Security Plan- Human, Electronic Information - Essay Example

 With greater automation of business processes, the potential threats to the organization’s physical, human and electronic information holdings have also increased multi fold. To focus on threats to electronic information holdings first, there is no doubt that the frequency of computer related fraud and crime had grown in the past few years. One of the rampant and challenging problems is surreptitious access to an organization’s strategic information, upon which its competitive advantages lie. The particular threats vary slightly depending on the industrial sector of the organization. To take the example of digital media industry, the following observation by Craig Kuhl, points out the prospects and problems facing the industry in light of threat from piracy and copyright infringement: “The stakes are high: Worldwide online video revenue is expected to exceed $4.5 billion by 2012, up from $1.2 billion in 2008. And by 2012, according to In-Stat, 90% of U.S. households will have access to broadband, with 94% watching online video. An IMS Research study estimates that by 2013, 255 million TV households worldwide will be watching HDTV and the number of unique HD titles increased by 161% over the first six months of this year, and the number of on-demand orders jumped to 3 billion in 2007. Meanwhile, the Motion Picture Association of America puts annual losses to film piracy at a whopping $18 billion”. (Craig Kuhl, 2008, p.22) Surely, 18 billion dollars is a significant loss to an industry that is also vulnerable to several other risk factors. Threats of a similar magnitude are also identified with our organization. These threats to computer systems come in the form of viruses, worms and Trojan horses. The issue of financial and information losses from these software programs have reached such proportion worldwide that computer security is a $30 billion industry now. One of the leading players in computer security industry is McAfee, which has recently announced a revamp of its anti-malware technology in a bid to retain its leadership position in this segment. As part of the Security Plan, I intend to implement the McAfee security software to eliminate obvious threats in the form of viruses, worms, etc. Since our organization is increasingly moving toward dependence on technology for all its operations, it requires a robust security system to mitigate potential threats. Let us now discuss in detail the threats posed by software such as Viruses, Worms, Trojan Horses, etc to our organization. These are malicious software that are designed with the intention of corrupting or disrupting the functioning of the target computer system. The attackers discreetly embed into sources of information such as hard disks and servers, with the intention of corrupting or manipulating the data. If a computer system is infected with any of this software, which are collectively called as malware, then information stored in its memory could be spoiled. There is a new variant in malware software called sypware, which attacks vulnerable computer systems not so much to corrupt data as to access important and confidential information, which could later be misused. A virus is a malicious program that attaches itself to a program or file in a computer so that it can spread to other computers when copied to them. But worms differ slightly from viruses in that they don’t need help from human beings to transport them unawares from one system to another. A Trojan Horse on the other hand is more complex than viruses and worms. A Trojan Horse will appear to be a benign software program, but once opened will display its hidden intent, which is not so much to corrupt data as to annoy users by playing pranks with the desktop interface. Of course, there are some varieties of Trojan Horses which do damage the system. The other perceived threat to our organization’s functioning can come in the form of a denial-of-service attack. A denial-of-service (DoS) attack occurs when an attacker (also known as hackers) successfully break into a security system and prevent legitimate users from accessing information stored therein. This can cause total disruption to the functioning of the organization. By targeting the key servers and their supporting telecommunication networks, the essential information websites of the organization are made inaccessible. This means that frequently used services such as emails, online banking accounts, etc are denied access. The Denial of Service attacks come in a few variations. The most common of them is the “information deluge” attack, where an attacker floods a particular network with more information that it is designed to handle. This results in crashing or hanging the host server, thereby resulting in a denial of service. Whenever one of the employee types a website address in internet browser, this request to the server is intercepted by the attacker, who floods the server with copious connection requests. The host server, which is programmed to handle a certain volume of data is then overloaded and hence made indisposed (Brown & Sethi, 2008). At this point, the particular website being requested is not available for any of its other users as well, causing loss of