Information Security Management In Organisations Information Technology Essay
First of all, you need to understand what exactly does the term “Information” means to the organisation. Information is an asset like any other and this is something which needs to be realised in order to ensure that the company’s interests are well looked after (Leo Davie, 2010). It is an asset like any other important business assets as it may contains highly sensitive data. Lastly, you need to know why information is important. Nowadays, business no longer can function without information or information which is unreliable as everything is going computerised.
Assume that you do not have information security management in place for your organisation. What will happen? A typical scenario to explain the rationale behind it is imagined your IT system being hacked. Some examples of effects after being hacked are such as leakage of confidential information, loss of client data which will result in loss of shareholders confidence, company reputation affected, etc. It does not matter whether the security breach is a small scale or large scale breach as even the smallest scale security breach can cost a dire effect on the organisation.
With proper information security management in place within the organisation, you will be able to minimize the risk of loss of information. This will be able to help the clients to build more confidence with the organisation as the organisation will be able to protect their confidential information.
Carli C (2009) says “Your business vulnerability is also your reputation, so don’t assume that you can ignore the importance of information security management. In this day and age, being as secure as you can is vital.” Therefore information security management is important to any organisation be it SME or large organisation.
What is SME and how do you define SME? SME means small and medium-sized enterprises. SME can be defined in terms of the number of headcount in the enterprise. However, different country may have different definition of SME. Some countries take into the consideration of turnover rate of the enterprise to define SME. Tang Puay Eng (2010) says “Statistical definition of SMEs differs from each country, according to the number of employees or value of assets.” For small enterprises, you will only be expecting up to no more than 50 employees whereas medium enterprises, you will be expecting a minimum of at least 50 employees and no more than 250 employees.
The main reason why information security management in SME and large organisation is different is because of the scale and complexity of support for the overall IT environment and the security tools safeguarding it (Angela Moscaritolo, 2009). As a result, in SME and large organisation, each has their own security management problems to handle. For SME, they do not have the luxury of having dedicated personnel to perform the role of the security expert due to the lack of manpower. Unlike SME, large organisation is able to have dedicated personnel to perform the role of the of the security expert due to the fact that large organisation has much more manpower than SME. However, in SME, they are able to adapt changes to the security management when entering new markets whereas large organisation is not able to easily adaptable to changes in security management due to the large amount of employees needs to be re-trained each time if entering new markets.
Incident response management is the ability to provide management of computer security events and incidents. It implies end-to-end management for controlling or directing how security events and incidents should be handled. This involves defining a process to follow with supporting policies and procedures in place, assigning roles and responsibilities, having appropriate equipment, infrastructure, tools, and supporting materials ready, and having qualified staff identified and trained to perform the work in a consistent, high-quality, and repeatable way (Georgia Killcrece, 2005).
In order to handle incident response, a computer security incident response team (C.S.I.R.T.) is formed to react in a timely fashion, to intrusions, types of theft, denial of service attacks and many other events that have yet be to executed or considered against their company. The CSIRT will be responsible for investigating and reporting on malicious insider activity, internet spam, human resource violations and copyright infringements (Tim Proffitt, 2007). According to Mason Pokladnik (2007), there are a total of six steps of incident management stated by the SANS institute.
Preparation – To be well prepared in handling any incident.
Identification – Determines whether incident has occurred by gathering data and analyse it.
Containment – To prevent any further damage such that it cannot spread to other data, systems or networks.
Eradication – Removal of any malicious code and data left by the intruder.
Recovery – To return operation to normal either by rebuilding from scratch or rebuild from a backup.
Lesson learned – Evaluate the incident after it is over.
Due to the fact that SME do not have dedicated security expert, SME will not have full time dedicated personnel for C.S.I.R.T. According to Mason Pokladnik (2007), there are four particular area of constraint inclusive of personnel constraint.
Personnel – Requires that positions that may exists separately in a large company to be combined in smaller ones.
