The Role of the Information Security Officer - Dissertation Example

Summary
In the paper “The Role of the Information Security Officer” the author looks at the field of information security, which deals with the security of information against threats like illegal access, leakage of confidential information, interference between flows of information between organizations…

Introduction

Data are a collection of unprocessed facts describing events occurring in corporations or the physical environment before they have been organized and converted into an arrangement that people can recognize and use. Information, on the other hand, refers to data that have been transformed into a form that is meaningful and useful to human beings (Norton, 2001, p.4; Laudon & Laudon, 1999, p.7). Information has become an essential part of almost every organization, so the security of this valuable asset is essential. Security refers to the rules, actions, operations and technical measures used to prevent unauthorized access or modification, theft, and physical damage to data and information. The field of information security deals with protecting information against threats such as unauthorized access, leakage of confidential information, and interference with the flow of information between organizations (e.g. hacking), in order to support business continuity, reduce business risk, and increase return on investment and business growth (Laudon & Laudon, 1999, p.507; Shelly et al., 2005; Dhillon & Backhose, 2001; Ray, 2004). This paper discusses the role of the information security officer in implementing information security.

Information Security

According to Williams (2007) and Pesante (2008), three broad categories of risk must normally be taken into account when dealing with information security:

Loss of Confidentiality

Information is accessed or used by someone who is not permitted to do so. This is especially relevant for organizations that store personal information about their clients, for instance credit card companies, banks and loan companies, and holders of medical and insurance records (Williams, 2007; Pesante, 2008).

Loss of Integrity

Integrity is the assurance that information has not been altered from its intended form; it also concerns the consistency of the information's format. Hacking attacks can alter information in unexpected ways. Integrity is especially critical for systems that process transactions, such as air traffic control, funds transfer and financial accounting (Williams, 2007; Pesante, 2008).

Loss of Availability

This risk is also very serious: information may not be available or accessible when it is urgently needed. It is particularly dangerous in an organization where one department's task depends on information from another, for instance a supply chain system in which the shipment of an order (the shipping department's task) depends on information from the billing department (Williams, 2007; Pesante, 2008).

Impact of Information Security Threats

According to Williams (2007), Pesante (2008) and Turban et al. (2005), users face information security risks such as the following:

• They must be able to trust the information they are using.
• The information they provide must be kept confidential according to their expectations.
• The information must be available to them when they need it.
• When they provide their information to a system, the system must generate a timely response and maintain their trust.

According to the CISSP forum and the ISO27k implementers' forum, the above risks lead to outcomes such as the following (Turban et al., 2005; Ruiu, 2006):

• Disruption to the corporation's routine, with a negative impact on trading capability and a resulting loss of income.
• Financial losses through information theft and fraud.
• A negative effect on customer relationship management, causing a reduction in shareholder value and trust.
• Reputational damage, causing lost customers and sales.
• Loss of trust in IT solutions, as they leave the organization exposed to cyber crime.
• The cost of recovering the original information.
• Loss of competitive advantage.
• Reduced profit because of increased maintenance and recovery expenses for systems and information.

The Role of the Information Security Officer

Information security is such a significant domain that, depending on whether it is taken into account, it may cause a corporation to flourish or to go bankrupt. In the light of the information security risks and consequences described above, corporations usually appoint an Information Security Officer (ISO), who is in charge of developing and maintaining a comprehensive information security and privacy program for the corporation. The main duties of the information security officer comprise (Clarke, 2001; Lavassani et al., 2006; Johnson & Goetz, 2007):

• Creating an information security plan.
• Implementing the security plan.
• Ensuring and maintaining end user privacy and security.
• Ensuring information security during organizational growth.
• Compliance with legal requirements and regulations.
• Using technology to enhance information security.
• Trust management in the context of virtual organizations.

Development of an Information Security Plan

The information security officer must set up an information security plan for the corporation, aimed at improving information security so as to avoid the harmful outcomes caused by vulnerabilities. This requires the information security officer to work through the following six phases (Clarke, 2001; Johnson & Goetz, 2007).

Scope Specification

The initial phase is the definition of the plan's scope. The following must be identified when defining the scope of an information security plan (Clarke, 2001; Ryan & Ryan, 2008):

• The set of stakeholders related to the corporation's business.
• The interests of those stakeholders.
• The degree of significance of information security, e.g. the accessibility and/or secrecy of various categories of data.
• The degree of significance of publicly visible assurance of the system's security.
• Legal requirements with which the corporation and its stakeholders must comply, such as data protection and privacy policies, intellectual property, patent and copyright laws, and common law obligations such as the duty of confidence.

The information security officer must define the scope formally, present it to the relevant top management executives, and commit to it. The scope then sets the framework for ensuring information security.

Threat Assessment

The information security officer must look at the sensitivity of information from the perspectives of a variety of stakeholders, and at its attractiveness to other parties. This must be followed by an examination of the environment and of the causes and effects of threats. Threats are of various kinds, as mentioned above: loss of confidentiality, loss of integrity and loss of availability, as well as modification and destruction of information (Clarke, 2001; Ryan & Ryan, 2008).

Identifying the Sources of Threats

The information security officer must examine the different sources of threats, which may include (Clarke, 2001; Ryan & Ryan, 2008):

• A person who is authorized to access the information, but for a purpose different from the one for which they are currently accessing it.
• An intruder who is not authorized to access the information but attempts to access it by illegitimate means.
• An unlawful recipient of data from an intruder.

Identifying the Location of Threats

The information security officer must be able to recognize the locations that may be affected by threats. These may include (Clarke, 2001; Ryan & Ryan, 2008):

• The processes through which information flows.
• Data storage, where information is kept.
• The organization's computing and communications facilities (network and devices), including the software that retrieves, stores, renders and transfers information and enables access to it.
• Transmission mechanisms, including discrete media (e.g. diskettes) and transmission over a LAN or WAN.
• Staff computing and communications services, for instance a workstation that is cracked by a hacker, or inadequately protected machines that are compromised and then used to launch a denial of service (DoS) attack against the corporation's server.

Risk Assessment

The information security officer must determine the extent to which spending on safeguards is acceptable in order to provide adequate protection against the identified threats. In most business circumstances the risk of any particular damaging event is not all that high, whereas the expense of mitigating it may be very high. It is therefore the responsibility of the information security officer to determine the various costs associated with risks, including (Clarke, 2001; Ryan & Ryan, 2008):

• Planning and control time.
• Operational staff and computer time for regular backups.
• Service loss during backups.
• Additional media for data storage.
• Training time for operational staff.
• Contracted support from other parties.

Risk Management Strategy and Security Plan

The information security officer must consider a range of alternative approaches to each threat. These can be (Clarke, 2001; Ryan & Ryan, 2008):

Proactive strategies

• Avoidance: not using a risk-prone technology or course of action.
• Deterrence, such as warning signs, threats of dismissal for persons causing damage, and publicity for court proceedings.
• Prevention, using guards and backup power sources; quality equipment, media and software; staff training; properly allocated tasks; actions to maintain staff confidence; and staff termination procedures.

Reactive strategies

• Estimating recovery expenses, for instance investment in resources, staff training, and amounts payable to other parties that are hired.
• Examining insurance, for instance policies with insurance firms, joint arrangements with other corporations, and protection agreements with suppliers.

The information security officer must then devise a risk management strategy, which can involve the following (Clarke, 2001; Ryan & Ryan, 2008; Ray, 2004):

• Choosing a mixture of operations or measures that reflects the results of the threat and risk assessments above. This includes technical safeguards that support detection of threatening events as they occur, help examine those events, and monitor conditions for signs of probable future threatening events.
• Applying policies and rules. These are managerial operations, in the form of structural arrangements, task allocation, process descriptions and rules for the exchange of information.
• Creating a security plan, under which the safeguards will be applied and the policies and procedures put in place.
• Resourcing the implementation of the security plan.
• Adopting and implementing controls to recognize security events, to observe and deal with them, and to check that all elements of the security plan are in place and in operation.
• Performance measurement, with the intention of periodically assessing the safeguards, the policies and procedures, the actual procedures being employed and followed, and the execution of the designed controls.

Implementing the Security Plan

The information security officer needs to focus on project management in order to implement the security plan. The policies need to be articulated and communicated. Automated and sometimes manual procedures need to be developed and altered in order to comply with the strategy, the policy and other legal requirements. Safeguards need to be built, checked, updated and deployed (Clarke, 2001; Ryan & Ryan, 2008). Implementing a security plan also requires raising awareness among staff, through staff training sessions, education about technical safeguards, and training in the particulars of the approach and the measures required of them. This usually requires a change in organizational culture (Clarke, 2001; Ryan & Ryan, 2008).

Ensuring End User Security and Privacy

Information security officers (ISOs) must provide end users with security they can understand and privacy they can manage. Two new trends in information security must be dealt with by the information security officer. First, even an experienced user can have trouble understanding exactly what facilities or services his or her device currently presents on the network, and which controls and configuration files must be changed to bring those services into a more adequate state that makes their information more consistent. This situation will only get worse as the question is extended to beginner users facing the complicated computing environments just around the corner (Smith & Spafford, 2004). Secondly, the information security officer can manage privacy by making free choices about actions and strategies. However, moving an action or process into a networked computing environment, with machines and software representing many stakeholders, makes it much more complicated to classify accurately what is involved in those actions and processes. It therefore becomes hard to establish where confidential information is being transmitted, and whether it is known that the information is also being transferred somewhere else. Integrating and solving these trends is a major challenge for the information security officer (Smith & Spafford, 2004; She & Thuraisingham, 2007; Grimaila, 2004).

The information security officer must therefore ensure the secure operation of end users by preparing user manuals and help material on the security of information through proper use of the user's workstation or device capabilities. End users must make balanced choices regarding their computing actions, but they would be unable to do so if they did not understand the systems. In this scenario, the information security officer must provide all stakeholders with a complete discussion of the range of privacy and information security policies for computing devices (Smith & Spafford, 2004; Song, 2009).

Ensuring Information Security during Organizational Growth

In multinational corporations, where the rate of organizational growth is significantly higher, the information security officer is responsible for keeping the corporation and its vital information secure in times of rapid growth. As the scope and size of organizational processes increase, it becomes much more complicated to implement and maintain the reliability and security of information against unlawful access and modification. The situation becomes harder still to manage when the corporation's management decides to outsource some of its services to outside parties and sets up relationships with external partners. Management sometimes also makes business decisions about expansion without first consulting the security group about the risks that decision introduces. It is therefore the duty of the information security officer to remain in touch with management executives and to keep aware of such decisions, so that these possibilities are considered when defining and implementing the information security policy and planning the safeguards and measures to address the risks to unsecured information (Johnson & Goetz, 2007; Smith & Spafford, 2004; Turban et al., 2005).

Compliance with Legal Requirements and Regulations

It is a very complicated and challenging task for some corporations to follow the many government laws and policies of different countries, for instance the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS). Multinational corporations face the additional challenge of meeting the requirements and regulations of each country in which they operate. In this scenario, the information security officer must prepare and execute agreements and contracts that compel users and external partners to comply with legal requirements, such as the information security and privacy policy, patents and copyright. Special care must be taken when creating agreements for multinational corporations, because the information security officer must also consider the operational rules of each respective country (Johnson & Goetz, 2007; Smith & Spafford, 2004; Turban et al., 2005).

Involving Technology for Enhancing Information Security

The information security officer must be responsible for providing the corporation with the latest information security technologies and solutions. The corporation's top management increasingly demands that the information security officer provide automated governance, policy development, and consultancy-type functions. In this scenario, the information security officer can make good use of technology to make the exchange of information more secure and reliable, and to support the decision-making process for the measures taken to secure information. For instance, cryptographic techniques can be used to prevent information from being read by an intruder, and in the same way digital signatures can make information accessible to identified users only. In addition, with the help of artificial intelligence, decision support systems can be developed that help the information security officer choose appropriate safeguards and measures for the secure communication of information (Johnson & Goetz, 2007; Dhillon & Backhose, 2001; Borasky, 1999).

Trust Management in the Context of Virtual Organizations

A virtual organization is a newly emerging paradigm in which a group of organizations collaborates to attain a specific objective by selling their respective services and products. Information security is very significant for virtual organizations, in which communicating correct information to authorized users ensures the success of the overall mission. Trust management of information security is an important aspect within a corporation; it involves relationships among staff and between networked computers across corporations. In virtual organizations it is even more significant to establish trust with respect to information security, because cross-organizational activities are involved (Au et al., 2001; McKnight et al., 2002; Baker & Wallace, 2007).

In a virtual organization, an agent may play the role of information security officer. It can take part in establishing and maintaining trust in the exchange of information between member organizations by using a token-based approach, in which a token is allocated to a member organization that wants to use the information. A token is a key of trust: if a member does not have such a token and attempts to access the information, the relationship is not trustworthy, and the information security agent must not allow that member corporation to access the information (Au et al., 2001; McKnight et al., 2002; Baker & Wallace, 2007).

Conclusion

This paper has presented the information security aspects of organizations. It has discussed the various threats that can arise from inconsistent information security within and between organizations. Information flows between organizations must be kept confidential, consistent, and available to the required extent. Unauthorized parties must not be able to access the information by unfair means, and legal requirements such as copyright and patents must be strictly followed. If such security aspects of information are ignored, they can have a bad impact on the organization's business, causing poor customer relationship management, unsatisfied customers, loss of income, decreased profit and the overhead of recovering the original uncorrupted information. Organizations therefore usually hire an information security officer to deal with such problems. The duties of an information security officer must include the development and implementation of a thorough security plan to cope with the dangers to the security of information. This may involve several phases, with the main objectives of identifying threats and risks, deciding the safeguards and measures that must be taken to make information more secure, specifying policies and procedures, and finally devising strategies to implement the information security plan successfully. The information security officer must also consider the privacy and security of end users' information and must assure their confidentiality and trust. The information security officer must make sure that the specified policies and security plan are consistent with organizational growth and that the organization complies with legal agreements and requirements. Technology must also be involved to make the exchange of information more secure, confidential and lawful; techniques such as cryptography and digital signatures can be used for this purpose, and decision support systems can be developed to assist in the decision-making process. Finally, we have considered the role of an information security officer in an emerging paradigm, the virtual organization, where an information security agent (playing the role of information security officer) can establish trust between member organizations.

Bibliography

Au, R., Looi, M. & Ashley, P., 2001. Automated cross-organisational trust establishment on extranets. In: Proceedings of the Workshop on Information Technology for Virtual Enterprises (ITVE), Vol. 13. Queensland, Australia, 2001. Washington, DC: IEEE Computer Society.
Baker, W.H. & Wallace, L., 2007. Is Information Security Under Control?: Investigating Quality in Information Security Management. IEEE Security and Privacy, 5(1), pp.36-44.
Borasky, D.V., 1999. Digital signatures. Online, 23(4), p.47.
Clarke, R., 2001. Introduction to Information Security. [Online] Available at: http://www.rogerclarke.com/EC/IntroSecy.html [Accessed 15 July 2010].
Dhillon, G. & Backhose, J., 2001. Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal, 11(2), pp.127-153.
Grimaila, M.R., 2004. Maximizing Business Information Security's Educational Value. IEEE Security and Privacy, 2(1), pp.56-60.
Johnson, M.E. & Goetz, E., 2007. Embedding Information Security into the Organization. IEEE Security and Privacy, 5(3), pp.16-24.
Laudon, K.C. & Laudon, J.P., 1999. Management Information Systems, 6th ed. New Jersey: Prentice Hall.
Lavassani, K.M., Movahedi, B. & Kumar, V., 2006. Identification in electronic networks: characteristics of e-identifiers. In: Proceedings of the 8th International Conference on Electronic Commerce: The new e-commerce: innovations for conquering current barriers, obstacles and limitations to conducting successful business (ACM International Conference Proceeding Series, Vol. 156). Fredericton, New Brunswick, Canada, 2006. New York: ACM.
McKnight, D.H., Choudhury, V. & Kacmar, C., 2002. Developing and Validating Trust Measures for e-Commerce: An Integrative Typology. Information Systems Research, 13(3), pp.334-359.
Norton, P., 2001. Introduction to Computers, 4th ed. Singapore: McGraw-Hill.
Pesante, L., 2008. Introduction to Information Security. [Online] Available at: http://www.us-cert.gov/reading_room/infosecuritybasics.pdf [Accessed 13 July 2010].
Ray, R., 2004. Technology Solutions for Growing Businesses. New York: American Management Association (AMACOM).
Ruiu, D., 2006. Learning from Information Security History. IEEE Security and Privacy, 4(1), pp.77-79.
Ryan, J.J.C.H. & Ryan, D.J., 2008. Performance Metrics for Information Security Risk Management. IEEE Security and Privacy, 6(5), pp.38-44.
Shelly, Cashman & Vermaat, 2005. Discovering Computers 2005. Boston: Thomson Course Technology.
She, W. & Thuraisingham, B., 2007. Security for Enterprise Resource Planning Systems. Information Systems Security, 16(3), pp.152-163.
Smith, S.W. & Spafford, E.H., 2004. Grand Challenges in Information Security: Process and Output. IEEE Security and Privacy, 2(1), pp.69-71.
Song, Y., 2009. The Application of XML Security Technology in E-commerce System. In: Second International Symposium on Electronic Commerce and Security, 2009. IEEE.
Turban, E., Leidner, D., McLean, E. & Wetherbe, J., 2005. Information Technology for Management: Transforming Organizations in the Digital Economy. New York: Wiley.
Williams, R.H., 2007. Introduction to Information Security Concepts (1.7.12.7). [Online] Available at: http://www.rhwiii.info/pdfs/Introduction%20to%20Information%20Security%20Concepts.pdf [Accessed 12 July 2010].
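The token-based trust mechanism described under Trust Management in the Context of Virtual Organizations above can be made concrete. What follows is an added example and not code from the paper or from any of its cited sources: it assumes that the information security agent holds a secret key and allocates HMAC-SHA256-tagged tokens bound to one member organization, one resource and an expiry time (the HMAC construction, the token layout, the member and resource names and the key are all assumptions of this example). A member that presents no token, a token issued to another member or for another resource, an expired token, or a token whose tag does not verify is denied, and every decision is recorded so the agent's behaviour can be audited.

```python
import hashlib
import hmac
import time

# Constructed demonstration key held by the information-security agent (an assumption
# of this example). A real deployment would load it from a secret store, never from source.
AGENT_KEY = b"constructed-demo-key-do-not-use-in-production"

SEP = "|"  # field separator inside the token


def issue_token(key: bytes, member: str, resource: str, ttl_seconds: int, now: float) -> str:
    """Allocate a token to a member organization for one resource, valid until now + ttl.

    Layout: member|resource|expiry|tag, where tag is HMAC-SHA256 over the first three
    fields. Only the agent holds `key`, so only the agent can produce a valid tag.
    """
    if SEP in member or SEP in resource:
        raise ValueError("token fields may not contain the separator")
    expires = int(now) + ttl_seconds
    payload = SEP.join((member, resource, str(expires)))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + tag


def verify_token(key: bytes, token: str, member: str, resource: str, now: float) -> tuple[bool, str]:
    """Check a presented token. Returns (allowed, reason) so the reason can be audited."""
    parts = token.split(SEP) if token else []
    if len(parts) != 4:
        return False, "missing or malformed token"
    tok_member, tok_resource, tok_expires, tag = parts
    # Recompute the tag over the presented fields and compare in constant time; any
    # alteration of member, resource or expiry, or a tag minted with another key, fails here.
    expected = hmac.new(key, SEP.join(parts[:3]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "tag mismatch (forged or altered token)"
    if tok_member != member:
        return False, "token issued to a different member"
    if tok_resource != resource:
        return False, "token issued for a different resource"
    if not tok_expires.isdigit() or int(tok_expires) < now:
        return False, "token expired"
    return True, "ok"


def agent_decide(key: bytes, member: str, resource: str, token: str, now: float, audit: list) -> bool:
    """The agent's access decision: deny by default, allow only on a valid token, log every decision."""
    allowed, reason = verify_token(key, token, member, resource, now)
    audit.append({"member": member, "resource": resource, "allowed": allowed, "reason": reason})
    return allowed


if __name__ == "__main__":
    # Constructed scenario: two member organizations of one virtual organization.
    now = time.time()
    audit: list = []
    token_a = issue_token(AGENT_KEY, "member-a", "shipment-data", 3600, now)
    agent_decide(AGENT_KEY, "member-a", "shipment-data", token_a, now, audit)  # own token: allowed
    agent_decide(AGENT_KEY, "member-b", "shipment-data", "", now, audit)       # no token: denied
    agent_decide(AGENT_KEY, "member-b", "shipment-data", token_a, now, audit)  # member-a's token: denied
    for entry in audit:
        print(entry)
```

The decision is deny-by-default and the verify step returns a reason rather than a bare boolean, so the audit trail shows not only who was refused but why, which is the evidence the agent needs when a member organization disputes an access decision.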
The Role of the Information Security Officer Dissertation. Retrieved from https://studentshare.org/information-technology/1739919-the-role-of-the-information-security-officer