time, money, network resources and frustration for the employee. In light of this significant threat, my security plan includes measures to counter such contingencies. Finally, one crucial source of threat to the competitive advantage of our organization can come from our competitors in their efforts to gather strategic information. In other words, Business Intelligence is the gathering of relevant information about a product, service, competitor, market, etc, which can help decision makers to initiate profitable business manoeuvres. It is also distinguished by the fact that all means of gathering information are within the legal bindings of business corporations. Industrial Espionage methods can also be employed, wherein the operation carried out is discreet and clandestine against a competitor, with the hope of gathering some vital information beforehand. The means of these Industrial Espionage operations are almost always unethical and if exposed, the perpetrators could be tried in court. For example, a beverage manufacturer might attempt to get hold of the secret recipe of a more popular beverage from a competitor. This could be an infringement on the patent rights and proprietorship of the particular recipe or formula and attempts to get access to this information is punishable under law. Provide an outline of the security policy guidelines for staff that describes a full range of protection measures: Data access security: As part of the Security Plan for our organization, I have perused the book by Michael Erbschloe, titled ‘Trojans, Worms, and Spyware: a computer security professional’s guide to malicious code’, for it provides “practical, easy to understand, and readily usable advice to help organizations to improve their security and reduce the possible risks of malicious code attacks” (Erbschloe, 2005). The book also contains practical suggestions for dealing with various types of malware. The threat to information systems of our organization posed by these malware have evidently not subsided. That is why “information systems security remains one of the more in-demand professions in the world today. Further, with the widespread use of the Internet as a business tool, more emphasis is being placed on information security than ever before” (Erbschloe, 2005). Disaster recovery: The following passages give a broad outline of the Disaster recovery and Business continuity program that I have incorporated as part of the Security Plan. While it is preferable to have tailor-made plans for a particular Disaster Recovery requirement, the following stages of planning serve as a general template. Stage 1: Project Initiation Activities Here, a general assessment of the existing and projected digital environment of the organization is made, so that the project team is later able to refine and adjust the scope of the project and the associated work program; draw project schedules; and identify and address any scenarios that might have an effect on the implementation of the recovery program. Stage 2 - Vulnerability Assessment and General Definition of Requirements In this stage, internal security and control of the organization are considered. It is preferable to focus on activities that have a mitigating effect on a possible disaster situation, rather than concentrating wholly on counter measures. In other words, this stage should ideally lead to measures that minimize the probability of disaster occurrence (Coleman, 1993). Stage 3:- Detailed Definition of Requirements During this crucial stage of planning, an outline of disaster recovery requirements is made, which will consequently be perused for analyzing alternative recovery strategies. This outline should ideally include hardware (mainframe, data and voice communications and user terminals), software (third-party as well as in-house), documentation, outside support (public access internets, etc), office infrastructure, human resources and other considerations. Time scales for the recovery strategy are also defined herein (Berenson, 2003). Stage 4 - Plan Development This is the most important stage of Disaster Recovery planning. In this phase, the constituent elements of the recovery plan are defined and plans documented in detail. This stage also includes “implementation of changes to user procedures, upgrading of existing data processing operating procedures required to support selected recovery strategies and alternatives, vendor contract negotiations (with suppliers of recovery services) and the definition of Recovery Teams, their roles and responsibilities. Recovery standards are also be developed during this phase” (Edwards, 2006). The last few stages of the Disaster Recovery plan are as follows: Stage 5- Testing/Exercising Stage 6 - Maintenance Stage 7 - Initial Plan Testing and Implementation Security breach notification: For proper enforcement of Data Security Breach Notification procedures on organizations that use unauthorized information, the Privacy Amendment Bill of 2007 represents a significant improvement on the Commonwealth Privacy Act of 1988 by introducing a requirement that organisations and agencies notify affected individuals/organizations of a breach of data security where their personal/confidential information is accessed by, or disclosed to, an