IT Strategy For Information Security

Information Security Strategy

The world of information technology (IT) has evolved tremendously in the last few decades. Today, IT systems permeate virtually every aspect of work in the organizational setting – from strategic planning functions to administrative and operational functions such as human resource management, payroll management, project management, procurement, customer relationship management, and financial management. These systems have enabled organizations to undertake a wide variety of tasks with far greater ease, effectiveness, and efficiency than ever before. Nonetheless, with greater dependence on IT systems, organizations increasingly face a significant problem – information security (Andress, 2011). Against the backdrop of growing incidents of hacking and other cyber crimes, protecting information has become a top priority for organizations – small and large – in diverse sectors and industries (Vacca, 2013). Indeed, information security has been identified as a key ingredient of organizational success in the 21st century. Recent incidents of cyber crime – e.g. the Equifax data breach (July 2017), the WannaCry ransomware (May 2017), the JPMorgan Chase Bank hacking incident (2014), the eBay data breach (2014), and the Sony PlayStation Network hacking incident (2011) – are stark reminders of the severe consequences that information security failures can have for organizations.

It is imperative for an organization to have a robust information security strategy. Any prudent organization cannot afford to be casual when it comes to information security. This is particularly because cyber criminals are employing more and more cunning ways to gain unauthorized access to data (Whitman & Mattord, 2017). This means that organizations must also use more ingenious information security techniques. An information security strategy acknowledges information security as a priority for the organization, clearly identifies roles and responsibilities for information security, and outlines competence areas and resources relating to information security. This paper presents an information security strategy for the organization. Attention is specifically paid to the role of the chief information security officer (CISO), the role of the chief information officer (CIO), and how the digital forensics function complements the overall security efforts of the organization. Also, the paper evaluates the operational duties of digital forensic personnel and highlights the technical resources available to digital forensics personnel for performing forensic audits and investigations.

Role of the Chief Information Security Officer

With information security increasingly becoming a priority for the organization, having a CISO is imperative. The U.S. Department of Homeland Security’s (DHS) Information Technology (IT) Security Essential Body of Knowledge (EBK) defines a CISO as the officer in charge of an organization’s information and physical security strategy (DHS, 2008). The officer is specifically involved in developing and enforcing the organization’s information security policies and procedures, information security awareness programs, and disaster recovery and business continuity plans, as well as ensuring compliance with the relevant government laws and regulations.

The CISO position is essentially an executive position (Conklin & McLeod, 2009). The CISO serves as the head of all information security operations in the organization. One of the important functions performed by the CISO entails developing the organization’s information security plan. An information...

...

The CISO can execute this function, for instance, when the organization is contemplating enhancing information security in the wake of a significant security breach. When such a breach occurs, it is the role of the CISO to recommend specific ways in which the organization can prevent a similar breach in the future.

Part of ensuring information is secure involves acquiring information security products. It is the duty of the CISO to recommend to the organization the most suitable security products and the most suitable vendor for providing them (Andress, 2011). This role is particularly crucial when the organization is, for instance, installing a new information security system. It is not enough just to have an information security plan and to acquire the required information security products: all employees within the organization must also have comprehensive information security awareness (DHS, 2008). Ensuring this awareness falls under the umbrella of the CISO. The CISO is responsible for developing an information security awareness program for the organization, as well as designing and implementing training initiatives that familiarize employees with the organization’s information security plan and their roles in promoting information security.

Fulfilling these roles requires the CISO to have a number of competencies. Some of the areas in which the CISO should be competent include data security, system and application security, security risk management, digital forensics, incident management, business continuity, IT security training, physical and environmental security, regulatory compliance, and procurement (DHS, 2008). These competencies place the CISO in a better position to fulfill the information security needs of the organization.

Role of the Chief Information Officer

It may appear as if the CISO and the CIO are one and the same, or perform similar duties. While their duties generally revolve around information security, the CIO is the more senior role. The CIO is a member of the organization’s topmost executive team and serves as the most senior IT officer in the organization. Ordinarily, the CIO is accountable to the chief executive officer (CEO). The overarching role of the CIO encompasses developing the organization’s overall IT strategy (DHS, 2008). This relates not just to information security, but also to IT policies and information systems (Conklin & McLeod, 2009). For example, if the organization wishes to automate its processes, it is the job of the CIO to develop a viable IT strategy for the organization and to oversee the implementation of that strategy.

The CIO is also involved in evaluating the organization’s IT strategy (DHS, 2008). At its core, a strategy is meant to achieve certain goals and objectives. For instance, the organization may adopt an IT system with the aim of reducing administrative or operational costs. In this regard, the CIO is involved in monitoring the relevant metrics to ascertain whether the specified objectives were achieved or not. Based on the evaluation, the CIO can then make recommendations to the management. Another important role of the CIO relates to the acquisition of IT infrastructure and personnel. The CIO is responsible for ensuring the organization has the necessary IT infrastructure to support its computing and data processing needs. Also, as the leader of the IT team, the CIO should ensure the…

References

Andress, J. (2011). The basics of information security: Understanding the fundamentals of infosec in theory and practice. New York: Elsevier.

Conklin, A., & McLeod, A. (2009). Introducing the Information Technology Security Essential Body of Knowledge framework. Retrieved from http://www.amcleod.com/mcleod8.pdf

Shankdhar, P. (2017). 22 popular computer forensics tools. InfoSec Institute. Retrieved from http://resources.infosecinstitute.com/computer-forensics-tools/#gref

Stallings, W. (n.d.). Standards for information security management. CISCO. Retrieved from https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-38/104-standards.html

U.S. Department of Homeland Security. (2008). Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development. Washington, D.C.: U.S. Department of Homeland Security, National Cyber Security Division.

Vacca, J. (2013). Computer and information security handbook. New York: Elsevier.

Whitman, M., & Mattord, H. (2017). Principles of information security. 6th ed. Boston: Cengage Learning.

Cite this Document:

"IT Strategy For Information Security" (2017, November 09). Retrieved April 25, 2024, from https://www.paperdue.com/essay/it-strategy-information-security-2166621