Physical Threat to Organizations Information Holdings - Essay Example

? Security Plan Table of Contents Security Plan Table of Contents 2 Introduction 3 Objectives 3 Scope 4 Physical Threat To Organization’s Information Holdings 4 Theft 4 Sabotage 5 Human Mistakes 5 Environmental Distraction 5 Human Threats To Organization’s Information Holdings 6 Computer Fraud 6 Hacking 6 Human Errors 7 Unauthorized Access 7 Information Destruction By Dissatisfied Employees 7 Electronic Threats To Organization’s Information Holdings 8 Organization’s Actual Threat For Information Holdings 9 Security Plan 9 Physical Countermeasures 10 Electronic Countermeasures 12 Human Countermeasures 15 Information Security Education And Awareness Program 16 Updating The Education And Awareness Program 18 Measures Used To Test The Efficacy Of Plan 19 Conclusion and Recommendations 20 References 21 Bibliography 24 Introduction With the rapid improvement in information system and exceptional development of internet, the information security has become a critical issue for every organization. Information is acknowledged as an important monetary asset for organizations, thus, it needs to be secured consequently. In present days, organizations are becoming greatly dependent on information system which clearly manages serious portion of organization’s fundamental activities. The role of technology has transformed from a validation tool to the center of main business (Aoufi, 2011). As the technology has improved, people have also become more aware regarding possible threats for information theft, cybercrime and other fraudulent activities. Thus, there is a need to strengthen the information security system in every organization by identifying and removing potential threats. Objectives The objective of this study is to identify and describe the risks of organizations information holdings with respect to physical, human and electronic threats. The study also illuminates a security plan for physical, human and electronic counter measures for reducing the information threats of a business organization situated in an Australian city. Besides, there is need for adequate education and awareness program for minimizing risks in the information system. A comprehensive information security education and awareness plan is developed in this paper which can help to enhance the information security. Scope The scope of information security is to support the safety, control and administration of organization’s valuable information. This study covers the areas such as known threats for organization’s security and several countermeasures which can help people to gain insight about maintaining strong information system in organization. Furthermore, the study describes the methods for developing education and training to employees for increasing knowledge and skill to avoid security problems. Physical Threat To Organization’s Information Holdings In this digital information age, physical threats can have significant impact on the information holdings of organizations. Thus, physical threats need adequate attention besides other cyber threats. The scope of physical threat is much inclusive compared to other threats in terms of financial loss. Physical threat can arise at any form and at any time. An organization can face the following physical threats for their information holdings (Bidgoli, 2006). Theft Theft is regarded as one of most common risks for organizations’ information holdings. Digital information can be physically stolen by people who come from security and Information Technology (IT) background. Outsiders might break or sneak into any organization’s network and steal information. Insiders also can enter into a part of organization for accessing information which they have no right to access or they may abuse access rights which are part of their tasks. Furthermore, physical assaults against rational security can simply be executed by experts (Lindstrom, 2003). Sabotage Sabotage is fairly similar to theft. Sabotage is intentional damage of information holdings. Any individual who has antipathy against a company can become a risk of physical sabotage in relation to sensitive information (Lindstrom, 2003). Human Mistakes Human mistakes are considered as another common physical risk for information holdings. Humans can deliberately or unintentionally jeopardize information holdings through simple environmental threats. Along with the possible impact on obtainability and truthfulness, human actions of misuse might compromise of the privacy, validation and authorization of information. Misuse of information occurs by wrong people using any sensitive information illegally or by right people using information in wrong way (Lindstrom, 2003). Environmental Distraction Environmental distraction is one of the most dominant physical threats of information holdings for organizations. Fire and flooding caused by human beings or natural means can destroy building infrastructure, computer data and information. The lightning caused by storm can create fire and physically destroy digital data by volatile expansion. An electrical storm is able to generate vast magnetic field and cause destruction of computer equipments such as hard drive and modem among others. Satellite plates can be harmed by ice or snow and cause hindrance on information system of organizations. Earthquake is another risk for information holdings. It can destroy building and organizations’ machineries and equipments resulting in loss of information (Lindstrom, 2003). The above physical threats are common in almost every organization. These threats need to be evaluated against the risk of information holdings which can help to develop plan for physical measures (Lindstrom, 2003). Human Threats To Organization’s Information Holdings Human threats are one of the most important threats for information holdings security. Several surveys depict that humans are responsible for the majority of information security breaches in organizations security