Information Security Plan - Case Study Example

Security Plan MIR [Pick the COMPANY INFORMATION Telemarketing are firms that direct market the product to the s, and sale representatives are hired to directly talk to the customers and sell the product. These include telephone conversation and web conferencing. In telemarketing the sale person take appointed by the client and call them at the appointed schedule. The company that we have selected is The Telemarketing Company, people who provide service to other organizations. They have a lot of information data available to them regarding different organizations. It becomes their duty to ensure that the data is protected all the time and no confidential information is leaked through their portals. INTRODUCTION Organizations are created by people, buildings and procedures, and these three ingredients can perform well only if they are assure of their security. Human Resource is exposed to external and internal environmental threats. These can include theft, suicide killers and natural calamities such as earth quakes and tsunami. Whereas, the information is the product or service produced by the company, products are stored in inventory stores and can be exposed to being stolen or destroyed by rain and other similar factors, the service which are the written procedures and stored in computer are exposed to risk of being stolen, corrupted and hacked. Corrective measures have to be taken by each organization to ensure that both the money making assets of the company are protected. With the introduction of information technology the risk of all above mentioned factors have increased. New information is continuously being added to the cyberspace. From the exchange of information for communication purpose to the exchange of secrets pertaining to the security of countries, cyberspace has become the medium of choice for everyone. (Von Solms, 2000, pp. 615-620; Von Solms, 2001, pp. 504-508; Thomson & Von Solms, 1998, pp. 167-173). Introduction of cameras on mobile phones have given access to thieves and criminals to access all the parts of the building, they can make videos and send images through internet and their web is connected all time online. Cyberspace has become extremely complex due to the existence of an enormously complicated web of connections that prevails between governments, people and organizations (Whitman, 2003, pp. 91-95). This complexity may be related to the development of advance softwares that allow such connections to prevail and flourish with the passage of time. Due to the extremely rich nature of cyberspace in terms of being knowledgeable, it has become a priceless service (Vroom & Von Solms, 2004, pp. 191-198). In order to deal with the changing environment and threats caused by external and internal environment companies have to devise strong security plans (Whitman & Mattord, 2011). The focus of security plan will be on reducing the risk with respect to the information stored by the company. OBJECTIVES Prevention and Reduction of Security Events: The purpose of developing a security plan is to minimize the chances for the occurrence of a security event (Volonino & Robinson, 2003). Designing and Establishing a Cost Effective Infrastructure: A sound infrastructure is always desirable, it not only eases out the path of development, but it also acts as an anchor for stabilizing the whole system. By establishing an efficient infrastructure, organizations may use it for revenue generation (Tipton, 2012). Assets Protection: To devise a plan which could provide protection to Human Resource, Buildings and Information of the company. To minimize the effects of threats and to ensure security of tangible assets. Eliminating Fraud: One of the objectives of security plan is to reduce fraud caused by the employees of the organization and use of internet. It is easy to identify threats which affect the organization from the outside but it is difficult to control threats from within. Therefore, elimination of fraud is among top priority objectives. Office Structures and Development: To construct operational structures that can be prevent any hardware damage to the systems and can protect them for theft and similar physical risks. Standardizing Protocol: Certified procedures should be adapted for preserving and managing information, so that no checks and balances could be measured and reproducible (Stallings & Brown, 2008). INFORMATION HOLDING AT RISK The information of the company is stored in hard and soft formats. The main aim is to ensure that all the information is protected from threats. The type of information holding that are at risk is defined below: PHYSICAL HOLDING: The physical holdings of information include any information that is in printed format, the papers that are processed for different procedures and other requirements. Once the information is printed it becomes the physical property of the company with respect to information. These carry highly confidential information and it is the job of the security team to ensure that these paper do not leave the premises of the company and to store the information within the walls (Hawkins et al, 2000). HUMAN HOLDINGS: The human holdings of information is the knowledge that is learnt by the employees of the company. These people learn about different aspect of the company which is not to be shared with public. This is the most difficult risk to prevent. Company has to take corrective measures to ensure that information is not travelled by the human resource. ELECTRONIC HOLDING: Electronic holdings include the hardware machineries, computers and laptops which have the information stored in soft form, these need to be protected internally, hacking and corruption