Impact of Data Security on Enterprise Information Security Planning - Case Study Example

This case study "Impact of Data Security on Enterprise Information Security Planning" discusses the growing need for data security in modern business organizations that impacts enterprise security planning in many ways. Data security requires business managers to engage in planning strategies…

Extract of sample "Impact of Data Security on Enterprise Information Security Planning"

Impact of Data Security on Enterprise Information Security Planning

i. Executive Summary

Advancement in technology affects every sector of life, including the information security of a business firm. Technology influences the way organizations store, process, use and transmit information from one person to another. Today, organizational managers have a critical responsibility in ensuring the safety and security of their organization's information. This paper used a qualitative research design to establish its findings. It collected relevant information concerning the effects of data security on enterprise security planning from secondary sources, which included books, journals, and scholarly as well as valid and reliable research projects found on different online and internet platforms. The findings of the study indicate that data security affects enterprise information security planning in a variety of ways. Primarily, data security demands that all managers develop a business data security plan, also referred to as an information security program. Data security also outlines and describes the essential components of this program and elucidates the role each component plays in achieving the desired organizational security. Lastly, the paper draws a succinct conclusion after analyzing the different benefits that organizations gain from creating appropriate information security programs.

1.0. Introduction

According to Bidgoli (2006), the effects of technological advancement cut across all crucial areas of life, including the manner in which people store, process and pass information from one source to another. Increasing technological advancement proliferates the fear for information safety, leading to rising demands for data security. Modern organizational managers have a critical role to play in ensuring that their organizations' information is safe and secured from mishandling.

The demand for data security has far-reaching effects on the planning of information security in modern organizations (Wright, Freedman & Liu, 2008). Information is a valuable organizational asset that requires suitable protection like any other essential business asset. Primarily, information exists in the form of data before being processed through different techniques. Information may be written on plain paper, stored and transmitted electronically, conveyed in spoken conversation or via films. Whatever the means used for sharing, storing or transferring it, information needs appropriate protection. Data security refers to the art of protecting information from various forms of threats in order to attain business sustainability and continuity, ensure the privacy of organizational information, and minimize risk exposure while maximizing the return on investment and increasing business opportunities (Robichau, 2014). Organizations achieve information security through the effective implementation of an appropriate set of controls encompassing processes, procedures, policies, the firm's structures, and hardware as well as software functions. According to Administration and Finance (2014), organizations need to establish, implement, assess, monitor, review and enhance informational processes where necessary as a strategy for meeting their unique organizational and security goals. However, it is essential to execute this role alongside other business management processes. Data security affects enterprise information security planning in various ways: it dictates how security controls are applied, determines data ownership roles and responsibilities, and gives direction for maintaining the security infrastructure.

This statement implies that data security will determine how the planning of information security in a business firm will occur, who will handle the information, and the processes through which information will flow to reach one person from a given primary source (STDFAOR, 2014). It is, therefore, imperative to assess the impact of data security on enterprise information security planning.

2.0. Data Security versus Enterprise Information Security Planning

ISPO (2016) hypothesizes that the process of establishing a suitable organizational security plan occurs in different stages and requires appropriate utilization of organizational resources to achieve the desired outcomes. This process forms a long-lasting cycle of events and begins by identifying the corporate information security policy and its essential requirements, then training users, administering compliance, and assessing the overall results. All successful companies in the current technological world, whether mid-market, enterprises or small-scale online-based businesses, face an increased risk of suffering a data security breach. The increasing probability of suffering information security threats calls for adequate security planning in organizations. Data security identifies information as an essential value of a business firm; therefore, an organizational security plan has a critical role to play in protecting data and the business value. Poor management of data security results in significant losses, especially in firms subject to government and other regulations. Data security concerns different information aspects embedded in the form of product, financial and customer information. Protecting organizational data from unauthorized access protects its integrity, confidentiality, and sustained availability. Failing to protect data has far-reaching consequences in the form of legal liabilities, increasing business losses, and the loss of company goodwill.

According to Allen (2013), product information entails plans, designs, source code, patent applications and drawings, while financial data concerns the company's financial records and market assessments. Customer information, in turn, means the confidential details that a company holds on behalf of its clients. A good example of how data security impacts enterprise information security planning lies in the consequences incurred by failing to protect the confidentiality of organizational data adequately. Poor data protection leads to the theft of customers' credit card numbers, with associated legal concerns and a loss of goodwill (Administration & Finance, 2014). Losing the confidential information of customers reduces the number of private customers an organization will have in future. Patel (2008) adds that organizational failure concerning data integrity can lead to the embedding of a Trojan horse in the enterprise business software. Such a Trojan gives an intruder ample opportunity to access a firm's corporate secrets and pass them to competitors; the result is the failure to determine the company's real financial status. Establishing an appropriate security program in such an organization implies that the firm has taken synergistic steps not only to mitigate but also to control the probability of losing data in different ways. Also, establishing a security plan implies that the organization in question has a defined life cycle for the efficient management of information security as well as technology within the business firm.

