
Information and Communication Technology Management and Information Security - Assignment Example

Summary
This paper "Information and Communication Technology Management and Information Security" examines different categories that can be used for sensitive information answering the question of when designing a system, how does one determine how many categories are necessary…

Extract of sample "Information and Communication Technology Management and Information Security"

1. Different categories that can be used for sensitive information. When designing a system, how do you determine how many categories are necessary? Are there downsides to systems with too many or too few categories?

Information sensitivity is the control of access to knowledge and information whose disclosure to people who are not trustworthy, or who have undesirable intentions, may lead to a disadvantage or a loss of security. Unauthorized access to sensitive information can cause very adverse effects to an individual, institution, company or organization. For the safety of sensitive information, it is important for the information to be classified into categories: information is either classified or unclassified. Classified information is assigned one of three levels, namely top secret, secret and confidential. Information that is not given any of these labels is called unclassified information (Kroenke, 2008). Information termed declassified has had all of its classification removed, while information labeled downgraded has been automatically assigned a very low class but remains classified.

The three labels for classified information are as follows:

Secret: information that needs substantial protection; unauthorized access to such information could lead to damage to national security.
Confidential: information that requires protection; unauthorized access would lead to a security compromise.
Top secret: information that demands a high level of protection.

When designing a system, the number of categories needed for information security depends on the type of information held by the organization as well as the purpose of the organization or institution.
The relevance of the information to national security is also a factor to be considered (Kroenke, 2008). The downside of having many categories is that some vital information may not be easily accessible to relevant people in case of an urgent call for action, while too few categories cannot guarantee the security of the information.

2. A scenario where the Brewer-Nash model is the best security architecture. Give reasons why this would be the best and discuss if other models would be suitable.

A security model is the specific scheme used to specify and enforce security policies for a computer system. It may be based on computation models, access rights or distributed computing, or it may have no particular theoretical grounding. The Brewer-Nash model was created to give a system a means of accessing information under very tight security, mostly for information that is bound to change dynamically (Marite, 2002). It was also meant to ensure that conflicts arising from self-interest are avoided, mostly in organizations that have a commercial value or function. It is therefore a model that suits an organization in which the flow of information among and between subjects must create no conflict; that is, information passing among and between employees must create no conflict due to self-interest.

The best scenario for such a model is a business organization that needs to put up a barrier within the organization to isolate and separate people and to define the decision maker.
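The dynamically changing access control that Brewer-Nash provides can be shown in a few lines. The following is an added example, not part of the original paper; the company names, conflict-of-interest classes and subjects are constructed for illustration, and sanitized (public) data is left out for brevity.

```python
from dataclasses import dataclass, field

# Constructed sample data: each company dataset belongs to one
# conflict-of-interest (COI) class. All names are hypothetical.
COI_CLASS = {"BankA": "banking", "BankB": "banking",
             "OilCo": "energy", "GasCo": "energy"}


@dataclass
class ChineseWall:
    coi_class: dict
    history: dict = field(default_factory=dict)  # subject -> datasets read

    def can_read(self, subject, dataset):
        """Simple-security rule: allow a dataset already read, or one whose
        COI class the subject has not touched yet."""
        if dataset not in self.coi_class:
            return False  # unknown dataset: deny by default
        accessed = self.history.get(subject, set())
        if dataset in accessed:
            return True
        target = self.coi_class[dataset]
        return all(self.coi_class[d] != target for d in accessed)

    def read(self, subject, dataset):
        """Perform a read; a granted read changes what is allowed later."""
        if not self.can_read(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True

    def can_write(self, subject, dataset):
        """*-property (simplified: no sanitized data): writing is allowed only
        if the subject has read nothing from any other company dataset."""
        accessed = self.history.get(subject, set())
        return self.can_read(subject, dataset) and accessed <= {dataset}


def demo():
    wall = ChineseWall(COI_CLASS)
    return [
        wall.read("alice", "BankA"),       # no history yet: allowed
        wall.read("alice", "OilCo"),       # different COI class: allowed
        wall.read("alice", "BankB"),       # competitor of BankA: denied
        wall.read("bob", "BankB"),         # bob's own history is empty: allowed
        wall.can_write("alice", "BankA"),  # alice also read OilCo: denied
        wall.can_write("bob", "BankB"),    # bob read only BankB: allowed
    ]


if __name__ == "__main__":
    print(demo())
```

The same request (reading BankB) is denied for one subject and granted for another purely because of what each has read before, which is what separates this model from a static access matrix.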
The firm will need to create information security such that no single person, no matter their position in the firm, can act out of self-interest and so compromise the position of the organization or firm. Most of the other models are not as efficient as this model because they do not make a clear cut of who should act on which information or who should gain access to which information; this model therefore ensures that the organization has both integrity and privacy for its data (Marite, 2002). It is the only model that will allow for access controls that are dynamically changing, hence no conflict of interest.

3. A list of information security metrics that could be collected for a small internet commerce company with ten employees. The company uses an outside vendor for packaging and distribution. To whom should the metrics be reported?

An information security metric refers to the process of mathematically applying standards for ensuring security of information. This particular company relies on an outside vendor, who takes responsibility for packaging and distribution of the products. The best person to report the security metrics to is the information and management officer who handles issues of information in the company. The following is a list of the possible metrics that can be used (Kenneth & Jane, 2010):

Confidentiality: Information must only be released to the authorized party. This applies especially where the company is involved in internet business using credit cards.
Integrity: The information system should not be modifiable undetected. Any modifications made in the system must be easily detected through a message alert.
Availability: The needed information must be available when need be, meaning all the systems for controlling, storing and securing that information should have security controls to protect it.
Authenticity: In e-business, data and information being exchanged, transacted, documented or communicated must be genuine. Both parties involved in the transaction must be validated and proved genuine.
Password strength: All inefficient, bad or weak passwords are identified and changed.
Non-repudiation: One party within the business transaction cannot deny having received the transaction, nor can the other party deny having sent it. This is very important for electronic commerce.
Analysis of legitimate email traffic: This involves tracking the size, volume and flow of all outgoing and incoming data and information among and between the companies involved in business transactions. The company will be able to map the information between the suppliers, and will therefore be in a position to put in place excellent methods of tracing all the junk emails and the good emails the company is receiving.

4. Threats to the information security of a small internet commerce company with ten employees. This company uses an outside vendor for its order fulfillment. Once the list of threats has been generated, assign a likelihood score to each threat.

This is an internet commerce company with ten employees and an outside vendor. The system can be easily logged into, monitored, tracked or stored in different locations (Beynon-Davies, 2009).
This means that there are a number of threats to be expected in the company, which are as follows:

- Negligence by the management, whereby it may undermine the need for installing good security in the information system.
- The possibility of weak points in the organization's information system. Employees can get a chance to create alternative passwords or backdoor passwords, which they can later use when they leave the company, or use employees in the company to gain access to vital information or even carry out transactions.
- Former employees may retain passwords for the organization and so have a chance to gain access to the system.
- Stolen passwords can easily be used by unauthorized users to gain access to the internet and carry out transactions.

Threat | Score
Stolen passwords | 10%
Passwords retained by former employees | 50%
Weak points in the information security system | 40%
Negligence by the management | 70%

5. Research the Microsoft risk management approach and write a report describing each of the four phases in the security risk management process.

Risk assessment: This is the process whereby the risks are identified. Priorities are set, data is gathered and finally plans are laid down by preparing the guides to be used. Risk data is then gathered, and the question here is in outlining the processes of data analysis and collection (Olegas, 2005). Finally the risks are prioritized by outlining descriptive steps to quantify and qualify them.
Basing support on decisions conducted: This involves the use of a cost reduction process in the evaluation and identification of solutions that will lead to reduction of business risks.
Control implementation: This involves incorporating different people, processes for solutions and technologies in an all-rounded way of implementing the approach for best results.
Measuring the program's effectiveness: At this stage a scorecard is developed, which makes it possible to understand the risks and to measure the effectiveness of the program. This also entails a process of evaluation to check all the available opportunities for improvement, to ensure the success of the approach (Olegas, 2005).

A list of questions or concerns I have with the described approach:

a) What is the level of security guaranteed by the system?
b) Can the approach be used for the rest of the company's life, bearing in mind that technology is changing and there is a possibility of it being incompetent?
c) What are some of the indicators that can be used to show success in the approach?
d) What are the key indicators that the approach is sustainable?

6. Discuss the difficulty in estimating the probability of a threat or attack occurring. Describe methods that can be used to make these estimates.

The achievement of information security is hindered by difficulties experienced in the process of risk estimation. An effective information system should be tailored in such a way that it creates value, takes account of human effort, addresses all the uncertainties and assumptions, is set up with regard to the best available information, is dynamic, iterative and responsive, and can be improved or enhanced when need be (Aviason & Guy, 2006).
The following are the main factors that hinder the process of risk estimation:

- The company does not have a standard to be observed with reference to ensuring security of the information system.
- The system fails to meet the media criteria.
- The system lacks collaboration and coordination between and among credible sources.
- The approach leaves no room for participation by the public, who are very helpful in recognizing the possible risks for the company.
- The company does not provide a channel for receiving anonymous risk reports.
- The system lacks live maintenance of the project database, especially for the purposes of risk identification, with these attributes: importance, probability, short description, open date and title.
- The system lacks organized management of the risks as far as the projects are concerned. This is mainly when the plans lack budget, activity, management risks and responsibility.

References

Aviason, D., & Guy, F. (2006). Information systems development: methodologies, techniques and tools. Toronto: McGraw-Hill.
Beynon-Davies, P. (2009). Business Information Systems. Basingstoke: Palgrave.
Kenneth, C., & Jane, P. (2010). Management information system. Ontario: Pearson Prentice Hall.
Kroenke, D. (2008). Experiencing MIS. Upper Saddle River, NJ: Prentice-Hall.
Marite, K. (2002). Information systems development: advances in methodologies, components, and management. Oxford: Oxford University Press.
Olegas, V. (2005). Information systems development: advances in theory, practice, and education. London: Spring.