Tuesday, May 5, 2020

Information Security Practice Management

Question: Discuss about the Information Security Practice Management.

Answer:

Introduction

Information Security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction (Catteddu 2014). This report aims to explain the essential concepts of, and the current issues associated with, ethics, governance and information security. To that end, it discusses strategies for improving information security at Deorham and the importance of information security for a small organization. It also describes the human aspects of information security and the strategies by which those aspects can be changed or improved. Finally, since the organization has adopted an outsourcing strategy to reduce its operating costs, the report identifies the security issues associated with outsourcing so that they can be addressed and resolved.

SME Security

Information Security is the set of business processes that protect information assets regardless of how the information is formatted, or whether it is being stored, processed or in transit (Gordon and Loeb 2012). Information security is not a single technology; it is a strategy comprising the policies, processes and tools required to prevent, detect, document and counter threats to digital and non-digital information (Alberts and Dorofee 2012). For small enterprises it is very important to implement improved information security in order to protect the data of their business operations (Bulgurcu, Cavusoglu and Benbasat 2016).
Every company should have a sound information security program to protect its information and data (Anderson 2012). No matter how small or large an organization is, it needs a plan for ensuring the security of its information assets (Denning 2014). The security program provides the framework for keeping the organization at a desired level of security: assessing the risks the organization faces, deciding how the enterprise will address them, and planning how the company will keep the program and its security practices up to date (Siponen 2015). For a small organization, information security means protecting the confidentiality, integrity and availability of its data (Whitman and Mattord 2013). Having an information security program therefore means that the business has taken steps to mitigate the risk of losing data in any of the various ways it can be lost, and that it has established a life cycle for managing information security within the company. A common saying in the software development industry is that security should be built in from the beginning (Peltier 2013). A few things should be considered when pursuing better data security:

Cost. The main question when upgrading the security system of a small organization is whether the cost of protection exceeds the value of what the organization is protecting (Whitman and Mattord 2013).

The price of disruption. Although the organization should expect some disruption of its usual workflow, when evaluating security measures the company should also consider how its employees work (Peltier 2016).

What a small enterprise has to lose. Security breaches cost more than just money (Crossler et al. 2013).
If the business relies on consumer trust, information security needs to be a top priority (Ifinedo 2012). If the business accepts credit card payments, it must make sure that the card numbers are kept secure (Vacca 2012).

Where the significant threats lie. Before investing in security measures, the organization should identify the most important threats to its sensitive data (Ifinedo 2014).

Because maintaining information security is so important for this organization, it must keep improving its information security system (Hu et al. 2012). There are several ways in which the organization can improve its information security service:

Controlling administrator access. Unmanaged administrator privileges are among the most serious threats to the IT security of this organization (Andress 2014). Nevertheless, many small businesses still do not take the time to set precise access limits for non-admin employees, especially when those employees are using their own devices (Cavelty and Mauer 2016).

Layering the organization's security. Information security needs to be a continuous process, not a single event. The best security uses a layered approach (Kolkowska and Dhillon 2013). The organization should run ongoing penetration and vulnerability testing to keep its operating systems secure against attackers.

Asking about cyber-insurance. Cyber-insurance policies have become an especially popular option for businesses looking to protect credit card information, customer names and addresses, and other sensitive data stored in online systems (Cezar, Cavusoglu and Raghunathan 2013).
Cyber-risks are typically not covered under general liability insurance, so it is important to find out which kinds of coverage are available (Merkow and Breithaupt 2014).

Securing personal devices without over-monitoring. Permitting workers to use personal devices for work means the organization needs some kind of monitoring system in place to protect the company data those devices access (Baskerville, Spagnoletti and Kim 2014).

Human Aspects of Security

There are several aspects to the information security of an organization, and among them the human aspect is the most important (Catteddu 2014). The key point about the information security of an organization is that it is, above all, a human issue (Gordon and Loeb 2012). This organization therefore has to be very careful about the human aspects of information security. In other words, an organization needs to improve and change the human aspects of its information security in order to provide a more secure service (Alberts and Dorofee 2012). This section discusses the human aspects of information security for this organization, and the strategies by which those aspects can be improved and changed (Bulgurcu, Cavusoglu and Benbasat 2016). Information security incidents increasingly result from the communication among the people who work in companies to operate the ISMS. This has major implications for the role of human factors in the information security process, and challenges that role. There are two major human factors in the information security of this organization. The first is the driving forces (Anderson 2012).
The driving forces promote the goals, objectives and expectations of information security (Denning 2014). The other factor, the restraining forces, is regarded as the set of obstacles or obstructions that result from an ineffective ISMS (Siponen 2015). This approach helps to recognize both the ideal and the current state of the information security system in this organization.