3.0. Components of a Good Security Plan

According to Patel (2008), the demand for data security within an organization affects enterprise information security planning by insisting on the essential qualities that a security plan must contain to ensure business success. An appropriate security plan describes how the company will keep its data safe and secure. For instance, a proper security program takes a holistic approach that explains how every part of the business enterprise is involved in the plan. The program should define the specific types of business data covered and what remains uncovered (Seese, 2009). It assesses the information security threats that a typical enterprise faces and how the organization plans to control and mitigate them. An appropriate security plan also indicates how often and exactly when the organization will evaluate its security program, update the entire document, and assess compliance with the set company goals. However, organizational managers and other stakeholders should understand that a security plan is not a guide for handling incidents; the plan does not detail the courses of action the management takes on detection of a security breach. Nor is the security program an enterprise guide for executing periodic assessments, although it dictates when to conduct a security assessment (Patel, 2008). The following are the constituents of a good security plan.

3.1. Designated Security Officer

According to Wright, Freedman and Liu (2008), having a Designated Security Officer (DSO) in modern business enterprises is not optional but a fundamental requirement in most national and global security standards and regulations. An organizational security plan tasks the security officer with coordinating, enforcing, and implementing the organizational security program. The security officer acts as the organization's internal check and balance. Additionally, the incumbent reports to external information technology experts to attain, maintain, and sustain independence within the enterprise.

3.2. Risk Assessment

IRMA (2010) cites effective risk assessment as an essential component of the security program in a company. It assists in the detection, identification, and appropriate assessment of the information security threats that the business firm aims to manage. Risk assessment is probably the most crucial component of the company security plan because it makes organizational managers think about the specific risks that their enterprises or activities face. This component also allows managers to make viable decisions regarding appropriate, cost-effective and suitable approaches to managing the identified business risks. It is important for enterprise managers to understand that they can only reduce risks, not eliminate them (ISC, 2015). Therefore, assessing industry data security threats helps managers prioritize them and decide on appropriate, cost-effective countermeasures for risk minimization.

3.2.1. Types of Risks Included in the Assessment Plan

According to Allen (2013), risk assessment covers several threats to enterprise data security, such as unauthorized access, physical loss of data, interception of data in transit, corruption of data, and inappropriate handling of data by third parties. Physical loss of data entails missing relevant information due to lack of electric power and blackouts. Further, less obvious causes of physical data loss include the failure of a second disk while the RAID array is still recovering from the failure of the first (IRMA, 2013). Losing data by allowing access to unauthorized individuals has tremendous adverse effects on the organization. ISPO (2016) states that losing client information in this way may entail loss of confidential customer information, and that companies often have a contractual obligation to protect such data as if it were their own.

Risks involving interception of data in transit arise when transmitting data between the different sites of a business enterprise. Additionally, data may be lost when sharing it with company managers, partners, contractors, and employees working from home or other sites. Freely exchanging data with third parties such as the company's sales channels, partners, and contractors raises further risks for the business. Allen (2013) echoes that managers have a role in devising mechanisms that protect data while it is in the hands of such third parties. Corruption of data may involve intentional dishonesty that modifies data to favor other parties indirectly involved in the management and functioning of the enterprise; a good example is the intrusion of keystroke loggers and Trojan horses on personal computers (PCs). Unintended corruption, in contrast, may involve a software error overwriting valid enterprise data.

3.3. Policies and Procedures

STDFAOR (2014) chronicles that managers in modern organizations face a lot of worries while creating the risk assessment plan. The corporate policies and procedures component drives away these managerial concerns by giving managers the opportunity to decide what to do about the identified risks. Therefore, the security plan has to cover essential and influential areas to attain sustainable enterprise data security. The primary area covered by the security plan is physical security (Administration and Finance, 2014). The plan should explain the strategies the business enterprise will employ to protect all three essential C-I-A aspects (confidentiality, integrity and availability) of the firm's data from being accessed by unauthorized persons.

