Information Security Management - Research Proposal Example

Summary
This paper 'Information Security Management' takes a look at the security threats that an SME faces online and its need for information security management to tackle these threats. As mentioned above, a number of SMEs are making use of the facilities provided by the digital world to help them with the ever-increasing competition. …
Extract of sample "Information Security Management"

Information Security Management

Contents
Introduction
Justification for the need of an information security management system
Incident response management and disaster recovery
Components of an incident:
Incident response management:
Disaster recovery:
Control measures:
Common strategies used for disaster recovery:
Mobile device security management
Advantages of mobile devices at workplace:
Risks associated with the use of mobile devices at workplace:
Mobile security threats:
Security controls for mobile devices:
Linking business objectives with security
Biometric security devices and their use
Ethical issues and information security management
Security training and education:
Defending against internet based attacks
Industrial espionage and business intelligence gathering
Governance issues in information security management:
Personnel issues in information security:
Physical security issues in information security
Cyber forensic incident response
Accident response:
Processes involved:
Conclusion:
Reference List

Introduction

The internet has had a huge impact on almost every aspect of our lives, and its rapid growth has brought numerous changes to the world of business. A large number of small-to-medium sized enterprises (SMEs) have invested, and are investing, a substantial amount of capital and resources into their business to cement their place within the world of business (eCom Advisor, 2000). The latest networking technology not only helps them achieve this but also allows them to expand their business and grow from an SME into a large enterprise. This paper takes a look at the security threats that an SME faces online and its need for information security management to tackle these threats.

Justification for the need of an information security management system

As mentioned above, a number of SMEs are making use of the facilities provided by the digital world to help them cope with ever-increasing competition. In using these facilities, almost all the information that these companies hold is converted into a digital format and stored on electronic devices (eCom Advisor, 2000). This exposes their data to threats such as phishing, Trojans, spam and viruses. These threats could have a serious impact on the daily operations of the business. Moreover, they can sometimes have long-term effects that hinder the company’s growth and reduce its productivity (GFI software, 2009).

SMEs are usually restricted in terms of resources and finances. Any significant loss of data or leakage of secret information could destroy the entire business (GFI software, 2009). This means that data integrity is a vital component within an SME and can make or break its business. Effective information security management allows businesses to implement measures that protect the data and assets that the business owns. Information security management not only allows an organization to tackle the security threats that it faces but also allows it to measure the impact an attack would have on the performance of the business (Alexander, Finch, & Sutton, 2008).

Incident response management and disaster recovery

Components of an incident:

Before discussing an incident management system, it is vital to understand what an incident is and what its components are. An incident is an event that occurs due to an action executed by an individual. Usually the purpose of these actions is to cause harm to the working of the system or to the data contained within the system. It is vital to point out here that incidents are a subset of events.

An incident comprises three components: event, incident response team and incident investigation (Molino, 2006). An event is an activity that causes the system to deviate from its normal working. An event is classified into one of three categories: normal, escalation and emergency (Molino, 2006). Normal events are those that do not have any impact on the critical components of the system; dealing with them does not require the involvement of senior personnel of the team. Escalation events usually threaten to have an impact on the critical components of the system, and tackling them usually requires the involvement of senior personnel. An emergency event may occur when there is a threat to the safety of an individual, a threat to the working of systems that ensure the safety of an individual, or a breach in the security of critical components of a system. In an emergency event it is vital that all personnel follow a response plan (Molino, 2006).

Incident investigation is a series of activities that help determine the nature of a particular incident. In most cases companies carry out an incident investigation of every event that occurs. The use of forensic tools, infected networks and collaboration with the proper authorities significantly speeds up the process of incident investigation (Molino, 2006).

Incident response management:

Incident response management is a combination of processes that allows individuals to monitor any security-related events that occur within a computerized system or network, and provides guidelines that help in executing the necessary responses to those events (ISO, 2005). The basic function of incident response management is to develop a set of basic steps that are easily understood by everyone and can help respond to threats that may endanger data within a system.

An incident coordinator is responsible for assembling and heading a team. The team usually comprises individuals with different sets of skills, each necessary to ensure proper assessment of the incident and the correct implementation of the response. The incident coordinator holds regular meetings with the team members to review reports and, in case of an event, to initiate the correct response (NIMS, 2004).

