Management and Information Security - Assignment Example

Cover Page Contents Cover Page 1 Contents 2 Table of Figures 3 Question 1: The extended characteristics of principle of information security management are known as six Ps -planning, policy, programs, protection, people, and project management. Discuss and provide anexample of each on how these principles could possible apply on current fast changing inorganisations. 4 Question 2: Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organisation? 8 Question 3: Discuss the purposes of unified continuity plan in information security management. Which types oforganisation might use the various contingency planning components as separate plans? Why? 10 Question 4: List and describe the three approaches to policy development presented in chapter 5. In your opinion,which is best suited for use by a smaller organisation and why? If the target organisation are verymuch larger, which approach would be superior and why? 12 Question 5: 14 a) How does training differ from education? Which is provided to the broader audiencewith regard to information security? 14 b) Establish a list of priority when developing a security awareness program. 14 Priority List for Security Awareness Program 15 References 17 Table of Figures Figure 1: The process of planning 5 Figure 2: bull's eye model 6 Figure 3; Packet filtering fire walls 7 Question 1: The extended characteristics of principle of information security management are known as six Ps -planning, policy, programs, protection, people, and project management. Discuss and provide anexample of each on how these principles could possible apply on current fast changing inorganisations. The definition of information security is the safeguarding of information as well as the critical characteristics inherent to that information; that is confidentiality, integrity and availability. Information security encompasses systems as well as hardware that utilise, keep or transmit said information (Whitman &Mattord, 2010). There is increased access to information especially that stored on computers as many people, both business and personal, store their data on computer. A lot of this information that is stored on computers is not for public consumption (wisegeek.com). When executing a plan as part of InfoSec management the process involves development, creation and implementation of strategies that will achieve this goal. There are three levels of planning involved, that is strategic, tactical and operational. The planning process starts when strategic plans are incepted for the whole firm. This entails training, awareness and education. The information security planning involves activities aimed at bolstering the design, conception and application of strategies aimed at enhancing information security. The types of information security plans that are included are incident response, business continuity, disaster recovery, policy, personnel, technology rollout, risk management, and security program planning. Figure 1: The process of planning Policy involves packaging organisational guidelines in such a way that they give guidance on what behaviour is acceptable within the organisation. There are three general classes of policy. These are enterprise information security policy (EISP), issue-specific security policy (ISSP) and system-specific policies (SysSPs). The bulls’ eye model is one that focuses on the role of policy in information security. The issues addressed by this policy progress from common to precise. This is illustrated in figure 2 below: Figure 2: bull's eye model Policy represents the outermost layer of the bulls’ eye model (Whitman and Mattord, 2010). Programs are operations in information security that are distinctly managed entities. An example of a programme is a security education training and awareness (SETA) program which supports all the programs in the army and is not specific to any regulation. The training programs entail security briefings given to new arrivals and a yearly security awareness training online. Protection is carried out through risk management processes such as risk assessment and control, protection mechanisms, tools and technologies. Every mechanism denotes a factor in the administration of distinct controls as laid out in the security plan. Part of protection mechanisms include access controls which are made up of four processes; identification, authentication, authorisation and accountability. Identification involves obtaining the identity of the accessing entity. Authentication determines whether the identity of the entity is confirmed. To perform specific actions on the area, the entity must be authorised. Finally, in order to maintain security, the activities of the authorised entity within the system are logged. Firewalls are used to prevent movement of information from within to without a network or from trusted to untrusted networks. An example of a firewall is illustrated in the figure below: Figure 3; Packet filtering fire walls People are the most important factor of any security program and this fact is recognised by managers. Information security has personnel at its backbone both in terms of personnel security as an aspect of a SETA program. However much security a system has, there is always one aspect that cannot be contained. According to Gartner, 80% of unplanned downtime in the system is caused by people and processes. Meta also conducted a survey that divided security related issues, attributing 30% to technology and 70% to people and practises. At the end of the day, it is people who commit simple errors or deliberately perpetuate crimes that result in most security breaches.According to Martin Smith who is the principle of The Security Company, it is imperative that focus shifts to human error because they are more costly than viruses, phishing, cybercrime or denial-of-service attacks (Alka, 2012). Project Management involves control and identification of project resources. As the project progresses, this movement must be evaluated in order that changes can be made if necessary, as it goes forward. The elements of an information security program are managed as a project although information security itself is a process composed of on-going projects. This is limited however, only to some aspects of the process. Others are simply managed as operations. Question 2: Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organisation? Top down planning defines strategy while tactics define bottom up planning. They both have benefits and are necessary to planning techniques. A high level plan characterised by ambiguous requirements, approximated cost and target delivery date comprise elements of a strategic top down plan. This is a natural progression from the flow-down emanating from corporate goals and objectives from business units. The next step is to come