Knowledge and Information Security Plan - Essay Example

Running Head: KNOWLEDGE AND INFORMATION SECURITY PLAN Knowledge and Information Security Plan Client Inserts His/her Name Client Inserts Grade Course Client Inserts Tutor’s Name TABLE OF CONTENTS INTRODUCTION 4 HOLDINGS AT RISK 5 Physical Holdings at Risk 5 Data Alteration 6 Hard Copies Confiscation 6 Irretrievability of Data 6 Physical Destruction of Data by Natural Calamities 6 Access to Unintended Audience 7 Human Holdings at Risk 7 Electronic Holdings at Risk 8 POTENTIAL THREATS 9 Physical Threats 9 Human Threats 9 Employees 9 Human Error and Mistakes 10 Accidents and Ignorance 10 Hackers 10 Electronic Threats 11 Mobile Computing 11 Viruses 11 Spyware 11 Spam through Worms Networks 12 Trojan Horses 12 Phishing 12 Wire Tapping 13 STRAGETIC COUNTER-MEASURES TO MANAGE IDENTIFIED THREATS 13 Physical Counter-Measures 13 Environmental Hazards 13 Human Counter-Measures 13 The Issues of Delicate Employees, Human Errors and Accidents 14 Response to Hackers’ Threats 15 Electronic Counter-Measures 15 Mobile Computing 15 Destruction of Unwanted Information 16 Viruses 16 Spam 16 Trojan Horses 16 Spyware 16 Phishing 17 Wire Tapping 17 SECURITY EDUCATION AND AWARENESS 17 Methodology 17 Details 18 MECHANISMS TO DETECT EFFICACY OF THE PLAN 18 CONCLUSION 19 REFERENCES 21 INTRODUCTION Security of Knowledge and information for a particular organization is one of the priorities (Wood, 2000, p.43; CSU Bakersfield, 2012, p. 1). A proper security system is a sign of integrity in an organization and puts the organization in question at a higher competitive advantage (Wahle & Beatty, 2004, p.10). This paper proposes a strategic security plan for an organization recent security audit highlights prevalence of deficiencies in incident response, disaster recovery and business continuity, social engineering exploitation of personnel, an apparent lack of personnel awareness of the various threats to information, and poor password security. These deficiencies lay various organizational information holdings at risk. Various information holdings at risk have been categorized into physical, human and electronic and each of these has been elaborated further. Various threats to information have been correspondingly identified and classified into physical, human and electronic threats. Similarly, each of the threats has been further explained so as to determine proper remedies. The plan has suggested various counter-measures for each of the named threats to provide a means by which various threats may be managed. The greatest weakness in the security aspects of the organization of reference is the employees’ low awareness of what information security means to them and to the organization. This security plan has therefore suggested yearly employees’ training sessions’ approach details of which have been elaborated. Significantly, the necessity to strictly follow business policy has been highlighted throughout the plan. Any plan proposed must be at least effective (Wood, 2000, p.44; Danchev, 2003, p.7). The plan has identified post-audits using statistical trends and creation of short term goals as the best methods. HOLDINGS AT RISK Physical Holdings at Risk Some of information occurs in form of hard copies that are filed systematically in an organization or a government body. They include records of work, employees’ profiles, strategic plans, organizational policies, rules and regulations, data containing stratification of various employees, and other organizational classified data. Often, these printed documents exist as back-up information for electronic data (Gruener, 2004, p.27). One disadvantage of hard copy documents is that modern data protection methods cannot be applied (Stevens, 2000 p.21). For example, one cannot encrypt data or assign access passwords. However, there is an advantage; data cannot be attacked by electronic threats such as viruses among other malicious electronic programs (Carroll, 1996, p.24). Hard copies of data are at the risk of: alteration of the contained information; confiscation of information out of the organization information storage facilities say through smuggling of information (Stevens, 2000 p.15; Gerr & Kenniston, 2004, p.13); irretrievability due to lack of systematic storage methods (poor filing methods) (Gerr & Kenniston, 2004, p.14); destruction by natural calamities such as earthquakes, fire, floods and moisture; access to unintended audience (Hammond, 2005, p.8) within the management; and poor management of waste materials containing important data. Data Alteration Alteration of the information occurs when stored information is improperly guarded (CSU Bakersfield, 2012, p.1). Specifically, an incriminating data may be subject to alteration to keep employees or the organization safe from prosecution at the court of law (Molander & Riddile, 1996, p.25). This may be though altering soft copies of data and displacing the original hard copy with an altered reprint hard copy (Stevens, 