of data through virus and externally, damage to the machine. Computers are easily hacked in information technology age, and data can easily be transferred from one computer to another. External damages are also easy to occur by breakage and short circuit (Gibson, 2004). THREATS TO ORGANIZATION’S INFORMATION ASSETS Information is perhaps the most valuable asset that a company can hold. Though our company is relatively smaller than other companies operating in Australia, but we intend to keep high level of professionalism in our conduct (Anderson & Moore, 2006, pp. 610-613). Therefore the company has decided to design information security plan to preserve its most useful assets. Fortunately, there has been no incidence of security event, however, the company wants to develop its defenses against various potential threats are out there damaging the cyberspace. These threats are briefly discussed in the following text. The company’s office is divided story wise on different floors of the same building. To avoid extra work, these departments co-ordinate with each other through intercom and data sharing via networking. The transfer rate of file is several times faster than the human transport, however, there are several risks attached to this mode of exchange of information. PHYSICAL HOLDING: The company deals in telemarketing, and telemarketing uses less information being shared through hard copies, most of the data is stored in computers, the calls are connected and the information is being provided though a software which upgrade the information in the system. HUMAN HOLDINGS: In case of third party interference the data may be obtained from this network and it can be used for illegal purposes. Further, the internet services that are currently used by the company are not protected, so there is a high risk for the loss of important information. Since, the company deals in telemarketing, there is a huge load of information that is being received by the office, and there is similar amount of information that is being exported to the clients. The information that the company is currently dealing in includes addresses, names, account numbers, credit card numbers, and other personal details. There are two main categories of risks that threaten the wellbeing of information security system. They are external threats, and the internal threats. In case of external threats, the acting forces are outside the organization, while in case of internal threats, the enemy lies within the organization. Most of the time, companies spend more money in fighting external threats, while internal threats are completely ignored. This is because generally companies’ trust their employees, and they assume that people within an organization will not create any mischief (Denning, 1999). Moreover, the reports of external threats are widely published; however, news regarding internal threats is mostly snubbed. However, if one closely look at the damage that is caused by internal threat is greater than the damaged caused by the external forces. Further, these two categories can be divided into two more branches. For instance, internal threats can be caused intentionally or unintentionally, same applies for the external threats (Von Solms & Von Solms, 2004, pp. 371-376). For example if an employee of a company is performing his office work at home, and transfers his data via unprotected internet, he is exposing the information to external world that can retrieve this data and use it for personal interest (Jain, et al., 2006, pp. 125-143). Similarly, if there are some grudges between employees, they can occupy other’s computer to feed invalid information. Hence one cannot suggest that what the main source of threat is. Therefore, the company has to develop an action plan to fight these threats to safe itself. Over the past 6-7 years, the company has recruited several new employees, and subsequently older employees had finished their contracts with the company. The ex-employees of the company have worked on the operating systems that were offered by the organization, and they are well aware of the information system architecture that the company owns. Even though, these employees were not fired, they left the organization on the completion of their contracts, and there were no grudges between the organization and them. However, the company has all the right to believe that the information carried by the ex-employees of the company is not safe. Therefore, the primary threat to the organization’s security system is from its ex-employees (Kissel, 2011; Kissel, 2013). ELECTRONIC HOLDING: Mismanagement is another threat to information security. Earlier it was believed that information security is a technical issue, however, it has more to do with management. Improper allocation of responsibilities and absence of accountability may expose the information assets of the company to various threats. Malicious hackers are always there they might not have any personal gains associated with company’s information, but they do have the habit of breaking the law. Moreover, the use of worms, viruses and other spywares has been reported as threat to company’s information setup. In the recent years cyber espionage has gained new heights, though these programs are mainly launched against the governments, they do act as a potential threat to information security of the company (Peltier, et al., 2005; Singh, et al., 2014, pp. 1072-1077). Apart from human elements there are several technical issues that may affect the information security system of the company. They include obsolete hardware, poor network connection, outdated software, and use of unsafe practices. The advancement in technology at a speed of light is a threat