Management and Information Security - Assignment Example

Question 1

In order to achieve full access control with respect to information security, two approaches are taken simultaneously (ProProfs, 2005): what the subject knows and what the subject has (ProProfs, 2005). The 'subject' in this case refers to the people against whom the measures to protect the information are taken. Under what the subject knows, the subject is required to know particular secret information that serves as a key for him or her to access information or information-holding facilities. These information keys include passwords, numeric keys, personal identification numbers (PINs) and/or codes, and secret questions and answers, among others (ProProfs, 2005). Every organization observes a particular protocol. Specifically, for information security purposes, each and every employee and/or stakeholder is issued with one of the named secret personal credentials and may be granted access to vital information as long as he or she meets the required criteria (ProProfs, 2005).

Considerations of what the subject has involve a physical perspective (ProProfs, 2005). All organizations have physical structures, or rather operational sites, where electronic and/or hard-copy information storage facilities are kept (Kayem, 2010). In this approach, employees and other stakeholders are issued physical entry devices that allow them access at particular times and at particular levels (Kayem, 2010). These physical devices include physical keys or membership cards, smart cards, and other physical tokens (ProProfs, 2005). Each recognized member of an organization is given his or her own devices to allow entry into the organization's buildings and/or compounds. Both approaches are simultaneously significant and serve to protect access to the organization's information and premises respectively.
In other words, the two approaches complement each other (ProProfs, 2005). The idea is to distinguish eligible members from strangers who might have malicious intentions that could adversely affect the organization in question. When the approaches are properly implemented, there is always a guarantee that the information being secured remains intact (Kayem, 2010). However, these methods may put information security efforts in jeopardy at any time. For example, in the first approach, passwords are no longer as reliable as they used to be during the initial stages of electronic technology development (ProProfs, 2005). There are various reasons for this, including the disadvantage of electronic technology being an absolute requirement (some organizations may not be able to afford it) and the compromise of simple and non-encrypted passwords through hacking. A similar case faces PINs: various banks and individuals have lost money through the replication of access PINs and passwords by malicious hackers (ProProfs, 2005). Secret questions and answers are mainly used on premises that have not adopted electronic technology for security, or on individuals who, whether or not they hold the named access credentials, appear to be strangers or suspicious.

Equal but somewhat dissimilar risks face the use of physical keys for access. Physical keys in a particular company are most of the time similar and may easily be replicated (Kayem, 2010). Similarly, if they fall into the wrong hands, they may be used maliciously, and this poses a danger to the organization. Membership cards are mostly worn, and they are highly replicable (Kayem, 2010). Smart electronic cards are more complicated because they require a hidden code, but again hackers are known to replicate them. Literally, physical keys are the more dangerous because once they fall into the wrong hands, they give direct access (Kayem, 2010).
The complementary nature of the two approaches must be taken seriously into account when establishing security. For example, even where a person has a physical key to the premises, guarding and thus the questioning of suspicious faces (Kayem, 2010) would heighten security levels. Similarly, a combination of a smart card, a thumbprint reading and/or facial recognition would make security more sophisticated and thus highly reliable (Kayem, 2010), especially when highly classified information is being protected.

Question 2

The ISO 27001 Information Security Management System recommends a procedural approach to establishing proper security for an organization's information (ISO 27001 Certification, 2012). The procedure involves various stages considered the most appropriate for this role. These stages are: identification of gaps in an organization's security efforts, risk assessment, system design and testing, new system implementation, and training (ISO 27001 Certification, 2012).

Identification of gaps is a comparative approach that measures the level of compliance and the efforts employed against a set control level (ISO 27001 Certification, 2012). Unknown to many organizational leaders, security of any form has never been complete. Before deciding to introduce a new security system, it is critical to determine the level of performance and the corresponding efficiency and efficacy of the existing security system in an organization. This serves to provide the most appropriate angle of approach to the organizational security system. At the same time, identification of gaps may serve the economical purpose of identifying where large amounts of resources may be used effectively, which is essentially making wise use of the available resources (ISO 27001 Certification, 2012). As a matter of fact, it serves no purpose, for instance, to invest in areas where security is already sufficient.
Risk assessment means identifying the assets that may be at risk (ISO 27001 Certification, 2012) and the financial obligation in this context. Importantly, there is a need to identify the specific assets that require protection and the level of protection required. Obviously, the size of the organization and the corresponding security requirements for particular assets are important factors in this role. Small businesses require relatively lower levels of security systems than large organizations do. This is partly due to the limited financial capability to run high-level (and thus costly) and large security systems, and partly due to the security assets possessed (ISO 27001 Certification, 2012).