2000 p.13). Hard Copies Confiscation Vital business information may be stolen and smuggled out of the organization (CSU Bakersfield, 2012, p.1). Malicious employees may be lured by external entrepreneurs to find and smuggle out information that would be important for their respective organization(s) management (Wahle & Beatty, 2004, p.6). Therefore, it is important to develop a privacy culture among all stakeholders (Pick, 2004, p.71; Herath & Rao, 2009). Irretrievability of Data Stored information should be available (CSU Bakersfield, 2012, p.1) whenever needed. Often, hard copy information is kept in a filing system. Mostly, filing is done by subject, date, numerical codes or alphabetical codes. A combination of these may also work. As a head of security team, availability of data when heeded will be among the priorities. Physical Destruction of Data by Natural Calamities Natural calamities such as fire, floods, earthquakes and moisture must be taken care of. Ventilation can be used to counter effects of moisture (Calder, 2005, p.49). Anyhow, most natural calamities are rare. Access to Unintended Audience Access to classified organization’s information to unintended audience is possible what with the apparent lack of personnel awareness of the various threats to information (Calder, 2005, p.33; Herath & Rao, 2009, p.156). Also, most people forget to delete information from random access memory of a copier or a printing system which can be easily accessed or retrieved (Bureau of Consumer Protection, 2012, p.1). Human Holdings at Risk While focusing on the human holdings, two domains of information are at various risks. These include; personal knowledge transmission and smuggling of other forms of information out of an organization. An organization has expatriates who at any chance may spill their knowledge to other entrepreneurs for selfish reasons (Gerr & Kenniston, 2004, p.16; CSU Bakersfield, 2012, p.1). This may occur as the employees are apparently not aware of the necessity of loyalty to the organization’s privacy policy (Danchev, 2003, p.8). The organization’s competitive advantage is jeopardized in the long run. As aforementioned, humans (employees) may smuggle or confiscate vital information to the outside. Similar reasons as the ones given above apply. The remedy will certainly be to establish strategies to make employees as loyal to the organizational privacy policy hand in hand with improving information security utilities (Danchev, 2003, p.4). Surveillance alone will not function but it is a necessity for this role. Electronic Holdings at Risk The prevailing results of information and knowledge audit indicate deficiency in terms of response to incidences, disaster recovery, poor password security and inefficient privacy awareness among others. Electronic holdings certainly are at risk include electronic equipment, daily electronic operations utilities, electronic channels of information transmission and the data the electronic equipment hold (Calder, 2005, p.41). Equipment’s include computers and mobile electronic devices among others (Herath & Rao, 2009, p.155). They are subject to theft, physical damage, damage due to electronic attacks, natural failure and so on (Ogden, 2002, p.7; Gruener, 2004 p.17; Calder, 2005, p.36). An example is the Microsoft which is used in almost every part of the world. Microsoft is specifically prone to viral programs that interfere with its operation. Other threats include Trojan Horse, Malware and others. Electronic channels of information transmission are the most common targets by various malicious humans and electronic programs (Carroll, 1996, p.13). Simple passwords, the use of which is implied in this case, are easily hacked into (Gruener, 2004, p.21). Wiretapping is also common allowing unintended audience to eavesdrop other people conversations (Molander & Riddile, 1996, p.20/1). This is dangerous to an organization’s information security code (Hammond, 2005, p.7) because, many a times, wiretapping goes unnoticed or rather unsuspected. Electronic data are prone to various threats depending on the sensitivity of the information security system a particular organization works with (MTU, 2011, p.13). POTENTIAL THREATS Physical Threats Anything that could lead to putting physical holdings at risk of destruction or alteration is a physical threat (MTU, 2011, p.11). Most physical threats are related to the environment and they include lightning strikes, floods/moisture, fires, earthquakes, tsunamis, hurricanes, tornados and so on. For a detached building as in this case, fire threats possibilities are relatively low especially when it is a spread-fire. Recovery strategies must be in place in case the worst happens (Buchanan, 1999, p.10). This is called readiness to respond to incidences. Some are easy to control. For example, moisture slowly damages documents kept in piles but can be countered by air conditioning in the building and filing. Human Threats Employees Employees of any organization can