
Team Formation and Assigning Roles - Case Study Example

Summary
As the paper "Team Formation and Assigning Roles" tells, for information security governance to be effective, senior management has to be involved. Information security governance at PISL involves the CEO, the Chief Security Officer, Chief Information and technology officer, or senior management…

Extract of sample "Team Formation and Assigning Roles"

Running Head: Master Plan Report
Case study: Perth Information System Ltd

Workshop 1 Team Formation and Assigning Roles

Perth Information Systems Ltd (PISL) provides services to oil and gas companies in seismic data acquisition, and develops software and hardware for those companies. Its information system is made up of components that collect, store and process seismic data for the companies it serves. The company has a team that is responsible for information security. For information security governance to be effective, senior management has to be involved. Information security governance at PISL involves the CEO, the Chief Security Officer and the Chief Information and Technology Officer, who are the senior management. This team heads information security governance, and its work involves approving policies and monitoring how information flows. Governance extends down through the other staff involved to the security officers at the gate.

Forming a team in this company is guided by the knowledge that the personnel required should understand the seismic information security policy, the standards to be met and the procedures involved (Craig, 2005). He observes that it is the people involved, and not the technology, that are the weakest link in the security of information. The California Office of Information Security and Privacy Protection (2008) agrees that people can either make or break your business. Managing information security effectively requires that management hires people with the right qualifications to execute the management program. Terry Hancock, the CEO of Easy I Group, says that “The complexity and criticality of information security and its governance demand that it be elevated to the highest organizational levels.” (IT Governance Institute, 2006). The security plan starts from the management and goes down to the systems level. The main aim of the security plan is to position staff into the key roles.
The main aim in deciding who goes to which team, and the role each person is to play, is to develop a human firewall. Team members should understand the organization's security requirements, because personnel need to understand the security implications for the future business plans of Perth Information System Ltd. There is a risk because, should competitors understand the software and the information, they would be in a position to use the information as a competitive tool. Before personnel can take on any role, PISL ensures that they are trained and that they understand the sensitivity of the kind of information the company holds. The roles involved have to do with the protection of the software and the seismic data. The team is concerned with protecting against unauthorized access to the server room, the wiring closet and the processing room, which contains the servers and workstations of the processing department. All new staff members are given accounts with passwords created for them. They are required to adhere to the IT policies, which require them not to write down their passwords in plain text and to change their passwords periodically. They are allowed minimum access to important information until their credibility is established.

Workshop 2 Defining physical resources at risk

Security is established for the physical infrastructure of the organization, including the people, the hardware, physical products in print form and the buildings. Security will follow four main steps: avoidance, reduction, sharing (by insuring and outsourcing) and retention (by accepting and budgeting for security). This will mainly include a network of people's activities to support the organization's operations. The security will entail the key roles of the administration, the support staff and the security department. This will be systematically divided according to the organization's layout, facilities, level of control and capabilities.
The process involves the appointment of a security team comprising key members, identification of the niche of operation, and evaluation and monitoring through continuous reporting (Parker, 2006). At administration level, two people, the director and the assistant director, will be in charge of compiling the organization's current and additional infrastructure. They will also direct facilities in storage for repair or system upgrade. The list will be assessed at the end of every week from the various departments to confirm that all facilities are available and in order. They will ensure confidentiality, integrity and availability (CIA); the organization's software, hardware and communication systems will be integrated to enhance security standards for personal, physical and organizational prevention and protection. They will monitor the security system and determine the duration of work for each team in the organization.

The support staff includes all levels of services using the facilities, rooms, laptops, handheld computers, books, storage devices and other physical facilities. Policies will be established in each department for locking up the server room and for encouraging occupants to make good use of locks and room doors. Policies will regulate entry and access to personal workplaces at specific times such as lunch, occasional breaks, and late and out-of-office hours, and will also promote locking rooms and facilities when unoccupied. Every department will designate the persons responsible for holding the keys and key codes for certain critical machines and laptops. This is central to avoiding enormous damage, so access to server switches, routers, other devices and cables will be regulated internally. The team comprises the designer, user, operator and other people such as the repair and maintenance team.

