The Global Communication Enterprises Strategy on Information Security - Term Paper Example

Executive Summary 1 Introduction 3 Information Security Framework 4 Business Drivers in information security 5 Information Security Concerns 6 Risk-Based Decision Making 7 Information Security Process 7 Information Security Policies 10 Security Policies Drivers 10 Policy Management Challenges 11 Training and Awareness 11 E-Mail Hygiene and Trustworthy Messaging 12 E-Mail Filtering Process 12 Security for Mobile Devices 13 Recommendations and Conclusion 14 Executive Summary Information technology is an area that is fast growing today. Organizations that have invested in the industry have a great potential for growth. The organization admistration should be structured in such a way that relationship with external parties promotes an effective management policy to all information security aspects in the organization, for example, holding organization security information, processing facilities and any other facility that is accessible to external parties (Zanten, 1985). The aim of this paper is to share the GCE strategy on information security. This report main concern is on how information security within GCE will help the organization give protection to its newly developed product from its competitors (Zelkowitz, 2004). The prime goal underline the major steps that the organization need to adapt in order to provide security protection in the IT environments within the organization. The area that is highly venerable to these technological risks is the digital assets. Consecutively, to make security as an integral corporate culture in GCE, trustworthy computing initiatives must be introduced in the organization (Axelrod, 2004). Therefore, there is need to create an information security frame work based on leadership and culture which will help in processing risk based decisions. The framework foundation comprises of both security leaders and organizational culture. For example, all employees must be enlightened on the role that they need to play in order to protect the digital assets and the intellectual property. Global Communication Enterprises(GCE) should employ high risk based decisions in partnership with other information security organizations to be able to design the most relevant security controls that will help in the process of protecting their digital assets. This partnership will help Global Communication Enterprises(GCE) make informed decisions on the information risk that is facing its newly developed electronic product (ASIS International, 2011). It is notable that this paper does not address issues on physical security, and corporate security, but there are some technology based controls that are converging and play a vital role in the information and physical security. There are clear indications that most technological and technical solutions become successful once there is a concert with all stakeholders and process elements. However, all processes and technologies maturity is based on developing security necessities, and prospect strategic plans. Introduction The decision on whether to implement the newly developed electronic product is a crucial decision to the success of GCE in the technology industry. Therefore, to make up this crucial decision and implement the project that the device is anticipated to help undertake, many aspects has to be put into consideration. Some of these aspects include economic factors, market competition, product security, and technical feasibility of the product (Camp, & Lewis, 2004). This product may be technologically feasible if GCE is willing to spend large amounts of money on its development. On the other hand, once the competitors gets the product specifications, GCE is likely to lose a lot of as many of the competitors have a chance of modifying the product for their own benefits. In this case, the new product from GCE is making sense as its financial capability has been cooperated by the development cost. Alternatively, the invention of the new product is going to give a competitive advantage over all other competitors in the market. Many organizations have not been able to hold the secrets of their new developments because of a number of reasons .There are great technology advancements which facilitates information leakage (Qing, & Eloff, 2000). GCE new electronic product manufacturing techniques might leak to its competitors, which might result in product modification putting their product out market. These risks can be associated to traditional valuation methods that do not capture interface between technology and economics. There exist a diverse area of study in this area where some technical risks and market risks has been addressed. Most CEOs top most concern should be on security use of some devices in the organization which should form part of top priority. GCE new electronic product information is at a risk of leaking because the organization is using some sensitive devices in its communication processes. For example, use of smart phones that have become pervasive. GCE is embracing on these diversifying culture- changing tools (Deswarte, 2004). The organization once it uses these devices without control and care has a high potential of wreaking havoc as well as leaving the organization at a risk of information leakage. In spite of the continued data threat and potential business impacts there still exists a connection disabilities between the information security officers in the organization and those at the executive positions. According to a research conducted by CyLab from Carnegie Mellon University in 2012, it showed that 75 percent of all organizations don’t