The Development of Security Domains - Term Paper Example

Information Security Management Introduction In the early 21st century, the rate of internet access has augmented at a significant pace in the globalcontext. In this regard, both large organisations and small and medium size enterprises (SMEs) depend on internet services in order to perform their operations more adequately. Moreover, in the present modern era ‘Information Security Management’ (ISM), has been one of the most crucial factors with the help of which organisations can ensure their efficiency and effectiveness. Thus, most of the SMEs and large organisations are interlinking system, which specifically aims towards safeguarding the digitized information from illegal access by unauthorised individuals. In this context, it can be asserted that unreliable access may significantly distort stored data of an organisation with respect to ‘crashing’, ‘modification’, ‘disruption’ and ‘disclosure’. As an effect, ‘Information Security Management’ has been applied by SMEs for managing data from decades (Dhillon & Torkzadeh, 2006; Whitman, 2004). In the present scenario, organisations are majorly concerned about the shifting market situation and competition. In this context, the concept ISM has been applied for confining organisational information from being imitated by competitors. Technological advancement has led to the development of digitization as well as e-commerce activities. Additionally, organisations are also identified to adopt innovation with the aim of transforming data in digitalised form in order to evaluate as well as store data effectively. In this respect, digitalisation of data has further raised issues relating to online security. Subsequently, organisations have focused on building individual security domains for managing data. The prime intention of developing domains is to preserve information privacy. Subsequently, the development of security domains has assisted in building better policy standards with the assistance of which the security level of data security and privacy can be maintained effectively. As an instance, it can be asserted that the development in the sphere of firewall security within every data storage facility of a business process has ensured data protection for a longer period. In addition, firewall security has proved its significance as well as effectiveness in the business context (Dhillon & Torkzadeh, 2006; Whitman, 2004; Bidkar, n.d.). The objective of the essay is to have a better understanding about ISS. Moreover, the report will also provide details about the procedure based on which information system and security issues are maintained. Additionally, the study will also emphasize the need for ‘information security management’ for SMEs and large organisations. Fig. 1: Sound Information Security Management System Source: (Ling & Masao, 2011) Discussion Justifying the Need for Sound Information Security Management in SMEs An effective ‘Information Security System’ (ISS) is required to be developed for managing data based on certain crucial factors that are provided hereunder. Preservation of Business Integrity. Presently, organisations are concerned about data security for improving businesses’ effectiveness and in this regard, organisations are identified to adopt different measures based on which integrity as well as confidentiality of data is maintained. In this competitive era, business organisations need to safeguard work related information to prevent competitors from imitation of a product and/or service. On the other hand, from a negative perspective, duplication of products and/or services by competitors may be a risk for a business process of being influenced relating to lose of market reputation as well as market share. Thus, the importance and essentiality of the ISS is identified for managing data. ISS assists to manage crucial data in order to safeguard the honour of an organization (Ling & Masao, 2011). Preservation of Customers’ Assets. In this contemporary business scenario, meeting the expectation of the customers is an important factor for better sustainable growth of an organisation. Contextually, technological advancement has led to the development of online transaction to improve convenience of both organizations as well as customers. For instance, e-banking is an innovation in the domain of conducting online transactions. In the present day context, business transactions between organisations and customers are conducted in an online manner for better convenience and ease. Respectively, the developments of online business operations have raise the occurrences of fraudulences and information theft to a large extent. In this context, the application of information system assists customers as well as banking organizations to ascertain safety and managing business process for mitigating the issue of data security. Subsequently, introduction of password protection policy is recognised as an effective measure for managing card transactions and online purchasing services, which has led to the development of ‘information security management’ (Boon, 2010). Preserving Customers’ Privacy. ISS also aids SMEs to safeguard private information relating to users and organisations. Apart from this, preserving confidentiality of data by ISS would also aid in building loyalty as well as trust amid customers. Thus, customers are identified to be cautious and concerned about maintaining safety as well as confidentiality of information. This is due to the fact that unauthorised access of such information may adversely affect the confidence level of