unauthorised person, and for related purposes. As it is, the Privacy Act 1988 does not presently have a stringent requirement that makes it mandatory for agencies and organisations to notify affected individuals/organizations whenever there has been a breach in data security. As reported in an article in the Sydney Morning Herald this year, “the results of research conducted by the IT Policy Compliance Group which show that more than two-thirds of Australian organisations experience six losses of sensitive data each year. Further, the report states one in five organisations lose sensitive data 22 or more times a year. They include customer, financial, corporate employee and IT security data that are stolen, leaked or inappropriately destroyed” (www.privacy.gov.au, 2008) . In light of this threat to our organization, the Security Plan will try to comprehensively implement the updated Privacy Act in order to streamline Data Security Breach Notification processes. Distributed responsibility: The Security Plan has also taken into threats in the form of denial of service attacks, wherein when malicious spam emails are inadvertently opened by en employee; it will corrupt the user email account, putting in jeopardy confidential information. Email accounts provided by private employers as well as publicly accessible portals such as Yahoo or Lycos are equally vulnerable to such attacks. In either types of account, each user is assigned a maximum limit on the number of requests he/she can send to the mail server (Zhao, 2008). The denial of service attack occurs when this limit is artificially induced by the hacker. Hence, it has been decided to install special security features as part of this Security Plan to order to mitigate such malicious attacks. The idea here is to distribute the workload across several server stations so that when one server is clogged with service requests, others are able to continue serving legitimate requests. Personnel security: Security to Personnel can be interpreted as comprising their physical well-being and economic stability. A major threat to this security is the influx of illegal immigrants to Australian shores, thereby competing with legitimate citizens for their jobs as well as perpetrating subversive activities such as terrorism. While the government recognizes the genuine need to accommodate asylum seekers and other refugees, it is against illegitimate infiltration of foreign nationals into Australia. Cases of corruption in the immigration department have forced law-enforcement authorities to make use of state-of-the-art technology in citizen identification. According to the website of Department of Foreign Affairs and Trade, the ePassport initiative is in response to the numerous cases of identity fraud and fraudulent misuse and tampering of passports, etc that have been reported over the last decade or so. The Office of the Privacy Commissioner is a government agency that is responsible for maintaining confidentiality of citizen demographic information and health history. When the agency conducted an online survey a few months back, it found out that privacy is a major issue for net users in Australia. The concerns expressed by citizens include “a lack of transparency regarding the use and disclosure of personal information by websites, the tracking of an individual's activities at websites and concerns about the security of personal information in the Internet environment. It is widely considered that individuals need to trust that their privacy will be protected before they make significant use of the Internet for services such as Electronic Commerce and Electronic Service Delivery” (www.privacy.gov.au, 2008). As a result of this finding, the Office of the Privacy Commissioner has issued security guidelines for all Federal and local government websites in Australia. The National Archives of Australia (NAA) is another government body whose objective it is to inform citizens, public administrators and business owners about their legislative obligations in the area of content security. The Privacy Act and Electronic Transactions Act were particularly conceived to tackle the growing concern over misuse of government records in recent years. The Archives Act is also an important piece of legislation in that it empowers the NAA to preserve actual accounts of Australian history by keeping original de-classified documents. As part of the Security Plan for the organization, it is imperative that these legal safeguards for personnel security are properly enforced within the confines of the organization. Further, these new legislations and procedures for citizen identification will be adopted in employee identification processes, in order to make the Personnel security more robust. Physical security measures: The infrastructure of the organization can be subject to attacks. Although not very frequent, they can occur in a variety of business contexts, usually precipitated by the pursuit of huge financial stakes by competitors. The proposed Security Plan will seek help from Australian government agencies for coordinating security efforts. The government institution Australian Security Intelligence Organization (ASIO) plays a key role in protecting classified government records, as well as