Information Security Management System - Coursework Example

Name Institution Course Date Table of Contents Information Security Management System 3 1.0 Introduction 3 2.0 Information Systems Security Management 5 2.1 Information Security Management 5 2.2 Information security standard 6 3.0 Analysis of the literatures on the information security domains 7 3.1 Risk 7 3.2 Control 11 3.4 Standardization 12 3.5 Behavior 13 3.5 Technology 13 4.0 Research sponsors 14 4.1 Academic 15 4.2 Industry 15 4.3 Government 15 4.4 Military 15 5.0 Critical Review 16 5.1 Information System Security Management in the New Millennium (Dhillon & Backhouse 2000) 16 5.2 Critical Success Factors Analysis on Effective Information Security Management (Tu & Yuan 2014.) 17 Conclusion 18 Information Security Management System 1.0 Introduction Information has and continues to play a vital role in business environment. Wang (2008 p.761) writes that information is a major organizational asset. Decision making process relies solely on the amount and the accuracy of information which an organization has gathered. Wang (2008 p.767) indicates that relevant, specific and correct information can bring a massive difference to performance and efficiency of an organization. Business organizations rely heavily on gathered information to make marketing decisions and gain competitive advantages. However, information is susceptible to distortion and theft and the security of valuable information is a major aspect of an information systems management. In the 20th century, the security of information was not a major concern as most of data were transmitted and stored in hard copies. These copies could be stored in secured places hence protecting them from distortion and getting to wrong hands. However, in this information era, information is gathered, transmitted and stored online using electronic devices. Although this technology has hugely improved management of the information, the security of the data has become an increasingly problem in the recent couple of years. The number of security issues has become rampant in the past one decade and organizations have focused their attention on securing their data and information. According to a study conducted in 2014, information security issues have become daily phenomenon around the world (Yeh 481). Cybercriminals and internet hackers have and continue to utilize vulnerable aspects of information systems to access valuable and sensitive information. The research indicates that billions of dollars are lost every year due to online security issues (Yeh 482). Since the beginning of the 21st century, numerous research studies and literatures have been made to address information systems security management. Unfortunately, a large number of the research studies has been made by military organizations and have not been made available to public. In addition, some organizations are reluctant to reveal their research for security purpose of their data. This paper will analyze academic research studies undertaken in the 21st particularly in the various domains of information security management. The paper began the analysis by defining various terms used in information security management system and the threats associated with management information (Agnihotri 49). Organizations gather, process, transmit and store data which is relevant to their operations. According to Yeh (2014 p. 490) when a data is analyzed and presented in a useful manner, it becomes information. Therefore, information refers to the relevant and valuable data to an organization. This information requires to be protected from distortion or landing on wrong hands. Distortion of information can result to misinterpretation and confusion in an organization. Additionally, valuable information can be used by the competitors to gain competitive advantage in the market, hence the need to protect them. The management of the information systems is essential to ensure the security of the data. Yeh defines information system security management as protection of information from a wide of threats to maximize return and business opportunities, minimize business risks and ensure business continuity (2014 p. 490). The protection ensures that only the authorized individuals have the access to the information. In their article, Doherty and Harrison (2006 p.59) argue that the primary aim of information security is to protect the valuable information resources such as software, hardware and skilled employees. The security ensures that these resources are protected against any individual who may try to access confidential and valuable information of an organization. The application of information security measures protects the valuable information hence safeguarding the secrets of an organization. This protection is necessary to ensure the tangible, intangible, financial resources and reputation among other resources is secured from potential threats (Doherty & Harrison 61). 