The Role of the Information Security Officer - Dissertation Example

The Role of the Information Security Officer Introduction Data are collection of unprocessed facts demonstrating events occurring in corporations or the physical location prior to they have been formed and changed into an arrangement that people can identify and utilize. On the other hand, information refers to data that have been changed into a form that is significant and purposeful to human beings (Norton, 2001, p.4; Laudon & Laudon, 1999, p.7). Additionally, at the present information has become an essential part of almost every organization. Thus, the security of this valuable asset is very necessary. Security refers to rules, actions, operations and technical measures used to stop illegal access or change, theft, and physical damage to data and information. In addition, the field of information security deals with the security of information against threats like illegal access, leakage of confidential information, interference between flows of information between organizations (e.g. hacking) to allow for business constancy, diminish business threats, and augment return on investments and business growth (Laudon & Laudon, 1999, p.507; Shelly et al., 2005; Dhillon & Backhose, 2001; Ray, 2004). This paper discusses the role of information security officer in implementing the information security. Information Security According to (Williams, 2007; Pesante, 2008), there are normally three broad categories of risks that must be taken into account when dealing with information security: Loss of Confidentiality When information is accessed or used by someone not allowed doing so. However, this is normally right for the organizations that use to store personal information for their clients for instance credit card companies, bank and loan companies, medical and insurance records (Williams, 2007; Pesante, 2008). Loss of integrity Integrity of the information is associated with the guarantee that information is not different from the intended structure. Additionally, it is about the consistency of information’s format. In addition, the hacking attacks can alter the information in some unexpected ways. Moreover, it is very critical for the systems involving transactions such as air traffic control, funds transfer and financial accounting (Williams, 2007; Pesante, 2008). Loss of availability This kind of risk is also very serious as information may not be available or accessible when one might desperately need that. This can be very dangerous in context of organization in which the task of department organization depends upon the information coming from some other department for instance supply chain system in which shipment or delivery of a particular order (task of shipping department) to a customer depends upon the information coming from billing department (Williams, 2007; Pesante, 2008). Impact of Information Security Threats According to (Williams, 2007; Pesante, 2008; Turban et al., 2005), there are some information security risks those can be faced by the users such as: They must be able to trust on the information which they are using. The information, they provide must be kept confidential according to their expectations. The information must be available to them when they need it. When they provide their information to the system, system must generate a timely response and should maintain their trust. According to CISSP forum and ISO27k implementer’s forum, there are certain outcomes that are caused by above mentioned risks, such as: (Turban et al., 2005; Ruiu, 2006) Disruption to corporation routine having negative impact on trading capabilities resulting in loss of income. Financial losses through information theft and fraud. Negative effect on customer relationship management causing a reduction in shareholder value and trustworthiness. Reputational damage causing lost customers and sales. Loss of trust in IT solutions as they tend to make organization effected by cyber crimes. Cost for recovery of original information. Loss of competitive advantage. Decrease in profit because of increased maintenance and recovery expenses of systems and information. The role of information security officer Information security is such a significant domain that, if taken into account, may cause a corporation to flourish or may make it bankrupt otherwise. So, in the light of aforementioned information security risks and their consequences corporations usually tend to appoint an Information Security Officer (ISO), who is in charge for the development and maintenance of a wide-ranging information security and privacy program in a particular corporation. The main duties of information security officer comprise: (Clarke, 2001; Lavassani et al., 2006; Johnson & Goetz, 2007) Creation of information security plan. Implementing security plan. Ensuring and maintaining end user privacy and security. Ensuring information security during organization growth. Compliance with legal requirements and regulations. Involving technology for enhancing information security. Trust management in context of virtual organizations. Development of an Information Security Plan The information security officer must set up an information security plan for a corporation, which aimed at improving information security to avoid any bad outcomes caused by vulnerabilities. It further requires an information security officer for following six phases (Clarke, 2001; Johnson & Goetz, 2007). Scope Specification The initial phase in this process is the definition of its scope, following things must be indentified while defining the scope for information security plan: (Clarke, 2001; Ryan & Ryan, 2008) The set of stakeholders that is related to corporation’s business. The interests of those stakeholders. The extent of significance of information security e.g. accessibility and/or secrecy of various categories of data. The extent of significance of unrestricted visibility of assurance of the system's security. Officially authorized requirements with which the corporation and its stakeholders comply, such as data protection and privacy policies, intellectual property, patent, copy right laws, and common law obligations such as the duty of confidence etc. Information security officer must