Disaster recovery:

Disaster recovery is a set of processes, policies and activities that aid in planning the recovery of data and technological infrastructure from either a natural disaster or a human-made hazard (George Town University, 2004). Disaster recovery usually relates to the components of a computerized system that is business oriented and supports various business-related activities. Disaster recovery aims to maintain all operations of a business in the case of a disaster (George Town University, 2004).

Control measures:

A disaster recovery plan usually comprises control measures. Control measures are activities and mechanisms that help in mitigating, and sometimes even eliminating, threats that an organization faces. The control measures of a disaster recovery plan can be classified into one of the following three categories. Preventive measures aim to prevent any kind of event from occurring within the system. Detective measures are used to locate any unusual events that may occur within a system or a network. Corrective measures help in the restoration of a system in case of a disaster (Akpeninor, 2013).

Common strategies used for disaster recovery:

Usually a company decides upon the strategy that is needed for a disaster recovery plan. This decision is usually taken after a thorough cost-benefit analysis.

However, the most common strategies implemented for a disaster recovery plan include backups made on magnetic disks that are moved to different locations, use of cloud computing as a disaster recovery system, and use of Storage Area Network technology to replicate all the data of a business (Akpeninor, 2013).

Mobile device security management

The past few years have seen a great deal of change in mobile technology. Mobile devices in the modern world play a significant role in the ways we communicate and live. The adoption of mobile devices has not been limited to social life; smartphones and tablet PCs are being used as tools to increase productivity within the working environment. The increasing trend in the use of mobile devices is not likely to decrease anytime soon. With the mobility of such smart devices comes a great deal of advantages and risks for enterprises (Kao, 2011).

Advantages of mobile devices at workplace:

The use of mobile devices allows employees to easily access company data and files from any remote location. This in turn allows them to work from any corner of the globe and helps them communicate with their peers. Employees who interact with company clients on a regular basis could improve the service they provide by reducing response time, which results in an increase in customer satisfaction. Lastly, by allowing employees to use their personal devices at the workplace, an enterprise could significantly reduce its spending on expensive hardware equipment (Kao, 2011).

Risks associated with the use of mobile devices at workplace:

It is vital that enterprises treat mobile devices just as they would treat any other hardware equipment and apply the necessary security protocols. However, professionals across a number of companies are finding it difficult to secure mobile devices. This is because of the variety of operating systems that these devices run.

The security model of each operating system used by these devices differs from the others. Another reason is that there are a large number of applications available for these devices that can easily spread malware within the device, significantly affecting the integrity of the data present on it. Mobile devices can easily be lost or stolen, endangering the corporate data that rests within the device. Moreover, mobile technology is evolving day by day, making it difficult for most enterprises to implement the use of mobile devices at their workplace (Kao, 2011).

Mobile security threats:

Hackers have taken advantage of compromised security measures of corporate mobile devices and hacked into these systems to obtain the corporate data that resides within them. Moreover, the ability of the latest smartphones to access data through a number of channels makes them even more vulnerable to these threats. The figure below shows the paths through which a security threat may occur (Kao, 2011).

[Figure not reproduced in this extract. Source: Kao, 2011]

The most common threats that mobile devices face are described below.

Theft: As mentioned above, small size and portability make loss and theft of mobile devices a highly probable occurrence. According to a report in 2010, for every 20 mobile devices 1 device was reported either stolen or lost (Juniper Networks, 2011). When a mobile device is lost there is always a risk that the corporate data on that device might fall into the wrong hands.

Malware: The amount of malware for mobile devices has risen significantly in recent times. A large number of mobile devices are vulnerable to such malware because their operating systems are unable to detect such malicious pieces of software. Malware can easily destroy data on the device and could even render the device unusable. Once malware is on a mobile device it can easily find its way from there onto the company’s network (Kaiser, 2013).

Spam: The increase in the popularity of text messages has also seen an increase in spam. Spam is not only an annoyance but also an increasing security threat. A report suggests that the majority of spam is targeted at individuals as a means to obtain financial gain in a fraudulent manner. More than 70% of spam contains messages about some kind of fake financial service (GSMA, 2011).