Force Field Analysis

Force Field Analysis has been widely used for change management in companies.

Figure 1: Force Field Analysis (Source: Gordon and Loeb 2012, pp.440)

The figure above gives an overview of Force Field Analysis, with the restraining forces set against the driving forces in achieving the effectiveness of the ISMS goal. The driving forces are those that push for and promote change (Whitman and Mattord 2013). The restraining forces, in contrast, hold back the driving forces and prevent change from being achieved by creating risks and obstacles (Peltier 2013). Strengthening the driving forces while eliminating the restraining forces can therefore assure the success of the ISMS goal, which is mainly to prevent risks by providing cost-effective control measures (Whitman and Mattord 2013). The human factors in Force Field Analysis are very subjective matters that need to be measured in order to be visualized and quantified (Peltier 2016). Human factors are thus subjective matters that require techniques for quantifying them. FFA enables the quantification of human aspects, assisting the senior management of this organization in deciding how to allocate the organization's resources to achieve the ISMS goals (Crossler et al. 2013).
The figure above shows the status of both directions and the forces along which this organization must move to achieve an effective ISMS (Ifinedo 2012). The current scenario prevents positive changes and stops the ISMS from moving towards the ideal solution, keeping the status quo (Vacca 2012). The obstacles promote the goals, and the risks boost the integrity of the ISMS. There are several human aspects and human factors of information security:

- Information security can create usable security mechanisms.
- It can implement user-centric privacy and security.
- It can control human behaviour in cyber privacy and security (Ifinedo 2014).
- It can balance potential security against user-friendliness.
- It can enhance user privacy through its design (Hu et al. 2012).
- It can raise users' awareness of cyber security and of training programs (Andress 2014).
- It can create marketing models for end-user security.
- It plays a significant role in end users' understanding of cyber security risks and their mitigation (Cavelty and Mauer 2016).
- It develops the economics of cyber security for end users (Kolkowska and Dhillon 2013).
- It helps this organization improve its cyber security policy and the behaviour of its users.
Improvement of the Human Aspects of Information Security

Figure 2: Information Security Policy (Source: Baskerville, Spagnoletti and Kim 2014, pp.149)

First, the security mechanisms should be improved so that the chances of a cyber attack can be completely eliminated (Cezar, Cavusoglu and Raghunathan 2013). Second, a trustworthy biometric security system should be put in place in this organization. Third, trustworthy and secure ambient and life-logging intelligent ecosystems should be introduced. Finally, the organization should pay more attention to social influence and user psychology when making its decisions about privacy and security.

Security Outsourcing

As a business grows, its operating costs increase (Crossler et al. 2013). There are several steps an organization can take to lower the amount it pays for daily expenses such as electricity, payroll, payment processing and telecommunications (Merkow and Breithaupt 2014). This organization intends to construct a list of security requirements based on common sense in order to satisfy this particular requirement (Alberts and Dorofee 2012). That approach has proven fairly effective with simple and well understood media such as pen and paper (Bulgurcu, Cavusoglu and Benbasat 2016). The likelihood of a gap in such a common-sense list of requirements has grown as information management has become more complicated (Whitman and Mattord 2013). The decline in common understanding of how the organization's information is recorded, stored, manipulated and erased makes it very difficult to identify a complete set of security requirements for protecting it (Baskerville, Spagnoletti and Kim 2014).
Effective outsourcing of a business function therefore requires that the function be defined and appraised, and its inputs and outputs established (Crossler et al. 2013). Using this information, the organization can approach the market and specify clearly the scope of what it requires and what deliverables it expects (Cezar, Cavusoglu and Raghunathan 2013). Organizations often outsource their distribution, accounting and payroll (Baskerville, Spagnoletti and Kim 2014). This organization has decided to adopt an outsourcing strategy in order to lower its operating costs (Catteddu 2014). It wants to look at strategically hiring staff in foreign countries to complete the tasks that its internal staff currently perform (Gordon and Loeb 2012). This has several advantages and benefits:

Improved performance. While the internal staff of this organization gain time to focus on their core roles, the overseas staff can become specialists in specific areas at a fraction of the cost (Alberts and Dorofee 2012). The business can potentially become more efficient.

