Evaluation Of Business Information System Security Policies: Case Study Of Government Departments - Coursework Example

? CCM2426: Individual Project Proposal ID Project Evaluation Of Business Information System Security Policies: Case Study Of Government Departments Table of Contents Table of Contents 1 Problem Definition 2 Global aim 3 Objectives Plans and Controls 4 Evidence of Requirement 5 General Context Description 7 Proposed Research Methodology 8 Product description 10 Deliverables 10 Testing the Outcome 11 Resources 11 Project Plan 12 Work Breakdown structure 12 Milestones 12 Project Time Schedule 12 References 13 Key words: Business Information System, Security Policies, Government Departments Problem Definition Beaver (2008) says that the security of business information must be given the highest priority by government departments irrespective of their size. Therefore, it is important that government departments are able to identify and prevent security threats on their business information systems. Kadiyala and Kleiner (2005, p. 164) add that government departments are finding it challenging to find the right expertise on the issue of business information security. Additionally these departments are less informed about the security issue that relates to business information both within the organization and externally and as a result less investment has been put on securing business information systems within these departments. Qing, Zhengchuan, Tamara and Hong (2011, p. 54) point out that the greatest challenge government departments face is adequate support from the government in enforcing security within their business information systems. Moreover, the management team within government departments is not portraying adequate commitment and support for security programs adopted by these organizations. Kokolakis, Demopoulos and Kiountouzis (2000, p. 107) says that an information system security policy is essential for developing and adopting appropriate security practices within organizations. Therefore the support of the management team for the information security policy is required to ensure successful endorsement and implementation of security measures. Business information policies within government departments must comply with nationally and internationally set standards. Additionally Rainer, Marshall, Knapp and Montgomery (2007, p. 102) assert that acquiring skilled security expertise to manage the security issues related to business information systems has become a challenge because of the shortage of skilled human resource in information security. Within government institutions, there is internal misuse of sensitive information which has a negative implication on the image of the organization and the morale of the employees. Rajendran and Vivekanandan (2008, p. 14) explains that security threats within organizations have caused misuse of valuable information and this situation is becoming worse with the increase in the size or organizations. Therefore an information security policy is necessary for government departments that will ensure that business information and data is sufficiently protected from unauthorized entry into systems and misuse. According to Beaver (2008), an information policy acts to demonstrate the holistic information security situation within an organization, the acceptable code of conduct for information security and behavior that is unacceptable in addition to the commitment of the management and the organization in general to the security of information within business information systems. Global aim The main aim of this project is to propose an evaluation model for the assessment of the business information security policies which would be applicable in the evaluation of the status and thus the effectiveness of the departments’ information security policies. The project also evaluates the security policies in relation to the international best practices and standards. Therefore during the project, the areas within government departments which do not meet the international standards for an information security policy will be identified. Through this project a research will be conducted which will provide adequate and valuable information to the government departments so that they would come up with proper policy strategies which will sufficiently secure business information within their information systems. Additionally, the project will be valuable in recommending or proposing the training needs for the staff within government departments so that they would be equipped with guidelines for complying with information security policies and therefore leading to securing of information within business information systems. Objectives Plans and Controls 1. To identify the security threats and the related countermeasures within business information systems of government departments 2. To study the international standards and best practices in addition to the structure of a business information security policy 3. To identify the evaluation models for proper assessment of the business information security policies within government departments. 