Abstract
Information is a very important ingredient of any organization. This is because no business can operate without it. In the current business environment whereby the computer has interconnected businesses and transactions are no longer carried out through paperwork, information system has become a very important part of an organization.
Therefore the management of information should be one of the priorities if the organization is to be successful. However, the concern for information security has also risen in the recent past. In some business the need to protect information assets has even surpassed that of physical assets. This is so because any business in the current information environment that intends to be competitive and sustain growth must be ready to develop and exploit as well as protect its information assets.
Information Security Needs of an organization
Information security needs of an organization refer to reasons why an organization may find it necessary to have information security and control. They are as follows: To protect the functionality of the business because when operations are interrupted, costs that could otherwise have been avoided are incurred.
Organizations need to have a system that ensures that operations are carried out smoothly which means there are no interruptions and work also goes according to plan. As such, the general manager and the IT managers need to design and implement an information system that cuts out intruders as well as human error that might interrupt operations (Whitman & Mattord, 2008)
Secondly, an organization needs to ensure that its operation applications are safe. These applications include electronic mail, operating system platforms as well as instant messaging. The laws governing information security award damages to the plaintiff and these damages are at times punitive.
Therefore any organization needs to ensure that its information system cannot be used to infringe other peoples’ rights as this ends up costing the organization. This means that all information system applications need to be assessed to ensure that they do not pose a security threat to users (Whitman & Mattord, 2008).
Thirdly, there is the need for safeguarding technology assets in order to sustain growth. As an organization grows it needs to come up with secure software and infrastructure that helps it to sustain that growth. For instance an organization may develop innovations that help it to have an edge over its competitors.
As such, its networks must grow to be able to accommodate its changing needs otherwise the competitors will easily have access to its new technologies and use them to outdo the company. Some of the measures that can be taken to shield an organization from its competitors include protection of manufacturing procedures, chemical formulae and technological innovations (Kouns & Minoli, 2010).
Fourthly, there is the need to protect data that is used by organizations. An organization cannot plan effectively and deliver value to clients if it losses its record of transactions.
Any business entity, government agency or any other institution that is operating in the modern business environment, where responsive services depend on information systems to provide support to transactions, must protect its data. For that data to be reliable, the management needs to ensure that the processes of collection, storage and usage cannot be interfered with. Otherwise the decisions made will not be effective or even beneficial to the organization (Kouns & Minoli, 2010).
Types of threats involved in the management of information security and appropriate control measures
Threats refer to any entity – person or object – that poses a security risk to an organization’s assets. There are various threats that face information, systems or people of an organization. This means that the management needs to be aware of transport, processing and storage systems that need protection from threats.
For instance, when an organization connects to the internet then threats that originate from the external sources are bound to increase. There are various categorizations that show the types of threats and what in the organization is faced by that threat. However, each organization needs to find out the priority threats that it needs to deal with. The prioritization will depend on the security situation of its operating environment, the exposure levels of its assets and its risk strategy (Whitman & Mattord, 2008).
The categories of threats include acts of human error, which refers to acts done without malicious intentions. People are likely to do mistakes when using information systems. This may be due to inadequate training, making of assumptions that are incorrect or even working under fatigue.
Employees feature among the greatest security threats because they use organization’s data on a daily basis hence making them the closest threat agents. This means that their mistakes can undermine the integrity, availability as well as the confidentiality of data. Their mistakes can also pose a threat to the organization or to outsiders. For instance they can accidentally reveal classified information, delete or even modify data (Whitman & Mattord, 2008).
Most of the mistakes can be prevented by carrying out continuous awareness activities, training and also setting up controls. The controls can range from the requirement that a user types an important command twice to the requirement that a particular command be verified by a second party. The second category of threat is debate act of trespass.
This refers to an act where an unauthorized individual intentionally gains access to an organization’s protected information. Although some information gathering techniques are acceptable, some information gatherers use techniques that are beyond the legal or ethical threshold. Some of these attacks can cost the firm financially or dent its reputation with clients.
This threat can be prevented by putting up controls that notify a trespasser whenever they try to access unauthorized areas. Valuable information and systems can also be protected by using sound authentication and authorization principles. Such controls use multiple factors or layers to prevent the unauthorized users from gaining access (Alberts & Dorofee, 2002).
Forces of nature or acts of God are another form of threats. These types of threats are very dangerous as they usually take place with little on no warning at all. They can interfere with data storage, its transmission or even its usage. They include the following: fire, which can burn down the building that houses part or all of the information system. Secondly, there is floods which refers to water that is overflowing to areas that are expected to be dry under normal circumstances.
