Introduction
Information security is an essential part of managing any organization, whether commercial, government, or not-for-profit, that aims to establish a strong e-commerce presence. The moment an organization decides to establish an online presence, that is, to make itself visible to the other people who use the World Wide Web to do business and engage in all sorts of activities, it is already required to know the basic rules and principles of information security. Knowing how those principles apply to particular situations is also an important factor in deciding whether to step into the online world or to keep the organization lurking in the darkness of the offline world and suffer the consequences of being unable to establish a blog website.
A blog website, also known as a blog site, is generally considered an important tool for marketing and advertising an organization's products and services. In an era where internet access and knowing how to surf the web are considered necessities, establishing a strong and identifiable online presence is important. Evidence shows that keeping a well-maintained blog site increases a company's customer satisfaction levels. For for-profit organizations, evidence shows that keeping a well-maintained and regularly updated blog site increases company and brand awareness, which more often than not leads to increased sales and profits.
The objective of this paper is to examine the different enterprise information security issues and possibilities that may arise in an organization, focusing on the general and information security structure implemented in the subject organization.
Statement of the Purpose
This paper focuses on the general and information security structure and protocols of Avo Incorporated. Avo Incorporated is an online marketing business that was founded and incorporated on the 7th of May 2003. The company's headquarters is located in New York, United States of America. Its business operations with clients and investors are conducted mainly online, and this is the main reason we have chosen this particular company for this paper. Because it conducts most of its business processes and transactions online, it follows that maintaining a highly secured online working environment is important for it. Moreover, the impact and importance of effective information security efforts are most clearly seen in organizations whose processes are carried out mostly online. Another important fact about Avo Incorporated is that it is a for-profit organization in the Asset and Investment Management industry.
To some extent, Avo Incorporated can be regarded as a hybrid type of company because of the diversity of the products and the asset and investment management services it currently offers. At present, verified members of Avo Incorporated can avail themselves of online money exchange services and a wide range of investment services. The company also features a standardized affiliate program that, according to its website, was designed to increase the potential earnings of its members. Any individual thinking about joining the organization is strongly advised to research the company first. The company's international website can be accessed at https://avo.net/index. Avo Incorporated maintains different websites for world regions such as the U.S., California, Europe, the United Kingdom, and Asia; links to these regional websites can be found on the main website. Avo Incorporated has chosen not to disclose specific details about its internal structure, but in terms of headcount it seems reasonable to assume that it currently employs between 200 and 500 people, considering the size of the market it serves and the range of services it offers its clients.
As an Asset and Investment Management organization, and one that conducts most, if not all, of its transactions online, it is important that Avo Incorporated establish formidable information security procedures and protocols. Avo Incorporated is an international organization whose clients are scattered across the globe, which is why it cannot afford to let its websites (note that the company owns more than one) be easily compromised. In fact, any organization that handles other people's assets and investment funds cannot afford a compromise of its information security, because it relies on its clients' trust that the money they have invested will achieve the promised rate of return on investment (ROI). A website that is poorly maintained and out of date in terms of information security can be considered a threat to the very existence of the company. Avo Incorporated depends heavily on its current information system security and policies to complete every transaction successfully. For example, the company must receive payment before an investment package can be released and assigned to the investor. With only a partially secured information system, these processes would be too risky to handle and could even lead to losses for both parties as a result of hacking and other malicious activity on the internet that threatens confidentiality, integrity, accessibility, authenticity, and non-repudiation, the basic premises of an information security system.
Information Security Policy Elements
Information security is the process or means of protecting any type of information in an information system from malicious and, more often than not, unauthorized access, use, disruption, disclosure, modification, recording, inspection, inventory, perusal, and even destruction. An information security policy, on the other hand, is a set of policies or procedures implemented to direct people, who may be any of the information system's users, in how to use products and services while ensuring information security at the same time. Information security policies originally revolve around the CIA information security triad, which comprises Confidentiality, Integrity, and Availability. Confidentiality describes a state in which no information is disclosed to any unauthorized or unconcerned individual or group without the informed consent of all parties involved. Integrity describes the property that information inside a system cannot be modified without the modification being detected. Integrity is sometimes used interchangeably with consistency. Availability simply means that the information system is capable of serving its purpose, which is to relay information from one sector or entity to another. High availability means that the system is accessible at all times, while low availability can mean many things, usually associated with security breaches such as DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.
