The Rookie Chief Information Security Officer - Case Study Example

Summary
The study "The Rookie Chief Information Security Officer" covers the quality assurance expected of a vendor (ISO certification), employee protection for employee-only areas, and three information security policies that could be developed and practiced within the organization for data security assurance.
 
The Rookie Chief Information Security Officer

Overview

Information Technology (IT) is, in essence, the use of computers and telecommunications equipment to store, transfer and process data, especially in large business organizations. As technology has spread through every operational area, it has become vital for a business to put in place adequate measures that prevent unauthorized access to the data held in its databases. Several industries fall under the IT sector, among them computer hardware and software, the internet, telecommunications and e-commerce. The introduction of IT into business has not only helped these industries to go global but has also allowed people to obtain the products they want from any part of the world. In the modern context IT plays a central role: it is not only businesses that are adopting new methods of storing data; the healthcare and education sectors are also introducing new ways of serving their customers with the aid of IT. It is therefore vital that adequate measures are taken, because misuse of the records held in a database can cause considerable harm to an individual. The main objective of this paper is to provide a well-designed IT security plan with modern security measures that would help in maintaining a properly protected database system in the organization (Stoyles, Pentland & Demant, 2003).

Part 1: Organization Chart

[Fig: Organizational Chart]

With reference to the chart above, the personnel are divided according to three roles: physical security professional, privacy professional and procurement professional.

Part 2: Request for Proposal (RFP) Plan

A Request for Proposal (RFP) is a type of bidding solicitation in which an organization announces that funding is available for a particular program or project and invites companies to bid for its completion. The RFP sets out the bidding process and the contract terms that the selected company must abide by during the contract. An RFP is typically open to a wide range of bidders, which allows the organization to choose the best from the options available. In the modern context the RFP is regarded as one of the prime ways of getting things done without wasting an organization's resources. Every RFP contains qualifying criteria, which help in selecting the most appropriate vendors from among the applicants (Window on State Government, n.d.). Two qualifying criteria that need to be monitored carefully when selecting the vendor for the organization's new IT security are stated hereunder.

Company's Reputation and History

The first criterion taken into consideration when choosing a vendor for the proposed RFP is the company's reputation and history. Assessing a prospective vendor's history and reputation in the current market helps the organization to judge the company's present capabilities and future prospects. A further objective in studying the vendor's standing in the market is to gauge its performance in comparison with its competitors, which also helps the organization to estimate the time the vendor may need to complete the proposed project (Sonoma State University, 2009).

Quality Assurance Received by the Vendor: ISO Certified

The International Organization for Standardization (ISO) is a non-governmental organization composed of the national standards bodies of 163 nations. ISO publishes standards; certification against them (for example ISO 9001 for quality management) is carried out by accredited third-party bodies and lets an organization show that it meets the standard. The next criterion that a vendor should satisfy to meet the RFP's requirements is therefore an ISO certificate in quality management. The reason for accepting a vendor on this basis is that it gives the organization grounds to rely on the vendor, which has already demonstrated that it operates a working quality-management system (Sonoma State University, 2009). Note that such a certificate attests to the vendor's processes, not to the security of the products it delivers, so it should gate entry to the shortlist rather than replace technical evaluation.

Selection of a supplier or vendor is one of the most vital activities in an organization, as it shapes the future prospects of both the organization and the vendor. Although a number of methods exist for evaluating suppliers and building a qualified, trusted supplier list, two of the most common are described here.

Elimination Method: The evaluation is divided into levels, and each level states a criterion that the selected vendor must satisfy. Two rules are used when evaluating the suppliers. Under the conjunctive rule, suppliers are eliminated at each level if they fail that level's requirement, so the list that remains consists of the suppliers satisfying all of the requirements. Under the lexicographic rule, suppliers are compared on the most significant criterion first, and only those tied on it are compared on the next criterion, which yields the suppliers that meet the most important criteria better than the others (Benyoucef, Ding & Xie, 2003).

Optimization Method: An objective function consisting of a single criterion or a set of criteria is defined, and the suppliers are evaluated by how well they maximize that function (Benyoucef, Ding & Xie, 2003).
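The three selection rules just described, worked through on a small bid list. This is an added example and not part of the original paper or of any real RFP process; the vendors, their criterion scores, the cutoffs and the weights are all constructed for illustration.

```python
"""Supplier evaluation worked three ways: the conjunctive rule and the
lexicographic rule (both forms of the elimination method) and a weighted
objective function (the optimization method).

Added example. Vendors, scores, cutoffs and weights are constructed for
illustration and are not drawn from any real RFP.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    iso_certified: bool  # holds an ISO 9001 quality-management certificate
    reputation: int      # 0-10, from reference checks and market standing
    history: int         # 0-10, track record on comparable projects
    price: int           # 0-10, higher means a cheaper bid


def score(vendor: Vendor, criterion: str) -> float:
    """Numeric value of one criterion; the certificate counts as 1 or 0."""
    return float(getattr(vendor, criterion))


# Constructed sample bids (fictitious vendors).
VENDORS = [
    Vendor("Acme Networks",    iso_certified=True,  reputation=8, history=7, price=5),
    Vendor("Budget Cabling",   iso_certified=False, reputation=6, history=4, price=9),
    Vendor("Northwind Secure", iso_certified=True,  reputation=8, history=9, price=3),
    Vendor("Globex Systems",   iso_certified=True,  reputation=5, history=8, price=6),
]

# Conjunctive rule: one evaluation level per criterion, each with a minimum
# acceptable score. A vendor must clear every level to stay on the list.
LEVELS = [("iso_certified", 1), ("reputation", 6), ("history", 5), ("price", 4)]

# Lexicographic rule: criteria in decreasing order of significance.
PRIORITY = ("reputation", "history", "price")

# Optimization method: weights of the single objective function.
WEIGHTS = {"reputation": 5, "history": 3, "price": 2}


def conjunctive_screen(vendors, levels):
    """Eliminate, level by level, every vendor below that level's cutoff."""
    survivors = list(vendors)
    for criterion, cutoff in levels:
        survivors = [v for v in survivors if score(v, criterion) >= cutoff]
    return survivors


def lexicographic_rank(vendors, priority):
    """Rank by the most significant criterion; later criteria only break ties."""
    return sorted(vendors, key=lambda v: tuple(-score(v, c) for c in priority))


def weighted_score(vendor, weights):
    """Value of the objective function for one vendor."""
    return sum(w * score(vendor, c) for c, w in weights.items())


def best_by_objective(vendors, weights):
    """Optimization method: the vendor that maximizes the objective."""
    return max(vendors, key=lambda v: weighted_score(v, weights))


if __name__ == "__main__":
    print("Conjunctive:  ", [v.name for v in conjunctive_screen(VENDORS, LEVELS)])
    print("Lexicographic:", [v.name for v in lexicographic_rank(VENDORS, PRIORITY)])
    best = best_by_objective(VENDORS, WEIGHTS)
    print("Objective:    ", best.name, weighted_score(best, WEIGHTS))
```

On this constructed data the three rules disagree: the conjunctive screen keeps only Acme Networks, because Northwind Secure fails the price cutoff, while both the lexicographic ranking and the weighted objective put Northwind Secure first. That is the practical reason an RFP must state its evaluation rule and cutoffs before bids are opened.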
Part 3: Physical Security Plan

Telecom Rooms (TR)

The telecommunications room (TR) is one of the most vital parts of an organization's operations, as it consolidates all connectivity of the enterprise network and distributes it to predetermined areas within the enterprise. Because every link in the area it serves passes through it, anyone with physical access to the TR can tap, disconnect or reconfigure the network, so access must be limited to authorized staff and recorded. The rising rate of crime has highlighted the importance of a physical security plan, as leakage of information can cause great harm to the organization's employees and to the people associated with it. With this in mind, the measures that can be taken to implement physical security in telecom rooms are as follows. The first factor to consider when preparing a physical security plan for a TR is its size; as a rule of thumb, the TR should occupy approximately 1.1% of the area it serves. Secondly, floors, walls and ceilings must be treated to eliminate dust. Dropped ceilings should not be installed in a TR, and the TR should not share space with electrical or mechanical rooms. The room should be equipped with enough racks to hold all of the equipment in an orderly way, with unshielded twisted-pair patch panels, the most commonly used type, installed in or adjacent to the racks. Every TR should have climate control, as moisture in the room may affect the installed equipment. Above all, the TR should be connected to backup power that keeps the equipment running if the mains supply to the building fails. Lighting in the TR should be mounted at a minimum of 9 feet above the finished floor (Department of Defense, 2007).

Employee Protection for Employee-Only Areas

Employee protection is one of the most important aspects of any organization, as employees are the prime factor that makes an organization productive and successful. With the rising rate of crime worldwide, it is not only the infrastructure that requires physical security; employees too must be considered when an organization takes such initiatives. Officials are at times targeted for theft, kidnapping or other unlawful activities. The measures that can be implemented to provide physical security to employees include:
- designing the premises so that separate rooms exist for receiving, opening or handing over items to outsiders;
- installing closed-circuit television (CCTV) in all sensitive places, such as IT rooms, parking areas and canteens, to reduce the scope for crime;
- replacing mechanical locks and keys with electronic access control such as swipe cards, which both protects employees and restricts access to secure locations;
- installing lighting and alarm systems throughout the premises (Turner, n.d.).

Manufacturing Facilities

Manufacturing facilities are the vital source of income for any business that mainly deals in manufactured products. It is not only the IT and banking sectors that are adopting modern techniques for securing their boundaries from the outside world; manufacturing industries are adopting them as well. It is vital that a firm's manufacturing facilities are given proper physical security, as any interruption or unauthorized access to the plant may delay the work process and in turn cause massive losses for the firm. The measures that can be implemented to provide physical security in a manufacturing plant are:
- an electronic locking system that secures all entries and exits of the plant when the employees have left, operated for instance by card readers or biometric readers;
- CCTV cameras in and around the site, which deter intruders and provide a record of any incident;
- sensors and alarms on all doors and entry gates, so that security guards are informed of any unauthorized entry into the facility (PCI Security Standards Council, LLC., 2013).

Part 4: Enterprise Information Security Compliance Program

Problems with the proper management of data have been observed in so many organizations that the Board of Directors of any organization ought to be concerned. The growing incidence of hacking, together with factors such as employee negligence when recording data in the database, highlights the importance of implementing modern policies that can be developed and practiced within the organization for data security assurance (U.S. Department of Health and Human Service, n.d.). A few specific plans and control objectives that could be adopted to address the known issues are stated hereunder.

Negligence While Recording Data: Data is at times recorded carelessly, especially in research programs where it must be recorded in accordance with accepted standards. The prime objective here is to introduce new tools and procedures that help employees record data accurately (U.S. Department of Health and Human Service, n.d.).

Hacking: Another prime issue in any organization is illegal access to the data stored in its database, generally known as hacking. To address it, the organization can adopt a plan built on modern technical controls that prevent illegal entry into the organizational database (U.S. Department of Health and Human Service, n.d.).

Data Not Maintained at the Institution: This issue mainly arises in a collaboration in which one collaborator is responsible for maintaining the data. A researcher may keep data separately, which makes it hard for other users to access it. A plan can therefore be implemented to merge the data into a single database accessible to all of the personnel responsible for maintaining it (U.S. Department of Health and Human Service, n.d.).

Three Information Security Policies That Could Be Developed and Practiced within the Organization for Data Security Assurance

The policies that the organization can develop and practice for data security assurance are stated hereunder. Firstly, the organization can develop and implement a data-recording policy: data that is currently stored separately should be recorded in a central web database, so that other members are aware of the work that each employee is carrying out. Secondly, the policy on security measures should be revised so that new systems grant each user access on the basis of his or her designation. Thirdly, the security measures in the TR should be replaced with modern techniques that maintain 24x7 surveillance and record every activity taking place within the TR (UTS, 2000).

Security needs have become a vital part of every organization, as they help maintain a properly coordinated relationship between its employees and its stakeholders. It is vital that adequate training is given to the employees associated with the security aspects of the organization. They should be given classes explaining the different security equipment in use, and they should also be taught the laws under which action can be taken against offenders. The organization should also recruit new employees with sound knowledge of its security needs and train them according to its requirements (The University of Iowa, 2013).

Part 5: Risk Management Plan

Risk management is essentially the process of identifying risks and developing plans to mitigate them. It is a common process for dealing with risks that may arise in the near future because of changes in the environment. Risk management in the IT sector is important, as negligence in the working process may affect the firm to a considerable extent (Stoneburner, Goguen & Feringa, 2002).
Three possible risk management efforts, together generally known as risk assessment, that could be used to measure threats and unknown issues are listed here.

System Characterization: The first step in measuring threats and unknown issues is the identification of the IT systems together with their resources. Characterizing the IT systems defines the scope of the assessment and provides the basis for identifying the threats that define the risks (Stoneburner, Goguen & Feringa, 2002).

Threat Identification: Threat identification is the second risk management effort used to measure threats and unknown issues. Its goal is to identify potential threat sources and assemble them into a list against which the system can be evaluated (Stoneburner, Goguen & Feringa, 2002).

Vulnerability Identification: A vulnerability is a weakness in a system's security measures and controls that could be exploited to breach the system's security policy. Typical examples are access rights of ex-employees that were never revoked, misconfigured rules in the company's firewall, and weaknesses in the security equipment supplied by the company's vendors (Stoneburner, Goguen & Feringa, 2002).

Defining priorities is a vital part of any method, as it not only helps the organization to single out the threats that could cause it great harm but also gives it the opportunity to take measures that would prevent them (Stoneburner, Goguen & Feringa, 2002). Monitoring risk is another important aspect for any organization, as it helps to detect the new risks that arise as conditions change over time.
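The three assessment steps and the prioritization that follows them, carried through on a small risk register. This is an added example, not part of the original paper; the register entries are constructed for illustration, and the likelihood and impact ratings and the Low/Medium/High bands are taken from the risk-level matrix in the cited NIST SP 800-30 (Stoneburner, Goguen & Feringa, 2002).

```python
"""Risk assessment in the style of NIST SP 800-30: characterize the systems,
identify threats and vulnerabilities, determine each risk from likelihood and
impact, and prioritize.

Added example, not part of the original paper. The register entries are
constructed for illustration. The likelihood and impact values and the
Low/Medium/High bands follow the risk-level matrix in SP 800-30
(Stoneburner, Goguen & Feringa, 2002).
"""
from dataclasses import dataclass

# Ratings from the SP 800-30 risk-level matrix.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass(frozen=True)
class RiskItem:
    system: str         # step 1: system characterization
    threat: str         # step 2: threat source
    vulnerability: str  # step 3: weakness the threat source could exploit
    likelihood: str     # Low / Medium / High
    impact: str         # Low / Medium / High


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood rating times impact rating, on the 1 to 100 scale."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """SP 800-30 bands: Low 1 to 10, Medium >10 to 50, High >50 to 100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Constructed risk register; the three vulnerability examples from the text
# (ex-employees, the firewall, the security vendors) appear as entries.
REGISTER = [
    RiskItem("Research database", "External attacker",
             "Firewall rule exposes the database port to the Internet",
             likelihood="High", impact="High"),
    RiskItem("Telecom room", "Former employee",
             "Access card not revoked at termination",
             likelihood="Medium", impact="High"),
    RiskItem("CCTV system", "Vendor support staff",
             "Default remote-maintenance password left on the recorder",
             likelihood="Medium", impact="Medium"),
    RiskItem("Research database", "Careless data entry by staff",
             "No validation on the record-entry form",
             likelihood="High", impact="Low"),
    RiskItem("Manufacturing plant", "Intruder after hours",
             "Door sensor on the loading dock disabled",
             likelihood="Low", impact="High"),
]


def prioritize(register):
    """Highest risk first; equal scores keep register order (sorted is stable)."""
    return sorted(register, key=lambda r: -risk_score(r.likelihood, r.impact))


def summarize(register):
    """(system, threat, score, level) tuples in priority order."""
    rows = []
    for r in prioritize(register):
        s = risk_score(r.likelihood, r.impact)
        rows.append((r.system, r.threat, s, risk_level(s)))
    return rows


if __name__ == "__main__":
    for system, threat, s, level in summarize(REGISTER):
        print(f"{level:6} {s:5.0f}  {system}: {threat}")
```

Two things the matrix makes visible that the prose does not: a frequent but low-impact problem (careless data entry) and a rare but serious one (an intruder reaching a disarmed door) land in the same Low band, and the unrevoked access card of a former employee rates only Medium despite a High impact, because the likelihood rating carries equal weight. Ties keep their register order, so re-running the assessment yields the same priority list.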
A few of the specific technical and management controls that could be enacted in order to monitor risks accurately are stated hereunder.

SWOT Analysis: Strengths, weaknesses, opportunities and threats (SWOT) analysis is among the most common methods of identifying risks in the modern context, as it helps an organization identify risks by highlighting its weaknesses and threats. It also helps to determine the opportunities the company can take up to maintain a secure IT database (O'Reilly Media, Inc., 2012).

Checklist Analysis: Checklist analysis is another prime method of monitoring risks. A set of questions is prepared in questionnaire format and sent to the targeted members within the department for response. It is also an easy way of collecting primary data that can be used for further evaluation in the future (O'Reilly Media, Inc., 2012).

References

Benyoucef, L., Ding, H., & Xie, X. (2003). Supplier selection problem: Selection criteria and methods. Institut National de Recherche en Informatique et en Automatique. pp. 1-35.
Department of Defense. (2007). Telecommunications building cabling systems planning and design. Unified Facilities Criteria (UFC). pp. 16-19.
O'Reilly Media, Inc. (2012). 11 Project risk management. Retrieved from http://www.headfirstlabs.com/books/hfpmp/hfpmp_ch11.pdf
PCI Security Standards Council, LLC. (2013). Payment Card Industry (PCI) physical security requirements, 1(0). pp. 1-43.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. National Institute of Standards and Technology, Special Publication 800-30. pp. 1-40.
Sonoma State University. (2009). Information security vendor policy. Retrieved from http://security.sonoma.edu/policies/04-107.shtml
Stoyles, P., Pentland, P., & Demant, D. (2003). Information technology. Minnesota: Black Rabbit Books.
The University of Iowa. (2013). Enterprise information security program. Retrieved from http://itsecurity.uiowa.edu/resources/infosec-plan.shtml
Turner, D. (n.d.). Are you running with scissors? Physical security: What you should be doing now! Retrieved from http://www.bankersonline.com/security/runningscissors.html
UTS. (2000). Information technology security policy. Retrieved from http://www.gsu.uts.edu.au/policies/itsecurity.html
U.S. Department of Health and Human Service. (n.d.). Example of problems. Retrieved from http://ori.hhs.gov/education/products/rcradmin/topics/data/tutorial_12.shtml
Window on State Government. (n.d.). The RFP process. Retrieved from http://www.window.state.tx.us/procurement/prog/training-cert/training-resources/RFP_Process_Workbook.pdf