system (Garcia, 2007). The following human threats have been identified in an organization: Computer Fraud Computer fraud is an information threat caused by humans where data are altered illegally to cheat the organization. The computer oriented threat is widespread and the financial losses from this kind of threat are enormous. According to several assessments, the average loss organizations face for computer fraud can exceed 100,000 USD (Quigley, 2005). Hacking Hackers are other human threats for organizations’ information holdings security. Hackers are expert users of software and applications who can break through organizations’ intranet and access information. Hacking is also called as intrusions. Once hackers successfully bypass organizations’ information security, the data become vulnerable and they can easily control and steal those data (Quigley, 2005). Human Errors Human errors can occur if organizations’ information system is weak and employees are educated ineffectively regarding usage of system. Organizations always face major threats of information breaks because of human errors. Human errors can cause by either inadvertently entering improper data or unintentionally rescinding existing data. Human errors are considered as significant threat for accessibility, privacy and truthfulness of information (Mcleod & Schell, 2008). Unauthorized Access Majority of unauthorized access of information can be caused by internal employees of an organization. Organizations’ own human resources are always aware of the information system and thus, they can intentionally breach the system for unauthorized access. According to several surveys, almost 49% of organizations confront information security problems because of trustworthy employees. The external human threats also exist in organizations for unauthorized access. Outsiders such as terrorists, criminals and extremists can also possess threats for any organization’s information holdings (Mcleod & Schell, 2008). Information Destruction By Dissatisfied Employees Employees who are ignored for promotion or are merely provoked by a superior can become threats for an organization by destructing the computer system and information inside it, or leaking vital information of organization. Several organizations think that their commercial information security is at risk because of unsatisfied employees (Quigley, 2005). Electronic Threats To Organization’s Information Holdings Electronic threats represent electronic invasion on organizations’ information holdings system. Traditionally electronic invaders are interested to enter into organizations’ networking system just because of curiosity. But in present day, electronic invaders have dissimilar intentions and methods. The aspiration and curiosity of invaders are transformed into greed as invaders have realized that their skills are valuable and serviceable in exchange of money. The new invaders tend to be more technically capable to use further refined technology in cyber-attacks, and to be gradually dynamic in their attempts to conciliate the Public Switched Network (PSN). The potential impact of information threat of PSN comprises of rejection or interruption in service, illegal watching or leak of delicate information, unofficial alteration of network records or services, and several fraud activities, which can result in financial loss as well as loss of reputation (DIANE Publishing Company, 1998). Other electronic threats for organizations’ information holdings are viruses, Trojan horses and spywares among others. Virus is a program which can copy itself without being detected by system. Virus comprises of software and programs which contain binary codes that help to attack an organization’s information system and conduct illicit activities such as destruction of files and databases. On the other hand, Trojan horse is unable to copy itself but it can cause unwanted adjustments in the organization’s system functionality. Spywares have been developed in recent times which have the capability to gather information from an organization’s system (OECD, 2009). Electronic risks have amplified in terms of both regularity and superiority which pose critical threats to organizations’ information holdings. The electronic threat has the power to insinuate, influence or damage computer data as well as entire information network system (OECD, 2009). Organization’s Actual Threat For Information Holdings Organization’s actual threat represents the existing threats within information system. The identified actual threats of organization are: Actual Threats Physical Human Electronic Theft of information Human Error Viruses, worms, malwares, Trojan horses and spywares among others Environmental or accidental distraction Unauthorized access Intentional information destruction Security Plan It is important for an organization to recognize the threat scenario and take appropriate countermeasures for mitigating threats. Security countermeasures plan is the protection that an organization takes to decrease the information risks. The first task of an organization for decreasing the risk is to manipulate the physical atmosphere. In order to assess the physical security the following steps are useful: Authentication of Regular Physical Security Practices An organization needs to conduct a typical security assessment and implement any changes as needed. It can help to reduce the risk from usual physical information security threats (Tipton & Krause, 2007). Perform Physical Security Evaluation After assuring typical security, an organization needs to conduct another strict evaluation. This evaluation comprises of improved physical security devices. Nowadays, information securities experts essentially use their own creativity to implement standards for security (Tipton & Krause, 2007). Implement Suggested Changes As there are no identical standards for developing physical security in private organizations, they use their own technical devices for improving the physical security according