The Organizations Physical, Human, and Electronic Information Holdings That May Be at Risk - Research Paper Example

Security Plan

Table of Contents

The Organization’s Physical, Human, and Electronic Information Holdings That May Be at Risk
    Physical Holdings at Risk
    Human Holding at Risk
    Electronic Holding at Risk
The Actual and Potential Physical, Human, and Electronic Threats to the Organization’s Information Holdings
    Physical Threats to the Organization’s Information Holdings
    Human Threat to the Organization’s Information Holdings
    Electronic Threat to the Organization’s Information Holdings
Security Plan for Counter-Measures That Will Manage the Threats
    Physical Counter-Measures
    Human Counter-Measures
    Electronic Counter-Measures
Information Security Education and Awareness Program for Use by Management, Staff Members and Contractors
Information Security Evaluation Tactic
Technological Evaluation Technique
Measures
References
Bibliography

The Organization’s Physical, Human, and Electronic Information Holdings That May Be at Risk

Physical Holdings at Risk

In today’s environment, scrutiny of the physical security of services and properties has become an even more serious part of an organization’s information security and business stability planning. The set-up addresses this requirement by means of a group of skilled persons who are able to combine their expertise and experience to focus on the significant aspects of physical security that affect an organization’s computing environment. The physical inspection of facilities and operations will provide a better understanding of the issue. By examining the resources being protected and the procedures covering physical security, operations will benefit from improved security against physical risk to the information. This will provide an enhanced understanding of the level of protection needed and desired for a given situation or location.

The key areas of physical risk that need to be analyzed are:

  • Facility Security: access point, information hub, user and sensitivity environments, admittance power and monitoring policy, protector personnel and cabling closets.
  • Internal Company Personnel: control and accountability for jobs, use of equipment, security procedure compliance, awareness and use of break areas and entry points.
  • External Visitor and Contractor Personnel: control and accountability, use of equipment, security procedure compliance and use of break areas and entry points.
  • Computer Systems and Equipment: workstations, servers, backup media, PDAs and modems and physical access points (visual ID only).
  • Sensitive Information and Data: control, storage and destruction (Green 2008).

Human Holding at Risk

System reliability is very important when controlling who can access confidential information. Even if a business places sensitive information on a virtual local area network (VLAN), other networks can silently access the information, as they can freely route information between each other unless they are filtered. As such, unfiltered VLANs are wide open for anyone to access sensitive and valuable data. Security technology has progressed substantially in recent years and now integrates with user credentials, restricting access to confidential information. There are products available that can observe and administer exactly who has the right to use exactly what data, and also who has the right to access confidential folders. These products can secure shared drives and prevent them from containing arbitrary information. The most important aspect of identity authentication is that it educates users to be more aware of locking down desktops and portals. In an organization, when a staff member or employee has access to valuable and sensitive data and proper security measures are not taken, it may open up a range of data breach liabilities.

All organizations must ensure their staff are made aware of the security risks involved in their day-to-day work and implement an ‘acceptable use policy’ that details what information they do or do not have rights to access (Morris 2010). The most successful technique for minimizing these vulnerabilities comprises a number of input processes and hazard assessments. These include: mapping and modeling networks and importing rules from numerous devices; identifying the origin of important risks; and differentiating assets based on their significance to the organization. This system recognizes the vulnerabilities representing the maximum risk to an organization and provides access to remediation and protection of its most significant assets.

Electronic Holding at Risk

It is now generally acknowledged that a company’s electronic information assets, i.e. its information processing networks and systems, as well as the information and facts stored on, transmitted by and processed by these systems, are significant assets of the company. Electronic information risk arises when these assets are handled in a negligent manner, and it needs to be governed with appropriate measures (Prof Basie von Solms 2001). The major electronic risks arise during the phases of storage, transmission and processing. During storage, information stored incorrectly will yield wrong information. During transmission, a faulty process may allow it to be tampered with and produce wrong facts. Processing incorrect facts will lead to incorrect outputs. Other electronic risks may be due to:

(1) IT sabotage: An insider disrupts data or a system to cause certain damage to an organization.
(2) Theft of intellectual property: An insider steals sensitive information or certain confidential facts.
(3) Fraud: One or more individuals try to create, add, delete and modify data in a database.
This also involves an individual or group of persons who try to steal a large portion of information and data from an organization for various purposes and sell that data or share the information with external parties. This can be reduced with security management at different levels to create protection against this risk (Carnegie Mellon University 2010).