account on security risks to the C-suite level. Information Security Framework GCE aim and focus on Information Security organization is to have a competitive advantage over other organizations in this market. The following elements can play a crucial role in making this strategy a success. These includes that GCE Information Security understands and manages the company’s information security risk (Salotti, & UCISA (Association), 2005). Leaders within the organization should be given a chance to manage information security risk procedures and make informed decisions at their levels of operation in the organization (Nozaki, 2000). The organization leadership should have ultimate responsibility for the security of all digital assets as well as managing their information security. The information security unit in the organization must empower the business units in GCE towards making informed risk decisions. Decisions on risks will allow the organization information security units align resources with the company’s policy. Therefore, resources allocation is based on risk, which can be dogged only in partnership with the business. These strategies will also help the company acquire information on how to mitigate and transfer risk. Risk mitigation is possible once security controls are applied through defense in depth policy. Consecutively, for information security in Global Соmmuniсаtiоn Еntеrрrisеs (GCE) to work towards its vision it is important to address short term and long term needs. Business Drivers in information security The information security drivers in GCE should be similar to those in other or the rest of the industry faces. These risk units in the organization main aim should be to manage risks into an acceptable level. This collaboration can be influenced by a number of drivers such as; Business, In this case security issues on information reflects the organizations business model as well as customer ,partners and suppliers relationship. Regulations As a result of regulations, and organization mandates, the Information Security and isolation teams continue be in close alliance. Technology A decentralized workforce can be achieved through Mobile devices and collaborative tools which help in changing the risk landscape. Information Security Concerns Computing is concerned with a connection on a global scale, which is a shift that introduces new additional concerns for GCE information security. There are several areas of concern which can be of great importance to the organization. These areas include. Authoritarian and statutory conformity. Enterprises must comply with a huge number of regulations that covers areas on integrity and privacy. This process can start over by designing standards based control set. This set allows the overlapping requirements to be effectively met. Data mobility. This area has its own set of concerns. Devices such as smart phones represent an opportunity for any data in the organization to move across traditional corporate boundaries. Therefore, the information security unit in GCE must come up with security measures to take care of data in transit, at rest, and in use, by employing technologies such as Information Rights Management (IRM) in order gain data protection ability. Unauthorized access to data. Controlling access to huge amounts unstructured and structured data is a big challenge. In this case people in the organization have access to a minimal number of data in order to perform their duties. Rights accumulation among the employees within an organization can be one of the most significant threats towards protecting data. Risk-Based Decision Making The organization management group is accountable for the definition risks that are acceptable and providing the information security unit with information in order to rank risks to the organization (Peltier, 2002). The security units after assessing the risks it then defines all the functional requirements that helps in mitigating risk into an acceptable level. The team may later collaborate with the IT groups in the organization in order to implement these operations Figure 2 is an illustration o a risk-based decision-making process GCE Information Security Process In GCE the process of risk base receives great support from the information security process which means measuring control effectiveness. This can be done inform of reports to the executive management (United States, 1999). The independent parties are also involved where they help in determine the effectiveness of certain security controls The information process comprise of the following: It should be an approach that is consistent and repeatable in determining the organizations information security posture. Measuring the state of the company’s information security stance. Provides operational guidance for the Information Security team to enable businesses with support information that addresses security risks in their environments and helps them make crucial security decisions. It is an effective method that helps in measuring objectives against safeguards and measuring Information Security’s level of success in providing due care. The process also helps in prioritizing efforts as well as direct resources contained in areas of highest risk and highest need. Figure 3 illustrates the phases of the Information Security process. The Information Security Process phases include: 1. Scope. This phase defines certain areas in the entire interface 2. Assess and validate. In this phase prospective program events and validation of the identified controls are addressed. It ensures that they are in place and mitigate or transfer risk 3. Prioritize. A relative prioritization of actions takes place in this phase. These actions again help in mitigation and risk transfer. 