Security as a management or technological issue - Essay Example

The paper will discuss the technical as well as the managerial aspect of the three domains: information system security, privacy and data protection. The report presents technical, formal and informal systems as the fundamental information handling systems within the organization…

Extract of sample "Security as a management or technological issue"

Security As a Management or Technical Issue
Security, Privacy and Data Protection

Table of Contents
Introduction
Information System Types and Coordination
Technical System Security
Formal System Security
Informal System Security
Data Privacy in E-commerce
Conclusion
References

1 Introduction

Information system security is becoming a dominant and challenging factor for organizations, as it carries many risks that are constantly changing. Every now and then there are new security breaches, resulting in massive losses in terms of customer confidence as well as revenue. As information technology is now considered a fundamental function, every organization acquires information systems for business automation. Moreover, electronic commerce has introduced many businesses that are only virtually present. For instance, Amazon, an online store selling books, generates its revenue from the Internet: customers pay by credit card for the purchased books, which are then delivered to them. In this scenario, any security breach, such as an SQL injection or cross-site scripting attack on the website, can affect the business as well as customer confidence. Therefore, securing the systems and the data communication on the web is essential. This also applies to personal or customer data that is maintained and managed by the organization. For instance, e-commerce organizations store customer information such as credit card numbers, telephone numbers, addresses and bank details. It is the responsibility of the organization to protect this data and secure its privacy.

However, there is not a single law that states how to handle customer information. For this reason, organizations sell or trade customer information with business partners and even with third parties; sometimes the sole purpose of this exchange of personal data is funds. Although every online organization has a privacy policy stating how it will handle and secure customer data, there are no verification criteria. In the following sections we will discuss the technical as well as the managerial aspect of three domains: information system security, privacy and data protection. We will also discuss our main thesis, namely whether effectively handling and managing these issues in an organization is a technical issue or a managerial issue. The first section will emphasize the technical aspects, followed by the managerial aspects, and lastly the two will be compared to reach a conclusion.

2 Information System Types and Coordination

Organizing information systems is defined as the series of activities associated with information handling. Organizations expand their business gradually. For instance, the strategic plan of a financial institution may be to open a branch every quarter of the year, depending on stable revenue and the achievement of defined objectives. The expansion of the organization creates more risks and increases the workload for handling information, because the maintenance, storage and exchange of information have become greater than ever before. Information handling takes place on three levels: the formal level, the informal level and the technical level (Dhillon 2007). The formal information system is associated with communication with third parties, suppliers, contractors, clients, regulatory authorities and financial sectors.
As the word formal says for itself, it is a process in which rules are followed to standardize business practices, and following standards is important for any organization. However, in terms of non-compliance, it may become a threat to the business in itself. Organizations tend to automate all formal processes and procedures to define a standard and to gain effectiveness and efficiency, but this is not sufficient. The informal information system is the second type of information handling that occurs in the organization. It demonstrates a culture within a culture, i.e. a sub-culture that defines the purpose of understanding. Likewise, it is the system in which consensus is reached and beliefs are recognized. Moreover, it is where employees learn the due care and due diligence required for performing their responsibilities and tasks. Modifications and changes are also made at this stage, as the informal system facilitates the formal system in a natural way. As the organization continues to expand, different groups of people form, resulting in more conflicts of opinion, objectives, goals and internal politics. Lastly, the third is the technical information system, where processes, procedures, standards and guidelines are automated via computerized systems. This automation is conducted on the assumption of a formal information system, which it also supports. After defining these three systems, the coordination criteria must be defined to give a complete picture of the coordination framework. Dhillon (2007) illustrates a very good coordination model by comparing it with a fried egg: the yolk represents the technical information system, the outer layer of the yolk represents the formal information system, and the remaining egg white represents the informal information system.

After reviewing this coordination analogy, we can say that the technical system fits steadily into the center, surrounded by the formal information system, which contains rules and regulations. Moreover, the technical system plays a submissive role as a result of adding more controls, policies and procedures to the formal information system, along with its relationships to the informal information system (Dhillon 2007). In terms of security, all three systems must be protected by implementing information system security, and the integrity of all three must be kept intact by implementing appropriate controls. Security management includes the deployment of a series of controls for each threat and vulnerability. Controls are defined by Ycesan (2002) as “the use of interventions by a controller to promote a preferred behavior of a system being controlled”. As per Dhillon (2007), there are three types of controls addressing the three systems, i.e. formal, informal and technical. An example of each is:

- Formal control: modifying the organization structure
- Informal control: security awareness
- Technical control: restricting unauthorized access

