Information Technology Security Strategies - Essay Example

Information System Security Student’s Name: Instructor’s Name: Course Code and Name: University: Date of submission: Information System Security Introduction Managing continuity and planning contingency are essential in every business and unavoidable; especially if the business has incorporated Information technology (IT) in their daily running. The creation of strategies that will deal with the possible occurrence of these problems is an undertaking that is complex and multifaceted. It is vital that an organization have an adequate understanding of the risks that underlie their IT functions and, the possible impacts of a plausible disaster (Noakes-Fry & Diamond 2001, pp. 2-11). This knowledge forms the framework upon which contingency and business continuity planning puts together for the purpose of computer security and disaster recovery. With the adequate knowledge available, a sensible and effective plan can be a reality. This paper will present an academic discourse into the subject of information technology security with specific focus on the importance of contingency and business continuity planning for disaster recovery and computer security. This presentation will be in a description of events that may lead to a disaster that relates to IT with ways of curtailing the worst effects of such a disaster suggested. Almost all organizations in the world have adopted the use of information technology in their daily running. With this type of investment, comes a new form of threat where IT opens up risks and opportunities for the organizations involved. The subject of this paper is, thus, important as it provide information for organizations that will aid them in their contingency and continuity planning (Schwartau 2000, pp. 395-397). Knowledge is the major weapon against an IT disaster. The success of contingency and continuity planning has heavy basis on information that is available to the organization at the time of planning. By gaining adequate knowledge on the events that may result in a disaster related to IT, ways of averting the worst effects of the disaster are constructible. Definition of terms Disaster: an event that leads to a significant destruction and disruption of the activities and computer information activities that operate a certain organization (Noakes-Fry & Diamond 2001, pp. 2-11) Disaster recovery plan: A design or a plan whose purpose is to ensure that a business keeps functioning even after a disaster (Noakes-Fry & Diamond 2001, pp. 2-11) Body Background The level of reliance that a business has on IT, is directly proportional to the consideration that unexpected disastrous occurrences get. External and internal issues can affect the IT system in an organization. The external issues include those that are outside the control and manipulation of the system such as fires, electrical disruptions and theft. Internal issues or events include those such as viruses and malicious and intentional attacks on the system. In order to gain a better understanding the events that may lead to disasters and, the ways that one can avert the impact of these disasters; it is important to place a historical perspective that explains the importance of such plans (Leatherby 2007, pp. 2-4). The increase in focus on contingency plans and recovering from disasters that has been popular over the past decade was especially, ignited by the attack on the world trade center in New York City in September 2001.Americaln businesses began to subject their plans to a different set of scenarios and disaster became a reality for most of the businesses. The technology basic in companies are the major focus of such scrutiny with a focus on whether the organizations can recover their operational basis (Noakes-Fry & Diamond 2001, pp. 2-11). When a disaster like the September 11 one occurs, rebuilding the infrastructure is often simpler than getting back the technological basics that were assistive in running the businesses. Information technology systems are part of the damages and, their recovery is the main challenge for the affected businesses. The usefulness of contingency and continuity plans is visible in the way that businesses were able to continue with their activities in different areas since some of them had their IT systems prepared for disaster. As businesses all over the world witnessed what happened in the world trade centers, contingency and continuity plans needed upgrading and review. There is a great need to understand and have information about the disasters that an organization’s information system is susceptible to and, to be knowledgeable about ways in which organizations can recover from the effects of the disasters (Leatherby 2007, pp. 2-4). This is especially applicable to the information systems owing to the fact that businesses use computer information systems in their running. The aftermath of terrorism, natural disasters, and equipment breakdown, have highlighted the need of having a plan of continuance more than ever. These plans are almost exclusively inclusive of possible events that may lead to disaster and the ways of dealing with the effects of the disaster. With this type of contingency and continuity plan at their disposal, companies can meet the increasing demand of continuous service provision. Aspects like e-commerce have driven expectations of system availability with people expecting service for twenty-four hours a day and three hundred and sixty five days a year. Expectations push such requirements and, these expectations include, the clients