for the companies, because they have to keep themselves updated and secured. This happens because hackers might have a much faster system that could actually derail the whole process of information preservation. Using outdated software is also a crucial thing to look out for; companies must not use unregistered software, or copied versions of software to process the data. Pirated versions of software are prone to exploitation, and they can be easily deciphered by unknown enemies. Companies that do not use protected internet networks are often found complaining about their information security setup. In unprotected networking there is no surety, and the information transferred on these channels can be interrupted, and consequently it can be abused. Further, in case of unprotected internet, there is a greater risk of disconnection that interrupts the flow of information, and affects the efficiency of exchange of transfer (Kaufman, et al., 2002; Siponen, 2000, pp. 31-41). Power shortfall or load shedding of electricity supply is another threat to the information security setup. An abrupt loss of signal can leave the information hanging in no man’s land. This information can then be acquired by unauthorized users. Moreover, unguarded Wi-Fi signals also allow a path for entry into the companies’ setup. INFORMATION SECURITY PLAN PHYSICAL COUNTER MEASURE: The company intends to develop a paperless environment, for the purpose of decreasing the risk of information being leaked and to invest more funds on the correct areas of threats. HUMAN COUNTER MEASURES: The company intends to develop a high standard of trust among all its employees, and discourages personal grudges, but just assuming that everything is fine is not the right thing to do (Hall et al., 2007). Information can be lost by the current employees by various means, for instance if they forget to shut down their desktop, and leave it unattended, or while using company’s laptop at home without security settings. Moreover, people who are not employees, but are customers can also let information security being compromised by practicing careless activities, for instance keeping their accounts logged in yet unattended (Wells, 2011). Using Various Methods of Information Preservation The company is involved in upgrading its information preservation mechanism. It plans to test all the available methods that are used for preserving information, and gaining access (Elmarie & Von Solms, 2005, pp. 277-287). After the test trial the company will use the most suitable option. Some of the shortlisted methods include encryption, programming, and using biometric sensors for identification, and offering access. Guidelines for Non-technical Staff 1. Avoid using company’s internet for personal use. 2. Do not let your office laptop to be used by your family members or friends at home. 3. Do not leave your desktop at office unattended, always use password for logging. 4. Hide your files from the access of others. 5. Act professionally in all sorts of scenarios. 6. In case of emergency or any technological fault, ask the help of IT department. 7. Upgrade your skills by attending training sessions. 8. Do not hide your weaknesses; discuss them with HR managers for finding solutions. 9. If you find someone misusing his or her authority at the office, kindly report it to the disciplinary committee. Deleting Company Accounts of the Ex-employees Every six months the company renews its contracts, and recruits new individuals, similarly it also says good bye to those who have completed their tenure. The regular influx and the efflux of employees has increased the number of internet accounts owned by the company. Therefore, to get rid of extra load the company has decided to delete all the accounts that are owned by its ex-employees. This will allow the company to improve its efficiency (Gibson, 2011). Access Management The company plans to improve its information security system by enhancing its access management. The company wants the management team to collaborate with the department of information security to find the best possible solution for controlling access management. ELECTRONIC COUNTER MEASURE Establishing Database for Preserving Information The first step that the company plans to take towards upgrading its information security setup is that it aims at developing a database. This data base will have restricted access that only concerned people will be allowed to retrieve or submit the information. Employees who do not have the access to the database will have to request the higher officials of information security department to retrieve data on their part. Using Protected Internet The company plans to install protected network facility for its official purposes. Employees will not be allowed to transfer the information on unprotected networks. Further, bandwidths will be preserved by the company to ensure rapid flow of information without any interruption. Protected networking will also prevent the data transfer from being exposed to different threats present in the cyberspace. Moreover, it will act as a first line of defense against any interference from the unauthorized parties (Vacca, 2014). No to Unregistered Software Another important step that company plans to take in upgrading its security system is to get rid of unregistered software that are available for free on the internet. Therefore, it has decided to purchase the original copies of the software for the official use. As mentioned earlier unregistered software is prone to errors and viruses that can create unwanted circumstances for the company (Kaufman, et al., 2002; Siponen, 2000). Restricting Access to Useless Sites The company plans to block the access to useless sites