Information Assurance Systems and Risk Assessment Model - Term Paper Example

Case Study Information Assurance Systems And Risk Assessment Model The Social Context Introduction Risk Assessment Model Risk, in case of varied operational decisions, is seen as a focus of single determinants of behaviour arising from risk theories. (Stephenson, 2004)1 Various unresolved contradictions can be reconciled by examining the usefulness of placing risk propensity and risk proportion in a more central role than has been previously recognised through effective risk assessment programs. Based on such analysis, it is believed that the propensity of risk dominates both the actual and perceived characteristics of the situation as a determinant of risk behaviour. (Stephenson, 2004) Such an observation can safely justify the finding that suggests that apart from being central to any and every business or organisation, risk is something that entrepreneurs in general, are averse to. This can be attributed to the fact that at the end of the day, any loss of information has far reaching implications of its own and is deeply rooted in the genesis of risk taking and management. Coming back to the issue of the risk averse nature of businesses in context of the XYZ organisation, the one question we need to ask before proceeding any further is whether mere risk assessment is enough to act as a strong foundation for resolving all those difficulties arising out of risk management in case of information management and assurance systems. The answer is, no. And more and more organisations in the health care arena are beginning to recognise this basic premise, which has led to creativity in the sphere of risk management strategies. It has become necessary therefore, to keep reinventing the methods and strategies to be used in order to overcome the perils enumerated above, in a timely and cost effective manner. (Brussin, 2006)2 Another creative aspect attributed to the entire gamut of activities concerning risk management in this sphere adheres to the notion of utmost good faith that has been lately used to expand the protection for the insurer from pre-contractual fraud to include post-contractual fraud as well. This works in the benefit of the insured, who is saved from the abyss of financial loss, as well as the insurer, who is saved from parting with the sum assured upon occurrence of such a loss, therefore subjugating both parties to complete protection in an aspect that was earlier a matter of great confusion as well as debate. The mechanism of creative risk management extends to preliminary planning as well. To be prepared and organised for the contingencies in advance will help the managers cope with them more easily. This can be further propagated by the use of timeliness and efficiency in the response stage with a reliable communication system, logistics and flawless coordination to boot. (Stephenson, 2004) For this purpose, in the XYZ organisation damage assessment and reporting should constitute of the preliminaries of restoration and restructuring apart from playing an important role in the formulation of a crisis management plan. Since crises threaten the strategic objectives of the XYZ organisation, crisis management has been structured so as to work under the foresight of strategic management. This is one of the major trends that are seen to be emerging in the field of prioritising control of crisis to facilitate eventual risk management. Further, staff training and scenario testing have been made to sound more specific with special emphasis on real life situations and an assessment of the responses that are gathered thereon. This results in proper task description and designation of responsible staff. Also, outsourcing has become a major trend in providing of equipment and facilities so as to lighten the load on the risk bearer’s mind. During strategic planning of risk management, a major point to be made and clarified is the estimated value of percentages for the probability of the risks that should be included in the picture. To give a fairer idea, the records of insurance companies are now taken as a database for the purpose of analysis. (Stephenson, 2004) In this regard, let us take a brief look at a minor case study from a developing country in order to more effectively depict the level of creativity that is being employed in the sphere of insurance and risk management. Reliance Industries is a major player in India’s insurance industry. India has a vast insurable population of which only 20% is insured. To gain a foothold in the case of the remaining 80%, the newly launched Reliance Insurance Pvt Ltd, has come up with an innovative scheme wherein the ‘connect to life’ proposal offers a ‘no questions asked, no tests conducted’ insurance policy to the insuring entrepreneurs. This not only enhances the client base of Reliance, but also reduces the sum assured payable by the insuring party upon buying such a policy, which becomes more like a retail product. A move of such nature definitely qualifies as creativity. (www.relianceinsurance.com)3 Therefore, it can be said that a risk averse entrepreneur has a variety of innovative options before him today, for the purpose of risk management and insurance in terms of financial loss. In keeping with this viewpoint, the theories studied above have been based on the models that have a great deal of influence on the risk management strategies in the XYZ organisation. Literature Review This paper is a summation and critique of two papers based on social and intellectual capital. These two papers are: Clarifying the Entrepreneurial Orientation Construct and Linking it to Performance, by