customers, which in turn may influence business sustainability as well as reputation (Ling & Masao, 2011; Boon, 2010). These factors evidently depict the importance of sound ‘information security management’ for SMEs to enhance the effectiveness of ‘information system security’ tools and measures in a business. Incident Response Management and Disaster Recovery During the last few years, lack of information sharing is one of the key problematic issues, which has observed at the time of disaster recovery phase. As an effect, many organizations have operated their own expertise technique in order to ensure their information security management. Unfortunately, situations and circumstances have changed during the 21st century. ‘Information security management’ has become one of the most crucial factors for the modern business organisations due to information sharing needs. In this regard, through the assistance of information security management it can be possible to share information with neighbours and other business associates. Apart from this, it can be also asserted that through the help of ‘information security management’, system information can be shared in a hierarchical basis in an organisation (Peters, 2008). Moreover, it can be also asserted that through the help of ‘information security management’ SMEs can improve disaster situation more efficiently. In this regard, rationally it can be affirmed that ISS generally describes about the systematic procedure, which is undertaking architectural policies and structure. ‘Information security management’ indicates response management as well as disaster recovery by defining security, objectives and appropriate risk assessment (Wiederhold, 1992). Mobile Device Security Management In the modern era, mobility trend has developed in a significant manner in relation to work culture. It can be affirmed that organisations have adopted mobile device technologies with the aim of ensuring better dissemination of information globally. At the same time, several large organisations as well as SMEs are relying on robust and user-friendly applications of mobile technologies for customers. Organisations are supporting mobile devices in order to conduct mobile computing operations in an effective manner. It has been identified that increasing capabilities of mobile device would assist organisations to meet the needs of consumers. Simultaneously, improvements in terms of hardware and software have enabled mobile devices to perform complex tasks. As an effect, the uses of mobile have increased among small and medium scale organisations (MacAfee, 2011). On the other hand, irrespective of their size, organizations are vigilant about data integrity along with regulations of data protection in order to reduce further operational obligations. Thus, modern mobile developer organisations have specially concentrated on higher levels of security and data protection techniques with the aim of securing mobile devices. Instead of that, sometimes unfortunately it has been observed that fraud entities are using mobile devices in order to access protected and secure data in an unauthorized manner. Thus, it can be evidently affirmed that organizations should have adopted measurable techniques to secure data properly with respect to mobile devices. Thus, it can be recommended that SMEs and larger organisations should have emphasized planning, acquisition, deployment, management and replacement in order to ensure secure data sharing and authenticity in terms of data storage (Cloud Security Alliance, 2012). Fig. 2: Mobile Device Management (Source: Cloud Security Alliance, 2012) Linking Business Objectives with Security In the early 21st century, global economy relied on ‘information security management’ for ensuring collaboration and online trade operations in organisations. In this regard, information security is recognised as an essential constituent for SMEs and larger business organisations. Thus, most of the business entities have been involved in the mechanisms of securing their business transactions. Apart from this, enterprises have adopted tools and technologies in order to protect the fundamental structure of information system, which has assisted business organisations to improving their efficiency and aligning business aim and objectives successfully (Johnson & Goetz, 2007). Fig. 3: Linking Business Objectives with Security (Source: ISACA, 2014) In this regard, in order to protect information, SMEs and larger organisations have taken into consideration information security policies and guidelines to secure business goals. Moreover, many enterprises have incorporated technology strategies for developing and understanding the procedure based on which organizations can improve the impacts and effectiveness of the business objectives in relation to ISS. At the same time, organizations have concentrated on organizational culture, governance and human factors in order to improve the ability of an organization to protect data from mitigating security risk (ISACA, 2014). In this context, organisations linking business objectives with security are able to ensure that business operations are conducted efficiently. Biometric Security Devices and Their Use Biometric security can be defined as a recognition technique, through which computers can identify the biological features of individuals more efficiently. Biometrics security is usually used for critical access control through physical evidences in case of information server. In this regard, it can be asserted that biometrics security can be established through the help of fingerprint, speaker (voice), retina and hand geometry among others (Dell Inc, 2006). During the biometric authentication process, first of all the biometric data is registered in the system and then the system usually verify the enrolled biometric data for accessing into the system. In each case, the biometric data sample is usually securely stored into the system for future matching or verification purpose. During the biometric data sample comparison, the enrolled data is matched with the stored data and accordingly, the system recognizes the authentic user and approves the access on the system. On the other hand, if the compared biometric data is not matched with the stored data, then automatic access on the system is denied (Dell Inc, 2006). The following graphical representation is highlighting the biometric security process: Fig. 4: Biometric Authentication Process (Source: Dell Inc, 2006) Biometric authentication technology has become most essential instrument through which organizations are protecting and securing their confidential and essential information more appropriately. With the help of biometric authentication technology, SMEs and larger organizations are maintaining information security management. At the same time, it has been also recognized that enterprises are incorporating biometric authentication technique in mobile devices. Additionally, it can be also identified that biometrics security device is a cost-effective tool, which offers numerous benefits to the enterprise i.e. security-consciousness (Jain, 2009). Ethical Issues in Information Security Management In order to maintain the ethical issues in information security management, several SMEs and larger organisations have stored entire confidential and essential data within the main servers of the master domain. Apart from this, in order to ensure prevention against data mismanagement, several organizations have increased their security protocol. At the same time, organisations have concentrated on the central security system with the aim of reducing the risk involvement of unauthorized access on the essential information. On further note, most of the organisations have introduced encrypted text and password mechanism in order to keep the privacy of the sharing information (Tiwary, 2011; Rasmussen, 1997). In a similar perspective, it has been observed that technological advancement have also influenced cyber criminals to hack unauthorized data, which has affected the business performance in recent days. It has been identified that development in the field of technology can benefit an individual or a society as a whole. On the contrary, advancement of technology has been identified to increase complexities and is detrimental which include privacy as well as security issues (Olumoye, 2013). Advanced mechanism and techniques of ‘information and communication technology’ (ICT) has affected the modern society globally owing to privacy related challenges. In addition, cybercrime is recognised to influence the operations of an organisation in worldwide market segments, which has indirectly affected the performance of an economy (Sembok, 2003). However, the rapid growth of ICT is also identified to raise issues with respect to online transactions. At the same time, the issues and increasing proportion of crime through online transactions have negatively affected the growth of e-commerce and online transaction system (Sembok, 2003). Respectively, to prevent these kinds of threats, a new set of judicial rules as well as laws have been incorporated to maintain reliability of ‘information technology’. According to the viewpoint of Tiwary (2011), ISS can certify suitable use of internet network in order to overcome security issues amid organisations (Tiwary, 2011). Fig. 5: Ethical Responsibility (Source: Tiwary, 2011) Thus, it can be recommended that SMEs and large organizations can maintain ethical issues in ‘information security management’ by ensuring ethical responsibilities by evolving apposite working environment, reducing crime and minimising privacy issues. The aforementioned factors have affected the vulnerabilities of ‘information system’ and raised the issues of information privacy to a large extent (Tiwary, 2011). Security Training and Education In case of SMEs and larger organisations, security training and education are highly essential to maintain the adequacy of information security management. Thus, organizations should execute information technology security program for their employees and stakeholders (United States Coast Guard, 2013). In this regard, organisations should have concentrated on three steps that are illustrated below: Awareness. Information security awareness is highly essential before conducting the information technology security program. With the help of adequate awareness, individuals can recognize the need of information security management. At the same time, it will also enhance the security concerns and responses accordingly (Owens, 2009). Training and Education. Apart from this, with the help of adequate security related training, it can be possible to grow needed security skills and capability among the workforces of the SMEs and larger organisations, which will facilitate organisations to implement security practices more effectively. Apart from this, it will also assist organisations to accomplish organisational goal and enhance the productivity. Furthermore, it can be also affirmed that through the help of adequate security training and education, organisations can reinforce their intent and scope more efficiently (Owens, 2009). Sensitive Information. Losing any information