Training – Entire incident team may not be able to attend due to they have other tasks for their original position to be done.
Tools – Lack of budget to purchase high end security software.
Time – Do not have the luxury to work on a single project from start to completion.
Although SME do not have dedicated personnel for C.S.I.R.T, they are also using the six steps of incident management
Disaster recovery is the ability to continue work after any number of catastrophic problems, ranging from a computer virus or hacker attack to a natural disaster such as flood, fire, or earthquake (J. S. Petersen, 2010).
Example: In SME, due to their lack of budget, they will only have one server for file storage (Mike Talon, 2005). Without having a proper backup, the organization may go out of business due to loss of data. According to a three-year-old study from Price Waterhouse Coopers, 70 percent of small firms that experience a major data loss go out of business within a year (Gerry Blackwell, 2010). Although small and medium organizations have fewer options when it comes to disaster recovery as compare with large organization, with the help of the right tools, they still will be able to find something that is able to cater to their needs when required for disaster recovery.
Michael Cobb (2009) says “Smartphone has quickly become yet another indispensable part of modern business. Features such as wireless email, Web browsing, personal information management and network access to corporate resources allow for quicker and better decision making and greater productivity.”
Although mobile devices are not the primary target of cyber criminals, this does not mean that mobile device will not be targeted by cyber criminals in the near future. Example on the recent mobile attack on July 2010, Android mobile user downloaded malicious mobile software which resulted in sending of personal information found from inside of the mobile phone to selected servers in China. This clearly proves that mobile devices are not immune to attack. Therefore, there is a need for mobile device security management.
Michael Cobb (2009) and Andy Gambles (2009) have recommended a list of mobile security policies to minimize the risk of loss of information from mobile device such as device passwords with a minimum length, complexity and update frequency, data encryption – depending on its sensitivity or classification level, only store essential names, numbers and documents on your mobile phone, enable the “Automatic Lock” function on your device, and set the lock period to the minimum time, etc. Besides having those mobile security policies, one of the most important policies is all mobile devices must be assessed before granting full access to the internal network and the mobile devices must be able to support remote wiping of mobile devices information. The best recommended mobile device to be used is Blackberry device as Blackberry is able to support remote wiping and it has already been in used by various large organisations.
Why do we link business objectives with security? The reason why we need to link business objectives with security is because security plays an important part in terms of securing confidential business information and it helps business to prioritise efforts to address security risks. Another reason is without linking business objectives with security together, you may up compromising both the business objectives and security objectives when handling of projects.
How does it work? Organisation needs to identify which are the important information assets. After identifying which are the important information assets, organisation needs to review the threats and vulnerability to the assets. Once identifying and reviewing is completed, organisation will be able to understand and prioritise efforts to address the security risks.
What are the benefits by linking business objectives with security? One of the benefit as mentioned earlier on is the organisation will be identify the risk. This will help the organisation to come up with a disaster recovery plan before the risk happens. According to Carole Le Neal, (2010), another benefit is able to invest in the right systems, software, hardware, and competencies at the right time. This helps the organisation to reduce the cost required rather than investing on everything other things to find the right systems, software and hardware. Another benefit being mentioned by Carole Le Neal, (2010) is it can help to ensure that critical changes can be delivered on a timely basis, with an overall view to their impact on both existing assets and future demands. This helps to ensure that whatever things that the organisation is planning for will take into consideration of the impact for business and security.
Biometric security devices works by using a person’s physical or behaviour characteristics such as fingerprint, signature and voice scan etc for authentication purposes such as granting door access. It is difficult to duplicate it as each person is unique which makes it more secure than passwords or access cards.
How exactly biometric security devices works? It can be classified into three steps: Enrolment, Storage and Comparison (Tracy V. Wilson, 2005). Enrolment – stores your basic information such as name or identification number. Depending on the type of biometric device is used; it will also capture and store your unique physical or behaviour characteristic. Storage – it does not store a complete trait of your physical or behaviour characteristic as it only stores what has been analysed to your trait and convert it into a code or graph. Comparison – comparing your trait during authentication with the copy that was first registered. Only upon successfully matching both traits, the access will be granted.