4. Design. In this phase architectures, conceptual designs as well as solutions are generated. 5. Implement. This is a phase that helps in deployment of approved solutions and safeguards into the production environment. 6. Evaluate. This phase entails continuing monitoring of the manufacture environment. Efficacy of solutions is calculated at this step and the key outputs in this section are the business and operational security scorecards. Information Security Policies These policies provides organization management with support and direction for information security measures across the organization in the electronic and hardcopy devices. Therefore, certain subsidiary information security policies are taken as part of this process and have an equal standing. Security Policies Drivers These policies help in defining organizations values as well as desired behaviors. They help in ensuring regulatory compliance and position in line with the organizations standards that are important for conducting the internal audits. These audits help in analyzing the overall security health of the organization. It is notable that without policies that govern the corporate infrastructure an intellectual property loss is likely to occur (Blackley, 2005). Therefore, an organization should try and reduce exceptions for policy observance because they introduce a risk degree that is not present. This information can be illustrated in the following figure. Figure 3 How Microsoft uses information security policies Policy Management Challenges In order to ensure credibility in the security policies GCE must enforce all its unique security policies. Key executives should be involved in the process as a way of lending credence and influence (Kakalik, 2007). On the other hand, introducing a reputable process helps in making sure that suitable roles, responsibilities, and managerial measures are in place. Training and Awareness A strong security in an organization is a factor that enables improvement in productivity as well as granting protection to assets. For Global Communication Enterprises awareness is a key primary tool in achieving a strong information security. However, to raise the security awareness among the employees it is a big challenge (Mtenzi, 2010). According to a study conducted by the Global Information Security Survey in the year 2004, it was made clear that 70% of all manager who were questioned failed to list security awareness as a main concern (Raggad, 2010). Therefore, to have successful security efforts the following elements must be addressed technology, people, and processes. However, once there are clear and effective polices an integral part of security promotion and compliance is enhanced. E-Mail Hygiene and Trustworthy Messaging It is notable that viruses and other software’s that are malicious and which are sent through email can be a threat to Global Communication Enterprises environment. These risks can be addressed through an evolutionary process that contains a flexible responsive approach. There are various methods of filtering spam and viruses such as having a multiple network location where several layers of protection are provided (Tudor, 2001). These methods also help in email hacking procedures where important organization data leaks to the competitors. This method is effective because it helps in minimizing the amount of incoming mail that are permitted past the network ,which helps in securing the messages though the use of IRM. In addition, scanning documents attachments before sending them and removing software’s that are malicious helps in reducing information threat and exposure. Additional scan of messages at the client level is an important approach that reduces risks. It can be employed through the use of multiple technologies administered by messaging administrators. E-Mail Filtering Process This is an important process that will help in controlling the recipients who receives the email messages sent by the GCE manager. There are a series of mechanism that helps in filtering a huge number of messages submitted in the organizations gate ways (Wylder, 2004). The amount of spam messages is reduced and only authorized parties have access to these messages. This will reduce the risk of information about the new GCE product leaking to the competitors, media and other unauthorized parties. Figure 4 illustrates a multilayered approach to e-mail filtering which can be adopted by GCE Security for Mobile Devices In this modern society there is an evolving mobile environment which has a strong trend towards the use of mobile devices. Smart phones are an example of mobile devices that are widely used. There is need to ensure that assets information is handled in line with the enterprise security policy (Mattord, 2003). The device must be able to take place in the security control framework which helps in governing the data protection at reset or in use. The security concerns on the mobile devices in many enterprises stems from the available gap in the security control panels. The device must be in a position to take place in the organization management infrastructure for policy enforcement. As per as mobile devices are concerned issues on user impersonation is a crucial concern when these devices gets access to very sensitive data. Data protection when using the mobile phones can be achieved once the following considerations are made. The mobile device should be a in a position to provision encrypt high value data that is automatically destined for the onboard and removable memory software’s. The device must be able to provision