or illegal access to the protected information can negatively affect an organisational interest. According to the ‘Privacy Act under section 552a of title 5, United States Code’, unauthorized access to secured information as enforced by the federal and legislative law is also judicially punishable. In this regard, it can be asserted that through implementing the information technology security program, SMEs and larger organisations can increase the sensitiveness of information among the employees and the stakeholders (United States Coast Guard, 2013). Thus, it can be recommended that organisations should concentrate on the implementation of information technology security program for their employees and stakeholders in order to enhance the essentiality and sensitiveness of the information security management. Defending against Internet-based Attacks In the present modern era, most of the larger organisations and SMEs are facing several threats regarding unauthorized data loss and hacking related issues. Several organisations have faced unpredictable challenges such as loosing of confidential data during the information sharing process. Apart from this, several organizations have experienced data corruption and unethical data modification on the system server, which has initiated larger difficulties for the global organisations and has also negatively affected the reputation of organisations (Bynum, 2008). Thus, in order to prevent the internet-based attack, it will be required to take few measurable steps that are highlighted below: Prevention. In this stage, every organisation can recognize the threat of the internet based attack and existing loopholes within the system. During this stage, it will be required to take under consideration of users of the system as well as business operations for effective ascertainment of security loopholes. Moreover, it will require reviewing the assessment of security related risks and security patches and system updates in more adequate manner, which usually helps organisations to prevent the internet based attack and also assist to take measurable actions in order to manage ‘information security management’ (Cavusoglu et al. 2004). Detection. The stage comprises factors that are required to be accepted as well as rejected by an organization in context to ‘information security’ requirements’ decisions. The decision-making procedure is about the selection of appropriate tools for establishing an effective ‘information security control system’. For instance, effectiveness of ‘information security control system’ can be developed by installing appropriate firewalls, data storage applications, routers and activity logs maintaining digital tools among others (Cavusoglu et al. 2004). Containment. This stage is about reducing information damage or loss with respect to online attacks. It is also followed up by formulating suitable strategies that may minimize negative impact on an organization due to the breach in ISS (Cavusoglu et al. 2004). Investigation. In this stage, investigation as well as analysis is conducted with the aim of having a better understanding of online attacks. In the investigation, certain steps are required to be followed for tracing evidences. Furthermore, based on the investigation, security decisions are made with the aim of managing internet-based attacks (Cavusoglu et al. 2004). Resolution and Reporting. In a ‘security breach handling procedure’ of the internet-based attack, resolution and reporting is the final step. By adequately maintaining this step, it can be possible to prevent any future attacks. Moreover, through resolution and reporting process, varied legal rules and regulation scan can be framed for protecting the information from the internet-based attacks (Cavusoglu et al. 2004). Industrial Espionage and Business Intelligence Gathering Information system security does play a specific role in terms of industrial espionage and business intelligence gathering within organizations (Crane, 2010). In this regard, SMEs and larger organizations require collecting information from every department, through which business efficiency can be improved for possessing a better competitive market position (Crane, 2010). In this regard, organisations should take some effective measures in order to gather competitive intelligence. Thus, during information gathering process, organisations should consider the legal and ethical issues more actively (Higgs, 2005). In this context, organisations should adopt certain steps in order to retain an effective information security management. The steps are described hereunder. Published Sources. In order to gather industrial espionage and business intelligence news of the competitors, SMEs and larger organisations can rely on traditional publications such as newspaper, articles and business directories among others (Higgs, 2005). Observational Methods. Similarly, industrial espionage gathering can be also conducted through observational methods such as noticing the each and every movement of the competitors minutely. Apart from this, it can be also conducted through visiting the operational place on a random basis (Higgs, 2005). Opportunistic Methods. On the other hand, opportunistic method can be referred as an array of traditional and non-traditional techniques. In this regard, industrial espionage information can be gathered by discussing with suppliers, existing customers or with the ex-employees, who can offer better competitive intelligence insights about market conditions and business requirements (Higgs, 2005). Governance Issues in Information Security Management