
Data information security policy review with risk analysis and recovery planning

Last reviewed: August 2, 2012
Abstract

As information security risks have escalated in the last few years, the development and establishment of comprehensive and effective information management systems and plans has become an important aspect of many organizations. This paper examines the information security policy at EMC and includes recommendations for improvements. The discussion includes identification of the data security risks, recovery plan, and the effect of the risk analysis and recovery plan on the department information management.

¶ … Security Policy:

The information security environment is evolving because organizations of different sizes usually experience a steady stream of data security threats. Small and large business owners as well as IT managers are kept awake by threats such as malware, hacking, botnets, and worms. These managers and business owners are usually concerned about whether the network is safe and strong enough to repel attacks. Many organizations suffer either from security paralysis or from attempts to apply some best practices on the belief that they were efficient for other companies or organizations. However, neither of these approaches is a balanced strategy for safeguarding information assets or maximizing the value obtained from security investments (Engel, 2012). Consequently, many organizations develop a coherent data and information security policy that prioritizes and handles data security risks. Some organizations develop and establish a formal risk assessment process while others pursue an internal assessment.

Analyzing Data Security Risks:

As part of the development of a data and information security policy, organizations need to develop a strong foundation for their security strategy. Security risk analysis, commonly known as data security risk assessment, is essential to the information security of an organization. This is mainly because the assessment helps ensure that controls and expenditure are proportionate to the risks that the organization is exposed to. In terms of flexibility and usability, most of the conventional means of conducting security risk analysis are becoming increasingly unsustainable.

Therefore, modern virtual, dynamic, and global enterprises need an information security strategy that is based on an all-inclusive understanding of information assets. These strategies should also incorporate an understanding of threats to information assets, present controls to counteract those threats, and the resulting risks. Organizations of all kinds can no longer depend on a product-centric approach to security management that basically handles threat isolation. An information-centric risk management perspective that ensures every aspect of the organization's information security program is required for the efficient control of operational and business requirements ("EMC Information Risk Assessment," 2008). Such an information security risk assessment strategy includes a five-step process that identifies information assets, locates information assets, classifies information assets, performs a threat-modeling exercise, and finalizes data and starts planning.

Risk Analysis of EMC Information Security Policy:

The EMC Information Security Policy is developed and established for the purpose of showing clear management direction and commitment to safeguarding the integrity, availability, and confidentiality of every information asset through a comprehensive approach towards information security. The policy seeks to lessen risks, evaluate vulnerabilities, and mitigate probable threats in a proactive way as it also handles the physical, administrative, and logical controls that are necessary to offer protection, detection, and response capabilities. These controls promote the maintenance of a comprehensive information security posture in the entire organization.

The data and information security risks within the organization span a wide range of the information security capabilities, including the information network, databases, applications, storage, and endpoint. Some of the risks associated with these major segments of information capabilities include eavesdropping, loss, theft, device takeover, unauthorized access, unauthorized activities, leakage, unavailability, and media loss. The occurrence of these activities causes huge problems for the organization's data and information security capabilities.

Recovery Plan:

Since data loss or theft is one of the identified information security risks that can take place, data recovery is an important aspect of EMC Information Security Policy. In most cases, data recovery is important when the source material fails or when there is inadequate physical or logical backup within the organization. Data recovery is basically described as the process of retrieving data from damaged, corrupted, failed, or inaccessible storage media when it cannot be accessed through normal procedures (Wigle, 2010). Notably, the process of data recovery usually varies depending on the type of damage to the memory of the storage or electronic device.

Different types of damage to the source material lead to different situations in which data recovery is needed. The two most common situations in which data recovery is needed to retrieve the data or information on the damaged storage device are when internal damage occurs and when there is external damage to the device. Internal damage to the device is defined as programs developed to interfere with the normal functioning of the computer, such as viruses. In contrast, external damage is the occurrence of physical harm to the device, such as dropping the device and exposure to heat or liquids.

Regardless of the kind of damage or situation that contributes to the need for data recovery, the organization needs to take certain actions to enhance the retrieval of the information. First, there is a need to repair the device or media that has experienced external damage so that pre-existing data can be recovered. Secondly, the organization may consider bitstream imaging or copying in order to recover the damaged physical drive or sectors. The third action of data recovery involves conducting logical recovery of files, necessary items, and partition structures. The final action or phase of data recovery is the repair of pre-existing files in damaged sectors or space to recover as much as possible ("Data Recovery Overview," 2010).

Effect of Risk Analysis and Recovery Plan:

EMC's data and information security risk assessment is necessary for the effective information management of the organization. On the other hand, the organization needs to establish an efficient data recovery plan to ensure that information that is lost or stolen from the organization is not completely gone. Risk analysis has a significant effect on EMC's information management since it helps in the evaluation of the existing controls to determine whether there is a need for extra mitigating controls (Maniscalchi, 2010). Generally, the efficiency of the established controls depends on periodic evaluation, which is accomplished through conducting information risk analysis. Moreover, major enhancements, conversions, upgrades, and necessary changes associated with the information systems and applications are usually preceded by a risk analysis or assessment.

Cite This Paper
PaperDue. (2012). Data information security policy review with risk analysis and recovery planning. PaperDue. https://www.paperdue.com/essay/security-policy-the-information-security-81386