G T Lumpkin and G G Dess. This paper analyses the entrepreneurial strategy making process that goes into the creation of performance oriented goal achievement programmes that are the helm of social capital. (Lumpkin et al, 1996) Social Capital, Intellectual Capital and the organisational advantage, by J Nahapiet and S Ghoshal. This paper basically discusses a mechanism that can create the platform for the use of social capital for the creation of intellectual capital. (Nahapie et alt, 1998) These two papers have been used to demonstrate how a management strategy can be built on the basis of intellectual capital for better performance in the goal achievement arena. To begin with, traditionally, organisations have been seen to work on the premise of three basic factors of production – land, labour and capital. These three factors have been hailed as equally important with labour always having occupied a special place of importance. In this regard, the three factors of production were enough to nicely and simply sum up the requirements of an organisation. (Nahapiet et al, 1998) The modern day organisation used four factors of production or four basic categories of resources: land, labour, capital and expertise. With the advent of various technologies and trends like globalisation, there has been a strong emphasis on the growth of manpower development along the lines of securing employees as long term assets in whose hands the growth of company lies. This is where the term expertise comes in. (Lumpkin et al, 1996) Whether it is in the Research and Development department or the marketing department of the organisation, this term has been categorised to imply a lot of things which an employee must possess for the relevant department in terms of characteristics of basic mental competency. There are various companies in the world that has conceptualised intellectual capital and recognised the same as a strategy for building a brand asset. This in turn, has given the brand competitive advantage and competency through its intellectual capital base, which makes its manpower a ‘thinking’ capital and not just a ‘doing’ capital. This competency has a strong nexus with the competitive advantage that an organisation has and the quality of the same. This level of competitive advantage is the primary tool in measuring the IC in the organisation. The characteristics of this competency may be creativity, foresight and intellect, among numerous others. In this regard, we will delve further into the intellect part of things, as this paper deals with the concept of intellectual capital. (Lumpkin et al, 1996) Analysis Social Context: Knowledge Management for an Effective Information Assurance System In toady’s world of diverse technological needs and the requirement for a support system that cater to all the specifications required by various governments, businesses as well as individuals, there is a need for an appropriate IT systems integrator which will promote the utilization of resources for more effective knowledge management. Knowledge is the key capital in the XYZ organisation and this has been demonstrated by the design of IT systems that integrate knowledge management tools in their software and models. Before delving any deeper into the elements of this brand of knowledge management, it is important to study and analyze the exact implication for this management tool as regards an information assurance system within the XYZ organisation. (Source: Wilson, 2002)4 The above diagram depicts the growth of titles using knowledge management which may be applied in a multi layer fashion to the information assurance system within the XYZ organization as discussed above. In this regard, information management may be defined as something that involves deploying new technology solutions, e.g: content or document management systems, data warehousing and portal applications. It covers all the systems and processes in an organization for the creation and use of corporate information. Managing information in a secure manner has become one the most difficult tasks within the healthcare industry. The sheer variety of information sources has changed information from mediocrity of data to a natural efficacy and requirement. Information management involves people, processes, technology and content. (Wilson, 2002) Knowledge management encompasses strategy, method, practice and approach in an organizational context. Data represents facts or values of results and has the capacity to represent information. Patterns of relations of data, and information have the capacity to represent knowledge. This shows a strong connection with the premise that the XYZ organization operates on in terms of the use of various tools of information technology to integrate the knowledge within the organization. This also promotes a stronger and wider base for communication. In this regard, XYZ also shows that communication management is a vital phenomenon in organization and is extremely important in an organization. In general, efficient communication in an organization contributes directly or indirectly to improved organizational performance. This shows a focus on knowledge management which has been integrated into its system through a deep analysis of the information that can be used accordingly. (Wilson, 2002) The organization transforms diversity of information and complexity of technology into a detailed collection, which represents the need for intelligent and innovative drive towards integration of information and technology. Thus, with use of words like intelligence and innovation, it is understood that there is a lot of scope for the use of tools like