This can end up destroying part or all of the information system. It can also prevent access to the building that houses the system. Thirdly, there is earthquake which refers to an abrupt shaking of the earth’s crust as a result of the volcanic activity below the earth surface. This directly affects the system as it can destroy part or all of the system, as well as the building where the system is housed (Vacca, 2009).
Lastly, there is lightening, which refers to a sudden natural electric discharge within the atmosphere. This also has a direct effect on the system as it can destroy part or all of the system or its power components. All these risks cannot be controlled per se; however they can be mitigated by purchasing insurance policies that address each of the insurance risks (Vacca, 2009)
A software attack is another information security threat and it involves an individual or group coming up with a malicious code or malicious software to attack an organization’s information system. These programs are designed in such a way that they can damage the target systems or even deny access.
They take various forms which include viruses, which are software that attach themselves on other programs and can destroy the system when activated. Viruses can be controlled by using anti-viruses which prevent them from accessing a computer system. Secondly are worms, which are able to replicate themselves several times such that they fill the computer memory. Anti-viruses can also be used to control them as they are capable of detecting them and inhibiting their performance (Vacca, 2009).
Technical hardware failure is another type of threat whereby an organization purchases equipment that has a defect from a manufacturer. The defect can be known or unknown. Such flaws can result in unexpected performance of the system such as unreliable service. These can therefore lead to losses to the organization, some which are irrevocable.
The best control measure is to ensure that the organization purchases from reliable vendors who can offer products with guarantees as well as quality products. However, it is also important that regular check ups and service be done to the equipments so as to be able to detect defects in advance and correct them (Vacca, 2009).
Risk management
Before defining risk management it is important to define the key terms that make up its definition. Threat: refers to any event, object or circumstance which has the possibility and capability of adversely affecting an organization’s asset, through destruction, denial of service or unauthorized access.
Vulnerability: refers to the “existence of a weakness in design or implementation or an error that can result in undesirable or unexpected event that may compromise the security of the information system” (Alberts & Dorofee, 2002 p. 28). Therefore, risk management is a process whereby vulnerabilities as well as threats and potential impacts that are as result of security incidents are evaluated against safeguard implementation costs (Alberts & Dorofee, 2002).
Risk management strategies are developed and implemented so as to reduce adverse impacts and to provide a framework that can be used to make consistent decisions concerning the options of risk mitigation. Risk management is broadly divided in to two phases: the first one is risk assessment which involves identifying threats and assessing the possibility and ability that the threats can exploit some vulnerability of the organization as well as the impact in the event that the threat happens.
The other stage involves risk treatment; where an organization responds to the risks identified earlier. Risk management is important to the organization because it helps the management to determine the protection needed by various assets at the most efficient cost. Investment in risk management is beneficial both now and in the future and to everyone that deals with the organization (Alberts & Dorofee, 2002).
Risk Assessment
This process has various stages which include: first identification of assets where the assets of the organization are identified and their value is determined. Secondly, there is threat identification and assessment of threats. This involves identifying the categories of threats and the adversaries that pose the threats as well as their motives.
Such threats can be terrorists who want attention, political activists fighting for some rights or disgruntled employees who feel wronged by the company. The next step in assessment of threats is determining the adversary’s capability, how frequent the threat can occur and the extent of damage it can cause on the related asset (Kouns & Minoli, 2010).
When documenting the adversaries it is important to consider technical and human capabilities as well as their modes of operation. These include even those parties that are able to cooperate with them as well as how easy they can communicate with them. Being that threat is the most difficult to assess, it is important that both facts and assumptions are recorded.
Lastly there is the determination of vulnerability level of each of the assets that need protection. Here an in depth knowledge of the capabilities of countermeasures that an organization has is important. As a result an appropriate scale can be developed for measuring (Kouns & Minoli, 2010).
The third stage of risk assessment is analytical risk management. Here the threats and vulnerabilities are evaluated in regard to the respective assets so as to provide an expert opinion on the possibility of loss and the impact as guideline for action. In order to asses the risk effectively and to determine what to prioritize in asset protection one should do the following: first, estimate what level of impact the undesirable events have compared to each target asset.
This involves reviewing the impacts based on the information acquired on vulnerabilities and threats. As a result the ratings can either increase or reduce (Calder, Watkins & Watkins, 2010). Secondly, estimate how likely an attack can happen from the potential threats. This involves evaluating the adversary’s capabilities, his intentions and other details of their history.
