
Successful information security management - Research Paper Example


Extract of sample "Successful information security management"

Introduction

Successful information security management involves an amalgamation of prevention, detection and response in order to deploy a strong security defense. Security has become an all-encompassing issue for designers and developers of the digital world (Conklin, White, Cothren, Williams, & Davis, 2004). A system should also be able to counter incidents and invoke proper procedures when an information security incident occurs. Information security incident handling is a further step in the information security management procedure. The aim is to provide a reference for management, administration and other technical operational staff. In the case of the Internal Revenue Service, a focus on executing management actions is required to support the strategic goals of the organization. It has been calculated that approximately half of the breaches to the security of the information systems are made by the internal staff or employees of the Internal Revenue Service (Bob). Security incident management facilitates the development of security incident handling and planning, including preparation for detecting and responding to information security issues. The incident management standard is primarily concerned with ensuring that processes exist rather than with the contents of those procedures. Security incidents on different computing systems have different effects and lead to different consequences, so the bureaus and departments of the Internal Revenue Service need to tailor the security incident handling plan to their specific operational requirements. The Internal Revenue Service invests enormous sums in buying and installing computing equipment to secure its networks. Information systems security is a challenge for executives and information technology professionals. The Internal Revenue Service focuses on the performance and efficiency of the security equipment (Bob). This is not enough, as human intervention and a proper plan also need to be defined.
Information technology professionals are not solely responsible for securing the information systems; all the employees of the organization are responsible (Hasib, 2013). One needs to know what an incident is before making a plan for dealing with computer incidents. To cope with network incidents, a foundation for incident handling must be laid within the Internal Revenue Service. The incident handling procedure incorporates an action plan that counters Distributed Denial of Service attacks, cyber-attacks, and natural disasters such as fire, earthquakes and floods. Likewise, the incident management process is a six-step process: Prepare, Identify, Contain, Eradicate, Recover, and the lessons learned from the past. Information security should be handled internally and externally by the employees of the Internal Revenue Service. They will be supported by security teams with high-powered information security officers. Employees who have sufficient skills in dealing with information security can perform well in reducing risk factors. In each major business unit, employees with the expertise to conduct IT audits, project management and risk management are recommended to serve as information security officers. However, interpersonal, communication and process improvement skills are also essential. Likewise, the most prominent objective of this role is to spread awareness among all employees of the Internal Revenue Service of information security threats and, most importantly, of the risks these threats pose to the Internal Revenue Service. If the Internal Revenue Service uses cloud computing services, non-disclosure agreements should be signed and service level agreements should also be made.

2 Security Incident Handling

A security incident is a loss of information that is undesirable for the welfare of the Internal Revenue Service.
It is an adverse event in an information system or network that poses a threat to computing equipment or network security with respect to availability, integrity and confidentiality. Incidents outside this scope, such as natural disasters, hardware or software failure, data transmission failure and power interruption, are addressed by the disaster recovery plan of the Internal Revenue Service. Security incidents involve unauthorized access, unauthorized use of services, denial of resources, interruption of services, compromise of protected data and network system permissions, leaks of confidential data in electronic form, malicious destruction or modification of data, information dissemination and intrusion, misuse of computing equipment, computer viruses and fraud, and malicious scripts affecting systems or the network. Security incident handling is a continuous process covering the activities before, during and after a security incident. It begins with arranging and preparing resources and developing appropriate measures to be followed, such as the escalation and security incident response processes. The Internal Revenue Service must develop a security policy for handling incidents. The security policy demonstrates management commitment to supporting information security. When a security incident is detected, the responsible teams carry out the security incident response by following the predefined measures and actions. The response comprises the actions carried out to deal with the security incident and to restore the system to normal operation. Dedicated incident response teams are usually created to carry out the security incident response. Once the incident is handled, follow-up actions are taken to evaluate the incident. This is done to strengthen security protection and prevent recurrence.
The planning and preparation tasks are then reviewed and revised accordingly to make sure that there are ample information security resources. These include manpower, equipment, technical expertise and properly defined procedures to deal with potential incidents.

