Information Security Issues - Essay Example

Summary
The paper "Information Security Issues" discusses that as technology keeps evolving, organizations will be swirled in the information security tornado. Based on the above specifications and methodologies, it is essential to implement various security management principles…
Extract of sample "Information Security Issues"

Information Security Issues Intertwined with Newer Technologies at Organizations

Word Count: 2958

Contents of the Report:
Introduction
Security Issues
Security Management
Security Management and Responsibilities
Security Assessment
Security Planning
Security Implementation: Administrative Policies
Summary of the Report

Introduction

Information technology is evolving at a fast pace and has set new trends in the generation of computers. This trend has absorbed various technologies that improve the lifestyle and business dealings of every individual. As the technology advanced, it brought with it technological issues such as information security risk. The security risks involved with the various information systems need to be addressed in order to improve the performance of the organization in the dynamic global market. Managing information security risks and implementing methodologies to mitigate them is a growing challenge in the field of information technology. The battle is on to find efficient ways and design methodologies that can analyze the security risks and implement the appropriate mitigation solutions. Every event or technique involves various technologies that speed up the business processes, but these are also prone to increased risks of computer intrusion, fraud, disruption and many more.

Security Management

A successful organization relies not only on finding innovative solutions or products but also on the effective implementation of those solutions. Here, technology plays a major role, as technological developments can make implementations simpler and provide a wide range of choice. But the question arises as to which is the right choice. This can only be answered by thorough research on the cost, stability and reliability of the technology to be used (Walsham, 1993).
The Information System of the firm should be able to process this task by taking the external (technology functionality) and internal (business environment) entities into account. Thus, the understanding and integration of technological innovations plays a key role in the modeling of any Information System to support the business goals and strategies. The organization has to analyze all the possibilities and provide the solution that is technologically stable and cost-effective to implement, maintain and modify in future.

Security Management and Responsibilities

Data Owner

Each Line Department of the company with its own computing facilities will appoint a senior member of staff as Data Owner. Those systems which are operated throughout the company should also have a designated Data Owner. Data Owners across the company will be advised by the Head of Information Compliance and Policy. With the existing systems, advice is available to help Data Owners meet their responsibility in complying with the Information Security Policy.

Systems Development

All systems must comply with the main IT strategy developed for the company by the IT team. Mark Walker, a senior systems analyst, states that an IT strategy is the single most crucial factor for the success of an organization dependent on IT for its operations (Walker, 2000). All system developments must include security issues in their consideration of new developments, seeking guidance from the Head of Information Technology.

Management Responsibilities

The management plays the most important part in building a successful IT infrastructure (Royce, 1998). Management's responsibility goes beyond the basics of support. They are the ones responsible for setting the tone for the entire security program. Generating awareness is the most important activity of the management. The management must instruct the staff on their security responsibilities.
Managers should determine the authority of individuals with respect to access to specific information systems. The level of access to specific systems should be based on job function need, irrespective of status. The aim of management decisions must be to minimize the risk of exposure of the company's systems to fraud and breaches of security.

Staff Responsibilities

Although the management is responsible for setting the tone of the overall security program, it is the staff who actually use the IT systems who are responsible for implementing security in their departments. Each staff member must ensure that information security is not breached under any circumstance as a result of their actions. If any breach of security is identified, the staff must report it to the appropriate officials so that security can be restored without any damage.

Security Assessment

Sharing Data with Branches and other Companies

An organization might work with several partner companies on a daily basis in most of its domains. Apart from partner companies, the organization might constantly share data between its numerous branches. Data of high sensitivity has to be shared between the branches of the organization. This information enables the branches to keep each other updated on production, sales, managerial decisions, issues and any other relevant updates within the company branches.

Sharing Data with Non-Partner Companies

A company receives regular requests for personal data. Organizations and individuals requesting such information include worldwide users who access the company's publicly available website hosted on the Internet. Others are insurance companies, banks and solicitors. Whilst such requests may be legitimate, the company needs to ensure that the use of such information is not abused and is in line with all the data protection acts. No information about an individual shall be released without the individual's prior consent.
Securing the Flow of Information

To ensure that the company uses electronic, postal and verbal communications appropriately and securely, the following guidelines will have to be borne in mind. The company must hire third-party specialist security professionals to audit its networks for security. Email should be used according to the conditions described. Use of the Internet may be monitored.

Assessment of potential risks to IT security is the cornerstone of a successful IT security framework. Considerable time and money must be invested in assessing the potential risks. Unless all the potential risks are known, the company cannot proceed to mitigate those risks. Although all elements of risk management are important, risk assessment provides the foundation for all other elements of the mitigating process (GAO, 1999).

Security Planning

Risk of Data

Data is the most crucial asset of a company. Organizations today produce tons of data on a daily basis that need to be stored, transported and represented in a secure manner. Remote Data Backups Inc, a leader in data security, mentions the following possible reasons for threats to data (RemoteDataBackups.com, 2007): hard drive failures, viruses, system changes, power failure, media degradation, human errors and natural disasters.