After this, rating is done to determine the most and least likely threat. Thirdly, estimate the probability that a given vulnerability will be taken advantage of by a given threat. Here a review is done on the vulnerability ratings that were done previously. Armed with information from all the ratings done, an overall level of risk of the information system is done. As a result suggestions of measures to be taken are made (Calder, Watkins & Watkins, 2010).
Risk Treatment
This is the ultimate goal of risk management as information from the assessment stage is used to determine the appropriate treatment measures that will be implemented. There are various options available in treating risk. It can be reduced, avoided, accepted or even transferred.
However a combination of more than one option is also possible. There are various factors that determine which options to pick and these include the cost incurred each time the event associated with the risk happens, the expected frequency with which it will happen, the attitude of the organization concerning risk, availability of resources and the current priorities of the organization concerning technology (Roper, 1999).
When an organization chooses to reduce risk, it will have to choose whether to reduce the chances of occurring or reduce the chances of the adversary exploiting vulnerability or even reduce the effect of the threat should it successfully occur. The organization can also choose to accept the risk when reducing is not possible.
This includes lack of appropriate measures to be implemented, whose costs outweigh the losses to be prevented. In cases where the risk cannot be reduced to acceptable levels it can be transferred to a third party, for instance to an insurance firm by buying a policy to protect the property against the threat (Roper, 1999).
Risk avoidance is another option, whereby the firm chooses to avoid all business dealings that are associated with the risk. After identifying the risk treatment decisions to use, the next step is implementing the decisions. This is later followed with monitoring and reviewing stage, which is a continuous process as long as the organization is in operation.
However, risk cannot be eliminated completely and instead it can only be minimized to acceptable levels. What remains after minimization is referred to as residual risk. There are chances that the residual risk can grow to unacceptable levels and this shows another importance of monitoring and reviewing (Roper, 1999).
Importance of information security and control management
Research has shown that most managers as well as employees do not regard information as a primary priority particularly because it seems not to have a direct impact as effectiveness and efficiency.
This calls for training to create awareness on its importance and its roles. Different levels of management should be given specialized training on the relevance of information security in their level. Then the link between the training and the organization needs at each level should be established. In addition the training should be customized to focus on specific security issues (Isaca, 2010).
An organization’s failures related to security can really be costly to a business. These costs can be recovery costs or even reputation costs. When an organization’s system is easily accessed by intruders, it ends up losing confidence from the public. As a result customers will be reluctant to deal with them. Therefore it is important that an organization invest in designing and development of effective information system.
This calls for an organization to develop an information security policy which defines its information system as well as the access to its information property. It also explains the control measures that are appropriate for the organization. As a result the company increases its efficiency in managing its information assets (Kadam, 2002).
In addition, an information system that has effective security and control measures in place can be an area of competitive advantage to an organization. This is because in such a system customers’ and suppliers’ documents will not be lost or be destroyed. Particularly because access to the system is controlled and incase part or all of the system is destroyed, back ups are available.
Stakeholders are therefore attracted to such an organization as they feel that their documents will be secure. On the other hand the organization is able to plan how to better meet the stakeholders’ needs using the reliable information (Kadam, 2002).
Conclusion
Every organization has a need for information security and control. Therefore, when designing and implementing the information system the management must ensure that it meets those needs. An assessment of the organization should be done to find out the needs and get information that will help in addressing the needs effectively.
The assessment includes assessing the assets of the organization, the threats it is facing and its vulnerable areas. As a result the organization becomes equipped with adequate information that can help it come up with effective treatment decisions and in the end these decisions are implemented. In addition, the system should be monitored and evaluated continuously to ensure that the system is actually meeting the objectives which it is meant to.
References
Alberts, C. J. and Dorofee, A. J. (2002). Managing information security risks: the OCTAVE approach. Upper Saddle River, NJ: Pearson Education.
Calder, A., Watkins, S. and Watkins, S. G. (2010). Information Security Risk Management for ISO27001/ISO27002. Cambridgeshire: IT Governance Ltd.
Isaca. (2010). CISA Review Manual 2011. Rolling Meadows, IL: ISACA.
Kadam, A. (2002). Why Information Security is important for your organization: Network Magazine. Web.
Kouns, J. and Minoli, D. (2010). Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams. Hoboken, NJ: John Wiley & Son.
Roper, C. A., (1999). Risk management for security professionals. Burlington, MA: Butterworth-Heinemann.
Vacca, J. R. (2009). Computer and information security handbook. Burlington, MA: Morgan Kaufmann.
Whitman, M. and Mattord, H. J. (2008). Principles of Information Security. Boston, MA: Cengage Learning EMEA.