2.0 Information Systems Security Management 2.1 Information Security Management There are considerably a large number of literatures that deal with management of information systems security. According to these literatures, information security management is an indispensable aspect of organization management. In this information era, organization are gathering large amount of information which are transmitted and stored in electronic devices. The management of the information is intended to identify the current security status of an organization and provide a broader view of the business risks. According to Doherty & Harrison (2006 p. 47), information system security management follows some specific procedures meant to ensure the integrity, confidentiality and availability of the valuable business information. The first procedure is to analyze and identify the risks that are likely to affect the information in an organization. This analysis is done repeatedly and a health report of the information system is developed. The second procedure is to examine the nature of the risks in the system and generate several solutions to redress the risks. The third procedure is to choice the best solution to deal with the risk and implement it. The implementation of the choice made is followed to ensure it address the risk. The security requirements should be aligned to business strategies to minimize friction in the organization (Doherty & Harrison 63). 2.2 Information security standard Information security standards are well documented in the academic sector. Initially, the focus of the security measures was on the technical aspects of information systems used to gather and store information. The systems were equipped with sophisticated technical security protections which eliminated vulnerability of the systems. However, system hackers changed their techniques to exploit weakness in human management and operational aspects of the systems. Today, information security standard is a comprehensive and a broad discipline that encompasses both technical and management aspects of risks management (Coles-Kemp and Theoharidou 47). The ISO standards provide the basic standard which any system should meet. The standards combine the technological and operational aspects of security management information. The ISO27001 standard defines the framework of an information security system. It provides the steps which should be adhered when developing a security system. The ISO/ IEEC 27002 standards encompass the operational or the management aspect of information systems security. A large number of organizations around the world base their information security on the ISO standards. However, the standards for an organization differ with another due to the fact that organization modifies their security standards to meet their unique security requirements (Coles-Kemp and Theoharidou 47). . 3.0 Analysis of the literatures on the information security domains Over the past one and half decades, different analysts have focused their research studies on different domains of information security management systems. The major domains of the security systems include risks, control, behavior, standardization and technologies (Solms 47). The domain of risks is arguably the most studied aspect of the information security system. The situation can be attributed to the increasingly need to protect information from internet hackers. This section will analyze the literatures in each domain mentions above. 3.1 Risk It is an undisputable fact that the primary purpose of information systems security management is to address potential threats or risks in information systems. It is not, therefore, surprising to note that this domain has attracted countless of research studies in the recent years. In this paper, 12 research papers are analyzed that capture a wide range of risk issues such as information security threats, risks management, emerging risk security issues and economic factors in the risk management. A research done by Hone in 2009 identified a number of information security issues. According to the research, information threats include money theft, theft of information distortion and alteration, theft of services, damage of software and trespasses (Hoy & Foley 11). Today, a large number of the computer hackers are targeting money transaction information. In these risks, money transactions are accessed by unauthorized individuals who alter the communication and stole money in the process. According to Hone (2009 p. 420) money theft takes about 44 percent of the total information security issues. The damage of software and data by use of viruses and worms also take a major percentage of the total information security frauds. Some computer hackers spread worms and viruses to other systems hence damaging software and data of different organization. Distortion of the information to suit some individuals is also a concern in the information security management. Figure 1: Types of information Threats (Hone, 2009 p. 420)) Risks management procedures have been comprehensively addressed in almost all the papers dealing with information security threats. Although the papers have some slight differences, the basic procedures of the risks management are merely the same. The process begins by identifying potential risks. This requires an expert in the area to identify the vulnerability or weakness of a system. The second procedure is to evaluate the magnitude of the risks and the consequences likely to occur. A corrective measure is devised and implemented accordingly to arrest the risk it occurs. The final procedure is to monitor the measures taken to ensure that they meet the intended objectives (Onyeji & Joseph 54). A number of studies pay some attention to the emerging security issues. In particular, nine of the twelve papers on