Security Plan for ABC Information Systems - Research Paper Example

? Security Plan for ABC Information Systems No. of words Unit number: Study Period: DECLARATION This project is an original one and not a duplicate from a different system. No duplication or any reproduction of this security plan information system document should be done without permission from the author. Candidate…………………………… Supervisor………………………….. Sign…………………………………. Date………………………………. Table of Contents Title Page……………………………………………………………………..1 Declaration……………………………………………………………………2 Introduction…………………………………………………………………...5 Background information of ABC……………………………………………..5 System Environment…………………………………………………………..7 Objectives of the security plan………………………………………………...7 Availability…………………………………………………………….8 Integrity………………………………………………………………..8 Confidentiality………………………………………………………....8 Scope of the system……………………………………………………………10 Logical flow……………………………………………………………………10 Organization’s information holdings that may be at risk……………………….11 Physical holdings at risk........................................................................12 Human holdings at risk…………………………….....…………….…12 Electronic holdings at risk.............................................................…....12 Actual and potential threats to the organization’s information holdings……….13 Physical threats………………………………………………………….13 Human threats…………………………………………………………..13 Electronic threats……………………………………………………….14 Counter- measures against the threats facing information holdings……………..14 Physical counter- measures…………………………………………….14 Human counter- measures……………………………………………..15 Electronic counter- measures…………………………………………..15 Security education and awareness programme………………….………………..16 Conclusion…………………………………………………………………………19 Recommendation…………………………………………………………………..19 Security Plan for ABC Information Systems Introduction An information system forms a fundamental component in the provision of communication services to human beings. Based on the definition, it is quite prevalent that the input of raw data, output and feedback are some of the components of an effective information system (Bentley & Whitton, 2007). According to the discipline of computer sciences and information technology, an information system can be defined as the combination of software, hardware, telecommunications, human resources, procedures and policies used in the organization to convert data to useful business information and databases. This paper will discuss a probable security plan for ABC information systems. Background information of ABC ABC has a well established security team which aims at overseeing the security of the information systems in both deliberate and accidental threats. The implementation and maintenance of information systems within organizations is extremely expensive. However, adequate planning enables the organization to develop an effective information system. Research asserts that most organizations spend approximately 6% of their total gross income in developing and maintaining an effective information system (Goodrich & Tamassia, 2010). Therefore, most of the chief information officers in organizations are strictly monitoring the amount of funds, which are spent in the purchase of hardware and software in the organization. The planning usually entails clear identification of some of the needs of the organization. This is because the development of an effective information system aims at addressing a critical need in the security of information in an organization. Therefore, this proves that the planning and implementation of an effective security plan for information systems is quite similar to the strategic planning that is involved in business management. In the recent past, most of the information systems are developed as new technologies, which intend to solve data management and processing issues (Lawrence, 2002). The information security plan of an organization also states some of the policies that govern the IT practices and practices of the organization. In this case, the policies define the objectives, plans and protocols of ABC information system. Furthermore, the policies also maintain proper control over the information systems in the organization. The information provided highlights that the information security plan is typically designed to protect the critical information and data resources in an organization. If an information security plan is implemented in ABC information systems, the business is assured of continuity, minimized risks and maximum returns especially on investments (Lawrence, 2002). The federal agencies have a paramount responsibility of identifying some of the computer systems that contain vital information about ABC. This enables them to implement a plan for the safeguard and confidentiality of the data contained in the system (Lawrence, 2002). The federal systems comprise on high levels of sensitivity in an organization hence; ABC must be secured by the policies contained in a strategic security plan. According to federal law, the security plan, which is implemented to protect the information systems, is viewed as documentation of the structured procedure. The structured procedure reflects on the input from the management of the organization (Calabrese, 2003). This enables the security system to demarcate the responsibilities of the individuals who have access to the system. As stated above, the general purpose of the security plan comprises of the provision of an overview of the security of the information. In this security plan, there are various findings related to the security controls of ABC information systems that need to be corrected. System environment ABC is housed in a detached multi-storeyed building in the CBD of an Australian city. The control environment of the organization is significantly influenced by the operations of the employees in the organization. The executives in all the departments of the organization also form a local control environment which is a foundation for most of the components of an institution. The employees and the executive staff of ABC should also preserve