Threats to Information Holdings - Essay Example

Summary
This essay "Threats to Information Holdings" presents information security, which refers to the assortment of technologies, policies, standards and management practices used to keep information safe. Firms are depending more on their information databases…

Extract of sample "Threats to Information Holdings"

Security Plan

Table of Contents
Introduction
Objectives
Scope
Organizational information holdings at risk: physical holdings; human holdings; electronic holdings
Threats to information holdings: physical threats (burglary, natural calamities, disruption); human threats (misplacement and carelessness, unauthorized access, errors); electronic threats
Security Plan: physical counter-measures; human counter-measures; electronic counter-measures
Information security education and awareness program: innovative and tested processes; measures for testing the plan's efficacy
Conclusion and Recommendations
References

Introduction

Information security refers to the assortment of technologies, policies, standards and management practices used to keep information safe. In the current technology environment, firms depend more and more on their information databases, and members of the public doing business with organizations are increasingly concerned about the correct use of their personal data. A wide range of threats to organizational information systems from terrorists and criminals is on the rise. Most organizations therefore recognize information as a functional area that should be protected through effective security plans and systems. Efficient and effective information security plans need commitment and direction from both senior management and subordinate staff (Khosrowpour, 2001, p.141). A recent review of an organization's information security control system established deficiencies in several key areas: incident response, business continuity and disaster recovery, social engineering of personnel, lack of employee awareness of the range of information threats, and defective password security. In this paper, a security plan will be designed on the basis of this audit.
Objectives

The general objective of this research is to develop a security plan that addresses the current and potential threats to the organization's information. The specific objectives of the research are:
  • To identify and explain the physical, human and electronic information holdings of the organization that may be at risk.
  • To find out and describe the real and potential physical, human and electronic threats to those information holdings.
  • To devise a security plan that sets out the physical, human and electronic measures for controlling the threats to the information holdings.
  • To set up a detailed information security awareness and education program, including tested and innovative processes to enhance security and measures for assessing the plan's efficacy.
  • To recommend any changes that may need to be made to the security plan to improve the organization's information security in the future.

Scope

This research covers the information holdings of the organization that could be facing threats, including physical, human and electronic holdings, and the real threats that these holdings face. A security plan will then be developed that aims to counter the identified threats. The plan will also be based on the findings of the organization's information security audit, which concern incident response, social engineering of personnel, business continuity and disaster recovery, lack of employee awareness of the range of information threats, and defective password security. Finally, the research covers an information security education and awareness program for the organization, to be used by management, employees and contractors.

Organizational information holdings at risk

Physical holdings

Several of the organization's physical information holdings are at risk. To start with, a large proportion of organizations use computers to record and analyze information.
According to Quigley (2005, p.35), such computers are at risk of being stolen or accessed without permission. Servers are used to distribute information to the different functions within and outside the organization; the heads of those functions then pass information on to the personnel working under them and to stakeholders with business links to the organization. Servers are therefore physical information holdings that are at risk of illegal access. The organization also uses office telephones to communicate internally and to make external calls. Different employees are charged with receiving and making calls for different purposes, but there are cases where an employee receives a call not meant for them and so obtains information they have no permission to hold. Another physical information holding is the UPS, which is used to prevent loss of computer data during unexpected power failures and computer breakdowns; people intending to tamper with the organization's information may interfere with the UPS in order to cause data loss. Furthermore, organizational information held in hard copy is at very high risk, since it can be stolen, read or amended, and the offices and rooms in which it is stored can be broken into, so those storage areas are at risk as well.

Human holdings

One of the human information holdings that may be at risk is the set of files containing employees' personal data such as marital status, health, age, ethnicity and education level. In most cases employees must provide their personal information when they are hired. This information is normally kept in files, which face the risks of misplacement, theft or unauthorized access. The organization also employs different professionals on different employment terms, so different employees work under varied employment contracts.
Information on those contracts should be known only to the human resource personnel and the individual employees concerned, but there is a risk that employees outside the HR function access it. Interpersonal relations through social networks and forums may also be at risk of hacking, where people attend social forums without invitation (Whitman & Mattord, 2010, p.246).

