StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Information Security Program Development - Case Study Example

Cite this document
Summary
This paper "Information Security Program Development" discusses information itself as an asset most important to an organization. An organization cannot use its other resources efficiently and effectively. It is vital that the organization possesses the intangible asset of knowledge…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER96% of users find it useful
Information Security Program Development
Read Text Preview

Extract of sample "Information Security Program Development"

The Importance of Information and its security Information is an asset most important to an organization. Without information, an organization cannotuse its other resources efficiently and effectively. In order to make a strategy it is vital that the organization possess the intangible asset of knowledge and information that the company can use to create bundles of resources that provide a sustainable competitive advantage to the organization when market is large and competition is immense (Hisrich, Entrepreneurship). Strict adherence to a properly defined security system for information systems is extremely important for several industries’ and as they have a huge amount of critical and sensitive information which is valuable to the organization and its stakeholders and the information is such that it can be easily manipulated or tampered with. While organizations have a reactive approach to such systems, that is they recognize the need for such systems only after they have incurred a loss of valuable information, smarter companies use a proactive approach and develop systems before hand to mitigate the damage that the company faces due to loss and corruption of such data. (Maybelline , 2010) For an organization to ensure that its objectives become a driver for its survival and profitability information is of paramount importance. It is the fundamental requirement and a business deeply depends on knowledge and information no matter how big or small a company is or what its information requirements are, all information or raw data lies in the organizations computer system which is highly prune to being violated and misused if proper security measures are not adopted. (Gabrielson,1994) For Example an Insurance Company’s can improve the quality of the products it provide to its customer if they have in depth information on the customer base that they are serving to. The more knowledgeable they are about an organization, the easier it will be for them to provide products that satisfy consumer needs. Information like the number of children within each household that the insurance company caters to can provide them with an idea to come up with insurances for college students, or savings funds for young children. The information that Insurance companies have is vital to their profitability. They hold important information such as social security numbers and other information of their customers which need to protect against infiltration and corruption as any leakages in such data can cause damage to the company’s reputation. Case in Hand We will discuss the case BIC Insurance Company which has decided to migrate to an up to date and modern information security system. Initially, this company was using very old fashioned methods of securing its important information such as corporate data and consumer data. The damages to the data could have been severe as the exposure to the data to outsiders was very high. The company decided to come up with a project to identify all the important information was to the data and then formulate a plan through which a new strategy to secure data could be implemented. This involved starting the development of an inventory system that would include all the information assets, creating new information and also help the company make groups or sets of people who could be granted different permissions for accessing different data. Training was also given to all the employees on how to implement the new security system which made the process smoother as all the security such as IDs and Passwords given to each according to their roles and position to access data were made to understand through extensive training and usage of manuals. Mini boot camps were also set up for the trainers who were further going to train the employees at BIC and more staff and personnel were hired for support purposes.( Case study,BIC) Vulnerabilities and Threats The insurance Company under scrutiny, BIC has a great use of communication systems as well as complex computer and information systems such as telephone lines, LANS, WANS etc. Because these systems are not only connected within the organization but also physically connected outside the organization’s boundaries it is quite vulnerable to risks existing both internally and externally. If proper methods of protecting the data are not used it is highly possible that critical data and information that the organization relies on for its success and competitive advantage could get corrupted or even lost. Information as important as business strategies, business plans and information regarding customers, suppliers and other stakeholders could be easily destroyed. Viruses that jam systems and hackers who can easily get into the system and erase all information is a constant threat to all organization and with the technology so rapidly changing, any method used to protect data could be easily attacked and intrusion into the company systems could be done even by an amateur no matter how secure the organizations data is. For example the insurance company in