4. To evaluate the information security policies within government departments in relation to the international standards The plan for the achievement of the project objectives include making a well designed questionnaire which will be based on the projected outputs of the research. The designed questionnaire will also be based on the international security policy standards and the models for the evaluation of the information security policy. The objectives will also be met through a plan of a sample for the interviews and questionnaires. The controls which will act as guidelines for meeting the research objectives are the internationally accepted information security policies from the standpoint of which the policies of the government departments will be evaluated during the research project. Evidence of Requirement According to Kokolakis, Demopoulos and Kiountouzis (2000, p. 109), computer systems provide an efficient and effective method of managing business information and as a result government departments have found business information systems to be essential and very valuable tools for business functions. Despite the advantages that the information age and the application of information systems have brought to government departments, there are many potential security threats to the organizations, the staff and the society in general. Kadiyala and Kleiner (2005, p. 167) illustrates that the security threats to the security of information within business information systems include privacy issues, computer crimes, ethical concerns, virus attacks and unauthorized access and misuse of information. Rainer, Marshall, Knapp and Montgomery (2007, p. 103) emphasize that information security is the most important issue in the transactions within any information system. Moreover, managers play a vital role of facilitating the promotion of information security within organizations. Salmela (2008, p. 185) demonstrates that an information security policy is a very important tool which acts as a guideline for organizations in overcoming the security threats and challenges which are associated with the use of information systems. According to Rajendran and Vivekanandan (2008, p. 15), government departments have been the target of information system attackers and as a result they have experienced increasing rate of security attacks and breaches to their business information systems which calls for the need to determine whether their information security policies are adequately sufficient. The security policies of many government departments have often failed to safeguard the sensitive information within the information system databases because they do not meet the recommended international standards as explained by Myler and Broadbent (2006, p. 43). There have been numerous attacks of information systems within government departments such as virus attacks and unauthorized access to private information of public sector employees which has portrayed a negative image on the government sector departments. As a result, it is important that the government departments’ information security policies are evaluated to determine if they cover all the necessary areas of information security in addition to finding out if they meet the international standards. Information is perceived by Qing, Zhengchuan, Tamara and Hong (2011, p. 57) as the most important asset of business organizations including government departments. The power of business information is demonstrated by its use in attaining a competitive advantage over rival business organization. The ability of an organization to adequately utilize its information resources determines its success within the business environment. The value of information therefore shows that it must be safeguard from the possible security threats through an elaborate information security policy. Government departments are less competitive as compared with business organizations within the private sector. This can be attributed to the inadequate use of information resources for facilitating organizational success and the vulnerabilities of the information within its systems to security attacks. Tejay (2008) says that presence of a security by itself does not mean that an organization is protected from the security threats which target its information systems. A security policy should first meet the required standards, be supported by the management and implemented in ensuring security of information that is contained in business information systems. General Context Description According to Salmela (2008, p. 185), information security describes the process of protecting individual or organizational information including its critical elements form security threats. The security of information within business information systems include protection of computer hardware and business application software from damage or theft and the prevention of misuse of the information or data contained therein from misuse. An information security policy should cover aspects of information security such as controlled systems access, proper management of the information system user accounts and protecting the systems from malware as illustrated by Tejay (2008). In addition, an information security policy should provide for the services which ensure that systems are secure from both internal and external attacks. These services include confidentiality, availability and integrity and they are the basic parameters which are used to evaluate an information security policy to ensure that it meets international standards. An information system policy must ensure that organizational information within information systems id confidential. Myler and Broadbent (2006, p. 44) explain that confidentiality of information means that measures are put in place to ensure that it is only the authorized users who are given the authority of accessing specific information within an information system. Integrity of information on the other hand means that it is freed from all forms of corruption, destruction, disruption or damage and hence it must remain in its authentic state. Violation of information integrity may emanate from within the organization or from external attackers and it involves unauthorized access and misuse of