Risk of Computer Crime

A computer crime, or electronic crime, is an illegal activity in which a computer, or often a network, is what is seriously affected by the crime (Jacobson, 2002). Basically, all such criminal activities have a detrimental effect on various parts of the field of information technology and its infrastructure. These include unauthorized access, interception, illegal transmission of data to or from a computer (interruption), interference with data or systems through damaging, alteration or deletion of data, forgery, misuse of devices, and the list goes on.
(Ronald, 2002) This general listing can be categorized as: theft of data transfer, unauthorized access/misuse of computer time, theft of output, forging desktop, and intentional false programming. Apart from these, other computer crimes associated with a business organization include spamming, spoofing, theft of intellectual property and materials, and spreading viruses/worms (Ronald, 2002).

Risk of Viruses

The biggest security risk for any business is that of a virus infection. A computer virus is a software program that can copy itself without intervention from the user or any other person (Eric, 2005). However, the virus might modify itself or its copies. A virus generally spreads over a network when a user carries files from an infected system to an uninfected system through floppies, compact discs, USB drives or the Internet.

Risk to Company Networks

Primarily, the company's networks can be classified based on the level of access. These are access at the company's Intranet level, access to the company's information at the Extranet, and access to the public Internet.

Intranet

This can be defined as a personnel network of the organization. It uses the Internet Protocol and uses network connectivity to share the details of the company with the employees (Randy, 1997). An Intranet provides many advantages to the organization: it provides a competitive edge over competitors, enhances productivity, reduces the net time taken by any activity, improves communication and facilitates business operations and decision making. However, it poses a considerable threat with respect to the integrity, reliability, availability and security of data. Both Intranets connected to the external world through the Internet and those without an Internet connection pose risks. In the former case the sensitive information of the organization runs in the Intranet.
This, when connected to the Internet, invites hackers, crackers and criminals to steal the sensitive data (Randy, 1995). A lack of proper security policies and improper security planning in most companies leads to significant damage to private data. Improper authentication systems and static passwords are of no use as a shield against external attacks. The use of naive firewalls that have low resistance eventually ends up exposing all the information of the company. Spoofing and identity theft are common risks associated with an Intranet connected to the Internet. An Intranet connected through the Internet will be prone to attacks from viruses, Trojans, worms and even salami attacks to a great extent. Leakage of private data within the organization, knowledge of passwords and other credibility issues are common here.

Extranet

An Extranet is a private network similar to an Intranet; it works using the Internet Protocol and also renders its services to customers and suppliers (Victor, 2002). That is, it provides the company's information to its customers, suppliers and others. An Extranet can be simply thought of as the part of a website that only registered users can see. Apart from the threats that the Intranet poses, the Extranet has other risks too. Improper authentication systems and static passwords at the customer's end make it easy for crackers to break into the system. Crackers can fool the server by pretending to be customers of the organization, and they can also pretend to be the server and interact with the customers to collect information from them. Information between the server and the end user is easy to intercept, as most of the time the data is not encrypted. Hijacking of the customers and pretending to be servers themselves is a commonly found attack in this case (Victor, 2002). Lame firewalls provide open highways to restricted portions of the company's information.
Denial of service to the customer by pretending to be the organization itself is a risk associated with Extranets.

Internet

A publicly accessible interconnected network of networks is known as the Internet. It uses the standard Internet Protocol (Lech, 2000). There are millions of users of the Internet, and the spectrum of its users ranges from domestic users and government bodies to many business organizations. Various applications such as e-mail, chat applications and file transfers have made the lives of millions easy (Lech, 2000). As it is a publicly available network, the risks associated with the Internet are greater.

Risk of virus attacks: Employees browsing the Internet are lured by attractive ads on certain web pages that automatically gain access or download .exe files onto the host systems. This is how viruses attack the computer. Trojans and malware are introduced in a similar fashion. Logic bombs are special programs that have an intention behind them. They drop into the system with other executable files when downloaded and cause deletion of data/records and malfunctioning of the system.

Risk of access to sites that capture information about the host computer: Simple scripts run and get downloaded onto the desktop of the host system, providing crackers with information such as static IPs and the passwords to the restricted areas in the private network. It is also very difficult to recover from the damage caused by them (Lech, 2000).

A lack of proper protection for the Internet connection paves the way for all the above-mentioned risks. Spam and other material that unnecessarily occupies the memory of the system, a lack of proper authentication systems, and browsing and exchanging data with insecure sites that do not use the HTTPS protocol are a few of the risks associated with access to the public Internet.
Security Implementation: Administrative Policies

The most essential point to be noted after a loss or problematic attack is to mitigate the catastrophic consequences of the attack. Immediate action needs to be taken to prevent further damage to the confidential information of the company. In this technological world, information is the most crucial asset for any company. As there might be business deals, such as tenders being assigned to companies over the Internet, there needs to be a proper setup to protect the confidential data pertaining to the company. The administrative policies of the company have to be formulated to address all the issues that arise due to an attack. The issues covered here involve risks ranging from mild to critical attacks. These policies involve the administrative area as a whole, which, when broken down, includes every area of the company that deals with information systems.