discussion, initially only a very basic online security system was being used to protect vital information such as their corporate data which was prone to threats both internally and externally as the system was accessible through outside resources. There was no way to stop anyone outside the framework of the organization and any amateur with the basic skills of programming could easily disrupt the system. Such are the threats for an organization that has so much of important and private information, if proper methods and steps are not implemented to ensure full security of data. Now with BIC, there is always confusion between what should be given more priority, the core operations of the company such as the marketing function, the sales function the finance function or the security of important information. What should be realized is that all these functions generate the information that is required for an organization to gain competitive advantage and that security for this data is vital as this data has to be unique, difficult to imitate and non substitutable. Most of this data is so sensitive that the only way to keep the edge is to give it the right kind of protection. (David, 2007) This is BIC and other firms need to have a formal security plan and security controls as it is the wisest decision to make even if there is a trade off between cost and benefit. A little added cost reps huge benefits in the long run and these benefits can later be quantified by the increased profitability and success of the organization. This not only brings tangible but intangible benefits to the organization through building customer trust and satisfaction with the organization. “Businesses that successfully lead in the information age will be those that efficiently find the balance between protecting corporate and customer information, and making sure good ideas and creativity are not "pent up" and made ineffective.” (Ramana) Risk Assessment Risk is anything that causes negative externalities to a business. Business Risk is a risk that causes the profitability and the cash flow of an organization to decrease and it defines uncertainty that exists within the organization with regard to its operations where there is uncertainty of realization of the returns expected in the future (hjventures.com) Risk assessment refers to a formal and structured process through which an organization decides the critical factors that could act as threats to the organization’s information and lead to the vulnerabilities that could be easily exposed within the system and how detrimental it could be for the organization if the data is exposed or corrupted. The Three major Information Assets that BIC had were: 1. Corporate Information 2. Customer information 3. Product information e.g. health insurance, life insurance packages etc. During the risk assessment four kinds of major threats to information and data were found: In general, there are four kinds of computer security threats: interruption, interception, modification and fabrication. Interruptions: this is a threat that occurs when the information processing or information transfer from one place or another encounters delays and disruptions. This in turn effects the daily business operations adversely. Attacks on the systems through viruses can manipulate important information and delay its process. This could be damaging to the company as insurance relies on timeliness and accuracy of the data being processed therefore a risk like this will make the daily operations of the business hinder. Interception involves access to the information by people who are not officially authorized to do so. This can lead to outsiders such as competition manipulate and use the data against the company. People who browse through databases and intercept phone lines are said to be intercepting information. Life insurance policies of the company usually sell their new products through phone call. They have a list of customers that they target and these lists have been generated through means that should not be revealed to the competitors. Through interception it becomes easy for the competitors to take a look at your information without having the authority to do so in private networks, you have issues with the insiders; who have been blamed for most of the incidents of such sort. Modification involves hacker or other unauthorized users changing the hardware components or the software components of the systems and sometimes even changing the data making the authenticity and the accuracy of data void. For example if an outsider changes data within your corporate client profile of BIC it will be very difficult for the organization to sell the right kind of product to the right kind of people Fabrication is one of the major threats to the existing information assets of the insurance company business. It involves counterfeiting the data and modifying and changing it in such a way that it benefits the outsider. An example of fabrication could be changing of insurance claims by a customer so that they receive more than they actually should. (Gabrielson, 1994) Risk control strategy The most appropriate way to come up with a security plan that involves the entire organization is shown in the diagram below. (Gabrielson, 1994) The best control Strategy in the case of BIC where transaction of information through external sources takes place often. Steps like firewalling web sites and giving individual ID’s and passwords to all the employees within the organization to a centralized database where all the information regarding the customers their background will be stored can be accessed by them. Given their roles and positions in the organization, they