Testing procedures are recommended to determine the vulnerability of the security (ISO 27001 Certification, 2012). The measures are basically the vulnerability and penetration levels (ISO 27001 Certification, 2012) of both the current system and the proposed changes to it. The testing of the proposed intervening security system is done to determine its effectiveness (ISO 27001 Certification, 2012).

Implementation of the proposed security system is guided by the set control levels that a particular organization's security system must always meet. Important here are the determination of the capacity and the obligation of the organization to sustain the security system adopted. Implementation involves procedures such as document control, record control, policy requirements, management review, security objectives, internal auditing, corrective action and incident management (ISO 27001 Certification, 2012). Training procedures are also recommended to adapt to new and high-level security systems.

On the contrary, according to the U.S. Department of Commerce (USDC) (2009), the National Institute of Standards and Technology (NIST) documentation recommends rather direct and specific requirements for an effective security system.
These include: audit and accountability, authentication, awareness and training, biometrics, contingency planning, encryption and general IT security, incident response, maintenance, and personal identity verification (USDC, 2009). There are no specific considerations for the size of an organization, but rather flat and generalized criteria. The recommendation is that security systems must measure the indices of the above qualities (USDC, 2009). Both NIST and ISO 27001 recommend international standards but do not have the authority at national level to penalize (USDC, 2009) organizations that do not reach the recommended levels of corporate standards control. Similarities between the criteria set by ISO 27001 and NIST are the need to perform audits, the ability to maintain and improve the adopted security system, and the training of an organization's employees to utilize well and improve the specifications and standards of security systems.

Question 3

The process of measuring the efficiency, or rather the success, of the implementation of a working information security program involves a number of processes. First is the process of developing a strategy to measure the required level of satisfaction from a security system (Pointlane, 2010). The process is complex and starts with an insight into the organization's prime mission (Pointlane, 2010). Generally, an organization's mission is stated in general form. There is an evident challenge in determining the scoreboard for security levels with reference to the mission of the organization (California Office of Information Security and Privacy Protection [COISPP], 2008). The main problem is that the chances of, say, employees breaching information are continuous and exceedingly dynamic (Pointlane, 2010). Similarly, it is not easy to infer that the security of an organization is sufficient, given the many threats emerging daily at different levels.
For example, while an organization may feel secure after the successful issuance of personal password codes, hacking threats open up (COISPP, 2008).

The second recommendation for ensuring the successful implementation of a security measurement strategy is the development of a security policy (Pointlane, 2010). This policy is intended to guide employees and other stakeholders on the line of ethics and the necessity of reducing threats to the security of an organization (Pointlane, 2010). Generally, the success of a policy depends on ingredients such as ensuring that the workforce and the community value maintaining high security levels for the best operation of an organization, resources, and rewards and penalties. The process of locating a point where a combination of these requirements would determine success is partly interfered with by the policy itself and the flexibility and skilfulness of the acting leader of an organization (COISPP, 2008), and partly by a lack of the resources required for needs such as training and rewarding. But many leaders of different organizations fail in these roles. Similarly, it is not quite definite to which level the company requires security. According to Pointlane (2010), the development and growth of enterprises are very tightly connected with an increase in the company's IT infrastructure, the complexity and scale of which are constantly growing, generating new forms of threats, vulnerabilities and risks, which influence the activity of the organization. It is not right to depend solely on the IT sector for the entire implementation and measurement of the performance of an organization's security system, as many organizational leaders do (COISPP, 2008).

The third recommendation for leaders is to establish visible control over the awareness index of the workforce regarding the working security policy (Pointlane, 2010).
Many leaders have failed to underpin the necessity of organizational security right at the point of hiring new employees (COISPP, 2008). This results in an unequally informed workforce in terms of awareness, and thus differing outcomes. Here, the major problem being emphasized is the role played by incompetence in management, which translates into shaky bases on which to analyse the effectiveness of a security system (COISPP, 2008) in a rational way. A low financial base and unwillingness to establish programs to train employees (COISPP, 2008) working in the security sector undermine rational conclusiveness about the implications of the prevailing security system. Similarly, the different levels of commitment and discretion of various employees at different levels, except in organizations that run by means of a computerized system and the tracking of misconduct (COISPP, 2008), offer a platform on which it is difficult to determine who defies the security policy and when he or she does so.

