Considering the Threats and Vulnerabilities of Information Systems: A Plan for Improvements - Coursework Example

Summary
The paper "Considering the Threats and Vulnerabilities of Information Systems: A Plan for Improvements" proposes actions that include: enhancements to the hiring and promotion processes, implementing a contingency in job appointments, enhancing the sustainability of basic technology…

Considering the Threats and Vulnerabilities of Information Systems: A Plan for Improvements

While some of the Fort Lauderdale Police Department (FLPD) of Florida's modes of management aim to support the department in its efforts to protect citizens, the policies and procedures to protect its information systems require improvements. The occurrences of manmade and natural disasters, along with the ever-rising threat of cyber-terrorism, warrant continued development of risk management planning, an established effort to improve the guarding of information systems (BCF). As it offers added support in plans of action to eliminate or reduce risk (BCF; Wright, 1999), FLPD's Risk Management Division should plan and implement strategies to address imminent, internal, and external threats to information systems.

The current use of forethought in risk management planning considers possibilities. However, current considerations should be examined to further scrutinize the consequential effects of internal and external threats. To combat internal and external threats and guard information systems, proposed actions include the following: enhancements to the hiring and promotion processes, implementing a contingency in job appointments, and enhancing sustainability of basic technology.

Guarding the Information System

The interconnectivity of FLPD's Information Systems Unit (ISU) provides secured information with added convenience. Interconnectivity of the system allows immediate responses to inquiries and eliminates the lag time possible from manual efforts to retrieve information (flpd.org). When an emergency call is entered into the Computer Aided Dispatch System (CAD), the CAD instantly checks other databases supported by the ISU and instantly relays dependable and pertinent information.
Thus, the efficiency of the ISU aids FLPD's Public Safety Communications Center in its quick responses to the emergency needs of its citizens. Without effective or secured informational systems, however, emergency operations may lack proficiency in their efforts to respond to citizens' needs. Time is a critical element of rescue efforts. Mishandled minutes or seconds may result in delayed responses, deaths, or even a crisis. One purpose of FLPD's Public Safety Communications Center's information systems is to decrease the opportunity of danger by retrieving dependable information for the purpose of responding to emergency needs of citizens.

Not only does the ISU support FLPD's locally operating system, but it is also linked to databases that harbor critical information for other areas. For example, the ISU's informational contribution to Florida Crime Information Center Systems adds pertinent information to The National Crime Information Center Systems (SafirRosetti, 2006). Jeopardy FLPD's centralized information system renders extremely vulnerable. Information systems act as the nucleus of interconnectivity and efficient communication (ISACA). The absence of interconnected systems that work properly disturbs emergency operations. Thus, guarding FLPD's Information Services Division is imperative and requires the implementation of new policies and procedures that begin with the hiring process.

Enhancing the Hiring Process

The Fort Lauderdale Police Department (FLPD) recognizes the serious role of staff working in the Information Services Division, as it reports that "all personnel are mission critical" (SafirRosetti, 2006, p. 44). Thus, all staff members must be thoroughly screened and periodically evaluated. The police department assesses the credibility of candidates for employment through background checks, a series of interviews, tests, and extensive training (ci.ftlaud.fl.us/jobs).
For applicants seeking positions within FLPD, the hiring process may seem strenuous or in-depth. For the FLPD, however, the process is the usual application, series of interviews, and/or background checks. Does the fact that an applicant successfully completes an application, series of interviews, and background check prove his or her worthiness as a genuine applicant, one who has no concealed motives for applying? Motivations to apply for a job within a police department fall inside a broad range, one that is too far-reaching for an application process to narrow and determine for each individual. Some individuals may seek a dependable job that helps the public. Others may be on the prowl, hunting for a channel that provides opportunities to carry out malicious acts. Some individuals seek the most convenient and inexpensive method to destroy certain targets. While the application process may eliminate some applicants not suitable for positions within the police department, it has no definite way of determining the motives of those who appear more suitable.