The security department will include the routinely outsourced staff from security firms. They will be responsible for continuous security throughout, at specific assigned places and facilities, and when requested by staff members.
They will direct and regulate the activities of outsiders at the doors, lifts, packing bays and internal open areas (Kumar, Telang, & Mukhopadhyay, 2007). Alongside the security guards, other mechanisms that will be established and regulated are physical control systems comprising doors, locks, fire alarms in case of fire outbreak, fire suppression systems, barricades, cameras and fencing. Printers and caskets will be fixed and bolted down to deter hackers. Security guards will secure deserted places and unused workstations. Physical controls such as networks and servers will be separated from workplaces. The organization will identify, select and implement an appropriate control, assessment and recovery method through insurance regulations and government laws that safeguard industrial sectors' activities and properties against such threats (Mouratidis & Giorgini, 2004).

Workshop 3 Defining technical resources at risk

The technical resources at risk include data, processes and technology. The software, the people holding the information and the process operators fall in this category. The administrative and management policy will involve the human resource department in communicating security norms. The people involved (IT specialists, database administrators, network engineers and end users of data) will know the standards and the sanctions for misconduct, in order to prevent such actions and control threats. This is done by specifying actions that safeguard the confidentiality of the organization's processes. Lack of accountability, or misuse of authority by those to whom it is delegated, will lead to the application of penalties and sanctions. To reduce vulnerability, internal separation of duties will control the cycle of task completion, for example by having different people act as programmer, administrator and database administrator. The surveillance that is set up will contribute greatly to prevention. In case of a malicious person breaking in or of misuse, the surveillance mechanism will establish it.
A different person assigned should have the badge and certification from the authorizer. A log book in which people can sign in will be kept at the entry. A better authentication system, such as the use of smartcards and biometric scans to unlock the doors and for access to data, will be appropriate. An internal video camera will make it hard for persons to find, disable or tamper with gadgets, devices and information. This will be an advantage since it provides continuous monitoring. The cameras can also be set to detect motion and to report through alerts and emails when a person is noted in the wrong place at the wrong time (Desouza, 2009).

The facilities for capturing, transmitting, storing, retrieving, manipulating and displaying information will be protected. Locking up vulnerable devices and protecting portable facilities such as handheld computers and laptops will promote security. Management will consider disabling drives in some machines to prevent the use of removable media onto which employees can copy information. Such actions include the removal of floppy drives and discouraging access by external drives at USB ports. On such laptops the ports may be permanently blocked with glue. Internal disk locks will block the use of other diskettes.

The organization will protect printers that pose security risks because their on-board memories store document content. To prevent hackers from accessing the information in the memory and making copies of recent work and printed documents, such printers will be locked when not in use. Other printers in workstations, and servers storing important information, will be locked in secure locations and bolted down to prevent people from walking away with them. Extra copies, meaning those that are imperfectly printed or left in the printers, will be sorted before final disposal. Key responsibilities will involve risk management aspects to reduce risks to acceptable levels.
This is done by informing employees and others involved about the changes made in the organization. Other responsibilities include protection from threats and identifying the vulnerability of assets. Risk assessment and management will be done by government officials and the regulatory authority in connection with (if the organization's management allows) the staff and security agents. Interactions with outsiders will be regulated by establishing loyal maintenance and repair agents who can be reached easily in case of a threat. Finally, data will be stored in multiple modes and locations to avoid and mitigate data losses (Parker, 2006).

Workshop 4 Human resources at risk

An information system is the unique combination of information and technology with the roles and activities of the people who support management, operations and decision making in the organization. An information system consists of five major components. The first is the hardware: the physical aspects of the information system, which include computer parts, servers and peripherals. The second is the software, which includes the main system software, the application software and the utility software. The third is the data: all the knowledge and the databases that are in the information system. The fourth is the networks, which include the communication media and the entire network support. The fifth, and one of the most important parts of the information system, is the people who work on the system. They are mainly information technology specialists, who include database administrators and network engineers, and various end users. The end users include data capture clerks.

The human resource is a risk to the information system of the company. Most of the staff are experts in their fields and, as such, they can get any information they need from the company. Various contingency measures and countermeasures therefore need to be put in place to protect the company from this risk.
With their daily and constant interaction with the system, the human resource can attack the information system in the following ways. One way is by accessing confidential information about the company by hacking. This is aimed especially at the future plans and financial data of the company. This data can then be sold to the main competitor, who also has a 40% stake in the market share. As such, there is vital data that should be protected. The other way is through bugging the offices of the company. Through this, outsiders can get to know classified information about the company.

