Information Security Program Development - Case Study Example

Summary: This paper, "Information Security Program Development", discusses information itself as the asset most important to an organization. Without information, an organization cannot use its other resources efficiently and effectively. It is vital that the organization possesses the intangible asset of knowledge…

Extract of sample "Information Security Program Development"

The Importance of Information and Its Security

Information is one of the most important assets an organization holds. Without it, an organization cannot use its other resources efficiently and effectively. To form a strategy it is vital that the organization possess the intangible asset of knowledge and information, which it can use to assemble bundles of resources that provide a sustainable competitive advantage in a large market with intense competition (Hisrich, Entrepreneurship). Strict adherence to a properly defined security system for information systems is extremely important in several industries, since they hold a large amount of critical and sensitive information that is valuable to the organization and its stakeholders, and that information can easily be manipulated or tampered with. Many organizations take a reactive approach, recognizing the need for such systems only after they have lost valuable information; smarter companies take a proactive approach and build their systems beforehand to limit the damage the company would face from loss or corruption of such data (Maybelline, 2010). For an organization's objectives to drive its survival and profitability, information is of paramount importance. It is a fundamental requirement, and a business depends deeply on knowledge and information no matter how large or small the company is or what its information needs are. All of that information, or raw data, lives in the organization's computer systems, which are highly prone to being violated and misused if proper security measures are not adopted (Gabrielson, 1994). For example, an insurance company can improve the quality of the products it offers its customers if it has in-depth information on the customer base it serves.
The more knowledgeable an insurer is about the customers it serves, the easier it is to provide products that satisfy their needs. Information such as the number of children in each household the insurer serves can prompt ideas for college insurance plans or savings funds for young children. The information insurance companies hold is vital to their profitability. They also hold sensitive information such as customers' social security numbers, which must be protected against infiltration and corruption, since any leak of such data damages the company's reputation.

Case in Hand

We will discuss the case of BIC Insurance Company, which decided to migrate to an up-to-date, modern information security system. Initially the company used very old-fashioned methods of securing its important corporate and customer data. The potential damage was severe, since the data was highly exposed to outsiders. The company set up a project to identify what information was important and then formulate a plan through which a new strategy for securing data could be implemented. This involved building an inventory of all information assets, classifying new information as it was created, and defining groups of people who could be granted different permissions to access different data. All employees were trained on the new security system, which made the rollout smoother: each employee received an ID and password whose access rights matched his or her role and position, and employees came to understand those rights through extensive training and the use of manuals.
Mini boot camps were also set up for the trainers who went on to train BIC's employees, and additional staff were hired for support purposes (Case study, BIC).

Vulnerabilities and Threats

BIC makes heavy use of communication systems and of complex computer and information systems: telephone lines, LANs, WANs and so on. Because these systems are connected not only within the organization but also physically beyond its boundaries, they are vulnerable to risks that exist both internally and externally. If proper methods of protecting the data are not used, critical data and information that the organization relies on for its success and competitive advantage could be corrupted or lost. Information as important as business strategies, business plans and information about customers, suppliers and other stakeholders could easily be destroyed. Viruses that jam systems, and hackers who break into systems and erase information, are a constant threat to every organization; with technology changing so rapidly, any single protective method can eventually be attacked, and intrusion into company systems is possible even for an amateur, however secure the organization believes its data to be. For example, the insurance company under discussion initially used only a very basic online security system to protect vital information such as its corporate data, which was exposed to both internal and external threats because the system was reachable from outside. There was no way to stop anyone outside the organization, and anyone with basic programming skills could disrupt the system. Such are the threats for an organization holding so much important and private information if proper steps are not taken to ensure full security of the data.
At BIC there is constant tension over what should be given more priority: the core operations of the company, such as the marketing, sales and finance functions, or the security of its important information. What should be realized is that all of these functions generate the information an organization needs to gain competitive advantage, and that securing this data is vital because the data must remain unique, difficult to imitate and non-substitutable. Most of this data is so sensitive that the only way to keep the edge is to give it the right kind of protection (David, 2007). This is why BIC and other firms need a formal security plan and security controls; it is the wisest decision even though there is a trade-off between cost and benefit. A little added cost reaps large benefits in the long run, benefits that can later be quantified in the increased profitability and success of the organization. It brings not only tangible but intangible benefits, by building customer trust in and satisfaction with the organization. "Businesses that successfully lead in the information age will be those that efficiently find the balance between protecting corporate and customer information, and making sure good ideas and creativity are not 'pent up' and made ineffective." (Ramana)

Risk Assessment

Risk is anything that causes negative externalities to a business.
Business risk is risk that causes the profitability and cash flow of an organization to decrease; it describes the uncertainty within the organization's operations about whether the returns expected in the future will be realized (hjventures.com). Risk assessment is a formal, structured process through which an organization decides which critical factors could threaten its information, which vulnerabilities in its systems those threats could exploit, and how detrimental it would be for the organization if the data were exposed or corrupted.

The three major information assets BIC held were:
1. Corporate information
2. Customer information
3. Product information, e.g. health insurance and life insurance packages

The risk assessment found four major kinds of threat to information and data. In general, there are four kinds of computer security threat: interruption, interception, modification and fabrication.

Interruption is a threat that occurs when information processing, or the transfer of information from one place to another, encounters delays and disruptions. This adversely affects daily business operations. Virus attacks on the systems can manipulate important information and delay its processing. This is damaging for an insurer, because insurance relies on the timeliness and accuracy of the data being processed, so a risk of this kind hinders the daily operations of the business.

Interception involves access to information by people who are not authorized to have it. Outsiders such as competitors can then manipulate the data and use it against the company. People who browse through databases or tap phone lines are intercepting information. The company's life-insurance business usually sells its new products by telephone.
It keeps lists of the customers it targets, and those lists were generated by means that should not be revealed to competitors. Through interception, competitors can look at your information without any authority to do so. On private networks the problem is insiders, who have been blamed for most incidents of this kind.

Modification involves a hacker or other unauthorized user changing the hardware or software components of the systems, and sometimes the data itself, voiding the authenticity and accuracy of the data. For example, if an outsider changes data in BIC's corporate client profiles, it becomes very difficult for the organization to sell the right product to the right people.

Fabrication is one of the major threats to the existing information assets of an insurance business. It involves counterfeiting data, or modifying it in such a way that the change benefits the outsider. An example of fabrication would be a customer altering an insurance claim so as to receive more than is actually owed (Gabrielson, 1994).

Risk Control Strategy

The most appropriate way to come up with a security plan that involves the entire organization is shown in the diagram below (Gabrielson, 1994). The best control strategy for BIC, where information is frequently exchanged with external parties, combines steps such as placing web sites behind firewalls and giving every employee an individual ID and password to a centralized database that holds all the information about customers and their background. Based on their roles and positions in the organization, employees are authorized to perform certain tasks, and they can use and change the data only to the extent their role allows.
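The role-based permissions described above, worked through as an added example (this is not code from the paper or from BIC). It assumes three roles, a small user directory and two actions (read, update), all constructed for illustration; the three assets are the ones the risk assessment listed. Access is denied by default, an unknown user or role gets nothing, and every decision is logged so that denied attempts can be reviewed.

```python
"""Deny-by-default, role-based authorization for a centralised customer database.

Added example illustrating the control strategy above (one ID per employee,
permissions granted by role); not code from the paper. The roles, the
sample users and the action names are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# The three information assets identified in BIC's risk assessment.
CORPORATE, CUSTOMER, PRODUCT = "corporate", "customer", "product"
READ, UPDATE = "read", "update"

# Role -> permitted (asset, action) pairs. Anything not listed is denied,
# so a new asset or action is unreachable until someone grants it explicitly.
ROLE_PERMISSIONS = {
    "sales_agent":  {(CUSTOMER, READ), (PRODUCT, READ)},
    "claims_clerk": {(CUSTOMER, READ), (CUSTOMER, UPDATE), (PRODUCT, READ)},
    "underwriter":  {(CUSTOMER, READ), (PRODUCT, READ), (PRODUCT, UPDATE)},
    "executive":    {(CORPORATE, READ), (CORPORATE, UPDATE),
                     (CUSTOMER, READ), (PRODUCT, READ)},
}


@dataclass
class Decision:
    user: str
    role: Optional[str]
    asset: str
    action: str
    allowed: bool


class AccessControl:
    def __init__(self, user_roles: dict):
        # user id -> role. Authentication (the ID and password check) is
        # assumed to have happened before authorize() is called.
        self._user_roles = user_roles
        self.log: list = []  # every decision, allowed or not, for audit

    def authorize(self, user: str, asset: str, action: str) -> bool:
        role = self._user_roles.get(user)           # unknown user -> None
        perms = ROLE_PERMISSIONS.get(role, set())   # unknown role -> nothing
        allowed = (asset, action) in perms
        self.log.append(Decision(user, role, asset, action, allowed))
        return allowed

    def denied(self) -> list:
        """Denied attempts are the signal a security team reviews."""
        return [d for d in self.log if not d.allowed]


# Constructed user directory for the demo.
USERS = {"amina": "sales_agent", "bob": "claims_clerk", "chen": "executive"}


def demo() -> dict:
    ac = AccessControl(USERS)
    results = {
        "agent_reads_customer": ac.authorize("amina", CUSTOMER, READ),
        "agent_updates_customer": ac.authorize("amina", CUSTOMER, UPDATE),
        "clerk_updates_customer": ac.authorize("bob", CUSTOMER, UPDATE),
        "executive_reads_corporate": ac.authorize("chen", CORPORATE, READ),
        "executive_updates_customer": ac.authorize("chen", CUSTOMER, UPDATE),
        "stranger_reads_customer": ac.authorize("mallory", CUSTOMER, READ),
    }
    results["denied"] = [(d.user, d.asset, d.action) for d in ac.denied()]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two points a practitioner would check here: the executive role can read customer data but cannot update it, which is the least-privilege outcome the paper's role-and-position scheme is meant to produce, and the log records the denied attempts (the agent trying to update, the executive trying to update, and the unknown user) rather than only the successes. When the same clerk can both enter and approve a claim, role separation rather than a single broad role is what keeps the fabrication threat in check.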
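The modification and fabrication threats listed under Risk Assessment both come down to a record whose contents no longer match what an authorized person entered. The paper does not say how BIC detected that; the following added example (not from the paper) shows one standard check, a keyed hash (HMAC-SHA256) sealed over each claim record so that an altered amount or an invented claim fails verification. The claim fields, the key and the sample records are constructed for illustration.

```python
"""Tamper-evident claim records with a keyed hash (HMAC-SHA256).

Added example for the modification and fabrication threats described above;
not code from the paper. The claim fields, key and sample records are
constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed demo key. In production the key lives in a KMS or HSM, never in
# the same database as the records it protects.
INTEGRITY_KEY = b"bic-claims-integrity-demo-key"


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so the same content always gives the same tag."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _body(record: dict) -> dict:
    """Everything in the record except the tag itself."""
    return {k: v for k, v in record.items() if k != "tag"}


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record with an HMAC tag over its contents."""
    body = _body(record)
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify(record: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the tag matches the contents. The constant-time comparison
    avoids leaking how many leading tag bytes were correct."""
    tag = record.get("tag")
    if not isinstance(tag, str):
        return False  # no tag at all: treat as fabricated
    expected = hmac.new(key, _canonical(_body(record)), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def audit(records: list, key: bytes = INTEGRITY_KEY) -> list:
    """Ids of records whose contents no longer match their tag."""
    return [r.get("claim_id", "<no id>") for r in records if not verify(r, key)]


# Constructed sample: a claim as the claims clerk sealed it.
ORIGINAL = seal({"claim_id": "C-1001", "policy": "L-77", "amount": 2500})


def demo() -> list:
    """Modification: the amount is raised after sealing.
    Fabrication: a new claim is invented and given a copied tag."""
    modified = dict(ORIGINAL, amount=25000)
    fabricated = {"claim_id": "C-9999", "policy": "L-77", "amount": 9000,
                  "tag": ORIGINAL["tag"]}
    return audit([ORIGINAL, modified, fabricated])


if __name__ == "__main__":
    print(demo())  # ['C-1001', 'C-9999']
```

The tag catches changes made by anyone who does not hold the key: a direct edit in the database, a tampered export, or a customer altering a claim before resubmitting it. It does not catch an insider who holds the key, or an application whose authorization has been bypassed, since either can simply re-seal the record. The key must therefore be kept away from the people and systems whose edits you want to detect, and the integrity tag complements the access controls above rather than replacing them.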
The strategy will also make use of managed security service (MSS) providers, outside third parties that deliver security services. There are many advantages to using MSS providers. First, there are major cost advantages: outsourcing has reduced organizations' costs worldwide by letting them focus on their core competencies, and the providers bring skills and expertise that the organization may lack. They also offer facilities in the form of security operations centers (SOCs) equipped with the latest technology ("A Business case"). Implementing a resource access control facility, which controls the flow of information and supports compliance, is also preferable (IBM, 2003).

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

OCTAVE is a systematic approach that uses a distinct set of tools, methods and techniques to develop strategies for organizations that hold valuable information, and it provides a guide for risk-based assessment and planning (CERT). OCTAVE offers three approaches for three different situations in information risk management: the original OCTAVE method, which forms the foundation for the body of knowledge; OCTAVE-S, which provides guidance for small organizations, whose needs differ from those of large organizations and multinationals; and OCTAVE Allegro, a streamlined approach to assessing the security measures an organization needs. There are several benefits to using the OCTAVE approach to securing data and information within an organization, and these features add value to the process and its implementation. The OCTAVE method uses self-directed teams comprising individuals from each of the organization's important functions.
These teams work across all the business units and involve information technology staff, who together devise strategies that cater to the information and security needs of the organization. The teams are empowered to make the decisions best suited to the organization. This flexibility is not restricted to decision making but extends to the methods available within the OCTAVE framework. Each organization can tailor the methods to its own risk-mitigation requirements and can use the tools best suited to the kind of employees it has and their level of expertise and technical skill. Another advantage of OCTAVE is that it is an evolving process. It has shifted the perception of securing data and information in the organization from a purely technical matter to a business perspective built on risk-based modeling. OCTAVE is a fairly easy process to implement in any organization. In an insurance company there are several departments where data is collected, sorted and then analyzed for further decision making (CERT). For example, in health insurance the customer gives his or her medical information to the company; the company sorts that information and then decides what kind of insurance the customer should receive depending on age, severity of illness, work background and so on. Teams can be formed from separate functions of the organization to judge the data and decide what kind of security is required given the expertise and technologies available. If MSS providers are used, these teams can work in collaboration with the providers to implement the OCTAVE methods soundly within the organization's working network. Proper control methods and their appropriate use can be learned by training employees in the different techniques and methods of OCTAVE.

References
1. Ramana, S. V. "Securing the Enterprise". Network Magazine, January 2003. http://www.networkmagazineindia.com/200301/cover9.shtml
2. Definition of Business Risk. HJ Ventures. http://www.hjventures.com/valuation/Business-Risk.html
3. Gabrielson, Bruce C. (1994). Information Security Program Development. http://blackmagic.com/ses/bruceg/progmgt.html
4. Hisrich, R. (2002). Entrepreneurship, 7th edition. McGraw-Hill.
5. Benton, R. (2005). Case Study in Information Security: Securing the Enterprise. SANS Reading Room. http://www.sans.org/reading_room/whitepapers/casestudies/case-study-information-security-securing-enterprise_1628
6. Computer Security: Information on Security Systems. http://shine.yahoo.com/channel/none/computer-security-information-on-security-systems-1253385/
7. David, Fred R. (2007). Strategic Management. South Carolina: McGraw-Hill.
8. A Business Case for Managed Security Service. CGI. Retrieved 2010 from http://www.cgi.com/cgi/pdf/cgi_whpr_50_mss_e.pdf
9. CERT. OCTAVE. http://www.cert.org/octave/
10. www.cgi.com
11. IBM. "Resource Access Control Facility". November 2003. http://www-1.ibm.com/servers/eserver/zseries/zos/racf/
Information Security Program Development Case Study. Retrieved from https://studentshare.org/management/1566210-course-work