on company owned network. This will also improve the efficiency of the staff as they will not be allowed to access the sites of personal interests during the office hours. Moreover, the information will be preserved more efficiently. Some of these blocked sites include web social media, video streaming, and other websites that require membership or deal in personal information. Arranging Information Security Education and Awareness Program Computer usage and knowhow of information technology has become necessary in the modern day businesses. Therefore the company has decided to upgrade the skills of its employees regard computer and information technology. Training is compulsory for implementing the proposed plan (Gordon & Loeb, 2002, pp. 438-457). Arranging Power Back-up To avoid uninterrupted transfer of information, and for the prevention of information losses occurring due to power short fall, the company has decided to install automatic power generators, and uninterrupted power supply (UPS) in the company’s office. As a result of this power back-up plan the company will improve its efficiency, and will minimize the risk of losing information. INFORMATION SECURITY EDUCATION AND AWARENESS Companies which are high dependent on information technology needs to update its employees accordingly. They need to train them with respect to usage of information and software and also need to be given due awareness about the potential risk and how they can be prevented (Shin, 2003). Buying new hardware, updating software, and installing new equipment is useless without skilled labor. Information security plan cannot be implemented or followed without having a team that knows how to deal with tools. Therefore, an important element of information security policy is to train the individuals, and provide them with skills that are required to implement the plan on individual basis. Another reason for including information security education into company’s policy is quality assurance; because until the staff is not trained to apply the prescribed protocol, there is no way that the company could meet the certified standards of operations (Eloff et l, 2000). Therefore, the company has decided to evaluate the existing skills possessed by its employees, and to train them for upcoming challenges. The following text offers an outline for arranging an information security awareness and education plan: 1. Analyzing the current level of skill that employees possess: For this purpose human resource department will conduct a survey, and analyze the level of skills possessed by the team members. This analysis will allow the information security department to design information security awareness program. 2. Assessment of tools and equipment: To make awareness procedure more productive the company will analyze the systems that are being used. If any updates in the hardware or software are required, the company will ensure to upgrade its operating systems. Moreover, if the company decides to add in new technology, it will also ensure that employees at the company are taught the use of it. 3. Duration of training session: The company plans to conduct three months learning session, however, the exact duration will be decided once assessment of staff has been performed. 4. Compulsory for all: All the employees in the organization will be asked to take the training program seriously, and non-serious attitudes from the employees will not be encouraged. 5. Initiating training: After forming categories of the employees based on the skills that they possess, the information security department will introduce the awareness program. 6. Human error: In management systems, human error is one of the major sources that create issues; therefore, the training program will focus on minimizing the losses caused by human error through proper training. 7. Changing habits: Modifying the habits of staff members will be another focus area in this information security education program, because most of the times people commit errors due to the habits that they have acquired over the years. 8. Enhancing intra organization communication: In this awareness program the employees will be trained to enhance their intra organization communication skills, so that they could discuss their problems associated with information security with the specialists at the department of information security. 9. Stimulate Environment: To construct similar office environment to deal with physical hazards and to educate the employees how to deal with situation and control the damage to minimum. The stimulator will provide the employees with a better understanding of the potential risk and their prevention methods. 10. Motivation: The purpose of arranging this awareness program is to motivate the individuals to practice standard procedures, to prevent irrecoverable losses of information. 11. Continuous Learning: The company needs to ensure that the employees are updated with respect to the risk and prevention measure, it should continuously look for potential threats and their prevention and educate their employees accordingly. 