intellectual capital which this IT system supports. Intellectual capital thus finds the scope for growth and development through a focus on the use of intelligence and innovation in this system. (Wilson, 2002) In this regard, the importance of knowledge management comes to the fore in terms of its applicability in any information management system which integrates the use of knowledge. (Wilson, 2002) (Source: Skyrme, 1999)5 The sections portrayed above cater to the various aspects of the operational sphere within which the XYZ operates. These are in terms of information assurance systems, risk assessment as well as other details like digital investigation, post mortem facilities, and so on. Cross Functional View of Information Processing at XYZ In this regard, an organization like XYZ and the healthcare arena surrounding it, are growing everyday by leaps and bounds in the technological arena. Hence, it has been seen that an organization or industry that is in the depths of development is always in dire need of a unique knowledge management system. In this regard, XYZ requires an IT Systems Integrator for its varied virtual and information processing needs. As a model for IT integration, it should have the capacity and experience for providing strategic technology solutions to the healthcare organization. The XYZ organization has widespread use of the tools of knowledge management as the information from within needs to be transmitted to effectively to various external parties in terms of risk assessment plans, information assurance systems, and others. This IT system integrator must operate at the following levels: Secure the internal network of the organization through firewalls. Use of public key infrastructure to secure all VPN connections. Provide universal serial bus authentication tokens with passwords to radiologists for external access. Create a system to tackle and run through all ranges of potential security breaches. Eliminate system bugs through a determination of appropriate user interface, minimum software and hardware requirements, bandwidth and system functionality. Creation of digital subscriber lines that will enable faster and improved internet connectivity as well as user feedback that can be acted upon instantly in terms of disaster management and risk assessment as well as virtual vulnerability assessment. Enrolment of a select group of doctors in varied batches for a tele - radiology program. (Stephenson, 2004) Therefore, it may be observed that an IT system integrator has the capacity to promote knowledge management within its own unique framework that can be applied to the XYZ organization. Knowledge and information have become almost interchangeable in their ability to transform workplaces that operate in the virtual sphere. Recognizing this premise, the company must provide result-oriented solutions in terms of various technological innovations. It must work with a variety of alliance partners in the virtual sphere with an unmatched level of domain knowledge so as to render effectiveness to the IT system integrator. This will empower the XYZ organization with inventive and scalable technology solutions thereby increasing the organization’s competitive advantage and return on investment. (Wilson, 2002) An alternative view of the information environment within the XYZ organization Knowledge management has the scope to encourage learning within the organization. Without learning something everyday, effective knowledge management has been deemed impossible. In this regard, training and development have been seen as strategic partners and tools of knowledge management within the XYZ organisation. (Jones, 1995. p 61 to 77)6 As regards development, XYZ is an organization committed to creating partnerships with various virtual vendors for delivering technology integrated and process driven solutions in the healthcare arena. This aspect of XYZ has a strong focus on learning within the organization through its focus on secure information exchange. It spurs resources from skills to infrastructure by providing thorough industry knowledge, experience and best practices. This will enable the XYZ organization to focus on its core business by fulfilling the needs of information management as well as technology demands and expectations. This in turn, recognizes the need for an integrated system that will help promote various shared learning methods through the creation of cognitive strategies that will in turn, promote the flow of knowledge along smooth flowing lines. (Boisot et al, 1999. p 525 to 536)7 XYZ must operate by offering a unique set of services best suited to meet the information management requirements in the healthcare arena. It must be committed to keep the healthcare interest first by cultivating partnerships with leading global technology vendors. This shows a strong leaning towards communication management and the creation of a fitting environment for further training and development in this regard for effective communication within the organization. (Jones, 1995) Managing the balance between exploitation of knowledge and exploration of knowledge at XYZ Exploitation of intellectual capital and knowledge is the first and foremost area through which the XYZ organization may tap into its resources and transform the same from latent to active. This can be done through a total End-to-End Systems Integration solution in its information assurance system. These end-to-end solutions work in the arena of providing the scope and sources for collection of data as well as the tools with which this data may be linked with the operational goals as well as the information security aspect. XYZ must aim