Information Security Management in the USA - Dissertation Example

SLP 1: Information Security Management in the USA

Information is shared extensively in almost all business communication among associates, workers, clients, and other stakeholders. Web-based technologies such as the internet make it relatively easy to collect, share, and distribute that information. Regardless of management lapses, customers are generally worried about the security of the private information that companies use, and these concerns create the need for companies to manage information security properly and effectively. Organizations therefore take on the task of protecting customer and governmental proprietary data by ensuring compliance with laws and regulations. An organized set of procedures, people, and information technology (IT) structures that protects critical systems and information from internal as well as external threats is known as information security management (ISM) (Sipior & Ward, 2008; Northern Illinois University, 2007; Grimaila, 2004).

Security Issue

The basic issue I have chosen for this SLP is information hacking. In our daily lives we often see this kind of security breach. People around us with negative intentions steal someone's personal information in an attempt to make illegal use of it. This personal information can include sensitive items such as computer passwords, email passwords, social security numbers, credit card numbers, and many others. The basic purpose of information hacking is to create problems for others. It could be intentional or unintentional. For instance, a hacker can steal a person's billing information along with a secret password and afterward make illegal use of this information.
This security issue is also critical for organizations, which can face a variety of information hacking problems that can be very harmful to them. The fundamental principles that should be followed to deal with this issue are (Sipior & Ward, 2008; Northern Illinois University, 2007; Grimaila, 2004):

Information protection, backup and recovery: Organizational information security measures, covering systems, computers, data, and documentation as identified by this principle, should be implemented in a way that reasonably reduces the risk of internal or external breaches of the security, integrity, and confidentiality of organizational information. Users of information are expected to protect such private information in accordance with legal obligations and administrative policies and procedures, including confidentiality and non-disclosure agreements. The measures should include plans to restore such information to ensure the continuity of the organization's critical operations (Sipior & Ward, 2008; Northern Illinois University, 2007; Grimaila, 2004).

Information Integrity: Those responsible for information security should use appropriate verification and validation measures so that the information used for analysis and decision making can be expected to be accurate (Sipior & Ward, 2008; Northern Illinois University, 2007; Grimaila, 2004).

Information Secrecy and Leakage: The value of information as an organizational resource increases through its widespread and appropriate use; its value decreases through misuse, misinterpretation, or unnecessary restrictions on access. The ability to access or modify information should be provided as needed to the users of the company for official purposes.
Business users who request access to information resources, or who collect such information, should be required to limit the scope of those requests or collections to only the information needed for their legitimate use. Moreover, users should not disclose confidential information to unauthorized persons who lack a legitimate business reason for access to that information. State and federal acts, laws, and policies provide standards for the sharing of different types of information in business-critical areas (Sipior & Ward, 2008; Northern Illinois University, 2007; Grimaila, 2004).

Information Utilization: The use of restricted information for identification, authentication, or any other purpose should be eliminated whenever possible. Historical records containing restricted information should be properly maintained and destroyed in line with legal and regulatory standards and the principles described in these guidelines (Sipior & Ward, 2008; Northern Illinois University, 2007; Grimaila, 2004).

SLP 2: Belief & Culture: Build Awareness

Culture has always been described as the shared values, expectations, and norms found within countries, regions, social groups, business firms, and even departments and teams inside a firm. As a result, cultural norms shape people's views and thinking and guide their behavior. Information security management theory and practice that consider only ISM tasks and ISM actors, ignoring cultural influence, will not necessarily produce a successful information security mechanism. In addition, many evaluation results confirm the crucial influence of culture on information security.
Thus, the issue selected in the section above would be viewed similarly across different cultures. In other words, information hacking would be considered an illegal activity in almost all cultures and belief systems. The following paragraphs show how cultural values and beliefs can be used to manage these issues (Herold, 2010; Feng, 2003; Kuusisto & Ilvonen, 2003).