will be given the authority to perform certain task that is based on their positions, they will be able to use and manipulate the data to the use. Also the approach used to develop the strategy will be to use Managed security service providers who are outside third parties that provide security services. There are many advantages of using mss providers. First of all it has major cost advantages. Outsourcing throughout the world has reduced the cost of organizations through letting them focus on their core competencies; also they provide their excellent skills and expertise that the organization sometimes may lack. These providers also give the advantage of facilities as they have SOC’S (specialized security operation centers), that have all the latest technologies to provide excellent services. ("A Business case,") Also implementing a resource access control facility that allows control the flow of information and adheres to compliance is preferable (IBM, 2003) OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation Approach”) OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is systems approach that uses a unique set of tools, methods and techniques to develop strategies for organizations that have valuable information and provides a guide for risk based assessment and planning. (CERT). OCTAVE provides three different approaches for three different kinds of aspects an risk management in information based organizations such as OCTAVE original which forms the foundation for the body of knowledge and OCTAVE small which provides guidance for small businesses as their needs are separate from large organizations and multi nationals and OCTAVE-Allegro which is a streamlined approach to assess the security measures needed for an organization. There are several benefits of using the OCTAVE approach to securing data and information within an organization and these features add value to the process and implementation of this process. The OCTAVE method using self directed teams comprising individuals from each of the important functions of the organization. These teams work across all the business units and involve the information technology employees who together devise strategies that cater to the information and security needs of the organization. These teams have all the empowerment to make decisions best suited for the organization. This flexibility is not just restricted to the decision making process but to the methods that are available within the OCTAVE framework. Each organization can tailor the methods to suit their requirements of risk mitigation and can allow the organization to use tools that are best suited for the kind of employees they have their level of expertise and technical skills. Another advantage of OCTAVE is that it is an ever evolving process. It has changed the perception of securing data and information in the organization from a very technical aspect to a business perspective to risk based modeling. OCTAVE is a fairly eay process to implement in any organization. In an insurance company, there are several departments where data is collected sorted and then analyzed for further decision making. (CERT) For example, for health insurance collection of data take place where the customers gives his or her medical information to the company, the company then sorts out the information and then decides what kind of insurance should the customer receive depending on age, Severity of illness, work background etc. Teams can be developed from separate functions of the organization that can judge the data and see what kind of security is required according to the expertise and technologies available. Also if MSS providers are used then these teams can work in collaboration with these providers for sound implementation of the OCTAVE methods within the working network of the organization. Proper control methods and appropriate use can be learned through training of employees in using different techniques and methods of OCTAVE. . 1. Ramana, S. V., “Securing the Enterprise” Network Magazine, January 2003. http://www.networkmagazineindia.com/200301/cover9.shtml 2. Definition of Business Risk, HJ Ventures, http://www.hjventures.com/valuation/Business-Risk.html 3. Gabrielson, Bruce C. (1994). Information security program development. Retrieved from http://blackmagic.com/ses/bruceg/progmgt.html 4. Hisrich, R. (2002). Entrepreneurship 7th edition. Mcgraw Hill. 5. Benton, R. (2005). Case study in information security, securing the enterprise. Retrieved from http://www.sans.org/reading_room/whitepapers/casestudies/case-study-information-security-securing-enterprise_1628 6. Computer Security - information on security systems http://shine.yahoo.com/channel/none/computer-security-information-on-security-systems-1253385/ 7. David, Fred.R. (2007). Strategic mangement. South Carolina: Mcgraw Hill. 8. A Business case for Managed Security Service. CGI solutions. Retrieved (2010, ) from http://www.cgi.com/cgi/pdf/cgi_whpr_50_mss_e.pdf 9. CERT, OCTAVE, http://www.cert.org/octave/ 10. www.cgi.com 11. IBM. “Resource Access Control Facility”. November 2003. http://www-1.ibm.com/servers/eserver/zseries/zos/racf/ Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(Information Security Program Development Case Study, n.d.)
Information Security Program Development Case Study. Retrieved from https://studentshare.org/management/1566210-course-work
(Information Security Program Development Case Study)
Information Security Program Development Case Study. https://studentshare.org/management/1566210-course-work.
“Information Security Program Development Case Study”, n.d. https://studentshare.org/management/1566210-course-work.
  • Cited: 0 times