professional and personal integrity to maintain competence hence, accomplishing the assigned duties and also understanding the importance of developing proper internal controls (Bill, 2011). This ensures that they are liable for the activities of ABC which enhance the achievement of the organization. Objectives of the security plan for ABC information systems The main objective of system security planning is based on the improved protection status of IT resources in ABC. Therefore, the security plan will provide a basic overview of the information system of ABC by defining the controls and some of the critical elements that have been implemented in the organization. The information system security plan of ABC is supposed to follow some of the critical guidelines that are presented by several organizations and departments. It has been discovered and calculated that information categorization relies on three main security objectives. These objectives include availability, integrity and confidentiality (Bill, 2011). Availability This objective ensures a timely and dependable access to the use of information. If this objective is disrupted, then, access and use of information can have a diverse effect on various aspects in the organization. For example, the general operations of the organization will be affected significantly hence; the assets of the organization are placed at a risk (McCarthy, 2009). This can also affect the employees of the organization who are considered as information resources. Integrity This objective mainly deals with securing the organization and the information system against improper information modification or even destruction. Therefore, this ensures that the information is authentic and not repudiated. However, if there is unauthorized disclosure of the information to other sources, the authenticity of the information is altered entirely. This is because the organizational assets and operations are affected by the modification of the information system (Bill, 2011). Confidentiality This aspect of confidentiality preserves authorized restrictions on information access and disclosure to other individuals. Confidentiality ensures that personal privacy and proprietary information are strictly enhanced (Reynolds, 2009). Therefore, unauthorized information disclosure has a catastrophic effect on the general operations of the organization. Systems which have a section for personal identifiable information also enhance the security of information (Reynolds, 2009). The information policies should also be implemented in support to the goals and objectives of ABC to satisfy the ethical and legal issues in correlation with the IT resources. These policies also serve as overarching guidelines that enable the management and implementation of information security in ABC. The security team that was set up by ABC is supposed to protect the information holdings of the business organization. The business organization consists of a staff of sixty employees. The strategic vision of this security team is correlated with the objectives of the information technology department. The security team will enable ABC to meet the requirements of their customers and also the legal objectives. These objectives must be established prior to the management of risks by the executive members of the organization (McCarthy, 2009). In overall, the objectives are directly related to the efficiency and effectiveness of achieving the financial goals and also safeguarding the information resources against any damages or alterations (Glen, Maister & Bennis, 2002). As stated in the introductory section, the security team of ABC has a crucial role of overseeing the security of information from deliberate and accidental threats. According to a recent audit of the information security system in ABC, it was discovered that the security team was deficient in certain areas (Vacca, 2009). Some of these areas include incident response, disaster recovery and business continuity, social engineering exploration or personnel, poor password security and an apparent lack of personnel awareness on the various contemporary threats to information. This proves that the security team needs an enforcement program to implement the information security plan in ABC. In addition, the audit also examined the technical systems in ABC. According to the compiled report, it was quite clear that the technical systems were effective in maintaining the database of the organization. This is because the document management security was occasionally serviced by the IT team of the organization (Tipton & Krause, 2003). Scope of the system The proposed security plan of ABC is applicable in all the departments of the organization. The scope of the system also entails the software, hardware and the information resources. The individuals who are within the scope of ABC’s policy are responsible for complying with the policy of the organization to boost proper security of the information resources. The ineffective nature of the security team should trigger ABC to widen the scope of privacy and security protection of the information (Tipton & Krause, 2003). This is because the current security status of ABC might have resulted from a random or ad hoc approach. Logical flow The logical flow of information in ABC should be enforced critically. The information system should be controlled according to the policy of the organization. In addition, the arrangement of the data in this documentation is also supposed to be presented logically in order to support some of the contentious topics related to the security plan of ABC. This research paper consists of several topics, which substantially talk about the security plan of the information systems in ABC (Tech Target, 2002). The ideas in this research paper have been arranged logically to explore the value of the information systems. The last part of the essay summarizes this study and also presents the conclusion of the research information related to the information systems of ABC. This paper uses several sources of secondary research information including