Disappointing results from IT (information security) are usually due to a poor fit with the existing culture and/or a failure to create a culture that supports change. Accordingly, we believe very strongly that national culture should be embedded in information security management. From this perspective, national culture would become the third dimension of information security management, alongside ISM tasks and ISM actors. In this regard security culture differs from traditional culture. Security culture refers to the activities within a business that relate to the security of information, data, and knowledge. Organizational culture can be an important factor in information security management, because it may resist change or direct what kinds of change take place. Information security culture is ultimately developed by changing behavior within a business in the desired direction. This happens both by formalizing the structure of information security and by influencing the mental models, attitudes, motivation, and the explicit and especially tacit knowledge of employees (Herold, 2010; Feng, 2003; Kuusisto & Ilvonen, 2003).

Therefore, creating an information security and privacy awareness and training program is not an easy job. It is often a frustrating job, often a challenging one, and, unfortunately, many times a thankless one.
Conversely, providing employees with the security and privacy information they need, and ensuring that they understand and follow the requirements, is a vital element of business success. If an organization's personnel do not know or understand how to maintain the confidentiality of information, or how to secure it appropriately, they not only risk having one of the organization's most valuable business assets (i.e. information) mishandled, inappropriately used, or obtained by unauthorized persons, but also risk being in noncompliance with a growing number of laws and regulations that require certain types of information security and privacy awareness and training programs (Herold, 2010; Feng, 2003; Kuusisto & Ilvonen, 2003).

SLP 3: Politics & Legislation

The problems found under a political system that combines authority and control by the system are poor open data repositories and a lack of viable market knowledge. Consequently, the political environments of different states need additional consideration in information security management, as the political environment can influence various IS-related aspects, for instance legislative technology proposals, the performance and implementation of standards, technology investment, and technology use. In addition, over the past few decades there has been growing interest in the influence of cultural differences on the development and use of information and communication technologies. The world is clearly moving toward international markets with interactions among members of different cultures. Indeed, global activities are facilitated and supported to a large degree by modern communication and information technologies.
Consequently, it is imperative to understand the effect of cultural differences on these activities. The security issue discussed in the sections above can also involve political factors. For instance, an opponent or competitor firm can hire a hacker to steal the company's information. In this scenario, one company hacks another company's information and benefits from it, which can cause massive losses for the competitor (Huotari, 2010; Hu, Dinev, Hart, & Cooke, 2008; Adamski, 2010; Yeganeh, 2007; Knapp, Marshall, Rainer, & Morrow, 2010).

Approving the rules and procedures written into the corporation's information security policies (ISP) is the sole task of the executive management team (EMT). Since the information security policy is considered the primary tool for managing information security, it is also the tool for standardizing the company's information security management activities. However, the information security policy should not be just a document for management; it should also be an easily accessible guideline that helps the entire workforce avoid information-security-related threats. In addition, all employees should have a clear understanding of the fundamental threats related to information security management before they get access to the systems. The information security policy outlines these threats, since it is the main document used for information security management. Thus, all information technology structures or solutions must be arranged and approved in accordance with the rules and regulations of the information security policies (Huotari, 2010; Hu, Dinev, Hart, & Cooke, 2008; Adamski, 2010; Yeganeh, 2007; Knapp, Marshall, Rainer, & Morrow, 2010).
The principle of lawfulness and fairness in the collection and processing of personal data for criminal justice purposes means that data must be obtained lawfully, that is, in conformity with procedural rules that define the limits of permitted intrusion by various agents of the state into the private interests of individuals. However, it is not a simple job to comply with this requirement in the information era. Additionally, the legal requirements on the integrity of data and information communications may not provide a sufficient basis for the security and secrecy of e-mail and other types of electronic communication. In addition, electronic surveillance and the use of computer systems for data matching and sorting, for example of intercepted exchanges, have grown so quickly that the legal system cannot respond effectively to the situations created by these new practices (Huotari, 2010; Hu, Dinev, Hart, & Cooke, 2008; Adamski, 2010; Yeganeh, 2007; Knapp, Marshall, Rainer, & Morrow, 2010).