of a certain organization will expect it to keep on supplying them continuously or to resume their operations rapidly in case of any problems. In addition, the organization has to keep operating on the managerial level to satisfy the stakeholders (Cerullo & Cerullo 2004, pp. 70-78). Additionally, the employees of the organization need to see that their livelihoods remain protected at all times, even during disasters. In addition, those who supply the organization do not want their revenue channels to face any hindrance. No matter the situation, agencies that regulate the operation of businesses expect that the organizations will strive to meet their requirements. These expectations relate to the information systems in an organization, therefore, highlighting the need for information on this area of business operations. Some of the events that can lead to disaster in businesses include failures in communications and hardware, external and internal sabotage, cyber and physical terrorism and fires, flash floods and disruptions of supply chain relationships. Possible events and ways of curtailing the worst effects In the event of a fire, the computer center in an organization may be inaccessible to the organization. With this lack of access, the organization’s network connectivity and data processing capabilities will also fail. This is one of the worst effects of a disaster because the organization will not be able to communicate the nature of the situation to interested parties or arrange for alternative deals for those counting on them. In this scenario, the equipment in the computer room are nor recoverable and, the telecommunications abilities that are critical to the organizations are lost (Leatherby 2007, pp. 2-4). This type of effect after a fire disaster is possible, as fire will destroy the physical components of the computer room. The fire destroys these physical equipments like computer hardware and electrical circuits. Because of this destruction, the company will not be able to carry on with their duties since the infrastructure that supported the running of the organization is no longer available. In the vent of such a scenario, the worst effects can include the organization losing all its clientele and, losing the trust of its stakeholders and clients. In addition, the entire supply chain of the organization may suffer disruption to an irreparable level. One effect leads to another in that, when the communication capability of an organization ceases to function, the organization will be unable to let its clients, suppliers, and stakeholders, know of the situation and thus, they may think that the organization is incompetent (Cerullo & Cerullo 2004, pp. 70-78). The organization should immediately transport all information that is stored off site to a single location where disaster recovery can carry on. Organizations always have some information and equipment in an offsite storage unit, and it is the information that is useful in helping the organization. In addition, the organization should provide the space that is required and, transfer the critical operation base to the recovery center. This activity is by the attempt to recover the applications that are critical to the organization and the applications that need to restore the connectivity to the networks. This recovery of connectivity will help in the resurrection if the system so that the clients can continue business online (Leatherby 2007, pp. 2-4). All these recovery activities are possible because organizations using computer systems in their running always have back up for their operations. All companies stand a risk of natural disaster striking such as floods, earthquakes and hurricanes. These events occur at any time and on a regular basis in parts of the world. These events result in disaster of the IT system in the organization. The potential causes of IT disasters in organizations are multifaceted to include other factors such as human error, which may lead to human error and, disruptions to the utility like power outages. Other than that, there can be rival companies and organizations that may orchestrate a malicious attack like setting a virus on the system (Noakes-Fry & Diamond 2001, pp. 2-11). The impact of these threats expands even more when the company uses computer systems to run their daily activities. It is important that the actions taken after a company suffers any kind of disaster be swift and fast so that the recovery process begins before the worst effect takes hold of the organization’s system. The survival of the organization depends on how fast it can recover from the effects of the disaster that affects its information system. One of the most effective ways of recovering from such a disaster is to develop an effective and sensible disaster contingency recovery plan (DCRP). The advantage that DCRP has over other types of contingency plans is that it aims to reduce the impact of the disaster that may occur by establishing certain measures before the event occurs (Cerullo & Cerullo 2004, pp. 70-78). This happens through the reactive control approaches that are part of the DCRP. These controls are also known as to as corrective controls because they are those that will work immediately after the disaster occurs. In this case, the organization appoints certain people who will make up the primary and alternate response to the disaster with each team having a specific duty to fulfill. These duties include coordinating alternative areas of conducting business and notifying relevant parties of the organization’s situation. In addition, they