actively seeking intelligence from abroad to mitigate possible threats to the nation’s security. It also comes under ASIO’s purview to provide physical security guidelines for business organizations in Australia. Also, the ASIO endorses a list of Security Equipment for installation in government premises and corporate offices. These are essentially technologically advanced security systems that erect fool-proof security barriers against potential attacks. The Australian Institute of Criminology (AIC) is another organization that comes up with security strategies for tackling information theft, copyright infringement, protecting government records from misuse, etc. The guidelines suggested by AIC to thwart physical breaches of security are also being incorporated into the Security Plan. Risk Management: One of the important developments in the area of information storage has been the rise to prominence of Information Lifecycle Management (ILM). Proper implementation of ILM translates into sound Risk Management in practice. The Security Plan being implemented will take into account the potential risks at each stage of ILM and tries to minimize their occurrence. As more regulatory rules are made to govern its practice the number of instances of disaster recovery implementations will also increase. It is important that stringent security measures are applied at each stage of the Information Lifecycle. For example, in the initial assessment phase of ILM, information managers can peruse and apply storage resource management (SRM) technologies so that possible security risks can be taken care of. For the convenience of the managers, most of these tools also generate detailed reports outlining data usage patterns and frequencies of information security mishaps. In the next phase, the department heads, and the groups collaborate to understand data usage patterns come together to determine how this data will be used in a real business situation and how vital is its security to the strategic advantage of the business. In the classification phase, data is prioritized based on business requirements – for example, mission-critical, business-sensitive, departmental, etc) so as to “determine where data should live through its lifecycle and assist in creating policies to migrate data to the proper storage class over time. IT must work with department heads to set up a classification schema for the company” (Storesletten, 2004). By classifying data into logically disparate categories such as type, organization, age, value, etc, the security risk can be mitigated. In the automation phase, Software tools such as Automated Data Migration (ADM) can be utilized to automate the data migration process from “one storage class to another based on user-defined policies” (O'Leary, 2000). This tool will also help address common security issues at this stage of the ILM. Standards, Policies and Guidelines: The Security Plan will incorporate the guidelines and principles set forth by a set of laws that were enacted in Australia. One of the prominent sources of gaining access to these security legislations is through the official website of the Office of the Privacy Commissioner, wherein are articles describing in detail the evolution of the Federal Privacy Act. We learn from the article that the act contains a total of 11 Information Privacy Principles (IPPs) that are applicable to all Australian and ACT governmental agencies. Another interesting article from the same website deals with the National Privacy Principles, which is essentially a set of recommendations directed toward the private sector in Australia including such organizations as hospitals. The article also explain the regulatory functions of the Privacy Commissioner under other legislations such as the Telecommunications Act 1997, National Health Act 1953, Data Matching Program (Assistance and Tax) Act 1990 and the Crimes Act 1914, etc. Taking into consideration the imperative of information security standards in the digital age, the Privacy Commissioner’s website also contains information on topical IT and internet related issues that may have an impact on citizen’s confidential information. As part of its initiative to inform the citizens about precautionary security measures, the commissioner’s office has released a set of guidelines for handling workplace e-mails, web browsing and privacy. Information of a generic nature has been produced by this Office on how to protect privacy on the Internet and software tools are also provided for doing so. These guidelines and directives issued by the Privacy Commissioner come in very handy for this Security Plan and will be incorporated into the security manuals of the organization. Another interesting article in the website deals with the proliferation of uses of personal information issues, some of these have major implications for the privacy of individuals. For instance, the inherent limitations of paper-based systems provide a certain level of privacy protection. The Internet makes it easy to solicit and collect information. But the migration of records of personal information to computerized digital systems has made added additional risks to security while also providing a far greater range of uses. Other Security Measures: Another area of