Phishing: Phishing through mobile devices is almost the same as it is on desktop computers. The victims are directed, via either an e-mail or a text message, to a fake website to log into. Through the website the attacker extracts personal information of the user, such as name and social security number, in order to hack into their bank accounts or to gain access to their company accounts (Robinson, 2011).

Security controls for mobile devices:

When considering security for mobile devices, an enterprise must focus on the following security controls.

Confirmation of ID: To ensure there is no unauthorized access to the company’s network, the organization must enforce a strict policy to encourage employees to use strong passwords. The use of two-factor authentication can also help secure the link between a website and the user (Kao, 2011).

Data encryption: Encryption of data is necessary when it comes to mobile devices. Data that is stored within the device and data that is being transmitted via a transmission medium must both be encrypted. Moreover, it is an even better idea to enable a feature within the device that allows users to wipe data from the device via some other computer (Kao, 2011).

Reliability of applications: To ensure that applications containing malware do not enter a mobile device, it is vital that only applications provided by the authorized vendor are installed.

In addition, employees must monitor all the applications installed on their devices and must remove applications that perform malicious activities or that seem untrustworthy (Kao, 2011).

Installation of protective software: To enable the detection of malware on the mobile device, it is vital that users install antimalware software and run it regularly to ensure that the device remains malware free. For additional security it is also a good idea to install a firewall, so that unauthorized access to the device is blocked and data entering and leaving the device can be closely monitored (Kao, 2011).

Mobile devices would significantly help SMEs with their daily operations. However, the technology hasn’t matured enough to be deemed reliable. As seen above, a number of security issues arise when employees make use of mobile devices. The decision regarding the use of mobile devices at the workplace can be taken only after a proper analysis.

Linking business objectives with security

Usually in small-to-medium enterprises the head of IT management is not as skilled in strategic development as those found in large corporations. In some cases the heads of such small businesses do not consider the role of information security an important one in the achievement of their business goals. Sometimes little effort is seen on the part of the management to provide a proper communication channel between the IT and business groups of the company (Zaino, 2007). For an SME to flourish within the business industry, it is important that security objectives be linked to the business goals of the enterprise. Linking security with business objectives helps companies manage risk, enhance their market share and emphasize cost efficiency (Hertzberg, 2002). It is vital that the management of a business have a clear view of the security situation of the company to ensure that all security measures are aligned to the enterprise’s business objectives.

Companies usually have to go through five steps to ensure that the security and business objectives of the company are linked together. Those five steps are assessment, analysis, strategize, alignment and communication. In assessment, the enterprise has to define the role of security within the company and what role it would play in the near future. Analysis describes the collection of information about the size of investments to be made and the areas in which the company needs to apply its resources. Strategize helps convert the information into a proper strategy that defines achievable goals. Alignment helps link this strategy with business goals on a regular basis, bringing about a change in the business environment. Communication requires the exchange of the business’s security status with relevant personnel of the company (Quinnild, 2005).

Biometric security devices and their use

One of the biggest security-related questions that companies face these days is the use of biometrics. Biometrics basically uses a person’s physical traits for authentication. The reason biometrics is gaining so much popularity is that it is one of the most reliable methods of authentication there is. Passwords and key cards can be cracked or stolen and can be misused by anyone. Authentication traits used in biometrics, on the other hand, can neither be stolen nor replicated (Liu & Silverman, 2001).

Before the installation of a biometric authentication system a company has to analyze a number of factors. Cost is one of the highest priorities taken into account. The cost of the hardware required for a biometric system, and of maintaining that system, is quite high. Companies are usually reluctant to install such devices because of their high costs. Moreover, it is important to understand that biometric devices can be affected by the environment in which they are used (Liu & Silverman, 2001).

[Figure or table not reproduced in this extract. Source: Liu & Silverman, 2001]

Large corporations have implemented biometric systems for some time now. Retina scanners have been implemented by these companies to ensure that their critical data remains safe from any unauthorized access. Budget constraints within SMEs can reduce the types of devices that these businesses can afford. Recent developments, however, have seen a significant decrease in the cost of biometric systems. Fingerprint scanners and voice recognition systems can be implemented by SMEs to ensure that critical data of the business remains safe at all times (Liu & Silverman, 2001).

