Friday, March 29, 2019

Principles Of Information Security And Governance Information Technology Essay

The progress and expansion of the field of information technology and the worldwide network has given birth to issues like identity theft, violation of information security systems, hacking and virus attacks. Information security systems play a vital role in providing regular protection of information from a wide range of threats to ensure business continuity. They help minimize risk factors, maximize profits and investment returns, and boost reputation. Virus attacks, hacking and information theft are some of the basic dangers faced by many organizations, and the solution lies not only in the hands of technology but in management as well. Information security failure or poor management leads to business and financial loss and reputation damage. I will be shedding light upon the principles, risk factors and privacy threats, and then the required strategies, policies and procedures for the administration and management of an information security department and security plan in my organization.

Information Security Governance

An integrated framework of policies, procedures and authority for handling, sharing and recording information securely and confidentially is termed information security governance (NHS, 2005). A successful information security system in an organization ensures the confidentiality, integrity, availability, authentication and identification, authorization, accountability and privacy (Whitman and Mattord, 2009, p. xvii) of information and data related to the security and reputation of an organization. Information governance in an organization requires teamwork, where all the staff members are aware of the importance of the confidentiality of information.
This framework makes sure that information and data are kept secure and accurate, and also that information is shared and recorded in compliance with all the legal and lawful procedures and a proper set of rules and guidelines (Simmons, Scott, et al., 2006). Information security governance complements information technology governance and corporate governance and is an important portion of both. Most companies, in order to provide a contemporary environment for their information governance system, are using internationally recognized frameworks like COBIT and ISO 17799. The Control Objectives for Information and related Technology (COBIT) is a framework designed in 1992 by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA). This framework helps IT management in implementing and developing information security governance on a wider platform. It includes threat analysis, risk assessment, cost estimation as well as countermeasures and future planning (Solms, 2005).

Figure 1 Proposed Integrated IT Governance Framework (Dahlberg and Kivijärvi, 2006).

Figure 1 shows a proposed integrated IT governance framework. A successful information governance structure builds on the integration between the structural and process aspects of IT governance, business-IT alignment, and senior executives' needs (Dahlberg and Kivijärvi, 2006, p. 1). The framework requires the involvement of the management board, executive and subject steering committees, service delivery teams and all the staff members related to networking, systems, applications, desktops and cross-functional work (Richardson, 2010, Q 3). Implementation and administration of IT security are carried out by the information security management of the organization, which helps to meet the required levels.
Information security management follows a methodology or framework which implies top management commitment and information security policies (Ghonaimy, El-Hadidi, et al., 2002). Information security governance ensures that information security management establishes, implements, monitors and reviews these procedures and policies in order to meet the business objectives of the organization (Pironti, 2008). The information security team is responsible for handling security issues regarding the safety and confidentiality of the company's information and data protection. It also helps maintain the integrity and availability of information. Information security management deals with the security team, organisational culture, change management, assessment of risk factors, people and risk behaviour. It is responsible for the development of strategies, policies and procedures to reduce threats, risks and attacks. The security team presents the security analysis, reviews and implementation plans to the management team (Parker, 1981).

Information Security Issues and Risk Factors

A hack, a virus or a denial-of-service attack may have the effect of halting business operations (Ross, 2008, p. 1). The main dangers faced by many organizations include identity theft, leakage of personal information, data manipulation and modification, and improper access to security passwords and secure areas. General IT security risks include malware, hacking of the system, terrorism, extortion, people, and non-compliant behaviour of staff and managers. These dangers can affect the overall reputation of the company, and stakeholders become concerned. The main losses and threats include loss of confidentiality, integrity, availability, authenticity and reliability of information, which require protection (Stoneburner, Goguen, et al., 2002). A confidentiality threat means unauthorised access to secure information.
A breach of confidentiality can happen in a number of ways. For example, the absence of screen savers on personal computers and laptops invites dangers like leakage of data and information, as staff members or any external visitor with bad intentions can easily access them. Similarly, post-it notes with ID and password reminders pose the same violation of confidentiality. Secondly, direct access to the server room key would be like inviting security theft and access by unauthorised persons (Stoneburner, Goguen, et al., 2002). An integrity threat implies unauthorised modification and manipulation of data. Unauthorised access implies leakage of important information, which could mean that anyone can distort or misuse the confidential information of the company, and this could lead to the distribution, alteration and stealing of personal data and identities of key personnel, and to hacking and virus attacks on the organization's secure system. An employee can misuse the data by changing the main figures, or by mistyping or deleting important information by accident or on purpose. When members of staff take official laptops home with unencrypted personal information, this could mean the leakage and distribution of confidential data passing into the wrong hands (Stoneburner, Goguen, et al., 2002). Availability means providing accessibility only to the authorised users. Loss of availability of data could be caused by attacks like hacking or viruses, or by hardware failure. Unavailability of the system to end-users could mean, for example, lost productivity time and hence a failure to meet the organisational goals of the company (Stoneburner, Goguen, et al., 2002). There are a number of other issues and risk factors regarding information security that can threaten information security governance.
Lack of professionalism among employees can generate many high-risk issues, for example sending unofficial emails within the organization or improper use of the internet, which is wrong and unethical. Moreover, if someone is in charge of the company's high-risk or sensitive data, then internet browsing or emailing can easily invite virus attacks or hacking.