the risks management acknowledge the rapid increasing security threat of cybercrimes. It will be therefore, fairly to give an analysis of this emerging trend as it is and continue to be a major security threat to information systems. In his article, Anderson writes that the information security is not only a concern in business environment but also in the national governance (Anderson 28). Cybercrime and cyber warfare have become major aspect of information security management as nations focus on information wars. According to a study conducted in 2013, cybercrime is a daily issue with more than ten cases reported every single day (Ouedraogo & Holland 67). Banks, financial institutions and government institutions record millions of dollars lost as a result of cybercrime. In addition to the cybercrime, cyber warfare has gradually take shape as military agencies intrude to other countries information systems to steal security information and innovative developments. China has been accused countless time of intruding in the national information systems of the USA and stealing large amount of information ranging from security information to intellectual property. Today, the two countries are invariably cautious of each other. Over the years, the US has also been notorious in this cyber warfare to tame most of aggressive countries such as Iran, Russia and Korea. In 2010, information systems contain Iranian nuclear plant details were attacked by Stuxnet worm. Onyeji and Bronk (2014) write that the number of cases of cyber warfare among the countries is considerably high but the details of the cases have been hidden from the public for security purpose. All the paper dealing with the security issues conclude by stating the need for an aggressive and comprehensive risk management procedure. Figure 2: Percentage rise of cybercrime since the year 2000 (Onyeji and Bronk, 2014 p. 67) 3.2 Control Control of information systems security is as important as the risks domain of the systems. It is not therefore, surprising that there are numerous research studies addressing this domain of the information system. This paper analyzed ten research papers done in the past one decade. The papers cover a wide range of control aspects such as mitigation techniques, control of information security management, and policies of security requirement. Tanaka and Sudoh (2005, p.40) define control as the policies, procedure and mechanisms used to ensure that the management responds to potential risks. Control activities mitigate the effects of risks. There are numerous types of preventive, detective, corrective and internal control. Anderson writes that, due to the advanced technology which has swept across information sector, control of information systems has become more sophisticated. However, he argues that effective policies and procedures which integrate both operational procedures and technical measures can enhance control of the information systems. The most common form of control in the information security system is use of logs in, firewalls, antivirus and proxy setting. Passwords and usernames are used to restrict people from accessing organizations’ information. Authorized individuals can assess the information by logging into their systems. Anderson (Anderson, p.130) writes that logs in are the basic control measures and can be also of risks as human beings are prone to errors. However, when the right procedures are adhered, this control method is effective and less costly. The increasingly cases of hackers circumnavigating around systems and bypassing passwords in the recent years has raised concern over the effectiveness of the method. Other method used to control information system includes system administrations who monitor the statues of the system periodically to ensure that no threat in the system. Experts are in the process of developing automatic, more effective and cost effective control mechanism (Anderson 169). 3.4 Standardization There are numerous industry sponsored research papers that address the domain of the standardization of information security management and this paper analyzed six research papers dealing with standardization of information systems security management. The most common standardization systems include ISO 27001, NIST 800-26, HIPAA and PCI-DSS. ISO 27001 has been used widely in standardizing information management security systems in the past one decade (Cone &Thuy 58). The system helps information security experts to identify and mitigate a wide range of information security threat. The standardization provides the adequate security controls give confidence to the customers and other stakeholders of an organization. Some of the areas addressed by this standardization include asset management, human resource security, security policies and information security acquisition, development and maintenance. NIIST is another major standardization system used by many organizations to protect their information. The standard was developed by federal agency in US. Commerce Department’s Technology Administration. The administration has developed the security measures over the years to meet military and commercial needs. Today, a good number of commercial as well as government agencies are basing their security management on the guidelines outlined by the NIIST (Cone & Thuy 67). The other standardization systems are also used by different organization to meet their specified security requirement. All the research papers in the domains seen to support standardization of the information security system management to enhance the security of the data stored (Boddy & Steven 138). 