focus in this Security Plan is thwarting attempts of Industrial Espionage. Gillian Dempsey of AIC, in his discussion of trends and issues in Industrial Espionage, suggests a multi-pronged legal approach to deterring industrial espionage activities. For instance, in light of existing Australian legal safeguards against industrial espionage being considered inadequate, greater use of criminal sanctions, such as those recently introduced in the United States, might be appropriate. It balances a number of considerations, including deterrence, compensation and incentives to innovation, and cautions against uncritical adoption of overseas innovations. While suggesting that stricter measures are called for to thwart industrial espionage activities, author Gillian Dempsey adds that essential civil liberties of Australian citizens should not be infringed in the process. In conclusion, he says that a balanced approach is the best way forward: “A sensible compromise for Australia would be to combine an education program to create awareness of the potential for harm or loss with a federal codification and simplification of trade secrets protection. Federal codification would provide greater consistency as all other intellectual property measures (with the exception of passing off) are enacted under s.51(xviii) of the Constitution”. (Dempsey, 1999) Hence, fortification on the security systems front, as proposed by the Security Equipment Catalogue issued by the ASIO along with legal remedies in the form of stringent anti-espionage legislation for business corporations would comprise an ideal counter-measure. According to author Tresa Baldas, “A blend of edge technology, increased litigation and rising fears about trade secret theft and financial fraud is driving law firms and corporate counsel to the doors of former FBI agents and prosecutors with a knack for solving crimes... on a wide range of problems, including: corporate espionage, intellectual property theft and workplace discrimination claims” (Baldas, 2008). The above quotation suggests that cases of Industrial Espionage are on the rise in recent years, with perpetrators always adopting cutting-edge technology to break into the security barriers erected by the target company. The process of gathering Business Intelligence, on the other hand, is not liable to trial in a court of law, as it is completely legitimate to peruse published information such as previous annual reports, etc. With businesses relying heavily on technology and e-commerce increasingly becoming the normal mode of conducting business, new concerns have emerged. As Andrea Vanina Arias points out, “The more that virtual-world activities affect real-world economics and property interests, the more that virtual worlds will require legal regulation...a Senior Economist for the Joint Economic Committee commented that to a certain degree the law has fallen behind because you can have a virtual asset and virtual capital gains, but there's no mechanism by which you're taxed on this stuff” (Andrea Vanina Arias, 2008). Hence, corporate law should constantly be reviewed to curb Industrial Espionage operations. Details of measures necessary to enhance information security through an education, training and awareness programme and description of the desired specific objectives: The education, training and awareness programme will attempt to inform the employees about safe and secure working practices. It also includes educating the employees about the organization’s Intellectual Property rights and work practices that will safeguard it. Intellectual property, in simple terms, translates as the property of mind or intellect. Applicable to both individuals and organizations, it is also referred to as proprietary knowledge. The following are some of the various types of Intellectual Property rights that are offered by the Australian government. Patents are given to protect innovative products or processes from commercial impropriety. Trade marks are another type of intellectual property right that are given for “letters, words, phrases, sounds, smells, shapes, logos, pictures, aspects of packaging or a combination of these, to distinguish the goods and services of one trader from those of another” (McKeough, 1991). Similarly, ownership over particular designs is given for individuals and organizations. Copyrights are another form of intellectual property rights that are handed to creative artists and enterprises for original works in the fields of literature, fine arts, performing arts, motion pictures, television productions, and even computer software. In Australia, electronic equipment manufacturers can apply for circuit layout rights. A few other specialized intellectual property rights are issued for plant breeders (for protecting information regarding their breeding processes) and confidentiality rights (that includes processes and other propriety information). The aforementioned types constitute the major categories within intellectual property rights in Australia. Each right comes with its own provisions for exceptional cases. For example, copyright and circuit layout rights are automatically awarded by the governing authorities, but formal application need to be made for claiming ownership for other intellectual