Information Systems Security - Essay Example

Summary
The paper "Information Systems Security" concerns such security systems as PIN numbers, key card accesses, and passwords that could be easily stolen and hacked. Security mechanisms and governance controls have been introduced to prevent loss or theft of vital customer data…

Extract of sample "Information Systems Security"

Information Systems Security

Contents
Introduction
Potential physical vulnerabilities and threats
Potential logical vulnerabilities and threats
Impact of physical and logical vulnerabilities and threats on the pharmacy
Potential vulnerabilities in the network
Risk mitigation strategies for physical vulnerabilities
Risk mitigation strategies for logical vulnerabilities
Conclusion
References

Introduction

The majority of organizations today rely on information systems to manage their business efficiently. While information systems help in streamlining work processes and increasing efficiency, the organization needs to evaluate and audit its security control mechanism for effective results. Many public and private sector information systems have failed to meet the desired security standards and protocols defined by IT compliance rules and regulations. Information systems are exposed to widespread risks, threats and vulnerabilities that can adversely impact IT work processes. Risks reflect the possibility of data loss, failure to comply with IT rules and regulations, or loss of clients on account of ineffective work practices. Threats can result in potential damage to the system through virus attacks or malicious code that corrupts data. Vulnerability indicates the potential weaknesses of the system and their impact on system operations. All of these can have negative impacts on business operations, and vital customer data can be easily accessed by fraudsters for potential misuse. Thus, it becomes essential for all organizations to manage their IT systems and technology-based applications efficiently and securely. The key aspects of security involve confidentiality, system integrity and information accessibility. The security mechanism must restrict unauthorized access, prevent data misuse, and support relevant access to information for effective decision making.
The report provides an overview of the risks and vulnerabilities of the information system (IS) in the pharmacy. The IS maintains a complete database of the medications available in the pharmacy, sales and revenue statistics, customer purchase details and the associated health records of the customers.

Potential physical vulnerabilities and threats

Information systems comprise computer hardware, peripherals and networking systems. The networked systems include routers, modems, hubs and telecommunication media that contribute to the efficient transmission of data between computers. The hardware, comprising the central processing unit, external hard disk drives, keyboards and monitors, is an integral part of any information system. Together these devices enable users to transmit, exchange and process vital data required for business processes (Champlain, 2003). Physical components of the information system are exposed to threats and damage in the form of fire, theft or any kind of physical damage that can result in loss of data. Theft of data storage components or unauthorized copying of data can result in potential misuse of vital customer data. Vacca (2009), in his work on physical threats to information systems, highlighted three distinctive categories of risks:

  • Natural disasters involving floods, earthquakes, hurricanes, and lightning that might damage computer hardware, data storage media or electronic equipment.
  • Environmental threats involving excessive humidity, temperatures, chemical radiation, or fires that can affect data storage devices and other infrastructural facilities such as telecommunication and internet access.
  • Technical threats involving fluctuating power supply, electromagnetic interference and power outages that can lead to loss of data or data corruption.
  • Human-caused threats involving the unauthorized copying of data, unauthorized entry into the system or deliberate damage to the system devices.
The information system at the pharmacy is exposed to threats from natural disasters, environmental threats, technical vulnerabilities and human risks, all of which can have a deep impact on the efficient running of the system, besides the added risk of data corruption and potential misuse. The system is vulnerable to power outages, fires in the mall, unauthorized entry, or damage to storage devices due to excessive humidity or temperature conditions. Unauthorized removal of physical storage devices such as external memory drives is possible within the shopping mall complex. This may also entail copying of vital data from the system for potential misuse (Vacca, 2009).

Potential logical vulnerabilities and threats

Unauthorized system access and malicious programming code can result in extensive damage and threats to the system database and valuable customer data. Logical threats to any information system can have serious consequences for the business processes and for viable controls over its database. The system data can be vulnerable due to inadequate control over user access to information, unrestricted entry or modification to the existing database, and ineffective firewalls or password encryption codes that can enable outsiders to access the system database (Contos, Crowell, DeRodeff, Dunkel and Cole, 2007). System hacking is a potential threat to the IS that can enable outsiders to access vital customer data. Computer hacking is the technique of taking administrative control of a personal computer through changes in the operating system or hardware configuration. The hacking happens through software code written to bypass the security of the personal computer without the knowledge of the real owner. Hacking software tools are written by people who have in-depth knowledge of the computer operating system and who know every detail of the architecture of the computer system (Kim and Solomon, 2012).
There are many ways that a computer can be hacked. A few of the methods are: a software code or program passed on to the PC through a file opened at a particular website, a file transferred to the PC through removable media, or a file embedded within a file that the user copied or downloaded to the PC. Once the computer is hacked it can be fully hijacked, and the hacker keeps control of the computer. The hacker uses the computer for criminal activities such as distributing illegal files, sending spam emails, using the hijacked computer to attack other computers, and stealing user identities and passwords (Kim and Solomon, 2012).

Impact of physical and logical vulnerabilities and threats on the pharmacy

The impact of vulnerabilities in information systems is reflected in more than one area of operations. Business loss in terms of customer confidence, viability of operations, and fraudulent activities for personal gain is just one aspect that covers the immediate impact such activities have on the business processes. Information systems and applications have become the lifeblood of organizations owing to increased dependence on the system for vital business data that assists in future planning and decision making on key operational issues. The extent to which the systems are vulnerable to criminal intentions has increased over the years with innovative malicious practices, as is evident in the number of instances of cyber crime and misuse of vital customer data for individual financial gain (Cullom, 2001).

