Security Analysis in the UK Essay

Excerpt from Essay:

Security Report

Organizations today depend on information to remain relevant and avoid obsolescence. More precisely, they depend on the controls and systems they have put in place to preserve the confidentiality, integrity, and availability of their data and information (Lomprey, 2008). Threats to the information held by organizations and their information systems are increasing (Lomprey, 2008), and so is the complexity of those systems and of the information itself, which makes it all the more important for organizations to understand how to better safeguard both. As Briggs (2005) observes, globalization has turned the world into a global village, which has in turn increased the complexity of information security for organizations everywhere: there is a greater need for accessibility, but at the same time an even greater need for accountability and integrity (Briggs, 2005). Because the organization studied here is a military company, the information it holds is highly sensitive and must be protected accordingly (Lomprey, 2008). According to Whiting (2010), enterprise risk management (ERM) addresses the strategic, financial, accidental, and other risks that an organization faces. ERM does not, however, consistently cover the risks customarily associated with security; it is enterprise security management that exists to ensure these risks are identified and treated (Whiting, 2010).
The following report sets out the strategic management of information security, the key components of a strategic plan for information security, the challenges and benefits of managing information security, and the recommendations arising from this review.

To outline key explanatory aspects relating to the strategic management of the security function you have chosen

By definition, information security is the protection of information from a wide range of threats, with the objective of ensuring business continuity, minimizing risk, and maximizing return on investment. According to the Information Security Handbook published by the National Institute of Standards and Technology (NIST SP 800-100), the strategic management of information security involves planning for and executing a structure and processes that support the alignment of the information security strategy with corporate goals and objectives, applicable regulations, and industry standards. One of the key aspects of strategic management of information security is the development of a security plan for the organization (Wakefield, 2003). This involves analyzing the organization's current mission, vision, and strategic security objectives; in particular, the security objectives of the organization's information security unit should be thoroughly analyzed and evaluated (Tipton and Krause, 2003).

The strategic security plan exists to give the organization's management the information it needs to make informed decisions about investment in security. In particular, the strategic plan connects the security function with the direction the business is taking. Security strategies support business goals by identifying security requirements across organizational functions and business units, and by providing the infrastructure, personnel, and practices that meet those requirements. Although driven by business needs, strategies must also take into account other factors that may affect whether those results are achieved, and they must be updated periodically to allow for changes in business direction and in the constraints the organization operates under (Whitman and Mattord, 2010). According to Power (2004), a lack of information security is also a lack of risk management. Effective risk management allows the organization's other business functions to operate smoothly, and it embodies important values and principles, not least accountability and responsibility.

To outline the main components of strategic planning (strategic analysis, strategic design, strategic implementation and strategic review) in relation to the specific requirements of that function

Several elements make up the strategic planning of the specific requirements of information security. To begin with, strategic planning encompasses the implementation of strategies. Information security strategies comprise the plans implemented to mitigate information security risks while complying with legal, regulatory, contractual, and internally developed requirements (Gill, 2014). The typical phases of constructing a strategy are: defining control objectives; identifying and evaluating ways to meet those objectives; selecting controls; establishing standards and metrics; and preparing implementation and review plans. An information security strategic plan seeks to establish the organization's information security program. In essence, the information security program is the whole multifaceted set of activities that supports the protection of information. It consists of technology, formal management processes, and the informal culture of the organization, and it is concerned both with creating effective control mechanisms and with operating and maintaining them (Gill, 2014).

Strategic Analysis

The strategic analysis component of strategic planning examines the security of the information security system as it currently exists. The results of this analysis inform the selection of the security measures the organization will implement, according to the mechanism set out in the security plan. In the end, the organization's assets are valued, the threats to those assets identified, the impact of those threats assessed, and the most suitable security controls recommended. The stages of strategic analysis of the information system include determining the criticality of the system, reviewing the existing information security controls, and evaluating and managing risk (Walby and Lippert, 2014).

i. System Criticality

This sub-phase defines the kind of protection the system requires. Protection is usually expressed in terms of confidentiality, integrity, and availability needs. The degree of criticality is determined from two factors: the availability required of the information resource on which the information is processed, and the sensitivity of the information processed on that resource. Sensitivity, in this context, refers to the need to protect the information from corruption or leakage. The information security manager must rate the organizational system on both factors, availability of the information resource and sensitivity of the information, and then adopt the higher of the two ratings to establish the overall security level of the system (Alfawaz, 2011).

ii. Review of Existing Security Controls

This phase identifies all of the security controls already in place or planned. At least once every three years the organization should arrange an independent management review of its information security controls; the review must be independent of the organization's information security manager. The purpose of these reviews is to provide evidence that the controls selected or installed are adequate to deliver a level of protection consistent with an acceptable level of risk for the information security system (Alfawaz, 2011).

Strategic Design

In the strategic planning of an information security plan, the strategic design stage is the most significant, because it draws on all of the information gathered in the preceding phases. All members of the organizational team must be familiar with the available best security practices, and the organization may also consult outside specialists. The strategic design should produce a structure that fits the organization's security policy and should specify the security controls that apply to the system (Raggad, 2010).

Strategic Implementation

Before the information security plan is implemented, a number of steps must be taken. First, an implementation team has to be formed and a schedule defined. The key members of the implementation team are usually also the people who wrote the information security plan. If the organization intends to outsource, some of the internal security staff who took part in creating the plan should nonetheless be included in the implementation team. Implementation of the plan should be continuously supported by security assessment methods throughout the plan's lifespan, including inspections, checklists, and audits (Raggad, 2010).

Strategic Review

The strategic review ensures that the information security system is operating in accordance with the design manual, which records the security decisions set out in the security plan. The organization must periodically reassess its risks and confirm that the security controls it has in place remain valid.…

Sources Used in Documents:

Alfawaz, S. M. (2011). Information security management: A case study of an information security culture (Doctoral dissertation, Queensland University of Technology).

Ashenden, D. (2008). Information security management: A human challenge? Information Security Technical Report, 13(4), 195-201.

Briggs, R. (2005). Joining Forces: From national security to networked security. DEMOS.

Chang, S. E., & Ho, C. B. (2006). Organizational factors to the effectiveness of implementing information security management. Industrial Management and Data Systems, 106(3), 345-361.

Cite This Essay:

"Security Analysis In The UK" (2015, December 19). Retrieved September 22, 2020.