Ethical issues and information security management

In a professional environment there are a number of rules that one has to follow to maintain an ethical environment within the workplace. Doctors and lawyers all follow such codes of ethics, and violations of these codes could result in the cancellation of their practice. Like all other fields, information security management provides some sort of ethical guidelines that need to be followed. IT professionals handle personal and confidential data on a regular basis. Such data can easily be manipulated by IT professionals for their personal gain or abused in some other way. As mentioned above, there are a number of ethical codes available for IT professionals; however, following these codes is not mandatory, which has caused a great deal of debate amongst a number of security experts across the globe (Shinder, 2005).

In the absence of standard ethical codes, there is a need for SMEs to employ their own set of ethical codes that would ensure that the privacy of customer data is maintained at all times. To ensure that these rules are strictly followed, the organization must encourage a culture of ethics to flourish within the organization and hand out severe punishments to individuals who violate these codes. The use of a customer’s personal data by an employee of the company could result in the company facing lawsuits.

The lawsuits in turn could hurt the image of the company and could lead to a loss of customers (Shinder, 2005).

Security training and education:

Education regarding the security of a network is extremely vital to an SME. Most hackers tend to focus on the weakest point in the security of a business, and that is the users of the system. Social engineering is one such tool that has aided hackers in obtaining the information that helps them hack into the company’s system (Whitman & Mattord, 2012). Social engineering is basically a process in which the perpetrator uses techniques to manipulate his or her victim in order to extract sensitive information from the victim. Social engineering is usually carried out over the internet or phone and, in some rare cases, in person (Whitman & Mattord, 2012).

The only way to defend the company’s system from such attacks is to prepare and educate employees to identify social engineering when it is being used. Making security training a mandatory part of an employee’s basic training could significantly mitigate the threat of social engineering attacks and improve the overall security of the company (Whitman & Mattord, 2012).

Defending against internet based attacks

To defend a system from internet based attacks, small businesses must take a great deal of precaution and ensure that there is no area of weakness within the system that can be exploited by anyone. Three areas need to be addressed in order to ensure that internet based attacks are repelled: software, personal precautions and backup of data. Companies must ensure that the software being used is updated and functioning properly. Moreover, software such as antivirus and firewall must be installed on every terminal that is connected to the company’s network. Personal protection encompasses a number of steps that employees can take to ensure that the company’s network and systems are safe from external threats.

Employees must take caution when visiting websites and must under no circumstances download any program that is offered to them by an unreliable source (Marlin, 2004). Moreover, employees can use complex passwords that would be difficult to crack. Employees must also discard emails from individuals that they do not know. Usually such emails either provide a link that aids hackers in the process of phishing or contain Trojans that provide a back door for hackers to enter through. It is vital that the company makes regular backups of all its data. Ideally, a company would make a backup at the end of each working day. Backups saved on magnetic disk must also be encrypted using an encryption algorithm (Marlin, 2004).

Industrial espionage and business intelligence gathering

Organizations across the globe try to obtain as much information as they can about their competitors and all other organizations operating within their industry. This information is obtained in a number of ways, which include industry profiling, reviewing local newspapers, thoroughly examining company websites and using corporate publications. The process of obtaining such information is known as business intelligence gathering. Business intelligence gathering is a legitimate process that is used in all parts of the world (Crane, 2005).

Industrial espionage, on the other hand, is an illegal act in which information about companies is collected or passed on using illegal methods such as hacking or the use of malware. The two terms, business intelligence and industrial espionage, are usually used together because there is little to differentiate the two. It is even more difficult to define the difference when ethical issues are taken into account (Crane, 2005). SMEs must be careful of the methods they employ to gather intelligence on their rivals, as some methods can be deemed illegal.

Moreover, SMEs must always be alert, as their rivals could use illegal methods to obtain sensitive documents from the company’s network.