With regard to security, one of the government's main goals should be to raise the overall security awareness of the public. If people are more aware of what can happen, such as information hacking, security attacks, viruses, worms, malware, phishing, and DDoS attacks, then perhaps they will think twice about downloading an e-mail attachment. The best place to start is to educate the people working inside the corporation. Moreover, from both a case law and a practical perspective, legislation related to information security is sadly inadequate. Furthermore, protecting privacy, secrecy, and accessibility, and prosecuting identity theft and denial-of-service attacks, are typically impractical under existing legislation.
In this scenario, there are implementations of laws and standards such as FISMA, Common Criteria, HIPAA, and mandated audit compliance, but the market gives these requirements minimal attention or only lip service. Although there are numerous regulations influencing security within specific markets, for instance healthcare and finance, a comprehensive law governing the security of critical infrastructure industries would help enable consistent security across industries and could consolidate the growing number of security-related regulations (Huotari, 2010; Hu, Dinev, Hart, & Cooke, 2008; Adamski, 2010; Yeganeh, 2007; Knapp, Marshall, Rainer, & Morrow, 2010).

SLP 4: Economics: Cost/benefit & Incentive Design

In this technology-based age, economics has a great influence on information security management. We usually think of information security as a technology problem, but information security management systems frequently fail because of missing economic incentives: the people who are able to make a system secure are not the ones who bear the costs of failure. A number of the most contentious cyber policy issues also sit squarely between information security and economics. Take the issue of digital rights management: is copyright law too restrictive, or not restrictive enough, to maximize people's creative output? And if it needs to be more restrictive, will DRM technologies benefit the music industry or the technology vendors? Attempts to answer these questions quickly become entangled with both information security and economics.
It is useful first to explain the following fundamental economic principles that apply to information security (Schneier, 2006; Guerra, 2009; ITManagersInbox, 2010):

The Cost and Benefit Principle: Take no action unless its marginal benefit is at least as great as its marginal cost. This is often related to information security management attack reports.

The Scarcity Principle: Having more of one good thing usually means having less of another. This is also known as security trade-offs.

The Incentive Principle: Cost-benefit comparisons are relevant not only for identifying the decisions that rational people should make but also for predicting the actual decisions they do make.

These principles help explain various failures in information security management. Scarcity and cost-benefit help explain why information security usually does not receive the same allocation of resources as other IT resources. The incentive principle gives insight into why information security is frequently missing from major products, for instance early iterations of the Windows operating system. It is expected that IT product suites will be inherently vulnerable. Security in products is an effective approach. On the whole, secure products are indistinguishable from vulnerable products; consequently businesses have less incentive to offer secure products, since the customer cannot tell the difference between products in the marketplace (Schneier, 2006; Guerra, 2009; ITManagersInbox, 2010).

SLP 5: Security via Technology

This section discusses solutions to the security issue discussed above using the latest security technology.
A lot of research on information security technologies indicates that most businesses now use security technologies such as anti-virus software, firewalls, some form of physical security to protect their computer systems and information resources, or some measures for controlling access to technology-based IT systems. Technologies such as fingerprint-based biometrics and virtual private networks are expected to grow very quickly, and other technologies are still emerging. The latest version of an intrusion detection system based on open-source Snort 2.0 supports a high-performance multi-pattern search engine with an anti-denial-of-service policy. However, detecting distributed denial-of-service (DDoS) attacks is still an emerging area because of the complexity of the technical problems, which are not yet understood well enough to build defenses against this kind of web-based attack. Current technologies are not adequate for large-scale attacks, and comprehensive solutions should include attack prevention and preemption, attack detection and filtering of network traffic, and attack source identification. Moreover, we can implement the following technologies to support information security management (Adamski, 2010; Hentea, 2011):

Passwords Technology

Passwords are the most common method of restricting access to an information security system. To be effective, a password must be assigned to an individual and kept confidential. Additionally, a password should be distinct from the user identification. Moreover, the password should be changed on a regular basis, at a minimum every 40 days (Adamski, 2010; Hentea, 2011).
Firewall Technology

A firewall is one of several ways of protecting one or more information security management systems from another, untrusted system. It is considered absolutely essential for web-based clients who run their own World Wide Web site. Usually, firewalls are configured to protect against unauthorized interactive log-in attempts from the external system, and they help prevent intruders from getting into the information security management system on the network. More complex firewalls block traffic from the external to the internal system while allowing users on the internal side to communicate freely with the external system (Adamski, 2010; Hentea, 2011).

