Security Implementation Of Capstone Project

Information System Security Plan

An information security system is required to secure the business process and protect the organization's confidential data. The organization's management must analyze which system is appropriate to implement and evaluate the service provided against its needs. Implementing the system requires compliance between organizational policies and the service provider to ensure the maximum efficiency of the system. Continuous updates and maintenance are required to keep the system invulnerable to potential internal and external threats.

Data Security Manager and Coordinator

Develop Plan

Implement Plan

Employees Training

Test Safeguards

Evaluate Service Providers

Internal Risks

Change Passwords Periodically

Restricted access to personal information

Safeguard paper records

Report unauthorized use of customer information

Terminated Employees

3. External Risks

3.1 Firewall Protection

3.2 Data Encryption

3.3 Secure user authentication profiles

3.4 Secure access control measures

4. External Threats

4.1 DOS Attacks

4.2 Adware/Spyware

5. Data Protection

5.1 Backups

5.2 Updated Software

5.3 Complex Passwords

5.4 Protect Equipment

5.5 Regular Maintenance

Conclusion

REFERENCES

Introduction

The unpredictable and fragile corporate environment has created a pressing need to secure business mechanisms and processes with information security systems. These systems are required to make work and communication procedures efficient and secure for businesses and their clients, so that the latest advancements in information technology can be fully utilized.

An effective information security system can be built into business processes only if it is planned carefully for successful implementation and the desired outcomes. An effective security plan must be developed that not only makes business processes and transactions efficient but also gives the company a competitive security advantage by keeping its business and customer information safe (Dhillon & Backhouse 2000).

The current study aims to provide a comprehensive security plan that constructs safeguards across technical, physical and administrative practices so that the confidential and personal information of clients and employees can be kept safe.

1. Data Security Manager and Coordinator

The data security coordinator in an organization is responsible for communicating the importance of the security system and security measures to all employees in the organization. The coordinator is also responsible for monitoring whether employees are taking the suggested measures and operating the security system effectively (Whitman & Mattord, 2011).

1.1 Develop Plan

The information security plan should be developed by the information security executive or manager. According to Whitman and Mattord (2011), the security manager has to develop systematic organizational goals and objectives that the proposed security plan addresses and that comply with organizational processes. The plan should also be developed within the budget the organization has allocated for system development. Appropriate processes should be developed to monitor employees' practices so that the system is used properly, and specific procedures should be created to observe the efficiency of the security system. System security should be prioritized according to the importance of business procedures, and the important procedures and data should be categorized as most confidential so that the data is accessible to authorized users only.

1.2 Implement Plan

Implementation of the security system begins with an analysis of the service providers for the security system. Objective data and metrics are developed to rate the service providers, and the best provider in terms of cost efficiency, service quality and the degree to which the proposed system complies with organizational processes is selected. The service provider and the organization then reach an agreement, and the implementation process takes place. The plan is implemented effectively when policies and guidelines are deployed at the organizational level and employees follow them strictly, ensuring the security of the system proposed in the security plan. The security manager then identifies the gap with the help of his security management group in order to observe the extent at which the organization's employees lack in order to follow the proposed...

...

The employees who need training should be segmented on the basis of their knowledge and department so that effective means of training can be adopted to ensure maximum learning. The departments and employees of the organization should be segmented with respect to the employees' contribution and liability in the organization. Employees should be informed about the benefits of the security plan so that they show proactive behavior towards learning and implementing the program. Furthermore, trainers need to be hired or outsourced to train employees on operating the security system (Whitman & Mattord, 2011).

1.4 Test Safeguards

The extent to which the security system is safe should be analyzed through close observation and assessment by conducting internal audits. The vulnerability of the system is assessed through reviews of the system configuration and system scans that check the system for misconfiguration and process weaknesses. Moreover, it should be observed how employees are using the suggested practices to gain the optimum benefit from the system, and continuous internal and external audits should take place to analyze the potential threats that can create bugs in the implemented system. Quantitative analysis should be used to keep track of the number of times the security system produces glitches so that the system's vulnerability can be identified (Jain et al., 2006).

1.5 Evaluate Service Providers

The performance of the service provider with respect to the implemented security system is evaluated to find out whether the system is achieving its desired objectives. Therefore, compliance between the system security manager and departmental heads is necessary to find out whether the system has proven vulnerable and whether it is able to provide optimum results. The organization can conduct a survey to find out whether employees and customers are satisfied with the application and installation of the new system. According to Jain et al. (2006), metrics and statistical data based on the performance of the security service will show the efficiency and effectiveness of the security system. The security manager should ensure that the service provider has been in compliance with the company and does not neglect any aspect of the organizational policy. In addition, the system can be evaluated through evaluation processes conducted in special laboratories that assess the compliance of the security system with the organizational requirements. These processes include the National Information Assurance Partnership (NIAP) and the Cryptographic Module Validation Program (CMVP).

2. Internal Risks

The security system that is being implemented should be able to address the internal risks that may threaten the confidential information of the organization and can cause the misuse of client and business data. The potential internal risks are discussed below:

2.1 Change Passwords Periodically

Employees often change their passwords, which threatens the confidentiality of organizational information. Moreover, when employees use complex passwords, they need to memorize a new password every time they change it. It becomes difficult for employees to create complex passwords periodically and remember them. They cannot alternate between previous passwords, because if any of those passwords are encrypted then an unauthorized user will get unlimited access (Tipton & Krause, 2003).

2.2 Restricted access to personal information

Personal information related to clients, and the data and information exchanged between clients and the organization, should be restricted from certain levels of employees. Access by internal employees and users should be controlled with a secured VPN, and it should be ensured that only specific users can access that data. Access to such data can be limited by using a Layer-3 firewall to control client traffic and deny or restrict access. Moreover, the information should be encrypted such that only authorized people can use it (Kaufman et al., 2002).

2.3 Safeguard paper records

Paper records, which mainly consist of transactions, agreements and policies, should be encrypted properly, encoding the papers in such a way that only authorized personnel can read them.

2.4 Report unauthorized use of customer information

The organization's policy guidelines should provide for proper reporting of unauthorized use. Kaufman et al. (2002) imply that direct guidelines should be made that tell employees whom to report to immediately if they find that customer information is being used by someone who is…

REFERENCES

Baskerville, R., & Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics Information Management, 15(5/6), 337-346.

Dlamini, M.T., Eloff, J.H., & Eloff, M.M. (2009). Information security: The moving target. Computers & Security, 28(3), 189-198.

Dhillon, G., & Backhouse, J. (2000). Technical opinion: Information system security management in the new millennium. Communications of the ACM, 43(7), 125-128.

Jain, A.K., Ross, A., & Pankanti, S. (2006). Biometrics: a tool for information security. Information Forensics and Security, IEEE Transactions on, 1(2), 125-143.


Cite this Document:

"Security Implementation Of" (2015, February 28) Retrieved April 19, 2024, from
https://www.paperdue.com/essay/security-implementation-of-it-2148481