also come up with strategies of keeping the organization operational during the disaster. These strategies include coming up with a list of vendors and functions that they each perform for the organization at the time of the crisis (Cerullo & Cerullo 2004, pp. 70-78). In this case, they will are available and will keep on with the functions of the organization as while it is gradually returning to normal functioning. Because of the nature of the functions that DCRP performs, its incorporation into any contingency and continuity plan of an organization is possible. It is, therefore, not a plan on its own but an integral part of other contingency plans that has specific designs to deal with the immediate effects of a disaster that affects the information technology in an organization. It is important to ensure that the plan undergoes testing severally before its actual implementation. Another measure that can curtail the effects of a disaster is a business continuity plan (BCP) the organization establishes before the disaster occurs. These plans have a role to play in either avoiding or mitigating organizational disasters that affect the information technology sector of the business. These plans also help to reduce the time that the organization takes to return its operation to normal running (Cerullo & Cerullo 2004, pp. 70-78). The BCP that is developed should be dynamic and ready to evolve with the environment so that when the situation changes, the organization can still use the same path and effectively recover. In addition, the BCP should fit in even when the type of technology that the organization is dependent on changes its nature (Cerullo & Cerullo 2004, pp. 70-78). The BCP works in steps with the first one being to identify the various risks that make the organization is susceptible. Secondly, developing a plan that will help to mitigate the effects of the risks that the organization has follows. The third and last step involves testing out the plan and training the employees as often as possible and running drills so that when the disaster strikes, they will be prepared to deal with the problem effectively. Another unpredictable risk that plagues information technology systems in organizations is susceptibility to cyber crime. A report published early 2010 found that more than 2000 businesses suffered a 75% breach of computer system security in 12 months (Martin 2002, pp. 1-10). The anonymity provided can make individuals do things that they would not normally do if they had to explain themselves afterwards. This goes to show that cyber security needs serious consideration. An effective cyber security strategy should address psychological, organizational and cultural aspects of cyber security in a system. Most cyber crime results in getting money. The funds generated from cyber crime come in many ways. There are various varieties or classes of cyber crime. Information service theft is a common occurrence in cyber crime. Three decades ago, “phone phreakers” set a trend that has become a huge industry in cyber crime. The perpetrators hack or get someone to hack into information services networks and get themselves free calls. When established they sell the call services to third parties at cheaper rates. Cyber communications are of use in furthering criminal activities. This can be especially damaging for companies that are involved in telecommunications or those that carry out communication services over the internet (Garg, Curtis & Halper 2003, pp. 22–34). Companies that are legal and legitimate have their own websites and networks to communicate with their employees and clients. Criminal organizations also have the same to communicate with their counterparts. The anonymity in the cyber world provides a place where they can use aliases, subsequently avoiding capture. Child pornography is one of the criminal activities involving the internet whose many perpetrators have eluded capture. Cyber criminals use their networks to access and sell media containing children exploited sexually. Organizational networks are of use because they provide cyber criminals with a place where they can mask their activities as legal. In this case, cyber criminals can front their activities as legal ones by using shadow websites that look like the legitimate ones (Martin 2002, pp. 1-10). When the police find the criminal activities that going on in the organization’s network, their systems will stop working because they are shut down while since they are suspects. While their operations are down, the law enforcement may also proceed in destroying their IT resources Piracy of telecommunications is easier because of digital technology. Exact replicas of multimedia files and other relevant files are available for personal use or for business. This happens to sell to others at lower prices. Money laundering is electronically perpetrated. It is easier to conceal the origin and destination of funds that are electronic in nature. Blood money is transferred and without the knowledge of authorities. Payouts on hits happen without recognition by relevant authorities. Individuals with malicious intent do electronic terrorism and vandalism. Planting viruses on other people’s computers to erase or sabotage their work is common. An organization with important information on their computer system will be highly inconvenienced (Garg, Curtis & Halper 2003, pp. 22–34). Investment and sales frauds are easier to plan and get away with. Anything can look real in the cyber world. Individuals may usurp a legitimate company’s website for crime then ask people to