3 Importance of Incident Handling

The Internal Revenue Service must develop a security incident handling plan. The plan is vital for the effective operation of the computing environment:

  • The Internal Revenue Service needs to ensure that the required resources are available for handling the incidents that occur.
  • All parties must know their responsibilities and have a clear understanding of the tasks they will perform if an incident occurs. They must follow a predefined procedure.
  • The teams should act promptly in handling the security incident so that recovery takes place with minimum downtime.
  • The response activities should be coordinated with one another, with a clear understanding among those involved.
  • Reduce the probable impact of the incident in terms of information breach, system interruption, etc.
  • The experience of how the incident was resolved and what expertise was used needs to be shared among all members of the incident response team.
  • Prevent further attacks and damage.
  • Tackle the legal issues.

4 Key Elements to be Protected

  • Computing equipment with an external connection, e.g. to the Internet
  • Databases holding critical financial data and information
  • Mission-critical systems
  • Other systems on which a security incident would have a highly adverse impact

An incident management team is required for managing network incidents through a proper plan. Incident response teams consist of groups of professionals responsible for eliminating information security incidents when they take place. The group consists of customer support specialists, system administrators, information security managers, information security officers and chief information officers.
5 Role of the Information Security Officer

Security management is essential for the Internal Revenue Service. The ultimate goal of the incident management security team is to minimize the downtime caused by incidents. The information security officer has key responsibilities and plays a vital role because escalation starts from this point. The information security officer is responsible for reporting an incident that has occurred in the Internal Revenue Service. The Internal Revenue Service needs to identify which employees have skills suitable for handling incidents occurring on its systems, network, databases and applications. The employees of the Internal Revenue Service include account staff, receptionists, the sales team, office boys, etc. Information is everywhere in the Internal Revenue Service, in the form of files and cabinets. The Internal Revenue Service cannot rely on staff unless they are security experts. That is not enough to protect financial data, which is the lifeblood of any organization. The current staff will not be able to handle security incidents because they lack sufficient skills. A security team of experts is required. The information security officer must have the expertise to thoroughly analyze the incident report and activate the security team. The information security officer will also identify any resource that will help the security team. After the incident has been identified and reported, the information security officer will report the computer security incident to the information security manager and the chief information officer. For legal issues, the incident will also be reported to the local police. Identifying and reporting legislative issues within the network is also the responsibility of the information security officer. The information security officer then creates a report by gathering the relevant details of the incident.
The report, including all the details of the incident, is submitted to the chief information officer.

5.1 Constraints

Constraints of technology, time and resources should be considered. These elements have a high-level impact on the handling of the incident management process. For example, if no expertise is available for a specific incident, consultants will be notified of the issue. The guidelines need to be defined in advance by the information security officer for the smooth functioning of the process.

5.2 Reports

The information security officer creates steps and processes before escalating reports. All members of the team need to be informed in a timely manner. The report should include comprehensive contact details so that the partners of the incident management team can communicate effectively with one another. The contact information may include the hotline for office hours, the hotline for “non-office” hours, email addresses, cell phone numbers and backup telephone numbers. To maintain consistency, the post-incident report is also prepared by the security officer. This report also includes the information collected during the security incident reporting process. The reporting procedures are created in advance to eliminate miscommunication between incident management partners. All the partners already have the report format, know what information is required, and know to whom they will report incidents on the network.

5.3 Escalation

The information security officer defines a procedure that helps the incident management partners make decisions promptly. The severity of the incident is measured by the security officer. The severity depends on the impact of the affected system on the Internal Revenue Service’s business processes. For example, suppose the system in the security department has crashed.
The biometric system is now not working because the system connected to it is not working. The Internal Revenue Service will not be able to record the timings and working hours of the employees. This type of incident should be marked ‘critical’.

5.4 Knowledge Base

The information security officer maintains a knowledge base of all the incidents occurring in the Internal Revenue Service. The knowledge base can be shared among the incident management partners for better understanding and analysis of incidents that take place frequently. The officer can reuse the knowledge base for reporting and escalating issues that occur frequently. The reports and escalation mechanism is used for escalating issues efficiently.

