The Key Areas of Risk and Compliance - Essay Example

The Key Areas of Risk and Compliance: Developing Information Security Policy That Meets Legal and Financial Requirements, and Protects Customer Confidentiality

Submitted to …………………………………………..…. By …………………………………………………….. On 10 April, 2008

1. Abstract

Information systems security is an increasingly pressing concern in the new millennium. Organizations face information security risks ranging from infrastructure vandalism and failure to fraud, theft, sabotage and emergencies such as fire, flood and terrorism. Organizations therefore need sound information security policies to protect their own information and that of their stakeholders. Independently of this need, governments have enacted legislation that obliges organizations to have such policies, and failure to comply with that legislation is itself a risk. Some of this legislation also allows law enforcement officers to access information held in information systems without the organization's knowledge, in the name of national security; such officers may, however, collude with criminals, which exposes the data to further risk. The regulations have several effects on an Information Security Management System (ISMS), including limits on the scope of an organization's operations and exposure to lawsuits and court fines.

2. Introduction

Security threats to computer systems are an increasingly important topic. As organizations depend on technology to run their businesses, and link their enterprise systems to other organizations and stakeholders to execute business transactions, security has become a central concern for information systems managers. Organizations face an array of threats, from human error and equipment failure to fraud, theft, vandalism, sabotage, fire, flood and terrorism.

Organizations therefore need to draft an information systems security policy to safeguard their information and that of their stakeholders. This document explores the key areas of risk and compliance that an organization should consider while drafting such a policy. The case considered is a multinational organization that uses a business-to-consumer (B2C) model together with networking and data storage technologies: a Completely Anonymous Email Client (CAEM), an Enterprise Resource Planning (ERP) system, and a Storage Area Network (SAN) whose data is held in two mirrored data centres. The organization also runs a sales order management system that stores its customers' financial information.

3. Justification

a) Key areas of concern in creating an Information Security Management System

It is crucial that an organization establishes an Information Security Management System (ISMS). Three main areas should concern a company in doing so. The first is a risk assessment of the organization. The assessment should consider the overall business objectives and strategy of the establishment; from it, threats to assets are identified, the susceptibility to and probability of a risk occurring are assessed, and the possible impact is projected. The second is the satisfaction of the "legal, statutory, regulatory, and contractual requirements" placed on the organization, its contractors, trading partners and service providers, together with their socio-cultural setting. The third is the specific set of objectives, principles and business requirements for information processing that the organization has established to support its operations.
Risk assessment guides and determines the appropriate management action and priorities for managing security risks, and for implementing controls suited to mitigating them (British Standards Institution, 1995, 5). The ERP system, for instance, spans many departments of the organization; a comprehensive risk assessment is therefore important because it surfaces risks that no single department could have identified on its own. Furthermore, the organization's several systems, the SAN, the sales order management system and the CAEM, require harmonized management practices. Periodic risk assessments address changes in security requirements and in the risk situation, for instance in assets, impacts, vulnerabilities, threats and risk evaluation, and whenever major changes occur (British Standards Institution, 1995, 5).

Every country imposes legal, statutory and regulatory requirements on business enterprises. In this case those requirements are diverse, since the organization operates in several countries. The organization is also legally bound by its terms of engagement with its technology development partners and service providers. Failure to address these requirements carefully can have grave consequences, including lawsuits, court fines and the eventual closure of the business.

An ISMS should strengthen the principles and support the objectives of the organization's information processing. The CAEM, the SAN and the ERP system are all useful to the organization, and each presents its own level of risk. The organization therefore needs to address its objectives, principles and business requirements so that the resulting system realizes the advantages of these technologies while mitigating their security risks (National Institute of Standards and Technology, 1998, 30).

b) Major areas of operational risk in the area of customer confidentiality

The organization faces several operational risks in maintaining customer confidentiality. Confidentiality, one of the vital aspects of information security, is the assurance that information is accessible only to those authorized to access it (Calder & Watkins, 2003, 3). Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, where those processes, people and systems are what should safeguard confidentiality (Basel Committee on Banking Supervision). Three main areas of operational and compliance risk are seen in the organization under study:

- the people, or human resources (Jones, 1995, 236);
- equipment and the physical environment (Jones, 1995, 236);
- communication processes and systems (BS 7799).