Seese (2009) ascertains that the policy and procedure component entails authorization, authentication and accountability requirements, which set the procedures used for issuing and revoking accounts. This component specifies password creation and aging requirements, audit trail maintenance, and how users authenticate. Security awareness ensures that every user obtains a copy of the organization's acceptable and recommended use policy. Besides every user understanding their roles, security awareness ensures that all of the firm's information technology (IT) employees take a lead role in enforcing the company's IT-specific policies. According to Allen (2013), the organizational risk assessment procedure outlines how regularly the company management will reassess potential IT security hazards and update the firm's security program. The company's data security policy and procedure component also includes incident response techniques, which define how the organization will respond to information security threats. These threats comprise potential events, such as unauthorized port scanning, and actual ones, where a security compromise has occurred. The virus protection component describes how the firm will protect itself from viruses. Such mechanisms may comprise appropriate maintenance of workstation-based products as well as scanning of email, web content, and file transfers suspected to contain malicious content. Administration and Finance (2014) ascertain that an additional component of the organizational security policies and procedures is business continuity planning. This element describes the different approaches the organization will use when responding to natural and man-made disaster scenarios when planning for data security. These practices entail the establishment of suitable systems, backup sites and backup data, and ensuring that the responsible organizational members keep them updated; additionally, these components must be ready to function within the defined recovery time (STDFAOR, 2014).

Lastly, it is important for organizations to establish a mutual and sustainable relationship with partners and vendors. This practice helps in defining the types of organizations one's company deals with, the kinds of data the two can exchange, and the provisions to include in the contract to help protect data. However, establishing a sustainable rapport between the organization and its vendors and partners is an often neglected aspect of data security. This is especially so where the responsible IT organization has had a weak association with the company regarding vendor contracts (Bidgoli, 2006). Organizational managers, therefore, need to take synergistic measures such as evaluating potential business partners' ability to protect their data and emphasizing the need to establish efficient security practices.

3.4. Awareness of Organizational Security

According to ISC (2015), the organizational security community identifies the human factor, rather than technology, as the weakest aspect. Additionally, this component of data security is highly taken for granted despite its weakness. Overlooking human factors, which have a direct connection with organizational security awareness, has far-reaching consequences. Every stakeholder of an organization, including employees, should be conscious of his or her roles and duties regarding security issues. For instance, even employees or casual workers who do not have direct contact with computers on a daily basis should participate in programs aimed at creating data security awareness, because they can easily become targets of social-engineering attacks. Such individuals can easily compromise the organization's physical security. Bidgoli (2006) ascertains that the National Institute of Standards and Technology (NIST) emphasized the significance of ensuring that all levels of the organization are aware of, sensitized to and educated on their duties and responsibilities on security matters. NIST addressed all these details in the Information Security Handbook, starting from the 80th to the 100th publication. Nonetheless, all data users should receive security awareness training; individuals who deal with IT systems directly, however, require more training specific to their roles. ISC (2015) echoes that practical training not only equips IT specialists with relevant functional and professional skills but also gives them the technical experience for handling challenging data security concerns. The IT organization tasked with enforcing a continuous cycle of assessment, acquisition and operation of security-related software and hardware requires a higher level of involvement (Wright, Freedman & Liu, 2008). This should take direction from the individual security specialists and those hired by the organization as consultants.

3.5. Compliance with the Current Regulatory Standards

ISPO (2016) asserts that data security impacts enterprise information security planning by demanding that the organization adhere to and comply with the existing regulatory standards to achieve safety and security. Besides adhering to its own security program, the company in question needs to operate within one or more standards established by external parties. This component of the organizational security program outlines the specific rules to comply with and explains how the organization can efficiently adhere to them. Bradley and Burton (2007) describe some of the regulatory standards that pose synergistic challenges to enterprise data security as including Gramm-Leach-Bliley, PCI, HIPAA, FISMA, and Sarbanes-Oxley. PCI governs the processing of customer credit cards, HIPAA the management of patients' details, and FISMA concerns contractors as well as governmental agencies. Gramm-Leach-Bliley and Sarbanes-Oxley are essential regulatory frameworks for enforcing and complying with financial management in the corporate world.

3.6. Compliance Plan for Audit

Whitman and Mattord (2010) acknowledge a compliance audit program as a significant component of the security plan. This element helps the organization determine how often the organizational director, in collaboration with the company auditors, will audit its data security. It also stipulates how often the organization's auditors will assess and review the firm's adherence to internal security programs and external regulatory standards. There are different security issues that an organization will enforce through auditing, at frequencies varying from daily to annual. Periodic and progressive assessments of the organization's security compliance are relevant (ISPO, 2016), as they can help an organization establish whether there have been any data security breaches. Robichau (2014) adds that information security assessments enable the organization to stay on top of new threats through appropriate staff and technology training. Periodic assessments of organizational security compliance can also help the business enterprise make beneficial investments by helping managers prioritize and focus on the items with the highest impact on the organization's achievement list.

