Role of Security Manager - Essay Example

Summary
The paper "Role of Security Manager" highlights that informal controls are associated with security awareness programs, considered a cost-effective tool for making employees aware of the ‘do’s and don’ts’ when accessing data or information resources. …

Introduction

Security is becoming a dominant and challenging factor for organizations, as it must address threats associated with physical security, system security and personnel. Every now and then, there are new security breaches resulting in massive losses for businesses in terms of customer privacy invasion, stolen credit card numbers, information leaks and revenue loss. As information technology is now considered the fundamental function for business automation, every organization acquires information systems for business automation and better provision of value-added services to gain a competitive edge. At the same time, security is becoming paramount as systems and applications grow more complex. Organizations are now seeking both technical and management experts to manage security.

A security manager must establish policies, standards, procedures and guidelines to create repeatable and documented security practices within the organization. Security breaches happen constantly, and periodic security risk assessment is required to address potential vulnerabilities and mitigate threats by implementing controls. Moreover, security governance is considered a prerequisite for establishing a security management program within the organization. Security governance helps create awareness among the senior management and the board of the organization. Once the advantages are understood, the security management program will be successful to some extent and management will actively participate in everyday security functions, as security is a responsibility of all personnel. We will discuss the role of a security manager in three different domains along with responsibilities and associated tasks.

Role of Security Manager

Organizing information systems is defined as the series of activities that are associated with information handling. Organizations expand their business gradually.
For instance, the strategic plan for a financial institution may be to open a branch every quarter of the year, depending on stable revenue and the achievement of defined objectives. The security manager creates a security strategy that must be aligned with the business strategic plan and address security issues. Similarly, the expansion of the organization creates more risks and increases the workload for handling information, because the maintenance, storage and exchange of information is now greater than ever before. The security manager analyzes configuration management and change management activities to eliminate any security weaknesses and loopholes.

Information handling takes place on three levels, i.e. the formal level, the informal level and the technical level (Dhillon, 2007). The formal information system is associated with communication from third parties, suppliers, contractors, clients, regulatory authorities and financial sectors. As the word formal suggests, it is a process in which the security manager ensures that the rules are followed and establishes security baselines and standards that business processes must follow, as non-compliance may become a threat to the business or critical assets. Likewise, the security manager automates all the formal processes and procedures for defining a standard as well as for effectiveness and efficiency, but this is not sufficient.

The informal information system is the second type of information handling that occurs in the organization. The informal information system reflects a culture within a culture, i.e. a subculture that defines the purpose of understanding. Likewise, it is the system where the security manager establishes consensus and beliefs that are recognized by liaising with key stakeholders. Moreover, employees learn the due care and due diligence expected in performing their responsibilities and tasks.
However, modifications and changes are also made at the same stage, as the informal system facilitates the formal system in a natural way. Moreover, different groups of people can form as the organization continues to expand, resulting in more conflicts in opinions, objectives, goals and internal politics.

Lastly, the third is the technical information system, where processes, procedures, standards and guidelines are automated via computerized systems by the security manager. Likewise, the automation is conducted on the assumption of a formal information system, and support is also provided.

After defining these three systems, there is a requirement to define the coordination criteria that give a complete picture of the coordination framework. Dhillon (2007) illustrates a very good coordination model by comparing it with a fried egg. The yolk represents the technical information system, the outer layer of the egg yolk represents the formal information system, and the third, the remaining egg white, represents the informal information system. After reviewing this coordination analogy, we can say that the technical system steadily fits itself into the center, surrounded by the formal information system, which contains rules and regulations. Moreover, the technical system plays a submissive role that is a result of adding more controls, policies and procedures to the formal information systems along with their relationships to the informal information systems (Dhillon, 2007).

In terms of security, these three systems must be protected by implementing information system security. Likewise, the integrity of all three systems should be kept intact by implementing appropriate controls. However, the security manager deploys a series of controls for each threat and vulnerability. Controls are defined by (Yücesan, 2002) as “the use of interventions by a controller to promote a preferred behavior of a system being controlled”.
As per (Dhillon, 2007), there are three types of controls that address the three systems, i.e. formal, informal and technical. An example of each is:

  • Formal control: Modifying organization structure
  • Informal control: Security awareness
  • Technical control: Restricting unauthorized access

Formal controls provide assistance to technical controls, as they govern and address issues of integrity in applications and data that may lead to high risk and cost. Likewise, in order to govern formal controls, the security manager must assign jobs and responsibilities, as this allocation of duties and responsibilities will set alignment with business objectives. Formal controls are associated with the management aspect, which will deploy strategic security management practices. The security management will select employees from all departments of the organization where necessary (W. Krag Brotby and IT Governance Institute). Moreover, he will also address data protection legislation, security audits, regulatory compliance, legal and insurance issues, hiring criteria for employees, misconduct, risk assessment, incident management and response, etc.

Informal controls are associated with security awareness programs, considered a cost-effective tool for making employees aware of the ‘do’s and don’ts’ when accessing data or information resources. As the risk environment is constantly changing, a comprehensive education and security awareness program is extremely important; it will conduct periodic awareness sessions for new employees, new technology or any relevant risk that needs to be addressed. Therefore, the security awareness program should be considered a ‘common belief system’ (Dhillon, 2007).

Lastly, technical control is not limited to authenticating a user and assigning proper rights on an application or operating system. In order to apply confidentiality to data, encryption, hashing and encoding methods are adopted by organizations.
Likewise, the smart card is the most popular one (Dhillon, 2007). Moreover, to prevent repudiation, digital signatures are deployed by a third-party certificate authority. However, the cost of technical controls must be justifiable and cannot exceed the cost of the asset, and the security manager must conduct a cost-benefit analysis for each control to justify its presence.

After implementing technical controls, the job is not yet finished for the security manager. For instance, if a technical control is applied on a network segment to detect electronic eavesdropping, it may still be possible for an employee to overhear a confidential conversation through the back door of his senior manager’s office. There are no significant cases available, but a risk element is always present. In order to address residual risk, standards must be created that are also considered the minimum acceptable security.

References

Dhillon, G. (2007). Principles of information systems security: Text and cases. Hoboken, NJ: John Wiley & Sons.

Brotby, W. Krag, and IT Governance Institute. Information security governance: Guidance for information security managers. ISACA.

Yücesan, E. Proceedings of the 2002 Winter Simulation Conference, December 8-11, 2002, San Diego, CA, U.S.A.: WSC'02. New York, N.Y.: Association for Computing Machinery, c2002.
(“Security Manager Role Essay Example | Topics and Well Written Essays - 1250 words”, n.d.)
Retrieved from https://studentshare.org/information-technology/1444289-security-manager-role