Fig 1: Major contributors to operational risk (Jones, 1995, 236)

Jones (1995, 237), for instance, observed that people are a major risk factor for customer confidentiality because they are responsible for the systems and handle customer information directly. There is thus a risk of misrepresentation or loss of data if personnel act maliciously. The organization vests considerable responsibility in its remote staff, and the anonymous communication provided by the CAEM makes this worse: a disgruntled employee could disclose client information to an unauthorized person or criminal, and the anonymity of the channel makes the leak harder to attribute.

Equipment is another major area of operational risk (Jones, 1995, 236). Equipment requires maintenance, which is often outsourced and so places the systems holding customer data in the hands of third parties.
This justifies treating equipment as a main area of risk to customer confidentiality. Moreover, people interact with the business's management and processes through equipment. Communication is a further area of operational risk: remotely located marketing and sales staff, for instance, communicate with the office over the private network and the internet, and customer information may be accessed by unauthorized personnel or criminals who compromise the network.

c) Major areas of compliance risk in meeting legal requirements

In addressing compliance risk, organizations must meet legal and statutory requirements and regulations (Krishnamurthy, 2003). One area of compliance risk for the organization is financial transactions. The Gramm-Leach-Bliley Act, for instance, must be observed by any organization that handles customers' financial information. The organization's business model is exposed to security breaches that could disclose customers' financial information, because it is networked and operates over the internet, a platform that has not been free of security breaches (Paul, 2001). Another area of compliance risk is the use of the infrastructure and equipment that support the organization's information system; legislation bearing on that infrastructure and the data it holds includes the Computer Fraud and Abuse Act, the Computer Security Act of 1987 and the Data Protection Act 1998. Further compliance obligations arise from the Freedom of Information Act 2000, the Regulation of Investigatory Powers Act 2000, the Copyright, Designs and Patents Act 1988, the Communications Act of 1934, the Economic Espionage Act, the Electronic Communications Privacy Act of 1986 and the USA PATRIOT Act of 2001 (H.R. 3162). These acts belong to different jurisdictions (the United States and the United Kingdom), so a multinational organization must determine which of them apply in each country in which it operates.

d) The impact of relevant legislation and other legislative instruments on the achievement of full compliance

Compliance with the Gramm-Leach-Bliley Act and the other legislation discussed results in increased security for the information systems and for the organization as a whole. Compliance is not without financial implications, however: the organization spends more to ensure that the legislative requirements are met, and the responsibilities of information management personnel increase. The economic impact may extend as far as losses caused by the high cost of implementing and maintaining secure systems.

4. Conclusion

Operational and compliance risks are a reality and a growing concern for information security managers and company executives. Despite measures to mitigate them, including government legislation, many areas of an organization remain under threat and continue to present fresh challenges. Networked systems are at greater risk (Haag, Cummings, McCubbrey, Pinsonneault and Donovan, 2004; Paul, 2001, 1); Connolly (2001) agrees that an absolutely "secure network system is one that is disconnected from a network, encased in concrete, and lying at the bottom of the ocean." Compliance with regulatory and legislative requirements also has impacts that are unfavourable to the efficient operation of the business enterprise.

5. Recommendation

The organization should implement a comprehensive information security policy that addresses all aspects of security risk, including human resources, equipment and communication. Codes of practice for developing information security policy should be followed as guidelines, taking care not to deviate from the organization's core business and objectives while observing legal and statutory requirements.
A critical analysis of the organization's financial position should also inform the development of the information security policy.

References

Calder, A. and Watkins, S. (2003) IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 17799. New York: Kogan Page.

Connolly, P.J. (2001) Security protects bottom line. InfoWorld, 9 April, 23(15), p. 47.

Cyber Space (2008) Information security. Retrieved 1 April 2008 from www.cyberspace.org

Haag, S., Cummings, M., McCubbrey, D.J., Pinsonneault, A. and Donovan, R. (2004) Management Information Systems: For the Information Age, 2nd edn. New York: McGraw-Hill Ryerson.

Jones, R.B. (1995) Risk-Based Management: A Reliability-Centred Approach. Practical, cost-effective methods for managing and reducing risk. New York: Gulf Professional Publishing.

Krishnamurthy, S. (2003) E-Commerce Management. Mason, Ohio: Thomson/South-Western.

Paul, B. (2001) Evaluation of security risks associated with networked information systems. School of Business Technology, Faculty of Business, Royal Melbourne Institute of Technology.