Electronic holdings

Rao & Upadhyaya (2009, p.505) maintain that electronic information holdings face a higher risk than physical and human holdings owing to advancing technology, and much of the organization's information is stored in electronic form. Passwords to organizational sites, email addresses, computer systems and databases are the most affected electronic holdings, because such areas are accessed by many employees and the passwords are therefore known to many people. In addition, the organization's information relating to copyrights, trademarks, licenses and contracts faces risks of forgery and imitation. Information on credit cards, mobile numbers and social security numbers of employees, customers and suppliers may be interfered with, either by the organization's employees or by outsiders, through information sharing. Other electronic information holdings that may be at risk include organizational articles, white papers, press releases and marketing software. Information can be used by the organization as a competitive advantage over its rivals, so access by competitors to the organization's business strategies and marketing software can lead to the collapse of the organization under stiff competition. Furthermore, the research and development function is a key area that keeps the organization up to date with the prevailing conditions and changes in the market.
Market survey data gathered by the marketing personnel therefore faces some risk: if it leaked to rival firms, they could use it to devise marketing strategies similar or superior to those of the organization (Backhouse & Dhillon, 2000, p.125).

Threats to information holdings

Physical threats

Burglary

Drawing on Tudose (2012, p.77), burglary mostly affects physical and human information holdings. Information stores and transmitters such as computers, UPS units and telephones may be stolen from the organization's premises by dishonest employees or by outsiders. If a computer is stolen, the information stored in it may be lost; the thief may want either the computer itself or the information stored on it. If a UPS is stolen, organizational information may be lost indirectly, because the UPS provides back-up power to prevent loss of data, particularly unsaved data, during a power failure; such data is lost if a power shortage or breakdown occurs while the UPS is missing. Theft is also a threat to information stored in office files, books of account, vouchers and receipts. A person with malicious intent may break into an office and carry away files containing employees' information or general organizational information such as debtor and creditor records. The loss of such data may have adverse effects on the organization's operations, which may in turn lead to financial losses.

Natural calamities

These include earthquakes, floods, hurricanes and fires, which cause massive destruction to property. Information loss from natural calamities may occur if the organization's premises are destroyed.
In most cases earthquakes and hurricanes cause buildings to collapse, so any information stored in those buildings, whether hard copy or soft copy, may be lost. Fires in the organization's buildings may result from electrical faults; information loss occurs only if people do not respond to the incident in time or fire-fighting equipment is lacking, leading to total destruction of the building (Tudose, 2012, p.78).

Disruption

Tudose (2012, p.78) further asserts that disruption is a situation in which an individual or group incites the employees of an organization in order to cause a temporary stop to its operations. Disruptions involve incitement to destroy property and to cause tension within the organization. They threaten physical and human information holdings, as looting may take place or office equipment such as computers, telephones and files may be destroyed.

Human threats

Misplacement and carelessness

Drawing on Ciampa (2005, p.112), organizations, especially large ones, receive and keep huge amounts of data and so hold a large number of files, documents and records; instances of misplaced files and documents are therefore very frequent. The situation is made worse where the personnel in charge of information documentation are careless. Misplacement may cause information loss, since the files may never be found, and it may also deliver very sensitive information to people who should not have access to it, which threatens the organization's information privacy.

Unauthorized access

This is one of the biggest threats to all information holdings in the organization, because it takes different forms and interferes with the privacy of the organisation. Unauthorized access to organizational information may result from hacking of the organization's information systems, which is mostly done by outsiders who may be rivals of the organization.
Exchange of passwords among employees, or between employees and outsiders, may also result in unauthorized access to organizational information, and misplaced files and documents can cause illegal access where they land in the wrong hands (Ciampa, 2005, p.115).

Errors

Ciampa (2005, p.115) argues that human errors occur when recording information, typing, making calls, posting letters or sending emails to colleagues, suppliers, customers or shareholders. Errors threaten human and electronic information holdings. Typing or recording errors may convey wrong messages or wrong information, and emails or letters may be sent to the wrong people where wrong email or postal addresses are used. This undermines the accuracy of the internal and external distribution of information in the organization.

Electronic threats

One electronic threat to the organization's information is the breakdown of computer applications, Windows and storage systems. During such breakdowns the computer systems are formatted, and data stored in areas other than the local disk D may be lost. Unexpected power shortages threaten electronic data, especially data that has not yet been saved on the computer. Another threat to electronic information is interruption, which occurs when the user of a computer network is unable to access it, as in a denial of service. Interception also threatens information security: it occurs when a person copies information stored in the organisation's computer systems, or data while it is being transferred to other users (Dhillon, 2006, p.34).

