Background
Security management within the context of information systems “needs a paradigm shift in order to successfully protect information assets” (Eloff & Eloff, 2003). Due to the rapid increase in information security threats, security management measures have been taken to proactively remedy the growing threat facing information security. As a result, security management “is becoming more complex everyday, many organization’s security systems are failing, with serious results” (Fumey-Nassah, 2007). To remedy the increased threats to information security systems, organizations are seeking ways to address the network vulnerabilities exposed by malicious attacks. There are several management measures that organizations must take to fully understand the vulnerabilities at stake.
There are dominant security management frameworks that encompass security management models for information systems. Therefore, in order to fully analyze the topic of security management we must first understand the security management models that form the foundation of security management practices. There are several models that structure information security mechanisms in an enterprise organization. In general, “information security models are standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption” (Mattord & Whitman, 2010). If we analyze security management within the context of access controls, we find that access controls are needed to regulate “the admission of users into trusted areas of the organization.” Access controls in security management are needed to restrict different levels of access to things like assets, information and other resources of information systems infrastructur...
...tists and information technologists on Enablement through technology, 130-136. Retrieved from http://dl.acm.org.ezproxylocal.library.nova.edu/dl.cfm?CFID=53035382&CFTOKEN=79931029.
Fumey-Nassah, G. (2007). The management of economic ramification of information and network security on an organization. Proceedings of the 4th annual conference on Information security curriculum development. doi: 10.1145/1409908.1409936.
Grimaila, M. (2004). A novel scenario-based information security management exercise. InfoSecCD '04 Proceedings of the 1st annual conference on Information security curriculum development. 66-70. doi: 10.1145/1059524.1059538.
Mattord, H., & Whitman, M. (2010). Management of Information Security. Boston: Course Technology.
Motiwalla, L., & Thompson, J. (2011). Enterprise Systems for Management (2nd ed.). Upper Saddle River, NJ: Pearson.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish the roles and responsibilities of all personnel and staff members. In addition, a Chief Information Officer should be appointed to direct an organization’s day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for ensuring that all of the rules and policies are being followed, as well as for understanding their roles, responsibilities and functions. Organizations’ information processing systems are vulnerable to many threats that can inflict various types of damage and result in significant losses (Harris, 2014). Losses can come from the actions of trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
The article “Security at Center Stage” depicts five secrets to a CSO’s success; it outlines the attributes needed to succeed in the evolving field of security management. With the evolving role of the CSO there is a great need to satisfy all levels of need in the security and business setting. According to the article “Security at Center Stage,” a CSO’s success is contingent on being “more than the average techie”, having a “focus on business”, being a “relationship builder”, keeping “an eye toward pervasive security”, and implementing a “dual reporting structure.”
In this article, the author discusses the benefits of employing Role Based Access Control (RBAC) as an access control model. Galante makes many valid points and demonstrates how using RBAC has many benefits for an organization. A few cases differentiate RBAC from the simple access control model. Although the author suggests RBAC as an optimal solution, RBAC certainly isn't a cure-all; however, it is ideal for a variety of circumstances. When RBAC is deployed properly and in the ideal situation, it can reward the organization with financial, security and accountability benefits.
Haag, S. & Cummings, M. (2008). Management information systems for the information age (Laureate Education, Inc., custom ed.). Boston: McGraw-Hill/Irwin.
This paper includes a comparison between the access control models Mandatory Access Control (MAC), Discretionary Access Control (DAC) and Role Based Access Control (RBAC) and explores the advantages and disadvantages of implementing each model. These models provide the fundamental policy and rules for system-level access control. Role-based access control has been presented alongside claims that its strategies and workings are general enough to integrate the customary access control models, mandatory access control (MAC) and discretionary access control (DAC). The aim is
As electronic commerce, online business-to-business operations, and global connectivity have become vital components of a successful business strategy, enterprises have adopted security processes and practices to protect information assets. But if you look at today's computing environments, system security is a horrible game of numbers: there are currently over 9,223 publicly released vulnerabilities covering known security holes in a massive range of applications, from popular operating systems through to obscure and relatively unknown web applications. [01] Over 300 new vulnerabilities are being discovered and released each month. Most companies work diligently to maintain an efficient, effective security policy, implementing the latest products and services to prevent fraud, vandalism, sabotage, and denial of service attacks. But the fact is that you have to patch every hole in your system, while an attacker need find only one to get into your environment. Whilst many organisations subscribe to major vendors' security alerts, these are just the tip of the security iceberg, and even these are often ignored. For example, the patch for the Code Red worm was available some weeks before the worm was released. [02]
Whitman, M., & Mattord, H. (2010). Management of information security. (3rd ed., p. 6). Boston, MA: Cengage Learning.
Johnson, B. R. (2005). Principle of Security Management. Prentice-Hall; copyright 2005 by Pearson Education, Inc.
Security includes several areas, such as personal security and organizational security, among others. Access control is an important aspect of any system: it is the act of ensuring that an authenticated user accesses only what they are authorized to and no more. Nearly all applications that deal with financial, privacy, or defence data include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system.
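The MAC/DAC/RBAC comparison above, and the claim that RBAC is general enough to reproduce both of the other models, can be made concrete with a small reference monitor for each. The following is an added example, not code from any of the papers quoted on this page; the users, documents and sensitivity levels are constructed, and the MAC rules are the Bell-LaPadula "no read up, no write down" pair. The last part of `demo` configures the RBAC monitor so that it yields the same decisions as the MAC read rule (clearance roles that inherit the roles beneath them) and as the DAC grant (an owner role and a reader role per object).

```python
from dataclasses import dataclass, field


@dataclass
class DacObject:
    """DAC: the owner of the object decides who else gets which rights."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of rights

    def grant(self, granter, subject, right):
        # Discretionary means the grant is at the owner's discretion only.
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner of {self.name}")
        self.acl.setdefault(subject, set()).add(right)

    def authorize(self, subject, right):
        return subject == self.owner or right in self.acl.get(subject, set())


# MAC: sensitivity labels are assigned by policy; no subject can change them.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_authorize(subject_level, object_level, right):
    """Bell-LaPadula: read only at or below your level, write only at or above it."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    return (right == "read" and s >= o) or (right == "write" and s <= o)


class Rbac:
    """RBAC: users get roles, roles get permissions, roles may inherit other roles."""

    def __init__(self):
        self.user_roles = {}   # user -> set of roles
        self.role_perms = {}   # role -> set of (object, right)
        self.juniors = {}      # role -> set of roles it inherits from

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def permit(self, role, obj, right):
        self.role_perms.setdefault(role, set()).add((obj, right))

    def inherit(self, senior, junior):
        self.juniors.setdefault(senior, set()).add(junior)

    def effective_roles(self, user):
        # Walk the hierarchy so a senior role carries its juniors' permissions.
        todo, seen = list(self.user_roles.get(user, ())), set()
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self.juniors.get(role, ()))
        return seen

    def authorize(self, user, obj, right):
        return any((obj, right) in self.role_perms.get(r, ()) for r in self.effective_roles(user))


def demo():
    """Run the three models over the same constructed users and documents."""
    results = {}

    # DAC: alice owns the budget; she lets bob read it, but bob cannot re-grant.
    budget = DacObject("budget.xlsx", owner="alice")
    budget.grant("alice", "bob", "read")
    results["dac_bob_read"] = budget.authorize("bob", "read")
    results["dac_bob_write"] = budget.authorize("bob", "write")
    try:
        budget.grant("bob", "carol", "read")
        results["dac_bob_regrant"] = True
    except PermissionError:
        results["dac_bob_regrant"] = False

    # MAC: a confidential-cleared analyst may read internal data, not secret data,
    # and may not write down to a public document (it could carry confidential content).
    results["mac_read_down"] = mac_authorize("confidential", "internal", "read")
    results["mac_read_up"] = mac_authorize("confidential", "secret", "read")
    results["mac_write_down"] = mac_authorize("confidential", "public", "write")

    # RBAC reproducing the MAC read rule: each clearance is a role that inherits
    # the roles below it, and each role may read documents at its own level.
    rbac = Rbac()
    order = ["public", "internal", "confidential", "secret"]
    for i, level in enumerate(order):
        rbac.permit(f"clearance_{level}", f"{level}_doc", "read")
        if i:
            rbac.inherit(f"clearance_{level}", f"clearance_{order[i - 1]}")
    rbac.assign("analyst", "clearance_confidential")
    results["rbac_read_down"] = rbac.authorize("analyst", "internal_doc", "read")
    results["rbac_read_up"] = rbac.authorize("analyst", "secret_doc", "read")

    # RBAC reproducing the DAC grant: an owner role per object holds all rights,
    # and a reader role is handed out to whoever the owner chooses.
    rbac.permit("owner_of_budget", "budget.xlsx", "write")
    rbac.permit("reader_of_budget", "budget.xlsx", "read")
    rbac.inherit("owner_of_budget", "reader_of_budget")
    rbac.assign("alice", "owner_of_budget")
    rbac.assign("bob", "reader_of_budget")
    results["rbac_bob_read"] = rbac.authorize("bob", "budget.xlsx", "read")
    results["rbac_bob_write"] = rbac.authorize("bob", "budget.xlsx", "write")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:18} {'ALLOW' if allowed else 'DENY'}")
```

The point of routing every decision through one `authorize` method per model is that "only what they are authorized to and no more" is enforced in a single place that can be audited; the difference between the models lies in who is allowed to change the inputs to that decision (the owner under DAC, the policy under MAC, the role administrator under RBAC).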
National Institute of Standards and Technology. (2012, March/April). Basing Cybersecurity Training on User Perceptions. (IEEE Report 1540-7993/12). (pp. 40-49). Retrieved from University of Maryland University College IEEE Computer Society website: http://www.computer.org.ezproxy.umuc.edu/portal/web/csdl
Threats to an organization come in a variety of forms, for example from hacking, viruses, and simple human error. The types of threats change constantly, so management must sponsor, design, and implement business and technical processes to safeguard critical business assets. To create a more secure business environment the organization must:
Information security policy is crucial to information safety. Lack of a security policy is evidence of a lack of direction and amounts to anarchy. The areas that should be covered by security policies include business and operations. Senior management is required to back security policies and ensure they are succinctly written in order to avoid marginalization of information security efforts (Puhakainen, 2006). If senior management fails to openly support the policy, implementation may be difficult, because it is management that provides funds and guidelines for further
As the usage of technology and the Internet increases, businesses depend on the security of their IT infrastructures and the data within them. However, a threat to a business’s infrastructure can challenge the system’s security. There are four different types of security threats: unauthorized data disclosure, incorrect data modification, denial of service and loss of infrastructure.
Johnson, B. R. (2005). Principles of Security Management. Upper Saddle River, NJ: Pearson Prentice Hall.
The first thing that we must consider about Information Security is that there is no final destination at which we can arrive. IT Security is an ongoing set of processes and activities that requires attention and expertise on a daily basis. It is important to understand that systems are not secured by themselves and it is our responsibility to maintain and improve them periodically as required. It is of vital importance to establish the appropriate mechanisms and requirements in order to support the company’s CIA triad. The following report will provide you guidance about auditing and hardening techniques applied through the 7 Domains by utilizing IT Security Best Practices.