Formal controls provide assistance to technical controls, as they govern and address issues of integrity in applications and data that may lead to high risk and cost. In order to govern formal controls, the assignment of jobs and responsibilities is vital, as this allocation of duties and responsibilities sets the alignment with business objectives. Formal controls are associated with the management aspect, which deploys strategic security management practices. Security management will select employees from all departments of the organization where necessary.
Moreover, security management will address data protection legislation, security audits, regulatory compliance, legal and insurance issues, hiring criteria for employees, misconduct, risk assessment, incident management and response, etc. Informal controls are associated with security awareness programs, considered a cost-effective tool to make employees aware of the ‘do’s and don’ts’ when accessing data or information resources. As the risk environment is constantly changing, a comprehensive education and security awareness program is extremely important; it will conduct periodic awareness sessions for new employees, for new technology, or for any relevant risk that needs to be addressed. Therefore, the security awareness program should be considered a ‘common belief system’ (Dhillon 2007). Lastly, technical control is not limited to authentication of a user and the assignment of proper rights on an application or operating system. In order to apply confidentiality to data, organizations adopt encryption, hashing and encoding methods; likewise, the smart card is the most popular one (Dhillon 2007). Moreover, to provide non-repudiation, digital signatures are deployed through a third-party certificate authority. However, the cost of technical controls must be justifiable and cannot exceed the cost of the asset. After implementing technical controls, the job is not finished. For instance, if a technical control is applied on a network segment to detect electronic eavesdropping, it may still be possible for an employee to overhear a confidential conversation through the back door of his senior manager’s office. Although there are no significant cases available, a risk element is always present. In order to address residual risk, standards must be created that are also considered the minimum acceptable security.

3 Technical System Security

Before defining the security architecture or strategy, there is one question every organization must ask itself: why do I need information system security? After identifying the purpose, there is a requirement to identify weaknesses or vulnerabilities along with their impact and types. Organizations have to consider the backdoors and weak points that may allow or trigger threats to disrupt business operations by compromising an asset or information system. Moreover, a holistic approach is required to address all risks and vulnerabilities, as every minor vulnerability can expand by cascading into other risks in the system. From a technical standpoint, what needs to be protected: hardware, applications or data? That is a question each organization must answer itself, and it can only be answered by identifying and categorizing threats. As per Dhillon (2007), threats are categorized as modification, destruction, disclosure, interception, interruption and fabrication, and apply to hardware security, data security and software security. Modification is associated with changes or alterations in data, with or without purpose; it can be performed by an employee or by software. Effective change management and configuration management procedures, along with documentation, are the most effective controls for minimizing security vulnerabilities that may arise from incompatible modules or hardware modifications to the system. Destruction is associated with physical damage to a hardware device, network device or software. Destruction of a hardware or network device includes spilling of water, inadequate configuration, voltage variations, etc., whereas software destruction can result from malicious code, a Trojan, or the unintentional deletion of the kernel of an application. Similarly, data can be deleted intentionally or unintentionally, and can also be lost through a malfunctioning device. Disclosure of data is governed by confidentiality, i.e. the need-to-know basis.
Data is easy to steal because the original copy still seems intact in spite of the theft. Data can be classified into many types, again depending on organizational requirements. For instance, trade secrets, upcoming financial results or long-term strategic plans of the organization can be classified as top secret, whereas customer information can be classified as confidential. Organizations conducting business online collect customer information via websites. Data can also be intercepted through unauthorized access to computing and electronic resources; moreover, unauthorized remote access can result in information being accessed from a remote location. Interruption affects system availability and may result from malfunctioning hardware or a power outage. Interruption of services can also be caused by a broadcast storm or network congestion, which may cause denial of service. Lastly, fabrication refers to the insertion of forged transactions into a database. Fabrication is often conducted by unauthorized parties in a way that makes it difficult to distinguish the authentic transaction from the forged one. One example of fabrication is called ‘phishing’. In order to implement technical system security, encryption is the best control so far for protecting the integrity of data. Encryption encapsulates the data by ciphering it into another form using public and private key encryption; asymmetric and symmetric encryption techniques are chosen according to requirements. Moreover, non-repudiation can be provided by third-party certificate authorities. The file system can be protected by keeping system updates current, maintaining and updating antivirus, and disabling unnecessary accounts and services. Likewise, access management of a system can be maintained by a strong password policy, deactivating the administrative account on critical systems, applying an account lockout policy, etc. Furthermore, network security can be implemented by deploying an efficient software- or hardware-based firewall, installing anti-spyware/adware, deactivating remote access, etc.