The Actual and Potential Physical, Human, and Electronic Threats to the Organization’s Information Holdings

Physical Threats to the Organization’s Information Holdings

The threat arises when there is a lack of a well-established personal security policy. The lack of a proper system administrator to enforce the personal security policy matters, as the policy covers the physical security of the terminal. This too leads to security breaches within the organization. Physically insecure workplaces and terminals create the danger of undesired intentions leading to data malfunction and information loss. This occurs when it is possible to gain access to the terminal and workplace (Danchev 2006).

If the log-in and log-out system for the terminal is not developed properly, it becomes a risk factor for the organization. The timing is vital, as it provides security for the terminals. If the terminal is working without proper log-in and log-out, it might not be known who accesses the terminal and when. This creates a risk for the organization of information falling into the wrong hands (Danchev 2006).

Physical connection to a network increases the risk. Most systems are connected to the internet without proper security auditing, which invites the risk of information and data being accessed. Administrators mostly rely on the assumption that the system is new, that nothing is known about it and that no one knows its reserved IP, so that breaking in is not possible; this thinking represents a threat to any organization (Danchev 2006).

Human Threat to the Organization’s Information Holdings

The actual human threat arises in areas such as access to server rooms, control system rooms, telecommunication rooms and motor control centers. Server rooms are high-security zones where authority to enter and exit is a matter of high risk. Access by unauthorized persons can make the zone unsafe and put the organization’s facts and information at risk. Control system rooms are those which control the overall system in the organization. Any mishandling of or misconduct with the control system can leak information outside the organization, which poses a risk to the organization. Telecommunication rooms are vital, as they help maintain communication internally as well as externally through services like internet and telephone. Misuse of the communication system will breach the security perimeter, and data and information will flow freely, making information easily accessible from outside and inside the organization, which increases the risk further. Motor control centers include programmable controllers, variable frequency drives and the electrical service entrance for the building (organization); they are crucial because unauthorized personnel entering different zones of the organization can tamper with information security, intentionally or accidentally, putting it at risk (Idaho National Engineering and Environmental Laboratory 2004).

Electronic Threat to the Organization’s Information Holdings

Electronic threats to organizations are carried out through malware and anonymous techniques that put current security controls at risk. Signature-based malware detection, antivirus solutions and perimeter intrusion detection provide a modest defensive system for information, but they are becoming obsolete, as people hacking data and information now use encryption technology to avoid detection (Deloitte Development LLC 2010).

Online investing, trading, banking and intellectual property distribution present numerous opportunities for fraud, theft, misappropriation and misdirection of data and information. This increases the risk to the organization (Deloitte Development LLC 2010). Having access to sensitive information, data and systems without proper accountability for such data will lead to risk. The organization’s security policy is violated through malicious attacks and in various other ways. The effect of these activities can be distressing to the whole organization. Downloading from untrustworthy websites endangers the security of the organization. Downloading from these websites helps malicious programs spread across the entire internet system. Once a system is contaminated by any kind of malicious program, the infection will have serious consequences for the organization’s performance and may lead to other networks also being affected (Danchev 2006). Firewall applications used with security software at times do not function properly and do not protect the data and information needed to maintain the organization’s security. They may fail to provide security when certain malicious programs attack the system (Danchev 2006).