Need for Information Security
Disruptions and even disasters usually occur in an unsecured information system. Both are common in every business, but businesses operating in a virtual environment are considerably more vulnerable to the malicious attacks that cause business disruptions and disasters than businesses that are less dependent on the internet. Avo Incorporated is practically an online-based business, because it processes the majority of its transactions via the internet and through third-party services that do the same, so there is no doubt that the company needs to tighten its defenses and establish a fully secured information system. Fortunately, this could be done by restructuring the current information security protocols.
We would like to emphasize the confidentiality of information, because this area of information security is the most common source of the legal and ethical issues that are brought to court for trial. First, malicious entities lurking idly on the internet, or controlled by an attacker, could breach the information security system and damage the information. The extent of the damage depends on many factors, such as the type of attack initiated and the goal of the attacker. In most cases, the outcome of a successful breach boils down to two things: modification or, worse, destruction of information. Without valid and reliable records about clients and investors, management would be unable to make any decision involving withdrawals and transfers of funds. Such anomalies usually lead to clients and investors suing the company on accusations of fraud. This is just one example of the issues and complications that may arise from breaches in information security.
As an Asset and Investment Management organization, the role of Avo Incorporated is to ensure the safety of the assets and investments that clients and investors have entrusted to the company for its use, and to keep all relevant and promised information within reach of clients, investors, and even employees at all times. Unfortunately, the online processing mechanism, which in this case can be considered the root cause of the problems because so many threats exist on the internet, is keeping the company from fulfilling that role.
Information Security Responsibilities and Roles
The Chief Executive Officer (CEO) governs every aspect of the business together with the Chief Operating Officer (COO), the Chief Technical Officer (CTO), the Chief Marketing Officer (CMO), and the Chief Security Officer (CSO or CISO). Avo Incorporated can be subdivided into three major departments: Sales and Marketing, Portfolio Management, and Operations. The Sales and Marketing Department is responsible for advertising the company's products and services to different communities while maintaining focus on the target market. Technically, Avo Management does not target any particular population or market, because according to company policy anyone who can afford to buy the investment and advertisement packages on offer can become a partner member of Avo Management. The Portfolio Management Department is made up of professional brokers and asset and investment experts who provide information to clients and investors; this department helps clients and investors manage their portfolios, hence its name. Aside from assisting clients and investors, the Portfolio Management Department is also responsible for storing records and keeping them fully up to date, since unsynchronized records could lead to a loss of clients' trust and other complications. Lastly, the Operations Department is responsible for handling the company's financial management issues; it is also responsible for risk management and other real-time business operations. Below is a schematic diagram showing the different departments involved in Avo Incorporated's operations.
Information Security Structure
As stated in the previous sections of this paper, maintaining formidable information security is key to the company's success, given the type of processes involved in its operations. Like other companies with an information security department, Avo Incorporated's Information Security Department is headed and directed by the Chief Information Security Officer. The information security chain of command then passes to the Information Security Data Custodians Council (ISDCC), the Information Security Risk and Policy Advisory Group (ISRP), or the Information Security Technology Advisory Council (ISTAC), depending on the type of order or threat at hand. These three sub-departments nevertheless work together to create a relatively secure working environment for the clients, investors, and management of Avo Incorporated.
Standards and Guidelines
The standards and guidelines that could apply to Avo Incorporated and its clients and investors are quite complicated, because as an international, online-based business entity it cannot be subject to any single standard policy or set of information security rules and regulations. The only thing clients can rely on is the company's terms and policies, which can be found on its website. The company publishes a disclaimer containing clauses that describe its various terms and policies, and some of those clauses are dedicated to information security.
In the international community, certain legislation and policies have been enacted to protect both consumers and businesses from the complications brought about by information security threats and issues. One of these was the UK Data Protection Act of 1998. This act made new provisions for individuals regarding the processing of information, focusing on the obtaining, holding, disclosure, and use of classified and confidential information. In fact, a few years after this law was enacted, the European Union Data Protection Directive (EUDPD) required all member states to adopt standard EU data protection regulations. Another information security law was the Sarbanes-Oxley Act of 2002. This law was originally intended to strengthen national policy on how companies manage their finances and submit financial reports to their respective state trade and industry departments. One section of this act, however, requires publicly traded companies, or those that enable the trading of stocks, to conduct an accurate assessment of the effectiveness of their financial management and reporting. The same section states that Chief Information Officers are to be held responsible for the accuracy, reliability, security, and, most importantly, confidentiality of the information systems they use to process, store, and report company data.