4 Formal System Security

Management of information system security requires the development of an organizational structure and processes to ensure adequate protection and integrity. Likewise, to maintain adequate security, an appropriate organizational relationship is required to maintain the integrity of roles and responsibilities. Moreover, a major strategy and policy is required to maintain and manage information system security. However, information system security will not be effective if the organization does not realize that information security must be considered a top-level management responsibility. Information security management must be driven by the board of directors and aligned with corporate governance. Corporate governance is defined as “the system by which the corporations are directed and controlled” (R. von Solms, Von Solms et al., n.d.). As it is the responsibility of the board of directors, if a top-down approach is not followed, there will be no effective security governance within the organization. Moreover, considering information security solely as a technical matter will result in the failure of the information security program. As technical controls can only prevent threats and vulnerabilities via a specific set of technical configurations, information security management is required to demonstrate performance through the measurement of security metrics; examples include dashboards and balanced scorecards that show the current and required information security state of the organization. However, implementing information security governance at the top level alone cannot resolve all issues, as it is a multi-dimensional discipline.
This is because information security management is a complex issue that must be reviewed and maintained on a periodic basis. Moreover, effective risk management should be in place so that organization-wide risks are identified in order to establish an effective information security management plan. Organizations must maintain a minimum acceptable standard that is considered the recommended best information security management practice. A corporate information security policy and its enforcement are essential; the policy acts as a management control and defines purpose, scope, ownership, standards, configuration requirements, enforcement and revision history. Likewise, this policy will provide comprehensive details and cover all aspects of protecting the organization’s information. Furthermore, in addition to information security governance, risk management, policy and policy enforcement, user awareness is essential. As the risk environment is constantly changing, every employee must be aware of effective practices and procedures for information security. A comprehensive training and awareness program by NIST addresses three levels of users, i.e. beginners, intermediate and professionals (Whitman and Mattord, n.d.). Each group is addressed by customized user awareness training sessions that also include a computer-based testing environment.

5 Informal System Security

Informal system security supports formal system security naturally within the organization. Formal systems cannot work alone unless employees accept them; likewise, the effectiveness of a control is directly linked to user acceptance. For instance, if a biometric attendance system is installed as a physical security control, user acceptance is necessary or else the control will not be effective. However, the severity of an improper informal system is not as high as that of formal and technical security. It is a fundamental concept that humans are resistant to change.
A few examples of factors that may introduce issues to information security management are:

- a department becoming computerized
- deployment of an ERP
- changes in management
- changes in reporting

In the above examples, there is a possibility that most employees will welcome the changes and some will not. However, addressing these issues is important, because if an employee resists change there is a possibility that he/she will handle information security procedures inadequately, introducing security risk to the organization. Training sessions targeting these groups of people must therefore be conducted to minimize such issues. The three systems, i.e. formal, informal and technical, and their coordination, demonstrate the technical, management and human interaction factors. Protecting data and information in an organization is a collaborative effort: the technical system acts as the core, including all the technical aspects, the formal system acts as the management aspect, and the informal system deals with the human element. The next section will address issues and acts related to data privacy and protection.

6 Data Privacy in E-commerce

Every organization that maintains and processes personal data, including data on living persons, data subjects and directly or indirectly identifiable information, is subject to the laws and regulations incorporated in the UK’s 1998 Act. The data protection principles state the conditions illustrated below (Flaherty, n.d.):

- Any personal data must be stored and utilized as per the law.
- In case of holding and utilizing data, justification must be given to the Information Commissioner.
- The personal data can only be used or disclosed to the people who are already mentioned in a registered entry.
- The justification mentioned in the register must be proportionate to the amount of data held. Moreover, the register must be organized and kept up to date.
- The information that is held must be safe and secure.
- There is no permission to hold the data for a longer period of time than necessary as per the register.
- The files must not travel across the borders of the European Economic Area.

These principles must be adhered to by every organization involved in personal information handling and storage. Organizations address personal data privacy issues by implementing technical, formal and informal controls. For instance, to protect a database maintaining personal records, database encryption, surveillance cameras, a security policy and user awareness sessions will be most effective.

7 Conclusion

The report concluded that technical, formal and informal systems are the three fundamental information handling systems within the organization. The technical system is identified as the egg yolk, the formal system is considered a boundary for the technical system, and informal systems are associated with human factors. In this report we have discussed all aspects of data security and privacy within an organization, and the conclusion on considering security as a management or technical issue is visible. Technical controls alone cannot provide information security assurance within an organization, as it is information security management that measures and monitors information security performance. Moreover, information security governance is extremely essential for managing an information security management program for any organization. Buy-in from senior management is essential for security expenditure and for importance at the upper level. Lastly, informal systems are addressed by awareness training programs targeted at specific groups, which may minimize the internal risks associated with humans, as humans are the biggest risk.

References

Dhillon, G., 2007. Principles of Information Systems Security: Text and Cases. Hoboken, NJ: John Wiley & Sons.
Flaherty, D.H., 1989. Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the United States. Chapel Hill: University of North Carolina Press.
von Solms, R., von Solms, S.H. and von Solms, R., 2009. Information Security Governance. New York: Springer.
Whitman, M.E. and Mattord, H.J., n.d. Management of Information Security. Course Technology.
Ycesan, E., 2002. Proceedings of the 2002 Winter Simulation Conference, December 8-11, 2002, San Diego, CA, USA (WSC'02). New York, NY: Association for Computing Machinery.