at aligning technology requirements, which are necessary to support such a strategy. Detailed analysis helps in outlining gaps in the IT environment surrounding the healthcare industry in terms of risk assessment and risk management. This will help in developing a customized services solution for achieving the integrated IT environment within which the information assurance system will operate. These customized services are a part and parcel of the direction that an average organization takes when it comes to transmission and utilization of information and knowledge. (Kirk, 1999)8 A perspective of organizational learning communities at XYZ The XYZ must aim at the use of intellectual capital and the development of the same through various training and learning strategies that are subtly supported by it integrative model. In this regard, it is imperative to note that without learning values and an atmosphere for shared learning, the application of any integrative system will not involve full participation or generate positive contribution of the technology from all corners of the organization. This will render failure of the application of such a model. For this kind of application, the creation of a certain culture and value base through tools like awareness and learning are the only answers. (Davenport, 1999)9 The values must therefore be set by XYZ drive their employees to learn, perform and grow. The learning environment at XYZ will help in providing scalable and interoperable technology solutions with an eye on the evolution of the information assurance system for future projections and needs. It must revolutionize itself to become process driven company with conformity to international standards as far as its risk assessment and information assurance system is concerned. This awareness further fuels the motivation for working towards integrating this knowledge and its application within the organization and the IT systems integrator that its uses. In this regard, the integrative system used will be one based on learning and the creation of an informal learning structure through the creation of learning communities. (Davenport, 1999) The learning community at XYZ must coordinate the designing, development, organization, operation and maintenance of IT solutions and technology infrastructure, which will promotes and adds value to the core business of XYZ. This competency has a strong nexus with the competitive advantage that an organisation has and the quality of the same. The characteristics of this competency may be creativity, foresight and intellect, among numerous others. This promotes the environment for the growth of intellectual capital along the lines of the information system and technology applied within the organisation. (Jones, 1995) All activities and operations within the organisation depend on communication and the transmission of the right information at the right time, and in a right way. (Wentling et al, 1999)10 The training strategy seeks to engage strength in these hubs in order to give rise to a phenomenon known as development. Thus, the golden ratio called Phi holds the answer for perfect symmetry in the XYZ organization. Read growth through a breakdown of communication barriers within the information assurance system. This brings us to the specific skills which we have used for the development of an effective training strategy, after the process of initiation as discussed in the above chapter has been effectively followed. These have been represented as the points in the grid so as to facilitate the process of analysis. Vulnerability assessment & intrusion detection systems Risk assessment & risk management Backups & business continuity planning Disaster recovery planning Computer incident response teams Digital investigation & incident post-mortem Privacy & anonymity in cyberspace; censorship & content filtering Management responsibilities & liabilities The future of information assurance Professional development Creation of Opportunities for Information and Knowledge Management at XYZ: Positive and Negative Impact of System XYZ must gain assistance through Systems Integration Services by transforming the strength of their technical team to their core operational sphere, which is the healthcare industry. The company must integrate the above mentioned technologies for delivering IT solution, which fulfills the organization’s IT goals and objectives as well as disaster management goals. These objectives are a part and parcel of any integrative model. (Eaton et al, 1991. p 156 to 165)11 Solution Deployment services within the XYZ organization for disaster management, risk assessment and information assurance management, must include an establishment of Data Centers, Network Operation Centers, middleware, software tools, applications, establishment of customer network infrastructure, training and skills development of staff. The technical team must train the staff until they are able to manage the operations and maintenance of the information management system from the resources within XYZ. In this way, there will be a strong focus on competitive advantage through the development of intellectual capital and knowledge management within the organization. (Boisot et al, 1999. p 525 to 536) Macro contents for an Information and Knowledge Management Policy at XYZ The Macro contents of an information and knowledge management policy include development of an IT Strategy, which is aligned with the basic Business Strategy. XYZ must work with vendors who will devise the Solution Architecture developed by their Solution Design Centre (SDC) once the customer has established the IT Strategy. After