information when it is being created, saved or transferred along communication systems. According to Qing, Zhengchuan, Tamara and Hong (2011, p. 60), availability of information means that an information system should be able to provide relevant information to the authentic users at any time when the information is desired or needed. Moreover, availability implies that authorized users of information or data within an information system are protected from obstruction or interference when they attempt to access or use the information. Therefore an information security policy is an essential tool which provides guidelines for ensuring that information within business information systems id confidential, available and full of integrity. According to McGee, Bastry, Chandrasekhar, Vasireddy and Flynn (2007, p. 41), the international standards for an information security policy stipulate that it must cover three major aspects and these are standards which cover administrative, physical and technical controls. Standards which cover the physical environment of information systems such as systems which protect computer systems from unauthorized access should be contained in an information security policy. Technical controls include policy specification of the standards through which sensitive data can be accessed and used over computer networks. The administrative controls are provisions of an information security policy which ensures that the human factors which include organization personnel are appropriately managed in relation to priorities in accessing information contained in business information systems. Tejay (2008) explains that the provision of these controls in an information security policy ensures that confidentiality, availability and integrity of information are guaranteed within business information system services. Proposed Research Methodology The proposed research methodology of the project involves the appropriate approaches that will enable the research to attain its objectives and the problems stipulated within this project proposal. A case study methodology will be employed in the study in which government departments will be a centre of focus or the project. According to Myers (2011) and Schniederjans, Schniederjans and Schniederjans (2009), case studies are suitable research designs because they narrow down the focus of a study to ensure accurate data is obtained which is used to come up with general inferences about a specific topic or problem. The proposed research will employ a study design that is aimed at evaluating government departments in relation to the effectiveness of their information security policies in ensuring that their business information systems are adequately secured. A random sampling technique will be used to select 15 government departments for the study. This technique is suitable because it ensures that there is no bias in the selection of the government departments and hence various departments will be selected randomly from all sectors of the economy which include education, agriculture, health, tourism, public works and municipal government. The collection of data for the information security policy evaluation project will be collected using a survey questionnaire. The questionnaire is will be used as the most appropriate method of collecting data from Information Technology staff within the selected government departments. It is through the survey questionnaires that the IT personnel will adequately express their opinions and views on the commitment of the departments to the issue of information security. Moreover telephone interviews will be conducted which will target IT staff in the selected government departments. The telephone interviews will be used because they are the most appropriate means of verification of facts and information on the study topic. Through the questionnaires data will be collected from information security managers and IT officers within the selected government departments to determine the compliance of the organization to the international standards of information security within their policy. Product description The product of the project includes facts and opinions that are gathered by the data collection tools. The facts obtained will be related with the objectives of the project and thus will include a list of information security threats within government departments’ business information systems. Factual information on the provisions of the international standards organizations on the best practices and structure of an information security policy will be provided in the project. Opinions of the IT personnel within these departments on the compliance of the departments to the international standards of information security are also included in the products of the project. Deliverables The project will produce both qualitative and quantitative data on the information security policies of government departments’ business information systems. The use of questionnaires as the project methodology will produce quantitative data which will be analyzed through statistical analysis tools. According to McGee, Bastry, Chandrashekhar, Vasireddy and Flynn (2007, p. 45) quantitative data as a product of a qualitative research is important in the determination of facts and testing of theories. Additionally, quantitative data helps a researcher to analyze statistical data so that relationships can be drawn between related concepts. The deliverables of this project include facts on the international standards on information security policies and the relationship of the information security policies of the government departments with the provisions of the international standards