Encryption Technology

Encryption is the transformation of data into a form that is unreadable by anyone without a secret decryption key. Its basic purpose is to ensure confidentiality by keeping data and information hidden from anyone for whom it is not intended, even those who are able to see the encrypted data. Encryption technology thus supports information security and is widely used all over the world (Adamski, 2010; Hentea, 2011).

References

Adamski, A. (2010). Information Management: Legal and Security Issues. Retrieved March 25, 2011, from http://www.uncjin.org/Other/korebo/chapter5.pdf

Feng, X. (2003). Information Systems Management and Culture: Experiences from a Chinese perspective. Retrieved March 25, 2011, from http://alexandria.tue.nl/extra2/200410651.pdf

Grimaila, M. R. (2004). Maximizing Business Information Security's Educational Value. IEEE Security and Privacy, 2(1), 56-60.

Guerra, P. (2009). How Economics and Information Security Affects Cyber Crime and What It Means in the Context of a Global Recession. Retrieved March 21, 2011, from http://www.blackhat.com/presentations/bh-usa-09/GUERRA/BHUSA09-Guerra-EconomicsCyberCrime-PAPER.pdf

Hentea, M. (2011). Information Security Management - Overview, Security Threats Impact, Emerging Security Technologies, Solutions, SEM Model Requirements, Conclusion. Retrieved March 24, 2011, from http://encyclopedia.jrank.org/articles/pages/6625/Information-Security-Management.html

Herold, R. (2010). Why Information Security Training and Awareness Are Important. Retrieved March 26, 2011, from Information Security Today: http://www.infosectoday.com/Articles/Security_Awareness_Training.htm

Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2008). Top Management Championship and Individual Behaviour Towards Information Security: An Integrative Model. Retrieved March 25, 2011, from http://is2.lse.ac.uk/asp/aspecis/20080111.pdf

Huotari, P. (2010, August 20). Basics of Information Security Politics (ISP). Retrieved March 26, 2011, from http://www.ictstandard.org/article/2010-08-20/basics-information-security-politics-isp

ITManagersInbox. (2010). What the Economic Crisis Means for IT Security and Risk Management. Retrieved March 22, 2011, from http://itmanagersinbox.com/663/what-the-economic-crisis-means-for-it-security-and-risk-management/

Knapp, K. J., Marshall, T. E., Rainer, R. K., & Morrow, D. W. (2010). The Top Information Security Issues Facing Organizations: What Can Government Do to Help? Retrieved March 24, 2011, from KnowledgeLeader.com: http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/f009e0f0945175cc88257219007ea736/$FILE/Top%20Information%20Security%20Issues.pdf

Kuusisto, T., & Ilvonen, I. (2003). Information Security Culture in Small and Medium-Size Enterprise. Retrieved March 25, 2011, from http://www.ebrc.fi/kuvat/431-439.pdf

Northern Illinois University. (2007, May 11). Northern Illinois University (NIU) Information Security Policy. Retrieved March 22, 2011, from http://www.niu.edu/CEET/audience/pdfs/niu_info_security.pdf

Schneier, B. (2006, June 29). Schneier on Security. Retrieved March 25, 2011, from http://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html

Sipior, J. C., & Ward, B. T. (2008). A Framework for Information Security Management Based on Guiding Standards: A United States Perspective. Issues in Informing Science and Information Technology, 5(1), 51-60.

Yeganeh, M. E. (2007). The impact of national and organizational culture on information technology (IT). Retrieved March 24, 2011, from http://www.nlai.ir/Portals/2/files/faslname/69/en_content.pdf