the customer agreement for Solution Architecture, XYZ’s technical team, along with the vendor, helps to develop the specific technology solution for the information environment and disaster management projections that surround the organization. This will involve the requirement for applications, networks, hardware, technology and people skill requirements. XYZ must lay down its specific requirements in front of the vendors for the appropriate selection of the technology identified in the previous process of Solution Development for its varied needs like information assurance systems, risk management, disaster management as well as virtual security. Issues in implementing an Information and Knowledge Management Policy at XYZ The following steps are involved in the implementation of an information and knowledge management system at the XYZ organization: Outsourcing Maintenance and support Operations Systems Integration Solution deployment Technology selection Consulting Solution development Architecture Conceptualization (Stephenson, 2004) Keeping in view the complexity of information technology elements vendors and solution providers are complemented with Outsourcing Services within the organization.  These include cover Operations and Maintenance of the solution deployed by the XYZ organization and the related information technology elements. Data Centers can be established at various developing countries like India and Far Eastern Countries where the BPO revolution is at its zenith. This can be used by the XYZ organization as the primary site or secondary site or Disaster Recovery. All activities and responsibilities related to information technology operations, management and maintenance will be taken care of by the service providers and vendors while the XYZ organization can focus on its core operational area. This core area will involve the use of integrative models that will make ample use of knowledge management as well as learning tools. (Langley et al, 2003)12 The main issues involved are failing to meet key business objective, over budget projects and delayed projects. In order to compete with local and global competitive threats XYZ must use the best expertise and solutions to companies for resolving such issues. These issues contribute to the notion that the individual is the most important entity when it comes to carving the overall image and identity of the organization. This fuels the importance of learning and development. (Langley et al, 2003) XYZ must deliver end to end solutions covering consulting, technology platforms, systems management, IT optimization, system software and tools, applications, security, maintenance, help desk and networking needs. Its staff must have international experience that use business process mapping and business process redesign to align IT solutions with healthcare objectives. Software house and systems management will allow XYZ to offer a unique unmatched value proposition to its customers. This will help XYZ in the following ways: reducing and controlling operating costs; increasing efficiency; increasing disaster preparedness efficiency; improving the safety and security within the information assurance system; decreasing vulnerability to defects within the security system; reducing investment in technology expertise; increasing flexibility in selecting technology paths; accelerating reengineering benefits for the future of information assurance systems; freeing up internal resources for other purposes and helps in gaining access to expertise which is not available internally. (Stephenson, 2004) In this regard, it may be seen and asserted that the tools of knowledge management need to support a fitting environment for learning. This will lead to better applicability of the actual tools and elements of the integrative system within the XYZ organization so as to encourage the use of awareness as the basic premise on which the model for a better information assurance system can be based. This has a strong connection with the fact that information and knowledge flow lines need to be charted throughout the organization with a strong focus on and connection with the integrative technology used. Also, with such aims in mind, it is generally easier to avert the risk of miscommunication and misinformation, which in turn will promote effective operations in all departments and corners of the organization through optimum utilization of the skill and resource base. The strategic business plan for any organisation depends on its resource base as well as its capabilities. A strategic business plan is an integration of various elements that propel a business towards overall goal achievement. The strategic business plan depends on effective practice of sustainability theories as well as those of competitive advantage. Conclusion The XYZ organisation never had formal, systems-based controls as a significant feature as it is a goal-oriented organization. While these goals may lean more towards short term profits than long term sales growth and market share it has been noted that the twin objectives of risk assessment and information assurance system within which various objectives like disaster management as well as information security operate, were clearly understood throughout the organization. Further, the XYZ organisation demonstrated that the means of measuring achievement is via cash flow, monitoring actual expenditure levels apart from a concerted effort towards achieving sustained progress through the information assurance system and risk assessment in the technological department. (Brussin, 2006) These developments have led to the belief that management accounting