Security Plan

Physical counter-measures

According to John (2000, p.23), several physical measures will be used to help manage physical threats to organizational information.
In the first place, security walls will help prevent people from breaking into the organization's premises. Alarm systems will be installed, especially in rooms where sensitive information is kept, so that only authorized employees can access those rooms. CCTV surveillance will be installed alongside the alarm systems to watch over the movements and activities of employees; if an individual tampers with or mishandles organizational information, he or she can be held accountable, since the surveillance provides concrete evidence. Natural calamities cannot be prevented, so measures will be put in place to mitigate the extent of the damage they may cause. For fires, smoke detectors and fire extinguishers will be installed to allow a quick response to outbreaks on the organization's premises and avoid massive destruction. John (2000, p.25) further maintains that the threat of disruption will be controlled by holding open forums in which employees can air their needs and views on the organization's policies; this will help avoid incitement resulting from employee dissatisfaction and lack of involvement in the organization's decision-making. Physical threats to information holdings will also be controlled through entry controls: access to places holding sensitive information will be restricted by installing access control devices that verify access rights and ensure that only authorised people enter.

Human counter-measures

According to Schou & Shoemaker (2006, p.67), identification will be used to assign an identity to each system and individual in order to support decisions about the access levels that ought to be granted. Identification is arranged so that each user's identity is distinct from every other user's.
Remote access to the organisation's information resources, such as computers, routers and switches, and to confidential or sensitive information will be provided through authenticated, centrally controlled and secure access techniques. The organisation's systems containing sensitive personnel, customer and financial information will be made available for off-site remote access via a centrally controlled VPN that provides secure authentication and encryption. Threats to human information holdings will also be controlled through separation of organisational duties. Duties relating to key business processes will be performed by specific individuals, and the responsibilities of system administrators, programmers and database administrators should not overlap unless the data owner authorizes it. Responsibilities will be assigned in an orderly manner across several employees to ensure that effective checks and balances exist. Furthermore, a good and orderly filing system will facilitate easy retrieval of files and vouchers, and personnel in the record-keeping function will be held accountable for misplaced files. This will reduce the frequency of misplacement, which in turn lessens the possibility of files and documents being accessed by unauthorised people (Schou & Shoemaker, 2006, p.69).

Electronic counter-measures

Network attacks launched through the internet or the organisation's own networks may cause substantial harm to the organisation's information holdings, including unauthorised disclosure of sensitive information. To defend against such attacks, network filtering and firewall technology will be applied in a consistent and structured manner, and intrusion detection systems and firewalls will be set up around the organisation's electronic information holdings.
Intrusion control systems will also be installed for the organisation's central services to supplement the normal security controls and to counter denial-of-service attacks, malicious code and other traffic that puts the network at risk. Viruses threaten the organisation because infected computers can convey confidential data to unpermitted third parties, provide a foothold for unauthorised entry to or use of the internal network, infect other devices connected to the network, or interfere with the organisation's IT services. The spread of viruses will be controlled by limiting the sites that can be accessed from within the organisation's network and by using anti-virus software. A back-up power source will be provided to avoid loss of unsaved information during unexpected power shortages (Kumar, Park, & Subramaniam, 2008, p.241).

Information security education and awareness program

Innovative and tested processes

Drawing on Kolb & Abdullah (2009, p.103), the information security control team should assess the existing procedures and policies to ensure that they are up to date and adequate, and should assess the strengths and weaknesses of the current policies. Where there are no adequate information security policies, new policies ought to be developed. The policies should include a scope, a target audience, realistic disciplinary action for breaches of the policy, and clear instructions. This ensures that the information security policies remain effective, since any weaknesses identified will be addressed by developing new policies or amending existing ones. Effectiveness is further supported by including disciplinary actions for non-conformity with the policy, because employees will be reluctant to breach it for fear of attracting liability.
A survey will also be carried out among the organisation's employees with questions relating to the present information security procedures and policies. Its main objective is to ascertain employees' level of knowledge of the current policies. The survey questions will address awareness of computer viruses, the presence of computer viruses arising from use of the internet, dissemination of spyware or viruses, and data classification levels. Another process is end-user education, which will start with a two-hour training session. Each employee who takes part will receive a completion certificate, which helps ensure that all employees undergo the training, since every employee's contribution is needed to enhance information security within the organisation. The session agenda will include a talk about the information security awareness program, the organisation's commitment to the security of its information, and current threats to information security. Continuous awareness campaigns will be carried out monthly, since a single education session is not adequate to promote information security awareness; workers ought to be continuously reminded of present information security risks and of acceptable conduct in different situations. This will be done by putting up posters on notice boards in high-traffic parts of the organisation such as elevators, cafeterias and hallways (Kolb & Abdullah, 2009, p.104).

