This paper examines information security within management information systems, addressing both technical and organizational dimensions. It discusses system interconnectivity requirements, security recommendations from standards bodies like NIST, and the balance needed across personal, business, and global security domains. The paper then analyzes major threats—including malware, physical theft, and sabotage—and evaluates countermeasures at host and application levels. Finally, it emphasizes the importance of performance measurement and organizational culture in sustaining effective security programs.
Information security, often referred to as IS or InfoSec, is defined as the practice of defending or securing information from unauthorized users who may access, disclose, use, modify, disrupt, inspect, record, peruse, or destroy it. Overall, information security is the task of information security specialists who determine the nature and value of data to the business and create critical policies to gain control of the internal information system. Information security also involves information assurance, which is the act of ensuring the data is kept safe and not lost in the event of critical issues such as malfunction, physical theft, and natural disasters (Vladimirov, Gavrilenko, & Michajlowski, 2010). This paper discusses information security in its holistic nature as it relates to personal, business, and global information security.
Interconnectivity of information systems is important to allow full interaction and collaboration among users of the system securely. System interconnectivity does not limit the transfer of data but it makes it simpler while ensuring the security of the information is maintained (Smedinghoff, 2008).
Whenever data is shared in an interconnected environment, there is a risk. It is important to assess the new risk for the environment regularly to ensure mitigating efforts are undertaken as fast as possible. The interconnectivity of the system depends on the corresponding controls and configurations and how sensitive the data is (Watkins, 2013a).
In order to maintain the necessary security levels, when there is an interconnection between the information systems, the risks involved should be assessed together with the level of security protections. Both systems should undertake this assessment to ensure the risks involved are limited and provide the necessary protection. Once the connection between the systems is established, the risks are shared and it may require new protections. The groups involved should also have a high level of knowledge sharing and transparency to ensure the level of security in the different systems is the same.
Depending on the information security environment, the security requirements of the systems differ. However, the common requirements are the use of virus scanning and detection tools, intrusion detection, secure identification and authentication, auditing controls, incident reporting and handling, and assessment and authorization (Vladimirov et al., 2010). The security process areas include management of configurations, incident response, creating awareness, training, and ownership of data, maintaining data backups, and responding appropriately to incidents.
Several information security organizations such as the National Institute of Standards and Technology have draft guidelines on information sharing to prevent cyber threats. These guidelines provide recommendations to prevent cyber-attacks and adopt defensive mechanisms.
The first recommendation is to maintain inventory lists of all hardware and equipment that the company owns. This recommendation helps to keep records in case hardware, equipment, and media is stolen. The second is an inventory list of all information the organization is using and that it is capable of producing. This ensures the company has a record of all information that it owns and produces in order to gauge the sensitivity of the information and ensure the appropriate security policies and procedures are applied.
Organizations are also encouraged to exchange information on threats, tools, and techniques that they use to avert these threats in a formal way. The purpose of this recommendation is to inform decision making for each organization and mitigate risks early. In a similar way that organizations think about their competitive landscape and make investments, they should also use logical factors in deciding on their IT operations (Kouns & Kouns, 2011). The company must consider risks associated with information sharing, and the best source of threat intelligence is partners since companies within an industry have unique industry data that when shared will highlight risks and allow smooth continuity of operations.
Companies should also use open standard formats for their data and transfer protocols. When interchanging information electronically, the system should format the data in an open data format that has high standards to transmit the information from one system to another without intervention of human beings.
The fifth recommendation is for companies to augment data collection, management, and analysis using information that they collect from external sources. This links to the sharing of threat intelligence with partners to ensure the company can analyze their data appropriately to determine when they are under attack in a timely manner. Companies should use adaptive methods to share information proactively with partners to ensure that they are aware of the information security threats and vulnerabilities that exist.
Lastly, companies should have clear responsibilities and roles when there is a cyberattack. This means the company should have a cyberattack response plan that is updated regularly and that ensures the company information remains protected at all times. This means the company should regularly evaluate the efficiency and effectiveness of the control measures they put in their systems.
Collaboration in an organization and with other organizations is important. However, it becomes increasingly difficult to maintain information security when the organization is involved in collaborative activities. Corporations struggle to keep up with industry regulatory requirements, risk management, and economic conditions. The major issue that is raised by industry experts is that employees in companies tend to see information security as tasks for the information security personnel without appreciating that it is a mutual task (Calder, 2010). There is need for collaborative effort in order to achieve security of information in any organization.
Many corporations have also become global in the sense that they are expanding their e-commerce capability while increasing interactivity with consumers and customers around the world. These companies are increasingly dependent on third parties for their business operations since these third parties must maintain customer data as confidential. These third parties handle many of the activities in these organizations such as compliance, audit, human resources, IT, information security, and risk management (Watkins, 2013b). While the third parties often have better threat intelligence and response due to their specialization, they create a risk since they have access to the confidential information of the company.
Global organizations must thus have an information security culture that is also upheld by the third parties they engage. To create this culture, the organization must ensure they run information security awareness campaigns regularly. This means the organization must run awareness sessions and activities that are targeted for specific audiences (Watkins, 2013a). These awareness campaigns are essential for the organization to inform its various departments on their security responsibilities to make information security a mutual task for every department.
Secondly, the organization should have cross-functional teams. This requires the company to have risk councils and information security committees to engage in improving the functional areas of the company and improve the overall security position of the organization. The human resources function must be involved in the entrance and exit policies and procedures relating to information security to ensure employees do not leave the organization with confidential information. Cross-functional teams also have the advantage of enhancing communication and collaboration while reducing isolation of the departments and duplicated efforts. This in turn reduces the costs for the organization and improves their profitability (Smedinghoff, 2008).
The management of the organization must be committed to focus on the organizational culture. The organization's culture guides the thinking behind the method by which things are done in the organization. If the management team in the organization does not support the information security program, policies, and procedures, other employees also become discouraged to follow the program (Maddock, 2010). Therefore, it is essential for all senior employees within the organization—the management team, executives, board of directors, and others—to own the information security policies and procedures.
The company should also have a strong culture geared towards information security. This culture should be aligned with the business objectives. A clear relationship between information security and the business objectives should be drawn for system end users to understand the reality surrounding risk reduction (Krausz, 2010).
The company should also have a risk-based approach to information security. This means the company should implement controls even when there is little or no risk. This proactive method of risk management optimizes the flexibility of the organization, reduces the impact of risks and threats when they arise, and improves the regulatory compliance of the organization (Krausz, 2010).
Companies should also balance among people, process, technology, and organization. Effective risk management requires the organization to support its employees through efficient processes and use of appropriate tools and equipment to achieve a balance between the people, organization, process, and technology. These should be properly aligned to support each other and prevent wastage.
IBM estimates that there are close to 100 million information security events annually, and these increase by 12 percent year on year. These security breaches have negative consequences such as damage to brand reputation, lost productivity, lost revenue, investment in forensics, investment in technical support, and hindering regulatory compliance. A different study conducted by PricewaterhouseCoopers (PwC) suggests that in the year ending 2013, the number of breaches reduced but the overall cost of these breaches increased.
In this modern era where the majority of information generated is stored on computers, there exist several threats to the security of information. These threats come in different forms and their impact varies depending on the threat type. The common threats to the computer system include physical theft of the hardware, software attacks using worms and viruses, identity theft, sabotage, and theft of information and equipment. In one way or another, more than 50 percent of people the world over have seen software attacks of some form (Krausz, 2010).
Some of the common examples of software attacks are viruses, phishing attacks, worms, and Trojan horses. Theft of intellectual property, including physical theft of media containing information such as servers, flash drives, external hard drives, and others is also an extensive issue in the information security field (Krausz, 2010). Theft of intellectual property occurs in 23 percent of large and small organizations.
Theft of software, or pirating of software, is also a big issue for software companies. These companies produce software that constitutes their intellectual property and is often heavily guarded. Theft of hardware and equipment is also becoming prevalent in today's world due to most devices being mobile and easy to steal such as laptops, notebooks, mobile phones, and tablets. Cell phones and tablets are the most prone to theft since they are the most desirable pieces of equipment and they have increased data capacity. It is estimated that close to 1 million cell phones and tablets are stolen every year (Kouns & Kouns, 2011). This exposes companies and individuals to huge loss of data and their information security is compromised.
Corporations also collect a large amount of data about their employees, products, customers, and competitors' products and financial status. This data is often stored electronically and transmitted from one computer to another via the Internet. This information is sometimes confidential and can fall into the hands of a hacker or competitor, leading to damage to the overall company reputation or huge financial loss (Kouns & Kouns, 2011). It is therefore essential for companies to protect their confidential information, and even when transmitted, it should be done securely.
Another important threat to information security is sabotage. Sabotage happens when an organization's website or other information is altered in an attempt to get customers to lose confidence in the company (Honan, 2010).
The best way to counter security threats is to think of them at two levels—host and application threats. Host threats include viruses, Trojan horses, worms, footprinting, profiling, hacking, distributed denial of service (DDoS) attacks, unauthorized access, and arbitrary execution of code. Application threats are those that occur when running or using applications and include unauthorized access to confidential information, manipulation of parameters, cross-site scripting, buffer overflows, and DDoS attacks (Bs, 2008).
Viruses, Trojan horses, and worms pose a significant threat to the organization's data since they bring inherent vulnerabilities in applications that spread the threats further. Countermeasures for these three threats include installing operating system updates and software patches, blocking unnecessary firewall and host ports, hardening weak default configurations in the system, and disabling unused functionalities (Tkacheva et al., 2013).
Footprinting includes ping sweeps, port scanning, and enumeration of NetBIOS. Attackers use footprinting to steal valuable system-level information to prepare themselves for larger attacks. Countermeasures to footprinting include disabling unused or unnecessary protocols and ports, locking down ports with the right firewall configuration, using TCP/IP filters for defense in depth, configuring IIS to prevent information disclosure, and using an IDS to pick up any footprinting patterns and reject traffic that is suspicious (Ransbotham & Mitra, 2009).
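As an added example (not from the paper or any cited source), the following Python script implements the IDS-style check the paragraph describes: it reads firewall log lines, counts distinct hosts pinged and distinct dropped ports probed per source, raises ping-sweep and port-scan alerts when assumed thresholds are exceeded, and produces the list of sources to reject. The log format, addresses, and thresholds are constructed for the example.

```python
"""Detect footprinting patterns (ping sweeps, port scans) in firewall log lines."""
from collections import defaultdict

# Constructed sample log lines, not from any real system:
# time action proto src dst dport ("-" when the protocol has no port)
SAMPLE_LOG = """\
10:00:01 DROP ICMP 203.0.113.7 192.0.2.1 -
10:00:01 DROP ICMP 203.0.113.7 192.0.2.2 -
10:00:02 DROP ICMP 203.0.113.7 192.0.2.3 -
10:00:02 DROP ICMP 203.0.113.7 192.0.2.4 -
10:00:05 DROP TCP 198.51.100.9 192.0.2.10 21
10:00:05 DROP TCP 198.51.100.9 192.0.2.10 22
10:00:05 DROP TCP 198.51.100.9 192.0.2.10 23
10:00:06 DROP TCP 198.51.100.9 192.0.2.10 25
10:00:06 DROP TCP 198.51.100.9 192.0.2.10 139
10:00:07 ALLOW TCP 192.0.2.50 192.0.2.10 443
10:00:08 ALLOW TCP 192.0.2.51 192.0.2.10 443
"""

# Assumed thresholds; tune them to the network's size and normal traffic.
SWEEP_HOSTS = 4   # distinct hosts one source must ping to count as a sweep
SCAN_PORTS = 5    # distinct dropped ports one source must probe on a host to count as a scan

def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, action, proto, src, dst, dport = parts
        events.append({"ts": ts, "action": action, "proto": proto,
                       "src": src, "dst": dst, "dport": dport})
    return events

def detect_footprinting(events):
    """Return (pattern, source, count) alerts for ping sweeps and port scans."""
    pinged_hosts = defaultdict(set)   # src -> hosts it sent ICMP to
    probed_ports = defaultdict(set)   # (src, dst) -> dropped TCP ports it tried
    for e in events:
        if e["proto"] == "ICMP":
            pinged_hosts[e["src"]].add(e["dst"])
        elif e["proto"] == "TCP" and e["action"] == "DROP":
            probed_ports[(e["src"], e["dst"])].add(e["dport"])
    alerts = []
    for src, hosts in pinged_hosts.items():
        if len(hosts) >= SWEEP_HOSTS:
            alerts.append(("ping_sweep", src, len(hosts)))
    for (src, dst), ports in probed_ports.items():
        if len(ports) >= SCAN_PORTS:
            alerts.append(("port_scan", src, len(ports)))
    return alerts

def block_list(alerts):
    """Sources a firewall or IDS rule would reject on the strength of the alerts."""
    return sorted({src for _, src, _ in alerts})
```

Running `detect_footprinting(parse_log(SAMPLE_LOG))` flags the ICMP sweep from 203.0.113.7 and the TCP scan from 198.51.100.9 while the legitimate 443 connections raise nothing.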
When a system is locked down to prevent anonymous connections, hackers attempt to use authenticated connections. This means the attacker must attempt to find a valid combination of username and password. The first and most direct way to avoid password hacking is avoiding use of default usernames such as admin, administrator, and user. Secondly, the company should enforce minimum password strength rules to ensure passwords are strong. Lockout policies should also be applied to end-user accounts to limit retries on password guesses. These lockout policies should also log these failed login attempts to take appropriate corrective action (Kumar, Park, & Subramaniam, 2008).
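The three controls named above (no default usernames, a minimum password strength rule, and lockout with logged failed attempts) as an added Python example; it is not from the paper, and the policy values and the three-of-four-character-class rule are assumptions.

```python
"""Login controls: no default usernames, a password strength rule, and lockout that logs failures."""
import hashlib
import hmac
import logging
import os
import re

log = logging.getLogger("auth")
DEFAULT_USERNAMES = {"admin", "administrator", "user"}
MIN_LENGTH = 12         # assumed policy values, not from the paper
MAX_FAILED = 5
LOCKOUT_SECONDS = 900

def is_default_username(username):
    return username.strip().lower() in DEFAULT_USERNAMES

def password_is_strong(password):
    """At least MIN_LENGTH characters and three of four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3

def hash_password(password, salt):
    """Salted PBKDF2 so a stolen account table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self):
        self.accounts = {}  # username -> {salt, hash, failed, locked_until}

    def register(self, username, password):
        if is_default_username(username):
            raise ValueError("default usernames are not permitted")
        if not password_is_strong(password):
            raise ValueError("password does not meet the strength rule")
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": hash_password(password, salt),
                                   "failed": 0, "locked_until": 0.0}

    def login(self, username, password, now, src):
        """Return 'ok', 'denied' or 'locked'; failures are logged for review."""
        acct = self.accounts.get(username)
        if acct is None:
            log.warning("failed login: unknown user=%s src=%s", username, src)
            return "denied"
        if now < acct["locked_until"]:
            log.warning("attempt on locked account user=%s src=%s", username, src)
            return "locked"
        if hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"])):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        log.warning("failed login user=%s src=%s count=%d", username, src, acct["failed"])
        if acct["failed"] >= MAX_FAILED:
            acct["failed"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            log.error("account locked user=%s src=%s until=%.0f", username, src, acct["locked_until"])
            return "locked"
        return "denied"
```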
DDoS attacks are aimed at the organization's infrastructure. They are brute force attacks aimed at identifying the vulnerabilities in the system. Countermeasures include configuring application services and firewalls to prevent brute force attacks. Secondly, it is essential to stay up-to-date with security patches and updates. The company should also review the failover functionality of the organization regularly to detect potential DDoS attacks and take corrective action immediately (Hui, Hui, & Yue, 2012).
Arbitrary code execution occurs when an attacker executes malicious code on the organization's server and thereby compromises the resources of the server. Arbitrary code execution can be prevented by configuring the operating system to prevent path traversal. Second is to ensure the servers are up to date with security patches and fixes so that buffer overflows are discovered speedily (Guo, Yuan, Archer, & Connelly, 2011).
While most web systems have access control, it is important to ensure these controls are updated regularly to restrict access to information or perform other restricted operations. Common vulnerabilities in the organization's system may include lack of appropriate permissions. It is therefore important for the organization to configure secure web permissions for each user to prevent unauthorized access (D'Arcy, Hovav, & Galletta, 2009).
Input validation is an application-side control where the administrator must ensure the type, format, length, and range of input data are appropriately specified to prevent compromise to the application. When these application inputs are secured, it becomes harder for attackers to use public interfaces since they cannot inject code into the organization's applications. In input validation, it is important to seal buffer overflow vulnerabilities that can lead to DDoS attacks (D'Arcy & Hovav, 2009). It is important for the organization to limit the use of unmanaged APIs and ensure validation of APIs appropriately. Thorough input validation is essential to prevent code injection.
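The type, format, length, and range checks described above, written as a schema-driven validator in Python; this is an added example, not the paper's, and the field schema for a hypothetical profile-update request is constructed for it. It also rejects parameters the schema does not declare, which is the page's "manipulation of parameters" case.

```python
"""Schema-driven input validation: every field is checked for type, format,
length and range, and unexpected parameters are rejected."""
import re

# Constructed schema for a hypothetical profile-update request (not from the paper).
SCHEMA = {
    "username": {"type": str, "min_len": 3, "max_len": 32, "pattern": r"^[a-z0-9_]+$"},
    "email": {"type": str, "max_len": 254, "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
    "age": {"type": int, "min": 13, "max": 120},
    "note": {"type": str, "max_len": 200, "pattern": r"^[\w .,!?'-]*$", "required": False},
}

def validate(data, schema=SCHEMA):
    """Return (ok, errors); errors maps each field name to the first rule it broke."""
    errors = {}
    for name in data:
        if name not in schema:
            errors[name] = "unexpected parameter"   # blocks parameter manipulation
    for name, rule in schema.items():
        if name not in data:
            if rule.get("required", True):
                errors[name] = "missing"
            continue
        value = data[name]
        # exact type check: bool is a subclass of int and must not pass as one
        if type(value) is not rule["type"]:
            errors[name] = "wrong type"
            continue
        if isinstance(value, str):
            if not rule.get("min_len", 0) <= len(value) <= rule.get("max_len", 10**9):
                errors[name] = "length out of bounds"
            elif "pattern" in rule and not re.fullmatch(rule["pattern"], value):
                errors[name] = "bad format"
        else:
            if not rule.get("min", float("-inf")) <= value <= rule.get("max", float("inf")):
                errors[name] = "out of range"
    return (not errors, errors)
```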
No single countermeasure is 100 percent efficient in the current information technology environment. It is therefore essential for each company or organization to use a combination of countermeasures to optimize their security procedures and protocols. It is also essential for a company to track its security protocols and procedures regularly. This calls for the organization to establish a framework to link its strategic goals to the tactical execution of their security protocol through measuring performance. Regularly testing the system to measure the effectiveness of security policies and procedures is essential in strengthening the security program.
The company should develop a performance plan to regularly evaluate the effectiveness of the security system based on defined performance indicators. This means the plan should provide detailed procedures of conducting reviews of security controls, management processes, and other applications. Secondly, the organization should establish acceptable performance levels for particular systems and facilities and incorporate them into the security controls. Thirdly, the organization should perform random reviews on the efficiency and effectiveness of its security protocols. These random reviews will help to test the system and take corrective action proactively.
The company should also oversee that they comply with security standards and approved programs using a combination of tests, interviews, record reviews, and inspections. This will help them to measure performance against these standards to make sure they are meeting the expected standards and where necessary they are able to drive improvements in the processes. The company should also build the capacity to gather and use their performance information appropriately using a data collection, analysis, and reporting system.
Measuring the efficiency and effectiveness of an information security system can be very challenging. This is largely because it is difficult to control that which cannot be measured. Industry experts suggest that efforts to measure effectiveness are hindered by the availability of data. Empirical data is difficult to obtain and is often uneven in quality. Some data is also not routinely collected, making it difficult to gather the data and use it to identify and quantify indicators of performance.
Companies should review their information security system regularly to ensure they remain aware of threats and countermeasures, adopt new technology and technology updates when they are available, use specific assets such as employees and firewalls to mitigate risks, and prioritize their risk management process.