The Necessity of Information Security in Modern Organizations - Term Paper Example

Information Security Graciela Campbell MGT327 Dr Angelia Williams  September 7, Information Security (Information security components, 2009) Nagarajan (n.d) has mentioned that credit card information of 40 million customers stolen till now and BPO scams can happen anywhere in the world. Moreover he also pointed out that “European companies to splurge on BPO services “Spend on financial services` Back office, procurement& customer care to rise to $ 35 billion by 2011” (Nagarajan n.d, p.1). The above information point towards the huge dimensions of the information security related problems we are facing now. The term Information security refers to the protection of information and information systems from unauthorized access. Based on the nature of the information, we can classify information into two board categories; private and public. Public information are open to anybody since it may not cause any harm to the public and hence it is not necessary to protect it whereas private information are intended for a specific group of people and hence it should be protected from unauthorized use. Private information can be manipulated, modified or misused in many ways for personal gains and such manipulations may cause immense problems to others and hence it is necessary to protect it from unauthorized use. Most of the current organizations store their information on computers. Staff details, client lists, salaries, bank account details, marketing and sales information etc are currently stored in the computers. If this volatile or sensitive information come in the hands of the competitors, an organization may suffer a lot. So, most of the organizations are currently spend enormous amount of money for information security. This paper briefly analyses the necessity of information security in modern organizations. Necessity of information security in modern organizations Computers, peripherals and networks are essential equipments in modern organizations for the communication and data/information storing purposes. No organization can survive in the current world without using computers and internet. But the major disadvantage in using computers for storing information is the possibility of leakage confidential information. There are people who accepted hacking as their main revenue source and they are capable of breaking the firewalls created for the protection of the information stored in a computer. It is easy for a hacker to break the firewalls and plant viruses inside a computer apart from taking out all the information he or she wants. Earlier information security solutions mainly focused on preventing the external threats. But currently organizations realized that internal threat is as important as the external threats. The employees can easily export sensitive company information through emails. “Many companies simply do not have the resources or appropriate policies in place to identify NPI and PII and avoid inadvertent, accidental mis-steps or malicious actions from within”(Kazeon Data Security solution, 2010). The employees of an organization can easily change the usernames, passwords etc and moreover they can reveal the sensitive company information to the competitors also. Apart from these, an employee can deliberately destroy the data stored in the company computer. The following incident point out how an employee can spoil the information stored in an organization’s computer. Makwana worked as a contract UNIX engineer at Fannie Maes office in Urbana, Md., from 2006 until he was fired on Oct. 24, 2008. Five days later, a Fannie Mae senior engineer discovered a malicious script embedded in a routine computer program. An investigation of computer logs, Makwanas laptop and other evidence showed that Makwana had transmitted the malware the day he was fired. The malware was designed to activate on Jan. 31, spread throughout the companys network and destroy all data (Former Fannie Mae contractor convicted in data destruction scheme, 2010) Even though computer can outperform human in many ways, it cannot operate without a humanly control. The human who controls the computer determines how the computer should be performed. In other words, even if an organization was able to store information secretly in a computer, human support is necessary for the organization to recover such secretly stored information. If the human who is working on a company computer have wrong intentions, then there is no guarantee for ensuring the safety, privacy and confidentiality of an information. Network security is a vital component in ensuring enterprise security. Network architecture, software and policies, VPNs, device management, network prevention and intrusion detection, wireless security etc are some of the elements which should be controlled properly to ensure the network safety. Nagarajan (n.d) has mentioned 9 principles or approaches for organizations to ensure the safety of their information. In his opinion, reviewing the principles given below will help an organization to formulate strategies for the information protection. CEO`s have an annual information security evaluation conducted, review evaluation results with staff and report on performance Organizations should conduct periodic risk assessment of information assets as part of risk management program Organizations should implement policies and procedures based on risk assessment to secure information assets Organizations should have a security management structure Organizations should plan and initiate action to provide adequate information security for networks, facilities, systems and information and test regularly Organizations should provide information security awareness, training and education to personnel Organization should create and execute a plan for remedial action to address any information security deficiencies Organization should develop and implement incident response procedures Organizations should use security best practices guidelines, to measure information security performance (Nagarajan, n.d) New security threats are developing every day against the information security because of the hardworking hackers and antisocial elements. So, it is important for the organizations to update or review their security related issues and policies periodically to defeat the efforts of the hackers and competitors. The organization should provide enough training to employees regarding the information security related matters as many of the information were leaked not because of the deliberate attempts of the employees, but the lack of knowledge of the employees about the procedures necessary for the information protection. Intruders or competitors can influence the employees in many ways and the employees should be aware of such modern tactics in order to defeat the attempts of the hackers or the competitors. To be most effective, information security must be integrated into the system development life cycle (SDLC) from system inception. Early integration of security in the SDLC enables agencies to maximize return on investment in their security programs, through: Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation; Awareness of potential engineering challenges caused by mandatory security controls; Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; and Facilitation of informed executive decision making through comprehensive risk management in a timely manner (Kissel et al, 2008). Conclusions Information security is topic of growing concern for the current organizations. The convenience and facilities provided by the computers and internet is unavoidable for the growth of an organization, but these modern equipments offers many challenges to the organizations in protecting the information stored because of the human involvement in controlling the to and fro movement of information from the computers. The internal threat for information security is as important as the external threats. So, an organization should devise specific strategies for countering both internal and external threats against the information security. References 1. Former Fannie Mae contractor convicted in data destruction scheme. (2010). Retrieved from http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1521538,00.html 2. Information security components. (2009). Retrieved from http://commons.wikimedia.org/wiki/File:Information_security_components_JMK.png 3. Kazeon Data Security solution. (2010). Retrieved from http://www.kazeon.com/solutions2/data-security.php 4. Kissel R., Stine K., Scholl M., Rossman H., Fahlsing J. And Gulick J. (2008). Security Considerations in the System Development Life Cycle. National Institute of Standards and Technology (NIST). NIST Special Publication 800-64 Revision 2 5. Nagarajan (n.d). Information Security Governance: What, How and Why of IS Security. Retrieved from http://www.intosaiitaudit.org/muscat/India-Information_Security_Governance.pdf Read More