Even the most extensive application, background check, and interview can fail to notice the hidden motives of an individual such as a cyber-terrorist. A cyber-terrorist uses "cyber tools to shut down critical national infrastructures (such as energy, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population" (Watson, 2002, p. 8). Working as part of a police department would not only provide a suitable disguise as one who helps, but it would also provide an ample opportunity for the cyber-terrorist to implement a plan of attack without the department knowing that an enemy lies within. Cyber-terrorists aim to destroy while evading suspicion. For example, Robert T. Morris' 1998 Internet Worm wreaked havoc on numerous computer systems before Morris was pinpointed as the culprit.
Even so, Morris' identification, trial, and conviction transpired only because he spoke of his creation to several people. Another cyber-terrorist of the 1980's, the author of the infamous Michelangelo virus, remains unidentified and escaped consequences altogether (Littleton, 1995). The great probability of successfully evading capture, coupled with the benefit of easily inhabiting restricted areas, makes the crime of cyber-terrorism more appealing. Thus, the duty of operating and maintaining restricted informational systems provides a cyber-terrorist ample opportunity and may compel him or her to seek a position within FLPD's Information Systems Division.

Unfortunately, a cyber-terrorist can gain access to a restricted area without physical occupancy within the Information Systems Division. The cyber-terrorists' sophisticated abilities enable them to "crack passwords or find a back door route through a security firewall" and show that hackers can easily use a simple act to corrupt data in high technology (Wilmot, 2004, p. 287). As their sophisticated abilities empower them, cyber-terrorists receive the same command over a computer system as a trusted systems manager (Morris, 2005). To combat the internal and external threats of cyber-terrorism, the Risk Management Division should implement new policies with regard to attaining and maintaining new positions and promotions.

Contingency of Positions

Once an applicant has acquired a desired position with the department, his or her continued job appointment should be contingent upon the terms of a 90-day probationary period. The probation should include more frequent observations, additional interviews, and evaluations by the supervisors. In addition, observations and evaluations should not be the only means to determine his or her job appointment, proficiency, or promotion. A ten-part phase similar to the probationary period should be required prior to an employee's promotion to the Information Services Division.
Thus, the period of approximately five years would allow supervisors to assess the proficiency and trustworthiness of an employee prior to approving any promotions, especially ones to the Information Services Division.

To further enhance the contingency process, supervisory positions require attention. The person in charge of managing FLPD's Information Systems Unit (ISU) observes and evaluates staff members who work with the information system (SafirRosetti, 2006). Since managing the ISU entails more duties than observing and evaluating staff members, observations and evaluations provide limited protection for the system. Performing a host of other duties undoubtedly interferes with supervisors' competence while evaluating subordinates. Wilmot (2004) points out the haphazard security of information systems: "In most agencies, security is relegated to someone in the information services (IS) department, who usually has many other duties" (p. 291). In other words, the person who manages the ISU and those operating it has added responsibilities that may detract from his or her meticulous guarding of the system.

Though FLPD implements plans to protect the information systems, the potential for internal threats still exists. Therefore, it is imperative that supervisors have the sole and single responsibility of performing evaluations. Evaluating supervisors should not be held accountable for any other duties besides protecting the best interest of the information systems. Moreover, the current initiative for information security should create a new position apart from the one managing the ISU. The new position should be high in the management hierarchy and occupied by the Director of Information Security Management (Wilmot, 2004). The director's sole purpose should be to evaluate and respond to threats to the information system. Streamlining duties will induce competence among system operators and enhance security of the information system.
If enhancements of the hiring process, contingency of job appointments, or creation of the Director of Information Security Management do not completely remove applicants and/or employees with harmful intent, they will at least prolong the time before such individuals attain a position within the Information Services Division. Implementation of the aforementioned strategies would enhance FLPD's current methods that address internal threats with added protection for its information systems.

Enhancing Sustainability of Technology

Like internal threats, external circumstances also endanger the basic feature components of information systems. Unforeseen events such as natural disasters and terrorist attacks detrimentally affect information systems critical to public safety. Communication within and among agencies at various levels is a critical element of any rescue effort (FRC, 2006; Golden, 2006). However, the attack on September 11, 2001 (9/11) and Hurricane Katrina devastated communication efforts and significantly delayed rescue efforts (FRC, 2006). Quoting Thomas Kean, co-chairman of the 9/11 Commission, the First Response Coalition illustrates that the call for action is the same now as it was several years ago: "On September 11, people died because police officers couldn't talk to firemen. And Katrina was a reenactment of the same problem" (FRC, 2006, p. 7).