and to enforce password policies on the start up an when hibernating or exiting. A provision on the mobile device should be possible to enable it erase internal memory after a specified period of time through a remote command from a management console. Recommendations and Conclusion The GCE IT and Information Security teams are on rare management of risk in the process of providing security to the organization. Having a solid framework, policies as well as roles and responsibilities that are clear ,GCE security unit can prioritize, identify and risks in a proactive way . This evaluation process provides the decision makers in the organization with relevant data that is crucial in making business decisions that are more informed The decisions enables in risk balance alongside the costs of security controls. Risks is one of the most inherent sections in a computer network and in the technology environment at large. Therefore, emerging and new generations of software’s that are malicious to important information poses a big threat to the security of organization in the globe from a multiple of directions. It is clear from the report that traditional methods that are employed to curb and provide security for the network are no sufficient enough. Therefore, by adopting to risk management framework that is comprehensive enough the organization can be able its roles and responsibilities easily (Vacca, 2009). The organization will be able to identify available priorities, am threats mitigation and as a result be able to address possible security vulnerabilities. Therefore in order to address these security needs in today’s evolving information technology environment To address the needs of today's evolving IT environment, GCE needs to a constant adjustment to its security strategies as well as advances in technologies in order to address remote access, mobile devices, policy awareness, among others. For example, the organization has made a new electronic device that is going to help the organization in the brink of a technological breakthrough . Although individual security needs will vary, any organization can employ the al the addressed security measures highlighted in this report to managing risk or use the IO Model as a roadmap to transform its security controls from reactive to proactive. References Aalders, J. C. H., Herschberg, I. S., & Zanten, A. (1985). Handbook for information security: A guide towards information security standards. Amsterdam [etc.: North-Holland. ASIS International. (2011). Information security. Alexandria, VA: ASIS International. Axelrod, C. W. (2004). Outsourcing information security. Boston: Artech House. Camp, L. J., & Lewis, S. (2004). Economics of information security. Boston: Kluwer Academic Publishers. IFIP TC 11 International Conference on Information Security, Yngström, L., Carlsen, J., & International Federation for Information Processing. (1997). Information security in research and business: Proceedings of the IFIP TC11 13th International Conference on Information Security (SEC '97). London: Chapman & Hall. IFIP TC11 International Conference on Information Security, Von, S. S. H., Eloff, J. H. P., & International Federation for Information Processing. (1995). Information security -the next decade: Proceedings of the IFIP TC11 Eleventh International Conference on Information Security, IFIP/Sec '95. London: Chapman & Hall on behalf of the IFIP. IFIP TC11 Working Conference on Information Security, Qing, S., & Eloff, J. H. P. (2000). Information security for global information infrastructures: IFIP TC 11 sixteenth annual Working Conference on Information Security, August 22-24, 2000, Beijing, China. Boston, MA: Kluwer Academic. IFIP World Computer Congress, & Deswarte, Y. (2004). Information security management, education and privacy: IFIP 18th World Computer Congress : TC11 19th International Information Security Workshops, 22-27 August 2004, Toulouse, France. Boston, Mass: Kluwer Academic Publishers. Nozaki, M. K., & Tipton, H. F. (2000). Information security management handbook. Boca Raton, FL: Auerbach. Peltier, T. R. (2002). Information security policies, procedures, and standards: Guidelines for effective information security management. Boca Raton: Auerbach Publications. Peltier, T. R., Peltier, J., & Blackley, J. A. (2005). Information security fundamentals. Boca Raton, Fla: Auerbach Publications. Raggad, B. G. (2010). Information security management: Concepts and practice. Boca Raton, FL: CRC Press/Taylor & Francis. Salotti, P., & UCISA (Association). (2005). Information security. Oxford: UCISA. Shoniregun, C. A., Dube, K., & Mtenzi, F. (2010). Electronic healthcare information security. New York: Springer. Stamp, M. (2006). Information security: Principles and practice. Hoboken, N.J: Wiley-Interscience. Tudor, J. K. (2001). Information security architecture: An integrated approach to security in the organization. Boca Raton, Fla: Auerbach. United States. (1999). Information security risk assessment: Practices of leading organizations : a supplement to GAO's May 1998 executive guide on information security management. Washington, D.C. (P.O. Box 37050, Washington, D.C. 20013: The Office. Vacca, J. R. (2009). Computer and information security handbook. Amsterdam: Elsevier. Whitman, M. E., & Mattord, H. J. (2003). Principles of information security. Boston, Mass: Thomson Course Technology Wright, M. A., & Kakalik, J. S. (2007). Information security: Contemporary cases. Sudbury, Mass: Jones and Bartlett. Wylder, J. (2004). Strategic information security. Boca Raton, Fl: Auerbach Publications. Zelkowitz, M. V. (2004). Information security. Amsterdam: Elsevier Academic Press. Read More