cause high levels of risks to information and assets (Herath & Rao, 2009, p.158). The apparent lack of awareness of various threats to information makes careless employees to semiconsciously give away or smuggle out classified organization’s information and expertise (Herath & Rao, 2009, p.156). Exploitation of personnel may make lead to reduced trust among employees and towards the organization due to apparently unjust penalties. Such incoherence only increases the tendency of employees to do harm to the organization in question (Herath & Rao, 2009, p.157). It is easy for an employee to sell information out of the organization or confiscate information holding devices of an organization for personal use (Ogden, 2002, p.8; Hintzbergen & Smulders, 2010, p.16). Human Error and Mistakes Human errors and mistakes may occur naturally due to low sensitivity to the importance of keeping the privacy policy intact (Herath & Rao, 2009, p.159). Some of the errors include poor or incomplete destruction of data in waste materials, poor facilitation by the management (Gruener, 2004, p.24), use of simple passwords, failure to discard data from a copier’s memory after the required service, remote access of data from home through electronic means (Mattord & Whitman, 2005, p.26) and damages due to poor equipment or information handling among others (Bureau of Consumer protection, 2012, p.1). Accidents and Ignorance Accidents may occur during transportation of equipment or data transmission (Gruener, 2004, p.26). Due to ignorance, for instance, an employee may send data to the wrong audience either through physical means or electronically, or accidentally spilling water or a drink an electronic device making data held completely irretrievable (Mattord & Whitman, 2005, p.29). It is not easy to recover data thus lost without some levels of biasness (Hammond, 2005, p.8). Hackers These are people (both from within the organization and external) who access vital information of an organization through circumventing its security system. This makes the organization prone to hacking whereof vital managerial information leaks to the outside (Hintzbergen & Smulders, 2010, p.22). Electronic Threats In modern offices electronic threats are the most virulent and frequent. Electronic threats are both a threat to hardware and to software utilities of a computer. They include: Mobile Computing Mobile computing refers to the stance where computer devices are on transit while being used. This calls for ad hoc networking between the maiden organization and an employee far off (Schneier, 2000, p.23). Arguably, controlling spillage of information into unintended audience is less controllable especially with certain and definite means (Mattord & Whitman, 2005, p.19). Viruses Computer viruses are malicious programs that are spread through the internet (Carroll, 1996, p.16). They are solely meant to damage target soft documents in the computer or electronic devices holding information. They are also infectious from one electronic device to another through local area networks (Carroll, 1996, p.16). Spyware Spyware is commonly used to track various operations of an organization including spying on workers and their discharge of duties, their records, websites and business transactions without the knowledge of the management (Carroll, 1996, p.21). However, spyware may alter the functioning of electronic equipment and/or programming (Schweitzer, 2002, p.10). Spam through Worms Networks Spam refers to electronic messages sent to a recipient without his knowledge and thus they are irrelevant (Carroll, 1996, p.22). When sent through a viral or worms route, they allow the sender to access the recipient’s computer and even use it. This may lead to sabotage of vital information, lower competitive advantage and interfere with business operations (Schweitzer, 2002, p.18). Trojan Horses These are programs that are used by hackers to steal information from a company in a social engineering manner (Schweitzer, 2002, p.13/4). These programs appear harmless initially. For a workforce with little awareness of such trickeries may pose the organization to threat of losing data to hackers (Schweitzer, 2002, p. 21). Phishing Phishing is a malicious technology procedure used by hackers to access business information without actual consent. Hackers manipulate web pages to appear as a particular genuine company. Unknown to novice, uninformed or ignorant employees, they end up disclosing vital information to the wrong audience. This has happened in military and banks. Even large amount of money may be lost through false wire transfers (ICC, 2003, p.29). Wire Tapping Telephone communication tapping is maliciously used by a third party to eavesdrop other people’s conversations. Wiretapping is not readily suspected by a small company but large and sophisticated companies are sensitive. Unfortunately, it is somehow hard to detect illegal wiretapping. STRAGETIC COUNTER-MEASURES TO MANAGE IDENTIFIED THREATS Physical