publications, internet-based articles and other periodicals that have the relevant information in information systems. These information sources have been used to address the deficient areas in the security team. This will enable the security team of ABC to oversee information security against any threats (Tech Target, 2002). Identify and describe the organization’s information holdings that may be at risk In the contemporary business world, information is considered as the main aspect of an organization. The information assets provide most of the data that defines the general activities of an organization. In ABC, there are several information holdings that are at a risk due to the incompetent nature of the security team. As the head of the security team in ABC, the management requires a proper security analysis and planning to improve the security of information in the organization. Therefore, the main task is to identify and describe the physical, human and electronic information holdings that are a risk to damage or modification (Ponemon Institute, 2009). This will involve a clear description of the actual and potential physical, human and electronic threats to the information holdings of ABC. In addition, the task also entails the development of a security plan which describes some of the counter measures which will manage some of the threats which place the information of the organization at a potential risk (Ponemon Institute, 2009). Therefore, this research paper will include a comprehensive information security awareness programme that can be used by the management, staff members and contractors of ABC. In ABC, some of the information is stored in business records. However, most of the crucial information is stored electronically in several file shares and data repositories. Most of this information is used to sustain and facilitate the operations of ABC hence, supporting most of the predictive information such as planning and budgeting. Physical holdings at risk Physical security involves proper design and use of measures to prevent unauthorized access to most of the assets of ABC. In addition, physical security provides various measures, which safeguard the employees from violence (Australian Government, 2012). Research asserts that some of the information in ABC is stored in the business records. Therefore, the business records are significantly affected by several threats. Human holdings at risk The human resources are also affected in several ways. Therefore, ABC should be responsible for the health and safety of their employees. This will also protect the information possessed by the human resources who in this case are employees of ABC (Bill, 2011). The responsibility of ABC also extends to a situation whereby the employees are placed under various threats. The evaluation of some of the risks posed to the employees enables ABC to protect their employees against any threats from outside parties. Electronic holdings at risk In most organizations, the official information is stored in the electronic media. In most cases, this form of information is unstructured stored and unmanaged. Individuals are supposed to determine the significance and the value of the information assets in order to determine some of the potential risks. According to the security policy in several organizations, the material assets are extremely vital in the organization (Kindon, 1984). The electronic information holdings are at a great risk of damage compared to physical holdings and human holdings. The electronic holdings of ABC have several types of information including trade secrets and technical information regarding the organization. This information is confidential to the authorized employees of the organization. This is because any form of disclosure of this information has several side effects to the company. For example, the business can suffer financial loss or gain depending on the situation. This information may also interfere with some of the negotiations with a third party hence, affecting business deals (Queensland Government, 2011). To avoid this, ABC can set up electronic access control mechanisms to validate authorized staff only. In severe conditions relating to data disposal, ABC should ensure that the data is properly disposed. Identify and describe the actual and potential threats to the organization’s information holdings Physical threats There are numerous threats, which are posed to the physical holdings. Some of the most common threats posed to physical holdings include theft, fire, temperature, bomb threats, hazardous materials, power failures, evacuations, water, humidity and civil emergencies among others (Queensland Government, 2011). ABC should develop a strategic plan to heighten the safety in case of any emergencies in the organization. This will minimize the risk of information and threats of any equipment being made inaccessible. Human threats Some of the threats facing human holdings include violence, stalking, assault, threatening messages, terrorism and receiving of potentially hazardous materials. The current notion of the government in most countries states that organizations should evade the use of human and financial resources as additional safeguards for information. This will prevent the information against bias, human errors, mischief and inattention to some of the critical procedures (Turban, 2010). The organization can also conduct an assessment to ensure that the risks and the threats posed to the employees in the organization are minimal. Electronic threats These electronic information holdings comprise of computers and network facilities that provide off-site storage for most of the critical media (McNab, 2004). This is because issues related to the management of records extend beyond the business processes. Mismanagement of the electronic information holdings also poses a catastrophic effect on the operations of ABC. Document management procedures enable the employees of the organization to manage the electronic and physical records effectively. The implementation of security measures in the electronic holdings also creates a business