and non-financial performance measurement were not valuable as a control device in the XYZ organisation. It has been widely accepted that other than to a limited extent in terms of expense control, this performance measurement system has little use. In annual method of accounting, the matching principle was not applicable owing to the lead time between information transfer, risk assessment and subsequent income flows. In this regard, accounting reports have not provided any significance in contribution to the measurement of the XYZ’s success as it operates in the healthcare industry where the traditional standards do not apply. Yet, according to the performance management literature, it has been seen that non-financial performance measures are yet to take care of accounting’s limitations. With a scarcity of formal non-financial measures other than number of units sold and market share, there has been a shift of attention to qualitative aspects of performance in the area of information assurance system, such as flexibility, quality and innovation, as suggested by models such as the Balanced Scorecard. However, these are not quantified. Information networked (Ansari, 1977) controls were visible in various spreadsheet models. These controls can act as the critical control device within the XYZ organisation as they demonstrate an emphasis on continual feed forward processes rather than on any post feedback. Further, in a trend that shrugs off the traditional profit and balance sheet presentation, the XYZ organisation’s spreadsheet model is more of a historical record, a forecasting device and a decision-making tool. As a business model, this will has funnel profits into the information building decisions apart from providing forecasts regarding the available and required cash flow that will support exponential growth in terms of improved solutions and systems for risk and disaster management. The advent of the revised spreadsheet found various elements of industry and market share modelling. This is in keeping with the cluster theory that has been used for the company. Therefore, it can be used to capture market share by targeting the customers of weaker competitors, apart from identifying the XYZ organisation’s borrowing ability by linking his cash flow to the bank’s lending policies. Therefore, the economic perspective has shown the structuring of a relevant accounting which has ensured a discourse of future-oriented market share, sales growth and cash flow. In the terms used by Miller (1998)13, traditional accounting had been pushed to the margins, while the spreadsheet models developed by Taylor can become central to the success of the XYZ organisation with an eye on the integration of its varied information and risk assessment needs. References Brussin, D (2006). Professional penetration testing for better Security. CISSP Stephenson, P (2004). Getting the Whole Picture. The Center for Digital Forensic Studies. Reliance Insurance Industries. URL: www.relianceinsurance.com (Accessed during: February, 2008). Wentling RM, Palma-Rivas N (1999) Components of effective diversity training programmes. International Journal of Training and Development. Marquardt, Michael J. (1996) Building the learning organization: A systems approach to quantum improvement. Mc-Graw Hill. Skyrme, D. J. (1999) Knowledge Management Solutions - The IT Contribution. David Skyrme Associates Limited Boisot, M. and Cox, B (1999). The i-space: a framework for analyzing the evolution of social computing. Technovation, 19 (9), p. 525-536. Kirk, J (1999), Information in organizations: directions for information management, Information Research, 4 (3) Eaton, J. and Bawden, D. (1991). What kind of resource is information? International Journal of Information Management, 11 (2), 156-165. Davenport, T.; (1999). Is knowledge management just good information management? Mastering information. London: Financial Times Jones, M. (1995). Organisational learning: collectivist mind or cognitivist metaphor? Accounting, Management and Information Technology, 5 (1), 61-77. Wilson, T D (2002). The non sense of Knowledge Management. Information Research, 8(1). Last accessed at http://informationr.net/ir/8- 1/paper141.html Langley, E., Seybrooks, J., Ryder, D. (2003). Information audot as a holistic approach: a case study. Last accessed on thr 3rd November 2003 at URL http://www.sla.org/division/dst/LangleySLA062003.pdf Ansari, S.L., 1977. An integrated approach to control system design. Acc. Organizations Society 2, 101–112. Daft, R.L., Macintosh, N.B., 1984. The nature and use of formal control systems for management control and strategy implementation.J. Manage. 10, 43–66. Ferreira, A, Otley, D., 2005. The Design and Use of Management Control Systems: An Extended Framework for Analysis, Social Science Research Network. http://papers.ssrn.com/sol3/papers.cfm?abstract id=682984. Kaplan, R.S., Norton, D.P., 1992. The balanced scorecard—measures that drive performance. Harvard Bus. Rev.(January–February). Merchant, K.A., 1998. Modern Management Control Systems: Text and Cases. Prentice-Hall, Upper Saddle River, NJ. Miller, P., 1998. The margins of accounting. Europ. Acc. Rev. 7, 605–621. Simons, R., 1995. Levers of Control: How Managers Use Innovative Control Systems to Drive Strategic Renewal. Harvard Business School Press, Boston, MA. Lumpkin, G. T. and Dess, G. G. (1996). Clarifying the Entrepreneurial Orientation Construct and Linking It to Performance. Academy of Management Review, 21 (1), 135-172. Nahapiet, J., & Ghoshal, S. (1998). Social capital, intellectual capital, and the organizational advantage. Academy of Management Review, 23(2), 242-266. Read More