Counter-Measures Environmental Hazards To control unpredictable environmental hazards, a test of possibility of occurrence will be a priority. Moisture detection utilities will be deployed in every office. Room air conditioners and ventilators continuous activity in every storey will be ensured. Fire fighting gas holders will be placed at areas accessible to everyone in each storey. Cases of flooding are rather rare for a management compressed in a multi-storey building. However, hazards such as earthquakes, hurricanes, tsunamis, terrorism and tornados are of note (Ogden, 2002, p.6). Data back-ups will be established at a different location if possible in both soft copy and hard copy forms (Buchanan, 1999, p.14; Gruener, 2004, p.22). This will enhance quick recovery of data (Stevens, 2000 p.19). Human Counter-Measures The Issues of Delicate Employees, Human Errors and Accidents The limited awareness of the necessity of information security among various employees is the principle reason for carelessness, vulnerability to smuggling of information among other mistakes (Mattord & Whitman, 2005, p.14). The first counter-measure to curb this is to conduct a comprehensive review of the privacy policy of an organization (Danchev, 2003, p.3). In a systematic manner, an information security policy must cover all areas of human weaknesses (Danchev, 2003, p.4) in this context. The policy will then be availed to every employee. The policy will importantly include rules and regulations regarding loyalty to the organization and the regulation of the flow of information. There will be a need to give the employee all information regarding his or her clearance level of access (HCC Information Security Plan, 2009, p.1) together with reasons thereof. Each employee will then sign an agreement of loyalty and accountability to other employees and to the organization (Danchev, 2003, p.6). The best way to implement information security system is ensuring instant response (Buchanan, 1999, p.15) to violation of policies and therefore timelines for penalties must be met (Nichols, 2001, p.6). But penalties alone cannot guarantee a loyal workforce due to negative feedback, attitudes and the prevalent weakness of social engineering (Nichols, 2001, p.7). Therefore, there will be a need to establish training programs to underpin the necessity of secrecy in an organization (Mattord & Whitman, 2005, p.11). To integrate privacy policy into the organization culture is important (Danchev, 2003, p.9) particularly because enrolment of employees is a dynamic process (Gerr & Kenniston, 2004, p.16). As a leader of the security team, it is important to highlight necessity of keeping information secure at every meeting, motivating achievers and punishing losers in this context. Similarly, technology changes from time to time need a continuous training program (Gerr & Kenniston, 2004, p.11). Response to Hackers’ Threats Hackers often use various programs to access classified data without the owner’s consent. Important information will be encrypted. Use of strong password codes will be employed. Again, important permanent managerial data can be separated with random data. Each employee can be given codes of identification to particular levels only and personal websites (Hammond, 2005, p.6) instead of an employees’ database that is easily accessible. Surveillance cameras may be utilized too so as to monitor daily operations (Bennet & Regan, 2004, p.6). Electronic Counter-Measures Mobile Computing Despite being a necessity at times, the situations that may encourage mobile computing will be gradually kept minimal to a halt. This can be done by ensuring various duties are completed in time within the premises. External access can then be restricted by deactivating access of an employee at unauthorized times and/or tracking and penalizing access during unauthorized times of the day. There will be also restrictions against access of personal social websites including emails to prevent uploading of information (Schneier, 2000, p.19). There will be workplace emails for each worker which cannot be accessed at any other place. Destruction of Unwanted Information Electronic devices holding information must be completely destroyed if no longer needed (Bureau of Consumer protection, 2012, p.1). Microchips, hard discs, magnetic tapes and ribbons, CDs, cassettes and floppy discs must be incinerated (Calder, 2005, p.37). Viruses Installation of anti-viruses to every computer in operation will be a necessity. This is to prevent destruction of data and computers by the viruses (Calder, 2005, p.43). Necessarily, the known viruses-prone websites may be avoided if they are not necessary. Spam There is no rigid way to reduce spam incidences. However, getting rid of viruses and worms discourages chances of a hacker to access data. Data filtering software will also be used. Trojan Horses While these are social engineering programs that are downloaded from internet together with the target downloads, employees must