wire funds to the accounts. The perpetrators steal all this money. Communication is a private matter and some people use the internet to intercept electronic communication. This happens to get personal information about individuals concerning, say, finances of an organization. Calls and electromagnetic signals are also the subject of interception and malicious intent. The information from this communications can be of use in gaining access to restricted areas in the organization’s computer system. In order to help avert the effects of such events, the entire organization should be involved in embracing a more cyber secure culture. The organization should strive to remain strong and resilient in the face of an attack. This will be easier if earlier measures are put in place to combat an attack. The efforts made are numerous. The vice president of innovation and technology in Verizon, Peter Tippet said that efforts of cyber security are heading in the right direction (Cyber policy 2002, pp. 1-29). An organization can teach its employees to understand hidden threats like the corrupt software that seems easy to download. The organization should make itself knowledgeable about urban myths and hoaxes in the cyber world. They should be able to identify them and not fall for too good to be true hoaxes like winning the lottery. Organizations should strive to recognize and avoid spyware and social engineering. Organizations should have system back-ups and software that help to recover from virus, Trojan horse and worm attacks (Friman 2001, pp. 25–32). They should be able to deal with cyber bullies who may try to extort them. Plausible and effective measures installed will help in preventing and responding to identity theft. Virus checks should be as frequent as possible to identify any glitches in the system. The choosing of passwords should be wise, and they should change as often as possible to protect from hackers and crackers. These passwords also need protection. E-mail filters are of use to prevent hazardous attachments and e-mail from getting into the system. These filters monitor incoming mail and immediately delete any suspicious looking e-mails reducing the chances of spoofing or bombing. The organization should strive to understand firewalls to put in place settings that will protect their systems from harm while surfing on other networks (Friman 2001, pp. 25–32). Caution is useful with e-mails and attachments to protect the system from logic bombs, Trojan horses and other harmful software. Instant messaging and chat room conferencing should have monitoring software to safeguard them. The organization should inform its employees about staying safe in social networks and keeping personal information private (Garg, Curtis & Halper 2003, pp. 22–34). Wireless networks should have gate-keeping software to prevent viruses from uploading wirelessly from other sources. Effort to understand computers and browsers should be a company endeavor. People can then evaluate browser settings and configure them to secure their browsers in the best way. Software with link scanners should be available to make online shopping safe. Individuals, especially company employees, should understand active content to make recognizing any wrong thing easy (Giacomell 2004, pp. 387–408). People should strive to understand ‘cookies’ and, what it means to accept or not accept them. People should be familiar with internationally recognized domain names like .com, .co.ke. pop-ups and links unrelated to particular websites should be avoided. As one goes about browsing, he should avoid copyright infringement. Yet another security issue that organizations may face is that information that pertains to the organization and its operations get to people outside, most of who are rivals and competitors. This is ex-filtration. If this happens, it could lead to the revealing of the company’s trade secrets, such as the processes involved in developing their products to finished goods and, it will affect the security goal of protecting confidentiality of information (Giacomell 2004, pp. 387–408). Confidential information may be lost if someone from inside the company with malicious intentions and correct credentials decides to transfer this information to others outside over some time by using e-mail and crafted text transfer requests that have the information encoded in them. Therefore, the technique that is effective to ensure that confidentiality of information is safe is internal access point placements (Hamid 2003, p. 9-12). This would work by the company placing firewalls outside of all databases or files that contain any form of corporate confidential information. In addition, these firewalls need customization to respond to trigger words that are similar to information that is confidential. For instance, as soon as someone types a company password using any form of encryption, the firewall comes up and blocks the site. Any attempt to access or disseminate the information will stop owing to the firewall (Hamid 2003, p. 9-12). To avert this problem, employees and other staff members who may possess vital inside information about the company should not make any dealings whose decisions to do so have resulted from possessing the knowledge. For those who may wish to do so, they should convey news of their intention to the official and, should only proceed if given permission to go ahead. All employees in the IT department are responsible for the security of the company. They should be aware of the information that needs to be a secret and, advised of the possible scenarios