up with a bottom up plan that fills in details and specifics missing from the top down plan. The top down plan provides the structure of the plan while the bottom up fills in the details. The bottom up plan is the bases for adjustment of the overall product strategy should this become necessary (Hueston, 2006). The variation between top down and bottom up models in strategic management stems from operational strategies although the company does identify its supreme goals in the same way.In top down strategic management model, the objectives of the plan are determined in high levels of management or at ownership level while the rest of the business has the job of seeing these objectives come to fruition. In terms of small business ownership, the onus is then on the management team to incept a successful plan for the organisation and outline each employee’s role in bringing this to life. In this system, there is hardly any contribution from lower tier employees on business objectives. The advantages of this model are that it puts the direction of every aspect of the business in the owner’s hands and therefore there is a high level of control over the business. This means that operations follow the owner’s specifications to the letter. The disadvantage is that the business rises or falls depending on the business savvy of the owner. Should the owner’s product development strategies or market knowledge fail, this impacts directly on the company’s bottom line. Should the business owner fail to convey clearly what his objectives are to lower echelon employees, achievement of these objectives and business goals will be put at risk (Lister, 2012). In opposition to this the bottom up strategic management model attempts to find and develop concepts sourced from the entire workforce. The ownership of the business is still the custodian of the company’s supreme goals and their achievement dates, however lower echelon personnel from every level contribute in terms of the nuts and bolts. Brainstorming sessions are held at all levels and then management teams compile all the concepts proposed so that the ownership can select the most appropriate (Lister, 2012). The involvement of the entire organisation in the bottom up strategic management model is a source of teamwork and motivation to employees and gives them a sense of having a stake in the company. That means that employees would feel more involved in the workplace and work harder to achieve the set goals. However, it can also create a build-up of ideas for management to consider which may be time consuming and ultimately defeat the purpose of having an effective plan. There is also the possibility of feelings being hurt should their ideas not be chosen (Lister, 2012). For a large diverse organisation however, bottom up strategic plan may be more practical than top down. Question 3: Discuss the purposes of unified continuity plan in information security management. Which types oforganisation might use the various contingency planning components as separate plans? Why? A business continuity plan is a group of expert team plans that outline the strategies in place for back up or continuity should the events arrived at during a business impact assessment come to pass. These include procedures to relocate, restore or recreate a business. There are various plans within the unified continuity plan which are differing in content and contain the necessary information for a team to carry out its functions. The plan is not the strategy, but consists of different elements including IT recovery, business unit plans and Logistics/communication plans as well as overall coordination. Recovery of technical information is fairly simple and this is usually the most successful plan. Recovery of the business unit is more intricate but not impossible. Logistic planning is the most difficult to execute (Lucey, 2005). The individual default response for every team member is embedded within each plan, listing each member by name and providing both for work and outside work hours. They are listed by name because this is more likely to attract the individual team member more effectively than a team role designation. A coded copy of the IDR can be carried by the team member on their person, at all times. This coded copy also contains other crucial information (Lucey, 2005). Automated notification systems that provide for messages that are preprogramed, ad-hoc or allow for voice text translation should be used. These systems are used to carry out routine notification tests from which reports are automatically produced. This is a good testing tool in itself and is more effective in an emergency than a manual call tree. The contact information for team members is not contained in the team plan but can be stored in an ASP-based high-performing automated notification system. The subscribed service must have fully redundant sites offsite, accessible by phone or online so that nothing is stored onsite. This is because the emergency communication system will be at risk of being eliminated by an event should it take place, if it is onsite. This is also true for detailed reference information, be it digital or not. Technical recovery information can be stored at the site where it is expected that recreation of systems will occur. If there should be more than one of this sites, replica information should be kept at all sites (Lucey, 2005). Continuity strategies involve several options whose determining factor is usually cost. Generally, there are three exclusive-use alternatives. These include hot sites, warm sites and cold sites. There are also three shared use alternatives viz, timeshare, service bureaus and mutual agreements. Hot sites are composed of fully configured computer facilities, fully serviced with communication links and physical plant operations. Warm sites are similar to hot sites without inclusion of software applications. Cold sites have access to only basic services and amenities. Timeshares are similar to exclusive use sites but they are shared either with a business partner or another company. Service bureaus are paid for facilities that give access to physical amenities in the event of disaster. Mutual agreements are signed between organisations to assist each other during emergencies. Question 4: List and describe the three approaches to policy development presented in chapter 5. In your opinion,which is best suited for use by a smaller organisation and why? If the target organisation are verymuch larger, which approach would be superior and why? Policy development can be done as part and parcel of the security program. This means that the term ‘information security program’ in this context denotes the framework and organisation expended in the effort to contain risks to information assets within the organisation. The factors that must be taken into account