6 Conclusion

The Internal Revenue Service can train internal employees to perform certain tasks related to incident management security. It is also predicted that 50% of security breaches are caused by the internal staff of the Internal Revenue Service. For administrative and complex tasks, security professionals with the required skills are needed to handle the issues. The Internal Revenue Service must define a policy and a plan in order to eliminate issues through a well-defined process. The information security officer initiates and escalates issues to the incident security manager in a well-defined process. The information security officer must align and inform the related teams in order to minimize the time taken. The information security officer then escalates the incident to the information security manager and the chief information officer. A formal report with the complete details is sent, and a copy is maintained by the information security officer. For legal incidents, the local police are informed to carry out the operation.
Worksheet: Information Security Program Survey

| Security Area | Responsible Party / Office of Primary Responsibility (OPR) | Known Vulnerabilities / Risks | Countermeasures / Risk Mitigation Strategy |
|---|---|---|---|
| Acquisition (systems/services) | IT Manager | Acquired systems not aligned with business requirements | Major stakeholders' involvement in the decision making |
| Asset management | Asset Manager | Asset theft, asset misuse | Assign assets as per roles, assign asset owner |
| Audit and accountability | Audit Manager | Vulnerabilities available on system, non-compliance with policies | Surveillance audits, quarterly audits, non-compliance communication to major stakeholders |
| Authentication and authorization | IT Security and Risk Manager | Unauthorized access to systems, premises, critical assets and information | Assignment on the basis of JD and role in organization |
| Business continuity | BCP Manager | Interruption in business | Develop a BCP plan and test it |
| Compliance management | Compliance Manager | Vulnerabilities available on system, non-compliance with policies | Surveillance audits, quarterly audits, non-compliance communication to major stakeholders |
| Configuration control | Configuration Manager | No tracking of configurable items in the IT infrastructure | Configuration management tracking tool or Excel sheet |
| Data | Data owners | Unauthorized access, data theft, data corruption, deletion | Define backup strategy |
| Hardware | Asset owners | Malfunction, theft, misuse | Define critical/non-critical asset handling procedures |
| Identity management | IT Security and Risk Manager | Identity misuse | Define identity management policy |
| Incident management | Incident Response Manager | Business loss, business interruption, reputation loss | Establish an incident response team |
| Maintenance procedures | Process Manager | Outdated procedures, not aligned with current business requirements | Review of procedures on quarterly basis |
| Media protection and destruction | IT Manager | Unauthorized access, data theft, data corruption, deletion | Media retention and disposal policy |
| Network | IT Manager | Hacking, virus infection, unauthorized access, loss of data, loss of business and reputation | Network infrastructure policy |
| Planning | IT Security and Risk Manager | If not aligned with business, planning will not be effective | Information Security Steering Committee |
| Personnel | IT Security and Risk Manager | Embezzlement, espionage | Background checks |
| Physical environment | IT Security and Risk Manager | Unauthorized access, data theft, data corruption, deletion, risk to critical assets | Surveillance |
| Policy | IT Security and Risk Manager | No information security culture | Infosec policy |
| Operations | IT Security and Risk Manager | Hacking, virus infection, unauthorized access, loss of data, loss of business and reputation, data theft, data corruption, deletion | Infosec governance |
| Outsourcing | IT Security and Risk Manager | Hacking, virus infection, unauthorized access, loss of data, loss of business and reputation, data theft, data corruption, deletion | Non-disclosure agreement |
| Risk assessments | IT Security and Risk Manager | Hacking, virus infection, unauthorized access, loss of data, loss of business and reputation, data theft, data corruption, deletion | Infosec risk analysis and risk assessment |
| Software | IT Security and Risk Manager | Hacking, virus infection, unauthorized access, loss of data, loss of business and reputation, data theft, data corruption, deletion | Implement relevant controls |
| Training | IT Security and Risk Manager | Phishing scam, password sharing, file sharing | Infosec awareness trainings |

References

Hasib, M. (2013). Impact of security culture on security compliance in healthcare in the United States of America: An information assurance approach.

Conklin, W. A., White, G., Cothren, C., Williams, D., & Davis, R. (2004). Principles of computer security: Security+ and beyond. McGraw-Hill Education.

Bob, J. (n.d.). Retrieved from website: http://www.irs.gov/
(“Successful information security management Research Paper”, n.d.)
Successful information security management Research Paper. Retrieved from https://studentshare.org/information-technology/1489373-successful-information-security-management