Safeguarding Your Data - Literature review Example

Risk Assessment Information and data security is always a top concern for any company; however, in the case of our company it is even more vital since we design specialized programs which have important applications in industry and research. There are a number of threats which we face with regard to an illegal physical or an internet intrusion into our database of records from hackers, bored teenagers, viruses, worms and malicious software. Since there are a number of threats which can affect our digital security; therefore, a risk assessment is a good way to see what can possibly harm the integrity of our database. The biggest risk we face is unawareness on our own part that the system we have might be insecure. The Maginot mentality must be avoided in all cases so we must not think that the security protocols and mechanisms we have in place are enough. Unless we are perfectly aware of our own security situation as recommended by Schwarz (2006), we can not expect to figure out and locate various holes in the database system that need to be patched up. Our monitoring system must be up at all times to study network traffic which goes in and out of our database. It must be noted that the viruses and hacker techniques used today are not as dependent on signatures and call signs but rather on behavioral patterns. A signature based approach to detect intrusions or malicious software may suffice for a home user but when it comes to protecting the designs of our software or the work we have done for various clients, it would be more beneficial if we adopt a behavioral detection approach (Schwarz, 2006). While we can make the external access to our network as strong as we humanly can, we would be taking a great risk if we do not have a security plan in place for situations which come from internal intrusions. Before we jump to conclusions about disgruntled employees and start using words like ‘inside job’ we must consider that such an intrusion could simply be an accident or a novice not knowing what exactly they are doing with their system. Such negligence or lack of training could expose our company to several risks. It can be expected that the IT personnel and the software designers would have a much better idea about security and information protection, but other departments may require a few training sessions so they know exactly what to do in certain cases. The HR department for example or the finance department may have members who are not well versed in terms of which software they can install on their systems and how to deal with a computer which appears to be infected with a virus. The risk is not only in terms of losing information, it is also a great financial risks since courts may hold those who lose information or do not provide adequate information security to be liable for any losses (Feig, 2005). The records of our clients are important for them since they base the code of their software on our designs and the illegal distribution or theft of this information could lead to a lawsuit which could possibly put us in a dire situation where we have to pay a lot of money for something which could have been avoided by a few simple precautions. Rather than have one single tool for network and database security testing, it would be better to have several software tools and mechanisms which allow us failsafe methods to scan and get baseline figures for network traffic at any time. Multiple tools and software will also let us compare results from different sources so it could be possible to detect an intrusion even if the hacker manages to fool one or two of the security software tools (Scheraga, 2005). The IT department must keep their eyes and ears open for any new vulnerability found in the operating system or our database software so it can be patched at once. In fact, it would be better if we can have one person responsible for locating security flaws and another person responsible for correcting these flaws. If we assign the same person for both these tasks there is a chance of falling into a relaxed situation where we think that the system is secure and unbreakable. An evaluation system for the way our company acquires, transports, stores and retrieves information is also vital since that will give us means to both check for security flaws and methods to improve our efficiency otherwise (Schwarz, 2006). If we were asked to pick one central risk to our information security, it would have to be miscommunication. Members of the company must be clear on the protocols we need to follow physically and logically secure our information and any ambiguity must be clarified with the IT department at once. It would also help to curtail the risk if we establish weekly or bi-weekly security sessions to keep the members abreast of developments in security as well as tell them about any general patches or plugs they need for their computers. In certain cases, it would be prudent to ‘take over’ the computer systems of various company members so emergency vulnerabilities can be handled on the spot or the computer can be disconnected from the network if suspicious activity is seen. Again, communication with the members regarding these methods of remote control and methods by which they can ask for help is very important or they might unknowingly put the information security as well as the company at unwanted risk. It is understood that security is often inconvenient, but we can not look at false economies and have convenience at the expense of data security. While every possible effort must be made to make life easy for the members of the company, making something too convenient can also make it vulnerable and available to the wrong parties. The employees of the company must not see security as a roadblock; rather, they have to see it as something which protects them and their livelihood (Scheraga, 2005). Overall, the security systems which we need have must be based on layers, i.e. a physical layer which restricts access to certain terminals which are in secure locations and a digital layer which itself can have many levels. For instance, certain areas of the database can be blocked from access depending on the level of the user and the kinds of rights given to them. Additionally, these rights can also restrict the nature of changes they can make to the database and further help to secure vital information. Scheraga (2005) uses the example of military security and compares it to data security. The more sensitive a base is, or the more important the equipment is to the military, the more checkpoints and barriers does one have to go through to actually access them. With this idea in mind, it would be a great risk for our company to let every employee or user of the network to handle vital information without checks and barriers. In the final analysis, no amount of preparation or safety may be enough, consider the example that the most well protected and guarded man in the world is the president of the United States yet even he has been a target several times. However, security is all about preparation and knowing that things can go wrong (Lucas, 2004). Even though our network may be secure, we need to have backups and continuity plans in place to handle. Such plans can not be made to reasons we know our security can fail but for reasons we do not know. Works Cited Feig, N. (2005). Those Responsible for Data Breaches Should Bear The Costs. Community Banker, 14(12), 12-13. Lucas, M. (2004). One Year Later, IT Prepares for Next Disaster. Computer world, 38(31), 1-12. Scheraga, D. (2005). Firewalls Are Not Enough. Chain Store Age, 81(12), 83-86. Schwarz, E. (2006). Safeguarding Your Data. Chain Store Age, 82(1), 16-17. Word Count: 1,342 Read More