Management and Information Security - Assignment Example

Summary
The paper "Management and Information Security" is an assignment on management. Sensitive information is information that must not be compromised through alteration, corruption, misuse, loss or unauthorized disclosure; if it is compromised, the result can be serious harm to the organization that holds it…
Extract of sample "Management and Information Security"

Question one

Sensitive information is information that must not be compromised through alteration, corruption, misuse, loss or unauthorized disclosure. If it is compromised, the result can be serious harm to the organization that holds it. Information is normally considered sensitive if a loss of confidentiality or integrity could be expected to have a serious adverse effect on the operations and assets of an organization or individual (Aloise, 2010). Sensitive information can be categorized in various ways, normally along personal and organizational lines, giving four categories: personal information, routine business information, confidential business information and private information (Brown, 2008). Brown (2008) describes personal information as information about an individual employee that an organization treats as sensitive: race or ethnic background, philosophical beliefs, sexual orientation and practices, criminal records, health information and political opinions. Routine business information is business information that needs no special protection and may be shared freely with anyone inside or outside the organization (Pijpers, 2010). Private information is the broad range of information whose disclosure could harm an individual; sensitive information in this category normally relates to a single person. Confidential business information is information whose exposure would damage the organization; most trade secrets fall into this category (Martin, 2008). When designing a system, the number of categories required can be determined through a classification process.
According to Pijpers (2010), classification is a way of grouping things so that they can be treated as a single unit. To decide how many categories a system needs, it is essential to understand how tasks and responsibilities are divided in the organization. Systems exist to deal with particular problems and tasks (Martin, 2008); systems that perform similar tasks can be placed in one group and those with differing tasks in different categories, so classification yields the number of categories the system needs. A category of information system is only a concept, an abstraction developed to simplify complicated tasks by identifying areas of commonality among different things (Pijpers, 2010). The number of categories is not free of downsides at either extreme: with very few categories, information that must be handled quite differently ends up under the same controls, and with very many, the labelling and handling rules become hard to apply consistently. The right number is the smallest that still separates information whose required handling differs.

Question two

The Brewer-Nash model was developed for use in the financial sector. It protects the confidentiality of data, and through its write rule also its integrity, by ensuring that no conflict of interest arises between competing firms. Under the model, an analyst who holds inside information about one firm's clients must not advise a competing firm about clients, but may advise any firm that is not a competitor (Whitman & Mattord, 2010). Brewer-Nash is a good choice where the confidentiality and integrity of a firm's information must be preserved against such conflicts. For instance, consider three firms, F1, F2 and F3, and two users, U1 and U2. Assume that F1 is in conflict with F3, that F1 is not in conflict with F2, and that F2 is not in conflict with F3.
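The three-firm scenario just set up, run through both Brewer-Nash rules. This is an added example and is not part of the essay or of any product: the conflict classes, object names and the small ChineseWall API are assumptions for illustration, and the *-property is implemented in the common history-based form (a subject may write into a company's dataset only if it has read unsanitized data from no other company). The class works for any number of conflict-of-interest classes, not only the single F1/F3 conflict in the scenario.

```python
"""Brewer-Nash (Chinese Wall) access checks, run over the three-firm scenario.

Added example, not part of the essay and not a real product's code. The
conflict-of-interest classes, object names and this API are assumptions for
illustration. The *-property is implemented in the usual history-based form:
a subject may write into a company dataset only if it has read unsanitized
data from no other company.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    """An object held in a company dataset."""
    name: str
    company: str             # the company dataset the object belongs to
    sanitized: bool = False  # sanitized (public) data raises no conflict


class ChineseWall:
    def __init__(self, conflict_classes):
        # Map every company to the conflict-of-interest class it belongs to.
        # Companies in no class (here F2) conflict with nobody.
        self.coi = {}
        for cls in conflict_classes:
            for company in cls:
                self.coi[company] = frozenset(cls)
        # Per-subject history: companies whose unsanitized data it has read.
        self.history = {}

    def _conflicts(self, seen, company):
        """True if the two companies are distinct members of one COI class."""
        return seen != company and company in self.coi.get(seen, frozenset())

    def can_read(self, subject, obj):
        """Simple security rule: a read is allowed if the object is sanitized
        or if no competitor of obj.company is already in the subject's history
        (more of a company already read, or an unrelated company, is fine)."""
        if obj.sanitized:
            return True
        return not any(self._conflicts(seen, obj.company)
                       for seen in self.history.get(subject, set()))

    def can_write(self, subject, obj):
        """*-property: a write is allowed only if the read rule permits it and
        everything the subject has read (unsanitized) lies in obj.company, so
        no other company's data can be copied across the wall."""
        if not self.can_read(subject, obj):
            return False
        return self.history.get(subject, set()) <= {obj.company}

    def read(self, subject, obj):
        """Perform a read if permitted, recording it; return the decision."""
        if not self.can_read(subject, obj):
            return False
        if not obj.sanitized:
            self.history.setdefault(subject, set()).add(obj.company)
        return True


def run_scenario(enforce_star=True):
    """Walk the essay's scenario and return each access decision by label.

    With enforce_star=False only the simple security rule is applied, which
    is what lets F1's data reach a reader of F3 via the shared dataset F2.
    """
    wall = ChineseWall([{"F1", "F3"}])          # F1 and F3 compete; F2 is neutral
    f1 = Obj("F1-client-list", "F1")            # constructed sample objects
    f2 = Obj("F2-client-list", "F2")
    f3 = Obj("F3-client-list", "F3")
    f3_public = Obj("F3-annual-report", "F3", sanitized=True)

    d = {}
    d["U1 read F1"] = wall.read("U1", f1)       # first read: anything goes
    d["U1 read F2"] = wall.read("U1", f2)       # F2 conflicts with nobody
    d["U1 read F3"] = wall.read("U1", f3)       # denied: competitor of F1
    d["U1 read sanitized F3"] = wall.read("U1", f3_public)  # public data is fine

    # U1 tries to copy what it learned from F1 into F2's dataset.
    if enforce_star:
        d["U1 write F2"] = wall.can_write("U1", f2)  # denied: U1 has read F1
    else:
        d["U1 write F2"] = wall.can_read("U1", f2)   # read rule alone allows it
    f1_data_in_f2 = d["U1 write F2"]

    d["U2 read F2"] = wall.read("U2", f2)
    d["U2 write F2"] = wall.can_write("U2", f2)  # allowed: U2 has read only F2
    d["U2 read F3"] = wall.read("U2", f3)        # allowed: F2 and F3 do not conflict
    d["U2 write F2 after F3"] = wall.can_write("U2", f2)  # now denied by *-property
    # Without the *-property U2 now holds F1's data (via F2) alongside F3's.
    d["F1 data reaches a reader of F3"] = f1_data_in_f2 and d["U2 read F3"]
    return d


if __name__ == "__main__":
    for enforce in (True, False):
        print(f"*-property enforced: {enforce}")
        for label, allowed in run_scenario(enforce).items():
            print(f"  {label}: {allowed}")
```

Run with enforce_star=False, the simple security rule alone lets U1 copy F1's data into F2's dataset and lets U2 legitimately read both F2 and F3, which is the indirect leak described next in the essay. With the *-property, U1's write is refused, while U2, who has read only F2 at that point, may still write to F2; once U2 has also read F3, that write is refused too, because the check is on the subject's whole read history.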
If U1 accesses information of F1 and F2 while U2 accesses information of F2 and F3, then U1 can read F1's data and carry it into F2's dataset. U2, who may legitimately read F2, then obtains F1's information as well, and now holds data that conflicts with the F3 data he or she already has. To avoid this unintentional disclosure, the users' access must be controlled by applying the model's two rules. The simple security rule permits a subject to read an object only if the object belongs to a company dataset the subject has already read from, or to a company in a different conflict-of-interest class from every company the subject has read. The *-property permits a subject to write to an object only if the subject can read no unsanitized object belonging to a different company dataset; in the scenario, U1 may not write into F2's dataset after reading F1's, so nothing F1-specific can reach U2. The model therefore confines users to information that cannot be carried into a competing company. Other models, Bell-LaPadula and Biba, suit situations that need confidentiality or integrity of a company's information, and apart from Brewer-Nash they are the best known security models. Bell-LaPadula is concerned with confidentiality. It distinguishes two kinds of entities, subjects (active) and objects (passive), each carrying a security level: a subject may read an object only if the subject's level dominates the object's (no read up), and may write an object only if the object's level dominates the subject's (no write down). Biba concentrates on integrity and uses the mirror-image rules: a subject may read an object only if the object's integrity level dominates the subject's (no read down), and may write an object only if the subject's integrity level dominates the object's (no write up) (Autores, 2011).

Question three

Information security metrics concentrate on the need to comply with information security requirements and on establishing the major control activities (Wilshusen, 2009).
The most common suite of information security metrics includes:
- the percentage of employees and contractors who have received security awareness training;
- the percentage of employees with significant security responsibilities who have received specialized security training;
- the percentage of systems evaluated and tested annually;
- the percentage of systems with tested contingency plans;
- the percentage of agencies with complete inventories of major systems;
- the percentage of systems certified and accredited.

The following roles and information security responsibilities can be gathered for a small internet commerce company with ten employees:

Role | Responsibility | Person(s)
Owner | Handles everything, including employment, accounts receivable and information security. | Martin Smith
Store manager | Handles all tasks assigned by the business owner. | Victor Anderson
Information security manager | Reviews and updates the information security plan regularly; trains new recruits and refreshes every employee's information security training; audits employees and vendors for information security compliance on a regular basis. | Harry Lewis
Deputy store manager | Executes duties assigned by the store manager and delivers checks to the bank. | Michael Bruce
Store staff | Attend to customers, carry out financial transactions, and comply with the Information Security Plan and other company policies. | Many
Accounts receivable | Billing. | Business owner, store manager, bookkeeping service, CPA firm
Employment staff | Keep and transmit employment records. | Store manager and business owner
Computer helping company | Installs software, repairs computers, and consults on computer or security matters. | Computer Care And Learning
CPA firm | Audits financial statements and gives advice on financial issues. | (not named)
Bookkeeping service | Maintains financial records, prepares financial reports and issues bills. | (not named)
Business advisor | Gives advice on matters relating to the business. | (not named)
Legal counsel | Advises and represents the company on legal issues. | (not named)
Payroll service | Runs payroll as directed by the business owner and store manager. | (not named)

The metrics should be reported to the information security manager. Mendling (2008) concludes that metrics are about turning objectives into concrete activities and measuring organizational performance. Metrics are reported to determine how well policies, procedures and controls are working and whether the expected performance results are being achieved. A metric measures the status or effectiveness of a control; it does not measure the underlying risk that the control is meant to mitigate (Wilshusen, 2009).

Question four

The information security of a small internet commerce company with ten employees can be affected by various threats, which can be categorized as environmental or physical threats, natural threats, human threats and technical threats. Human threats include data entry errors or omissions: mistakes that overlook important information and can easily affect the system's resources. The most common data entry errors in such a company are failing to delete unwanted accounts such as visitor accounts, allowing unauthorized workers access to sensitive information, entering wrong values for sensitive data such as financial figures, which leaves the data inconsistent, and inconsistent spelling, which makes accurate reporting impossible (Whitman & Mattord, 2010). Carelessness is another threat to the company's information security. It significantly affects the confidentiality, integrity and availability of information and can be seen as unintended activity that degrades system performance.
The most common carelessness threats in a small internet commerce company are programming and development errors that leave software vulnerabilities, and erroneous operation of database synchronization procedures that introduces information errors, including deletion, entry and corruption errors. Environmental threats such as poor environmental conditions, electromagnetic interference, physical cable cuts and hazardous material accidents are easily identified threats to the company's information security. Environmental threats primarily affect availability, and integrity where equipment is damaged. Water leaking into a server room can damage equipment; excessive or inadequate humidity in the computer room threatens system reliability; overheating causes computers to fail. A hazardous material accident, normally an unanticipated spill of a poisonous substance, affects availability. Hazardous materials are those that are flammable, explosive or corrosive; cleaning an office with flammable products can cause a fire or explosion if they are spilled or not stored at the required temperature. Of the threats mentioned, the most likely to occur is carelessness, followed by data entry errors; environmental conditions and hazardous material accidents are less likely to affect the information security of a small internet commerce company (Calabrese, 2004).

Question five

Microsoft's security risk management process is a hybrid method that combines elements of qualitative and quantitative approaches. According to Microsoft, risk management is not a stand-alone process whose only value is letting organizations make better decisions; its main objective is to manage security risk effectively.
A further objective is to attach numeric values to the components of the most serious risks so that they can be compared. Because security risk management is ongoing, the cycle begins again with every new risk assessment, and how often the cycle recurs differs from project to project and from one organization to another (Whitman & Mattord, 2010). Microsoft defines four phases of risk management.

Assessing risk. This phase is similar to the first step of the OCTAVE method, identifying and prioritizing the risks facing the organization. It combines qualitative and quantitative risk assessment: the qualitative method is used to triage the whole list of security risks quickly, and the risks identified as most serious are then scrutinized in more detail with the quantitative method, after which a short list of the most important risks is produced (Whitman & Mattord, 2010).

Conducting decision support. This phase identifies and evaluates the controls available to the organization. Both quantitative and qualitative methods are applied, and cost-benefit analysis is considered (Whitman & Mattord, 2010). The phase involves:
- defining functional requirements;
- selecting possible control solutions, by outlining methods that can be used to identify mitigation solutions;
- reviewing the identified solutions, to understand how much each is likely to reduce risk;
- estimating the cost of each solution.

Implementing controls. The third phase is mitigation: the owners actually put the chosen control solutions in place.
Measuring program effectiveness. This stage verifies whether the implemented controls actually give the expected level of protection. Changes in the environment, such as new attack tools or new business applications, are also evaluated because they may change the organization's risk profile, and current controls are re-examined to see whether similar or newer controls would be more effective, since technology and security practice change frequently (Whitman & Mattord, 2010).

Question six

Estimating the probability that a threat will materialize in an information system is not always easy. The scarcity of frequency data makes it hard to estimate the probability of a threat occurring. Data that could help estimate the probability of an attacker gaining access to confidential customer information in a company's database is usually very scarce, often because the company has not collected enough information about such attacks. Collecting sufficient data lets an organization estimate the probability of a threat from the frequency of past occurrences, but companies normally find themselves with little occurrence data, which makes the estimate hard (Whitman & Mattord, 2005). Determining how many attacks have occurred undetected is always hard: many attacks on information security are never detected, so there is not enough information to estimate probability with frequency models. Establishing which events in an industry's existing data are comparable is not easy either.
It is not always clear, for instance, whether information about previous attacks in the banking sector applies to other organizations such as manufacturers. These factors make frequency-based probability estimation difficult and time consuming. Estimating the probability of a threat is also hard because people rely heavily on their own experience to make informed guesses about how likely attacks are: they guess at how an attacker is motivated, which types of attack can affect crucial assets and how the computing infrastructure is vulnerable (Garcia, 2005). Estimates can be made by applying both frequency and subjective probability in the risk analysis activities of the OCTAVE method, which uses three activities to estimate probability: describing the probability of threats to critical assets, developing likelihood evaluation criteria, and evaluating the likelihood of threats to critical assets. Describing the probability of threats to critical assets means collecting information on the factors that contribute to probability: whether the critical assets are probable targets of human threat actors, the company's historical data for each threat, and the motive, means and opportunity of each human threat actor. The probability evaluation criteria are then used to measure each threat and assign it a qualitative likelihood value (high, medium or low); the criteria express how often threats occur over a common time period. Finally, evaluating the likelihood of threats to critical assets means assessing the threat profile of every critical asset against those criteria.

References

Aloise G. (2010). Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities. New York: DIANE Publishing.
Autores V. (2011). Availability, Reliability and Security for Business, Enterprise and Health Information Systems: IFIP WG 8.4/8.9 International Cross Domain Conference and Workshop, Vienna, Austria, August 22-26, 2011, Proceedings. New York: Springer.
Brown C. P. (2008). Implementing SOA: Total Architecture in Practice. New York: Addison-Wesley Professional.
Calabrese T. (2004). Information Security Intelligence: Cryptographic Principles and Applications. London: Cengage Learning.
Garcia M. (2005). Vulnerability Assessment of Physical Protection Systems. Berlin: Butterworth-Heinemann.
Martin E. S. (2008). Freedom of Information: The News the Media Use. New York: Peter Lang.
Mendling J. (2008). Metrics for Process Models: Empirical Foundations of Verification, Error Prediction, and Guidelines for Correctness. Berlin: Springer.
Pijpers G. (2010). Information Overload: A System for Better Managing Everyday Data. New York: John Wiley and Sons.
Whitman M. E. & Mattord H. (2010). Management of Information Security. London: Cengage Learning.
Whitman M. E. & Mattord H. (2005). Principles of Information Security. London: Cengage Learning.
Wilshusen G. C. (2009). Cybersecurity: Continued Federal Efforts are Needed to Protect Critical Systems and Information: Congressional Testimony. New York: DIANE Publishing.
Source: https://studentshare.org/management/2078532-management-and-information-security
