Information Security Essay
Information security is the set of protection mechanisms organizations use to protect their data from loss, unauthorized access or unauthorized modification. Today the information an organization holds in its databases is very valuable to it, and many refer to it as a company asset. This information needs to be made available to employees, and it is therefore exposed to security threats.
As an organization makes technological advances, its work processes become more efficient and fewer resources are required. Employee output also increases as the organization experiences technological obsolescence. The use of data and information becomes more frequent and more concentrated. This data, which makes up the records about the organization and important customer data, is very useful to the organization. Loss of this data, or its unauthorized use, also means a loss to the organization in monetary terms. How important the data is depends on the type of business the organization is in. For example, an information technology (IT) solution provider holds everything in the form of data, and that data is the firm's main asset. This data therefore needs protection to safeguard it from loss or unauthorized access.
The information in an organization should be available whenever it is needed, which is why it cannot simply be locked away in databases or files. Certain employees need this data to perform their tasks, while other employees do not need some of it, and it needs to be hidden from them. If the data is made available to all employees, all of them will be able to view it and modify it. The data therefore needs to be protected, with different levels of access assigned to different employee roles. As technological advances are made and systems are installed to make data available to employees, the threat to information security grows.
Data from all departments of the organization is integrated on one platform to make it highly available, keep it in one format, allow fast access, keep it up to date and make information retrieval more efficient. Integrating the data of different departments also means that all employees of the organization will access the same database. Without controls, the information becomes more vulnerable to data loss and unauthorized use.
An organization can protect against threats to information security in a variety of ways. Every threat has its own control and security management. Access controls can be implemented to keep unauthorized personnel away from the information. Access controls can also be used to give employees different levels of access. Employees who only need to view the information in the database are given rights to view it only, and those who need to modify, add or delete records are given the corresponding access level. The best way to implement access control is to create a unique user id for each system user and to assign each id its own access level and privileges. Each user id is authenticated by a password that is also unique to that user. Users should be trained and educated about the security controls so that they understand that different information is viewed by different users.
Information should be stored in encrypted form so that it is unusable to anyone who is unauthorized, while authorized users can transform it back into usable form. Information must also be protected from physical damage, disruptions and disasters. These disasters may be man-made or natural, including fire, earthquake, destruction of the building, and so on. To protect data against such disasters and physical damage, physical controls are implemented, such as door locks, air conditioning, fire alarms, cameras and security guards. A data recovery mechanism, including backups of important data, should also be in place. Backups are usually kept at a distant site and sometimes also at the same location. This ensures that the data will not be lost even if a disaster strikes the organization.
Management should be informed that losses of customer data and valuable information will cause heavy losses in earnings. Management should also be told that inadequate information security may lead to theft of customer data. Customers are very conscious of the data being recorded about them, so if their data falls into the wrong hands or is stolen, they are most likely to switch to competitors such as UPS for services. The IT personnel should prepare a presentation for management to win their support. This presentation should also point out that UPS is much better equipped with security controls than we are, which is why it attracts more customers. It should also be mentioned that return on investment will rise as a result of better data security, and that the number of customers will rise and they will be more satisfied than before.
The collection of data from many sources has allowed organizations to build databases of facts and information. This information can easily be abused or stolen, even by authorized employees, who can use it for illegal and unethical purposes. The organization should set strict ethics rules for information security to prevent illegal and unethical behavior by employees. There are cultural differences in ethical concepts that affect what is judged ethical or unethical, and difficulty arises when one nationality's idea of ethical behavior contradicts another's.
Deterrence is the prevention of unethical and illegal behavior. Through the enforcement of laws, policies and technical controls, unethical and illegal behavior can be prevented. Laws and policies in an organization are only successful if certain conditions are present. These conditions are listed below:
- Fear of penalty
- High probability of being caught by management
- Possibility of the penalty actually being administered
Organizations have codes of ethics or codes of conduct to discourage unethical behavior. Unfortunately, merely having a code of conduct is not enough. Employees must be made aware of the important topics related to information security and must be trained in the behaviors expected of an ethical employee. Proper ethical and legal training is essential in creating a well-prepared, informed and low-risk system user. This is especially vital in the area of information security as organizations witness technological obsolescence. Many employees lack the formal technical training needed to recognize whether their behavior is unethical or even illegal.