when constructing this framework are the culture of the organisation, its size, the budget for security personnel, and the capital budget for security. The bigger the size of the organisation, the more likely it is that the department of security is not up to par with the intricacy of the organisation framework. Internal groupings tend to be formed in information security departments in order to deal with the challenges that may be long term as well as daily security procedures. These functions are divided among the groups. In smaller organisations, the groups are inevitably fewer or even just one group of specialists. This contrasts sharply with large organisations that tend to spend less per person on security than smaller organisations. There is a policy approach that distinguishes group functions into four areas. These are functions carried out by non-technology business units not located in the IT department; functions carried out by IT but not in the purview of information security; customer service functions within the information security department and compliance functions performed within the information security department. The next approach is that adopted by a medium sized organisation which is multi-tiered. It involves a lot less specialised groups than in large organisations with more functions assigned to these groups. Some information security functions are disregarded. The security approach used in small organisations tends to follow the simple, centralised IT organisational model. The small organisation tends to have under a hundred computers but they spend a lot more money on security as compared to larger organisations. The responsibility for information security normally falls on one security administrator and the policy measures are minimal as are planning and security measures. There is a tendency to outsource online operations and any policies in operation tend to address specific issues only. For these reasons, the centralised model is ideal for the small organisation because it keeps everything in one place making it easier for the person in charge to keep tabs on what is going on and raise the alarm in good time should the need arise. In larger organisations with a more diverse organisation structure and varied security needs, the best approach would involve spreading functions around into the designated groups. In this way, the information security program would ensure that all the bases are covered and reduce the likelihood of a security breach. Question 5: a) How does training differ from education? Which is provided to the broader audiencewith regard to information security? b) Establish a list of priority when developing a security awareness program. The difference between training and education is that the former is intended to convey a skillset through learning by rote while the latter involves delivery of basic skills coupled with the ability to advance these skills through individual effort. Training programs are designed to equip the participants with specific skills but does not give the participants tools to advance these skills. Formal education will provide a foundation from which the participant is able to seek further knowledge, should they be interested in doing so (Tomhave, 2010). The SETA program was designed to minimise security breaches that occurred by accident. It consists of three elements; security education, security training and security awareness. The benefits of this program are that it improves how employees behave, enhances accountability among company employees enabling management to hold them responsible for their actions. SETA is utilised for security enhancement through construction of in-depth knowledge in the design, implementation and operation of security programs. It does this by promoting development of skills and knowledge that enables users to carry out their duties on computers without compromising the IT security. It also improves awareness of why it is necessary to protect system resources. From this knowledge it can be deduced that training is carried out to a broader audience with regard to information security as opposed to education. This is because a majority of users do not require in-depth knowledge but simply sufficient skill to get their jobs done in the most secure way possible. Priority List for Security Awareness Program An effective security awareness program empowers employees to be accountable for their actions. This also eases the propagation and implementation of policy as the training and awareness programs are available. Another advantage of this security awareness program is that it helps to shield the organisation against litigation. Security awareness denotes different things to different audiences and many approaches are available to deliver the message. It is important to be aware that often times people tune out what is being said to them. Therefore, when constructing a security awareness program, a priority list is vital. This list would consist of the following items: The concept of information security is about people and not the technical aspects of the system. It is important to speak in the language of the audience that one is addressing. Therefore if they are more comfortable speaking in various slang vocabularies that would be the format to use. Learning via visual aids is the most effective means of ensuring the audience assimilates the data presented. It is important to make the point identifiable both to the audience and the speaker. A sense of humour is essential. Once the point is made, ensures that the speaker supports it and draws a conclusion from it. The recipients must be made aware of how the requested modification of behaviour will impact upon them. It is the tame horses that are ridden. The training methodology used must be formalised. Time keeping is essential to training even if it means that certain schedules that may contain urgent information will be skipped. References Alka, M. Why Organization Needs Information Security? Viewed 15 December 2012 from: http://www.scribd.com/doc/92829149/M07920000220104013Materi-Multimedia-LO-M0792-pert-13#download (2012) Hueston, B. Top-Down or Bottom-Up. Viewed 15 December 2012 from: https://blogs.oracle.com/tacticalleadership/entry/top_down_or_bottom_up (2006) Lister, J. The Difference Between Top Down and Bottom Up Strategic Management. The Houston Chronicle. Demand Media. (2012) Lucey, K. Business Continuity Plan Development Explored. Presentation given by Kathleen at the Continuity Planning & Management 2004 West conference, May 2004. Portal Publishing Ltd. (2005) Tomhave, B. I Am InfoSec, and So Can You. Viewed 16 December 2012 from: http://www.secureconsulting.net/2010/04/i-am-infosec-and-so-can-you.html (2010) Whitman, Michael E, &Mattord, Herbert J. Management of information security.Course Technology. (2010) Read More