to the budget. An organization needs to measure the risks for possible threats to information, and make optional changes on the basis of evaluated risk. Preferably, these changes should be applied in the most efficient way (Tipton & Krause, 2007). Physical Countermeasures Physical security is a portion of information safety as all digital information needs to be physically protected. Conventionally, physical security is delivered by the general and mechanical supervisors who apply their own specific approaches and systems to arrange the physical security. In present times, the physical security engages a grouping of administrative, mechanical and electronic methods. The physical countermeasures for information security are: Equipment: Physical security comprises of protection of organizational equipments through air conditioning, maintaining wetness, using fire extinguishers and expending clean energy (Hintzbergen et al., 2010, p. 34). Storage Devices: For increasing physical security, an organization needs to control the usage of storage devices such as pen drive, USB hard drive and portable players among others. Particular procedures can be applied to certain equipments, for instance, obliteration of private information on the storage device when an employee leaves the office. Important information can be saved in mobile devices, memory cards and laptops. Thus, it is vital to check that workers return all organizational equipments before leaving the working place (Hintzbergen et al., 2010, p. 34). Electronic Access Management: Radio-frequency identification (RIFD) passes can be used for managing access to organizations computers. The following measures are useful for improving physical security to information: The security system and employees should be capable of checking whether electronic permit fits to the holder Each pass have one holder for determining the persons who accessed the organization’s facilities Employees need to garb the passes noticeably so that security personnel can identify and prevent approach of any person not having a pass Further security measures such as PIN code, thumbprint and iris identification system are also useful if the organization has special room for private information (Hintzbergen et al., 2010, p. 34) Invader Detection: Invader detection is one of the most expensive physical securities for server room protection. The common method for invader identification is infrared detection. In this system deceptive wave is detected when one heat (person) passes ahead of an infrared light with another heat (wall). Besides, an organization can arrange special rooms or areas where entrances of unauthorized employees are restricted (Hintzbergen et al., 2010, p. 34). Emergency Power: Digital equipment needs power to operate. Several natural disasters can cause power cut in an organization and hamper the information. Use of battery and generator is useful for saving information in the absence of power (Hintzbergen et al., 2010, p. 34). . Fire: Fire is one of the biggest threats for computer and machineries. The following physical measures are useful for protecting special room and servers: Smoke alarms Fire dousing tools Backup drives Anti-fire cables No chemical or inflammable materials in server room (Hintzbergen et al., 2010, p. 34) Electronic Countermeasures Electronic measures are applied in organizations for protecting information against illegal access and malicious attacks. The requirement for electronic measures has increased because of technical revolution in computer system and digital media. Through electronic measures, organizations can ensure safety of information electronically and decrease security weaknesses. The following electronic measures are useful for an organization to minimize potential damage and loss of information because of several invaders (Alshboul, 2010). Password Protection: The most common electronic measures for information security are password protection. A password is envisioned for restricting the use of information system except authorized users. In password protection system, employees need to enter keyword to gain access to the organization’s databases (Ghosh et al., 2002, p. 280) Firewall Protection: Firewall is another electronic measure for preventing internet threats. In the computer network system, firewall acts as a riddle and barricade which limits the flow of information between organization’s computers and internet. Through firewall, an organization can create a defense system for every computer in the network (Mcleod, & Schell, 2008). An organization can use several firewall systems as countermeasures for protecting their network which are described below: Circuit-level firewall: Circuit-level firewall lets an organization to have a high degree of verification and data filtering. Application-level firewall: In application-level firewall, the complete security check is conducted. This firewall system demands for additional validation (such as secondary password and ratifying user identity) after a request is already verified from approved network (Mcleod, & Schell, 2008). Proxy-based firewall: Proxy-based firewalls deliver a partition from the outside client to the local server. This firewall performs as a server and stores the inbound packets. The server has the ability to examine any message for appropriateness (Ghosh et al., 2002, p. 280) Encryption: Encryption is one of the best electronic countermeasures for defending the privacy of organizational information. Through encryption technique, an organization can shield information when it is becomes defenseless. Encryption supports an organization to protect information which goes through public network and internet by securing against the sniffers and hackers (Whitman & Mattord, 2011). An organization can use cryptographic controls for encrypting data over internet. If any unauthorized people gain access to organization network, the encryption makes information worthless towards them and thus inhibits misappropriation