define the scope in a formal way, and then must expose it to relevant top management executives and commit to it. It then sets the framework for ensuring information security. Threat Assessment Information security officer must look at the sensitivity of information from the perspectives of a variety of stakeholders, and its attractiveness to other parties. Additionally, this needs to be followed by examination of the environment, cause and effect of threats. The nature of threats are of a variety of kinds, as mentioned above for instance loss of confidentiality, loss of integrity and loss of availability, modification and its destruction (Clarke, 2001; Ryan & Ryan, 2008). . Identifying the Sources of Threats Information security officer must examine different sources of the threats. It may include several types: (Clarke, 2001; Ryan & Ryan, 2008) A person who is authorized to access the information, however for a reason different from that for which he is currently accessing it. An intruder, who is not authorized to access the information however, still trying to access it using some illegal sources An unlawful receiver of data from an intruder. Identifying the Location of Threats Information security officer must be able to recognize the location that is “to-be” affected by the threats. It may include a number of locations: (Clarke, 2001; Ryan & Ryan, 2008) Within processes where information will flow. Data storage, where information will be stored. Organization’s computing and communications facilities (network and devices), including software that retrieves, stores, renders and transfers information and enables access to the information. Mechanism of transmission including discrete media (e.g. diskette), and transmission over LAN or WAN. Within staff's computing and communications services, for instance a workstation that is cracked by a hacker or there may be some inadequately protected machines that are hacked and then employed to initiate denial of service (DOS) against corporation’s server. Risk Assessment Information security officer must be able to find out the amount to which cost on safeguards is acceptable in order to make available, an adequate protection against the identified threats. Additionally, in most of the business circumstances, the risk of each particular damaging effect is not all that higher than the expense of risk mitigation, on the other hand, may be very high. Thus, it is the responsibility of an information security officer to determine different costs associated with risks including: (Clarke, 2001; Ryan & Ryan, 2008) Planning and control time. Operational staff and computer time, for regular backups. Service loss during back up. Need of additional media for data storage. Training time for operational staff. Contracted support from other parties. Risk Management Strategy and Security Plan Information security officer must adopt a range of alternative approaches relative each threat. These can be: (Clarke, 2001; Ryan & Ryan, 2008) Proactive Strategies Prevention from the use of a risk-prone technology or course of action. Deterrence such as signs, threats of dismissal to damaging person, publicity for hearing to the court. Prevention using guards and backup power sources; quality equipment, media and software, staff training, properly allocated tasks and actions to maintain self-confidence and staff termination measures. Reactive Strategies Estimating the recovery expenses for instance investment in resources, staff training, and amount payable to other parties that were hired. Examining Insurance for instance policies with insurance firms, joint arrangements with other corporations, and protection agreements with suppliers. Information security officer must then devise a risk management strategy that can involve the following: (Clarke, 2001; Ryan & Ryan, 2008; Ray, 2004) Choosing a mixture of operations or measures that reflects the effects of the aforementioned threat and risk assessments. In addition, it includes using technical safeguards that support the invention of the happening of threatening actions, help examine these actions, and examine the condition for signs of probable future threatening events. Applying policies and rules: However, these are managerial operations, in the form of structural arrangements, task allocation, process descriptions and specifying the rules for the exchange of information. Creation of a security plan: whereby the safeguards will be applied and the policies and procedures will be put into place. Resourcing for the implementation of the security plan. Adopting and implementing controls, to recognize security events and to observe and deal with them, and to observe if all elements of the security plan are in place and are in operation. Involving performance measurements, with the intention of sometimes assessing the safeguards, the policies and procedures, the real procedures that are being employed and followed, and the execution of the designed controls. Implementing the Security Plan Information security officer needs to focus on project management in order to implement the security plan. Additionally, the policies need to be articulated and communicated. In addition, automatic and sometimes manual procedures need to be variously developed and altered, in order to comply with the strategy, policy and other legal requirements. Moreover, safety measured need to be built, checked, updated and deployed (Clarke, 2001; Ryan & Ryan, 2008). Furthermore, the implementation of a security plan also requires growing consciousness among staff such as staff training sessions, education in the about technical safeguards, and training in the particulars of the approach and measures required by them. However, this usually requires a change in organizational culture (Clarke, 2001; Ryan & Ryan, 2008). Ensuring End User Security and Privacy The information security officers (ISOs) must provide end users with the security, they can understand, and privacy they can manage. Additionally, there are two new trends in information security that must be dealt by information security officer are: First, even an experienced user can face trouble in understanding accurately what facilities or services his/her device presents right now on the network and what