There are various effects associated with the information security risk pertaining to a particular company. Information security risks are broadly classified into the prominent risks. Risks can have varying effects, which can be differentiated by the intensity they have over three major clusters. We shall now analyze each individually: (i) the customers associated with the organization, (ii) the employees of the organization, and finally (iii) the organization as a whole.

Customers associated with the Organization

The customer plays a most crucial role and has a very high impact on the success of the organization. The company makes a profit from the number of contacts it establishes with customers. The customers perform numerous transactions on a daily basis. All the business transactions are executed online.
There are various executions being carried out every second, so the information related to the various account types needs to be stored immediately and the data needs to be updated as soon as possible so that the changes are available to the various customers spread across the globe (IPM, 2006). The following are the fundamental issues relating to the individual customers associated with the organization who might be affected. The data regarding the business transactions that they have executed is lost or misplaced. This brings a lot of chaos into the history, leaving the customers with no clue about the various business transactions that took place in the past. If the customer is not satisfied with the various services provided by the company, then the customer might well not wish to associate with the organization in future. This can lead to the closure of numerous business transactions in the specific organization. If the number of closures increases, then the reputation of the organization goes down in the market, which will in turn affect new customers' relationships with the company.

Employees of the Organization

Employees are considered the main pillars of any organization. They are the strong base of the entire infrastructure on which the organization rests. Employees play such a crucial role in the success of the organization that all its various activities are executed by them. The security policy itself generates some discomfort among the employees currently working for the company. When a security breach takes place, all the employees are warned and asked to take up the immediate risk mitigation processes (John. L. Reuter, 2006). A risk authentication process is carried out, which is a threat to the employees if it mistakenly traces the origin of the risk to them. A security check might need to be performed, which causes a lot of inconvenience to the usual schedule of the employee.
This sort of reaction might well affect the employees' thinking and the level of honesty they have shown throughout their dedicated service to the organization. If the employees do not show enough interest and enthusiasm while they carry out the various tasks that they are assigned, it will affect the overall performance of the company. If the organization starts losing out on performance, then the market value of the organization starts declining in the market economy. This is a serious threat that needs to be taken care of immediately by the organization; otherwise it might eventually lead to the closure of the organization.

Organization as the Whole

Various factors affect the organization at various levels. The organization has to face a lot of competition to attain a certain position in the market economy. To attain an advantage over its competitors, the company has to perform excellently, and customer satisfaction makes a great impact on the overall reputation of the company. If a security breach takes place at a particular branch of the organization, it will also have a certain amount of impact on the other branches associated with the organization. Generally, customers do not tend to trust the organization if there are any bad experiences associated with it. The historic records of the organization make a great impact in attracting customers. Customer relationships make an impact equal to that of the employee retention strategy (RSM, 2007). The organization has to recover from its security issues as soon as possible so as to accommodate the tasks that have to be accomplished every day.

Summary of the Report

As the technology keeps evolving, organizations will be swirled in the information security tornado. Based on the above specifications and methodologies, it is essential to implement various security management principles. These guidelines support the successful functioning of the entire organization.
It is essential for the organization to implement a security policy that is most appropriate to the company's framework. Security policies enable the successful functioning of various IT tasks in the organization, which indeed enhances the performance of the organization in association with its partners.

References:

1) Eric Filiol (2005), "Computer Viruses: From Theory to Applications", p. 3.
2) General Accounting Office of the United States of America (GAO, 1999), "Information Security Risk Assessment: Practices of Leading Organizations", online article found at: http://www.gao.gov/special.pubs/ai00033.pdf
3) Hinrichs, Randy J. (1997), "Intranets: What's the Bottom Line", SunSoft/Prentice Hall.
4) IPM (2006), "Why is customer satisfaction important", research journal, Institute for Polling and Marketing.
5) Jacobson (2002), "Computer Crimes", American Criminal Law Review, Vol. 39, 273.
6) John. L. Reuter (2006), "Creating revenue in the last mile of connection to the customer", B2B Marketing magazine.
7) Lech Janczewski (2000), "Internet and Intranet Security Management: Risks and Solutions".
8) Mark Walker (2000), "The Importance of IT Strategy", Miller Freeman Inc, available at ProQuest Information and Learning Company.
9) RemoteDataBackups.com (2007), "Articles on Data Risks and Solutions", online web content found at: http://www.remotedatabackups.com/why/risks.htm
10) RSM (2007), "What are the emerging employee retention practices", Bank Notes: A timely Information and Idea statement.
11) Standler, Ronald B. (2002), "Computer Crime".
12) Victor K. (2002), "Complete book on remote access: Connectivity and Security".
13) Walker Royce (1998), "Software Project Management - A Unified Approach", Addison-Wesley Professional.
14) Walsham, G. (1993), "Interpreting Information Systems in Organizations", Wiley, Chichester.
Security Planning and Assessment Essay Example | Topics and Well Written Essays - 2500 words. Retrieved from https://studentshare.org/miscellaneous/1520182-security-planning-and-assessment