Security Plan for Counter-Measures That Will Manage the Threats

Physical Counter-Measures

There are steps to be followed in developing a proper integrated physical security plan. The day-to-day operations and management of the facility, covering everything from deliveries to shifts to maintenance and utilities, should be assessed and improved to provide a more secure system of operations in the organization (Philpott and Einstein n.d.). The internal and external communication systems need to be strengthened at access points to stop the loss of information. Information related to sources and data should be secured by applying proper access controls to this information.
Unauthorized access to such information can be prevented by securing the access points of operation (Philpott and Einstein n.d.). To ensure the security and safety of the facility and critical assets inside the organization without affecting everyday operational procedures, a strategy should be implemented using an IDPS (Intrusion Detection and Prevention System). Integrated physical security planning must not be undertaken in isolation. Security experts and those who respond to the system should be involved in the process of developing integrated security planning (Philpott and Einstein n.d.). There should be a proper physical structure protecting the security system, as risk can arise from natural and physical disruptive events. A careful balancing act between what can be done and what needs to be done should serve the best interest of normal everyday operations and the facility (Philpott and Einstein n.d.).

Human Counter-Measures

Personnel should be given training and development programs that raise their sense of security and their attention to data privacy in the organization. The training should explain to everybody why it is so important to follow the Security Policy, as well as speak to the possible damages of violating the Policy (Danchev 2006). Staff members must keep downloaded software updated; on occasions when they require a specific application, it is suggested that they contact the IT Department instead of downloading the program from untrustworthy websites. This will go a long way in securing the system (Danchev 2006).

Management needs a basic understanding of what a firewall can and cannot do and how useful it can be in certain cases, and the capabilities of virus scanners and antivirus programs also have to be properly understood; this will steer management in the right direction in security planning (Danchev 2006). The requirements in this respect are: gaining awareness of the need to protect organizational resources; increasing skills and knowledge so that computer users can perform their jobs more securely; and building in-depth knowledge, as needed, to design, implement or operate security programs for organizations and systems. Avoiding mistakes and errors by personnel will reduce the risk and build a stronger security facility in the organization (Danchev 2006).

Electronic Counter-Measures

Contingency planning (CP) is the overall preparation carried out by the organization to prepare for, respond to and recover from events that threaten the security of information and information assets in the organization, and the subsequent restoration of normal business procedures and operations. IT staff have to recognize the importance of information security in all functions and also their responsibility in the IT role. They have to adjust job descriptions and recognized practices accordingly. Software for the system should be either purchased from a recognized vendor or developed in line with the safety and security needs of the organization. Using such software will reduce malware attacks. Proper implementation of a data access password system will enhance the security of the organization. Granting the right to access information through the developed software will limit access and provide control over the system.
Such development needs a better system administrator in designing the success, modification and restoration of data. Management should use protected software for internal as well as external communication to secure the flow of information and data. The loopholes in this process need to be identified so that information is not communicated to unauthorized persons or outside the organization.

Information Security Education and Awareness Program for Use by Management, Staff Members and Contractors

Information security education, awareness and training should provide system development management, staff members and contractors with the skills they require to design systems in a disciplined manner and develop information security controls. Information technology staff need these skills to run computer networks and installations correctly and implement information security controls. Management users need the skills to use systems correctly and implement information security controls. Information security specialists need the skills to understand the organization’s structure, processes and business, run information projects and perform expert information security work, and they also have to be able to communicate effectively with all members, staff and management (University of Cincinnati 2008). The implementation tool set, a range of innovative and tested processes aimed at enhancing security, contains management awareness and information that will help in diagnosing information control. This specific activity needs to be performed to promote information security awareness. It will serve the information security requirements of the organization, helping people take responsibility for security and act accordingly.
Management, staff members and contractors need to be given guidance to help them understand the importance and meaning of information security (safeguarding of confidential data, availability of information and proper integrity of data) and the significance of complying with information security procedures, standards and policy.

Information Security Evaluation Tactic

A recognized and repeatable security evaluation tactic is useful because structured and consistent testing of the security mode will reduce risk, easing the changeover to new evaluation staff will bring down security leakage, and addressing resource constraints connected with security assessment will lead to enhanced security of information (Scarfone and Souppaya and Cody and Orebaugh 2008).

Scheduling: For successful security development, this phase is used to collect the information required to evaluate threats to security and the security controls that stop such threats.

Implementation: This phase covers the actions related to the proposed appraisal technique and practice (Scarfone and Souppaya and Cody and Orebaugh 2008).

Post-Execution: This phase focuses on analyzing the identified root causes, establishing improvement recommendations and developing a final report structure for security solutions.