controls and configuration files are required to change or to guide those services into a more adequate condition, that may make their information more consistent. However, this situation will merely get worse as we continue to expand the study to beginner user with respect to the complicated, computing environments threatening just around the corner (Smith & Spafford, 2004). Secondly, the information security officer can manage privacy by making free choices about the actions and strategies. On the other hand, moving action/process into a networked computing environment, with machines and software representing lots of stakeholders makes it much complicated to classify accurately what is engaged in these actions/processes. Therefore, it becomes hard to classify that where is confidential information being transmitted? Is it known that information is also being transmitted/transferred somewhere else? Integration of these trends and solving them is a major challenge for the information security officer (Smith & Spafford, 2004; She & Thuraisingham, 2007; Grimaila, 2004). Therefore, an information security officer must make sure the secure operation of end users by preparing certain user manuals and helping material regarding the security if information by the proper utilization of user’s work station or device capability. In addition, the end users must make balanced choices regarding their computing actions; however they would be unable to do so if they would recognize the systems. In this scenario, the information security officer must provide all stakeholders with complete negotiations about the range of privacy and information security policies for computing device (Smith & Spafford, 2004; Song, 2009). Ensuring Information Security during Organization’s growth In case of multinational corporations where the rate of organizational growth is significantly higher, the information security officer is responsible for keeping the corporation and its vital information secure in times of speedy growth. Additionally, with the increase in the scope and size of the organizational processes, it has turned out to be really complicated to implement and maintain the reliability and security of information in opposition to against the law accesses and modifications. In addition, the condition turns out to be really complicated to be tackled when corporation’s management decides to outsource some of its services to outside parties and tries to set up relationships with external partners. Moreover, the management sometimes makes business decisions about expansion without first consulting the security group concerning possible risks introduced via that decision. Therefore, it is the duty of information security officer to remain in touch with management executives and keep himself aware of such decision’s so he may consider these possibilities while defining and implementing information security policy and planning for safeguards and measures to tackle with the risks with unsecure information (Johnson & Goetz, 2007; Smith & Spafford, 2004; Turban et al., 2005). Compliance with legal requirements and regulations It is a very complicated and challenging task for some corporations to follow lots of government laws and policies of different countries, for instance “Sarbanes-Oxley Act” and the “Health Insurance Portability and Accountability Act (HIPAA)”, as well as industry standards, such as “Payment Card Industry Data Security Standard (PCI-DSS)”. In addition, the multinational corporations have other challenges of fulfilling the requirements and regulations in particular countries of operation. In this scenario, the information security officer must prepare and carry out certain agreements and contracts that may compel a user or external partners to comply with authorized requirements such as information security and privacy policy, patents, copy right etc. In addition, special care must be taken while creating the agreements for multinational corporations for the reason that in that case an information security officer must also consider the operational rules of a respective country (Johnson & Goetz, 2007; Smith & Spafford, 2004; Turban et al., 2005). Involving Technology for enhancing information security An information security officer must be responsible for providing the corporation with the latest information security technologies and solutions. Additionally, the corporation’s top management increasingly demands information security officer to provide automated governance, policy development, and consultancy-type functions. In this scenario, the information security officer can make a very good use of technology for making the exchange of information more secure and reliable and for supporting the decision making process for taking certain measures in order to make information more secure. For instance, he can make use of different cryptography techniques to avoid the information being interpreted by some intruder in the same way digital signatures can make information accessible to identified users only. In addition, with the help of artificial intelligence certain decision support systems can be developed that can help information security officer to make decisions regarding the choice of appropriate safe guards and measures for secure communication of information (Johnson & Goetz, 2007; Dhillon & Backhose, 2001; Borasky, 1999). Trust Management in context of Virtual Organizations Virtual organization is a new emerging paradigm in which a group of organizations collaborates to attain a specific objective by selling their respective services and products. Additionally, the idea of information security is very significant to virtual organizations in which the communication of correct information to authorized users makes sure the success of overall mission. In addition, the trust management of information security is important aspect within a corporation. Moreover, it involves relationships among staff and networked computer between corporations. Furthermore, in virtual organizations it is even more significant to set up trust with respect to information security where cross organizational activities are involved (Au et al., 2001; McKnight et al., 2002; Baker & Wallace, 2007). In a virtual organization, an agent