It is always difficult to achieve a security program in an organization because the entire process occurs in the form of a cycle (Whitman & Mattord, 2010). The organization's information technology function remains in the process of iterating through the program's life cycle for all the defined areas. According to Wright, Freedman and Liu (2008), the data security planning process involves continuous risk assessment, establishing risk mitigation plans, setting and enforcing solutions, monitoring the solutions to ensure that they are meeting the expected outcomes, and utilizing the information gained as feedback for the firm's next assessment phase. Likewise, the organizational security plan document must have this essential life cycle built into it. This helps the cycle specify how often the corporate directors will re-assess the risks the organization is prone to face and ensures that program updates are carried out accordingly.

4.0. Conclusion

The growing need for data security in modern business organizations impacts enterprise security planning in many ways. Data security requires business managers to engage in effective planning strategies to achieve sustainable safety and security of their information. Additionally, data security requires these firms to create an appropriate data security plan, referred to as an information security program, with the elements discussed above. The length of the information security plan does not matter; what is important in any organization is the presence of the program and its use in addressing the security of the company. The plan should use a comprehensive, organized, and holistic approach to achieving this requirement. The impact of data security on enterprise security planning requires every organization to have a security program as explained in this paper. The program helps managers maintain and sustain their focus on the security of information technology. Additionally, a security program helps the enterprise management identify and adhere to the regulatory standards affecting how the organization uses and manages its data. A security plan keeps the business manager on the correct track with its clients as well as the customers of the company's products and services. This allows the company to meet not only its legal but also its contractual responsibilities. The life cycle of the plan involves several critical stages that help ensure the firm continues to adapt to the continuously transforming IT environment in which it operates. Therefore, protecting a company's data security is the correct thing to do, as it is the same as defending an essential business asset.

5.0. Bibliography

Administration and Finance (2014). Enterprise Information Security Standards: Data Classification. Commonwealth of Massachusetts. Retrieved on May 15, 2016 from: http://www.mass.gov/anf/research-and-tech/cyber-security/security-for-state-employees/security-policies-and-standards/enterprise-information-security-standards.html

Allen, J. H. (2013). Security Is Not Just a Technical Issue. Retrieved on May 15, 2016 from: https://buildsecurityin.us-cert.gov/articles/best-practices/governance-and-management/security-is-not-just-a-technical-issue

Bidgoli, H. (2006). Handbook of Information Security, Volume 1. Hoboken: John Wiley & Sons.

Bradley, T., & Burton, J. D. (2007). PCI Compliance: Implementing Effective PCI Data Security Standards. Burlington, MA: Syngress.

Information Resources Management Association (IRMA) (2010). Electronic Services: Concepts, Methodologies, Tools and Applications. Hershey, PA: Information Science Reference.

Integrated Security Committee (ISC) (2015). Facility Security Plan: An Interagency Security Committee Guide. Retrieved on May 15, 2016 from: https://www.dhs.gov/sites/default/files/publications/ISC-Facility-Security-Plan-Guide-2015-508.pdf

IT Security and Policy Office (ISPO) (2016). Enterprise Information Security Program Plan. The University of Iowa. Retrieved on May 15, 2016 from: http://itsecurity.uiowa.edu/resources/faculty-staff/enterprise-information-security-program

Patel, D. R. (2008). Information Security: Theory and Practices. New Delhi: Prentice-Hall of India.

Robichau, B. P. (2014). Healthcare Information Privacy and Security: Regulatory Compliance and Data Security in the Age of Electronic Health Records.

Seese, M. (2009). Scrappy Information Security. Cupertino, CA: Scrappy About.

State of Tennessee Department of Finance and Administration, Office for Information Resources (STDFAOR) (2014). Enterprise Information Security Policies: Information Security Program. Retrieved on May 15, 2016 from: https://www.tn.gov/assets/entities/finance/oir/attachments/PUBLIC-Enterprise-Information-Security-Policies-v2.0_1.pdf

Whitman, M. E., & Mattord, H. J. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Wright, C., Freedman, B., & Liu, D. (2008). The IT Regulatory and Standards Compliance Handbook: How to Survive an Information Systems Audit and Assessments. Burlington, MA: Syngress.