To prevent a repetition of crises caused by 9/11 and Hurricane Katrina, established systems should be enhanced to sustain interconnectivity and interoperability through unforeseen events and/or natural disasters. Since major failures of technology resulted in the 9/11 attack, directing improvements toward ensuring sustainability of basic technology is plausible. To avoid manual restoration of services, however, the Risk Management Division should consider creating a virtual command center for FLPD (Turoff et al., 2003). A virtual command center would continue to utilize the efficiency of basic technology.
In the event that the technology is disabled, it could be restored without human presence at a particular site. As a result, the reinstatement of power and rescue efforts could be expedited. According to Littleton (1995), the versatility of information systems provides systems' operators with multiple opportunities to implement change. Adding a compatible link onto established systems would implement the modification necessary to enhance information systems.

Protecting Without Disruption

The aforementioned strategies would not only enhance security, but their implementation would also cause little disruption to the established policies and procedures as well as information systems. If the strategies are implemented properly, the Risk Management Division would succeed in its efforts to support FLPD's responsibility of responding to and providing for the needs of its citizens.

References

Broward County Florida. Risk management division. Retrieved January 16, 2007, from http://www.broward.org/riskmanagement/welcome.htm.

First Response Coalition. (2006, April). The imminent storm 2006: Vulnerable emergency communications in eight hurricane prone states. Retrieved January 19, 2007, from http://www.firstresponsecoalition.org/docs/Hurricance-Interop-Paper.pdf.

Fort Lauderdale Police Department. Communications center. Retrieved January 7, 2007, from http://www.flpd.org/commcenter.html.

Fort Lauderdale Police Department. Fort Lauderdale Police Department human resources. Retrieved January 7, 2007, from http://ci.ft.aud.fl.us/jobs/employment/info.html.

Golden, C. (2006, September). A clear message: As a firefighter at Ground Zero, and now with GSA, Michael Pena pushes for better emergency communications. In Government Computer News. Retrieved January 5, 2007, from InfoTrac OneFile via Thomson Gale: http://find.galegroup.com/ips/printdoc.do&prodid=IPS &userGroupName=lirn_main&doc

ISACA: Serving IT Governance Professionals. ISACA overview and history. Information Systems Audit and Control Association. Retrieved January 3, 2007, from http://www.isaca.org/PrinterTemplate.cfmsection=overview_and_History&Template=Co...

Littleton, M. J. (1995). Information age terrorism: Toward cyber terror. Retrieved January 13, 2007, from http://www.fas.org/irp/threat/cyber/docs/npgs/terror.htm.

Morris, D. A. (2005). Tracking a computer hacker. United States Department of Justice. Retrieved January 8, 2007, from http://www.usdoj.gov/criminal/cybercrime/usamay2001_2.htm.

SafirRosetti. (2006). Staffing Study of Fort Lauderdale Police Department. Retrieved January 5, 2007, from http://ci.ftlaud.fl.us/documents/safir_study071505.pdf.

Turoff, M., Chumer, M., Van de Walle, B., & Yao, X. (2003). The design of emergency response management information systems (ERMIS). Retrieved January 17, 2007, from http://web.nijt.edu/turoff/Papers/cmcrdesignfinaljitta.html.

Watson, D. L. (2002). Congressional testimony: The terrorist threat confronting the United States. The Federal Bureau of Investigation. Retrieved January 8, 2007, from http://www.fbi.gov/congress02/watson020602.htm.

Wilmot, R. (Ed.) (2004). Domestic and international terrorism. Boston, MA: Pearson Custom Publishing.

Wright, G. C. (1999). Operational Risk Management. Mobility Forum: The Journal of the Air Mobility Command's Magazine. Retrieved January 16, 2007, from Academic Search Premier: http://web10.epnet.com/DeliveryPrintSave.asptb=1&_ug=sid+ABD96D7B-0CD4-4E45-9...