be warned against installing programs whose application they don’t know. Alternatively, disallowing the computers to automatically install programs may be an option. Spyware The strategy will be to avoid usage of spyware. Phishing The awareness of the employees about the threats of phishing in a particular industry is the principle strategy (Pick, 2004, p.69; Jordan & Silcock, 2005, p.12). Business associates will ensure special coding and secret works or phrases only known to them are established (Mattord & Whitman, 2005, p.24). Employees in doubt can verify communications and transactions through confirmation of say secret words through telephone. Wire Tapping Wiretapping cases will be reduced by ensuring secure lines of telephone communication. Scrapped lines can be used when communicating vital information. SECURITY EDUCATION AND AWARENESS The security policy will include employees training programs (Mattord & Whitman, 2005, p.13) on issues concerning keeping information security. Annual training sessions will be adopted. Methodology There will be an annual training of all the employees. They will take the form of seminars where each employee will be expected to attend. Later, issuance of certificates of participation a indicating will be given so as to empower trainees to acquire achievement feeling. This will be part of capacity building (ICC, 2003, 20). Different groups of employees can be trained on a different date. For example, the information and technology security team have special training (Jordan & Silcock, 2005, p.16) relevant to their specific career. Similarly, other employees are generally taught importance of maintaining privacy and dealing with threats above. Details Objectives – As a leader of security team, it will be important to gives the aims of security system to indicate its necessity (ICC, 2003, p.26). Comprehensive plan – The entire active plan is then explained step by steps. This will include the reasons why different employees have different access to information and their respective roles, advantages and potential penalties (Jordan & Silcock, 2005, p.23). It will be important to point that we do not like to punish but rather promote loyalty and teamwork. The idea is to make employees feel that information breach is betrayal of the self (Gerr & Kenniston, 2004, p.23/4). Real examples of effects of information breach need to be collected, told and put in writing in provisional pamphlets. Issuance of written procedures – written copies of the policy and the procedures including penalties must be given to each trainee. In essence, every employee needs to know his role and the repercussions thereof upon violations (Kassner, 2010, p.1). Instant penalties – penalties upon identified information breach should be imposed in time (HCC Information Security Plan, 2009, p.1). This will ensure the employees’ values keeping an organization’s information secure (Mattord & Whitman, 2005, p.22). MECHANISMS TO DETECT EFFICACY OF THE PLAN After a successful implementation of the plan, performance audits for the plan must be performed (ICC, 2003 p.7; Kassner, 2010, p.1). Audits will cover all the loopholes that were initially evidently loose (Tan & Wei, 2003, p.7). Use of trends of statistics is the best way. The relationship between say the number of cases of information breach for different years may be useful to detect progress index (Nichols, 2001, p.8; Tan & Wei, 2003, p.10). For example, a positive index regarding failures to social engineering must be in proportion with the level of induced awareness (Bennet & Regan, 2004, p.10) and respective security measures in the same context. Similarly, human errors must indicate a reducing trend while electronic attacks such as viruses, wiretapping, Trojan Horses among others indicate little to no prevalence. Creating short term goals is another way of detecting progress (Tan & Wei, 2003, p.12). While the plan’s main objectives may be as long term as several years, a security team leader may create short term goals only known to him or her. Arguably, such a leader also needs motivation and this is acquired through achievement of short term goals. The latter serves to assure the team leader that his or her plan is on a positive trend. However, failure of a short term goal may be discouraging and therefore creation of short term goals may be optional but highly recommended (Tan & Wei, 2003, p.12). Anyhow, at each level of the plan, cost-effectiveness must be ensured (Danchev, 2003, p.11; Mattord & Whitman, 2005, p.16). CONCLUSION With the aforementioned holdings at risk and the recommendations put forth in this security plan, it can be concluded that employee empowerment through information security management is paramount to its success. It is therefore important that clear organization policy be defined and set aside with regards to the organization’s information security. Subsequently, this policy information should be made accessible to all the employees in terms of the do’s and the