Governance issues in information security management:

As seen above in this paper, protecting vital information is of extreme importance to a business; the paper also discussed the ever-rising need to strengthen the security measures that organizations take to ensure that company data remains secure at all times. It is important to point out here that lapses in SME security measures occur from within the company, either due to a technical error or from neglect by one of the employees (Accenture, 2009). To decrease the number of occurrences of such events and to mitigate their effects, it is vital that processes of effective security governance are implemented within the SME. Security governance is defined as a collection of different responsibilities and activities performed by the top management of an organization in an attempt to ensure that the company’s aims are met, risks are properly managed and the resources of the enterprise are being used appropriately (RICOH, 2012). Setting policies regarding the use of passwords is an example of a governance issue. Enterprises must implement policies that make it compulsory for employees to use strong passwords and to use caution when sharing passwords to sensitive information.

Personnel issues in information security:

For a small-to-medium enterprise, terminating an employee is always a tricky issue. The company has to make sure that the terminated employee will not carry out any illegal activity after his or her termination. There are contracts and agreements reached between the two parties to ensure that the employee will not disclose any information about the company that he or she has gained while working for it. However, in some cases individuals find ways to get around those contracts and leak vital information of the company to its competitors.

To tackle such a situation, SMEs must ponder the idea of retaining employees rather than letting them go. Evidence even suggests that it is much cheaper to retain and rehabilitate employees than to replace them with other individuals (TechRepublic, 2006). In the event that an enterprise has to axe an employee, it must do so in a proper manner. The company’s HR department could provide a proper briefing to the exiting employee and help him or her obtain another employment opportunity. This would ensure that the employee leaves the enterprise in good faith and would reduce any ill feelings he or she has against the company (TechRepublic, 2006).

Before hiring a new employee to work for the enterprise, the HR department must complete a thorough background check on him or her. It is essential that the company avoids hiring an individual who can potentially harm the future of the enterprise. Moreover, the company must provide a structured procedure that would ensure that the employee meets all the legal obligations that are presented to him or her. The employee could be briefed on the emphasis the company puts on security and on how vital security practices are to the company.

Physical security issues in information security

Physical security encompasses the protection of the physical components of an organization’s IT structure. Physical components of an organization include the company’s computers, servers, hard drives and magnetic disks. Physical security of the company’s assets protects them from any kind of physical damage that the devices could sustain and from theft (NIST, 1996). Small enterprises usually make use of small IT equipment, comprising personal computers, mail servers, routers, magnetic tapes and switches. For security purposes, such equipment is usually locked away in a room and only authorized personnel are allowed to access it.

Moreover, portable devices such as tablet computers and laptops are assigned on the basis of an individual’s responsibility within the enterprise. Individuals that handle sensitive information on a daily basis are not assigned such devices, as their theft could endanger the data of the organization. One method of integrating physical security with logical security is the use of smartcards (Nigriny, 2009). The use of smartcards allows the enterprise to have strict control over access to the company’s resources. In addition, the use of smartcards allows the company to keep track of individuals that have accessed the resources by maintaining a log (Nigriny, 2009).

Cyber forensic incident response

Accident response:

Cyber forensic incident response is a series of structured responses that an individual can perform to help with the process of forensic investigation. These responses can generally be classified into three main categories: collection of evidence, preservation of evidence and analysis of the evidence (Information Security and Forensics Society, 2004).

Processes involved:

Collection of evidence begins with securing the area where the forensic team expects to find evidence. The process of securing involves sealing off the area so that unauthorized personnel cannot access it physically or logically. Identifying a piece of equipment that can be categorized as evidence is a crucial phase of the entire investigation. Moreover, it is important to preserve the area as it is; that is, devices that are off must not be booted, and photographs must be taken of devices that are already on. Small-to-medium enterprises usually lack the necessary equipment needed to perform cyber forensics. In most cases a third party is involved.

Conclusion:

Small-to-medium enterprises and large enterprises operate and tackle problems in different ways.

The main factors behind this difference are the amount of human and capital resources that the two kinds of enterprise have at their disposal. These factors also contribute to the difference in the security the two can implement in their businesses. The security of a company’s digital data, however, doesn’t just depend on the capital that the company spends on it but on a number of factors that, combined together, provide a secure system. It is these measures that sometimes enable small-to-medium enterprises to outperform large enterprises when it comes to information security. Proper planning, education of employees, disaster planning and the right governance are all as important as the software and hardware implemented.