Security professionals are responsible for acting ethically and in accordance with the policies and procedures of their organization and the laws of society. Therefore most organizations create and formalize a body of expectations, which is referred to as policy. Policies function in organizations much as laws do. To make a policy enforceable, it must be:
- Distributed to all employees who are expected to comply with it
- Easily understood by its readers, with translated versions available in other languages
- Readily available for reference by employees
- Signed and acknowledged by the employee in the form of a consent letter
Only when all of these conditions are met does the organization have a reasonable expectation that the policy will be effective.
The course to be designed for the students should not be technical and should cover the laws of the states and the federal government. First, the objective of the course needs to be explained to the students to give an overview of the core ideas it contains. The distinction between laws and ethics should be made clear in the course presentation so that later studies are better understood. Types of laws and U.S. laws relevant to information security and privacy should be included in the course. A topic on customer data privacy and its sanctity should also be included in the curriculum. Definitions of international laws, legal bodies, state and local regulations, copyright acts and the UN charter on information should be included. Policy and law should be differentiated, and guidelines for designing an enforceable policy at an organization should be given. Auditing bodies such as the Information Systems Audit and Control Association (ISACA) and their purpose should also be taught to the students.
An organization has many assets, and information assets are the least well managed, even though information is recognized as one of an organization's most valuable assets. Organizations have begun consuming vast financial and human resources to record, store, manage and process information, yet information receives no financial recognition on the balance sheet.
We now look at the valuation methods that can be used for information assets. Using communications theory (Shannon and Weaver, 1949), information can be valued by focusing on the amount of information transmitted over a certain distance; it is measured as the volume of data per second transmitted over that distance. This method of valuation is not very effective, however, because the content of the information and its usefulness are not taken into account.
The accounting valuation model values information in the same way accounting theory values the organization's other assets. According to accounting theory, the value of an asset comes from two sources. The first is the use of the asset: if the asset is frequently used and its use benefits the organization, the asset is valuable to the organization. The same reasoning applies to information assets: if using a piece of information benefits the organization, the value of that information is high. The second source is the sale of the asset: if selling the asset generates enough money, the asset is valuable. This too applies to information: the more valuable the information, the more buyers there will be and the more revenue its sale will generate. Another way to value information is by its market value.
The market value of information is the amount other firms are willing to pay for it. The advent of the internet has allowed information to be sold as a product or paid for on a usage basis. An organization's entire information databases are generally not usable by other firms; in general only a small proportion of the information is saleable to other organizations. Information is reusable and can be sold over and over again without losing value. While the market value represents what another party is willing to pay, the utility model is better because it captures future cash flows rather than a one-time payment. The utility value of information is measured by the profits that can be derived from it in terms of future cash flows.
This method is the best indicator, although a difficult one, because it takes into account how the information is used. Its major drawback is that estimates of future benefits are highly subjective and time-consuming to collect. In the case of a liquidation of General Motors (GM), the information in GM's databases is of no further use to the organization itself. There are three types of information: administrative, commercial and confidential. Internal administrative information such as financial budgets, employee salaries and purchasing costs is generally of no interest to external parties. It is only for the use of internal management, and other firms cannot use it directly. Although it could be used indirectly to train employees or in seminar sessions, it cannot be used in the operations of the business.
The second category is commercially sensitive information. Usually it is not in a firm's interest to sell this type of information to other firms, as they would use it to profile customers and improve their own sales process. In the case of GM, this type of information would be very vast and diverse, since the company has been one of the largest firms in the US. Its sales information and production procedures would be very useful to other firms, which could use them to make better decisions.
The third category is confidential information, which is very sensitive; firms may be sued if it is not kept private. In the case of GM, this information would be very useful to other firms that want such data, since they would obtain customer data and personnel records. But for privacy reasons this information may not be sold or passed to an external firm.