
Network Security Risk Assessment - Term Paper Example

Summary
Advancement in technology has resulted in the development of innovative computing systems which have facilitated the functions of various organizations. The increasing complexity of information systems has resulted in information security threats …

Extract of sample "Network Security Risk Assessment"

Network Security Risk Assessment

Introduction

Advancement in technology has resulted in the development of innovative computing systems which have facilitated the functions of various organizations and institutions. The increasing complexity of information systems has resulted in information security threats which have infringed the right of individuals to privacy of information. This paper gives a critical analysis and discussion of Fast Distribution, Inc. (FDI) with a view to investigating its information assets, organizational risk, security posture and problems, leading to recommendations on ways to mitigate the information security problem within the organization.

Organizational Assets

Fast Distribution, Inc. has both human capital and equipment assets. These assets are important in facilitating the central role or functions of the organization. The necessity of the company's assets is revealed by their role in making its supply chain management business possible. The human resource, as a valuable asset, comprises the more than 3200 employees who work for the company to achieve its objectives. The human capital also includes the management of the company, which makes important decisions for the success of the company's coordination of warehousing, distribution, staging and transportation, in addition to the relationship with the wholesaler, Value Added Resellers and customers. In an information system, the people are the human resource and expertise involved in various organizational activities and processes. These include the clients, staff, management, suppliers and distributors (Dalanhese, 2007).
Data or information is one of the most important assets of the company because it helps the organization to function and survive in the business environment: it is applied to enhance all business processes and to compete favorably within the market. Since the company is automated, the information systems within its functional areas are also vital assets. The operations of FDI depend on technology, and thus the computing systems of the organization are crucial assets which keep the business activities of the company running efficiently and effectively. The networking within the organization illustrates the various component assets of the company's information system.

An information system is a combination of hardware, software, procedures, policies, people, information and data which is involved in the management of organizational business functions with the aim of meeting organizational objectives and goals efficiently and effectively. The hardware within information systems includes the physical aspects of the system, such as computer components and the related equipment. The software is a set of applications that are used together with the hardware to perform organizational or business functions effectively. The software applications include information processing systems, finance and accounting packages, anti-malware applications, statistical tools and word processing packages (Brown, 2003).

The hardware assets of FDI include its terminals or computers, servers, switches, routers, application mainframes and bridgeheads. The software components of the organization help to make the hardware function. The software applications of the company are important assets and include the operating systems for its servers and terminals, database management packages, and financial and human resource management systems. The software for management of the company's information systems is also an important asset for the company.
The software assets include transaction processing systems, which are a set of applications for processing the daily activities and processes of an organization. Decision support systems are other examples of information systems that are important in the decision-making process of an organization and thus serve as an essential tool for the management team. Management information systems are commonly used technologies which facilitate the management process of all functional areas of an organization (Dalanhese, 2007). Additional assets that are important for an organization include policies and procedures for the management of the information system to ensure that it is protected from possible security threats. Policies comprise the set standards for proper management of the information system according to the internal and universal norms of organizational functioning. Procedures are the steps that various activities and processes within the systems should follow to ensure that efficiency is enhanced and high productivity is achieved (Saleh, Refai and Mashhour, 2011).

Organizational Risk Assessment

The organization is faced with a security risk within its networked environment and information systems. Within information systems, individuals desire to have data or information about them kept safe from unwarranted, unauthorized access and from use for malicious intentions. Additionally, organizational data must be safeguarded from business rivals or malicious system attackers who would take advantage of vulnerabilities within the information system to gain access with the intention of causing damage to the system or accessing sensitive information without being authorized to do so (Dalanhese, 2007).
The company's WAN spans 81 remote warehouses which are interconnected with networked environments for data processing, which means that they would be prone to external attacks on the system with the malicious intention of accessing the accounts of the customers without being authorized to do so. The financial functions of FDI are located within a mainframe platform which has software applications for e-mail routing, HRIS and file storage. The proxy server, which acts as a routing gateway for the information system's internet connectivity, illustrates a possible point of vulnerability to security attacks on the system. The HRIS specifically, and the database within the file storage, would be possible targets of system attackers. The human resource information within the HRIS must be protected from potential threats to its privacy. Additionally, the accounts of the company's clients and the data within the file storage must be safe from security threats. This illustrates the importance of information security personnel within the company.