Information Security Strategies, Policies and Procedures

These risk factors and security issues require proper security policies and a suitable framework. Although the HR department already possesses a set of security policies and procedures, they are seldom implemented. The information security governance plan works with the risk management plan, together with strategies, security policies and procedures, to work effectively in providing a completely secure environment. Information governance ensures the application of all the security policies (Nagarajan, 2006). Risk analysis is very important before implementing information security rules, strategies, policies and controls. Risk analysis forms the basis of the risk management system. Implementation of information security in an organization comprises six major activities: policy development, understanding roles and responsibilities, suitable information security design, regular monitoring, security awareness, and training and education. Now, in order to achieve safe information security, essential elements of control within the organization are required. Security controls include technical and non-technical controls.

Technical Control

Technical control provides logical protection by implementing protective software in the system. This includes access control mechanisms, identification and authentication mechanisms, data encryption, access control lists and intrusion detection systems, plus other software and hardware controls.
Computer security can be achieved by creating strong passwords, keeping anti-virus and anti-malware software updated, and using firewalls, screen savers, proper encryption and backup files (Stoneburner, Goguen, et al., 2002). Keep in mind that passwords should be strong and well protected, employees must not share them with anyone, and these passwords should be changed periodically. Organisations must have incident response procedures which include backup generators for electrical failure and off-site data centres in case of natural disasters or accidents.

Non-technical Controls

Management control includes the management and administration of security policies, operational measures, risk assessments, and training and education. Management control is responsible for educating staff members to guide them in handling sensitive data and information through a suitable security awareness course. The HR team should conduct a proper background check on employees, especially those who are in charge of handling confidential information, in addition to providing proper training to staff members. The administrative control should also inform employees of the UK legislation and data protection laws that are in place. Internet threats can be reduced by educating staff members and creating an awareness of confidentiality, and by prohibiting web browsing, chatting and unnecessary emailing on computers containing confidential information, as well as downloading software from unknown or suspicious sources. Moreover, the level of computer literacy of staff must be analysed in order to identify their capabilities in handling information. Management control must also administer the authorization and re-authorization of the system (Stoneburner, Goguen, et al., 2002). The security awareness program should provide security training and must also analyse the level of computer literacy of each employee.
The information security officer must administer and implement the information security awareness program, which should include providing training and awareness to the senior management, staff and employees involved in handling data and information, as well as educating the end-users or clients. Involvement of all users within the organisation is essential (Ghonaimy, El-Hadidi, et al., 2002). Operational control includes physical control and environmental security. It plays a vital role in implementing administrative and technical controls. Operational security ensures the quality of the electric supply, humidity and temperature controls, and physical facility protection systems. Some examples include backup generators and physical intrusion detection systems like alarms and motion detectors. This system also monitors and controls physical access to secured areas; examples include locks, doors, cameras, security guards and fencing (Stoneburner, Goguen, et al., 2002). The HR department should provide security awareness training to staff members and must make sure that when appointing a new employee, the contract of employment includes the security policies and procedures. These security controls should be revised and renewed annually in order to achieve successful information security. All these essential controls and the security awareness program must be implemented by the Human Resource department.

Information Security Culture

People's behaviour and attitude towards their working atmosphere form the organisational culture of the organisation. Information security culture evolves from the behaviour and attitudes of the people towards the confidentiality, integrity and availability of the organisational information and knowledge. It includes people, training, processes and communication, because "the inside behaviour poses a more serious threat to the security of information than outside behaviour" (Ghonaimy, El-Hadidi, et al., 2002, p. 204).
It is therefore essential to understand and analyse the organisational and corporate culture of the organisation, as well as the need to change the security culture within the organisation. Threat analysis would indicate how much the organisational culture contributes towards the violation of security, and it should be changed accordingly by educating staff members (Ghonaimy, El-Hadidi, et al., 2002). Figure 2 describes a proposed information security culture in an organisation.

Figure 2 A proposed information security culture (Ghonaimy, El-Hadidi, et al., 2002).

A healthy security culture is achieved when people in the environment are trained to handle clients' confidential information securely, are completely aware of the threats and dangers around them regarding information theft, hacking and virus/malware attacks, and are trained to handle these situations with confidence and responsibility (Richardson, 2010, p. 3). Information security culture can change the organisational culture in a positive way. For example, staff must understand that if servicing or repairing is required, this should only be handled by an authorized person. Security culture depends upon the managerial attitude, including that of top management, on security awareness and training, and on the rewarding of security-conforming behaviour (Ghonaimy, El-Hadidi, et al., 2002).