organization. Qualitative information will be obtained from the interviews as research tools and this includes the information collected from the participants of the research. The qualitative data will include the opinions of the IT managers and information security personnel on the implementation of standardized information security policies within the government departments. Testing the Outcome Testing the outcomes of the research project includes the analysis of the qualitative and quantitative data to enable accurate evaluation of the information security policies within government departments. Testing the project outcomes will be possible through the determination of the proper evaluation models of information security policies. The models used for testing the outcomes are the international standards on the structure of an information security policy. Comparison of the information security policies of the government departments with that provided by the international standards organization will be the best way of testing whether the departments are compliant. Analysis of the statistical data which is obtained from the IT personnel through the questionnaires will help in the evaluation of the state of information security policy and its effectiveness in ensuring that information resources are kept confidential, available and its integrity is maintained. According to McGee, Bastry, Chandrashekhar, Vasireddy and Flynn (2007, p. 41), the integrity, confidentiality and availability of information within a business information system is used in the testing of its effectiveness in ensuring that the information is secured from both internal and external attacks. Resources The resources that will make the project possible include the information obtained from the IT managers and information security officers within the selected government departments. Additionally, the international standards organization will provide the accepted standards of information security policy including the structure of the policy. The data collection methods that will make the collection of information from the identified resources possible are the questionnaires and interviews which will provide both quantitative and qualitative data. Project Plan Work Breakdown structure Level 1 Level 2 Level 3 Business Information System Security Policy 1.1 Initiation 1.1.1 Evaluation and Recommendations 1.1.2 Project Sponsor Reviews 1.2 Planning 1.2.1 Create Preliminary Scope Statement 1.2.2 Determine Project Team 1.2.3 Develop Project Plan 1.3 Execution 1.3.1 Project Kickoff Meeting 1.3.2 Initiate Project 1.4 Control 1.4.1 Project Management 1.4.2 Project Status Meetings 1.4.3 Risk Management 1.4.4 Update Project Management Plan 1.5 Closeout 1.5.1 Preparation of Project Report 1.5.2 Presentation of the Report Milestones Accessing the information technology managers and information security would be difficult because of the sensitivity associated with their work. Difficulties in accessing documents such as security policies of the government departments are likely to be experienced because access requires a bureaucratic approval by senior officers. Project Time Schedule The project was conducted in a span of six weeks with the various activities being represented by the project schedule in the Gnatt Chart below. Activities/Weeks Week 1 Week 2 Week 3 Week 4 Week 5 Week 6 Initial Preparation Obtaining Consent Data Collection Data Analysis Preparation of the Project Report Presentation of The Project References Beaver, K. 2008, Making the Business Case for Information Security, Cygnus Business Media, United States, Fort Atkinson. Kokolakis, S.A., Demopoulos, A.J. and Kiountouzis, E.A. 2000, "The use of business process modeling in information systems security analysis and design", Information Management and Computer Security, vol. 8, no. 3, pp. 107-116. Kadiyala, R. and Kleiner, B.H. 2005, "New Developments Concerning Business Information Systems", Management Research Review, vol. 28, no. 11, pp. 164-170. Myler, E. and Broadbent, G. 2006, "ISO 17799: Standard for Security", Information Management Journal, vol. 40, no. 6, pp. 43-44. Myers, G.T. 2011, "Research Methodology by Numbers - a teaching tool", Electronic Journal of Business Research Methods, vol. 9, no. 1, pp. 66-77. McGee, A, Bastry, F, Chandrashekhar, U, Vasireddy, S, and Flynn, L 2007, 'Using the Bell Labs security framework to enhance the ISO 17799/27001 information security management system', Bell Labs Technical Journal, 12, 3, pp. 39-54. Rainer, R.K., Marshall, T.E., Knapp, K.J. and Montgomery, G.H. 2007, "Do Information Security Professionals and Business Managers View Information Security Issues Differently?", Information Security Journal, vol. 16, no. 2, pp. 100-108. Rajendran, R. and Vivekanandan, K. 2008, "Exploring Relationship between Information Systems Strategic Orientation and Small Business Performance", International Journal of E-Business Research, vol. 4, no. 2, pp. 14-20. Salmela, H. 2008, "Analyzing business losses caused by information systems risk: a business process analysis approach", Journal of Information Technology, vol. 23, no. 3, pp. 185-202. Schniederjans, M.J., Schniederjans, A.M. and Schniederjans, D.G. 2009, "Operations research methodology life cycle trend phases as recorded in journal articles", The Journal of the Operational Research Society, vol. 60, no. 7, pp. 881-894. Tejay, G.P.S 2008, Shaping strategic information systems security initiatives in organizations, Virginia Commonwealth University. Qing, H, Zhengchuan, X, Tamara, D. and Hong, L 2011, 'Does Deterrence Work in Reducing Information Security Policy Abuse by Employees?', Communications Of The ACM, 54, 6, pp. 54-60. Read More