continuity plan. An interruptible power supply also affects the storage of information in real-time. Design a security plan that describes counter- measures that will manage the threats to the organization’s information holdings Physical counter- measures ABC should employ fire detection systems that can be activated automatically to notify the employees in the event of a fire (Australian Government, 2012). ABC should also set up an automatic emergency lighting system which is activated automatically whenever there is a power disruption. In addition, the organization is supposed to maintain a reasonable amount of temperature and humidity levels within the facility. Lastly, the information can be protected from water damage by ensuring that there are no broken plumbing lines and that the shutoff valves are working correctly. Human counter- measures ABC can also apply some of the stringent prevention methods to its employees to protect the information. This ensures that the information can only be accessed by sanctioned personnel. In this case, all the authorized individuals are supposed to wear an identification badge that is visible (Australian Government, 2012). The badge is supposed to have a passport size picture and detailed background information about the employee. These access rights should also be reviewed regularly and updated by the security team of ABC. ABC should identify all the potential threats posed to the human resources of the company. On the other hand, the employees are also supposed to report any incidents which threaten their livelihood to the management of the company and to the law enforcers (Bill, 2011). This will enable ABC to extend their protection and support to the close relatives of the employee against any harm by outside parties. Employees who request access to the data center of ABC can be enrolled in a structured and documented procedure to ensure the integrity of the individual. Electronic counter- measures In this case, the computers and electronic media are properly sanitized prior to disposal. The electronic communication networks can also be protected to ensure maximum security of information (Leedy & Ormrod, 2005). This includes backup protection, boundary protection, encryption of data and protection of the information system against any malicious codes. Proper operations management prevents the computing resources of ABC from loss or any compromise. This also includes storage media, the processing equipment and the printers among other devices. Some of the contemporary data protection strategies include backup and recovery, remote data movement, storage system security, data and information lifecycle management. These methodologies are supposed to be employed together to form a strong and effective data protection strategy. Backup and recovery is the protection of crucial data through making offline copies, which can be restored in case the data is corrupted (Anderson, 2001). These methods of data protection ascertain the complex and critical nature of information security. This is because most of the organizations in the world including ABC claim that information must be treated like an asset for success and sustenance of the organization. ABC can also consider setting up an alternative power supply to counteract power interruptions. The organization can also identify a potential storage site in the event of a disaster which affects the information. Develop a comprehensive information security education and awareness programme for use by management, staff members and contractors An effective awareness and training scheme is quite essential for the protection of the information of ABC. As stated previously, the primary goal of the information security management system is to ensure that all employees in ABC have prior knowledge concerning the security policy that has been deployed by the security team. ABC does not have the capability to safeguard the veracity of its information due to the highly networked environment (Hoffer, George & Valacich 2010). Therefore, the security team that has been employed has a mandate of managing the information by the organization by ensuring that the information is not revealed to the outside parties. The management, staff members and contractors in ABC should have a generalized understanding of the security community that is aimed at protecting the IT resources. This information security training and awareness program aims at defining all the responsibilities of all the personnel members involved in the security program. The security team will maintain and manage an information security training and awareness program for ABC (Vacca, 2009). The security team has set up a system which will secure sensitive and digital data. This includes the use of electronic media storage devices, laptops and communication via the internet. In all the departments of the organization, the department managers are recognized as the owners of the information. Therefore, they are entitled to maintaining the policies and standards of information security as defined by the security team. The information user has a responsibility to comply with the procedures, policy and standards of information security as presented by the department managers (Kindon, 1984). The successful information security system of ABC consists of several stages including the development of an IT policy which reflects the business demands. The system also ensures that the information users are informed about the security responsibilities as per the security policy. Lastly, they are supposed to establish processes for maintaining and reviewing the functionality of the system. In this case, the awareness program is not any form of training or education to the employees. Rather, awareness should be viewed as the first step in the development of a fully secure culture in the organization. According to various scholars, security awareness is crucial in ensuring that individuals are able to understand the role they play in the organization (Whitman & Mattord, 2010). This should enable the employees to understand some of the advantages