where people may trick or attempt to trick them into giving up information. Employees should strive to protect their privacy in online endeavors so that they are not susceptible to attacks. Individuals should protect their privacy on network systems. Individuals should strive to understand encryption and use it when need to protect information from getting into the wrong hands (Giacomell 2004, pp. 387–408). Histories on browsers and computer systems need effective erasing to prevent suspects from getting information easily. One should understand patches to avoid misleading software to downloading harmful things. One should also strive to understand communication protocols to notice if anything is amiss. Users should review end user licenses to know what they are getting into. One should strive to understand their computer, that is, the operating system, software, and hardware. When a cyber attack is committed, it is usually so that one side meets certain objectives. Some of the objectives of cyber attack include inducing or enhancing the loss of integrity in that information that is contained in a network is modified improperly. In addition, loss of availability is induced where information systems that are critical to missions are made unavailable to the authorized users of the network (Bagchi & Udo 2003, pp. 1–29). In addition, the loss of confidentiality is engendered such that information that is critical is disclosed to users who are unauthorized. Other than that, some of the information systems that are affected results in the creation of actual, and very physical destruction, especially through commands created to result in deliberate malfunction. Recent changes that have come about from the merging of computing and communications are amazing. They are already used in many important areas like air traffic control, banking, healthcare, and education. More and more households, therefore, have a need of getting computers for use at home. Though this is a good thing, we are more susceptible to cyber crime now more than before (Erbschloe 2001, p. 174). Soon, everything may depend on software. With these new and amazing developments in telecommunications comes a new strain of crime. Cyber security should be taken seriously to protect institutions and families. Information technology is producing opportunities for some of the brightest criminals ever. If we are to have a chance at beating cyber crime, knowledge and information are the key (Schwartau 2000, pp. 395-397). Information and knowledge will give us the power to protect ourselves from cyber crimes and criminals. If you do not know how a computer behaves when it has a virus, then you will not recognize the change in computer behavior. If when recognized, knowledge on what to do about it is needed. Living involves communication, if it is compromised, then so are our lives. We need an assurance that as we communicate to our friends and family over the internet, our privacy is guarded (Friman 2001, pp. 25–32). The electronic information highway is shaping our lives and destinies, and it needs to be kept clean and safe. If we are armored with the information, it will be difficult for cyber crime to prevail much more than it has. If everyone took an initiative to protect him or herself, it would spill over to other areas using telecommunications including organizations Conclusion Organizations are as multifaceted as the risks that they may face. For an attack that has been staged to be successful, it is required that that the network being used remains intact unless the effectiveness of the attack results from the shutting down of the network. The threats that have been identified in this paper include natural disasters, power outages, fires and cybercrimes with malicious intent, each of these crimes have a different way that they are dealt with (Schwartau 2000, pp. 395-397). These threats have different ways that the effects can be curtailed. The measures that are taken need implementation before the crime takes place. The contingency and continuity plans need plans that are implemented before the disaster strikes. List of References Bagchi, K & Udo, G 2003, An Analysis of the Growth of Computer and Internet Security Breaches, Communications of the Association for Information Systems, vol. 12, no. 46, pp. 1–29. Cerullo, V & Cerullo, MJ 2004, Business Continuity Planning: A Comprehensive Approach, pp. 70-78, viewed 10 Oct 2011, “Cyber crime”, Silicon Times, Vol.2, Issue12, December 2002. Leatherby, D 2007, IT Disaster Recovery and Business Continuity Tool-kit: Planning for the Next Disaster, pp. 2-4, viewed 10 Oct 2011, Erbschloe, M 2001, Information Warfare- How to Survive Cyber Attacks, McGraw-Hill Companies, New York. p. 174. Friman, H 2001, A Systems View of Information Warfare, Journal of Information Warfare, vol. 1, no. 1, pp. 25–32. Garg, A, Curtis, J & Halper, H 2003, The Financial Impact of IT Security Breaches: What Do Investors Think? Information Systems Security, vol. 12, no. 1, pp. 22–34. Giacomell, G 2004, Bangs for the Buck: A Cost-Benefit Analysis of Cyberterrorism, Studies in Conflict & Terrorism, vol. 27, no. 5, pp. 387–408, viewed 10 Oct 2011 Hamid, RA 2003, Wireless Lan: Security issues and solutions, viewed 10 Oct 2011, pp. 9-12 Martin, BC 2002, Disaster Recovery Plan Strategies and Processes, pp. 1-10, viewed 10 Oct 2011, Noakes-Fry, K & Diamond, T 2001, Business Continuity and Disaster Recovery Planning and Management: Perspective, pp. 2-11, viewed 10 Oct 2011, Schwartau, W, 2000, CyberShock. Thunder’s Mouth Press, New York, NY. pp. 395-397. Read More