Information Systems Development - Assignment Example

Summary
The paper "Information Systems Development" discusses the downsides of a system with few or many categories. A system with a few categories is easily prone to unauthorized access to information. This is because some information may not be classified yet it is subject to a great level of security. …

Extract of sample "Information Systems Development"

ICT Management and Information Security

Name
Course Name and Code
Instructor's Name
Date

1. Categories that can be used for sensitive information

Information sensitivity refers to controlling access to knowledge or information whose exposure may lead to the loss of some level of security or advantage if it is accessed by others with an unknown or low level of trust, or with undesirable intentions (Aviason & Guy, 2006). Unauthorized modification, misuse or loss of sensitive information might negatively affect business trade secrecy, an organization's security, or individual welfare and privacy. This means that for security to be assured, the information must be categorized. Classified information is information that is subject to special security measures. There are two main categories used for sensitive information, as follows:

a) Non-classified

Public information: information that is a matter of public knowledge or record.
Personal information: information belonging to an individual that the person has shared with others, such as contact information and address.
Routine business information: information about a business that is not protected in any way and is shared with anyone from outside or inside the company.
Private information: information associated with a particular individual that can be dangerous if shared, such as credit card numbers.
Confidential business information: information whose disclosure can lead to great harm to the business.

b) Classified

Confidential: this information requires protection.
Secret: this information requires a high level of protection; unauthorized access can lead to great damage to national security, and wrongful disclosure of such information may cause disruption of relationships.
Top secret: this information calls for the greatest level of protection. Unauthorized access can lead to severe damage.

How to determine the different categories

Determination of the different categories of information depends on the relevance of that information to national security. In addition, the name of the project involved determines the level of security for the information, which is why most police forces that deal with matters of national security have a secured information system (Aviason & Guy, 2006).

Downsides of a system with few or many categories

A system with few categories is easily prone to unauthorized access to information. This is because some information may not be classified, yet it is subject to a great level of security. On the other hand, a system with many categories may be slow in functioning, since access to information is very limited.

2. A scenario with Brewer as the best model for security architecture

A security model for a computer refers to the specific scheme used for the specification and enforcement of security policies. It can be based on access rights, distributed computing, a computation model, or no particular theoretical ground. The Brewer and Nash model is an architecture created to give the system the best access control for information security, especially access control that is bound to change dynamically (Beynon-Davies, 2009). It was designed to provide controls that prevent conflicts of interest, especially in commercial organizations. It is usually built as an information flow model, in which the flow of information between or among subjects and objects creates no conflict of interest at all.

The best scenario for such a model is a business organization that needs to set up a barrier inside the organization to isolate and separate people, so that it is clear who is supposed to make which decisions. By doing so, the possibility of a conflict of interest is avoided. A firm that is to develop, enforce and implement procedures and policies to safeguard all inside information, and to ensure that illegal trade does not occur, can also use this model. All the adopted practices should be made formal in writing, and they should be sufficient and appropriate. The procedures must clearly address the following issues: trading surveillance, transaction restriction, security of inside information, and employee education (Beynon-Davies, 2009).

This model fits such a scenario because it ensures that no one in the organization acts out of a conflict of interest. Most of the other models cannot fit because they give no clear cut of who is responsible for what and no laid-down procedures for the same. The model ensures that the organization has both integrity and privacy for its data. It is the only model that allows for access controls that change dynamically, hence no conflict of interest.

3. Information security metrics that can be collected for a small internet commerce company made up of 10 employees

This company uses an outside vendor for distribution and packaging. An information security metric refers to the mathematical application of a standard to the security of information. The metrics should be reported to the information manager, who is responsible for information management in the company (Gregory et al., 2009). The following information security metrics can be used.

I. Coverage of baseline defence: This covers the antivirus, firewall and antispyware, among others. It refers to how well the enterprise is protected against the most common security threats, such as leakage of the most important information by the vendor to outsiders, especially the company's competitors. The tools must be in the range of 95%-99% secure. A scan should be done every time a new device is introduced, since the vendor may have used the device outside, meaning it may carry a virus (O'Brien, 2003).

II. Patch latency: This is the time between the release of a patch and the successful deployment of that patch. It indicates the level the company has reached in its patching discipline and in its ability to react or respond to exploits. This will be useful especially for the company's link to the suppliers the vendor obtains products from. It will help in showing all the connected machines and naming outdated or missing patches. It is operated by running the scan option of the patch management tool on all devices, to discover the missing patches on each of the machines used by the ten employees (O'Brien, 2003).

III. Password strength: This ensures that risk is eliminated or reduced by identifying all bad or less effective passwords and making them much harder to break. It also helps in tracing all the points of weakness in systems that use default passwords. By doing so, access to the information in the computer is limited to the right people. It does that methodically, first by attacking the desktop, followed by the server and then the admin.

