The Need Of Sound Information System Information Technology Essay
A small to medium enterprise (SME) is an organization or business with a limited number of employees or a limited revenue; each country has its own definition and standard for an SME. In Singapore, an SME must have at least 30 per cent local equity, fixed productive assets of not more than S$15 million and not more than 200 employees. Australia uses different categories: very small with 1 to 9 employees, small with 10 to 49 employees, medium with 50 to 149 employees and large with 150 or more employees.
Information is a critically important asset of an SME; the loss of or damage to any piece of information can hurt the company badly. Loss of competitive advantage and of customer loyalty are possible consequences, and an SME could go out of business after such an incident. Although information security applies to every kind of business, SMEs and large companies face different challenges when applying it. An SME does not have the large budget of a big company, and it has fewer qualified security personnel and fewer resources. The challenges of large enterprises often stem from their size: they find it difficult to track their users because there are so many of them, and they often have many branches in different locations to maintain. An SME also has an advantage over a large company: because it has fewer employees, it faces a smaller threat from insider attacks.
One security option for an SME is to outsource its security, but the prices offered are a problem because some SMEs cannot afford them, which again comes down to the SME's budget. Another option is emerging: some Internet Service Providers (ISPs) are increasingly partnering with security vendors to offer SMEs standard security products.
The need of sound information system.
Information security management is the management of threats and risks to an organization's information; it applies to every type of organization, from large to small. It includes personnel security, technical security, physical security, access control, business continuity management and many other areas. The standard that specifies the requirements of information security management is ISO 27001, one of the ISO 27000 family. Following it helps to protect the information better, and clients will also feel secure. ISO 27001 helps to protect all kinds of information, whether in soft copy, in hard copy or in transit during communication.
There are three important characteristics of information security: Confidentiality, Integrity and Availability (CIA). Confidentiality ensures that only authorized users may access the information, so that each level of information can be accessed only by certain users. Integrity is the state in which the information is complete and uncorrupted. Availability ensures that the information is available whenever an authorized user accesses it.
Information security management is needed because information is now the most vital asset of almost every organization. There are many consequences when information is destroyed, stolen or corrupted, and they may be very serious or even cause the organization to collapse. Personal information is also vital both to the people it describes and to the company: if the company does not handle it carefully, it puts itself in danger, because personal information can also be customer information, and when it is not secured the customers may lose their trust in the company and the company's reputation will suffer. The same applies to the company's staff. In one case study, some companies in London lost electricity because of a problem at the London power company. Because of the outage, some of the companies had their data corrupted and their systems crashed; these incidents made the companies lose clients, clean up the corrupted data and re-enter the data, which cost them more, and some closed their business.
The following topics are covered by information security management:
Biometric security devices and their use
Biometric security is a tool that protects information from intruders by authenticating the authorized user with a part of the body instead of a typed password. Its advantages are that it cannot be borrowed or fabricated and that it is more secure than entering a password. Biometrics based on unique physical characteristics include fingerprints, palm, retina, iris and face; behavioral characteristics include signature, voice, keystroke pattern and human motion.
The following is a list of biometrics and their uses. Fingerprint recognition identifies a person by scanning the fingerprint and looking for the pattern found on the fingertip. There are different kinds of fingerprint verification: some use pattern-matching devices that compare the scanned fingerprint against a database, while others use moiré fringe patterns or ultrasound. Palm recognition scans and measures the shape of the hand and looks for the pattern on the palm; some organizations use it for time and attendance recording. Retina recognition analyzes the layer of blood vessels at the back of the eye. It shines a low-intensity light through an optical coupler to look for the patterns of the retina, so the user needs to focus on a given point. Iris recognition analyzes the colored ring of tissue surrounding the pupil using a conventional camera element, and the user does not need to be close to the scanner. Face recognition analyzes facial characteristics and requires a digital camera to scan the face; some organizations, such as casinos, use it to detect scam artists quickly.
Some companies and even governments are already using biometric security. Fujitsu Ltd. is now building palm recognition into its desktop computers; it chose palm rather than fingerprint recognition because it says palm recognition is more secure. The scanner uses infrared light to look for the pattern of veins in the user's palm, which is visible under infrared. This technology is already in use in more than 18,000 bank ATMs in Japan. Germany stores digital fingerprints and digital photos in passports to fight organized crime and international terrorism.
Biometrics may be more secure, but research shows that biometrics such as fingerprint recognition can also be defeated by unauthorized users. The mathematician Tsutomu Matsumoto used about $10 of ingredients, gelatin and a plastic mold, to reproduce a portion of a finger, and in four out of five attempts he gained access to 11 different fingerprint recognition systems.
Incident response management and disaster recovery
Incident response is an organized plan or set of procedures for handling and countering threats such as a security breach or attack. An incident response plan includes a policy that states how to respond to particular threats and reduces recovery cost and time. The goals of incident response include reducing the impact, preventing future incidents, verifying that an incident occurred, maintaining business continuity, and improving security and the incident response itself.
An incident response team within the organization handles the incident response plan. The team also needs other parties in the organization to help it, such as business managers, IT staff, the legal department, human resources, public relations, security groups, and audit and risk management specialists. Business managers make agreements with the team about its authority over business systems and about decisions to shut down critical business systems. IT staff help the team access the network for analysis and improve the security infrastructure when the team recommends it. Legal staff review non-disclosure agreements and determine site liability for computer security incidents. Human resources help to hire the team's staff and develop policies and procedures for removing internal employees. Public relations handle the media and develop information-disclosure policies. Security groups help the team solve computer-related issues. Audit and risk management help to analyze threats.
There are several steps in responding to an incident. First, the organization prepares its staff through training: they must be trained to respond to an incident quickly and correctly, and educated to update security regularly. The response team then identifies whether the event is a security incident or not, and can also gather information about current threats. The team identifies how far the problem has spread through the systems and decides quickly whether to shut down the affected systems to prevent further damage. Next, it finds the source of the incident and removes it. Finally, it restores the data from clean backups, monitors the systems, and upgrades them to prevent the same incident from recurring.
Mobile device security management
The mobile devices that staff use also need security, because they can hold pieces of company information: customer or staff data, or soft copies of reports or documents. Some IT staff need mobile devices such as PDAs or smartphones to work with business data. Mobile devices may look secure and free of viruses and malware, but they are not.
Mobile devices face several threats. An intruder can break into a device and extract its information over the wireless network using a wireless sniffer. Devices can also be stolen or lost, and if they are not protected by a password, information can easily be dug out of them. Fewer than 500 viruses, worms and Trojans for mobile operating systems have been found. Mobile viruses can be a major threat: some of them erase data, corrupt data or cause several other problems, and they can enter a device when an application is downloaded to it. One virus, called the "911 Virus", caused 13 million i-mode users' phones to automatically call Japan's emergency phone number. E-mail viruses affect mobile devices in the same way that they affect a regular PC, making the device send multiple e-mails.
There are ways to prevent these threats. The easiest is to put a password on the device, allowing only a few attempts before the device locks itself down. Encryption protects data exchanged over the wireless network from intruders. Backing up the data regularly to a PC guards against anything happening to the data on the device. Installing antivirus software and a firewall on the device helps to prevent viruses. An administrator can take control of a mobile device and wipe the data on a device that is missing or stolen.
Linking business objectives with security
Linking business objectives with information security can be an expensive and risky process, and it can create frustration on both sides. Several actions can improve the relationship. Reflect the business objectives in information security, that is, in the security policy, objectives and activities. Keep information security consistent with the organizational culture, since changing the business culture to suit information security is often not possible. Protect the information in business processes by establishing a security program. Follow information security standards; doing so makes staff, customers and clients feel that their data is safe. Increase understanding of the need for security: the security manager should explain its benefits in business terms so that everyone understands. Obtain management support and ensure that risk management is part of every employee's job description. Finally, use resources wisely, spending more of them when problems actually occur. With this plan, both the business and its security can improve and succeed.
Ethical issues in information security management
IT security personnel are given the authority to access data and information on individuals' and companies' networks and systems. They might misuse this authority, most often by intruding on someone's privacy: scanning employees' e-mail just for fun, diverting messages, reading others' e-mail or, even worse, blackmailing an employee. IT personnel can monitor the websites visited by network users and can even place key loggers on machines to capture everything that is displayed.
There are ethical issues called real-world ethical dilemmas, for example when IT security personnel happen to see company secrets and could print the documents and use them to blackmail the company or trade the information to another company. They may also come across a document showing that the company is doing something illegal. With such crucial information, the company is in danger, and so are the security personnel themselves.
There are also ways to stop people on the internet who want to intrude on users' privacy. One article described how its author, when visiting a website, saw an advertisement for an event taking place in his own area. He changed the location configured on his computer, and when he clicked the ad again it showed a different area, the one his computer was now set to. This kind of ad uses the user's IP address to track the user, so he concluded that hiding or masking the IP address with software lets users protect their privacy effectively.
One article discussed how IT security personnel should deal with sensitive information in the right way. The first thing to do is to check whether they have signed a non-disclosure agreement that requires them to protect information they overhear; if so, they must protect it. The second is to ask themselves whether the host company could reasonably expect them to hold such an overheard conversation in confidence. If so, they should not pass the overheard information on to anyone.
Security training and education
With so many organizations using the internet, many users, including unauthorized ones, can access and dig out information. Organizations need to train or educate their staff to protect the organization's information by building systems that secure it from unauthorized users. The Certified Information Systems Security Professional (CISSP) certification educates staff about how information security works, how to secure information, and how to keep it safe and secure.
Network security training enables staff to respond quickly to defend against attacks and apply countermeasures, and then to investigate the weaknesses of the systems. Protecting network security is not easy, which is why staff need to be trained. CISSP education covers database security, how intruders break into systems, and the right countermeasures for particular attacks.
A survey of intrusions at US companies found that unauthorized intrusions into their networks increased to 67% this year from 41% last year. The main causes of intrusions were hacker attacks, a lack of adequate security policies, employee web usage, viruses, employee carelessness, disgruntled employees, weak password policies, a lack of software updates and software security flaws. IT managers in the survey were also asked which intrusions would be the biggest risk in the future; they named viruses, spyware, Trojans, worms and spam as the biggest risks, followed by hacking, users uneducated about security, sabotage and loss of information.
QinetiQ North America's Mission Solution Group provides security education and training to users. Before training, it identifies each individual's required training objectives, then plans, develops and validates the training materials, conducts the training for the personnel and, at the end, evaluates the course's effectiveness.
Defending against Internet-based attacks
Internet-based attacks can be very damaging to a company; research found that companies lose an average of $2 million in revenue from internet-based attacks that disrupt the business. The 162 companies surveyed reported suffering, on average, one critical incident a year from worms, viruses, spyware or other security-related causes, and for each attack their systems were down for an average of 22 hours. These threats will grow as companies increase their use of the internet.
Defending against internet-based attacks can be done with intrusion detection and prevention systems, which detect an attack so that the company can quickly defend against it. An IDS looks for the characteristics of known attacks. An IPS can inspect the content of network traffic and block malicious connections. Wireless intrusion prevention monitors wireless networks, detects unauthorized access points and provides reporting and analysis. Basic tools such as firewalls and antivirus software can also be used, and there are many other tools for defending against these kinds of attacks.
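As an added illustration of the IDS and IPS behaviour described above (example code written for this page, not taken from the essay or from any product), the following Python script scans constructed web-server log lines for two well-known attack characteristics and then blocks a source address once it has matched enough signatures. The log lines, addresses, signature patterns and the `block_after` threshold are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of web-server access log lines: "<source> <method> <path> <status>".
# Addresses are from documentation ranges; the requests are invented for the example.
SAMPLE_LOG = """\
203.0.113.5 GET /index.html 200
203.0.113.5 GET /images/logo.png 200
198.51.100.7 GET /../../etc/passwd 404
198.51.100.7 GET /search?q=shoes 200
192.0.2.9 GET /login?user=admin'%20OR%20'1'='1 200
203.0.113.5 GET /about.html 200
198.51.100.7 GET /cgi-bin/../../../../etc/shadow 404
198.51.100.7 GET /robots.txt 200
"""

# Signatures: the "characteristics of known attacks" an IDS keeps. Both patterns
# are textbook examples (directory traversal and a SQL tautology in a parameter).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(
        r"(?i)'(?:%20|\s)*or(?:%20|\s)+'?1'?(?:%20|\s)*=(?:%20|\s)*'?1"
    ),
}


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, method, path, status = parts
    return {"src": src, "method": method, "path": path, "status": int(status)}


def detect(line):
    """IDS step: return the names of every signature matched by one log line."""
    rec = parse_line(line)
    if rec is None:
        return []
    return [name for name, rx in SIGNATURES.items() if rx.search(rec["path"])]


def run_ips(log_text, block_after=2):
    """IPS-style pass over the log.

    Every signature hit produces an alert (src, signature, path). Once a source
    has accumulated `block_after` hits it is added to the block set, and its later
    requests are recorded as dropped instead of being inspected further.
    """
    hits = defaultdict(int)
    blocked = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in blocked:
            alerts.append((rec["src"], "dropped", rec["path"]))
            continue
        for name in detect(line):
            alerts.append((rec["src"], name, rec["path"]))
            hits[rec["src"]] += 1
        if hits[rec["src"]] >= block_after:
            blocked.add(rec["src"])
    return alerts, blocked


if __name__ == "__main__":
    found, blocked_sources = run_ips(SAMPLE_LOG)
    for alert in found:
        print("ALERT", *alert)
    print("blocked:", sorted(blocked_sources))
```

The detection step alone only reports, which is the IDS role; the block set is what turns it into prevention, and the threshold is where a real deployment would tune against false positives.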
Industrial espionage and business intelligence gathering
Governance issues in information security management
Security governance is the system that directs and controls information security. Governance itself means setting the objectives of the business and ensuring that they are achieved.
There are several examples of governance issues. The CEO of HealthSouth Corporation faced more than 85 counts, including fraud and signing off on false corporate statements that overstated earnings by at least US$1.4 billion; the company's senior vice president and CIO, along with 15 others, pleaded guilty. Another incident involved an Ohio-based company that handled payroll and other human resources functions on a contract basis; it went bankrupt, leaving its 3,000 staff without paychecks, and its client list was reportedly sold.
Personnel issues in information security
Personnel security focuses on employees, through policies and procedures that address the risks of employees accessing company information and prevent them from taking it. Threats to an organization come not only from outside but also from inside, and insiders can cause severe damage and cost.
There are ways to prevent this. Pre-employment checks verify whether candidates hold the qualifications required for employment, and whether they have revealed important information about themselves. National Security Vetting determines whether a candidate is suitable to be given access to sensitive information that could be valuable to a rival company; it is usually part of the pre-employment checks.
Each of the roles involved in personnel security also has its responsibilities. The Director publishes and maintains policy guidelines for personnel security, decides the security access requirements, and ensures that all employees have had background checks and training. The Information Security Officer prepares the personnel security policy, monitors it, and ensures that all staff are trained in their computer security responsibilities. The Supervisor discusses the security requirements with users, monitors the policy, ensures that all staff are trained in their computer security responsibilities, informs the ISO when a staff member's access needs to be removed, and tracks staff accounts as they are created or deleted. The System Security Officer monitors compliance with the security policy, has the authority to delete a system password when the employee no longer needs access, and tracks users and their authorizations. Users need to understand their responsibilities, use the information only for permitted purposes, and respond quickly by informing the supervisor if an intruder has accessed the data or the information has been abused.
Privacy issues in the company are also personnel issues. The organization is responsible for the privacy of its staff, because all staff records are kept by the organization. Personnel records may not be seen by other staff or by outsiders without the record holder's permission. Social Security Numbers must not be used as private passwords such as e-mail passwords. Eavesdropping must be limited: eavesdropping on telephone conversations and voicemail is not allowed. Monitoring is allowed as long as its purpose is to keep employees working, and employees must be informed in advance that they will be monitored. Medical records and background information are confidential; no one other than the holders themselves may access them without permission.
Physical security issues in Information security
Physical security focuses on protecting information, personnel, hardware and programs from physical threats. Threats that can cause great damage to the enterprise or the building, such as natural disasters, vandalism and terrorism, also need to be considered in physical security. Physical security can be breached by a non-technical intruder.
There are many ways to protect against physical threats. Security can be hardened by placing difficult obstacles in the intruder's way, including multiple locks, fencing, walls and fireproof safes, and by installing surveillance such as heat sensors, smoke detectors, intrusion detectors, alarms and cameras. Several key areas need attention. In facility security, they are entry points, the data center, user environments, access control and monitoring devices, guard personnel and the wiring closet. For company staff and visitors, the focus is on control and accountability, use of equipment, awareness and compliance with security procedures. Workstations, servers, backup media and mobile devices need to be protected, and the control, storage and disposal of information also need attention.
Physical security is also an issue for the hospitality industry, which includes resorts, hotels, clubs, hospitals and many other businesses. The physical threats that occur in these businesses are mainly theft, followed by assault, burglary, auto theft, robbery and sexual assault. Experiencing such threats can cause poor public relations for these businesses.
Companies such as IBM also offer physical and IT security. IBM Internet Security Systems (ISS) products secure the IT infrastructure with threat and vulnerability management, enabling business continuity and cost-effective processes. IBM integrates video surveillance and analytics technologies; its products can reduce the time and cost of collecting and storing video and enable analysis of surveillance data. IBM also provides products for intrusion prevention, mail security (protection of the messaging infrastructure), and security intelligence that provides information about the threats that can affect the network.
Cyber forensic incident response
One of the primary objectives of an incident response plan is to contain the damage, investigate what happened, and prevent it from happening again in the future. This is much the same as computer forensics, which also aims to reduce the damage and investigate its cause. Understanding how data is accessed and stored can be the key to finding evidence that someone has tried to hide, erase or destroy. The investigator needs to take care of the evidence, making sure that it is not lost, destroyed or changed.