Abstract
Organizations must put control measures in place to protect their information systems from being accessed by unauthorized individuals. The top-level management of the organization must devise security mechanisms and policies. This enhances the effectiveness of such policies since it enables the organization to engrain them in the organizational culture. Organizations also use other security mechanisms, such as passwords, that are secret and recognize single users only.
However, passwords are not fully effective in protecting systems from being hacked. Passwords can be guessed or tampered with to allow access by non-authorized persons. The best alternative for security is for organizations to adopt a combination of measures. The measures include use of passwords and security questions to ascertain authenticity. Security measures must be revised constantly to provide full surety to the organization that its data is safe from any interference.
Introduction
Information communication technology is increasingly becoming a critical aspect for integration in organizations and businesses. The technology increases reliability in performance and enhances the speed of communication within organizations. However, IT can turn out to be a big security risk for organizations.
Access of data and other sensitive information about the firm by unauthorized persons poses a great danger to the organization and the closely held business secrets and practices. Thus, the issue of security for IT is important for all organizations to take charge and responsibility. This paper seeks to discuss how firms can develop information systems security and the necessary resources for information security.
How to initiate information security policy
Companies often employ a set of rules, practices, standards, as well as procedures to maintain security of their IT systems. This reflects an organization’s information security policy. An information system’s security policy requires proper drafting for it to be more credible. The development of a security policy on information acts as the initial step in preparing against internal and external attacks.
Top-level management support is a critical factor in policy development. Administrators and users must receive education about the system to avoid bad judgments. An organization should incorporate its policy into the organizational culture to get employees to observe the information security policy.
There are two major issues for organizations to observe when developing their Enterprise Information System. These include adapting the users to the system and getting the involvement of users through soliciting their input on ways of advancing the system.
Developing employee awareness
There is the risk of organizations losing their data and information to outside bodies. The first mechanism in averting such a crisis is by educating the workers. Organizations can achieve this by using awareness-raising initiatives such as emails, mouse pads, pamphlets, discussion groups, and formal presentations. Employee awareness is the first step for organizations willing to secure their data.
Education of employees begins with information security training, as well as management support. Training increases security awareness and participation of the workers. Employees who have enhanced understanding of likely consequences concerning security breaches will offer greater protection and understand clearly how to combat the breaches. The input of the top-level management is particularly important as it gives direction on the corporate decision.
Governing access control
Employee access to information ought to be limited for security reasons. Companies undertake this process to allow workers to gain access only to information that is relevant to them. One mechanism used by companies to achieve this objective is referred to as Role Based Access Control (RBAC). This system limits employees’ access by permissions, users, constraints, and roles. The organization arranges employees according to their roles and profiles in order to determine which employees can access specific information about the organization.
Companies must take the critical step of monitoring user access and detect any unauthorized access to data that is categorized as high risk. Security mechanisms should not only dwell on the IT system alone, but also extend to other physical aspects such as proximity.
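The following is an added example, not code from the essay or from the articles it reviews, showing how the four RBAC elements named above (users, roles, permissions, constraints) fit together, and how a denied attempt on high-risk data is recorded for the monitoring described in the previous paragraph. The roles, data categories, conflicting-role pair and users are constructed for illustration.

```python
# Minimal role-based access control with a separation-of-duty constraint and an audit log.
# All roles, permissions, data categories and users below are constructed sample data.

# Permissions are (resource, action) pairs granted to a role, never to a user directly.
ROLE_PERMISSIONS = {
    "finance_clerk": {("ledger", "read"), ("ledger", "write")},
    "hr_analyst": {("personnel_file", "read")},
    "auditor": {("ledger", "read"), ("personnel_file", "read")},
}

# Constraint (assumed policy): a user may not hold both roles of a conflicting pair,
# so the person who writes the ledger cannot also audit it.
CONFLICTING_ROLES = {frozenset({"finance_clerk", "auditor"})}

# Data categories treated as high risk: every denied access to them is logged for review.
HIGH_RISK = {"ledger", "personnel_file"}


class RBAC:
    def __init__(self):
        self.user_roles = {}   # user -> set of roles
        self.audit_log = []    # denied high-risk attempts, in order

    def assign_role(self, user, role):
        """Grant a role to a user, rejecting unknown roles and constraint violations."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        current = self.user_roles.setdefault(user, set())
        for pair in CONFLICTING_ROLES:
            if role in pair and (pair - {role}) & current:
                raise ValueError(f"{user}: {role} conflicts with {sorted(current)}")
        current.add(role)

    def is_allowed(self, user, resource, action):
        """A request is allowed if any of the user's roles carries the permission."""
        roles = self.user_roles.get(user, set())
        return any((resource, action) in ROLE_PERMISSIONS[r] for r in roles)

    def access(self, user, resource, action):
        """Evaluate a request and record denied attempts against high-risk data."""
        allowed = self.is_allowed(user, resource, action)
        if not allowed and resource in HIGH_RISK:
            self.audit_log.append(f"DENIED user={user} resource={resource} action={action}")
        return allowed


def demo():
    """Run a small scenario and return (decisions, audit log) for inspection."""
    rbac = RBAC()
    rbac.assign_role("ana", "finance_clerk")
    rbac.assign_role("ben", "auditor")
    decisions = {
        "ana writes ledger": rbac.access("ana", "ledger", "write"),
        "ben reads ledger": rbac.access("ben", "ledger", "read"),
        "ben writes ledger": rbac.access("ben", "ledger", "write"),
        "ana reads personnel_file": rbac.access("ana", "personnel_file", "read"),
    }
    return decisions, rbac.audit_log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The audit log is what the monitoring step in the text consumes: a reviewer looks for users who repeatedly hit denials on high-risk categories outside their role, which is the signal that either a role is mis-assigned or someone is probing.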
Employees’ seating arrangement, for instance, may provide an opportunity for workers to read data being worked on by a colleague with whom they share an office. Organizations can address this concern by organizing seating such that any chance of unauthorized personnel peeping at such details is contained.
Getting support from the upper echelon management
The top-level management’s role is to ensure that information system security remains engrained within the corporate culture. This is important because support from top management enhances the preventive efforts made. Globalization is increasing the threat of organizations losing critical information through theft.
Information security decisions must squarely lie with the top-level management to manage the IT department properly. The management must handle aspects such as methods of implementing a security policy, where awareness-training programs for employees should take place, and how such trainings should be done.
The corporate governance of the information security ought to begin from the top to increase the chances of efficiency. A conceptual model for Enterprise Information System security (EIS) needs to protect the four critical pillars of security policy, access control, security awareness, as well as the top-level management support (TLMS).
Figure: Enterprise Information System Security. Source: Chaudhry, Chaudhri and Reese.
The decisions made by the management of the company come from the base of the whole system, enabling it to dictate its stability. The pillars that rest on the foundation also support the roof. The four pillars represent the different processes that the management and other top decision-making organs of the organization choose from in order to implement and make the system secure. All the four pillars contribute towards making the enterprise information system more secure. Eliminating any of the columns is dangerous as it ends up affecting the security of the whole system.
Information System Resources
There are three major subsets of information systems resources: information technology resources (ITR), relationship resources (RR), and IS infrastructure (IIS). ITR reflect the IS expertise possessed by the focal firm. Further, ITR comprise two distinct capability sets: IT-business alignment capabilities (IBAC) and IT technical capabilities (ITTC).
RR is the extent to which an information department establishes a sense of collaboration with various functional units, such as finance or production. It also refers to the extent of collaboration with business partners such as suppliers and customers. RR has two dimensions of internal and external relationship resources; that is, the INR and EXR.
IIS is the collection of IT-based assets on which the different business applications and services are developed. It comprises the management and technical architectures that support the focal organization in developing its information security.
Information Technology Resource (ITR)
The IT department requires knowledge about different computer languages to apply them in order to develop systems that optimize the organization demands. This offers the IT department greater capability to run the organization’s information systems effectively.
Systems are growing in complexity and functionality and, thus, organizations must in turn develop the skills to match these growing complexities in order to benefit fully from the advantages that come with the new systems.
As Kuo-chung and Chih-ping further point out, it is also critical to develop a capability in diagnosing systems problems. This capability provides the IS personnel with knowledge on analyzing the actual depth and scope of the specific problems that afflict the system. It, thus, offers an avenue of searching for appropriate solutions of the identified problems during system breakdowns.
IBAC refers to the knowledge on how to align the IT strategy with the existing business strategy. This can be done through the IT department outlining the IT strategies, plans, as well as technical investments, and implementing the IT technical architecture.
In addition, an IT department with high IBAC enjoys a deeper understanding of the business processes together with the organizational goals. This business knowledge provides the IT department with the expertise to develop highly effective IS strategies, as well as to provide information services that accurately fit the organizational needs.
IBAC equally signifies the potential ability of firms to identify and employ emerging information technologies as a way of transforming the organization to achieve competitive advantages. It may also enable a change in the structure of the industry in which the focal firm is situated.
Relationship Resources (RR)
RR comprises the internal relationship resources (INR) and the external relationship resources (EXR). The former portrays the working relations that exist between the IT department and other departments in the same organization.
The EXR, on the other hand, portrays the working relation between the IT department of an organization and the organization’s existing business partners who are external, such as the suppliers and customers. This structure provides an avenue for social exchanges that exist between the firm’s IT department, on the one hand, and its various clients on the other hand. This results in achieving closer ties and developing mutual trust together with respect. This relationship, in turn, creates stronger bonding that allows the parties to share a common view and work towards achieving the objective easily.
Partnership between the IT and its clients also enhances the sharing of responsibilities between partners and contributing resources to achieve the common goal. Greater mutual coordination is easily achieved as a result of the good relationships, allowing adjustments that consider the counterparts’ needs to be undertaken.
One major benefit of the close interrelations is the containment of disputes. Even in instances where the disputes arise, it is easier for a resolution to be worked out between the parties because of the close ties in their working. Mechanisms for resolving any likely disputes have been developed well in advance.
IS Security Infrastructure
IS security infrastructure offers a perspective beyond the technical issues that affect an organization, since it also involves the management of an IS architecture in order to achieve greater results. The IS technical architecture (ISTA) concerns various IT-based assets, including software and hardware, which protect information systems from security-related breaches.
The framework is made of seven components that include “information transmissions, access control, access rights authentication, encryption and decryption”. It also involves log analysis, malicious protection, storage and backup. The IS management architecture (ISMA) concerns the rules, as well as the regulations that are established by the organization in order to manage and offer control to its information system as far as issues on security are concerned.
The management mechanisms offer various precepts that control individual behaviors so that they can be in tandem with the information security requirements of the organization. In particular, they outline all the roles as well as the responsibilities that individual employees are required to follow in order to protect the information from being accessed by unauthorized personnel.
Security and Safety Measures: Students’ Familiarity and Actual Practice
Password
Systems are often protected from unauthorized access using passwords. This system protection mechanism involves “must-remember sensible” or “non-sensible” combination of characters that make up the alphabet or numerals. Such characters or numerals must be entered in their exact appearance as originally done in order for a user to gain access to the system.
Passwords can be considered either simple or sophisticated. Simple passwords are those that can be remembered easily and may be guessed without much difficulty. Such passwords are also ‘non-hacker proof’, meaning that hackers may easily tamper with the system using such passwords. Sophisticated passwords, on the other hand, may not be easily hacked by malicious people. They comprise both letters and numbers and sometimes may also include special characters.
Generally, passwords can be attacked algorithmically, for example by automated guessing, in efforts to gain access to protected data. A password is also a self-certifying means of identification that requires conscious effort to recall. In this regard, passwords are generally imperfect and can be strengthened by using human characteristics instead to help in identification.
Organizations need to make a more complicated process of selecting a password to ensure that the passwords or their pre-registration questions are not easy to guess. This would make the passwords tamper-proof and enhance the confidence of clients. However, this system has a disadvantage in the sense that answers to some easy questions may also be easily guessed by other people with malicious intents.
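As an added example (not from the essay or the reviewed articles), the block below turns the simple-versus-sophisticated distinction above into a check an organization could run at password-selection time, estimates the size of the guessing space a password presents, and applies the same "is it easily guessed" test to the answers of pre-registration security questions. The common-password and common-answer lists are constructed samples, and the length and character-class thresholds are assumptions about a particular organization's policy.

```python
import math
import string

# Constructed sample of passwords that automated guessing tries first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Constructed sample of security-question answers that are trivially guessable.
COMMON_ANSWERS = {"blue", "red", "pizza", "fluffy", "mom", "dad"}

# Assumed policy thresholds.
MIN_PASSWORD_LEN = 8
MIN_ANSWER_LEN = 6


def charset_size(pw):
    """Size of the alphabet an attacker must cover, based on the classes actually used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def guess_space_bits(pw):
    """log2 of the number of candidates a brute-force guesser must cover at most."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def classify_password(pw):
    """Return 'simple' or 'sophisticated' using the essay's description of each class:
    sophisticated passwords mix letters and numbers (and sometimes special characters)
    and are not on a common-password list; everything else is simple."""
    if pw.lower() in COMMON_PASSWORDS:
        return "simple"
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if has_letter and has_digit and len(pw) >= MIN_PASSWORD_LEN:
        return "sophisticated"
    return "simple"


def security_answer_ok(answer):
    """Reject pre-registration answers that others could guess as easily as a weak password."""
    cleaned = answer.strip().lower()
    return len(cleaned) >= MIN_ANSWER_LEN and cleaned not in COMMON_ANSWERS


def evaluate(pw, answer):
    """Combined selection-time check returning a small report."""
    return {
        "password_class": classify_password(pw),
        "guess_space_bits": round(guess_space_bits(pw), 1),
        "answer_ok": security_answer_ok(answer),
    }


if __name__ == "__main__":
    print(evaluate("summer", "blue"))
    print(evaluate("Tr4vel-Ledger9", "Harbour Street 1987"))
```

The guess-space figure makes the page's point concrete: a six-letter lowercase password presents at most about 28 bits of work, while a fourteen-character mixed password presents over 90, which is why the two classes behave so differently against algorithmic guessing.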
Security problems and the related pervasiveness
Students do not keenly take the required precautions when it comes to protecting their passwords. In most cases, students are seen to take the risky step of showing others their passwords yet the passwords should be secret. Although such practices may not be as grave in social engineering circles, they are dangerous when it comes to computer systems.
Organizations are awake to the risks that privacy invasion brings. Surprisingly, firms still do not heed the need to use technology to reinforce privacy. The CSI/FBI Computer Crime and Security Survey indicates that “there has been an increase in security incident reporting from 20% to 25%.”
Some companies object to reporting of security breaches citing the likelihood of the public losing trust with the organization. The public may end up viewing the organization as an imperfect persona. It may also influence the clients into instituting legal action against the organization. Clients may view this as negligence on the part of their organization to institute proper breach-control mechanisms, and use this as reason enough to incite other clients against trading with the company.
According to numerous studies conducted to ascertain the aspect of system security, simple passwords are preferred by up to 69% of individuals for security purposes. The users are extremely familiar with such passwords and actually use them on a daily basis as they access their computer systems. On the other hand, up to 64% of system users use such simple passwords more than half (50 percent) of the time.
From these findings, it is possible to deduce that knowing a simple password often translates into making use of it. Complex passwords are preferable to simple passwords in achieving effective protection against entry into computer networks and systems by malicious individuals. Findings on use of sophisticated passwords indicate that 87 percent of system users are not aware of such an existence. Thus, lack of knowledge about sophisticated passwords also means not using them.
Nevertheless, people must become familiar with something before they start practicing it and gaining experience, so this finding is understandable. Daily computer system scans, run each time a computer system is turned on, are also critical security mechanisms for controlling access by unauthorized personnel.
Computer systems may also rely on anti-virus software to protect against viruses that are intentionally developed to harm stored information. Fifty-six percent of computer system users, however, are unaware of anti-virus software. A very small percentage of users, about 15%, use such software for protecting their systems.
Articles Review
Articles’ Strengths
- All three articles have relied on surveys as well as statistical analytical tools in their research. This has enabled the articles to provide reliable arguments.
- The articles have also drawn their findings from wide testing samples used in the studies. This gives more accurate findings compared to when such testing samples are drawn from a narrow perspective.
- All the articles include an extensive discussion at the end of the research seeking to expound on the research findings. This makes the research more understandable.
- Further research direction has been offered in at least two of the articles. This gives hope for more elaborate research on the same area in the future.
Articles’ Weaknesses
- There are limited recommendations that are being offered by the authors of the articles. While the articles have offered an insight into these problems, they do not provide the reader with the perfect solution on the way forward.
- Some of the authors do not cite any limitations encountered while undertaking their studies. This makes it difficult to evaluate the authenticity of their answers.
Could the Articles be better?
The research undertaken by all the authors in these articles is comprehensive enough and helps the reader to clearly determine the main issue of concern that is being raised. Failure to include the limitations of the research in two of the articles, however, makes it difficult to ascertain the true extent of the research findings. It is important to include the limitations for the research articles to be complete and more relevant.
Threats and Opportunities
The three articles show how organizations are becoming increasingly exposed to IS attacks. The danger of IS invasion due to recklessness of employees or the management is still a threat to organizations. In addition, hackers are continuously developing more severe threats to invade highly secured systems.
This is a great threat to firms that do not have the capacity to install highly secured systems and employ personnel who have the capability to avert such security breaches. Organizations have the opportunity to avert infiltration of their information systems by investing more in research and development. Moreover, organizations have the opportunity to borrow IS technology from other organizations that already have enhanced security systems.
How Information System Security could be enhanced in the Future
Creating more awareness on the need to use anti-virus software is one of the biggest steps towards enhancing IS security. This comes from the realization that more than half of all computer users are not aware of the need to use anti-virus software. Organizations also need to develop a culture of upholding information security such that the current employees and those who join the organization later give priority to IS security.
Conducting regular system audits will also help organizations identify any loopholes in the system and devise ways of sealing the loopholes. Moreover, scheduled IS audit will help the IT personnel determine the effectiveness of the existing IS security measures.
Conclusion
Advancements in the information communication technology have provided an avenue for virtually all organizations to incorporate IT systems in their operations. However, IT systems face a great challenge of security breach that may lead organizations to lose their sensitive data to unauthorized people. Security mechanisms must be established in order to guard against such intrusion.
The top-level management of organizations must take the leading role in developing a culture that emphasizes security. Employees must also be trained and made aware of the benefits of utilizing IS security measures. Several mechanisms exist, including blocking individual workers from accessing information from other departments that may not be useful to them.
Bibliography
Chaudhry, E Peggy, Chaudhri Sohail, and Reese Ronald. “Developing a Model for Enterprise Information Systems Security.” Economics, Management, and Financial Market 7 no. 4 (2012): 587–599.
Kuo-chung, Chang and Chih-ping Wang. “Information Systems Resources and Information Security.” Inf Syst Front 13 (2011): 579–593.
Lomo-David, Ewuuk and Shannon Li-Jen. “Information Systems Security and Safety Measures: The Dichotomy between Students’ Familiarity and Practice.” Academy of Information and Management Sciences Journal 12, no. 1 (2009): 29–47.