Another suggestion is the establishment of control over vulnerabilities as one of the gateways to determining the level of performance (Pointlane, 2008). When the leader of an organization successfully detects and fixes weaknesses and loopholes in time, this is an indication of the success of the working security system. But often, many leaders do not even set aside resources to respond to such incidents, and hence failure.

Question 4

For any kind of business, threats to information security are common, and it serves the best interest of the manager to consider ways of keeping various threats at bay (COISPP, 2008). A small internet commerce firm certainly faces internet-borne threats (COISPP, 2008). Arguably, the small number of employees may suggest a selection of the most qualified workforce. The following list of threats may surround this kind of firm.

Human Error

Any business may become subject to human error at any given time (Whitman, 2003).
This may occur in the form of failure of the management or of the workforce (Whitman, 2003). Failure of the management may include buying poor-quality working utilities such as computers, their various hardware components and software, and also a lack of proper security systems (Peterson, 2010). Failure of the workforce may take the form of both intentional and unintentional accidents and mistakes, such as giving away classified business information, physical damage to assets, and unwarranted manipulation (Peterson, 2010) of classified data. Again, errors such as compromises of intellectual property, including piracy and copyright infringement, may occur (Whitman, 2003).

Trespass

Employees may also be determined to access unauthorized data and website pages (Whitman, 2003). According to Whitman (2003), this may include trespassing, impersonation, blackmail over information disclosure, vandalism and so on. Classified business information may then be transferred, damaged or altered, which could prove devastating for the management.

Theft

Employees or other external illegal associates may be involved in the illegal confiscation of equipment and/or vital information (Whitman, 2003). The failure of the management to install proper surveillance and workplace discipline may lead to such acts. This notwithstanding, malice among employees is not uncommon. While some maintain a high level of discipline and workplace ethics, others are often tempted to take advantage and confiscate private property unsuspected. Therefore, surveillance must be continuous.

Deliberate Software Attacks

If proper security cover is not put in place in advance, software attacks may prove the main form of threat to internet commercial firms. Malicious software programs are deliberately released on various web pages and, upon, say, download or simple access, malicious programs such as viruses, worms and macros may corrupt or damage various computer data permanently (Whitman, 2003).
Defensive software programs such as anti-virus need to be in place in advance to prevent such scenarios (Peterson, 2010).

Forces of Nature

These are natural threats, which include things like earthquakes and lightning (Whitman, 2003), among others. These are unpredictable.

Unreliability of Service Providers

Internet connectivity and power supply are inseparable for internet firms. Lack of either could lead to an immediate halt in production (Whitman, 2003). There is thus a need to work with reliable power and internet service providers for success.

Failure of the Equipment

Computers sometimes fail like any other tool (Whitman, 2003). This may be due to poor-quality computers or rarely updated operating programs, among other technical errors (Whitman, 2003). Sometimes an excess workload (Peterson, 2010) on computers may lead to immediate shutdown, and this means the shutdown of associated activities as well. Technological obsolescence (Whitman, 2003) may be another cause, or may cause a slowdown of vital business activities.

In terms of rank, deliberate software attacks are certainly the most threatening (Whitman, 2003). This is due to the daily exposure to unseen dangerous software via the internet. Human error, failure of equipment and unreliability of service providers would rank second, depending on the skills of the management and the regional level of technology. The latter three are both highly possible and, together with software attacks, may happen daily. Theft and trespass would follow. These are rare in highly supervised settings but could turn dangerous in the opposite case (Whitman, 2003). The forces of nature may be equally dangerous, especially in specific prone areas. However, these are unpredictable, and thus collectively they may be assumed rare and less likely.

Question 5

Microsoft Risk Management Approach

Microsoft has been one of the most developed businesses in the world. It has had a good reputation ever since it started its operations in 1975.
According to Boyer (2012), the company currently operates in over 107 countries worldwide and is therefore, in better terms, a multinational entrepreneurial investment. However, the road to success has not been without various challenges. Boyer (2012) says that the success of Microsoft has involved complex cash and risk management requirements plus the diverse, fast-changing nature of its business. Most importantly, Microsoft has thrived using its strict privacy policy. According to Boyer (2012), Microsoft Treasury has been strongly committed to effective, practical risk management so as to protect the business and its various shareholders. In what may be termed accountability to all stakeholders, Microsoft's business policy has prioritized privacy alongside high-quality computer products (Boyer, 2012). The workplace culture has taken a conservative (Boyer, 2012) tone, and this means that even the workers are resilient and secretive.