property rights. Or else, the individual or the organization will have to resort to the clauses under Australian common law to prove ownership and prior use for their non-registered IP. Also, IP rights taken in Australia are not valid outside the country. It is also required of the proprietor of IP to make necessary safeguards to protect their intellectual property. In certain cases, certain ideas or innovations need to be given protection under more than one right category, so that all loop holes are eliminated. A description of measures used to test the efficacy of the plan: Testing the Security Plan serves an important purpose for the simple fact that irrespective of how thorough the designed plan may have been, the nature and complexity of the digital business environment with software running in different platforms, complex interfaces, integration of third-party modules into the system, alongside other ad hoc contingencies mean that a robust testing system is essential for the success of the Security Plan. Consequently, our Security Plan testing will try to balance the operational and security demands of the volatile threat and risk digital business environment. Some of the measures undertaken to test the efficacy of the plan include: 1. Testing the company intranet routinely and making it an integral part of the system and network operations and administration. 2. Testing the central and important systems first. Ensuring that the plan fulfils the needs of the organization 3. Incorporation features of security testing into risk management process. 4. Making sure that the IT team is also briefed about the security measures undertaken. Bibliography: 1. Craig Kuhl, Putting a Mark on Content Security., Multichannel News 0276-8593 Sept 8, 2008, v29 i35, p22, 2008,ISSN 0276-8593 2. Wright, Charles, Cyber)crime fighters, Intheblack (Prahran, Vic.), v.76, no.8, Sept 2006: 49-51, 2006 3. Hauser, Christine, Camera Phones Are Enlisted To Fight Crime.(Metropolitan Desk, The New York Times 0362-4331 Sept 10, 2008, v157 i54429, pB1(L), 2008, ISSN 0362-4331 4. Michael Erbschloe, Trojans, worms, and spyware: a computer security professional's guide to malicious code, 2005 5. Ben Worthen, McAfee Redesigns Tools in Fight Against Malicious Software, Wall Street Journal; Eastern edition; New York, N.Y. Sep 8, 2008 p. B.6, 2008 6. Mike Williams, PC Tools Internet Security 2008, Personal Computer World; London Sep 2008 p. n/a. 7. Department of Foreign Affairs and Trade – Issue of ePassports, retrieved from 8. Office of the Privacy Commissioner, retrieved from 9. National Archives of Australia, Relevant Legislations, retrieved from http://www.naa.gov.au/records-management/im-framework/requirements/law/index.aspx 10. Baldas, Tresa, Companies keeping watch, covertly, New Jersey Law Journal 0028-5803 Sept 1, 2008, pNA, retrieved from 11. Andrea Vanina Arias, LIFE, LIBERTY, AND THE PURSUIT OF SWORDS AND ARMOR: REGULATING THE THEFT OF VIRTUAL GOODS, Emory Law Journal; Atlanta 2008 57; 5 p. 1301-1345 12. Belton, Catherine, An uneasy pact made. (COMPANIES - OIL AND GAS), The Financial Times 0307-1766 Sept 5, 2008, p19. ISSN 0307-1766 13. Security Equipment Catalogue, Australian Security Intelligence Organization, 14. Dempsey, Gillian., Industrial Espionage: Criminal or Civil remedies, Australian Institute of Criminology 15. Australian Federal Police official website, 16. Brown, T.X & Sethi, A., Potential cognitive radio denial-of-service vulnerabilities and protection countermeasures: A multi-dimensional analysis and assessment, Mobile Networks and Applications 2008: 13(5) 516 17. Allot Communications Ltd; Allot Launches ServiceProtector to Guarantee Service Continuity and Ensure Network Integrity, Science Letter; Atlanta Oct 7, 2008 p. 3035 18. Zhao, W., Detection of variations of local irregularity of traffic under DDOS flood attack, Mathematical Problems in Engineering 2008. 19. Berenson, Lawrence. "Ready for Anything: Business Continuity, Disaster Recovery, Preparedness." Security Management, February 2003, 96. 20. Coleman, Randall. "Six Steps to Disaster Recovery." Security Management, February 1993, 61+. 21. Edwards, Frances L. "Businesses Prepare Their Employees for Disaster Recovery: Local Government Can Learn from the Business Community Preparation for and Response to Hurricane Katrina." The Public Manager 35, no. 4 (2006): 7+. 22. M King Ji Leape, Asset Accumulation, Information, and the Life Cycle, - NBER, 1987 23. DE O'Leary, Enterprise Resource Planning Systems: Systems, Life Cycle, Electronic Commerce, and Risk, 2000 24. K Storesletten, CI Telmer, A Yaron, Consumption and risk sharing over the life cycle - Journal of Monetary Economics, 2004 25. Office of the Privacy Commissioner, Government of Australia, official website, http://www.privacy.gov.au, retrieved on 8th November 2008. Articles: Guidelines on Workplace E-mail, Web Browsing and Privacy Guidelines for Federal and ACT Government Websites Protecting Your Privacy on the Internet Privacy Act Regulations Public Interest Determinations 26. The Patents Guide: The Basics of Patenting Explained, IP Australia, 1999 27. J McKeough, A Stewart, P Griffith, Intellectual Property in Australia, 1991 28. P Drahos, A philosophy of intellectual property, published in 1996 Read More