Principles Of Information Security And Governance Information Technology Essay
The progress and expansion of information technology and of the worldwide network have given rise to problems such as violations of information security, hacking and virus attacks. Information security governance plays a vital role in providing continuous protection of information from a wide range of threats, and so in ensuring business continuity. It helps minimise risk, protect profits and the return on investment, and strengthen reputation. Virus attacks, hacking and information theft are some of the basic dangers faced by many organisations, and the solution lies not only with technology but with management as well. Information security failure or poor management leads to business and financial loss and to reputational damage. I will be shedding light upon the principles, risk factors and privacy threats, and then the strategies, policies and procedures required for the administration and management of an information security and governance programme in my organisation.
Information Security Governance
A structured framework of policies, procedures and lines of authority for handling, sharing and recording information securely and confidentially is termed information security governance (NHS, 2005). Successful information security governance ensures the ‘confidentiality, integrity, availability, authentication and identification, authorization, accountability and privacy’ (Whitman and Mattord, 2009, p. xvii) of the information and data on which the security and reputation of an organisation depend. Information governance requires teamwork, in which all staff members are aware of the importance of the confidentiality of information. The framework ensures that information and data are kept secure and accurate, and that information is shared and recorded in compliance with the law and with a proper set of rules and guidelines (Simmons, Scott, et al., 2006).
Information security governance complements IT governance and corporate governance and is an important segment of both. To provide a contemporary environment for governing their information systems, most companies use internationally recognised frameworks such as COBIT and ISO/IEC 17799 (renumbered ISO/IEC 27002 in 2007). The Control Objectives for Information and related Technology (COBIT) framework was first published by the Information Systems Audit and Control Association (ISACA) in 1996 and has since been developed by ISACA and the IT Governance Institute (ITGI). It guides IT management in developing and implementing information security governance on a wider platform, covering threat analysis, risk assessment and cost estimation as well as countermeasures and future planning (Solms, 2005).
Figure 1: Proposed Integrated IT Governance Framework (Dahlberg and Kivijärvi, 2006).
Figure 1 shows a proposed integrated IT governance framework. A successful information governance structure ‘builds on the integration between the structural and processes perspectives of IT governance, business-IT alignment, and senior executives’ needs’ (Dahlberg and Kivijärvi, 2006, p. 1). The framework requires the involvement of the management board, executive and subject steering committees, service delivery teams and all staff working on networking, systems, applications, desktops and cross-functional activities (Richardson, 2010, Q 3).
Implementation and administration of IT security are carried out by the organisation's information security management function, which helps identify the levels of protection required. Information security management follows a methodology or framework that includes top management commitment and information security policies (Ghonaimy, El-Hadidi, et al., 2002). Information security governance ensures that information security management establishes, implements, monitors and reviews these procedures and policies in order to meet the business objectives of the organisation (Pironti, 2008). The information security team is responsible for handling security issues concerning the safety and confidentiality of the company's information and for data protection; it also helps maintain the integrity and availability of information. Information security management deals with the security team, organisational culture, change management, risk assessment, people and risk behaviour. It is responsible for developing strategies, policies and procedures to reduce threats, risks and attacks, and the security team presents security analyses, reviews and implementation plans to the management team (Parker, 1981).
Information Security issues and risk factors
‘A hack, a virus or a denial-of-service attack may have the effect of halting business operations’ (Ross, 2008, p. 1). The main dangers faced by many organisations include identity theft, leakage of personal information, manipulation and modification of data, and improper access to passwords and secure areas. Widespread IT security risks include malware, system intrusion, terrorism, extortion, and the non-compliant behaviour of staff and managers. These dangers can affect the overall reputation of the company and leave stakeholders concerned. The main losses to guard against are loss of confidentiality, integrity, availability, authenticity and reliability of information (Stoneburner, Goguen, et al., 2002).
A confidentiality threat is the prospect of unauthorised access to protected information. Breaches of confidentiality can occur in a number of ways. Leaving a desktop or laptop unattended without a password-protected screen lock (a screen saver that does not lock the session offers no protection) allows any staff member or external visitor with bad intentions to read or copy what is on it. Post-it notes with user IDs and password reminders create the same violation of confidentiality. Likewise, leaving the server room key freely accessible invites theft and gives unauthorised people access to the systems inside (Stoneburner, Goguen, et al., 2002).
Integrity is the property that data has not been modified or manipulated without authorisation; an integrity threat is therefore unauthorised modification. Unauthorised access to systems also leaks important information, allowing anyone to steal or misuse the confidential information of the company, which can lead to the distribution, alteration and theft of personal data and of the identities of key personnel, and to hacking and virus attacks on the organisation's secure systems. An employee can damage data integrity by changing key figures, mistyping, or deleting important information by accident or on purpose. When members of staff take official laptops home with unencrypted personal information on them, loss or theft of the laptop means confidential data going into the wrong hands; full-disk encryption is the usual countermeasure (Stoneburner, Goguen, et al., 2002).
Availability means that authorised users can access information and systems when they need them. Loss of availability can be caused by attacks such as hacking or viruses, or by hardware failure. Unavailability of a system to its end-users reduces productive time and so affects the organisational goals of the company (Stoneburner, Goguen, et al., 2002).
There are a number of other issues and risk factors that can threaten information security governance. Lack of professionalism among employees can generate many high-risk issues: for example, sending personal, unofficial emails from within the organisation indicates improper use of the internet. Moreover, if someone is in charge of the company's high-risk or sensitive data, then casual internet browsing and personal email on the same machine can easily invite virus attacks or hacking.
Information Security Strategies, Policies and Procedures
These risk factors and security issues require proper security policies and an advanced framework. Although the HR department already possesses a set of security policies and procedures, they are seldom implemented.
The information security governance programme works alongside the risk management programme, with strategies, security policies and procedures, to provide a secure environment. Information governance ensures the application of all the security policies (Nagarajan, 2006). Risk analysis is essential before information security rules, strategies, policies and controls are implemented, and it forms the basis of the risk management system.
Implementing information security in an organisation comprises six major activities: policy development, understanding roles and responsibilities, suitable information security design, regular monitoring, security awareness, and training and education. To achieve reliable information security, the essential elements of control within the organisation are required. Security controls include technical and non-technical controls.
Technical controls provide logical protection through the configuration of the system and of protective software and hardware. They include access control mechanisms, identification and authentication mechanisms, data encryption, access control lists and intrusion detection systems, among other software and hardware controls. Computer security can be strengthened by creating strong passwords, keeping anti-virus and anti-malware software updated, using firewalls and password-protected screen locks, applying proper encryption and creating backups (Stoneburner, Goguen, et al., 2002). Passwords should be strong and well protected, and employees must not share them with anyone; the traditional advice is that passwords should also be changed periodically, although current guidance (NIST SP 800-63B) recommends screening passwords against lists of known compromised passwords, forcing a change only when compromise is suspected, and pairing passwords with multi-factor authentication wherever possible. Organisations must also have incident response and business continuity procedures, including backup generators for electrical failure and off-site data centres in case of natural disasters or accidents.
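As an added illustration of the access control list mentioned above (example code written for this page, not taken from any of the cited sources), the following Python shows how an ACL should be evaluated: a request that matches no rule is refused (default deny), an explicit deny rule overrides any allow, and every decision is written to an audit log so that accountability is preserved. The roles, users, resource names and requests are constructed for the example.

```python
"""Default-deny access control list with an audit trail.

Added example for this page: the roles, users, resource names and
requests below are constructed and do not come from any cited source.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    role: str                 # role the rule applies to
    resource: str             # exact name, or a prefix ending in "*"
    actions: FrozenSet[str]   # actions covered, e.g. {"read", "write"}
    effect: str = "allow"     # "allow" or "deny"

    def matches(self, resource: str, action: str) -> bool:
        if action not in self.actions:
            return False
        if self.resource.endswith("*"):
            return resource.startswith(self.resource[:-1])
        return resource == self.resource


@dataclass
class AccessControlList:
    rules: List[Rule]
    role_members: Dict[str, Set[str]]   # role -> user ids holding it
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def roles_of(self, user: str) -> Set[str]:
        return {role for role, members in self.role_members.items()
                if user in members}

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        """Evaluate one request and record the decision.

        Default deny: a request matching no rule is refused.
        Deny overrides allow: a single matching deny rule blocks the
        request even if another rule would allow it.
        """
        roles = self.roles_of(user)
        matching = [r for r in self.rules
                    if r.role in roles and r.matches(resource, action)]
        if any(r.effect == "deny" for r in matching):
            allowed = False
        else:
            allowed = any(r.effect == "allow" for r in matching)
        self.audit_log.append(
            (user, action, resource, "allow" if allowed else "deny"))
        return allowed


def build_sample_acl() -> AccessControlList:
    """Constructed sample policy: HR owns its files; IT operations may
    read them for backup but is explicitly denied changing them; a
    contractor has no rule at all and falls through to the default deny."""
    rules = [
        Rule("hr", "hr/*", frozenset({"read", "write", "delete"})),
        Rule("it_ops", "hr/*", frozenset({"read"})),
        Rule("it_ops", "hr/*", frozenset({"write", "delete"}), effect="deny"),
        Rule("it_ops", "backup/*", frozenset({"read", "write"})),
    ]
    members = {"hr": {"alice"}, "it_ops": {"bob"}, "contractor": {"carol"}}
    return AccessControlList(rules, members)


def denied_requests(acl: AccessControlList) -> List[Tuple[str, str, str]]:
    """Refused requests from the audit log: the entries a reviewer reads."""
    return [(u, a, r) for (u, a, r, d) in acl.audit_log if d == "deny"]


if __name__ == "__main__":
    acl = build_sample_acl()
    for user, action, resource in [
        ("alice", "write", "hr/payroll.xlsx"),
        ("bob", "read", "hr/payroll.xlsx"),
        ("bob", "write", "hr/payroll.xlsx"),
        ("carol", "read", "hr/payroll.xlsx"),
    ]:
        print(user, action, resource, "->",
              acl.is_allowed(user, action, resource))
    print("denied:", denied_requests(acl))
```

The two ordering decisions carry the point: an unknown principal or an unlisted resource gets nothing, and a broad allow cannot silently widen an operator's write access past an explicit deny. The audit log is what turns the authorisation check into accountability, since the denied entries are exactly what an incident reviewer or an auditor will ask to see.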
Management control – includes the management and administration of security policies, operational measures, risk assessments, and training and education. Management is responsible for educating staff members through a suitable security awareness programme so that they can handle sensitive data and information correctly. The HR team should conduct proper background checks on employees, especially those in charge of handling confidential information, in addition to providing proper training. Administrative controls should also inform employees of the UK data protection legislation that is in place. Internet threats can be reduced by educating staff, creating an awareness of confidentiality, and prohibiting web browsing, chatting, personal emailing and the downloading of software from unknown or untrusted sources on computers that hold confidential information. Moreover, employees' level of computer literacy must be assessed in order to identify their capabilities in handling information. Management must also administer the authorisation and periodic re-authorisation of systems (Stoneburner, Goguen, et al., 2002).
The security awareness programme should provide security training and must also assess the level of computer literacy of each employee. The information security officer must administer and implement the programme, which should include training and awareness for senior management, for staff involved in handling data and information, and for end-users or clients. Involvement of all users within the organisation is essential (Ghonaimy, El-Hadidi, et al., 2002).
Operational control – includes physical controls and environmental security, and plays a vital role in supporting administrative and technical controls. Operational security covers the quality of the electricity supply, humidity and temperature control, and the physical protection of the facility; examples include backup generators and physical intrusion detection systems such as alarms and motion detectors. It also monitors and controls physical access to secured areas, through locks, doors, cameras, security guards and fencing (Stoneburner, Goguen, et al., 2002).
The HR department should provide security awareness training to staff members and must make sure that, when a new employee is appointed, the contract of employment includes the security policies and procedures. These security controls should be reviewed and renewed annually in order to maintain successful information security. All these essential controls and the security awareness programme must be implemented through the Human Resources department.
Information security culture
People's behaviour and attitudes towards their working environment form the organisational culture. Information security culture evolves from people's behaviour and attitudes towards the confidentiality, integrity and availability of the organisation's information and knowledge. It includes ‘people, training, processes and communication’, because ‘the inside behaviour poses a more serious threat to the security of information than outside behaviour’ (Ghonaimy, El-Hadidi, et al., 2002, p. 204). It is therefore essential to understand and analyse the organisational and corporate culture, as well as the need to change the security culture within the organisation. Threat analysis will indicate how much the organisational culture contributes to security violations, and the culture should be changed accordingly by educating staff members (Ghonaimy, El-Hadidi, et al., 2002).
Figure 2 describes a proposed information security culture in an organisation.
Figure 2: A proposed information security culture (Ghonaimy, El-Hadidi, et al., 2002).
A healthy security culture is achieved when people are trained to handle clients' confidential information securely, are fully aware of the threats around them (information theft, hacking, and virus or malware attacks), and are trained to handle these situations with confidence and responsibility (Richardson, 2010, p. 3). Information security culture can change the organisational culture in a positive way. For example, staff must understand that if servicing or repair of equipment is required, it should only be carried out by an authorised person. Security culture depends upon managerial attitudes, including those of top management, on security awareness and training, and on rewarding security-conforming behaviour (Ghonaimy, El-Hadidi, et al., 2002).
Risk Management System
An information security policy alone cannot be relied upon to eliminate these threats, because it ‘narrowly focuses on the use of technology to mitigate threats’, while the nature of attacks has changed to become ‘highly targeted, highly effective and nonadvertised’ (Pironti, 2008, p. 1). A proper risk management model is therefore essential.
The ever-changing face of attacks on information security requires a proper risk management system, which must be understood and supported by the senior management and business leaders of the organisation so that they can identify and finalise investment levels using proper information protection and risk management capabilities. Regular reporting is essential to demonstrate the effectiveness of information risk management practices. Such a model improves the efficiency of the information security team in following the decisions of the risk management team, which are made by senior officials who have a view across the whole information infrastructure and can make these decisions effectively. The corrective approach of a successful risk management programme depends on the presence of a single accountable leader (Pironti, 2008).
An information risk management programme helps characterise and analyse the company's whole information system, highlighting risk factors and the information infrastructure. It combines individual functional capabilities into one well-managed and well-oriented organisation that supports business strategy, increases the efficiency of security teams, and builds a bridge of confidence and communication between the team and the leaders. The programme protects against a wide range of threats not by limiting access but by evaluating whether the extent of each access is appropriate and required, so that it does not stop the organisation from achieving its targets (Pironti, 2008).
To achieve a satisfactory level of confidentiality, integrity and availability for the company's sensitive information, and satisfactory data protection, reliable information security governance is required. This framework must include the implementation, renewal and revision of strategies and policies within the organisation, an understanding of the need to change the organisational security culture, and the monitoring and management of the information security team under the supervision of top management. With the day-by-day expansion of the global network, there are also major risks from viruses and malware, which require a risk management system as well. These policies, strategies and procedures must be implemented through the HR department, including the hiring and training of security officers and staff members, with the approval of top management.
Appendix A: Summary of the paper presentation
Key Elements of an Information Risk Management Program
As part of our MSc assessment we were asked to take part in a paper presentation on the key elements of an information risk management system, based on a paper written by John Pironti and published in 2008 in the Information Systems Control Journal, Volume 2.
Information security has become more challenging with the ever-changing and evolving face of threats to information processing. The adversary creates a new threat as soon as the defender develops and implements a defensive control. Defenders are constrained by ethics, rules, knowledge, time, and lack of investment and resources. Adversaries can only be defeated by a suitable risk management approach that uses the available assets, resources and potential. Policies, procedures and processes complemented by technology prove far more effective in mitigating security threats than technology alone. Information security that relies only on technology is weak, because the defensive components themselves can easily be downloaded or purchased by anyone; their value lies entirely in proper implementation and operation.
The organisation's information risk management approach identifies which information to protect and the level of protection required to align with organisational goals. It must be understood and supported by senior management and business leaders, who identify and finalise investment levels using proper information protection and risk management capabilities. Team structures in most companies today have separate leaders for security, privacy, compliance and so on, each with the title ‘chief’, but the title carries little weight because each of these leaders has limited access to senior positions and business strategy. To meet current challenges, all these independent capabilities must be united on a single platform as an information risk management programme.
The information risk management programme helps characterise and analyse the company's whole information system, highlighting risk factors and the information infrastructure. It combines individual functional capabilities into one well-managed and well-oriented organisation that supports business strategy, led by a ‘Chief Risk Officer’. This leader becomes the focal point and builds a bridge of confidence and communication between the team and the leaders for all communication about risk identification, mitigation and management. The programme protects against a wide range of threats not by limiting access but by evaluating whether the extent of each access is appropriate and required, so that it does not stop the organisation from achieving its targets. The team leader has regular access to senior officials to provide them with correct and up-to-date information on risk factors and business strategy.
Key performance indicators are essential tools for measuring the performance of a business function, process or capability. These indicators need to be assigned thresholds to ensure that the function is operating within normal limits. The key elements of a risk management programme include: the presence of a Chief Information Risk Officer; information security; physical security; compliance; privacy; financial risk; market and strategy risk; business operations risk; risk methods and practices; key performance analysis and effectiveness; cultural awareness, training and communications; strategy and governance; and a risk oversight board and committee.
Information risk management is a mature progression of information security. The programme structures risk management, uses existing capabilities and provides a 360-degree, holistic view of security risks within the organisation.
Appendix B: Discussion generated from the paper presentation
Q. What do you mean by the holistic view of risks that affect productivity and success?
A. A holistic view implies focusing from a high perspective and ensuring that all the organisational requirements are met with relevant policies, processes and procedures complemented by technology, rather than the particular technical areas on which the information security team focuses.
Q. How would you convince businesses that such a wide model of risk management programme can be implemented, given the requirement for so many resources?
A. This programme probably applies mostly to larger organisations with more people at different levels, so that they are able to map onto this new, mature model, explaining the benefits and understanding why the structure of information governance should change. Another key element to highlight would be that this model re-uses the existing resources within the organisation.
Q. Who decides the key performance indicators in the policy and standards maintained by the risk management programme?
A. Normally it would be something discussed by all the relevant departments, rather than the IT department telling you what your KPIs should be. It will come from a higher level and from senior management.