3.5 Behavior This domain has become a major focus in the risk management. Five research papers on this domain were analyzed in this research paper. According to Al-Salihy (2008, p.717), management of information security systems combines both the technical and operation aspects of the management. The behavior domain focuses on the information security risks resulting from employees’ behavior or action. Today, organizations around the world have established an organization culture that pay a lot of attention on security of information at all times. The employees are encouraged to be cognizant of the potential risks and adhere to the set guidance to avoid compromising the information system Schlienger &Teufel 136) 3.5 Technology Advanced technology has swept across all aspects of human life and the information security management system has not been exceptional. Four research papers on technology domain of information security management system are analyzed in this paper and wide range of issues emergency. Technology has hugely affected various aspects of information ranging from system controls, vulnerability management, cloud computing security, virus and worm attacks and firewall and intrusion. Shapiro (2010 p.200) indicates that there are numerous technological inventions that are current under study and are likely to bring huge changes in the information security management systems. Despite the numerous technological advancements, the major emerging issues in the sectors include cloud computing security and industrial control systems security. Cloud computing has become a major technological invention in information management system. The technology refer to a kind of computing that depend on sharing computing resources instead of personal devices or local servers to handle various application. The technology provides a platform through which consumers and organization can access data without storing them in their network. Cloud computing security is based on unidentified location of data and hence difficult to alter the information (Vermeulen & Solms 116). However, there is a growing concern over the security of the data when in transmission. Most of the industries have become computerized and information about the operation of various aspects of the industries are shared and stored in electronic device. The information systems in these industries are connected with internet. In the recent years, sensitive industrial plants have been target of security issues and the industrial control systems security was invented to protect the data and ensure continuity of the operation of the business operations (Shapiro 38) 4.0 Research sponsors The aim of conducting any research study is to provide solutions to existing problems or bring to the attention of the people a challenge that need to be addressed. However, the motivating forces behind research are different from one research to another. Students in institutions of high learning are motivated to carry out study by academic forces. In the industrial, organizations assign some experts the responsibility of conducting a research in a specified topic. Governments and military agencies are invariably conducting research studies to deal with the numerous issues affecting the nations and security. These four sectors become the major sponsors of the research studies in modern society. 4.1 Academic Fifteen papers used in this research paper are academic sponsored. These papers were conducted by students and experts for academic purposes. Other individual involved in the studies include professors and lecturers working in these institution of high learning. 4.2 Industry Business organizations often hire expert or send their employees to perform research study about some issues affecting business environment. These studies are done for business and are financed by the business organizations. These papers are said to be industrial sponsored research papers. Eleven papers used in this research paper are industry sponsored research study papers 4.3 Government Governments’ agencies are invariably conducting research studies to collect information about various variables, useful for national planning. There is numerous science and research centers funded by the government and are responsible for all governments’ research studies. A number of the government research papers are used in this research. 4.4 Military A large number of the research are done by military departments especially issue dealing with security and technology. Unfortunately, these research studies are not availed to the public due to security concern. However, this paper has analyzed a few of military sponsored research studies. Figure 3: Various sponsors and the number of the papers in each category used in this paper. 5.0 Critical Review This section will review two research papers from collection of information management security systems. The chosen papers include Information System Security Management in the New Millennium (Dhillon, 2000, 128-152) and Critical Success Factors Analysis on Effective Information Security Management (Tu & Yuan 2014.) 