With the help of biometric security devices, employees will no longer need to remember dozens of different passwords and PINs, will not be worrying about forgetting their passwords and PINs, losing their access cards or tokens.
There are currently many types of biometric security devices available in the market such as fingerprint security, hand geometry, retina scanners, iris scanner, face recognition, signature analyzer and voice authenticators. Depending on the organisation budget, organisation should be able to find some at least one of the devices suitable for usage. Generally for SME, if they wish to uses biometric security devices, they should go for fingerprint security or signature analyze as it is does not cost much and it is efficient.
Why ethical issues happen in information security management in the organisation is because the people, not the information itself. It depends on how the people are using the information which may result in ethical issues. However not all people are aware of ethical issues related to information security. According to the survey done by Wanbil W.Lee & Keith C.C. Chan (2008), less than 10 percent of the students are aware of computer ethics and more than 60 percent claimed that they were not sure if they carried out their work ethically and, conversely, about 30 percent claimed that they thought they carried out their work ethically.
According to Richard O. Mason (1986), there are four main classifications of ethical issues of concern which are privacy, accuracy, property and accessibility also known as PAPA. In terms of privacy, the key of concern is what type of information should be divulged and under what situation. In terms of accuracy, the key of concern is who is responsible for the authenticity, fidelity and accuracy of information that is provided. In terms of property, the key of concern is who owns the information. In terms accessibility, the key of concerns who has the permission to obtain the information and under what condition.
In order to resolve ethical issues, Association for Computing Machinery (ACM) has adopted a guideline on the code of ethics in 1992. The code of ethics are made up of 24 imperatives formulated as statements of personal responsibility, identifies the elements of such a commitment. This set of guideline has been used by various organisations to serve as a basis for ethical decision making in the conduct of professional work.
Why security training and education is important to every organisation is because through training and education, one can easily disseminate information which is required to do their jobs. BIAC & ICC (2003) stated “All employees should receive mandatory security training and education at a level and frequency appropriate to their role, the type of information they have access to and the business needs”.
The purpose of security training is to create awareness to employees of potential risks of breaching the code of ethics and to ensure employees understand security standards, practices, guidelines the company uses, how employee role help keep the company secure and understand their roles in security.
For example, your organisation does in-house development of application. Without sending your employees for security training, when your employees developed the application, they will design and develop based on what they think is correct. This may compromise to the security standards, practices, and guidelines used by the company. As a result, the end product may be less secure or even have to redevelop the whole application.
In SME, due to lacks of funds, time and specialised knowledge to coordinate conduct security training and education (Furnell, 2000, Dimopoulos, 2004, Gupta & Hammond, 2005). SME can adopt a different approach which is absolute free. The National Institute of Standards and Technology (NIST) have a publication on “Building an Information Technology Security Awareness and Training Program (SP 800-50)”. It is a set of templates and guides for what should go into a security awareness training program. As long as the SME can spare one or two employees to build a training program based in the NIST guidelines, is should be sufficient enough cover all the necessary security training (Jeol Dubin, 2007). However, this is not a foolproof solution. If the employees misinterpret the NIST guidelines, wrong things will be taught to the other employees. Another approach will be purchasing a web-based training and it is not costly.
Why is there a need to defend against internet-based attacks for SME? The reason is because SME is highly dependent on the web as they use the web to integrate part of the business (GFI White Paper, 2010). Other than using as part of the business, SME also uses the web for employees to communicate, collaborate and succeed. If SME does not have any defence against internet-based attacks, when a hacker attacks the them, the consequence will be dire. As mentioned earlier on, SME uses the web to integrate part of the business, if SME is not able to use the web due to the hacker’s attacks, it will means losing a business. In long terms, it may result the organisation to go burst.