of protecting the information of ABC. In addition, the security team also asserts that no staff member is supposed to go against the policies of the security system. Firstly, the awareness program should enable employees to understand the scope, goals and objectives of the system (Anderson, 2001). The main objective in the awareness of the information system is to ensure that the employees maintain an appropriate level of information protection. Secondly, it is also crucial for the stakeholders of ABC to include some of the main representatives of the organization in the enforcement of the security plan. The selected staff members who also act as trainers are supposed to have detailed knowledge regarding the policies and standards of the organization (Ward & Peppard, 2002). Thirdly, the security team should assess the needs of the organization and its employees. The training and educational programme must also be segmented based on the role of the employees in the organization (Anderson, 2001). Fourthly, the employees should understand how the programme benefits the organization. This should boost the attitude of the employees through motivating them to embrace the information security system (Anderson, 2001). Lastly, the security team can implement the information system after conducting a research on the current state of the information security in the organization. Also, violation of the policies set by the security team usually results to a disciplinary action that can include termination of employment or suspension of the duties of the violator. In severe cases, the disciplinary action can include a criminal prosecution (Whitman & Mattord, 2008). According to a recent audit that was performed in the organization, it was discovered that the technical systems were relatively efficient because they were serviced by the IT team. Conclusion In conclusion, the security team of ABC provides guidance in the development of the information systems. The security plan for ABC information systems addresses several needs that are lacking in the security team. As stated above, this security plan will address the issue of incident response, disaster recovery and business continuity, poor password security, social engineering exploitation of personnel and an apparent lack of personnel awareness of the various threats to information (Anderson, 2001). Therefore, the security team must also address some of the weak points established in order to enforce the information security of the organization. Recommendations 1. ABC should develop a computer backup storage 2. The security team of ABC should implement the policies and procedures for information security in the organization. 3. ABC should also identify some of the probable threats posed to the information of the organization to enhance its security. References Anderson, R. (2001). Security engineering: A guide to building dependable distributed systems. New York: John Wiley & Sons Press. Australian Government. (2012). Australian government physical security core policy. Retrieved from http://www.protectivesecurity.gov.au/physicalsecurity/Pages/default.aspx#Protection Bentley, L., & Whitton, J. (2007). Systems analysis and development (3rd ed.). Boston: McGraw-Hill Publishers. Bill, W. (2011). Protect, maintain information integrity to reduce business risk. Retrieved from http://content.arma.org/imm/May-June2011/IMM0511garpprotectmaintaininformationintegrity.aspx Calabrese, T. (2003). Information security intelligence: Cryptographic principles & applications. Wales: Delmar Cengage Press. Glen, P., Maister, D., & Bennis, W. (2002). Leading geeks: How to manage and lead the people who deliver technology. Boston: Jossey-Bass Publishers. Goodrich, M., & Tamassia, R. (2010). Introduction to computer security. California: Addison-Wesley Press. Hoffer, J., George, J., & Valacich, J. (2010). Modern systems analysis and design (6th ed.). New York: Prentice-Hall press. Kindon, J. (1984). Agendas, alternatives and public policies. Boston: Little brown publishers. Lawrence, S. (2002). Security in computing (3rd ed.). New York: Prentice Hall Press. Leedy, P., & Ormrod, J. (2005). Research and strategic communication (2nd ed.). New York: Prentice Hall Press. McCarthy, J. (2009). Risk management. Retrieved from http://www.cio.com/archive/111501/where.html McNab, C. (2004). Network security assessment: Know your network. New York: O’Reilly Publishers. Ponemon Institute. (2009). Electronic health information at risk: A study of IT practitioners. Retrieved from http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Electronic%20Health%20Information%20at%20Risk%20FINAL%201.pdf Queensland Government. (2011). Information risk management best practice guide. Retrieved from http://www.qgcio.qld.gov.au/SiteCollectionDocuments/Architecture%20and%20Standards/Information%20Standards/Current/riskmanagementbpg.pdf Reynolds, G. (2009). Ethics in information technology. Texas: Course Technology Press. Rhodes, M., Bragg, R., & Strassberg, K. (2003). Network security: The complete reference. New York: Mc-Graw Hill Press. Rusell, R., Grand, J., & Craig, T. (2004). Stealing the network: How to own a continent (Cyber-fiction). New York: Syngress Press. Tech Target. (2002). Security standards: Standard practice. Retrieved from http://infosecuritymag.techtarget.com/2002/mar/iso17799.shtml Tipton, H., & Krause, M. (2003). Information security management handbook (5th ed.). Boston: Auerbach Publishers. Treasury Board of Canada Secretariat. (2012). Security organization and administration standard. Retrieved from http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12333§ion=text#tphp Turban, E. (2010). Business intelligence. New York: Prentice Hall Press. Vacca, J. (2009). Computer and information security handbook. Arizona: Morgan Kaufmann. Ward, J., & Peppard, J. (2002). Strategic planning for information systems. New York: Wiley Press. Whitman, M., & Mattord, H. (2008). Principles of information security. Boston: Cengage Learning Press Whitman, M., & Mattord, H. (2010). Management of information security. Boston: Cengage Learning Press. Read More