don’ts as well as how to react to certain scenarios encountered in information security. With proper security education and awareness for the employees, it can be projected that in future, the organization’s information will be more secure. The annual training proposed will not only educate employees but enable them be more cautious when handling delicate information. The performance audits to be conducted will also enable the security team identify possible loopholes as well as strengthen the security plan and design it to properly suit the organization’s information security. By creating short term goals, the information security team is able to know whether the plan is working or not and the adjustments needed to full suit the organization’s information security needs. All in all, each individual in the organization should feel part and parcel of this initiative and strive towards its success. It’s only through employee cooperation that the plan will be able to achieve its short term and long term goals. REFERENCES Bennet, C.J. & Regan, P.M. (2004). Editorial: Surveillance and Mobilities. Surveillance & Society 1(4), pp.2-11. Buchanan, S. (1999). Emergency salvage of wet books and records: technical leaflet emergency management. Pittsburgh: University of Pittsburgh. pp.3-19. Bureau of Consumer protection. (2012). Copier Data Security: A Guide for Businesses. Retrieved on October 2, 2012 from http://business.ftc.gov/documents/bus43-copier-data- security Calder, A. (2005). A Business Guide to Information Security: How to Protect your Company’s Assets, Reduce Risks and Understand Law. Great Britain: Creative Printing and Design. pp.1-124. Carroll, J. (1996). Computer Security. (3rd Ed.). Butterworth: Heinemann. pp.3-27. CSU Bakersfield. (2012). Information Security. Retrieved on October 2, 2012 from http://www.csub.edu/infosecurity/isplan.shtml Danchev, D. (2003). Building and Implementing a Successful Information Security Policy. Retrieved on October 2, 2012 from http://www.windowsecurity.com/pages/security- policy.pdf Gerr, P. A. & Kenniston, S. (2004). Information life-cycle management: myths and realities. Milford, MA: The Enterprise Storage Group - InfoStor. pp.4-25. Gruener, J. (2004). What's in store: debunking information life-cycle management promises. Boston: The Yankee Group. pp.14-31. Hammond, K. (2005). Report of an inquiry into unauthorized access and disclosure of confidential personal information held on the electronic databases of Public Sector Agencies. Perth: Corruption and Crime Commission of Western Australia. pp.3-9. HCC Information Security Plan. (2009). Information Technology Security Plan. Retrieved on October 2, 2012 from http://www.howardcc.edu/about_hcc/pdf_documents/Security%20Plan.pdf Herath, T. & Rao, H.R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47, pp.154-65. Hintzbergen, J. & Smulders, A. (2010). Foundations of Information Security. (2nd ed.). Zaltbommel: Van Haren Publishing. pp.2-31. International Chamber of Commerce (ICC). (2003). Information Security Assurance for Executives. Paris, France: International Chamber of Commerce. pp.2-39. Jordan, E. & Silcock, L. (2005). Beating IT risks. Chichester: John Wiley & Sons Ltd. pp.5-32. Kassner, M. (2010). Five tips for securing company data. Retrieved on October 2, 2012 from http://www.techrepublic.com/blog/five-apps/five-tips-for-securing-company-data/392 Mattord, H. J. & Whitman, M.E. (2005). Principles of information security. (2nd ed.). Boston, Massachusetts: Thomson Learning. pp.7-37. Michigan Technological University (MTU). (2011). Information Security Plan. Security plan Review, 3, pp.4-21. Molander, R. C. & Riddile, A.S. (1996). Strategic information warfare: a new face of war. Santa Monica, CA,: Rand. pp.3-37. Nichols, K.L. (2001). Implementing an Information Security Program. SANS Institute InfoSec Reading Room, pp.1-10. Ogden, S. (2002). Technical leaflet emergency management: leaflet 1 protection from loss: water and fire damage, biological agents, theft, and vandalism. Andover, MA: Minnesota Historical Society. pp.2-10. Pick, C. (2004). Turning people into the first line of defence. In Mattord, H.J. & Whitman, M.E. (Ed.). Management of information security. Boston, Massachusetts: Thomson Learning, Inc. pp.61-78. Schneier, B. (2000). Secrets and lies: digital security in a networked world. NY: Wiley Computer Publishing. pp.5-29. Schweitzer, D. (2002). Securing the network from malicious code: a complete guide to defending against viruses, worms, and Trojans. Indianapolis: Wiley Publishing, Inc. pp.6-23. Stevens, M. (2000). Data storage looms as next boom area. Perth: The West Australian. pp.3-26. Tan, B.C.Y. & Wei, K.K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23, pp.3-14. Wahle, T. & Beatty, G. (2004). The emergency management guide for business and industry. Washington, D.C.: Federal Emergency Management Agency (FEMA). pp.2-11. Wood, C. C. (2000). Integrated approach includes information security. Security, 37(2), pp.42- 45. Read More