There are many different types of internet-based attacks which will result in web security threats. According to another GFI White Paper article on Web-Based Security Threats, there are 4 different types of internet-based attacks. They are phishing, web browser exploits, third party add-ons and download.
How should SME defend against the 4 different types of internet-based attacks? In order to defend against the internet-based attack, SME can enforce security policies, conducting security training and create awareness to the employees, installing anti-spam and anti-phishing software and content filtering to prevent accessing of unknown website, downloading of content which has virus.
Industrial espionage gathering is the gathering of confidential information from other organisation through illegal and non ethical means. According to an article by Technolytics (2009), it stated that a report stated 60 percent of SMEs are victims of industrial espionage as they have little investment in security.
How can SME prevent from being targeted by industrial espionage? One of the options is to employ professionals to conduct regular counter surveillance programmes in order to ensure confidential business information remains secure (Nicola Brown, 2010).
Business intelligence gathering is the gathering of information on own organisation to analyze and understand information relevant to the history, current performance or future projections for a business (Laurie McCabe, 2010).
Why business intelligence gathering is important to SME? Without having business intelligence, SME repeat the same mistake again, the consequences will be dire. However, with the help of business intelligence, SME can easily avoid repeating the same mistake as the SME will be able to understand the market trends for their products and services (Anand Bondre, 2004).
Issues concerning good governance within and between SMEs form an important part of a functioning democracy in a modern industrial society (Colin Gray, 2006). Generally, governance issues for SME are because of the amount of resource and time required for information gathering and regulatory compliance. In order to conform accordingly to good governance practice, it requires not only the completion of paperwork but also the management of various stakeholders.
In order to deal with governance issues, according to a white paper by European Commission (2001), there are five principles that define good governance which are Openness – Work in a more open manner, Participation – Ensure wide participation throughout policy claim, Accountability – Roles and processes must be clearly defined, Effectiveness – Policies must be effective and timely and delivered based on clear objectives, Coherence – Policies and action must be coherent and easily understandable.
Each of the principle is important by itself. Therefore, once the five principles are achieved, the governance issues will be resolved.
To address personnel issues in information security, it should start as early as possible from the recruitment stage to identify the need for security. Background checks should be conducted for potential new employees regardless for what type of position to prevent any security incidents. Employment agreements and contracts with new employee should include appropriate confidentiality (non-disclosure) obligations and requirements for the implementation of security practices (BIAC & ICC, 2003). The moment employment starts for the employees, security awareness and education should be reinforced.
Actions such as termination or disciplinary action against employees may result in threats by providing confidential information to rival organisation or hostile acts (Robert Macpherson & Bennett Pafford, 2010). It should be carefully planned and should only be carried out as appropriate for each situation.
Physical security is actions you can take to protect buildings, property and assets against intruders (William Deutsch, 2010). Physical security is important because any breaches in physical security can easily result in loss of confidential information, loss of services, etc.
According to a White Paper published by GFI in 2009, in SME, physical security issues of information security are often neglected partially due to lack of dedicated security experts. One of the options that SME can do is to outsource their information security.
Russell Morgan (2008) stated that protecting physical and technical assets is not enough. Anything that security issues are involved is always a human factor. According to FBI statistics in 1993, the statistic indicates that 72% of all thefts, fraud, sabotage, and accidents are caused by a company’s own employees. Another 15 to 20% comes from contractors and consultants who are given access to buildings, systems, and information. Only about 5 to 8% is done by external people (Tom Peltier, 1993).
Therefore, all employees must attend the security awareness and education that is supposed to be conducted to them.
Cyber forensic is also known as computer forensic. Computer Forensics is the process of investigating electronic devices or computer media for the purpose of discovering and analyzing available, deleted, or “hidden” information that may serve as useful evidence in supporting both claims and defences of a legal matter as well as it can helpful when data have been accidentally deleted or lost due to hardware failure (Kevin Cohen, 2008).
In SME, they should use each application independently rather than getting software which has all the features as it cost more than it is worth (Brett Pladna, 2008).Order Now