ABSTRACT
This paper examines the full range of information and computer security concerns in general and their effects on the performance of an organization. Information and computer security is a crucial part of security in an organization. Most security breaches are associated with external and internal aspects of security in an enterprise. The main aspects of security involve authentication, confidentiality and availability of information in the format and manner desired. This has led to the implementation of security protocols and procedures intended to foster the integrity and safety of information relayed within company systems and with external partners. The paper focuses on the development and implementation of models that foster security in information systems, the resources required and the level of user participation needed to achieve acceptable levels of safety.
INTRODUCTION
Information systems are becoming a major business driver and organizational tool that is gaining universal acceptance in all sectors of the economy. Basically, information systems are classified as hardware, software and data that facilitate communication. Protection of these systems at the physical, personal and organizational level is essential to the continuity of other operations. The seamless exchange of information across organizational networks and over the internet has raised security concerns. The three major information security areas of authentication, authorization and confidentiality have been compromised physically or via the internet through hacking, malware and spyware programs.
Given the paradigm change associated with the internet of things, security has become the main focus. Almost all daily activities and operations now depend on a safe, stable and resilient cyberspace. Military and civilian communication channels, travel, power control systems, business operations and government services all depend on a vast array of computer networks and the internet.
Cyber security, for instance, is a mechanism of defined standards used by organizations and governments to practice safe security techniques and reduce the number of successful cyber security attacks. The information revolution has enabled attackers to launch attacks from miles away using malicious software and cause considerable damage. The same applies to terrorists. Therefore cyber security affects all other security apparatus of a country and, because of the nature of the attacks, it is almost always impossible to know the source of an attack. Governments and organizations are investing heavily in the development of comprehensive cyber security plans that provide sufficient security.
According to the Journal of Economics, Management and Financial Markets, the use of enterprise information systems has enabled companies to assimilate various business functions and information systems into one warehouse. The data in an organization is integrated into one package that can be accessed by various departments and sections, including finance, the human resource department, sales and marketing, and administration. This in effect has made business operations easy and arguably efficient to execute.
The centralization of all business operations, information and data in one location makes it more vulnerable to external and internal attacks. The company's intellectual property, business data, backup information and other essentials such as employee data are susceptible to compromise if efficient security protocols and measures are not developed and implemented. Malicious or unintentional security breaches and attacks result in business discontinuity, disruption, unreliability and inefficiency as well as eventual company and client losses. An example of such an incident is the NASDAQ malware attacks directed at the Directors Desk to cause security violations in 2011.
Most companies agree that employee training and awareness of security protocols and procedures is fundamental to the safety of the organization's data. Safe usage of passwords, accounts and authentication procedures, and safe transfer of sensitive information between departments, is crucial to the management of personal security. According to [citation omitted], the paradigm shift towards cloud computing is opening up a dynamic area of information security. Until recently, information security has revolved around technical aspects such as viruses, worms and Trojans. However, according to the Journal of Universal Computer Science, the cloud shift is necessitating more research in the field of cloud security, especially human interaction with the systems. As noted, the biggest problem arises when technology interacts with people, and this concerns the administration, management and use of information technology functionalities.
As a result, organizations have come up with different models for developing the security of their systems and information. The frameworks include the development of information security policies, developing employee awareness and training, and governing access controls.
INFORMATION SECURITY POLICY
The Journal of Economics, Management and Financial Markets article "Developing a Model for Enterprise Information Systems Security" notes that IS policies are security programs and policies essential for an organization's security. In formulating these programs and policies, certain relevant standards are used, and the security program or policy determines the kind of standard to be used. For instance, ITU-T and IEEE are standards bodies that cover the telecommunication and the computer and electronics industries respectively. Securing the information systems of an organization is an important exercise with major implications for the operation of personnel and the security of assets. Security controls are the fundamental parameters that define the managerial, operational and technical safeguards and countermeasures deployed to an organization's information system. Several bodies are responsible for the development of information security standards and policies; one such body is NIST. The fundamental aim of NIST standards is to aid in the development of policies that preserve and restore the confidentiality, integrity and availability of information within the system.
An information security policy contains the procedures, steps and regulations for managing the access to and use of company assets and infrastructure by employees. The credibility and usability of such a policy depends on how well it is drafted and developed. Experts are of the view that an information security policy is the fundamental and practical method of protecting the assets of an organization. Top management goodwill and employee involvement are important to the development process, as they ensure the general usability and effectiveness of the policy. Awareness of the current policies and security measures in place is equally important to users and the company, since it increases understanding and participation. Employees are at the lowest level of utilization of the company assets and are best placed to protect them. Understanding the system and the consequences of security breaches is the only way of combating and preventing their occurrence.
USER PARTICIPATION IN SECURITY CONTROLS DESIGN
Information systems security research and literature has highlighted the fact that users are the weakest link in security, whether through human error or computer crime. [Citation omitted] notes that users play the part of both the problem and the solution in regard to computer security, but contends that users have a more pronounced and valuable role in providing the solution. As noted above, awareness plays a major role in information security management and, as such, is fundamental to the design of efficient security controls. Organizational controls, measures, standards and policies that aid in the management of computer and information security are better formulated and utilized by the people who handle the information on a daily basis. According to [citation omitted], significant managerial vigilance is necessary to attain sufficient protective measures, which is only possible through the highest level of awareness. Secondly, efficient security controls and standards are only effective when aligned with business goals and objectives. Such alignment necessitates a sufficient understanding of information and its usage, transfer and storage within an organization.
This has led to the development of information system development contexts since the 1970s probing the connection between satisfaction and psychological attachment. Information system development (ISD) has focused on the connection between user participation and information security planning, design, development and implementation. This is manifested in four dimensions: users' hands-on functionalities, responsibilities, relationships with information systems and security, and communication and interaction with other staff and managerial echelons. According to system quality theory, the involvement of users in the system development process leads to a better understanding of business needs as well as high-quality and effective systems. This is mostly applicable to the design of large and complex projects and functionalities, such as security controls, whose needs are dynamic and unique in nature.
Security risk management (SRM), when implemented with ISD, aids in the identification and prioritization of impending information system security risks. It highlights the specific processes and procedures for managing potential risks and their controls evident in the ISD process. SRM focuses in particular on the strategies, policies, procedures and roles that people play in the process of security risk management. This collective management of protocols and people is intended to prevent and reduce the instances of attacks and breaches and, in essence, to preserve the confidentiality, integrity and availability of information in an information system.
APPLICABLE GOVERNMENT REGULATIONS & STANDARDS
According to the MIS Quarterly Issue, multiple laws, regulations and standards apply to ensure that federal and private agencies maintain an acceptable level of security, interoperability and other factors. To begin with, the Financial Industries Modernization Act of 1999, for example, eliminates barriers to financial institutions providing a broad range of financial services, regulates the use and disclosure of consumers' non-public financial information, and defines financial services. Under section 501(b), the Act requires that technical, physical and administrative safeguards be implemented in order to protect the covered non-public personal information.
In addition, financial institutions are obligated under the Act to ensure the safety of their information systems in the interest of safeguarding their clients' privacy and security. The guidelines under the Act include the Standards for Safeguarding Customer Information, 16, Part 314; Privacy of Consumer Financial Information, 17, Part 248; and the Commodity Futures Trading Commission, 17, §160.3. In Pennsylvania State Employees Credit Union v. Fifth Third Bank, for instance, the Credit Union was forced to bear the financial losses incurred by its clients after credit cards were compromised on its systems. This places a duty on organizations to ensure that data and information on their systems is secure and controlled. Organizations are also required to maintain the integrity of their information security systems, including preserving their forensic quality, under the Sarbanes-Oxley Act, Sections 302 and 404, as well as the SEC Regulations (United States v. Phillips, 2007).
Compliance with the Federal Information Security Management Act (FISMA) is also critical in order to ensure interoperability and clearance to connect to or use federal information technology architecture. FISMA clearly sets out comprehensive frameworks to ensure the protection of government information, assets and operations against man-made and natural threats, with major implications for private enterprises. The National Institute of Standards and Technology Act, established under Title 15, Chapter 7, forms a critical part of both FISMA and information security regulations. NIST is mandated to develop standards, guidelines and related methods to ensure that information systems run by federal agencies, their contractors and other enterprises are secure, thereby mitigating national security risks.
IS SECURITY CHALLENGES AND INNOVATIONS
Information systems security is a combination of information assets and controls intended to protect businesses and entities from emerging threats and vulnerabilities. As Spears notes, any company's information is only as secure as the security protocols implemented to safeguard it. Untrusted information originating from wrong security policies leads to mistrust and uncertainty, which impacts negatively on the continuity of a business entity.
As discussed above, the role of information security is the establishment of policies that initiate a healthy working environment and control the process of information exchange, with the ultimate aim of guaranteeing confidentiality, availability and integrity. The security challenges that are most evident are grouped into cryptography, SMEs, privacy in the cloud, internet security, forensics and security metrics, among others.
The fundamental aim of information security is the protection of information and data contained in systems from disruption, destruction, modification, unauthorized access and use, and disclosure. The data protected takes electronic, print and other forms, contained inside or outside of a computer system.
Business enterprises, government entities and financial institutions, among other sectors of the economy, generate and store numerous files of information about their products, their customers' financial standing and their employees. A large portion of this information is currently processed using computers and transmitted via computer networks or the internet across the world. Compromise of the networks or information of such companies is unacceptable, since it carries severe business, legal, societal and ethical implications. Privacy is also a major concern and is defined differently in diverse cultures.
In the International Journal of Multimedia and Ubiquitous Engineering, Sattarova et al. note that the ultimate goal of information security is to achieve the full defense of information throughout its life span by preserving the CIA (confidentiality, integrity and availability). This starts from the creation of information, through processing across the various information systems and transit, and finally through to its final disposal. In order for the information to be fully protected, each component of the information processing system must possess some security controls. The layering and overlapping of security controls gives rise to a process known as defense in depth. The defense in depth strategy outlines the protective measures put in place to guard the system against threats and vulnerabilities. It defines the strength of an information system's security in reference to its weakest point of vulnerability. Controls can be used to define the mechanism for building a defense in depth strategy. The types of controls in use include administrative, logical and physical.
ACCESS CONTROLS
Access controls are administrative tools implemented by management to control the access to and use of resources. Controls can be classified as administrative or procedural, logical, and physical. An administrative control comprises the approved policies, procedures and standards that lay the foundation for managing people in an organization. An example is the Payment Card Industry Data Security Standard implemented by companies such as Visa and MasterCard. Logical controls entail the use of technical functionalities such as software, firewalls, intrusion detection systems and passwords to control the privileges available for a certain location and task. Finally, physical controls entail the procedures employed in a workplace and within computing facilities. Physical controls are important for the separation of duties in an entity, such that an application programmer cannot be the server administrator at the same time. The technique clearly separates the roles and responsibilities of each work entity.
Cryptography uses encryption and decryption techniques to transform information into a form unusable by any third party except the authorized user alone. Cryptographic methods are used in information security to safeguard information from unauthorized usage or accidental disclosure, which would render such information compromised. Cryptographic applications such as GnuPG or PGP are used for the encryption of data files and email.
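The separation of duties described above (an application programmer must not also hold server-administrator rights) can be enforced as a logical control. The following is an added example, not code from the paper or any of the journals it reviews; the role names, permissions and users are constructed for illustration, and the mutually exclusive role pairs are assumed policy.

```python
"""Role-based access control with static separation of duties (SoD)."""
from dataclasses import dataclass, field

# Permissions granted by each role (constructed sample data).
ROLE_PERMISSIONS = {
    "app_programmer": {"repo:write", "build:run"},
    "server_admin": {"host:login", "host:sudo", "service:restart"},
    "auditor": {"log:read"},
}

# Static SoD policy: no single user may hold both roles of any pair.
# Assumed policy for this example, mirroring the paper's programmer/admin case.
MUTUALLY_EXCLUSIVE = {frozenset({"app_programmer", "server_admin"})}


class SeparationOfDutiesError(ValueError):
    """Raised when a role assignment would violate the SoD policy."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing any grant that would breach an SoD pair."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    for pair in MUTUALLY_EXCLUSIVE:
        if role in pair and (pair - {role}) & user.roles:
            conflict = ", ".join(sorted((pair - {role}) & user.roles))
            raise SeparationOfDutiesError(
                f"{user.name}: {role} conflicts with held role(s) {conflict}"
            )
    user.roles.add(role)


def has_permission(user: User, permission: str) -> bool:
    """Logical access check: permission flows only through held roles."""
    return any(permission in ROLE_PERMISSIONS[r] for r in user.roles)


def audit_assignments(users: list) -> list:
    """Detective control: names of users whose roles breach an SoD pair.

    Useful for catching assignments made outside assign_role (e.g. by a
    direct database edit), which a preventive check alone would miss.
    """
    return [
        u.name for u in users
        if any(pair <= u.roles for pair in MUTUALLY_EXCLUSIVE)
    ]


if __name__ == "__main__":
    alice = User("alice")
    assign_role(alice, "app_programmer")
    print(alice.name, "can write repo:", has_permission(alice, "repo:write"))
    try:
        assign_role(alice, "server_admin")
    except SeparationOfDutiesError as exc:
        print("denied:", exc)
    # bob's roles were set directly, bypassing the preventive check.
    bob = User("bob", {"app_programmer", "server_admin"})
    print("SoD violations:", audit_assignments([alice, bob]))
```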
POINT OF VIEW
The major challenge in information security and controls still revolves around privacy and the extent to which information is classified as private. Customer or employee details can be used and shared between departments and organizations according to the operations involved. However, the challenge lies in the use of such data with management and information systems that permit seamless integration for efficient business operations (Inf Sys Front).
In some instances, the issue concerns the ownership rights an individual has over information about them. According to the International Journal of Multimedia and Ubiquitous Engineering, various types of privacy exist, including financial, internet, medical, sexual and political privacy. The design and implementation of controls to safeguard these kinds of privacy is a challenge that has not received a universal solution. Individuals may not wish to reveal personal information concerning religion, political affiliation or sexual orientation. The diverse nature of human preference affects the implementation of policies to guard such kinds of privacy, since a control implemented to safeguard one group against discrimination, reputational harm and personal embarrassment may affect another.
The literature in the studied journals has pointed out the diverse nature of security threats and vulnerabilities attributed to information inside and outside of computer networks. In that respect, they have proposed models that can be adopted to build IS security for a business case. This is clearly manifested in the MIS Quarterly Special Issue, which explores the impact of user participation in IS security risk management analysis. The Issue also recognizes the contribution of the Sarbanes-Oxley Act and related acts to the enactment and implementation of security legislation.
The model described in the Journal of Economics, Management, and Financial Services describes a four-step process for the design of enterprise information system security. It outlines policies, security awareness, access control and TLMS. In my view, these are the fundamental features for implementing security protocols in an organization.
In the same breath, the "Current information system security challenges and innovations" covered in the Journal of Universal Computer Science has successfully classified and described security challenges. The journal has, however, not exhausted the discussion in detail, but the critical review that follows the classification is satisfactory.
CONCLUSION
The protection of information is the topmost priority that should be implemented in any organization. Safeguarding data and information prevents ethical, legal and financial consequences. This paper has reviewed the various security elements discussed in different journals and issues. In all, it is evident that confidentiality, integrity and availability of information have been prioritized in the coverage of their respective methods.
References
Hyang-Chang Choi, Y.-H. Y.-H.-N.-H. (2005). A Privacy Protection Model in ID Management Using Access Control. ICCSA.
Spears, J. L. (2006). A Preliminary Investigation of the Impact of the Sarbanes-Oxley Act on Information Security. Proceedings of the 39th Hawaii International Conference on System Sciences (p. 218). Los Alamitos: IEEE Computer Society.
Issue, J. S. (2012). An Overview of Current Information Systems Security Challenges and Innovations. Journal of Universal Computer Science, 1598-1607.
Kim, S. F.-h. (2007). IT Security Review: Privacy, Protection, Access Control, Assurance and System Security. International Journal of Multimedia and Ubiquitous Engineering, Vol. 2, No. 2.
Wang, K.-c. C.-p. (2010). Information systems resources and information security. Springer Science.
BIBLIOGRAPHY
Dan Shoemaker, P. W. (2011). Cybersecurity: The Essential Body of Knowledge. Cengage Learning.
Gary B. Shelly, T. J. (2010). Systems analysis and design. Cengage Learning.
Goodman, J. C. (1997). General Packet Radio Service. IEEE Communications.
Hyang-Chang Choi, Y.-H. Y.-H.-N.-H. (2005). A Privacy Protection Model in ID Management Using Access Control. ICCSA.
Issue, J. S. (2012). An Overview of Current Information Systems Security Challenges and Innovations. Journal of Universal Computer Science, 1598-1607.
Kim, S. F.-h. (2007). IT Security Review: Privacy, Protection, Access Control, Assurance and System Security. International Journal of Multimedia and Ubiquitous Engineering, Vol. 2, No. 2.
Mansfield-Devine, S. (2011). DDoS: threats and mitigation. Network Security. Springer.
Park, C.-S. S.-S. (2010). A Study of Effect of Information Security Management System [ISMS] Certification on Organization Performance. JCSNS International Journal of Computer Science and Network Security, 10(3): 10-21.
Ralph Stair, G. R. (2011). Principles of information systems. Cengage Learning.
Rudolph, K. (2009). Implementing a security awareness program: Computer Security Handbook. John Wiley & Sons, Inc.
Sauter, M. (2011). Beyond 3G - Bringing networks, terminals and the web together: LTE, WiMAX, IMS, 4G Devices and the Mobile Web 2.0. John Wiley & Sons.
Song, W. W. (2011). Information systems development. Springer.
Spears, J. L. (2006). A Preliminary Investigation of the Impact of the Sarbanes-Oxley Act on Information Security. Proceedings of the 39th Hawaii International Conference on System Sciences (p. 218). Los Alamitos: IEEE Computer Society.
Wang, K.-c. C.-p. (2010). Information systems resources and information security. Springer Science.