Information security is one of the most crucial issues any enterprise running internet banking system should consider. The role of corporate security manager (CRM) is to ensure that the essential practices are applied to secure the company-sensitive information and data. In addition, it is the objective of the CSM to address the training needs of the company’s employees regarding the security measures.
Potential Threats
The possible menaces are linked with computers and telecommunications utilized in the company and other digital devices that carry important data of the company, clients, and so on. Such means as private unit exchanges or cellular phones should also be considered in terms of security (Fennelly, 2012). In that matter, the company might lose its valuable assets if the information system, which transfers, stores, operates, and presents the corporate information has not been secured properly.
Types of Information
It is essential that the CSM is aware of the major information types of the firm that require deliberate protection. There are three main categories to consider:
- company’s internal use only data
- company’s private data
- company-sensitive data
The first category includes such essential sources as regulatory documentation and corporate organizational charts. Telephone books can be added to this type of information as well. The second category covers personnel-sensitive information. For instance, medical records of employees, event calendar or remuneration information. The third type involves cost data, important hi-tech or IT developments and so on (Fennelly, 2012). Apart from that, it is necessary that such corporate documentation as researches and proposals or product details are protected from leakage or unsanctioned access. Overall, any information of financial, technical, and scientific character should be taken into consideration. Moreover, any materials (printed, photocopies, electronic) require security measures to take.
Value of Information
Notably, the CSM should define several criteria to understand whether a particular type of information has value. Initially, the manager has to evaluate how costly is the information and what amount of money will be needed to produce it. Then, it will be possible to determine the expenses if it has to be replaced. After that, it can be defined if this information is irreplaceable and whether the competitors benefit from obtaining this information or not. However, in cases when the law requires the protection, it is essential that the company complies with it (Fennelly, 2012).
In the current case, a brand new program has been introduced to store the data safely. If the information costs 2000 USD (presumably) including all the expenditures for personnel, records, and software while the use of it costs 100 USD, and the benefit for the company will be 4000 USD, the value can be calculated as follows:
Cost over three years = $2,000/3=$667
Cost of yearly utilization = $100×12=$1200
Yearly cost = $1867
Information Value = $4000 per year (quantifiable)
Total value: $4000+nonquantifiable agents
Thus, 1867 USD (yearly cost) is less than $4000+nonquantifiable agents -> cost is less than total value.
Tools to Protect Information
To protect the company’s data and information, it will be advisable to use a new security organization. For instance, Information Assurance and Protection Services (IAPS) is an approach that many corporations have applied successfully (Fennelly, 2012). Its aim is to track both unintentional and intentional violations in the system. The proposed security organization considers the four comprehensive domains, which are nonrepudiation, confidentiality, availability, and integrity.
Staff Training
Prior to the actual staff training, the employees should be knowledgeable of the information types that are considered a trade secret. The asset protection regulations should be provided and coordinated with the workers, and the relevant policies should be explained holistically. However, it is necessary that the security unit assists the staff members throughout the working process uninterruptedly. Regarding the training, the staff will be instructed on IAPS and on the procedures that are essential to follow (Fennelly, 2012). In addition, the employees should be well aware of the measures to protect the information without limiting the access to it when needed. Importantly, the IAPS training should include hardware and software evaluation in terms of IAPS compliance.
Reference
Fennelly, L. (2012). Handbook of loss prevention and crime prevention (5th ed.). New York, NY: Elsevier.