of information (Mcleod, & Schell, 2008). Rational Access Control: Rational access control is intended for inhibiting non-authorized persons from achieving reasonable access to any information which is valuable for organization. Organization can use several access control measures for protecting information such as: Discretionary Access Control (DAC): With the help of DAC the organization can describe what kind of access will be permitted to their information system irrespective of policy. It is a very flexible method from users’ perspective. With DAC system, organization can prove that data is controlled in contrast with organizational policies. Mandatory Access Control (MAC): In MAC system, people cannot outweigh security policies such as DAC system. In this method, the organizational information system is preserved by system supervisor. MAC uses characteristics such as authorization and cataloging which are connected to subject and object. In this system, information right is approved or denied by assessing if the characteristics of subject demanding access meet the necessities of object (Hintzbergen et al., 2010, p. 34). Human Countermeasures Human countermeasures generally include the utilization of human resources in an organization in every activity. Awareness: Human awareness regarding information security is one of the most vital human countermeasures. A well aware employee can help to reduce many information threats by proper understanding. An organization can provide education to every employee regarding information security risks and proper countermeasures. A good information security comprises of employees who perform conscientiously. An organization needs to treat employees as dependable and accountable so that they act in a responsible way (Hunter, 2001). Information Technology Employee: In an organization, there are several employees with different job duties. Through the help of electronic countermeasures, the access to information can be limited to specific users only. But, the same limitation might not apply for system administrators, system inventors and computer programmers. They are the technical employees and have the ability to access, change or delete information in organizational system. Organization needs to maintain the standard that if someone compels a break in company information system it will be observed and punished. Employees in technical fields need to be clean to the high degree of honesty, and they must not possess the sole right to use information system (Hunter, 2001). Recruiters and Leavers: This is the most vital human countermeasure for information security. New employees need to be informed and administered and their honesty must be judged completely before recruitment. All new employees must obtain a security session from a suitable administrator. It can help to make employees take the information security countermeasures carefully and employees will fulfill their security duty earnestly. An organization needs to make a simple manuscript which reviews the obligations and accountabilities of all employees towards information security (Hunter, 2001). While staffing, an organization must choose the type of information, employees will access for their position in the organization. The position sensitivity should be demarcated according to duty and information access powers. A proper background screening is useful for judging an employee for any particular position. An organization can monitor employees’ information access sanction when required. It is obligatory for an organization to sporadically review employees’ account, their level of information access and inspection of information access permissions (Swanson & Guttman, 1996). Information Security Education And Awareness Program To identify information threats and make the countermeasures successful, there is need for establishing an educational program for increasing the awareness of employees regarding physical, human and electronic threats. Many information security breaches in organizations happen because of: Unawareness about information security threats Incorrectly depending on other people to handle security measures Inadequacy to address security threats Ignorance of security issues Unfortunately, prospective invaders are very much conscious about above aspects and they can take complete advantage of the vulnerability of humans in organization. Proper information security education provides employees with the knowledge of several security events resulting in loss or exploitation of critical records (Payne, 2003). For developing education training, organization can use the following methods: Custom Discussion: Custom discussion is an operative method for establishing security knowledge to particular groups of people and persons throughout organization. Custom discussion or presentation provides employees the chance to discourse specific queries to company executives. Thus, through this method it is possible to address security concerns specifically and focus on vital security aspects within each executive’s experience (Payne, 2003). Handbooks: A handbook is a useful tool to introduce new comers, existing employees, and other staffs about security issues and their responsibilities towards it. Handbooks can be given by hardcopy as a part of information security awareness program and people can also view the electronic version through internet (Payne, 2003). Seminar and Workshop: Organization can arrange seminars or workshops to put emphasis on information security. Seminar session with high-profile lecturers can draw the attention of managers, IT supervisors, and other employees towards basic security subjects and motivate them to learn more. Seminars and workshops are specially intended for system managers and IT supervisors which is vital for every information security awareness program (Payne, 2003). Video: Videos are effective means for providing security education to employees. Through video streaming, organization can easily pull the attention