Technological Evaluation Technique

Assessment techniques: These techniques are used to appraise system networks, applications and possible vulnerabilities, and are conducted manually.

Target recognition and analysis techniques: These techniques are used to appraise system networks, applications and possible vulnerabilities, and are conducted manually as well as by means of automated tools.

Target vulnerability validation techniques: These test techniques corroborate the existence of vulnerabilities, and can be performed manually as well as through automated tools.
It depends on the precise system used and the ability of the assessment team (Scarfone and Souppaya and Cody and Orebaugh 2008).

No single technique can provide a complete picture of the security of a system or network. Organizations should therefore combine suitable techniques to ensure robust security assessments (Scarfone and Souppaya and Cody and Orebaugh 2008).

Measures

Audit Consequences: Audits are conducted periodically to assess vigilance and to determine procedures that might be implemented to enhance the efficiency of information security operations. The security scorecard and other tools are used for auditing the security appraisal (Chapple 2010).

Lost Efficiency: This is used to compute the effectiveness of maintenance programs. It helps identify data lost due to information security issues. It evaluates the success of the preventive maintenance protection program. From this, the allocation of resources towards security can be judged (Chapple 2010).

User Contentment: As end-user interaction is high, the satisfaction level provides a measure of the security system: how satisfactory the service is, and the effectiveness and impact of the system across the entire process (Chapple 2010).

User Awareness: Evaluating its usefulness provides the opportunity to ensure that users are receiving the appropriate information they require to do their jobs securely and successfully. It will help in designing measurable information security objectives in budgeting (Chapple 2010).

References

Chapple, M. 2010. Four ways to measure security success. Security Tips. http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1070102,00.html (accessed September 28, 2010).

Carnegie Mellon University. 2010. CERT Team Examines Health-Care Security Risks. Software Engineering Institute. http://www.sei.cmu.edu/newsitems/healthcare_threats.cfm (accessed September 28, 2010).

Danchev, D. 2006. Reducing "Human Factor" Mistakes. Windows Security. http://www.windowsecurity.com/articles/Reducing_Human_Factor_Mistakes.html (accessed September 28, 2010).

Deloitte Development LLC. 2010. Cyber crime: a clear and present danger combating the fastest growing cyber security threat. Center for Security & Privacy Solutions. http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/AERS/us_aers_Deloitte%20Cyber%20Crime%20POV%20Jan252010.pdf (accessed September 28, 2010).

Green, J. 2008. Building Global Security Policy for Wireless LANs. Aruba Networks. http://www.arubanetworks.com/pdf/technology/whitepapers/wp_Global_security.pdf (accessed September 28, 2010).

Idaho National Engineering and Environmental Laboratory. 2004. Control Systems Security and Test Center. Personal Security Guidelines. http://www.us-cert.gov/control_systems/pdf/personnel_guide0904.pdf (accessed September 28, 2010).

Morris, S. 2010. Comment: Maintaining data integrity for your organization. Info security. http://www.infosecurity-magazine.com/view/7291/comment-maintaining-data-integrity-for-your-organization-/ (accessed September 28, 2010).

Prof Basie von Solms. 2001. Corporate Governance and Information Security. Rand Afrikaans University. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.103.1168 (accessed September 28, 2010).

Philpott, D. and S. Einstein. n.d. The Integrated Physical Security Handbook. The Five Steps. https://physicalsecurityhandbook.org/downloads/IPS%20Extracts.pdf (accessed September 28, 2010).

Scarfone, K. and M. Souppaya and A. Cody and A. Orebaugh. 2008. Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf (accessed September 28, 2010).

University of Cincinnati. 2008. Information Security Awareness and Education. Information Technology. http://www.uc.edu/infosec/policy/Policy_Security_Awareness_and_Education.pdf (accessed September 28, 2010).

Bibliography

McGuffey, J. 2010. The How and Why of Security Risk Assessment. Mid-Atlantic Consultants Network. http://www.maconsultants.com/2010/03/09/the-how-and-why-of-security-risk-assessment/ (accessed September 28, 2010).