Measures for testing the plan's efficacy

Drawing on Bulgurcu, Cavusoglu, & Benbasat (2010, p.523), a number of measures will be used to evaluate the efficacy of the security plan. First, the effectiveness of the physical counter-measures will be assessed by the number of break-in incidents reported in a given period.
After the installation of surveillance cameras and security walls, incidents of unauthorised persons breaking into offices or the organisation's premises should be very few, if any. A high rate of break-ins will indicate that the measures are ineffective and that the security plan needs amendment. The time taken to retrieve information from stored files and documents will be used to measure the efficacy of the organisation's filing system and to check whether the rate of misplaced files has fallen. A limit will also be set on the number of employees carrying out duties relating to the organisation's information resources; if the number of workers exceeds the limit, that indicates the plan is ineffective, because having many employees handling information-related duties exposes the organisation's information to a high risk of unauthorised access, interception and interruption.

Conclusion and Recommendations

Information forms a central part of an organisation, and the threats to organisations' information are increasing, so organisational information needs to be protected. The physical information holdings at risk include computers, servers, UPS units, information storage areas and office telephones. The human information holdings at risk comprise files, employment contracts and interpersonal relations through social networks. The electronic holdings at risk are passwords to the organisation's websites and email, trademarks, licenses and contracts. Physical threats to organisational information are burglary, natural calamities and disruption, while human threats include misplacement and carelessness, unauthorised access and errors. Physical measures for controlling the threats are security walls, CCTV surveillance, smoke detectors and fire extinguishers, and entry controls.
Human threats will be managed through identification, remote access, authentication codes and separation of organisational duties. Electronic counter-measures include network filtering and firewall technology, intrusion control systems, limited access, and a back-up power source. From the information security systems audit and the security plan, it is clear that the organisation's electronic information holdings are the most affected, compared with physical and human holdings, because most of the organisation's information sources, storage and transfer systems are in electronic form. It is therefore recommended that the organisation's information security plan and policies concentrate mainly on managing the threats to electronic information holdings, and that computer software be kept up to date to ensure maximum protection of information. For the information security awareness and education program to be effective, the security management team should ensure that it has strong support from top management, who are responsible for formulating the organisation's strategies and policies.

References

Backhouse, J., & Dhillon, G. (2000). Information system security management in the new millennium. Communications of the ACM, 43(2), 125-128.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-529.
Ciampa, M. (2005). Security+ guide to network security fundamentals. Boston: Course Technology.
Dhillon, G. (2006). Principles of information systems security: Texts and cases. Hoboken: Wiley.
John, L. W. (2000). COBIT: A methodology for managing and controlling information and information technology risks and vulnerabilities. Journal of Information Systems, 14(2), 21-25.
Khosrowpour, M. (2001). Managing information technology in a global environment. Hershey: Idea Group Publishing.
Kolb, N., & Abdullah, F. (2009). Developing an information security awareness program. International Management Review, 5(2), 103-107.
Kumar, R. L., Park, S., & Subramaniam, C. (2008). Understanding the value of countermeasure portfolios in information systems security. Journal of Management Information Systems, 25(3), 241-279.
Quigley, M. (2005). Information security and ethics: Social and organizational issues. Hershey: IRM Press.
Rao, H. R., & Upadhyaya, S. (2009). Information assurance, security and privacy services. Bingley, UK: Emerald.
Schou, C., & Shoemaker, D. (2006). Information assurance for the enterprise: A roadmap to information security. NY: McGraw-Hill Irwin.
Tudose, M. (2012). Identifying the risks towards critical information and communications technology infrastructure. Buletin Stiintific, 17(1), 77-85.
Whitman, M. E., & Mattord, H. J. (2010). Management of information security. Australia: Course Technology Cengage Learning.