In order to enhance the performance of information security management, measures are undertaken with the aim of maintaining the privacy of information systems. At the same time, it has also strengthened the security of the SMEs and larger organisations. Thus, it can be recommended that small and medium enterprises should incorporate information security management into its corporate governance efforts, which can assist organisations to accomplish their goal more adequately. Apart from this, it can be asserted that ISS is an integral part of core business operations through which SMEs and larger organisations can be able to raise operational effectiveness in order to reduce the tendency of hacking and unauthorized access on the ISS (US Department of Homeland Security, 2004). In this regard, it can be recommended that by following or incorporating few strategic measures information security can be improved. For instance, government should establish a significant legislative and regulatory regime in order to enhance the information technology security along with this it will require consider additional actions for the unethical cyber access. Apart from this, it will need to adopt information security governance framework with the aim of ensuring information security for organisations. Moreover, by changing the governance policy, employees’ behaviour and mind-set organizations will be able to encourage their employees to follow the information security rules and can ensure the security of information system in an organization (Corriss, 2010). Personnel Issues in Information Security With globalisation, the image of personnel function has changed in a significant manner during the last couple of decades. Workforces of an organisation are now considered as a most valuable resource or asset in the present modern business scenario. In this regard, it can be asserted that changing legal rules and norms have affected the personnel practices of organisations in relation to the information security management. It has been also recognised that most of the organisational workforces have specific legal and ethical responsibilities while conducting their operations such as hiring and termination of employees and trade secrets among others (Goh, 2003). Thus, in order to maintain the information security, SMEs and larger organisations should improve the environment of organisations by conducting absolute confidentiality, security, and personal ethics. Apart from this, organizations should have practiced ethics during personnel issues such as hiring among others. Moreover, SMEs and larger organisations should emphasize trade secret related matters. In this context, it can be asserted that by keeping the trade secret, organisations can develop and protect their information assets, which can assist organisations to maintain long term sustainability in competitive market situation (Freeman, 1982). Physical Security Issues in Information Security Physical security defines the equipment and facilities, which are related to safeguard information security. In this regard, it can be asserted that organisations should emphasize physical safeguard issues in order to protect the electronic information system (Pelham, 2010). Moreover, it can be identified that physical security can be implemented more adequately by following measures that are provided hereunder. Contingency Operations. By incorporating contingency plans, administrative safeguard can be ensured. As an example, a guard on the entrances of a palace ensures the safety of the place (Department of Health and Human Services, 2007). Facility Security Plan. The facility security plan can be defined as an administrative safeguard through which protection of the facilities can be ensured. For instance, the faculty security plan helps SMEs and larger organisations to maintain the information privacy and to reduce the threat of tampering and theft (Department of Health and Human Services, 2007). Access Control and Validation Procedures. The actual aim of physical safeguard is to access the information of an organisation with a validate security plan. As an example, an organisation only allows validate users to access on ISS, who are having a proper proof of identity with pictures and name encrypted (Department of Health and Human Services, 2007). Maintenance Records. Physical security can be maintained in case of information security management by maintaining a record of entry and exist. Apart from this, physical security can be maintained by changing the password for the security system. Moreover, it can be also implemented by installing advanced security techniques that include routine check among others (Department of Health and Human Services, 2007). Cyber Forensic Incident Response ‘Cyber forensics’ or ‘computerized forensics’ is the modern tools as well as techniques, through which it can be possible to acquire, retrieve and present data on an electronic format in order to conduct investigations and prosecutions more effectively. Moreover, it can be asserted that computer forensic science has the potentiality to identify civil or criminal case from a large information base. Apart from this, it can be also asserted that cyber forensics has the efficiency of identifying criminals on evidence basis. Thus, during the modern era, cyber forensics has been utilized in case of identifying financial fraud, embezzlement, sexual harassment and for recognising theft of trade secrets cases (SANS, 2014; Meyers & Rogers, 2003). Conclusion From the above discussion, several facts have been revealed about the various aspects of information security