of employees towards information security subjects. As employees are quite busy in their regular tasks in organization, video is a suitable way to take information security as a center of consideration (Payne, 2003). Articles: Institutional articles are perfect medium for increasing information security knowledge and spread it among other people. Articles can provide advice and instructions that are inexpensive and can be used in various events of organization such as employee orientation success events (Payne, 2003). Updating The Education And Awareness Program To accomplish the objectives of information security education and awareness program, it should be updated continuously to be informed regarding emerging threats. Even a strident and strong organization can lose the security efficiency unless their education and awareness program remains up-to-date with latest information (Payne, 2003). Security Alerts: Information regarding latest viruses, malwares and other threats must be integrated in the program because they can spread quickly in the information system of organization. There is also need to update information regarding possible countermeasures for new threats constantly (Payne, 2003). The information security education and awareness program consists of three elements which are shown below: Information security education and awareness program Awareness Education Training Objective Know basic information regarding security Gain insights about information security Increase skill to deal with security issues Method Videos Seminar Workshops Articles Handbooks Lectures Source: (Whitman & Mattord, 2011). Measures Used To Test The Efficacy Of Plan For testing the efficacy of plan the following measures will be useful: Information security education and awareness program Education program Training program Awareness program Measures for testing efficacy Comprehensive Testing Problem Solving Aptitude Multiple Choice Questions Interpreting Knowledge Practical Skill Testing Quiz Competition Source: (Whitman & Mattord, 2011). Conclusion and Recommendations The study highlights the possible information security threats an organization can face and actual security risks of organization. It is the responsibility of IT department to assess the risks involved in information security and take appropriate measures. To make a security plan successful, organization needs to examine it occasionally. It can help to classify security faults rapidly and solve them instantly. Risks are inevitable in an organization, thus through strict measures organization can protect its data and records from illegal access, leaking, disruption, modification, examination, coping and damaging. As majority of data are processed electronically, now-a-days, it is important for an organization to keep track on employees behavior as internal threats are much typical than external threats. New technology and methods are developing constantly, thus up-to-date information is needed and the education program should be improved to deal with the security issues in organization. References Aoufi, S. E. (2011). Information Security Economics. UK: The Stationery Office. Alshboul, A. (2010). Information Systems Security Measures and Countermeasures: Protecting Organizational Assets from Malicious Attacks. Retrieved October 11, 2011, from http://www.ibimapublishing.com/journals/CIBIMA/2010/486878/486878.pdf Bidgoli, H. (2006). Handbook of information security, Volume 3. US: John Wiley and Sons. (p. 28). DIANE Publishing Company. (1998). Electronic Intrusion Threat to National Security & Emergency Preparedness Telecommunications. US: DIANE Publishing. Garcia, M. L. (2007). Design and Evaluation of Physical Protection Systems. UK: Butterworth-Heinemann. (p. 26). Ghosh, T. K., et al. (2002). Science and Technology of Terrorism and Counterterrorism. US: CRC Press. (p. 280). Hintzbergen, J., et al. (2010). Foundations of Information Security Based on Iso27001 and Iso27002. Netherlands: Van Haren Publishing. (p. 34). Hunter, J. M. D. (2001). An Information Security Handbook. US: Springer. (p. 35 – 39). Lindstrom, P. (2003). Let’s Get Physical: The Emergence Of The Physical Threat. Retrieved October 11, 2011, from http://www.netbotz.com/library/Physical_Threat_Security.pdf Mcleod, R., & Schell, J. G. P. (2008). Management Information Systems, 10th Edition. India: Pearson Education India. (p. 251 – 252). OECD. (2009). Computer Viruses and Other Malicious Software: A Threat to the Internet Economy. Retrieved October 11, 2011, from http://www.oecd.org/document/16/0,3746,en_2649_34223_42276816_1_1_1_1,00.html Payne, S. (2003). Developing Security Education and Awareness Programs. Retrieved October 11, 2011, from http://net.educause.edu/ir/library/pdf/eqm0347.pdf Quigley, M. (2005). Information Security And Ethics: Social And Organizational Issues. US: Idea Group Inc (IGI). (p. 242-243). Swanson, M., & Guttman, B. (1996). Generally Accepted Principles and Practices for Securing Information Technology Systems. Retrieved October 11, 2011, from http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf Tipton, H. F., & Krause, M. (2007). Information Security Management Handbook, Sixth Edition. US: CRC Press. (p. 1378). Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. US: Cengage Learning. (p. 209, 391). Bibliography Hight, S. D. (2005). The Importance Of A Security, Education, Training And Awareness Program. Retrieved October 11, 2011, from http://www.infosecwriters.com/text_resources/pdf/SETA_SHight.pdf Roper, C. A., et al. (2005). Security Education, Awareness, And Training: From Theory To Practice. UK: Butterworth-Heinemann. Schultheis, R., & Sumner, M. (1999). Management Information Systems: The Manager’s View. India: Tata McGraw-Hill Education. Ulieru, M. (2011). Persistent Information Security: Beyond the E-Commerce Threat Model. Retrieved October 11, 2011, from http://independent.academia.edu/MihaelaUlieru/Papers/394278/Persistent_Information_Security_Beyond_the_E-Commerce_Threat_Model Read More