Reallocation of funds. The money saved on payroll can be reinvested in assets, researching new markets or refurbishing premises (Bulgurcu, Cavusoglu and Benbasat 2016).

There can be several security issues for this organization in an outsourcing strategy aimed at reducing operating cost (Anderson 2012). The information security domain is the aggregate of the subsets of all the other domains (Gordon and Loeb 2012). From this arises the requirement to have controls in place that assure all the domains operate correctly (Cezar, Cavusoglu and Raghunathan 2013).
The components of outsourcing can be achieved easily, but there is often a significant gap between the intent of outsourcing and its results (Merkow and Breithaupt 2014). Security concerns with outsourcing IT services include maintaining the privacy of sensitive data, awareness of local laws and regulations, and quality of service (Denning 2014). To secure outsourcing activities effectively, it is therefore very important to have proper procedures in place (Whitman and Mattord 2013). The security procedure for data transfer is as essential as the processes governing how the external organization will store and secure the data within its own facility (Peltier 2013). The other important area that an organization adopting an outsourcing strategy must cover is the direct network connections between the outsourcing provider and the company (Peltier 2016). Any such connection can create serious vulnerabilities in the enterprise network (Alberts and Dorofee 2012). These vulnerabilities include unauthorized access by the partner's personnel, intrusion by a hacker who has penetrated the partner's network, and the installation of Trojans or other malicious software (Baskerville, Spagnoletti and Kim 2014).

Summary

Information Security has become a major concern and a major problem for all businesses. Unlike bigger companies, however, small businesses often lack the resources to manage the processes for maintaining data security. The attention of this particular business is focused only on commercial activities such as sales growth and winning new customers. This report has therefore set out suggestions on the matters related to information security.
This report has discussed in detail the process of improving the information security of small and medium enterprises. It has also described the importance of the unique issues that SMEs face and discussed a strategy for improving the organization's security. Deorham knows very well that information security is often described as a human issue, so the human aspects of information security have also been discussed in this study. Finally, the outsourcing strategy followed by the company and the security issues associated with it have been discussed. From the discussion in this report it can be concluded that Deorham should keep focusing on continuous improvement of its information security process. In doing so, the organization should also attend to the security issues of the outsourcing strategies it uses to lower operating costs, and to the proper implementation of techniques to mitigate those issues.

Reference List

Alberts, C.J. and Dorofee, A., 2012. Managing information security risks: the OCTAVE approach. Addison-Wesley Longman Publishing Co., Inc.

Anderson, R., 2012, December. Why information security is hard - an economic perspective. In Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual (pp. 358-365). IEEE.

Andress, J., 2014. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.

Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), pp.138-151.

Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2016. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), pp.523-548.

Catteddu, D., 2014. Cloud Computing: benefits, risks and recommendations for information security. In Web Application Security (pp. 17-17). Springer Berlin Heidelberg.

Cavelty, M.D. and Mauer, V., 2016. Power and security in the information age: Investigating the role of the state in cyberspace. Routledge.

Cezar, A., Cavusoglu, H. and Raghunathan, S., 2013. Outsourcing information security: Contracting issues and security implications. Management Science, 60(3), pp.638-657.

Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R., 2013. Future directions for behavioral information security research. Computers & Security, 32, pp.90-101.

Denning, D.E.R., 2014. Information warfare and security (Vol. 4). Reading: Addison-Wesley.

Gordon, L.A. and Loeb, M.P., 2012. The economics of information security investment. ACM Transactions on Information and System Security (TISSEC), 5(4), pp.438-457.

Hu, Q., Dinev, T., Hart, P. and Cooke, D., 2012. Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), pp.615-660.

Ifinedo, P., 2012. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), pp.83-95.

Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), pp.69-79.

Kolkowska, E. and Dhillon, G., 2013. Organizational power and information security rule compliance. Computers & Security, 33, pp.3-11.

Merkow, M.S. and Breithaupt, J., 2014. Information security: Principles and practices. Pearson Education.

Peltier, T.R., 2013. Information security fundamentals. CRC Press.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Siponen, M.T., 2015. A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), pp.31-41.

Vacca, J.R., 2012. Computer and information security handbook. Newnes.

Whitman, M.E. and Mattord, H.J., 2013. Management of information security. Nelson Education.

Whitman, M.E. and Mattord, H.J., 2013. Principles of information security. Cengage Learning.