IV. Analysis of legitimate email traffic: This involves tracking the volume, size and flow of incoming and outgoing traffic between the company and any other company connected with it. In this case, the vendor may be required to provide a clear flow of the information between the company and the suppliers. By mapping the information that flows between it and any competitor, the company will be in a position to best guard against the divulging of intellectual property (O'Brien, 2003). It also helps in tracing the good and the junk emails that the company is receiving.

4. Threats to the information security of a small internet commerce company

Threats are common in a company that is involved in online activities. These are very important factors that a business should be keen on, because the security of the business could be at stake. This company uses the public internet for all of its transactions, which can be a serious threat to the business. These transactions can easily be tracked, monitored, logged and stored in many locations (Kenneth & Jane, 2010). It is therefore necessary for the company to understand the possible threats to the business. There are a number of threats to an internet commerce company, and their source may be inside or outside the company. The following are the main possible sources of threat to information for the small company:

1) Internal users who are not authorized to access confidential information and gain access by using a stolen password. The main aim is to commit fraud or theft. One or more of the ten employees can do this.
2) Former employees who may still have passwords to the information resource systems, or who may have created alternative passwords, known as backdoor passwords, for the computer system. This can also be done indirectly via former co-workers.
3) Weak points in the information infrastructure and its security, which can easily expose the company's information as well as its trade secrets.
4) Management that undermines the importance of good information security, which is itself a risk to the business.

Threat    Score
1         70%
2         60%
3         30%
4         50%

5. Microsoft risk management approach

The following is a report on a survey of the risk management practices of Microsoft. The process is characterized by four main phases (Marite, 2002).

Assessing the risk: This is the first phase. It involves risk identification. After a risk has been identified, it is very important to prioritize it for the business. In this phase, data gathering is planned, and the keys to success and preparation guides are discussed. Risk data is then gathered, and the question here is how to outline the processes of data collection and analysis. Finally, the risk is prioritized by outlining descriptive steps to qualify and quantify the risks.

Conducting decision support: This involves identifying and evaluating the solutions that will reduce the business risks, within a structured, cost-reduction process. This phase entails defining the functional requirements for risk mitigation, selecting the best possible control solutions, reviewing those solutions, estimating the risk reduction, estimating the cost of each solution and, finally, choosing the mitigation strategy.

Implementing the controls: This entails seeking a holistic approach by incorporating people, technologies and processes in the mitigation solutions. In addition, defence-in-depth is used to organize the mitigation solutions across the business.

Measuring the effectiveness of the program: This entails developing the risk scorecard, which helps one understand the standing of the risks, and measuring the effectiveness of the program, which deals with evaluating the risk management program to find opportunities to improve.

Questions

I. Does the approach guarantee total security?
II. Can the approach be used with software other than Microsoft's?
III. What are the indicators of successful implementation?
IV. What is the benchmark or standard against which the success of implementation can be measured?

6. Difficulty in estimating the probability of a threat attack

Risk estimation faces a number of difficulties, which may be the greatest obstacle to achieving security in an information system (Kroenke, 2008). A good risk management system must create value, be tailored, take human factors into account, be inclusive and transparent, and be based on the best information available. Moreover, it should explicitly address assumptions and uncertainty, and it should be dynamic, responsive, iterative and capable of continual enhancement and improvement (Olegas, 2005). The following are some of the issues that may make it difficult to estimate risks in the company:

There is no laid-down plan for the management of risks, especially with reference to a particular project. This is the case where the plan lacks responsibility, budget, activity and management of risks.
There is no officer assigned to monitor the risks in the company.
There is no live maintenance of a project risk database with the following attributes: short description, importance, probability, title and opening date.
There is no anonymous channel for risk reporting.
There is no provision for public involvement.
There is no coordination and collaboration with credible sources.
The needs of the media are not met.
The company has not created standards to be observed as far as information system security is concerned.

References

Aviason, D. & Guy, F. (2006). Information systems development: methodologies, techniques and tools. Canada: McGraw-Hill.
Beynon-Davies, P. (2009). Business Information Systems. Palgrave: Basingstoke.
Gregory, W., Papadopoulod, G., & Wita, W. (2009). System Development: Towards a Service Provision Society. London: Spring.
Kenneth, C. & Jane, P. (2010). Management information system. Ontario: Pearson Prentice Hall.
Kroenke, D. (2008). Experiencing MIS. Upper Saddle River, NJ: Prentice-Hall.
Marite, K. (2002). Information systems development: advances in methodologies, components, and management. Oxford: Oxford University Press.
O'Brien, J. (2003). Introduction to information systems: essentials for the e-business enterprise. Boston, MA: McGraw-Hill.
Olegas, V. (2005). Information systems development: advances in theory, practice, and education. London: Spring.