Policies and Procedures for Washington Posts Information System - Case Study Example

Summary
This paper "Policies and Procedures for Washington Post’s Information System" tells that the purpose of employing Information System processes for the company is to streamline procedures and synchronize the different tasks assigned to the different departments within the Washington Post…

Extract of sample "Policies and Procedures for Washington Posts Information System"

Evaluation of the Current Policies and Procedures for Washington Post’s Information System

Current Setup of Washington Post’s IT System

The purpose of employing Information System processes for the company is to streamline procedures and synchronize the different tasks assigned to the different departments within Washington Post. This is done to ensure that the company remains at the edge or forefront of the publication industry. Part of the management approach is the decentralization of its operation, with each division having its own identity, workplace culture and way of doing business yet sharing common goals and values (The Washington Post, 2006). Sharing of information is still vital among divisions, and this is made possible with the help of IS. The Information System Department manages the information flow and interconnectivity of the different divisions. It implements two core information systems: the Management Information System (MIS) and the Knowledge Information Systems (KMS). The MIS includes information that is accessible only by the members of top management and is provided to assist them in the decision-making process (Laudon and Laudon, 2005). On the other hand, the KMS provides technical help to the end users or employees who require solutions for their systems and data management. KMS is accessible by almost everybody within the company.

Assessed Risks and Deficiencies in IS Security

With the current setup of the IS department, it is very easy for anyone within the organization to access the data, which is immediately available in their servers or info bank. One risk is that competing companies may see an opportunity to send someone to infiltrate the company and gain access to the system; if there is no internal policy limiting users in saving documents on flash disks, floppy disks or any other forms of handy data storage, confidential information may be leaked.
Thus a more stringent recruitment procedure should be developed. As the Organization for Economic Co-operation and Development (OECD) emphasized in its Guidelines for the Security of Information Systems, the nature, volume and sensitivity of information that is exchanged has expanded substantially (Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, 2002). Internal factors, such as employees who are not responsible enough when sharing information with contacts outside the organization, whether maliciously or unaware that they are committing an act of misappropriation, may result in the loss of substantially confidential matters that may affect the management of the organization and its functions. Thus, several organizations have been established to safeguard the confidentiality of information exchanged over the net. This is addressed by the Generally Accepted Information Security Principles (GAISP) under the “Pervasive Principle”, which covers the parameters of confidentiality, integrity and availability of information, as shown in the following guidelines developed by GAISP:

The Pervasive Principles provide general governance-level guidance to establish and maintain the security of information. These principles form the basis of Broad Functional Principles and Detailed Principles. Security of information is achieved through the preservation of appropriate confidentiality, integrity, and availability. Confidentiality is the characteristic of information being disclosed only to authorized persons, entities, and processes at authorized times and in the authorized manner. Integrity is the characteristic of information being accurate and complete (as expected) and the information systems’ preservation of accuracy and completeness. Availability is the characteristic of information and supporting information systems being accessible and usable on a timely basis in the required manner.
The Pervasive Principles are founded on the Guidelines for Security of Information Systems, developed by the Information Computer and Communications Policy (ICCP) Committee and endorsed and published by the Organization for Economic Cooperation and Development (OECD). (OECD, p.12)

Another threat to the security of the company’s IS data comes from external factors, best known as hackers. They obtain information in order to sell the looted data or, in the case of Washington Post, competitors may use information that pertains to the marketing strategies and functional operations of each division and imitate plans before the company is able to implement them and make them known to its clients. The timeliness of information and freshness of articles being released to the public is significant for this industry. It ensures that clients will be satisfied with the validity of the information or news released. This, in turn, creates credibility for the Washington Post. However, with the nature and type of technologies now available to facilitate information and communications among the varied points of global businesses, with wireless and mobile devices and increased access to connections, the risk of losing pertinent information also increases. The nature, volume and sensitivity of information that is exchanged has expanded substantially (http://www.oecd.org/dataoecd/16/22/15582260.pdf, OECD, p.8).

Another danger of a company being always online is the proliferation of viruses, should there be no security measures that are continuously upgraded against the viruses and spyware released over the net. These devices or destructive software are increasing in number. Thus, the ISD must be constantly alert to newly released viruses and spyware. The people in the information department must be doubly vigilant of new malicious items being released on the web.
The design of security and implementation of both technical and non-technical safeguards and solutions are required and should be in proportion to the amount of information released in the company’s networks (http://www.oecd.org/dataoecd/16/22/15582260.pdf, OECD, p.13).

