The technological advances witnessed in the past twenty to thirty years have placed a tremendous emphasis on data and information. Computers have changed the world in many facets, and the ability to communicate and perform work has been greatly assisted by the digital age. Along with these newfound powers come newfound threats. The need to protect these informational investments and resources has produced new sciences and approaches to accomplishing that task.
The purpose of this essay is to discuss and analyze how to establish an information security program to protect organizational information. This essay will address the specific guidelines and elements that compose such a program and explore ways in which these methods can be applied for the fullest possible benefit. Specific guidelines will be discussed; however, this is a general overview of a program, and the details inherent in such a program will be omitted for simplicity's sake. The main idea of this essay is to explain the fundamental concepts contained within an information security program and how these qualities affect the ability to produce and maintain a competitive advantage within any chosen industry or business realm.
Identifying Information Threats
Before identifying any reasonable steps toward an information security program, it is wise and prudent to first single out the major threats to the particular business. Threats are both unique and general depending on the situation, so it is essential that both avenues of approach are covered and investigated to determine the most harmful and pressing threats currently being waged against the organization. Since computers and information are part of almost every legitimate business organization, there is a constant and persistent threat against which they must be protected at all times. Companies and organizations soon become dependent on these technologies, and their usage increases. This dependence also creates security concerns in proportion to the emphasis placed on those technologies.
It appears that many companies and organizations are unaware of the ease with which their information and data can be compromised. Durbin (2013) explained how information is a critical resource that must be protected from the many and varying threats that exist in the world today. He wrote, "as we move into 2014, attacks will continue to become more innovative and sophisticated. Unfortunately, while organizations are developing new security mechanisms, cyber criminals are cultivating new techniques to circumvent them. Businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected, high-impact security events."
The interconnectivity of the internet and wireless communication has allowed for clandestine and secret attempts to steal and propagate digital information. Often businesses have no idea of the high levels of dangerous exposure to which they are submitting themselves. The threats are often invisible and quiet, leaving few traces or clues as to where and how they originated. Threats are everywhere and must be constantly identified, as the industry landscape and markets are always changing and evolving along with the possibilities of threats and danger.
Computer hacking crime syndicates are more prominent in this day and age due to these leaps in technology and communication. Grimes (2012) argued that these criminal outfits present the largest threat to computer and digital information in today's environment. He wrote, "Many of the most successful organized cyber crime syndicates are businesses that lead large affiliate conglomerate groups, much in the vein of legal distributed marketing hierarchies. In fact, today's cyber criminal probably has more in common with an Avon or Mary Kay rep than either wants to admit. Small groups, with a few members, still hack, but more and more, IT security pros are up against large corporations dedicated to rogue behavior. Think full-time employees, HR departments, project management teams, and team leaders. And it's all criminal, no more funny messages printed to the screen or other teenage antics."
Developing an IT Security Program
Regardless of its industry, goals or mission, an organization must align its greater business strategy with that of its IT program. The ability to design and synthesize actions tailored to the specific scenario in which the organization finds itself is paramount to developing a successful security program. This step allows the program to develop around the main ideas and tenets of the company and creates a representation of what is most important within the company.
Additionally, the IT department is often made solely responsible for the design, implementation and execution of an information security program. This is most likely not the best approach, as all members of the team must have the appropriate familiarity with the program, and with their role within it, to bring the effort to maximum fruition. Teamwork is therefore necessary in designing a complete and robust program that can have a deep and profound effect on the way the organization conducts business and achieves a competitive advantage.
Risk assessment therefore becomes one of the most essential tools an organization can use to understand and prepare for the implementation of an information security program. Kadel (2004) wrote, "a security program, at its core, is about risk management, identifying, quantifying and mitigating risks to computer data. There are seven basic steps to risk management: 1. Identify the assets. 2. Assign value to the asset. 3. Identify the risks and threats corresponding to each asset. 4. Estimate the potential loss from that risk or threat. 5. Estimate the possible frequency of the threat occurring. 6. Calculate the cost of the risk. 7. Recommend countermeasures or other remedial activities" (p. 8).
Once again it is important to realize that the leadership of the organization is responsible for applying these risk criteria to the appropriate area of responsibility. The unique aspects of every organization mean that the risks associated with it are unique as well. "Each organization is different, so the decision as to what kind of risk assessment should be performed depends largely on the specific organization. If it is determined that all the organization needs at this time is general prioritization, a simplified approach to an enterprise security risk assessment can be taken and, even if it already has been determined that a more in-depth assessment must be completed, the simplified approach can be a helpful first step in generating an overview to guide decision making in pursuit of that more in-depth assessment" (Schimitting & Munns, 2010).
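The seven steps quoted from Kadel can be carried through quantitatively. The following is an added example written for this essay, not code from Kadel or from any cited author; the asset names, values, exposure factors and annual rates are constructed sample figures, and the worthwhile-control test uses the common single-loss / annualized-loss expectancy convention (SLE = value × exposure factor, ALE = SLE × annual rate).

```python
# Added example (not from the essay or the cited authors): a small quantitative
# risk register that walks the seven risk-management steps. Every asset, value
# and frequency below is a constructed sample figure, not real data.
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    exposure_factor: float      # fraction of the asset's value lost per incident (0..1)
    annual_rate: float          # expected incidents per year (annualized rate of occurrence)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    risk_reduction: float       # fraction of the annual loss it removes (0..1)


@dataclass
class Asset:
    name: str                                   # step 1: identify the asset
    value: float                                # step 2: assign a value
    threats: list = field(default_factory=list)  # step 3: threats for this asset


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Step 4: potential loss from one occurrence (SLE = value * exposure factor)."""
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Steps 5-6: yearly cost of the risk (ALE = SLE * annual rate)."""
    return single_loss_expectancy(asset, threat) * threat.annual_rate


def rank_risks(assets: list) -> list:
    """Return (asset name, threat name, ALE) rows, highest yearly cost first."""
    rows = [(a.name, t.name, annualized_loss_expectancy(a, t))
            for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def countermeasure_is_worthwhile(asset: Asset, threat: Threat, cm: Countermeasure) -> bool:
    """Step 7: recommend a control only if the ALE it removes exceeds its own cost."""
    ale_before = annualized_loss_expectancy(asset, threat)
    ale_after = ale_before * (1.0 - cm.risk_reduction)
    return (ale_before - ale_after) > cm.annual_cost


# Constructed sample register.
CUSTOMER_DB = Asset("customer database", 500_000.0,
                    [Threat("ransomware", 0.6, 0.5), Threat("disk failure", 0.2, 0.1)])
WEB_SITE = Asset("public web site", 50_000.0, [Threat("defacement", 0.3, 2.0)])
REGISTER = [CUSTOMER_DB, WEB_SITE]
OFFLINE_BACKUPS = Countermeasure("offline backups", 20_000.0, 0.9)
```

Running `rank_risks(REGISTER)` puts ransomware against the customer database first, and the same control that is clearly worth buying for that risk fails the cost test for the low-frequency disk-failure risk, which is the prioritization the simplified assessment is meant to surface.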
Components of an IT Security Plan
Simplicity and ease of use are the most pressing ideas surrounding a competent and practical information technology security plan. Approached in this manner, access becomes the most glaring component of any IT plan. Access is important because this is where and how information can be approached and taken, and it is the first step in composing an IT plan that is both safe and secure. Hu (2006) suggested that "access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control." Using logon names and passwords is the simplest way to create a system of security regarding access. While this may be appropriate at many levels of the security plan, the more important and sensitive the information is, the more restrictions on access should be imposed within the information technology security plan.
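The distinction Hu draws, between granting complete access after authentication and mediating every attempt with tighter rules as sensitivity rises, can be shown as a small reference monitor. This is an added example written for this essay, not code from Hu or from any product; the sensitivity tiers, role names, users and resources are constructed assumptions.

```python
# Added example (not from the essay or from Hu): a minimal reference monitor that
# mediates every access attempt and adds a requirement at each sensitivity tier.
# Users, roles and resources are constructed samples.
from dataclasses import dataclass

# Sensitivity tiers, lowest to highest (constructed labels).
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = range(4)


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool             # passed logon name and password
    mfa_verified: bool = False      # passed a second factor in this session
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: int
    allowed_roles: frozenset = frozenset()   # roles permitted to access it


def authorize(user: User, resource: Resource) -> tuple:
    """Return (allowed, reason). Deny by default; each tier adds a condition."""
    if resource.sensitivity == PUBLIC:
        return True, "public resource"
    if not user.authenticated:
        return False, "authentication required"
    if resource.sensitivity == INTERNAL:
        return True, "authenticated user"            # logon alone suffices here
    # CONFIDENTIAL and above: authentication alone is not enough.
    if not (user.roles & resource.allowed_roles):
        return False, "role not permitted"
    if resource.sensitivity == RESTRICTED and not user.mfa_verified:
        return False, "second factor required"
    return True, "role and factors satisfied"


def audit(user: User, resource: Resource, log: list) -> bool:
    """Record every mediated attempt, allowed or denied, so monitoring can review it."""
    allowed, reason = authorize(user, resource)
    log.append(f"{user.name} -> {resource.name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    return allowed


# Constructed sample principals and resources.
ALICE = User("alice", authenticated=True, mfa_verified=True, roles=frozenset({"finance"}))
BOB = User("bob", authenticated=True, roles=frozenset({"finance"}))
GUEST = User("guest", authenticated=False)
PRICE_LIST = Resource("price list", PUBLIC)
WIKI = Resource("staff wiki", INTERNAL)
PAYROLL = Resource("payroll", RESTRICTED, allowed_roles=frozenset({"finance"}))
```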
There are many dangers and problems with this portion of the plan. Access is not a simple process, and the complexities of the business organization will certainly dictate the complexities of the IT plan designed to protect it. When planning for access control it is important that certain standards are kept and that the strategic outlook remains prominent in the planning stages. Often, designers of such systems overlook key portions of access control that may have damaging effects down the road. Technology can be a great assistance in avoiding such problems, and getting the most out of what is available will no doubt serve the project well. Bioscolo (2008) agreed with this argument when he wrote, "Traditional security solutions, such as firewalls, anti-virus, anti-spyware, patch management, or VPNs are no longer sufficient to keep the threats off the network. While these play a vital role, companies are still dealing with devices connecting to the network with unpatched software, out-of-date anti-virus and improper security settings. Not keeping devices up-to-date is probably the largest hole in the security fight today."
IT security programs need more than just a good idea. Monitoring and supervising these functions is also an integral part of any security plan. Privacy enters the picture in this phase of the program, and these issues should reflect the greater organizational strategy. In some businesses, such as…