management. It can be comprehended that development of ICT played imperative role towards the expansion of data sharing procedure on a global context. However, ICT has also raised the issue of data loss and data intruding. The issues relating to data security has influenced growth as well as sustainability of business operations. In this respect, organisations are required to adopt effective measures with the aim of preserving data for better economic growth along with decision-making. Subsequently, ISS is identified to assist in managing data. Based on these aspects, it can be asserted that the possible opportunities along with risks associated with ISS have been recognised in this paper. Thus, in order to implement an effective ISS different security related policies are to be considered for protecting data authenticity. Moreover, the importance and need of information security management in case of SMEs and larger organisations has been recognized for smooth business operations. ISS is an effective measure with the assistance of which data privacy is maintained. Correspondingly, SMEs adopting ISM are able to perform their desired business operations in accordance with organisational policies as well as objectives. ISM is important in the present competitive business scenario for ascertaining that business activities are operated with efficiency as well as competitive advantages. References Bidkar, P. (n.d.). What are some types of organizational firewalls? Retrieved from http://smallbusiness.chron.com/types-organizational-firewalls-71276.html Boon, O. C. (2010). The need for good information security management in small to medium size enterprises (SMEs). Retrieved from http://java.sg/paper/the-need-for-good-information-security-management-in-small-to-medium-size-enterprises-smes/ Bynum, T. (2008). Computer and information ethics. Retrieved from http://plato.stanford.edu/entries/ethics-computer/ Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 69-104. Corriss, L. (2010). Information security governance: integrating security into the organizational culture. Barry University, 35-41. Crane, A. (2010). In the company of spies: When competitive intelligence gathering becomes industrial espionage. Business Horizons, 48, 233-240. Dell Inc. (2006). The role of biometrics in enterprise security. Retrieved from http://www.dell.com/downloads/global/power/ps1q06-20050132-Tilton-OE.pdf Department of Health and Human Services. (2007). Security standards: Physical safeguards. CMS, 2(3), 1-17. Dhillon, G. & Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. Info Systems J, 16(3), 293-314. Freeman, E. H. (1982). Information security and personnel practices. Retrieved from http://www.ittoday.info/AIMS/DSM/82-01-05.pdf Goh, R. (2003). Information security: the importance of the human element. Academia, 1-401. Higgs, B. (2005). Industrial espionage – the legal way. Media Strategy, 76-77. ISACA. (2014). An introduction to the business model for information security. Retrieved from http://www.isaca.org/Knowledge-Center/BMIS/Documents/IntrotoBMIS.pdf Jain, A. K. (2009). Biometric system security. Retrieved from http://danishbiometrics.files.wordpress.com/2009/08/biometrics_security_japan_jan06.pdf Johnson, M. E., & Goetz, E. (2007). Embedding information security into the organization. Managing Organizational Security, 16-24. Ling, A. P. A., & Masao, M. (2011). Selection of model in developing information security criteria on smart grid security system. Introduction, 91 – 98. MacAfee. (2011). Securing mobile devices. Retrieved from http://www.mcafee.com/in/resources/solution-briefs/sb-securing-mobile-devices.pdf Meyers, M., & Rogers, M. (2004). Computer forensics: The need for standardization and certification. International Journal of Digital Evidence, 3(2), 1-11. Olumoye, M. Y. (2013). Ethics and social impact of information systems in our society: analysis and recommendations. International Journal of Science and Research, 2(11), 154-158. Owens, J. B. (2009). United States patent and trademark office. IT Security Education Awareness Training Policy, 1-8. Peters, J. M. (2008). Critical incident response & disaster recovery assistance. Retrieved from http://www.nist.gov/tip/wp/pswp/upload/1_critical_incident_response_disaster_recovery_assistance.pdf Pelham, T. (2010). Physical security for computer protection policy. State of Vermont, 1-5. Rasmussen, J. (1997). Risk management in a dynamic society: a modeling problem. Safety Science, 27(2), 181-213. SANS. (2014). FOR508: Advanced computer forensic analysis and incident response. Retrieved from http://www.sans.org/course/advanced-computer-forensic-analysis-incident-response Sembok, T. M. T. (2003). Ethics of information communication technology (ICT). Regional Unit for Social & Human Sciences in Asia and the Pacific, 239-324. Tiwary, D. K. (2011). Security and ethical issues in it: An organization’s perspective. International Journal of Enterprise Computing and B International Journal of Enterprise Computing and Business Systems 1(2), 1-13. US Department of Homeland Security. (2004). Information security governance: A call to action. Corporate Governance Report, 1-43. United States Coast Guard. (2013). Security education training and awareness (SETA) program. Retrieved from http://www.uscg.mil/directives/cim/5000-5999/CIM_5528_1A.pdf Whitman, M. E. (2004). In defense of the realm: understanding the threats to information security. International Journal of Information Management, 24(1), 43-57. Wiederhold, G. (1992). Mediators in the Architecture of Future Information Systems. Stanford University, 25(3), 38-49. Read More