5.1 Information System Security Management in the New Millennium (Dhillon & Backhouse 2000) The aim of this paper is to bring to the light the importance of protecting organization information in the current technological world. Advanced technology has improved processing, transfer and storage of information in the business environment. However, the technology has come with technology concern as hackers and viral attacks have increased rapidly in the recent years. In the article Tu & Yuan, address the principles that need to be achieved in order to enhance the security of the information systems as the technology becomes advanced. The first principle is maintaining the confidentiality of the information through control methods that restrict data access. The second principle is maintaining the integrity of the data stored and transferred by an organization. The third principle discussed by the paper is responsibility of the every individual in an organization towards information security management systems. Employees in an organization should ensure that they act responsibly in order to mitigate the potential risks. Other principle includes trust and ethicality principles. The study conclude that in order to deal with the information threats that come with the advanced technology, organizations need to focus on some human principles such as integrity, confidentiality, responsibility, trust and ethicality. This paper focuses on human and operational aspects of information security management rather than the technical aspects of the systems. These principles are usable in the industry and should be embraced to deal with the information security risks. 5.2 Critical Success Factors Analysis on Effective Information Security Management (Tu & Yuan 2014.) Tu and Yuan focus their study on the risk domain of information system security management. They began by stating the potential threats in the sector namely data loss, viruses and warms and various types of hackers. These possible threats compromise confidentiality, integrity and availability of the data. The paper discusses the factors that contribute to the successive information security system. According to the article, the factors that contribute to successful information security management include organizational support, business alignment, organizational awareness, IT competencies, and performance evaluation. Management decisions and organizational structure around information security management plays a major in enhancing security of the information in an organization. Aligning business objectives and information security objectives reduces the friction in an organization and hence is a factor of an effective information systems security management. Human factors that affect the employees in relation to information security management need to be addressed comprehensively. IT competencies refers to the capacities of an organization necessary to fulfill the IT and business objectives. Performance evaluation is necessary to determine the effectiveness of a system. This paper reveals some practical features of an effective information systems security management. Every organization should ensure that their systems meet these features in order to protect their information. Therefore, these features will help organization to determine whether their systems have the necessary requirement. Conclusion This paper has analyzed thirty seven academic research studies undertaken in the 21st particularly on various domains of information security management. Information is a vital asset of an organization and is necessary to protect it to ensure continuity of business operations. The advanced technology has made management of information sophisticated as the number of online hackers and viral attacks continue to increase. In order to address the problem, analysts have undertaken numerous studies on various domains of the information security system management such as standardization, control, risks, behavior and technology. Risk domain has attracted numerous analysts who have provided valuable information about risk management in information systems security management. Standardization and control have also been major areas of research among the analysts in the information systems security management. Employee behaviors are increasingly attracting researchers as they affect the security of information systems. Lastly, advanced technology has continued to affect information security systems and analysts have continued to focus on its impact in the management. These research studies have contributed significantly to the development of the information systems security management. The sponsors of these studies include government, military, industries and academic institutions. Most of the researches are academic while the military sponsored are limited due to security issues. Works Cited Al-Salihy, Soria. “Effectiveness of information systems security in IT organizations in Malaysia”. Proceedings of 9th Asia-Pacific Conference on Communication (2008) 2 (4), p.716-720. Print Anderson, Kelton. “Convergence: A holistic approach to risk management”. Network Security, (2007) 5 (7) p. 4-37. Print. Agnihotri Newal. "Training and Information Technology Issue, 2005." Nuclear Plant Journal (2005) 3 (7), p. 47-78. Print. Coles-Kemp, Lizzie, and Marianthi Theoharidou. "Insider Threat and Information Security Management." IEEE Security & Privacy (2010), 7 (2) p. 37-89. Print. Boddy, Mark