The Four Phases in the Security Risk Management Process

The process of security risk management takes four phases. These phases are: assessing risk; conducting decision support; implementing controls; and measuring program effectiveness (MCSE MCITP Certification, 2012). According to MCSE MCITP Certification (2012), these four phases summarize the Microsoft security cycle.

The first phase, assessing risk, is done to identify and prioritize the risks that are likely to face a particular business (MCSE MCITP Certification, 2012). Data collection plans are made to determine areas of concern that may attract particular risk types. After this, the possible process of collecting and analysing the data is suggested. Then the expected risks are characterized in terms of quantity and quality (MCSE MCITP Certification, 2012). This is to ensure that the data collected will be useful and will make analysis possible.
In the second phase, conducting decision support, the requirements for remedying the identified risks are determined, whereupon the possible control solutions are hypothesized and laid down. The hypotheses serve to control the process and also assist in future audits. The prepared solutions are reviewed so as to draw a feasibility relationship. Estimating the achievable risk reduction and the possible cost then follows. A mitigation strategy is then laid out, whereupon a complete cost-benefit analysis is done. The main idea is to determine the most economical yet effective remedy to adopt (MCSE MCITP Certification, 2012).

The third phase involves implementing the controls. The function of the strategist in action is to integrate the workforce, the process and the technological inputs available to carry out the entire process successfully. This is called the integration of all the required resources to a common purpose. Then the strategist must organize the implementation of the entire process (MCSE MCITP Certification, 2012).

The final phase, measuring program effectiveness, involves performing a complete audit of the entire security risk management process (MCSE MCITP Certification, 2012). The performance index of the process must be precise and indicative of the performance. For example, the strategist may develop a performance scorecard (MCSE MCITP Certification, 2012). After an audit, the failures recorded need to be revisited so as to seal various loopholes (COISPP, 2008).

Questions of Concern

Throughout the security risk management procedure above, and in recognition of rapidly changing technology, why has there been no inclusion of ways to handle near-future risks in anticipation of the adoption of new technology by, say, a firm? Why has the process not addressed the consideration of long-term goals, maintenance and sustenance of a successful security risk management program?
While appreciating the fact that all the current undertakings are meant for both current and future conditions, would it be significant or not to consider including long-term goals, maintenance and sustenance strategies in the current plan?

List of References

Boyer, P. (2012). A Practical Approach to Risk Management at Microsoft: An Interview with Patrick Boyer, Group Manager, Treasury Controllers Group, Microsoft Treasury. Retrieved 22/09/2012 from http://www.treasury-management.com/article/4/128/1116/a-practical-approach-to-risk-management-at-microsoft.html

California Office of Information Security and Privacy Protection (COISPP). (2008). Information Security Program Guide for State Agencies. Retrieved 22/09/2012 from http://www.cio.ca.gov/ois/government/documents/pdf/info_sec_program_guide.pdf

ISO 27001 Certification. (2012). ISO 27001 Certification Support. Lunarline. pp. 1-3.

Kayem, V.D.M. (2010). Advances in Information Security: A Presentation of Access Control Methods. pp. 11-18.

MCSE MCITP Certification. (2012). The Four Phases of the Microsoft Security Risk Management Process. Retrieved 22/09/2012 from http://www.vibrantbootcamp.com/mcse_notes/techsol/The%20Four%20Phases%20of%20the%20Microsoft%20Security%20Risk%20Management%20.htm

Peterson, R. (2010). Threats to Your Information Security. Infosec Island. pp. 1-6.

Pointlane. (2010). Development and Implementation of Information Security Management Processes. Retrieved 22/09/2012 from http://www.pointlane.com/process/

ProProfs. (2005). Access Control. Retrieved 20/09/2012 from http://www.proprofs.com/mwiki/index.php/Day_2:_Access_Control

U.S. Department of Commerce (USDC). (2009). Guide to NIST Information Security Documents. Retrieved 22/09/2012 from http://csrc.nist.gov/publications/CSD_DocsGuide.pdf

Whitman, M.E. (2003). Enemy at the Gate: Threats to Information Security. Communications of the ACM, 46(8), pp. 91-95.