The main thing to be protected in the company is the information system. The data of the programs and projects that the company is planning should be protected. The code for the software and other applications of the company should also be protected. One of the ways through which the company can protect its information systems from the human resource threat is the CIA Triangle (Confidentiality, Integrity and Availability). The security systems of the company should be up to date and of the highest security levels. There should be security levels for the human resource personnel. The passwords set for personnel to access various data and information should be encrypted and changed after a specific period of time. This will ensure that hacking is hard.

According to the policy of the company, an independent human resource company is responsible for recruiting both the permanent and the temporary staff of the company. As such, the company should ensure that the people recruited are of the highest integrity possible. They should be trusted people with no criminal records. When employees are oriented into the company, they should sign a confidentiality clause in their contracts to ensure that they do not leak company information. In case such an event occurs, strict penalties should follow. Prosecution in a court of law should be followed through.
People with a low security level should not be allowed to access some information. The software and the databases of the company should be encrypted with the highest possible security features to ensure that hacking is next to impossible. However, all these measures should be within the legal and ethical limits set by the constitution of the country.

Workshop 5 Process and procedures at risk

Processes and procedures refer to a particular course of action that is intended to achieve a specific result. In the company, there are numerous processes and procedures that are followed in the daily running of the company. The security procedures include those for checking the cars, visitors, staff and equipment of the company. The procedures that are at risk are the checking of staff and computer systems. The policies and procedures that are put in place are intended to keep the company and its security systems safe from any possible attack.

First of all, all the cars in the basement and at the car park entrance are to be inspected. The company should ensure that security personnel confirm that no car is bugged or poses any security risk to the company. Secondly, the people entering the company's premises should be authorized to be there. Visitors should be inspected, and the personnel should ensure that visitors do not access places where they are not authorized to be. Visitors should be in the building only for official functions and not for personal issues.

The process of obtaining new members of staff should also be strictly conducted. All staff must be scrutinized extensively and their roles clearly outlined for them. Conflict of interest should be avoided at all costs. In the company, the cleaning services are outsourced from a contractor. As such, the members of staff of the contractor company should ensure that the cleaning staff stick to the rules and regulations stipulated by the company.
As such, they will not visit unauthorized places or access classified data.

The process of developing the software that is used for the business should be specific and particular to the company. As such, there will be no threats to the information of the company. The people involved in development and upgrades should sign a confidentiality document not to spill the secrets of the company or the product. Before the implementation of the system, the process of patenting the application software and systems should be carried out. The patenting will help in securing the information of the company and its trade secrets. The process of research and development should also be well structured. The people being consulted for the work should be adequate and trustworthy. The other option to be included in the research and development procedure is to minimize the number of people involved, from the consultancy to the implementation of the plan. As such, the risk of the process being infiltrated and insecure will be slim.

In case of failure of any of the processes and procedures involved in the security of the company's system, there should be contingency measures. These may include legal action against people who go against the processes and procedures. There can also be an emergency procedure to override any failing process. However, the processes, procedures and contingency measures should be within the legal and ethical frameworks of the law.

References

California Office of Information Security and Privacy Protection. (2008). Guide for the Role and Responsibilities of an Information Security Officer within State Government. Available at http://www.cio.ca.gov/ois/government/documents/pdf/iso_roles_respon_guide.pdf

Desouza, K. C. (2009). Securing information assets: The great information game. Business Information Review, 26(1), 35-41.

IT Governance Institute. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. IT Governance Institute. United States.

Kumar, V., Telang, R., & Mukhopadhyay, T. (2007). Optimally securing interconnected information systems and assets. Public Policy, 1-28.

Mouratidis, H., & Giorgini, P. (2004). Analysing Security in Information Systems. Procs of the Second International Workshop on Security In Information Systems WOSIS 2004.

Parker, D. B. (2006). Ethics of Information Security. Information Systems Security, 5(1), 20-23.

Wright, C. (2005). Implementing an Information Security Management System (ISMS) training process. SANS Darling Harbour.