Reference List

Accenture. (2009). How Global Organizations Approach the Challenge of Protecting Personal Data. Dublin: Accenture.
Akpeninor, J. O. (2013). Modern Concepts of Security. Bloomington: AuthorHouse.
Alexander, D., Finch, A., & Sutton, D. (2008). Information Security Management Principles: An ISEB Certificate. Swindon: BCS, The Chartered Institute.
Crane, A. (2005). In the company of spies: When competitive intelligence gathering becomes industrial espionage. International Centre for Corporate Social Responsibility, 233-240.
eCom Advisor. (2000, June 4). MEs: Australia's Business Backbone. Retrieved September 19, 2013, from ecomadviser.au: http://host.ecomadviser.au
George Town University. (2004). Disaster Recovery. Retrieved September 20, 2013, from http://continuity.georgetown.edu: http://continuity.georgetown.edu/dr/
GFI software. (2009). Security Threats: A Guide for Small and Medium Businesses. San Gwann: GFI software.
GSMA. (2011). GSMA Outlines Findings from Spam Reporting Service Pilot press release. GSMA.
Hertzberg, J. (2002, June 12). Aligning Security Initiatives & Business Goals. Retrieved September 21, 2013, from technologyexecutivesclub.com: http://www.technologyexecutivesclub.com/Articles/security/artAligningSecurityInitiatives.php
Information Security and Forensics Society. (2004). Computer Forensics. Hong Kong: Information Security and Forensics Society.
ISO. (2005). Information technology - Security techniques - Code of practice for information security management. Geneva: ISO copyright office.
Juniper Networks. (2011). Malicious Mobile Threats Report 2010/2011. Juniper Networks.
Kaiser, T. (2013, June 26). Beware of Malware: Mobile Threats Increase by 614 Percent in Last Year. Retrieved September 20, 2013, from dailytech.com: http://www.dailytech.com/Beware+of+Malware+Mobile+Threats+Increase+by+614+Percent+in+Last+Year/article31842.htm
Kao, I. (2011). Securing mobile devices in the business environment. Armonk: IBM.
Liu, S., & Silverman, M. (2001). A Practical Guide to Biometric Security Technology. Baltimore: IT-Pro.
Marlin, D. (2004). Cyber Defense Staying Safe on the Internet. Gainesville: University of Florida.
Molino, L. N. (2006). Emergency Incident Management Systems: Fundamentals and Applications. Danvers: John Wiley & Sons.
Nigriny, J. (2009, December 28). 5 Tips for Managing IT and Physical Access. Retrieved September 21, 2013, from technewsworld.com: http://www.technewsworld.com/story/68956.html?wlc=1289802044
NIMS. (2004). NIMS - The Incident Command System. Washington D.C.: Department of Homeland Security.
NIST. (1996). Generally Accepted Principles and Practices for Securing Information Technology Systems. Washington D.C.: NIST.
Quinnild, J. (2005). How to Align Security With your Strategic Business Objectives. Delaware: PricewaterhouseCoopers LLP.
RICOH. (2012, June 3). Information Security & Governance - Overview. Retrieved September 21, 2013, from mds.ricoh.com: http://mds.ricoh.com/change/information_security_governance
Robinson, D. (2011, January 4). Mobile users more vulnerable to phishing scams. Retrieved September 20, 2013, from http://www.v3.co.uk: http://www.v3.co.uk/v3-uk/news/1952295/mobile-users-vulnerable-phishing-scams
Shinder, D. (2005, August 2). Ethical issues for IT security professionals. Retrieved September 21, 2013, from computerworld.com: http://www.computerworld.com/s/article/103564/Ethical_issues_for_IT_security_professionals?pageNumber=1
TechRepublic. (2006). Foundations of Personnel Management: Personnel Issues. Retrieved September 21, 2013, from techrepublic.com: http://articles.techrepublic.com.com/5100-10878_11-6097076.html
Whitman, M. E., & Mattord, H. J. (2012). Principles of Information Security. Boston: Cengage Learning.
Zaino, J. (2007, October 25). This Job Synchs: The Importance of Aligning Business and IT Goals. Retrieved September 21, 2013, from informationweek.com: http://www.informationweek.com/this-job-synchs-the-importance-of-aligni/202601618