Risk Management System

However, "the information security policy alone cannot be counted upon to effectively eliminate these threats because it narrowly focuses on the use of technology to mitigate threats as the nature of threats and attacks have changed to become highly targeted, highly effective and nonadvertised" (Pironti, 2008, p. 1).
Therefore a proper risk management model is compulsory. The ever-changing faces of attacks and dangers to information security require a proper risk management system, which must be understood and supported by the senior management and business leaders of the organization in order to identify and finalize investment levels, utilizing proper information protection and risk management capabilities. Moreover, regular reporting is essential to demonstrate the effectiveness of information risk management practices. This model will definitely improve the capability of the information security team in following the risk management team's decisions, which are made by the higher officials, who have a valuable approach towards the information infrastructure and can make these decisions effectively. The corrective approach of a successful risk management program depends upon the presence of a single team leader (Pironti, 2008). The information risk management program helps in characterizing and analyzing the whole system of the company's information, highlighting risk factors and the information infrastructure. It combines individual functional capabilities into one single well managed and well oriented organization, enhancing business strategies. It increases the efficiency of security teams. It produces a bridge of confidence and communication between the team and the leaders. This program provides protection against a wide range of threats in terms of security theft, not by limiting access but by evaluating the appropriateness and required extent of that access, which in turn does not stop an organization from achieving its targets (Pironti, 2008).

Conclusion

In order to achieve a level of satisfaction in terms of the confidentiality, integrity and availability of the company's sensitive information and data protection, reliable information security governance is required.
This framework must include the implementation, innovation and revision of the strategies and policies within the organisation, understanding the need to change the organisational security culture, and the monitoring and management of the information security team under the supervision of top management. However, with the expansion of the global network day by day, there are major risk factors from viruses and malware which require a risk management system as well. These policies, strategies and procedures must be implemented through the HR department, including the hiring and training of security officers and staff members, with the approval of top management.

Appendix A Summary of the paper presentation

Key Elements of an Information Risk Management Program

As part of our MSc assessment we were asked to take part in a paper presentation on the key elements of an Information Risk Management system based on a paper written by John Pironti, which was published in 2008 in the Information Systems Control Journal, Volume 2. Information security has become more challenging with the ever-changing and evolving faces of threats in information processing. The adversary creates new threats as soon as the defender develops and implements defensive controls. The defenders are constrained by ethics, rules, knowledge, time, and lack of investment and resources. The adversaries can only be frustrated by a suitable risk management approach using the available assets, resources and potential. Policies, procedures and processes complemented by technology prove far more effective in mitigating security threats than technology alone. Information security often relies only upon technology to create defences against threats, and that technology can easily be downloaded or purchased.
The reason is that these components require proper implementation and operation. The organization's Information Risk Management approach identifies which information to protect and the level of protection required to align with organizational goals. It must be understood and supported by the senior management and business leaders of the organization in order to identify and finalize investment levels, utilizing proper information protection and risk management capabilities. Team structures in most companies today have segregated leaders with the title "chief", which is of no significance, as the main chief has limited access to the senior positions and business strategies. In order to meet current challenges, all these independent capabilities must be united on a single platform as an Information Risk Management program. The Information Risk Management program helps in characterizing and analyzing the whole system of the company's information, highlighting risk factors and the information infrastructure. It combines individual functional capabilities into one single well managed and well oriented organization, enhancing business strategies, led by the Chief Risk Officer. The leader becomes the central point that produces a bridge of confidence and communication between team and leaders regarding all communications about risk identification, mitigation and management. This program provides protection against a wide range of threats, not by limiting access but by evaluating the appropriateness and required extent of that access, which does not stop an organization from achieving its targets. This team leader has regular access to higher officials to provide them with correct and updated information regarding risk factors and business strategies. Key performance indicators are essential measurement tools for the performance of a business function, process or capability. These indicators need to be assigned thresholds to ensure that they are working within normal limits.
The key elements of a risk management program include the presence of a Chief Information Risk Officer, information security, physical security, compliance, privacy, financial risk, market strategy risk, business operations risk, risk methods and practices, key performance analysis effectiveness, cultural awareness, training, communications, strategy governance, and a risk oversight board and committee. Information Risk Management serves as a further progression of information security. The risk management program structures risk management, utilizing existing capabilities, and provides a 360-degree holistic view of security risks within the organization.

Appendix B Discussion generated from the paper presentation

Q. What do you mean by the holistic view of risks that affect productivity and success?

A. A holistic view implies focusing from a high perspective and ensuring that all the organisational requirements are met with relevant policies, processes and procedures complemented by technology, rather than only the specific technical area on which the information security team focuses.

Q. How would you convince businesses that such a wide model of risk management program can be implemented with the requirement of so many resources?

A. This program probably applies mostly to larger organisations with a greater number of people involving different levels, so that they are able to map onto this new mature model, explaining the benefits and understanding why to change the structure of information governance. Another key element to highlight would be that this model re-uses the existing resources within the organisation.

Q. Who decides the key performance indicators in the policy and standards maintained by the Risk Management program?

A. Normally it would be something which is discussed by all the relevant departments rather than the IT department telling you what your KPI should be. It will be coming from a higher level and senior management.

Appendix C References
