Information Security Management - Essay Example

Summary

The paper 'Information Security Management' states that there are many approaches to information security risk assessment; the challenge is to find a set of approaches that fits the unique circumstances of an Accounting Company. The TMA01 evaluation reveals that the references to various vital aspects of information security…
TMA02 - M886 Information Security Management

Table of Contents

Part A: Presentation of Findings for the Organizational Assessment of Information Security Risks - Report to Accounting Company Senior Manager
  A. Description of Process
  B. Explanation/Justification for Choices
  C. Threats and Vulnerabilities Analysis
  D. Gap Analysis
  E. Treatment of Threats/Risks
Part B: Critical Assessment of the Process Used to Arrive at Assessment of Information Security Risks, and the Information the Process Has Provided About the Organization
  A. Evaluation of Process
  B. Evaluation of Results
  C. Process Improvement Suggestions
  D. Suggestions for Further Work
Works Cited

Part A: Presentation of Findings for the Organizational Assessment of Information Security Risks - Report to Accounting Company Senior Manager

A. Description of Process

The literature provides many approaches for information security risk assessment, and the challenge is to find an approach, or a set of approaches, that fits the unique circumstances of Accounting Company. The TMA01 evaluation reveals that the references to various vital aspects of an information security management document are shallow, in many areas lacking altogether, and lacking in rigor. Given that lack of rigor, one can say that the firm faces many different information security risks, and the challenge is to find an approach that best surfaces these risks for Accounting Company, given the state of TMA01 and the current circumstances of the firm. Taking a step back, there is value in situating a risk assessment process for Accounting Company in the context of a cycle for managing risks.

The chart below situates this particular exercise for Accounting Company in terms of a cycle that includes (1) the assessment of risks and determination of needs; (2) the implementation of controls and policies; (3) the promotion of awareness; and (4) monitoring and evaluation, all occurring around a central point of focus (United States General Accounting Office 6).

[Figure: the risk management cycle - assess risks and determine needs; implement policies and controls; promote awareness; monitor and evaluate - arranged around a central focal point. Source: US General Accounting Office 6]

Meanwhile, a compilation of information security risk assessment approaches, taken from the best practices of many top organizations in the US, has distilled the most important elements of an effective security risk assessment as follows (General Accounting Office 6):

(1) the identification of threats that could significantly impair crucial assets and operations;
(2) the estimation of the likelihood that the identified threats will occur;
(3) the identification and prioritization of assets and operations, in order to determine the most crucial assets and operations to protect should the identified threats occur;
(4) the estimation of probable losses in the event the threats occur, including the costs of recovery, for the most important assets and operations;
(5) the identification of interventions for risk mitigation, with the emphasis on the cost-effectiveness of such interventions; and
(6) the documentation of the results and the development of a plan of action.

To be sure, while the above outlines a generic information security risk assessment approach that is the common denominator of all effective, best-practice approaches, the literature actually details many different kinds, including a matrix approach (Goel and Chen) and many other best-practice approaches (General Accounting Office). For the purposes of this information security risk assessment for the Accounting Company firm, the chosen approach is the generic approach outlined above (General Accounting Office).

B. Explanation/Justification for Choices

The generic information security risk assessment approach outlined above is flexible enough for Accounting Company, given the many holes in the overall risk management document presented in TMA01, and it also benefits from the insights gleaned by the literature on what has worked as best practice for many top-performing organizations. Moreover, the generic approach chosen here can accommodate the various tools presented in the literature for the different stages of the process. For these reasons this proponent believes that the chosen generic approach is best suited for this exercise. The techniques used here are part of the overall approach outlined in A, and are generally qualitative rather than quantitative in nature (General Accounting Office; Goel and Chen).

C. Threats and Vulnerabilities Analysis

For the purposes of this analysis, the process followed centered on identifying the most crucial information assets of the firm, as prescribed in our chosen approach and in the Open University Course M866 prescriptions, as typified in sample case studies demonstrating a risk assessment exercise for a small firm (General Accounting Office; Goel and Chen; The Open University). The most critical processes are those tied to the delivery of services to the clients of the Accounting Company firm, and to safeguarding the integrity of the information related to the firm, to the firm's clients, and to vital third parties such as the government and the banks. The following is the list of the most crucial assets tied to these processes, in order of diminishing importance, with their security requirements (The Open University 7; Goel and Chen; General Accounting Office):

1. Financial statements, bank accounts data - integrity, confidentiality, availability
2. Accounting and auditing data for client companies - confidentiality, integrity, availability
3. Client databases - confidentiality, availability, integrity
4. Electronic record management systems - confidentiality, availability, integrity
5. Governance arrangements - confidentiality, availability, integrity

Having identified the most crucial assets in order of decreasing importance, we turn to the vulnerabilities and threats tied to these vital assets. From a security requirements point of view, all of the crucial assets carry the most stringent requirements for availability, integrity and confidentiality. Accounting Company being in the business that it is, confidentiality is an especially important requirement, since a breach of confidentiality can put both the firm and its clients in danger. That said, the threats and vulnerabilities can be considered severe given the scant documentation of the security measures in place. We list three threats based on a simulation: two deliberate threats, coming from internal employees and from third parties respectively, with the outcome in both cases being loss of confidentiality and disclosure of the data to malicious third parties who can harm the firm and its clients; and a third, non-deliberate threat from acts of God, natural disasters that can destroy the assets, with the outcome being the destruction of the data (Open University 12-13). Meanwhile, there are two vulnerabilities related to these security requirements (Open University 7-8; United States General Accounting Office 6-8; Goel and Chen):

1. For the top three assets, there are no measures in place to physically secure the assets. All three identified threats are relevant.
2. There are no measures in place to secure backup copies of the important assets. All three identified threats are relevant.
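The six generic steps of Section A, applied to the asset, threat and vulnerability lists of Section C, as an added worked example (this is not code from the essay, the GAO report or the Open University text). The asset ranking and the three threats follow Section C and the two controls follow the treatments in Section E; the likelihood ratings, the impact rule, the scope of the backup vulnerability (assumed here to cover all five assets) and the relative control costs are assumptions made for illustration, not values from the essay.

```python
"""Qualitative risk register that walks the six generic GAO steps for the Accounting
Company case. Added example, not code from the essay, the GAO report or the Open
University text. Assets, threats, vulnerabilities and controls follow Sections C and E;
likelihood ratings, the impact rule, the scope of the backup vulnerability and control
costs are ASSUMED for illustration."""
from dataclasses import dataclass
from itertools import product

RATING = {"low": 1, "medium": 2, "high": 3}   # ordinal scale for qualitative ratings
C, I, A = "confidentiality", "integrity", "availability"


@dataclass(frozen=True)
class Asset:
    name: str
    rank: int            # 1 = most critical; the Section C ordering (step 3)
    requirements: tuple  # security properties the asset must keep


@dataclass(frozen=True)
class Threat:
    name: str
    deliberate: bool
    violates: tuple      # properties the threat's outcome breaks
    likelihood: str      # ASSUMED rating (step 2)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposes: tuple       # names of assets lacking the safeguard
    control: str         # treatment from Section E (step 5 candidate)
    cost: int            # ASSUMED relative cost of the control, 1..3


ASSETS = (
    Asset("Financial statements, bank accounts data", 1, (I, C, A)),
    Asset("Accounting and auditing data for client companies", 2, (C, I, A)),
    Asset("Client databases", 3, (C, A, I)),
    Asset("Electronic record management systems", 4, (C, A, I)),
    Asset("Governance arrangements", 5, (C, A, I)),
)
THREATS = (  # step 1: the three threats of Section C; likelihoods are assumptions
    Threat("Deliberate disclosure by internal employee", True, (C,), "medium"),
    Threat("Deliberate disclosure by third party", True, (C,), "high"),
    Threat("Natural disaster destroys the data", False, (A,), "low"),
)
VULNERABILITIES = (  # Section C; the backup gap is assumed to cover all five assets
    Vulnerability("No physical security for top three assets",
                  tuple(a.name for a in ASSETS[:3]), "Physically secure the crucial assets", 3),
    Vulnerability("No secured backup copies",
                  tuple(a.name for a in ASSETS), "Produce and secure backup copies", 2),
)


def impact(asset, threat):
    """Step 4: probable loss, graded by asset criticality (assumed rule). A threat
    that breaks none of the asset's requirements causes no loss."""
    if not set(threat.violates) & set(asset.requirements):
        return 0
    return 3 if asset.rank <= 2 else 2 if asset.rank <= 4 else 1


def risk_register(assets=ASSETS, threats=THREATS, vulns=VULNERABILITIES):
    """Steps 1-4: one row per (asset, threat) pair that some vulnerability exposes,
    scored likelihood x impact and ordered highest risk first, then by asset rank."""
    rows = []
    for asset, threat in product(assets, threats):
        paths = [v.name for v in vulns if asset.name in v.exposes]
        score = RATING[threat.likelihood] * impact(asset, threat)
        if not paths or score == 0:
            continue  # no exposed path or no loss: nothing to treat
        rows.append({"asset": asset.name, "rank": asset.rank, "threat": threat.name,
                     "score": score, "vulns": paths})
    return sorted(rows, key=lambda r: (-r["score"], r["rank"]))


def treatment_plan(register, vulns=VULNERABILITIES):
    """Step 5: rank controls by the total risk score each removes per unit of cost."""
    removed = {v.name: 0 for v in vulns}
    for row in register:
        for name in row["vulns"]:
            removed[name] += row["score"]
    plan = [(v.control, removed[v.name], round(removed[v.name] / v.cost, 1)) for v in vulns]
    return sorted(plan, key=lambda p: -p[2])


def action_plan_text(register, plan, top=5):
    """Step 6: document the results as a plan of action, one line per item."""
    lines = [f"risk {r['score']:>2}: {r['asset']} <- {r['threat']}" for r in register[:top]]
    lines += [f"control: {c} (removes {rm}, {eff} per cost unit)" for c, rm, eff in plan]
    return lines


if __name__ == "__main__":
    reg = risk_register()
    print("\n".join(action_plan_text(reg, treatment_plan(reg))))
```

Running the script prints the five highest-scoring (asset, threat) pairs followed by the two controls ranked by risk removed per unit of cost. With the assumed ratings, the backup control comes out ahead of physical security because it covers all five assets at a lower assumed cost; that ordering is exactly the cost-effectiveness judgement step (5) asks for, and it changes as soon as the assumed likelihoods or costs are replaced with figures gathered from a properly completed TMA01.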
D. Gap Analysis

One can say, from the state of the risk management policies in place as reflected in the TMA01 document, that there are large gaps between what the vulnerabilities and threats to Accounting Company's most crucial assets are, on the one hand, and the firm's level of preparedness to deal with them, on the other. Another way to put this is that the threats and vulnerabilities are substantial, and the gaps lie in the firm not having safeguards in place to deal with the threats and to address its vulnerabilities with relevant measures. The gap analysis process here compares what needs to be done, as implied in the preceding threats and vulnerabilities analysis, with what is in place at present, as reflected in the TMA01 document. The gaps are large and need to be further substantiated. The vulnerabilities are actual vulnerabilities (United States General Accounting Office 6-8; Goel and Chen).

E. Treatment of Threats/Risks

The threats are large and reflect real risks for Accounting Company. The loss of data to internal and external threats can mean operations stopping and clients suing Accounting Company, even as the clients themselves become exposed to similar consequences. Interventions are needed to close the identified vulnerabilities. Measures have to be put in place to secure the physical safety of the crucial assets, and to produce backup copies of the assets in case the threats materialize. All of the vulnerabilities are to be controlled (United States General Accounting Office 6-8; Goel and Chen).

Part B: Critical Assessment of the Process Used to Arrive at Assessment of Information Security Risks, and the Information the Process Has Provided About the Organization

A. Evaluation of Process

The literature provides a very sound and very positive overall assessment of information security risk assessment approaches centered on the best-practices approach employed for this exercise. One can see from the preceding exercise, too, that there are many overlaps between the generic approach adopted here, from the US General Accounting Office, and the steps in the analysis of threats and vulnerabilities outlined in the Open University text. For one, in both cases there is the prescription to rank assets in terms of their criticality, that is, how crucial they are to the most important organizational outcomes. In the case of Accounting Company, that means the assets most important for supporting its most crucial business processes. Continuity of the business, and the integrity and confidentiality of its accounting and auditing work on behalf of its clients, are inseparable concerns. Where the integrity of its client data and related work is compromised, and where the confidentiality of such data assets is breached, the expected result is that Accounting Company would cease to be a viable concern. Apart from the lawsuits and the loss of business that come with such breaches of confidentiality and integrity, Accounting Company would suffer a blow to its reputation as a reliable provider of accounting services in its geographies of operation. Thus one can say that the business processes most crucial to Accounting Company are tied to protecting its most vital assets, as prioritized in the preceding exercise. Both the generic approach employed for this exercise and the Open University text agree on the need for a step in which the importance of the assets is correlated with how crucial they are to the most vital processes of the firm.

In this case, prioritization and ranking in order of diminishing importance relative to the crucial firm processes become important. In this sense one can say that the process, too, is effective overall, and corroborates the GAO's findings on how such a generic approach has been proven to work by top firms. The process is, after all, a distillation of the best-practice approaches used by top firms for conducting information security risk assessment (United States General Accounting Office; Goel and Chen; The Open University). The five positive things about the chosen approach are that (1) it is based on best practices; (2) it is applicable to Accounting Company; (3) it is thorough; (4) it is aligned with the approaches discussed in the class texts; and (5) it lends itself to accurate assessment. The five negatives are that (1) it is not specific enough; (2) it lacks tools as it stands; (3) it may be too generic; (4) it does not improve data quality; and (5) it is dependent on quality inputs (United States General Accounting Office; Goel and Chen; The Open University).

B. Evaluation of Results

The results further show the effectiveness of the chosen approach in identifying the most crucial vulnerabilities and threats facing Accounting Company, en route to assessing the information security risks facing the firm. The most substantial portion of the TMA01 document for the firm has to do with the breadth of its inventory of assets, while lacking depth in the details of the individual asset items. For instance, while all relevant assets seem to have been identified in the general sense, there is a lack of depth in identifying just what constitutes the electronic data, residing in what systems, and on what servers. This translates into a lack of rigor in identifying the risk mitigation measures already in place and, prior to that, the measures needed to alleviate the glaring holes in the security processes for the crucial assets. Taking a step back, it is noteworthy that the process was able to identify the most crucial assets in the inventory. On the other hand, the results of the vulnerabilities and threats analysis show a lack of detail about the nature of the threats, which reflects the general lack of depth in the documentation provided in TMA01. The same holds for the results of the gap analysis, where the lack of depth in the asset inventory and in the processes tied to the assets has resulted in a lack of depth in identifying the gaps in the processes for securing the assets and for making sure that they are backed up and protected from damage and breach of confidentiality (United States General Accounting Office; Goel and Chen; The Open University).

C. Process Improvement Suggestions

Having gone through this exercise, there are many improvements that can be gleaned in hindsight. The most glaring weakness of the current analysis stems from the weak foundation on which it is based, namely the inputs provided by the previous exercise. The biggest process improvement that can be made, outside of the generic approach outlined and prescribed here, is to make sure that the process for drafting TMA01 is substantially followed. This improvement will ensure that there are sufficient inputs, with adequate depth in the data and in the preceding analysis, to do the gap analysis and the threats and vulnerabilities analysis properly. Within the approach prescribed here, meanwhile, there are also several areas for improvement.

As discussed earlier, the general approach used here can benefit from the specific techniques and tools made available for the different stages of the process. To be specific, there are aspects of the matrix approach to the analysis of vulnerabilities and threats provided in Goel and Chen that can be used to make that part of the process more rigorous and robust. Again, such an exercise would benefit from the rigorous provision of the data inputs needed for a matrix analysis to be effective, and that data would ideally come from sufficient inputs from TMA01. The GAO paper further presents other best-practice tools and techniques that can substantiate the general approach used here even more. The suggestion to improve the process is to make use of these tools as necessary (United States General Accounting Office; Goel and Chen; The Open University). Another suggestion would be to follow the prescription in the general approach over the process prescribed in the Open University text. The disparity is that in the general approach of the GAO text, the step of prioritizing the most important business processes comes before prioritizing the most crucial assets. By following the GAO prescription one is sure that the prioritization of assets is tied to which assets are most relevant to the most crucial business processes (United States General Accounting Office; Goel and Chen; The Open University).

D. Suggestions for Further Work

One suggestion for further work is to make the preceding discussion more rigorous by employing more tools within the general framework specified in the chosen approach for this risk assessment exercise. This means making use of more tools to substantiate the analyses. It also means going back to the previous exercises and making the data more rigorous and complete. This exercise can also benefit from trying out the different analytical perspectives and approaches used by other top companies in the GAO best practices text (United States General Accounting Office; Goel and Chen; The Open University).

Works Cited

Goel, Sanjay, and Vicki Chen. "Information Security Risk Analysis - A Matrix-Based Approach". University at Albany, SUNY / General Electric Energy, 2005. Web. 2 February 2013. <http://www.albany.edu/~goel/publications/goelchen2005.pdf>

US General Accounting Office. "Information Security Risk Assessment Practices of Leading Organizations". GAO, 1999. Web. 2 February 2013.

The Open University. "Information security risk assessment". M866 Unit 2, Postgraduate ICT and Computing: Information security management. 2008.