The concept of information privacy is closely interrelated with security because it is through secure systems that information privacy is made possible. Therefore, in the design, development and maintenance of information systems, information security must be considered because the cost of loss of data to a business organization is immense. Security breaches into private information held by organizations result in lawsuits, fines, insider trading, credit card fraud and a damaged reputation for the organization (Brown, 2003). The increased traffic of undefined origin across the company's DMZ is a security concern for the company. Moreover, there are security concerns about the relationship between the organization's data and its operations. This is revealed by the reports from the company's warehouses of slow network performance, problems associated with network latency and application timeouts.
The inefficiency within the company's information system is an indication of security concerns. Malware could spread from the internet and attack the company's information system, leading to slowed performance or an ultimate loss of functionality. Jacobson, the COO of the company, oversees a situation where the integrity, confidentiality and availability of FDI's information systems are compromised, and it worries him that this would bring the company to its knees. Confidentiality of the information will be ensured if the design of information systems aims at making information confidential and therefore hidden from all but the intended viewers (Amancei, 2011). Securing computer networks is essential in ensuring that data and information on transactions, in records, databases and communications, are confidential, authentic and integral.

Availability of information to the intended users in any information system is the most important aspect of the system because it reflects its functionality and ability to perform its intended purpose or goal. Therefore, security breaches to information systems which prevent the users of the system from accessing the information would cause unimaginable damage to the company. The accessibility of the company's databases through the internet by user accounts would lead to security breaches over the internet by attackers. Hackers may access information systems and company websites and destroy their functionality, which bars users from accessing useful information. Inability to find the required information at the required time will definitely cause loss of clients (Licari, 2005). The continuity of business activities and processes is made possible only if an organization's information system is functional (Dalanhese, 2007). Damage to information systems as a result of security breaches would result in loss of functionality and thus cause the organization to incur losses.
Moreover, failure of an information system usually leads to the loss of customer and investor confidence in the organization. These arguments illustrate that the issue of information privacy and the need for provision of security measures within information systems is a very important area of consideration for all organizations (Saleh, Refai and Mashhour, 2011).

Security Posture and Problems in FDI

The company seems to have no clearly defined information security policy and procedures to define the manner in which information and data exchanges take place, with a view to ensuring that their authenticity, functionality and availability are not violated. Moreover, the organization has limited management support for internal information technology expertise, as illustrated by the CEO, who prefers to outsource these services. The management of organizations and staff play a big role in the prevention of security breaches by driving security messages, policies and procedures to ensure that access to and use of information is authorized, secure and in accordance with the principles of information privacy. Information security within computer systems aims at safeguarding and protecting the integrity of information that is contained in the databases of organizations. Security measures which aim at protecting the integrity of information function to prevent alteration of data or information through deletion, insertion or modification (Brown, 2003). FDI lacks adequate IT competence and expertise, and as a result it has been outsourcing these services. Moreover, the company has inadequate IT staff to regulate the transfer of data within the various functional areas of the company so that authentication of data can be properly done to prevent security threats. There is also an increase in the demand for data as the number of the organization's clients increases.
However, the IT posture within the organization has inadequacies and thus limited capability of handling the large amount of data transfer in a secure manner. Companies should have an internal department which secures their information systems from both internal and external attacks (Amancei, 2011). The lack of a defined IT security function within the company means that roles for securing the company's information systems are not defined. Therefore nobody is responsible for upholding the privacy and security of information within the company's databases and user accounts.

The physical, operational, communication and personal security measures are inadequate within FDI's information system. Operational security for a company means that networks should be safeguarded from sabotage of the business functions, thus ensuring that business operations proceed without interruption (Dalanhese, 2007). Physical security involves securing the physical components of an information system from possible threats or danger. The physical components include the computer hardware and equipment. Computer components such as hard drives which contain sensitive information must be secured from theft, catastrophes, fire, vandalism and all forms of damage. The securing of these systems is meant to ensure that the information therein is free from unauthorized access and also safe from possible damage (Saleh, Refai and Mashhour, 2011). Information security in information system communication means that systems should be secured from communication of immoral or malicious content, while personal security means that people or users of computer networks and information systems should be protected from possible hazards that would result from the use of computing technology and related equipment (Amancei, 2011). These security measures should not be lacking within an organization which has implemented the use of information technology and systems.
Mitigation Strategy