Content management is another concern that the organization must take heed of. Many businesses practicing the same approach to decentralization of information employ such systems, but the effectiveness and usage of these systems is still questionable. Is the IT department responsible for the increased usage of information employed in the organization? Does KMS serve the purpose that it is designed for? As quoted in the write-up Why Content Management Fails, “In a report published last year, Jupiter Research uncovered some startling findings. Of just under 100 companies … only 27 percent of companies surveyed planned to continue using their Web content management systems as they do now.” According to Veen, one problem was that content management worked fine, but nobody wanted to use the software once it was available because people, specifically knowledge workers, do not want to change the way they do things (Jeffrey Veen, 2004). If the same goes for employees of Washington Post, then it forfeits the purpose of decentralizing the divisions and streamlining their operations through the employment of IS. To avoid such a reaction to the current management approach, ensuring that everyone in the organization is well-oriented on the functions of the KMS may solve this issue. Also, to have any chance of success, a content management project must follow the same user-centered design practices as any other project: task analysis, rapid prototyping and usability testing are all crucial to a CMS rollout (Veen, 2004).
In the absence of existing laws that govern the risks faced by industries practicing IT in their operations and businesses, there are several projects and global institutions that have identified guidelines to assist information owners in securing their data. One association is the ISSA of Information Systems Security Information – The Global Voice of Information Security. This organization developed the Generally Accepted Information Security Principles (GAISP). It aims to promote practices, from the boardroom to the information security professional, that will ensure the confidentiality, integrity, and availability of organizational informational assets (GAISP, 2003). The Washington Post may benefit from assistance given by ISSA. Registering as a member of the said organization will help the IS department to draft guidelines and procedures for securing information sharing in the organization. Also, the OECD guidelines may provide insights on how to approach the risk assessment requirement of the organization. The National Institute of Standards and Technology (NIST), under the Technology Administration of the US Department of Commerce, drafted a recommendation for a Guide to Intrusion Detection and Prevention (IDP) systems as measures against malicious wares released on the net.

OECD specifically mentioned that accountability and responsibility for the IS falls not only to the IS department’s staff but also to all participants in the company. It mentioned each member's awareness of the risks that they may face from internal and external factors. An orientation on the different risks must be given to new entrants as well as to senior members. Accountability for security measures involves all end users, and consciousness of the threats must be instilled in each one.
Promotion of a culture of security will require both leadership and extensive participation and should result in a heightened priority for security planning and management, as well as an understanding of the need for security among all participants (http://www.oecd.org/dataoecd/16/22/15582260.pdf, OECD, p.9).

With all of the above being considered, management has a lot to consider in securing the IS. One step would be to run a Risk Assessment for the current setup. Also, in the selection process for company personnel, guidelines for determining the right people and consistency in background investigation would help in lessening internal risks. As for software and other devices that answer the need for Intrusion Detection and Prevention, an inventory and continuous updates must be maintained. The procedure of monitoring the events within a company's computer network to identify possible threats to the systems and standard security policies is discussed in detail in the draft IDP guide by NIST. IDPs typically record information related to observed events, notify security administrators of important observed events, and produce reports (Kent & Mell, 2006). NIST also identified four (4) different types of IDPs that can be used by organizations depending on the type of current network setup. The said types may be Network-Based, Wireless, Network Behavior Anomaly Detection and/or Host-Based.
The following are descriptions of the said types:

1. Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity
2. Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves
3. Network Behavior Anomaly Detection (NBAD), which examines network traffic to identify threats that generate unusual traffic flows, such as DDoS attacks, scanning, and certain forms of malware
4. Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

(Kent & Mell, 2006)

The use of the above recommendations will help the Washington Post ensure implementation of IDPs, as is done in U.S. Government departments. A copy of the said draft is readily available at http://csrc.nist.gov/publications/nistpubs/index.html.

REFERENCES

GAISP – Generally Accepted Information Security Principles. Currently available: Generally Accepted Systems Security Principles (GASSP) consisting of Pervasive Principles (PP), & Broad Functional Principle (BFP), June, 1999. Detailed Principles are under development (ISSA). Retrieved September 21, 2006 from http://www.issa.org/gaisp/_pdfs/v30.pdf

Laudon, Kenneth C. and Laudon, Jane P. (2005). Management Information Systems: Managing the Digital Firm (9th Edition). New York: Prentice Hall.

Kent, Karen & Mell, Peter (August 2006). NIST 800-94 Guide to Intrusion Detection and Protection (IDP) Systems (Draft). U.S. Department of Commerce. Retrieved on September 22, 2006 from http://csrc.nist.gov/publication/nistpubs/index.html

OECD (2002). Guidelines for the Security of Information Systems and Networks (9 pervasive principles for information security upon which several other guides are based). Retrieved September 22, 2006 from www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

The Washington Post Company (2006). Management Approach. Retrieved on September 19, 2006 from http://www.washpostco.com/company-approach.htm

Veen, Jeffrey (2004). Why Content Management Fails. In Adaptive Path, LLC. Retrieved on September 21, 2006 from http://www.adaptivepath.com.