CHECK THESE SAMPLES OF Information Security Program Development

The US Department of Veterans Affairs

information security program Survey: US Department of Veterans Affairs (VA) Executive summary The United States Department of Veterans Affairs (VA) is government powered departmental system for providing services for the wellbeing of military veterans, their families, and survivors.... Recently, the VA has implemented the Continuous Readiness in information security program (CRISP) to enhance the privacy of information about Veterans and their families.... This information security program greatly fits the VA's FY 2010-2014 strategic plan because this program notably contributes to value optimization and stakeholder satisfaction....
4 Pages (1000 words) Essay

Developing the Corporate Strategy for Information Security

The paper "Developing the Corporate Strategy for information security" discusses that the operational duties of digital forensic professionals include securing the data from various system vulnerabilities so that it does not get manipulated and the integrity of the investigation remains intact.... nbsp;  Example: Implementation of this function in the organization can be done through the utilization of risk assessment tools in order to depict potential risks to information security....
6 Pages (1500 words) Assignment

The Unification of Information Security Program Management and Project Management

The breakthrough of the new technology and the aim of any organization or enterprise to achieve development and better service have pushed the unification of information security program Management and Project Management.... In light of the mentioned union, his paper will discuss the risks brought about by the new technology, the tasks to be dealt with in developing the Enterprise information security program, and the adherence to executing risk management.... The unification of information security program Management and Project Management comes with new security threats/risks that must be addressed accordingly....
5 Pages (1250 words) Article

Security Program

The security program is aimed to protect users from unauthorized access to their information and protect library from attacks.... The security program was implemented 5 years ago.... security planning is one of most important risk management initiatives in modern organizations.... security planning must be seen in the context of wider organizational policies.... Many aspects of security planning will be taken care of by, for example, the IT department or its equivalent....
7 Pages (1750 words) Case Study

The Development Information Security

It not only defines a particular security program in order to provide a foundation for security system but also satisfies particular needs of the organization.... Consequently, this ever-increasing security threat has led to the development of numerous information security standards.... This security framework provides steps to establish best suited information security Management System (ISMS) for SMEs.... Such framework is derived from the development of a prioritized set of objectives and practices as suggested by literature and standards provided by ISO standards....
25 Pages (6250 words) Essay

Enhanced Commitments to Women to Ensure Food Security

The ECW program for women has now included the women's enhanced control of their food.... The full transparency of food distribution measures is also being committed to this program.... This paper "Enhanced Commitments to Women to Ensure Food security" presents various programs with the goal of ensuring sufficient programs for safeguarding the welfare of women.... One of these policies is the policy on “enhanced commitments to women to ensure food security”....
9 Pages (2250 words) Case Study

The Organizations Physical, Human, and Electronic Information Holdings That May Be at Risk

This research will begin with the statement that in today's situation, scrutiny of the physical security of services and properties has to turn out to be an even extra serious feature of an organization's information security and industry stability preparation.... Through resources being protected and procedures covering physical security, operations will gain benefit by an enhancement in security on the physical risk to the information.... This essay explores the key areas for physical risk as follows Facility security: access point, information hub, user and sensitivity environments, admittance power and monitoring policy, protector personnel and cabling closets; Internal Company Personnel: Control and accountability for jobs, use of equipments, security procedure compliance, awareness and use of break areas and entry points; External Visitor and Contractor Personnel: Control and accountability, use of equipment, security procedure compliance and use of break areas and entry points; Computer Systems and Equipment: Workstations, servers, backup media, PDAs and modems and physical access points (visual ID only)....
11 Pages (2750 words) Research Paper

The Implementation of the Security Plan

This case study "The Implementation of the Security Plan" focuses on the action plan that is to beef up the information security in the banks and ensure that all threats and vulnerabilities are reduced to a minimum.... he purpose of the action plan is to beef up the information security in the banks and ensure that all threats and vulnerabilities are reduced to a minimum.... The program will use the various federal laws, policies and regulations together with best practices from the industry to come up with an effective information security plan for the bank (Whitman & Mattord, 2014)....
7 Pages (1750 words) Case Study
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us