might be playing a role of information security officer. Additionally, it can take part in establishing and maintaining trust in information exchange between different member organizations by using a token based approach in which a token can be allocated to some member organization which wants to use the information. In addition, a token may be a key of trust and if a member does not have such token and is attempting to access the information then it will not be a trustworthy relationship. Therefore, the information security agent must not allow that member corporations to access the information (Au et al., 2001; McKnight et al., 2002; Baker & Wallace, 2007). . Conclusion This paper has presented the information security aspects of organizations. This paper has discussed various threats that can occur because of inconsistent information security within and between the organizations. The information flows between organizations must be kept confidential, consistent, and available up to the required extent. Additionally, the a illegal authority must not be able to access the information with unfair means and legal laws and requirements such as copyright, patents etc must be strictly followed. And if such security aspects of information are ignored, these can produce bad impact on organization’s business causing bad customer relationship management, unsatisfied customers, loss of income, decrease in profit and overhead of costs for recovery of original uncorrupted information. So an information security officer is usually hired by the organizations to deal with such problems. Duties of an information security officer must include development and implementation of a thorough security plan to cope with the dangers to the security of information. It may involve different phase with the main objective to identify the threats and risks, deciding the safeguards and measurements that must be taken to make information more secure, specifying the policies and procedures and finally devising different strategies to implement the information security plan successfully. Information security officer must also consider the privacy and security of the information of end users and must assure their confidentiality and trust. Information security officer must make sure that the specified policies and security plan is consistent with organizational growth and organization is complying with legal agreements and requirements. Technology must also be involved in order to make exchange of information more secure, confidential and legal. Moreover, different techniques can be used for this purpose such as cryptography; digital signature etc. and decision support system can be developed to get help in decision making process. Finally we have considered the role of an information security officer in an emerging paradigm i.e. virtual organization, where an information security agent (playing the role of information security officer) can establish trustworthiness between member organizations. Bibliography Au, R., Looi, M. & Ashley, P., 2001. Automated cross-organisational trust establishment on extranets. In ITVE; Vol. 13, Proceedings of the workshop on Information technology for virtual enterprises. Queensland, Australia, 2001. IEEE Computer Society Washington, DC, USA. Baker, W.H. & Wallace, L., 2007. Is Information Security Under Control?: Investigating Quality in Information Security Management. IEEE Security and Privacy, 5(1), pp.36-44. Borasky, D.V., 1999. Digital signatures. Online, 23(4), p.47. Clarke, R., 2001. Introduction to Information Security. [Online] Available at: http://www.rogerclarke.com/EC/IntroSecy.html [Accessed 15 July 2010]. Dhillon, G. & Backhose, J., 2001. Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal, 11(2), pp.127-53. Grimaila, M.R., 2004. Maximizing Business Information Security's Educational Value. IEEE Security and Privacy, 2(1), pp.56-60. Johnson, M.E. & Goetz, E., 2007. Embedding Information Security into the Organization. IEEE Security and Privacy, 5(3), pp.16-24. Laudon, K.C. & Laudon, J.P., 1999. Management Information Systems, Sixth Edition. New Jersey: Prentice Hall. Lavassani, K.M., Movahedi, B. & Kumar, V., 2006. Identification in electronic networks: characteristics of e-identifiers. In ACM International Conference Proceeding Series; Vol. 156, Proceedings of the 8th international conference on Electronic commerce: The new e-commerce: innovations for conquering current barriers, obstacles and limitations to conducting successful business. Fredericton, New Brunswick, Canada, 2006. ACM New York, USA. McKnight, D.H., Choudhury, V. & Kacmar, C., 2002. Developing and Validating Trust Measures for e-Commerce: An Integrative Typology. Information Systems Research, INFORMS, 13(3), p.334–359. Norton, P., 2001. Introduction to Computers, Fourth Edition. Singapore: McGraw-Hill. Pesante, L., 2008. Introduction to Information Security. [Online] Available at: http://www.us-cert.gov/reading_room/infosecuritybasics.pdf [Accessed 13 July 2010]. Ray, R., 2004. Technology Solutions for Growing Businesses. New York: American Management Association (AMACOM). Ruiu, D., 2006. Learning from Information Security History. IEEE Security and Privacy, 4(1), pp.77-79. Ryan, J.J.C.H. & Ryan, D.J., 2008. Performance Metrics for Information Security Risk Management. IEEE Security and Privacy, 6(5), pp.38-44. Shelly, Cashman & Vermaat, 2005. Discovering Computers 2005. Boston: Thomson Course Technology. She, W. & Thuraisingham, B., 2007. Security for Enterprise Resource Planning Systems. Information Systems Security, 16(3), pp.152-63. Smith, S.W. & Spafford, E.H., 2004. Grand Challenges in Information Security: Process and Output. IEEE Security and Privacy, 2(1), pp.69-71. Song, Y., 2009. The Application of XML Security Technology in E-commerce System. In Second International Symposium on Electronic Commerce and Security., 2009. IEEE. Turban, E., Leidner, D., McLean, E. & Wetherbe, J., 2005. Information Technology for Management: Transforming Organizations in the Digital Economy. New York: Wiley. Williams, R.H., 2007. Introduction to Information Security Concepts. [Online] (1.7.12.7) Available at: http://www.rhwiii.info/pdfs/Introduction%20to%20Information%20Security%20Concepts.pdf [Accessed 12 July 2010]. Read More