Security breaches and infringement of the privacy of individual information have negative consequences that can be avoided, and thus organizations must endeavor to protect the confidentiality and integrity of information within their information systems, and make it available to clients, through proper protection of these systems from security threats. The management of organizations should recruit and retain employees who have professional qualifications and proper ethical conduct so that security policies are followed (Brown, 2003). Therefore it is recommended that FDI takes precautions to mitigate the security challenges that are faced within its information system. FDI must create an internal information system security function or department that will be responsible for securing its system from possible security threats. Information security considerations in a networked environment should ensure authentication of information and the use of safeguarding technology such as firewalls, digital signatures and encryption to protect information from unauthorized access, use and modification (Licari, 2005). This will be made possible in FDI if experts with information security knowledge and experience are hired to provide security for the company's information system. Encryption of information by the company's experts will help the organization to safeguard the information within its databases from unauthorized access and misuse of sensitive information. Additionally, it is important for the management to make sure that there is someone who keeps track of new developments in information security, including new vulnerabilities and attacks. The individuals responsible for information security can then hire independent auditors to evaluate the level of information security in the organization and use the auditors' recommendations to ensure that information is secure.
The security breaches which occur in organizations are usually attributed to the poor awareness of staff members on issues related to information security and privacy (Amancei, 2011). Therefore there is a need for FDI to train its personnel on the legal, social and ethical aspects of information security and privacy. Training will give employees sufficient skills and knowledge to protect information from possible security violations. The integrity of information will be ensured within an information system if its administrators are trained and qualified with skills that will help them to detect possible security breaches and alterations to information, so that appropriate measures are put in place to prevent further security and privacy violations. Therefore the management of the organization should advocate for training of its employees and create awareness of the reasons why their role in information security is critical. As a result, internal threats from employees to the security of information can be determined and monitored.

Operational, communication, personal and physical protection measures must be employed by FDI through its newly created information security department. The protection of the physical components of information systems is an appropriate security consideration that will allow the organization to incorporate a physical security plan to safeguard its information system from security threats. A security plan will set out the responsibilities of various employees in the promotion of information security. A good security plan for information systems will allow information security managers to ensure that the sources, collection, accuracy, storage and access to information follow the information security and privacy principles of the organization. The management team of FDI can prevent security breaches of its information system by launching and supporting internal campaigns in the organization to spread the word about information security.
The top executives should also partner with information security officers to ensure that their internal practices lead to security of information and the safeguarding of individual privacy (Brown, 2003). Moreover, the management team of the organization should determine the level to which the organization is compliant with the regulations and requirements of the industry on matters of information security. Furthermore, the management of the company should prevent future security breaches by ensuring that new employees are fully aware of information security policies and regulations. This will enable them to adhere to professional ethics in the use of information systems and thus reduce the risk of theft and misuse of data by employees, and at the same time prevent external attacks.

Conclusion

Fast Distribution, Inc. should ensure that information within its information system, including individuals' private information, is protected from unauthorized access, recording, use, disruption, disclosure, perusal, modification, inspection or destruction. This could be made possible through the support of senior management for the creation of an internal information system security function within the organization. Information technology experts of the company will effectively implement physical, operational, personal and communication security within the company's information system. Additionally, drafting and implementation of a security policy, and provision of training for staff on information security issues, will be enabled through the IT security function within the company.

References

Amancei, C. (2011). Practical methods for information security risk management. Informatica Economica, 15(1), 151-159.

Brown, T. (2003). Securing your clients E-information. Computer and Internet Lawyer, 20(10), 13-14.

Dalanhese, R. (2007). Information Security Program: How to develop an effective information security risk assessment. The RMA Journal, 90(1), 35-37.

Licari, J. (2005). Securing the information workplace: Managing threats to enterprise E-mail, IM, and document sharing environments. Information Security Journal, 14(4), 45-50.

Saleh, Z. I., Refai, H., and Mashhour, A. (2011). Proposed framework for security risk assessment. Journal of Information Security, 2(2), 85-90.
(“Network Security Risk Assessment Term Paper Example | Topics and Well Written Essays - 2250 words”, n.d.)
Retrieved from https://studentshare.org/information-technology/1395258-network-security-risk-assessment
