets of organizations. These frameworks provide checkpoints that ensure compliance with the most rigid laws, such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. ISACA's COBIT, BS 7799 or ISO 17799 and its latest version ISO/IEC 27002:2005, and ITIL are frameworks that can be used to implement information technology security in organizations.
These frameworks are compliant with ENISA (European Network and Information Security Agency) and FISMA (Federal Information Security Management Act) directives, memorandums and guidelines. Certification to at least one of the frameworks almost translates to compliance with the IT security governance directives of the laws that pertain to information technology security. However, the impact on organizations of such frameworks, when implemented, almost translates to a paradigm shift in culture and operation. Information security implemented within a framework calls for the overhaul of the processes, policies and procedures of the company. The culture shifts almost instantly from operationally centric to security centric. To ensure the acculturation of the security framework into the culture of the organization, compliance with the new policies and procedures is not only monitored but checked as part of the organization's Key Performance Indicators. Metrics are also gathered, including events that impact security or violate the security policies being implemented in the organization. Regular security audits are scheduled to monitor the performance of the organization and to ensure that previous events that exposed vulnerabilities have been remediated, if not resolved, so that they are not repeated.

Conclusion

Information Security does not provide tangible benefits, since it is prospective: it prevents potential threats that could cost the company millions, if not billions, if the threats actually come to fruition. However, there are instances where the actual potential cost can be computed. By using data gathered from other companies on actual virus attacks, and using the damage to those companies to model the actual impact on the organization, the following costs can be determined: the cost of rebuilding the records, and the opportunity lost while the records are being rebuilt.
In instances where the threat or possible outcome of an Information Technology Security event is identity theft, the potential damage to the organization is to its image, plus liabilities from legal actions by the victims of the identity theft. A more systematic way of conducting a cost-benefit analysis is to conduct a risk assessment that can define and measure the threats that have the greater possibility of happening. Risk mitigation can then be done on the risks and threats that are critical and have the greatest likelihood of happening. The Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act have one thing in common: these laws mandate that the companies in the industries they affect comply with several Information Technology Security requirements or face both administrative and legal sanctions. These laws not only mandate that companies comply with and follow certain criteria; they also require companies to submit themselves to regular Information Technology Security audits that become the basis for a compliance certificate. The wisdom of these laws is to prevent Information Technology related crime that could potentially affect the economy or stability of the nation. To illustrate, the Enron incident precipitated an economic crisis that led the entire United States corporate environment to question the actual values of their stocks. With potential losses affecting the savings of millions of individual stock certificate holders at the losing end, there was a compelling argument for the passage of stricter governance rules to ensure that the conduct of corporate America is aligned with the laws. Their effect on employees and on organizations in general, however, most specifically the new processes and procedures that were made to ensure compliance with the new laws, can at times be considered restrictive.
Checks and balances were established to ensure that correct figures are reported and that executives do not treat the corporate treasury as their own pocket, if not wallet. A veil of secrecy also surrounds each corporate bit of information that should not be made public. More protection is given to company resources and information, and more transparency is given to stakeholders. To answer the questions posed at the onset of this thesis: is the effort to implement an information technology security framework worth it? Given potential threats that could run to millions if not billions of dollars, it is worth the effort. In light of the above discussion of the compulsory nature of the laws with regard to compliance and the consequences of non-compliance, the answer to this question is a resounding yes. To answer the second question: it is not practical to spend a thousand dollars' worth of security to protect an asset that is worth only a dollar. As articulated, an information technology security implementation should make sense. By conducting a risk and vulnerability assessment, a proper balance can be achieved to ensure that the right kind of protection is employed to protect the assets that are worth protecting. Therefore, to answer the second question: the cost spent on an information security implementation can be practical and worth it if the proper balance is achieved.

Bibliography

American Medical Association. (2009). Understanding the HIPAA Standard Transaction: The HIPAA Transactions and Code Set Rule. Retrieved December 15, 2010, from American Medical Association: http://www.ama-assn.org/ama1/pub/upload/mm/368/hipaa-tcs.pdf
Andress, J. (2011). The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. New York: Elsevier.
Blackley, J. A., Peltier, J., & Peltier, T. R. (2003). Information Security Fundamentals. Boca Raton, Florida: CRC Press.
Calder, A. (2008). ISO27001/ISO27002: A Pocket Guide. Cambridgeshire: IT Governance Publishing.
Data Protection Act. (1998). Data Protection Act 1998. United Kingdom Parliament. legislation.gov.uk.
Humphreys, E. (2007). Implementing the ISO/IEC 27001 Information Security Management System Standard. Norwood, MA: Artech House Inc.
Nozaki, M., & Tipton, H. F. (1999). Information Security Management Handbook, 4th edition, Volume 1. New York: Auerbach Publications.
Peltier, T. (2001). Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management. United States: CRC Press LLC.
Raggard, B. G. (2010). Information Security Management: Concepts and Practice. Washington DC: CRC Press.
Watkins, S. G., & Calder, A. (2010). Information Security Risk Management for ISO27001/ISO27002. Cambridgeshire: IT Governance Publishing.
Wheeler, E. (2011). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. New York: Syngress (Elsevier).
Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. Boston: Cengage Learning Products.
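The risk assessment process described in the two Risk Assessment sections above, together with the cost-benefit rule from the Conclusion (do not spend a thousand dollars protecting a one-dollar asset), worked as an added example that is not part of the paper: each asset is valued in dollars and rated for vulnerability and threat, each risk gets a likelihood and impact, the pairs are ranked by expected yearly loss, and a control is funded only when it prevents more loss than it costs and costs less than the asset it protects. All asset names, ratings and dollar figures are constructed for the example.

```python
from dataclasses import dataclass

# Everything below is constructed sample data, not figures from the paper.


@dataclass(frozen=True)
class Risk:
    name: str
    base_likelihood: float      # yearly chance of the event if the asset were fully exposed
    impact_fraction: float      # share of the asset's value lost when the event happens
    control: str                # the mitigation that would be bought for this risk
    control_annual_cost: float  # purchase plus upkeep, per year, in dollars
    control_reduction: float    # share of the expected loss the control removes (0..1)


@dataclass(frozen=True)
class Asset:
    name: str
    value_usd: float            # the "dollars and cents" valuation the paper calls for
    vulnerability: int          # 1 = hardened .. 5 = wide open
    threat: int                 # 1 = rarely targeted .. 5 = actively targeted
    risks: tuple                # Risk instances this asset is exposed to


def exposure_rating(asset: Asset) -> float:
    """Vulnerability x threat, normalised from the 1..25 grid to 0..1."""
    return (asset.vulnerability * asset.threat) / 25.0


def annual_loss_expectancy(asset: Asset, risk: Risk) -> float:
    """Expected yearly loss in dollars: value * impact * likelihood * exposure."""
    ale = asset.value_usd * risk.impact_fraction * risk.base_likelihood * exposure_rating(asset)
    return round(ale, 2)


def justify_control(asset: Asset, risk: Risk) -> dict:
    """Apply the paper's two tests: the control must not cost more than the asset
    it protects, and it must prevent more loss per year than it costs."""
    ale = annual_loss_expectancy(asset, risk)
    prevented = round(ale * risk.control_reduction, 2)
    net = round(prevented - risk.control_annual_cost, 2)
    if risk.control_annual_cost > asset.value_usd:
        reason = "control costs more than the asset is worth"
    elif net <= 0:
        reason = "control costs more than the loss it prevents"
    else:
        reason = "prevented loss exceeds control cost"
    return {
        "asset": asset.name,
        "risk": risk.name,
        "control": risk.control,
        "ale": ale,
        "prevented": prevented,
        "net_benefit": net,
        "justified": net > 0 and risk.control_annual_cost <= asset.value_usd,
        "reason": reason,
    }


def prioritize(assets) -> list:
    """Every (asset, risk) pair ranked by expected yearly loss, highest first;
    this is the priority list from which spending is justified."""
    rows = [justify_control(a, r) for a in assets for r in a.risks]
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


# Constructed inventory: three assets of very different value and exposure.
CUSTOMER_DB = Asset(
    "customer records database", 500_000.0, vulnerability=4, threat=5,
    risks=(
        Risk("ransomware wipes the archive", 0.25, 0.6,
             "offline backups and restore drills", 15_000.0, 0.8),
        Risk("records exposed, identity-theft liabilities", 0.125, 1.0,
             "encryption at rest and quarterly access review", 25_000.0, 0.7),
    ),
)
PAYROLL_SERVER = Asset(
    "payroll file server", 150_000.0, vulnerability=2, threat=3,
    risks=(
        Risk("power failure takes the server offline", 0.5, 0.1,
             "UPS and standby generator", 4_000.0, 0.95),
    ),
)
BROCHURE = Asset(
    "public marketing brochure", 200.0, vulnerability=5, threat=2,
    risks=(
        Risk("copy reaches a competitor", 1.0, 1.0,
             "data-loss-prevention gateway", 12_000.0, 0.9),
    ),
)
INVENTORY = (CUSTOMER_DB, PAYROLL_SERVER, BROCHURE)


if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        verdict = "FUND" if row["justified"] else "SKIP"
        print(f"{verdict:4} {row['asset']:28} {row['risk']:45} "
              f"ALE ${row['ale']:>9,.2f}  net ${row['net_benefit']:>10,.2f}  ({row['reason']})")
```

Running it ranks the two customer-database risks first and funds their controls, skips the generator because it prevents less loss than it costs, and skips the brochure's gateway because the control costs far more than the asset is worth.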
“Understanding IT security and its impact to organizations Research Paper”, n.d. Retrieved from https://studentshare.org/information-technology/1391387-understanding-it-security-and-its-impact-to-organizations
