So how do we get executive support for our information security initiatives? First we need to start the discussion with senior management. Our goal is to focus their attention on the importance of good information security policy. We can do this by communicating the need for compliance, the consequences of noncompliance, and finally the company's responsibilities to its customers. Each of these factors is meant to win management's support for our security policy.
Compliance obligations that affect our corporation should be explained to management. They arise from laws at the state, federal, and international level. The Sarbanes-Oxley Act, the Electronic Fund Transfer Act (EFTA), Massachusetts 201 CMR 17.00, and the Fair and Accurate Credit Transactions Act (FACTA) are just some of the laws that require a well-supported information security policy. Industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) and regulations such as the Red Flags Rule also drive the need for compliance. Sector-specific requirements, including the Federal Information Security Management Act (FISMA) for federal information systems, the Health Insurance Portability and Accountability Act (HIPAA) for health information, and FDA Title 21 CFR Part 11 for electronic records, further shape our compliance policies.
The consequences of noncompliance can also motivate management's support. At the very least, noncompliance can damage a company's reputation; the data breaches at Target, Sony, and TJ Maxx continue to follow those companies. An effective information security policy limits the damage to our reputation by laying out a course of action to follow if a breach occurs. Poor security controls also incur monetary damages through fines and remediation costs.
How to Cite this Page
"Information Security." 123HelpMe.com. 17 Feb 2019
We should emphasize our duties to our customers as another reason for management to support our security policy. Our business exists to create customers, and a data breach damages customer loyalty. We can also point out that securing customer data is the ethical thing to do. Customer relations are the final motivator for obtaining executive support: good policy shows that we care about our customers' privacy and are taking the necessary steps to protect them, and by protecting our customers we protect our company's viability.
These are the issues designed to pique management's support for information security policy. You cannot emphasize enough that management owns this policy and that their support is key to its success. You also cannot give up easily; it is a long road to a mature information security program. Continue to hold discussions with other stakeholders to help create good policies based on their input. In future meetings with the executives, describe how these policies will protect the company and its customers. Prepare alternative policies that anticipate objections. For example, when management objects to the expense, have a lower-cost version of the policy ready. Another common objection is lack of knowledge, which is remedied through a training initiative; educated employees are more aware and more engaged. Ask for support in implementing small, obtainable policies that will succeed easily. Those small successes build the larger support and enthusiasm needed for any information security policy.
The proposed changes to our firm bring about several issues that should be addressed in our company's information security policy. We should perform a risk assessment for the proposed outsourcing of our development and manufacturing. I propose a risk assessment process that examines, for each likely threat, the assets it affects, the possible consequences, the likelihood of it happening, and the possible mitigation strategies. Our current policy should then be reviewed upon completion of the risk assessment to address any shortcomings.
What are the probable threats to our company if we make these changes? A threat is anything that can cause harm to assets such as our proprietary designs, software, data, processes, and reputation. We have to consider both internal and external threat sources. The threats I have identified are listed in the following paragraphs.
The first major threat is to our intellectual property. Our IP is at risk both internally and externally from this proposed change. Internally, employees unhappy with the change will still have access to our IP. Externally, we face risk in sharing our IP with outside development and manufacturing partners; if those partners have poor information security practices, our IP is exposed to outside theft. Weak practices show up as a lack of access controls, poor physical security around our data, weak network security, and poor password management. The possible consequence is severe: our IP could end up in competitors' products and cost us market share. The probability of IP theft or loss is high because we will have two foreign partners in countries with lax IP laws, and because a majority of information-related crimes originate from insiders, for whom staff resentment is a strong motivator. Possible mitigation strategies include confidentiality agreements for our employees and our partners. The agreements should define who owns our confidential information and what our partners will do to protect it. We should also examine our partners' security policies and require that they at least match ours. Data-protection provisions modeled on the GLBA safeguards requirements should be added to our partner agreements, identifying where they will store our confidential data. We might also require that our intellectual property be encrypted at rest to help prevent loss through outside theft. The agreement should also spell out the penalties for violating these policies and give us the right to audit their security.
Another facet of IP loss is our Chinese manufacturing partner reverse engineering our products. They will have easy access to our manufacturing process since they will be building the products. The consequence is that our manufacturing partner becomes our competitor, armed with all of our knowledge. Given documented cases of IP theft involving Chinese manufacturers, I rate the probability low to moderate. We can mitigate this with the same strong confidentiality agreements described above and by choosing a partner with a good track record of respecting IP.
The second threat is the possible loss of quality control over our product. The new manufacturing partner may not have the personnel or processes to build our products to our standards, and the development staff in India may not have the expertise to design innovative new products. The consequences are lost profit from returned products, a degraded competitive edge, and damage to our reputation. The likelihood is low to moderate, provided our partners are experienced in development and manufacturing. We can mitigate this with strong service level agreements that impose penalties for poor quality. Those agreements should also give us the right to monitor factory conditions and to require that workers be trained to acceptable standards. We must include a provision requiring our partners to maintain auditable change control during software development, so that we can trace changes when issues arise.
A third threat is manufacturing delays from our Chinese partner. There is no guarantee that this partner can produce our goods on time. Late deliveries can severely damage our vendor relationships, lose potential customers, and hurt our revenue stream. The probability is high because the relationship with this manufacturer is new. Our smaller size also means smaller production runs, and we could be pushed back in favor of larger companies using the same manufacturer. This threat can be mitigated with a service level agreement that imposes penalties when products are not delivered on time.
A fourth threat is loss of our software and development data. Power outages caused by India's weaker infrastructure could take down our developers' network and cause data loss, which would disrupt the development cycle and delay products. Given the scale of India's historical blackouts, this risk is moderate. The mitigation strategy should include a tested backup strategy and an alternate power source contingency.
A fifth threat is the loss of future capabilities through outsourcing. We could find ourselves unable to build our software and products ourselves, and worse, lose our ability to innovate once development is outsourced. The consequences are drastic, as it would weaken our future viability. The likelihood is moderate to high given the track record of other companies that lost their manufacturing capabilities. We mitigate this by not allowing too much of our IP to go outside and by keeping some design talent in house.
The proposed move opens the door to risks we have not faced before. The consequences of some of these risks could prove catastrophic to our company, but with proper planning, communication, and direction from management we can contain the damage if these threats are ever realized.
How do we move to a more mature information security management system? Does merely having a policy make us secure? A policy is only effective if everyone involved is aware of it. As senior managers we have a responsibility to visibly support our information security initiatives. We can drive several steps to move from check-the-box compliance to a culture of information security. This involves examining our policy and making sure we set rules that can succeed and that fit our company's culture.
One step in reviewing our policy is to meet with the key stakeholders, such as IT personnel and other senior managers. IT personnel include those directly involved with the systems and infrastructure in scope for PCI compliance. Senior managers will help identify other stakeholders. HR and legal counsel also need to be engaged. Each of these groups plays a part in composing a sound, workable information security policy.
Each stakeholder examines the areas of the policy that fall within their expertise. This review identifies parts of the policy that are no longer relevant or need improvement. Subject matter experts from IT can examine the policies on data security and data segregation. IT is also responsible for discovering all of the sensitive data we hold, wherever it resides, recommending protection for any data that is unprotected, and encrypting our IP and customer data. HR can review the sanctions for employees who violate policy and provide a training schedule to educate employees on the policy. Each stakeholder should be made to feel that their contribution to refining the policy matters.
As senior managers it is our duty to show support for this policy and to encourage our fellow executives to support it as well. This support is critical to getting employees to embrace the policy. We will encourage it and allocate resources as needed. Senior management should also set direction for the policy wherever there are conflicts.
We can also research successful security policies from firms that operate in our space, perform a gap assessment of our policy against theirs, and fix ours where needed. We can engage an outside assessor to audit our PCI compliance even where that is not required. We should test our breach recovery procedures and improve any processes that are not up to standard.
We need to ensure that the policy is not cumbersome or too punitive. We also need to test our security plan and confirm that it meets our needs. We should review and update the policy at least every two years, and sooner when the business or the threat landscape changes. I want to continue conversations with key stakeholders to keep information security awareness high. Our key stakeholders should then continue the conversation with employees to explain why we are doing these things, listen to their feedback, and keep the discussion open. The policy should include an adjustment period during which users who violate it are sent back to training to learn the new rules. To build a culture of information security, the policy must be a living document that is continually reviewed and improved with the key stakeholders involved.
The first focus area covered is physical and environmental security. Company X has two data centers, five hub sites, and both large and small end sites. There are strengths and weaknesses in Company X's implementation of physical and environmental security.
Company X performs well in this area at the data centers. Access closets are key-card locked and accessible only to a few authorized personnel. Server cabinets sit in an area that can only be entered with two-factor authentication: a key card plus a retina scan. Only those who work with servers or networking are allowed into the area that holds the servers and network equipment. The cabinets themselves are key locked, with two keys held by two different individuals and one key that authorized personnel can sign out from security. Even someone with access to the server and network area needs one of those keys to reach the hardware. Hub sites and end sites typically have locked cabinets or locked closets, but some facilities leave infrastructure equipment openly accessible. Even at facilities with locked closets, non-IT staff hold keys for other purposes, and if the closet does not also have a locked rack, those staff have access to IT equipment. Improving this requires adding locking racks to all closets to protect against unauthorized access, with the keys to those racks held only by the IT organization that supports them.
Each data center also has key-card entry into the building, and policy prohibits piggybacking (tailgating) through the door. All other facilities require an ID badge, and some have key cards. One weakness is that there is no single ID badge across Company X: facilities are managed by different divisions, and there is no single access-control vendor. The improvement is to standardize on one badge and key-card system across Company X.
Cabling security is another concern. There is a lot of exposed cabling in all buildings, which could be protected with cover plates. In the data center, cabling runs exposed in ceiling ladder racks above open user areas. Reaching it requires a 12-foot ladder, but it is still exposed. A possible solution is to keep unauthorized personnel from bringing a ladder near those cables.
The other focus area examined is asset management. Company X documents its employee laptops and desktops. These devices are standardized, patched, firewalled, and run appropriate antivirus. However, there is a great deal of bring-your-own-device use at Company X. Personal laptops are not required to have current antivirus or patches. Policy requires personal laptops to access the network through the VPN, and fortunately the company's VPN solution includes a host checker that inspects personal laptops for antivirus and patch status before granting access. There is no clear policy yet for certain mobile devices; one needs to be created soon, with clear guidelines on what is permissible.
There is a policy to notify the proper staff in case of theft or loss of equipment. Company-owned laptops are encrypted, which protects sensitive data in case of loss or theft. Company-owned iPhones can be remotely wiped, but there is no policy requiring that phones be encrypted. A possible solution is to deploy mobile device encryption. A further issue is that personal laptops and phones holding Company X data are not protected by encryption; policy could rectify this by requiring users to encrypt any sensitive data stored on their personal devices.
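The host-checker and encryption controls described in the two paragraphs above come down to a posture decision made at connection time. The following is an added example of that decision logic, written for this page; it is not the code or configuration of Company X's VPN product, which the page does not name. The policy thresholds, the three-tier verdict (allow, quarantine for remediation, deny), and the device records are assumptions chosen to illustrate the checks the page describes: current antivirus and patches on personal laptops, and encryption on any device that holds company data.

```python
"""Device posture evaluation of the kind a VPN host checker performs.

Added example for this page; thresholds, verdict tiers and sample devices are
assumptions, not Company X's actual configuration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DevicePosture:
    """What the host-checker agent reports about the connecting device."""
    hostname: str
    corporate_owned: bool
    os_supported: bool          # vendor still ships security updates for this OS
    av_installed: bool
    av_signature_date: date     # date of the newest antivirus signature set
    last_patch_date: date       # date the OS was last fully patched
    disk_encrypted: bool


@dataclass(frozen=True)
class PosturePolicy:
    """Assumed thresholds; a real deployment would tune these."""
    max_signature_age_days: int = 7
    max_patch_age_days: int = 30
    require_encryption_on_personal: bool = True


def evaluate_posture(device: DevicePosture, policy: PosturePolicy,
                     today: date) -> tuple[str, list[str]]:
    """Return (verdict, reasons).

    'deny'       hard failure: unsupported OS, no antivirus, or unencrypted disk
    'quarantine' remediation network only: stale signatures or overdue patches
    'allow'      full access
    """
    hard, soft = [], []
    if not device.os_supported:
        hard.append("operating system no longer receives security updates")
    if not device.av_installed:
        hard.append("no antivirus installed")
    elif (today - device.av_signature_date).days > policy.max_signature_age_days:
        soft.append(f"antivirus signatures older than {policy.max_signature_age_days} days")
    if (today - device.last_patch_date).days > policy.max_patch_age_days:
        soft.append(f"security patches older than {policy.max_patch_age_days} days")
    encryption_required = device.corporate_owned or policy.require_encryption_on_personal
    if encryption_required and not device.disk_encrypted:
        hard.append("disk encryption not enabled")
    if hard:
        return "deny", hard + soft
    if soft:
        return "quarantine", soft
    return "allow", []


# Constructed sample devices, evaluated against a fixed date so results repeat.
TODAY = date(2019, 2, 17)
POLICY = PosturePolicy()
SAMPLE_DEVICES = [
    # corporate laptop, fully compliant
    DevicePosture("corp-lt-0142", True, True, True,
                  TODAY - timedelta(days=1), TODAY - timedelta(days=12), True),
    # personal laptop, encrypted but signatures 20 days old
    DevicePosture("jdoe-macbook", False, True, True,
                  TODAY - timedelta(days=20), TODAY - timedelta(days=3), True),
    # personal netbook on an end-of-life OS, no antivirus, no encryption
    DevicePosture("old-netbook", False, False, False,
                  TODAY - timedelta(days=400), TODAY - timedelta(days=400), False),
]


def evaluate_all(devices, policy=POLICY, today=TODAY) -> dict[str, tuple[str, list[str]]]:
    """Evaluate every device and key the verdicts by hostname."""
    return {d.hostname: evaluate_posture(d, policy, today) for d in devices}


if __name__ == "__main__":
    for host, (verdict, reasons) in evaluate_all(SAMPLE_DEVICES).items():
        print(f"{host}: {verdict} {'; '.join(reasons)}")
```

The split between hard and soft failures is the design point: a stale signature set is something the user can fix from a remediation network in minutes, so it should not lock them out, whereas a missing antivirus agent or an unencrypted disk on a device that will hold company data is exactly the exposure the page's policy is meant to close, and the right answer is to refuse the connection until it is fixed.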
IT equipment at the data centers and some of the larger facilities requires authorization for removal. Most other facilities do not: IT staff can remove equipment without any documentation or authorization. Improving this process might require IT staff to notify facility management before gear is removed and the manager to confirm when it has been moved.
Company X performs well in these focus areas, but there is room for improvement. Most of that improvement begins with recognizing where we fall short and starting the discussion to mitigate those risks.