Potential vulnerabilities in the network

Computer viruses are programs or code that cause some kind of harm to the system files, to other file types, or to the computer system, resulting in damage or malfunctioning of the computer.
There are many different kinds of viruses on the Internet that get downloaded onto the user's system without the user knowing about them or about the extent of damage they can cause. Viruses enter the system through email messages or online messaging applications. They come as attachments in the messages and get downloaded once the user opens these messages or attachments. They can also spread through applications downloaded onto the system from the Internet. These viruses can corrupt or delete computer files and applications and sometimes even erase data on the hard disk (Vacca, 2009).

Risk mitigation strategies for physical vulnerabilities

An information security and control mechanism is the process by which the organization seeks to prevent or limit the scope of potential risks and threats to the information system. The process begins with an evaluation of the existing system tools, applications and networking features. Risk mitigation strategies for physical vulnerabilities involve assessing the internal and external resources that define the information systems, and identifying potential challenges and risks to the system in terms of physical loss of data or damage to computer hardware systems. Once the assessment has been done, the risks and vulnerabilities need to be documented and a mitigation plan outlined to address each area of concern. The plan should include preventative measures that protect the equipment from natural, environmental or technical threats and minimize the scope for theft of storage devices, as well as a contingency plan for retrieving lost data in the instance of some unfortunate incident (Vacca, 2009).
The company must secure the physical components through adequate locks that will prevent theft of storage devices, install a surveillance mechanism that monitors physical access to the system, and provide adequate protection against technical threats such as power outages by installing an uninterruptible power supply (UPS) system to prevent data loss from frequent power cuts or interruptions. Though there is not much that can be done to prevent loss of data from natural disasters, the company must ensure that data backups are taken at regular intervals. Networking cables and power supply cables must be taken out before shutting the shop, and a log of users must be maintained to identify the people who have used the system during the day. Security protocols and policies for computer usage will be provided to each and every employee, and monthly audits will ensure that the system security mechanisms are in place.

Risk mitigation strategies for logical vulnerabilities

Programs like viruses or hacking software can be prevented from being downloaded into the computer system through the use of firewalls, adjusting browser settings and installing anti-spyware protection applications. Most computer users are unaware of the dangers or potential abuse related to these applications, which can cause extensive damage or increase the chances of fraud, identity theft, or damage to computer systems and files. It is a challenging task to prevent cyber crime owing to the unlimited expanse and use of the Internet, which provides extensive scope to fraudsters. The logical security controls will ensure that each system operator is assigned distinctive privileges that restrict his or her access to the system. User-level access control will be monitored by the IT manager, who will also be responsible for ensuring that the operators change their passwords on a monthly basis to prevent hacking.
The system will also support password encryption programs to prevent unauthorized hacking and access to the system. The operators will be responsible for data entry only and will have a limited view of the database in the context of their job responsibilities. In addition, only the systems manager will be allowed to update or modify the database. This will ensure that the database access controls are not violated (Weiss and Solomon, 2010). Each employee will be obligated to sign a declaration stating the significance of information security and data protection issues, and failure to comply with these policies may result in termination. The systems department will conduct monthly audits to ensure that security protocols are being followed by each employee. Internet access within the shop premises will be limited to work-related applications that include email access and vital information pages related to pharmaceuticals. The system will keep a log of the online visits along with the duration of browsing and operator identity. Any action found to violate the security conditions of the IT system will result in a thorough investigation and suspension of the employee from service.

Conclusion

Since our society has become reliant on technology, it has also become important for individuals and organizations to equip themselves with knowledge of information technology. Scientists, engineers, and programmers always come up with new inventions and technologies, sometimes too fast for people to keep themselves up to date on what is happening around them. However, people realize and greatly understand that those technologies make life convenient like never before. As the world moves towards expansion in terms of globalization and technology advancements, security systems are becoming more important to any organization than ever.
Since security measures such as PIN numbers, key card access, and passwords could be easily stolen and hacked, several security mechanisms and governance controls have been introduced to prevent loss or theft of vital customer data. At present, computers play an important role in everyone's life, and without computers, life could be a lot different. Likewise, many organizations could never exist without computers, or their absence could mean bankruptcy. Since most important information is stored in computers, an excellent security system is required in order to keep information safe from any issues that might lead to loss for the company. Security systems such as PIN numbers, key card systems, signatures and passwords are just the basic security installed in almost any organization, but these can be easily stolen, faked, and hacked before people even realize they are being attacked. Those problems are happening every day. Physical and logical security control mechanisms can help in mitigating some of the risks to which information systems are exposed. The report has outlined the basic threats and system vulnerabilities along with risk management controls that can help the pharmacy reduce its information security threats.

References

Champlain, J. (2003). Auditing information systems. John Wiley & Sons.
Contos, B.T., Crowell, W.P., DeRodeff, C., Dunkel, D., and Cole, E. (2007). Physical and logical security convergence powered by enterprise security management. Syngress Publishing.
Cullom, C. (2001). Computer crime, vulnerabilities of information systems, and managing risks of technology vulnerabilities. Ridgetop Information Solutions LLC.
Kim, D., and Solomon, M.G. (2012). Fundamentals of information systems security. Jones and Bartlett Learning.
Weiss, M., and Solomon, M.G. (2010). Auditing IT infrastructures for compliance. Jones and Bartlett Learning.
Vacca, J.R. (2009). Computer and information security handbook. Elsevier Inc.