and Steven Harp. "Course of Action Generation for Cyber Security Using Classical Planning." Computers & Security (2005), 8 (4) p. 67-123. Print. Bornman, Werner, and Les Labuschagne. "A Framework for Information Security Risk Management Communication." Computers & Security (2005), 38 (5) p. 121-178. Print. Cone, Benjamin  and Thuy D. Nguyen. "A Video Game for Cyber Security Training and Awareness." Computers & Security (2007), 5 (6) p. 47-121. Print. Eloff, Jan H., and Mariki Eloff. "Information Security Management: a New Paradigm." IEEE Journal on Selected Areas in Communications (2003), 5 (6) p. 121-281. Print Doherty, Nelson., & Fulford Harrison .”Aligning the information security policy with the strategic information systems plan”. Computer and security (2006) 28 (4) p.55-63. Print Dhillon, Gurpreet.” Challenges in managing information security in the New Millennium”. Information Security Management: Global Challenges in the New Millennium Hershey, 2001. 9 (8) pp 128-152. Print. Dark, Melissa J. "Civic Responsibility and Information Security: an Information Security Management, Service Learning Course." Information Management & Computer Security (2004), 21 (5) 48-129. Print. Gillies, Alan. "Improving the Quality of Information Security Management Systems with ISO27000." The Tqm Journal (2011), 58 (5) p. 98-118. Print. Hoy, Z., & Foley, A. A Structured approach to integrating to audits to create organizational efficiencies: Total Quality Management $ Business Excellence, 2009, 10 p. 1-13. Print. Hone, Kelvin “information security policy: what do international security standards say?” Computer and security, (2009) 21 (5) p 402-429. Print. Julisch, K., & Hall, M. (2010). Security and Control in the Cloud. Information Security Journal A Global Perspective, 19 (6) p. 299-309. Print. Kwon, Sungho, Sangsoo Jang, and Jaeill Lee. "Study on the General Defects in the Information Security Management System (ISMS)." Isa Transactions (2006), 32 (5) p.42-67. Print. Khidzir, Nik Z., Azlinah Mohamed, and N. H. Arshad. "Information Security Risk Management: An Empirical Study on the Difficulties and Practices in ICT Outsourcing." Computers & Security (2010),8 (6) p. 57-78 Print. Nnolim, Anene L., and Annette L. Steenkamp. "An Approach to Information Security Management." Isa Transactions 8 (3) 16-34. Print. Niekerk, Liesl V., and Les Labuschagne. "The Peculium Model: Information Security Risk Management for the South African SMME." Computers & Security (2006), 4 (3) p. 48- 98. Print. Onyeji Bazilian & Bronk,Joseph. “Cyber Security and Critical Energy Infrastructure”. The Electricity Journal, 2014 27 (2) p.52–60. Print. Ouedraogo Mourince., & Mouratidis, Holland. “Selecting a Cloud Service Provider in the age of cybercrime”. Computers & Security, (2013) 38, 3–13. Print. Liu, Waka, “Empirical-Analysis Methodology for Information-Security Investment and Its Application to Reliable Survey of Japanese”. Firms, Regular Paper, IPSJ Digital Courier, 3: 585–599. Print. Purser, Samuel. “Improving the ROI of the security management process”. Computers & Security, (2004) 23(7), 542–546. Print. Parkin, Simon E., Aad P. Moorsel, and Robert Coles. "An Information Security Ontology Incorporating Human-behavioural Implications." The Tqm Journal (2009): 2 (1) p. 3-16 Print. Papadaki, Katerina, and Nineta Polemi. "Towards a Systematic Approach for Improving Information Security Risk Management Methods." Computers & Security (2007), 4 (5) p.45-67. Print. Ralston, Graham, and Lieb Herb. "Cyber Security Risk Assessment for SCADA and DCS Networks." Isa Transactions (2007), 5 (6) p. 127-178. Solms, Rossouw V. "Information Security Management: Why Standards Are Important." Information Management & Computer Security (2000), 3 (9). P 58-128. Print. Solms, Rossouw V. "Information Security Management (3): the Code of Practice for Information Security Management (BS 7799)." Information Management & Computer Security (2001), 3 (12), p. 37-129. Print. Shapiro Varian “ Information Rule”, Harvard Business School Press, 2010, 8 (7) 187-205. Sundt, Ceros . “Information Security and Law” Information Security Technical Report, 11(1) pp. 7-18. Print. Schlienger, Thomas, and Stephanie Teufel. "Information Security Culture: The SocioCultural Dimension in Information Security Management." Computers & Security (2002):, 8 (5) p.69-129. Print. Stepanova, Daria, Simon E. Parkin, and Aad P. Moorsel. "A Knowledge Base for Justified Information Security Decision-making." The Tqm Journal (2009), 8 (5) p. 67-121. Print. Tanaka Matsuura & Sudoh, Obara. “Vulnerability and Information Security Investment: An Empirical Analysis of e-local”. Government in Japan, Journal of Accounting and Public Policy, Elsevier, 2005 (24): 37-59. Print. Tu Cheng & James. Yuan. Critical Success Factors Analysis on Effective Information Security Management. Business information management, (2014) 6 (7) 109-121. Wang Song, “Towards an optimal information security investment strategy, IEEE Conference on Networking”. Sensing and Control 2008 , April 6 (7) pp. 756 – 790. Vermeulen, Clive, and Rossouw V. Solms. "The Information Security Management Toolbox - Taking the Pain out of Security Management." Information Management & Computer Security (2002), 7 (4) p. 67-120. Print. Yeh Change. “Threats and countermeasures for information system security”. A cross- industry Study. Information and management (2014) 44 (7) 480-512. Print Read More