Information System – Security Assurance
Abstract

Information systems security is one of the greatest concerns of business organizations and government agencies. A secure information system gives the organization control over who may access the system, protects the integrity of the system, and ensures the availability and confidentiality of the information it holds. This paper focuses on Risk Management/Assessment (General Topic Area) and a Policy Implementation framework (Research Topic Area) as the means by which the executive management of corporations, government agencies and departments manage the security challenges facing their information systems. The study examines the risk management process, risk analysis, the theoretical framework behind it, and the five basic steps of risk assessment. It also assesses organizational policies and their implementation procedures, the importance of implementing policies, and the challenges that policy implementation faces.

1. General Topic Area: Risk Management/Assessment

Introduction

Risk management refers to the identification, assessment, and prioritization of the risks affecting an organization. Risks can originate from accidents, legal liabilities, project failures, financial markets, credit exposure, and natural disasters. Organizations have varied mechanisms and strategies for dealing with risks, some of which could force a shutdown if the organization does not take appropriate and practical action (Marsh, 2009). Avoiding the risk, reducing the probability that it occurs, transferring it to another party, accepting its actual or potential consequences, and limiting its negative effects are among the strategies that executive management employs. The cost of mitigation depends on the nature of the risk, the size of the organization, and the departments or agencies affected. Risk management also aims to improve the exchange of information and expertise across departments, agencies, and countries (Marsh, 2009).

Organizations have distinctive policies that inform and shape the steps they take to mitigate the negative consequences of a risk. Because organizations face different challenges, their risks and the corresponding mitigation procedures vary, slightly or completely (Lange, 2007). Transportation disruptions, fire, credit risks, legal liabilities, and natural disasters are among the problems that can force an organization to suspend or shut down operations. Through proper risk management, a corporation is better placed to promote good practice and to generate ideas for those responsible for managing risk. As part of its strategy, the organization assesses each risk cautiously and decisively, since the consequences of getting it wrong can be dire. Natural calamities such as earthquakes, tsunamis, flooding, and drought can cause difficulties that eventually compromise operations (Lange, 2007). Lost opportunities, loss of reputation, and loss of the business altogether are among the devastating outcomes of risks of this magnitude.

Creating an Effective Risk Management System

The critical part of managing risk is understanding the qualitative distinctions between the types of risk an organization faces. There are three categories. Left unmanaged, these risks threaten not only a company's strategy but its survival, in both the short and the long term (Lange, 2007).

Category 1: Preventable Risks

Preventable risks arise from within the organization and are controllable through its internal mechanisms. Organizations have practical systems and means of avoiding or eliminating them altogether. Illegal, unethical, incorrect, unauthorized, or inappropriate actions, together with breakdowns in routine operational processes, mainly resulting from the actions of employers and employees, are examples of preventable risks. Since such risks provide no tangible benefit to the organization or its clients, companies should set a narrow zone of tolerance for the errors or defects that would otherwise cause severe damage to the enterprise (Aven & Vinnem, 2007). An organization should also avoid leaking sensitive information to its employees or to the public through unnecessary press releases, as this can compromise the credibility of the executive or damage the corporation's reputation (Aven & Vinnem, 2007).

Category II: Strategy Risks

A company voluntarily accepts some risks in an attempt to generate superior returns from its strategy. Such risks typically accompany research and development activities. Commercial banks, for instance, extend credit in the expectation that the client will repay the principal together with the interest (Aven & Vinnem, 2007). Some institutions find themselves in difficulty when clients default, so financial institutions have adopted strategies such as insisting on collateral and imposing penalties on defaulters. Strategy risks differ from preventable risks in that they are, in most cases, desirable and promise good returns for the organization. They nonetheless require a risk management system specifically designed to reduce the chance that the assumed risks materialize (Aven & Vinnem, 2007).

Category III: External Risks

These risks result from external forces and are therefore beyond the company's influence or control. Natural disasters, political upheavals, macroeconomic shifts, and changes in government policy have a fundamental effect on a company's operations and in most cases pose great risks to its success (Marsh, 2009). Despite the immense challenges they present, organizations have developed appropriate strategies for coping with them. Since an organization lacks the capacity or authority to control such events, what it can do is identify the risks and propose practical mitigation mechanisms. Earthquakes and flooding are devastating and costly because they can destroy a corporation's premises, forcing it to suspend operations or cut production. The security of the information system suffers likewise: damaged systems pose a further security threat to the information they hold (Marsh, 2009).

Theoretical Framework of Risk Management

According to the cultural theory of risk proposed by Douglas (1978) and Douglas and Wildavsky (1982), social interactions among individuals and groups shape the systems of symbols they use to make sense of the world (Dobson & Hietala, 2011). People apply certain concepts to understand the world, and those concepts bear on the social structures and constraints to which people subject themselves. Risk perception reflects the way humans organize society: alternative opinions about risk and about the world flow from different patterns of social structure (Dobson & Hietala, 2011).

Perspectives of Cultural Theory

Stability and mobility are the fundamental perspectives of cultural theory. On the stability view, individuals are consistent in their cultural bias (Davis, Jarvis & American Bar Association, 2007). They are expected to attach themselves to social structures with a similar cultural bias in all spheres of life, and so conform to this dominant bias over time and regardless of social context (Davis, Jarvis & American Bar Association, 2007). In this setting, risk management refers to the process of identifying possible or potential hazards and analyzing what is likely to happen if a hazard occurs. A number of hazards must be considered, each presenting several scenarios that could unfold (Davis, Jarvis & American Bar Association, 2007). Whether a scenario occurs depends on the timing, location, and magnitude of the hazard.

Steps to Risk Assessment

Five steps guide the assessment of the risks faced by individuals and organizations: identify the hazards; decide who might be harmed and how; evaluate the risk; record the findings and implement them; and review the assessment, updating it where necessary (Aven & Vinnem, 2007). The corporation must identify a hazard before taking any action. Once it is identified, the enterprise examines and analyzes the extent of the damage it could cause, depending on the type and magnitude of the hazard (Aven & Vinnem, 2007). Security assurance of information systems is a crucial consideration for most organizations because they hold large amounts of data. Leading computing institutions emphasize that risk management should be part of security management at the organizational level. Risk management brings together a number of practices, each with diverse views and descriptions. Through the risk mitigation process, those responsible can keep an eye on the suggested control measures and assess how effective those measures are (Zhou, Vasconcelos & Nunes, 2008).

Risk Analysis

Risk analysis consists of three significant processes: identifying the risks the information system faces, estimating each risk, and evaluating its impact on the system. In identifying risks, the focus is on those that could harm the information system. The risks should be tied to the organization's own system, which eases the later development of control measures (Lange, 2007). Identifying the assets that require protection is one of the most important parts of risk identification. Once the assets at risk are known, the analyst lists the risks that could plausibly affect the system together with the vulnerabilities they would exploit.

Risk Mitigation

This procedure follows immediately after risk analysis and comprises three activities: design, implementation, and monitoring. Design determines the security objectives and the protection procedures, together with reliable steps for controlling the risks identified. Monitoring is essential during mitigation because it establishes whether the controls applied remain relevant. Organizations must weigh these factors carefully to obtain the most appropriate results from the security systems they choose to protect the data documented on their systems.
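The five assessment steps, the asset-centred risk analysis and the monitoring activity described above can be captured in a small risk register. The Python block below is an added example, not part of the original paper or of any source it cites; the 1..5 likelihood and impact scales, the score bands, the review intervals, the default treatment rule and the register entries are all assumptions chosen for illustration.

```python
"""Risk register: identify hazards, decide what is harmed, evaluate the risk,
record the treatment, and schedule the review.  Added example; the scales,
bands, intervals and sample entries are assumptions, not from any real assessment."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    """The four strategies listed in the paper for handling a risk."""
    AVOID = "avoid"
    REDUCE = "reduce"
    TRANSFER = "transfer"
    ACCEPT = "accept"


@dataclass
class Risk:
    asset: str                          # step 1-2: what is at risk and who is harmed
    threat: str
    vulnerability: str                  # the weakness the threat would exploit
    likelihood: int                     # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                         # assumed scale 1 (negligible) .. 5 (severe)
    owner: str                          # who is accountable for the control
    last_reviewed: Optional[date] = None

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    @property
    def score(self) -> int:
        """Step 3: evaluate the risk as likelihood x impact (1..25)."""
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Assumed bands: 15-25 high, 8-14 medium, 1-7 low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def default_treatment(risk: Risk) -> Treatment:
    """Step 4: propose the treatment to record.  Rare-but-severe risks are
    candidates for transfer (insurance, outsourcing); low risks are accepted;
    everything else is reduced.  AVOID means abandoning the activity, so it is
    left as an explicit management decision rather than a default."""
    if risk.likelihood <= 2 and risk.impact >= 4:
        return Treatment.TRANSFER
    if rating(risk.score) == "low":
        return Treatment.ACCEPT
    return Treatment.REDUCE


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; on equal scores the higher impact comes first."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


REVIEW_INTERVAL = {"high": 90, "medium": 180, "low": 365}   # assumed, in days
SAMPLE_TODAY = date(2024, 1, 1)                              # fixed date for the sample run


def reviews_due(register: List[Risk], today: date) -> List[Risk]:
    """Step 5: a risk never reviewed, or reviewed longer ago than its band allows,
    is due for review.  Returned in priority order so the worst is handled first."""
    due = []
    for risk in prioritize(register):
        limit = timedelta(days=REVIEW_INTERVAL[rating(risk.score)])
        if risk.last_reviewed is None or today - risk.last_reviewed > limit:
            due.append(risk)
    return due


def build_sample_register(today: date) -> List[Risk]:
    """Constructed entries for demonstration only."""
    return [
        Risk("customer database", "ransomware", "unpatched file server", 4, 5,
             "IT operations", today - timedelta(days=120)),
        Risk("payroll records", "flood at primary data centre", "single site",
             1, 5, "facilities", today - timedelta(days=30)),
        Risk("public website", "defacement", "outdated CMS plugin", 3, 2,
             "web team", None),
        Risk("laptop fleet", "theft of a laptop", "disk not encrypted", 3, 4,
             "IT operations", today - timedelta(days=100)),
    ]


if __name__ == "__main__":
    register = build_sample_register(SAMPLE_TODAY)
    for r in prioritize(register):
        print(f"{r.score:2d} {rating(r.score):6s} {default_treatment(r).value:8s} "
              f"{r.asset}: {r.threat} via {r.vulnerability} (owner: {r.owner})")
    print("due for review:", [r.asset for r in reviews_due(register, SAMPLE_TODAY)])
```

Running the block prints the register in priority order, with the proposed treatment beside each entry, and then the entries whose review is overdue; the never-reviewed website entry is due even though it scores low, which is the point of the fifth step.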

Conclusion

Risk management is one of the most appropriate methods an organization can employ to handle the security of its information system, and many firms practise it. It offers useful methods for securing information systems even though there is no single solution to all security problems: each security assurance problem has its own appropriate treatment. Research confirms that the risk management process can be refined to suit the information system being protected from external or internal destruction or loss of data. To improve its risk management, an organization should consider the social factors that shape the process as well as the results the process produces.

Cultural factors act as tools for sensitizing stakeholders to the risks facing the information system. The steps covered in this paper serve as guidelines for the methods used in risk management. By applying them, an organization is better placed to deal with the many problems that could compromise its information systems. Organizations must plan the steps of their risk management process without tampering with the efficiency of the system. Decision making is sensitive because it determines how effective the risk management process will be in securing the organization's information systems. Risk management is essential for any organization that wants its data systems to remain secure at all times, and it prepares the organization to deal with any threat that may affect them.

2. Research Topic Area: Policy Implementation

Introduction

This part of the paper focuses on the implementation of policies for information system security. It identifies the tasks involved, including legitimating the policy changes being implemented, that is, establishing whether they are accepted as worthwhile and whether the policy can build a constituency of support. It identifies the steps needed to identify and mobilize those who support the policies, to counter the criticism of those who oppose implementation, and to accumulate resources. The human and financial resources required to carry a policy change through are an important aspect of implementation.

The discussion is divided into three parts: the policy implementation process, approaches to policy implementation, and policy implementation tools. It then deals with tasks such as working through the structures of the implementing agents and organizational design, and with action mobilization, development, and monitoring systems. The issues in policy implementation include where and how the policies are made, and the emergence of public-private relationships working on policy reform. The part ends by outlining the prospects of adopting policy implementation in information system security.

Regarding the information security program itself, the discussion addresses the elements that make up a successful program, the role an organization plays in it, and the benefits the information brings to the individual.

Background

The Process of Policy Implementation

Policy implementation is the realization of a plan, model, idea, or design. In information system security, it entails realizing technical specifications; it may also mean realizing an algorithm as a software component, a program, or a computer system through programming or deployment. Most implementations exist for a given standard (Dube & Gulati, 2005).

Development of strategy

The successful growth of any organization depends on well formulated methods and clearly stated strategic objectives. Financial indicators, such as achieving a given market share, are the usual form such objectives take. Few business owners and organizations, however, give much attention to long-term planning in the information security field. Under current business conditions, without clearly formulated information security strategies those financial objectives become unattainable.

To build a sound information security program, the institution must first create awareness among its employees. It may also create a training program to address procedures, policies, and tools. Learning comprises three elements: awareness, training, and education. Awareness motivates, stimulates, and reminds a particular audience of what is expected of them. Training teaches individuals skills and how to use them, while education is the specialized, in-depth schooling required to support the implementation tools or the career development process (Dube & Gulati, 2005).

Developing information security policies, procedures, standards, and guidelines is the starting point of a successful information security program. Even an effective security architecture is judged less successful if the process behind it is unclear. Security professionals often implement a technically sound security program and are then surprised when it fails, usually because they forgot to market it to their constituents. To flourish, information security professionals must sell their program to their customers.

Information security policies introduce the concept of what is expected of employees, especially when they use enterprise assets. The policy messages are usually included in contract language so that third parties also know their responsibilities.

An organization implements procedures and policies to establish the behaviours expected of personnel granted access to the company's assets. Implementing policies and procedures takes seven steps: studying the requirements; taking into account the results of the risk assessment; optimizing and aligning the documents; structuring the documents; writing the documents; approving the documents; and employee training and awareness.

When studying the requirements, the organization's management must go through them carefully. Where the requirements include legislation or contracts with clients, management must address those as well.

In taking the results of the company's risk assessment into account, management determines which issues the document should address and to what extent; for example, whether information is to be classified according to its confidentiality and which levels of confidentiality are needed (Dube & Gulati, 2005).

Optimizing and aligning the documents means deciding how they fit together, including how they are numbered and paginated. Structuring and writing them follows the organization's own rules, especially on formatting, and the usual rules of thumb for clear drafting apply. Once written, the document must be approved, which is an important step in its own right. Finally, the organization trains its employees on the policies it has implemented (Lucas, 2009).

Benefits of Policy Implementation

Implementing an information security program policy is advisable in most organizations. With policies implemented and awareness in place, the organization can seek relief in court if necessary, because it can show how its assets were protected. In most cases, policies are beneficial in establishing the behaviours expected of personnel granted access to the assets (Warkentin & Vaughn, 2006).

Generally, system and policy implementation benefit from high levels of management support and user involvement. Involving users in the design and operation of information systems produces several positive results. When users are heavily involved in system design, they can shape the system according to their own priorities and the requirements of the business, and they have the opportunity to control the results. They are also more likely to react positively to the changes the process brings. Integrating the users' expertise and knowledge leads to better results and solutions.

The relationship between information systems specialists and users has traditionally been a challenging aspect of implementing information systems. Specialists and users tend to have different interests, priorities, and backgrounds. This is known as the user-designer communications gap; the differences can show up as different organizational loyalties, approaches to problem solving, and vocabularies (Lucas, 2009).

Policy implementation benefits the organization by providing comprehensive security policy information and frameworks. Implementing an information security program policy addresses the soft skills required during implementation as well as the technical knowledge of the organization. Policy implementation governs, regulates, mandates, and drives the business, and helps the organization with legal matters. Finally, it offers an excellent starting point for creating an information technology security framework (Lucas, 2009).

Problems associated with policy implementation in an organization

Despite its positive results, policy implementation can be challenging for any organization. The growth and development of organizations go hand in hand with IT infrastructure of growing scale and complexity, which generates vulnerabilities, risks, and threats that can affect the organization's activities (Lucas, 2009).

Information security problems can lead to loss of reputation and financial difficulties. A company suffering both is likely to perform poorly and lose its customer base; as threats and vulnerabilities increase, the consequences may in some cases include closure. In such a situation, management's most important task is to avoid these threats where possible. The management of every organization is responsible for ensuring that the activities the company engages in do not harm it, and where harm does occur, for keeping the risk to the company minimal and the IT infrastructure properly protected (Warkentin & Vaughn, 2006).

Security systems under all circumstances require guidelines and implementation in order to develop better defences (Budnik, 2012). The policies in place call for regular checks to ascertain that they remain in good condition. Implementation proceeds through threat assessment, data collection and organization, analysis and visualization of the material, and interpretation of the information. Implementation is necessary for success in any field; here the policies appear complicated because they must work to prevent the collapse of the security systems.

The security systems of the various information centres must regularly confirm and change the passwords that control access to the material. Passwords keep unauthorized people away from private information, but on their own they do not stop attackers from breaking into the systems. The systems therefore also require the latest protective devices to keep intruders out. Internet access has opened up every connection, which makes it easier for attackers to penetrate a machine without leaving traces that would identify them. Removable devices such as external hard disks and flash drives should hold copies of the information so that it survives if the whole system fails (Dalton, 2004). Government policy plays the largest part of all, because legislation defines a list of prohibited "misconduct" that applies regardless of the organization's own rules and settles disputes between parties without conflict. A system should also warn users before it fails, so that they can still retrieve the resources they need from it.

Introducing more tools into the system helps identify and record every exchange of information. When a person downloads or sends a vital document, a record remains on the security systems, which detect almost all activity across the systems (Dalton, 2004) and can trace exactly where a transaction originated and where it ended. Many people switch their systems off immediately after an intrusion, which destroys that trail. Vital documents should be kept in multiple copies in separate folders or locations that are not generally accessible (Kulczycki, 1997). Installing an active antivirus product that keeps itself updated prevents malware from entering the computer and keeps documents safe from intruders. Ordinary users must avoid opening email and websites that commonly carry viruses, which would infect documents or open the way for intruders to access any document they want at any time.

When the security system is attacked, the first response is to shut the whole system down to cut off access. This applies mainly to highly confidential official documents, where a leak puts the whole company at risk (Maddry, 1997). Keeping the machines off severs the attacker's access, and the company should settle on its remedy before bringing the systems back online. Where the evidence trail matters, however, disconnecting the machine from the network achieves the same cut-off while preserving the logs and memory contents that powering off would lose. Although people's access to the security systems is inevitable, their activities can still be controlled, and more ways of controlling them can be found, which will eventually reduce the insecurity of our systems (Budnik, 2012).
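The monitoring described in the preceding paragraphs, recording every exchange of a document and tracing it from its origin to its final destination, can be exercised against a few audit log lines. The Python block below is an added example, not code from the paper or from any source it cites; the key=value log format, the internal domain and workstation naming convention, and the log lines themselves are constructed for illustration.

```python
"""Trace a document's movements from constructed audit-log lines and flag the
transfers that leave the organization.  Added example; the log format, the
internal naming conventions and the sample lines are assumptions."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log, not captured from any real system.  Transfer records
# carry user, action, file, src and dst as key=value pairs after the timestamp.
# Lines are deliberately out of time order, and the last line is a different
# event type that must be skipped rather than misparsed.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z host=ws-17 user=alice action=download file=Q1-forecast.xlsx src=fileserver.corp.example dst=ws-17
2024-03-04T10:02:31Z host=ws-03 user=bob action=download file=staff-handbook.pdf src=intranet.corp.example dst=ws-03
2024-03-04T09:15:44Z host=ws-17 user=alice action=copy file=Q1-forecast.xlsx src=ws-17 dst=usb:E:
2024-03-04T09:20:09Z host=ws-17 user=alice action=send file=Q1-forecast.xlsx src=ws-17 dst=mail:partner@external.example
2024-03-04T10:10:00Z host=ws-17 user=alice action=logon result=failed reason=bad_password
"""

REQUIRED = {"user", "action", "file", "src", "dst"}   # fields a transfer record must carry
INTERNAL_SUFFIX = ".corp.example"                      # assumed internal DNS domain
WORKSTATION_PREFIX = "ws-"                             # assumed workstation naming convention
KV = re.compile(r"(\w+)=(\S+)")

Event = Dict[str, str]


def parse_line(line: str) -> Optional[Event]:
    """Return a transfer event, or None for blank, malformed or non-transfer lines."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    event: Event = {"ts": parts[0]}
    event.update(KV.findall(parts[1]))
    if not REQUIRED.issubset(event):
        return None
    return event


def build_trails(lines: Iterable[str]) -> Dict[str, List[Event]]:
    """Group transfer events by file and order each trail by timestamp
    (ISO-8601 timestamps in UTC sort correctly as strings)."""
    trails: Dict[str, List[Event]] = {}
    for line in lines:
        event = parse_line(line)
        if event is not None:
            trails.setdefault(event["file"], []).append(event)
    for events in trails.values():
        events.sort(key=lambda e: e["ts"])
    return trails


def origin_and_destination(trail: List[Event]) -> Tuple[str, str]:
    """Where the document first came from and where it last went."""
    return trail[0]["src"], trail[-1]["dst"]


def is_internal(endpoint: str) -> bool:
    """An endpoint is internal if it is an internal host or a workstation."""
    return endpoint.endswith(INTERNAL_SUFFIX) or endpoint.startswith(WORKSTATION_PREFIX)


def flag_external(trails: Dict[str, List[Event]]) -> List[Tuple[str, Event]]:
    """Every transfer whose destination lies outside the organization, such as
    removable media or an external mail address, in trail order."""
    return [(name, e) for name, trail in trails.items()
            for e in trail if not is_internal(e["dst"])]


if __name__ == "__main__":
    trails = build_trails(SAMPLE_LOG.splitlines())
    for name, trail in trails.items():
        origin, dest = origin_and_destination(trail)
        print(f"{name}: {origin} -> {dest} ({len(trail)} events)")
    for name, e in flag_external(trails):
        print(f"EXTERNAL {e['ts']} {e['user']} {e['action']} {name} -> {e['dst']}")
```

The out-of-order lines are sorted before the trail is read, so the origin and destination reported for the forecast spreadsheet are the file server and the external mail address, not whichever line happened to be logged last; the failed-logon line is ignored because it carries no file, src or dst.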

Approaches to Policy Implementation

One perspective necessary for the implementation process is the top-down approach, which becomes possible after assessing the state of the information system. In this approach the policy makers formulate the policies and set up the mechanisms needed for their success. The top-down approach has clearly set goals, and their execution is more organized: policies are set up in stages and implemented systematically, with resources used systematically to attain efficiency (Kadam, 2007).

The commitment of the executive to implementing the information security programme determines its effectiveness in the organization. Executives should understand the internal and external structures, the organizational culture, the legal structures, the regulatory requirements, and the financial requirements and policies. An authoritative structure from the executive ensures that the information security policies can be achieved (Hall, Sarkani & Mazzuchi, 2011).

A team of skilled personnel is essential for the success of the organization. Beyond that team, classifying the organization's assets and establishing a technological process are equally essential. Documenting the business process is vital for developing a systematic approach that enables the organization to conduct its activities effectively and to meet its objectives by following the critical process as documented. Information security treats that critical process as an asset of the organization (Hall, Sarkani & Mazzuchi, 2011).

Levels of internal control are also beneficial for the auditors' verification. By monitoring the internal controls regularly, the organization keeps its risk of exposure minimal, and implementing them minimizes the risks associated with the business process (Kadam, 2007). The top-down approach is the more appropriate way to meet the organization's security requirements, because it ensures compliance by members of the organization across the hierarchy.

In creating a strong information security programme, organizations should align their methods with international standards. These frameworks guide the organization in adopting best practice. One of them is ISO/IEC 27002, which guides the implementation of information security. The domains it specifies are vital to the effectiveness of an organization's information security; they include business continuity management, the acquisition of business systems, information security incident management, and human resources security, among other controls. Using internationally set standards makes it possible to prevent disparities between information security programmes (Hall, Sarkani & Mazzuchi, 2011).

Conclusion

Policies on information security are vital for carrying out secure practices in an organization. They define the rules that people in the organization must adhere to, and implementing them is necessary. Each member of the organization has a defined role, but performing that role must not compromise the security of the information the organization holds. To comply, individuals must understand the policies and know their responsibilities in the organization.

Having the policies as a document is not enough to ensure compliance. A mechanism for ensuring compliance must be in place, and an information management structure should guide the whole implementation process; programmes that make people aware of the implementation process help to realize this (Kadam, 2007). The state of information security in the organization must be assessed first, so that targets can be set. Many organizations know the state of their information security; the challenge is setting a target for the state they wish to achieve. Establishing that target is difficult but vital for improving the state of information security (Hall, Sarkani & Mazzuchi, 2011).

References

Aven, T., & Vinnem, J. E. (2007). Risk management with applications from the offshore petroleum industry. Berlin: Springer.

Budnik, K. (2012). Information security: Are we safe? Accountancy SA, 38-39. Retrieved from http://search.proquest.com/docview/1009905810?accountid=35812

Dalton, P. (2004). Information security. ABA Bankers News, 12(26), 1-2. Retrieved from http://search.proquest.com/docview/209674112?accountid=35812

Davis, A. E., Jarvis, P. R., American Bar Association, & Center for Professional Responsibility (American Bar Association). (2007). Risk management: Survival tools for law firms. Chicago, IL: American Bar Association, produced jointly by the Law Practice Management Section and Center for Professional Responsibility.

Dobson, I., Hietala, J., & Open Group (Reading, England). (2011). Risk management: The Open Group guide. Zaltbommel: Van Haren Publishing.

Drake, J. R., & Byrd, T. A. (2006). Risk in information technology project portfolio management. JITTA: Journal of Information Technology Theory and Application, 8(3), 1-11. Retrieved from http://search.proquest.com/docview/200036415?accountid=45049

Dube, D. P., & Gulati, V. P. (2005). Information system audit and assurance. New Delhi: Tata McGraw-Hill.

Hall, J. H., Sarkani, S., & Mazzuchi, T. A. (2011). Information Management & Computer Security, 19(3). Retrieved from http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=19&issue=3&articleid=1941526&show=html

Information security. (2004). CMA Management, 78(1), 6. Retrieved from http://search.proquest.com/docview/197791160?accountid=35812

Kadam, A. W. (2007). Information security policy development and implementation. Information Systems Security, 16(5), 246-256. Retrieved from http://search.proquest.com/docview/229509775?accountid=35812

Kim, D., & Solomon, M. (2011). Fundamentals of information systems security. Sudbury, MA: Jones & Bartlett Learning.

Kulczycki, G. (1997). Information security. Management Accounting, 79(6), 18-24. Retrieved from http://search.proquest.com/docview/229792318?accountid=35812

Lange, S. (2007). Moving forward: Risk management meets the information age. Risk Management, 44(9), 43-47.

Lucas, H. C. (2009). Implementation: The key to successful information systems. New York: Columbia University Press.

Lucas, H. C., Ginzberg, M. J., & Schultz, R. L. (2009). Information systems implementation: Testing a structural model. Norwood, NJ: Ablex Publishing.

Maddry, T. (1997). Information security. Security, 34(1), 82. Retrieved from http://search.proquest.com/docview/197780658?accountid=35812

Marsh launches global risk management information system for commercial real estate firms. (2009). Real Estate Weekly News, 25. Retrieved from http://search.proquest.com/docview/215451652?accountid=45049

Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2006). Formulating information systems risk management strategies through cultural theory. Information Management & Computer Security, 14(3), 198-217. doi:10.1108/09685220610670378

Warkentin, M., & Vaughn, R. (2006). Enterprise information systems assurance and system security: Managerial and technical issues. Hershey, PA: Idea Group Publishing.

Zhou, L., Vasconcelos, A., & Nunes, M. (2008). Supporting decision making in risk management through an evidence-based information systems project risk checklist. Information Management & Computer Security, 16(2), 166-186. doi:10.1108/09685220810879636