12. Measuring improvement: To determine the effectiveness of this training program the company will take the assistance from a consultancy that will evaluate the progress of the organization in understanding the information security, and its applicability. CONCLUSION Information technology does not only relate to exchange of information; it plays a pivotal role in matters of administration of organizations as well. A malfunctioning of the security measures pertaining to information security can be detrimental to the organization as a whole. For this reason, maintaining security of the sensitive information is essential for the existence of any organization. Development of information security, implementing it effectively and then sustaining its functionality are therefore important. It is essential for every organization to focus on the CIA triad when devising its information security policy. The use of the latest technology to achieve this aim is necessary. By utilizing the latest technology, it is possible for any organization to keep pace with the latest trends and in doing so maintain its security. Information protection can be achieved by utilizing technologies like encryption, programming and access control; the choice of these technologies will however depend upon the nature and type of work that an organization performs. The purpose of devising information security plan is to back the information security policy formulated by the company. Stress has been laid on improving company’s information profile by training staff member, upgrading its office with latest available technologies, and to minimize the cost of preserving information. All of this is possible, only if the management of the company performs its function efficiently. Recommendations Based on the above discussion, the following may be recommended; Educating the staff regarding risk of information theft and its importance for the organization. Staying up to date regarding the prevailing trends among criminals. Developing security plans based on the information derived from the study of real-life scenarios and incidents. Continuous monitoring of the online activities of employees should be practiced. Back-up of the important information should be carried out at regular intervals and this should be done automatically. The employees should be informed about any emerging threats and the measures that need to be taken to ensure security. Effective measures should be in place to prevent the access of ex-employees to the sensitive information of the company. References Anderson, R. & Moore, T., (2006). The economics of information security.. Science, 314(5799) Denning, D. E. R., (1999). Information warfare and security. Reading MA: Addison-Wesley.. Elmarie, K. & Von Solms, S., (2005). Five non-technical pillars of network information security management. In: Communications and Multimedia Security. s.l.:Springer. Top of Form Eloff, J. H. P., Qing, S., International Federation for Information Processing, International Information Security Conference, World Computer Congress, IFIP TC11 Annual Working Conference on Information Security, IFIP World Computer Congress, ... WCC 2000. (2000). Information security for global information infrastructures. Boston [u.a.: Kluwer Academic. Bottom of Form Gibson, D. (2011). Managing risk in information systems. Sudbury, Mass: Jones & Bartlett Learning. Gibson, P. (2004). Administrative Office Management, Complete Course. Cengage Learning. Gordon, L. A. & Loeb, M. P., (2002). The economics of information security investment.. ACM Transactions on Information and System Security (TISSEC), 5(4). Hall, D., Raffo, C., Chambers, I., & Jones, R. (2007). Business studies. Ormskirk: Causeway Press. Hawkins, S. M., Yen, D. C., & Chou, D. C. (2000). Disaster recovery planning: a strategy for data security. Information Management & Computer Security, 8(5), 222-230. Jain, A. K., Ross, A. & Pankanti, S., (2006). Biometrics: a tool for information security.. Information Forensics and Security, IEEE Transactions on, 1(2). Kaufman, C., Perlman, R. & Speciner, M., (2002). Network security: private communication in a public world.. s.l.:Prentice Hall Press. Kissel, R., ed., (2011). Glossary of key information security terms.. s.l.: DIANE Publishing.. Kissel, R., (2013). Glossary of Key Information Security Terms, NIST Interagency/Internal Report (NISTIR)-7298rev2, Gaithersburg: NIST. Peltier, T. R., Peltier, J. & Blackley, J., (2005). Information Security Fundamentals. New York: CRC Press: Auerbach Publications. Shin, N. (2003). Creating business value with information technology: Challenges and solutions. Hershey, PA: IRM Press. Singh, A., Vaish, A. & Keserwani, P. K., (2014). Information Security: Components and Techniques. International Journal of Advanced Research in Computer Science and Software Engineering, 4(1), pp. 1072-1077. Siponen, M. T., (2000). A conceptual foundation for organizational information security awareness.. Information Management & Computer Security, 8(1), pp. 31-41. Stallings, W. & Brown, L., (2008). Computer Security (No. s 304).. s.l.:Pearson Education.. Thomson, M. E. & Von Solms, R., (1998). Information security awareness: educating your users effectively.. Information management & computer security, 6(4), pp. 167-173. Tipton, H. F. &. K. M., (2012). Information security management handbook.. s.l.:CRC Press. Vacca, J. R. (2014). Network and system security. Amsterdam: Syngress. Volonino, L. & Robinson, S. R., (2003). Principles and practice of information security.. s.l.:Prentice. Von Solms, B., (2000). Information security—the third wave?.. Computers & Security, 19(7), pp. 615-620. Von Solms, B., (2001). Information security—a multidimensional discipline.. Computers & Security, 20(6), pp. 504-508. Von Solms, B. & Von Solms, R., (2004). The 10 deadly sins of information security management.. Computers & Security, 23(5), pp. 371-376. Vroom, C. & Von Solms, R., (2004). Towards information security behavioural compliance.. Computers & Security, 23(3), pp. 191-198. Wells, J. T. (2011). Corporate fraud handbook: Prevention and detection. Hoboken, N.J: Wiley. Whitman, M. E., (2003). Enemy at the gate: threats to information security.. Communications of the ACM, 46(8), pp. 91-95. Whitman, M. & Mattord, H., (2011). Principles of information security.. s.l.:Cengage Learning.. Read More