Management Information Systems Security … Term Paper
Management Information Systems -- Information Security
Information security, often referred to as IS or InfoSec, is the practice of defending information from unauthorized parties who might access, disclose, use, modify, disrupt, inspect, record, peruse, or destroy it. Overall, information security is the task of information security specialists, who determine the nature and value of the data to the business and create the policies needed to gain control of the internal information system. Information security also involves information assurance, which is the act of ensuring that data is kept safe and not lost when critical events such as malfunction, physical theft, and natural disasters occur (Vladimirov, Gavrilenko, & Michajlowski, 2010).
This paper discusses information security in its holistic nature as it relates to personal, business, and global information security.
Interconnectivity of information systems
Interconnectivity of information systems is important because it allows full interaction and collaboration among users of the system while keeping it secure. System interconnectivity does not limit the transfer of data; it makes transfer simpler while ensuring that the security of the information is maintained (Smedinghoff, 2008).
Whenever data is shared in an interconnected environment, there is risk. It is important to reassess the risk of the environment regularly so that mitigating efforts can be undertaken as quickly as possible. The interconnectivity of the system depends on the corresponding controls and configurations and on how sensitive the data is (Watkins, 2013a).
In order to maintain the necessary security levels when there is an interconnection between information systems, the risks involved should be assessed together with the level of security protection. Both systems should undertake this assessment to ensure that the risks involved are limited and that the necessary protection is provided. Once the connection between the systems is established, the risks are shared, and new protections may be required. The groups involved should also maintain a high level of knowledge sharing and transparency to ensure that the level of security in the different systems is the same.
The security requirements of the systems differ depending on the information security environment. However, the common requirements are the use of virus scanning and detection tools, intrusion detection, secure identification and authentication, auditing controls, incident reporting and handling, and assessment and authorization (Vladimirov et al., 2010).
The security process areas include management of configurations, incident response, creating awareness, training, and ownership of data, maintaining data backups, and responding appropriately to incidents.
Recommendations relating to interconnectivity
Several information security organizations, such as the National Institute of Standards and Technology, have drafted guidelines on information sharing to prevent cyber threats. These guidelines provide recommendations for preventing cyber-attacks and adopting defensive mechanisms.
The first recommendation is to maintain inventory lists of all hardware and equipment that the company owns. This helps the company keep records in case hardware, equipment, or media is stolen. The second is an inventory list of all information the organization uses and is capable of producing. This ensures the company has a record of all information it owns and produces, so that it can gauge the sensitivity of that information and apply the appropriate security policies and procedures.
Organizations are also encouraged to exchange, in a formal way, information on threats and on the tools and techniques they use to avert those threats. The purpose of this recommendation is to inform decision making in each organization and to mitigate risks early. In the same way that organizations think about their competitive landscape when they are making investments, they should also use logical factors in deciding on their IT operations (Kouns & Kouns, 2011).
The company must consider the risks associated with information sharing. The best source of threat intelligence is partners, since companies within an industry hold unique industry data that, when shared, highlights risks and allows smooth continuity of operations.
Companies should also use open standard formats for their data and transfer protocols. When interchanging information electronically, the system should format the data in an open, well-specified data format so that it can be transmitted from one system to another without human intervention.
The fifth recommendation is for companies to augment their data collection, management, and analysis with information collected from external sources. This links to the sharing of threat intelligence with partners, so that the company can analyze its data appropriately and determine in a timely manner when it is under attack. Companies should use adaptive methods to share information proactively with partners, so that all parties are aware of the information security threats and vulnerabilities that exist.
Lastly, companies should have clear roles and responsibilities for when a cyberattack occurs. This means the company should have a cyberattack response plan that is updated regularly and that ensures company information remains protected at all times. It also means the company should regularly evaluate the efficiency and effectiveness of the control measures it has put in its systems.
Need for balance of information security in personal, business, and global areas
Collaboration within an organization and with other organizations is important. However, it becomes increasingly difficult to maintain information security when the organization is involved in collaborative activities. Corporations struggle to keep up with industry regulatory requirements, risk management, and economic conditions. The major issue raised by industry experts is that employees tend to see information security as a task for the information security personnel, without appreciating that it is a mutual task (Calder, 2010).
There is a need for collaborative effort in order to achieve information security in any organization.
Many corporations have also become global in the sense that they are expanding their e-commerce capability while increasing interactivity with consumers and customers around the world. These companies are increasingly dependent on third parties for their business operations, and those third parties must keep customer data confidential. Third parties handle many activities in these organizations, such as compliance, audit, human resources, IT, information security, and risk management (Watkins, 2013b). While third parties often have better threat intelligence and response due to their specialization, they create a risk because they have access to the confidential information of the company.
Global organizations must therefore have an information security culture that is also upheld by the third parties they engage. To create this culture, the organization must run information security awareness campaigns regularly, with awareness sessions and activities targeted at specific audiences (Watkins, 2013a). These awareness campaigns are essential for informing the organization's various departments of their security responsibilities, making information security a mutual task for every department.
Secondly, the organization should have cross-functional teams. This requires the company to have risk councils and information security committees that work to improve the functional areas of the company and the overall security position of the organization. The human resources function must be involved in the entrance and exit policies and procedures relating to information security, to ensure that employees do not leave the organization with confidential information. Cross-functional teams also have the advantage of enhancing communication and collaboration while reducing isolation of departments and duplicated effort. This in turn reduces costs for the organization and improves its profitability (Smedinghoff, 2008).
The management of the organization must be committed to focusing on the organizational culture. The organization's culture guides the thinking behind the way things are done in the organization. If the management team does not support the information security program, policies, and procedures, other employees also become discouraged from following the program (Maddock, 2010).
Therefore, it is essential for all senior employees within the organization -- the management team, executives, board of directors, and others -- to own the information security policies and procedures.
The company should also have a strong culture geared towards information security. This culture should be aligned with the business objectives. A clear relationship between information security and the business objectives should be drawn so that system end users understand the reality surrounding risk reduction (Krausz, 2010).
The company should also have a risk-based approach to information security. This means the company should implement controls even when there is little or no risk. This proactive method of risk management optimizes the flexibility of the organization, reduces the impact of risks and threats when they arise, and improves the regulatory compliance of the organization (Krausz, 2010).
Companies should also balance people, process, technology, and organization. Effective risk management requires the organization to support its employees through efficient processes and the use of appropriate tools and equipment, so that people, organization, process, and technology are in balance. These should be properly aligned to support each other and prevent waste.
Circumventing security measures
Threats to information security
IBM estimates that there are close to 100 million information security events annually and that these increase by 12% year on year. These security breaches have negative consequences such as damage to brand reputation, …
Management Information Systems Security. (2014, December 15). Retrieved March 22, 2017, from http://www.essaytown.com/subjects/paper/management-information-systems/7084752