Capstone Project: Computer Security People, Process

Pages: 15 (4780 words)  ·  Bibliography Sources: 10  ·  Level: Doctorate  ·  Topic: Business - Management


[. . .] It also emphasizes that national law should impose strict policies on the confidentiality of organizations' data. These principles also include procedures and technological requirements for dealing with the entities' security needs.

The first principle addresses the security organization and infrastructure. It also defines responsibilities with respect to executive protection, while the second principle requires that the policies and standards issued by management be developed and executed. The security controls developed in an organization should not be created in isolation; rather, they should be linked with the organization's ongoing activities, so that the risks the organization faces are incorporated. The third principle continues with the risk assessment procedures that should be performed across all stages of application, database and network work. A project should also be initiated to keep a check on the financial plan and the assets required to identify and reduce risks and to execute controls. The organization should conduct training programs to ensure that employees are well aware of their responsibilities, so that their work becomes more effective. The fourth principle aims to develop a bond of goodwill and trust between employees, management and third parties, in order to make transactions easier and to sustain privacy. The fifth and last principle stresses conformity testing, which is carried out by external and internal auditors who monitor the efficacy of the security program. Website visits and e-mail use should be strictly monitored as a practical approach to identifying risks to confidential information. The latest research work of Tudor states that disaster recovery and business continuity are the two factors that can protect an entity's assets and useful information (Holborn, 2005).

Strategic plan

An all-inclusive inventory of components was compiled from the pertinent sections of ISO 17799, some points from the Capability Maturity Model, components of PROTECT and fundamentals of the ISA method. These components were chosen from every method, and each component was represented either as an important principle (for instance, "risk focus") or as an information security control (for instance, "business continuity"). Components were grouped wherever they coincided across the various methodologies (ISO 17799, 2005).

As far as the scope of the information security components is concerned, the components of ISO/IEC 17799 (2005) and of the Capability Maturity Model by Campbell and McCarthy are considered to be complete. For this reason, their ratios of representation are higher than those for the methodologies put forth by Tudor and by Eloff and Eloff. When leading information security in any company, many researchers consider trust, ethical conduct and corporate governance to be the key features of any approach. These features are, however, lacking in the above-mentioned approaches (Donaldson, 2005; Flowerday & Von Solms, 2006; Trompeter & Eloff, 2001).

Eloff and Eloff (2005) are of the view that a complete group of controls needs to be studied, focused predominantly on presenting a uniform approach to organizing an information security program. The approach presented by Eloff is the only one that addresses ethical conduct. Trompeter and Eloff (2001) are of the opinion that employees must incorporate ethical values into their lives in matters pertaining to the information security of their organization. Baggett (2003) states that business values pertaining to both social responsibility and profit making should be developed and communicated by the administration and the owners of the organization. To ensure that the preferred information security environment develops, ethical values such as not using the Internet for personal reasons while at work and not taking the company's software home without permission should be inculcated in employees. Though the Eloff methodology (Eloff & Eloff, 2005) is all-inclusive, it makes no remarks about factors such as incident management and business continuity.

The approach by Tudor (2000) is the only one that makes some remarks about trust. Von Solms (2000) regards trust as perhaps the most significant area of concern when instituting information security in an Information Technology setting. If trust is reciprocated between employees and management, it becomes easier to apply new processes and to guide employees through behavioral changes relating to information security. Trust, ethical values and corporate governance should all be incorporated into the approach a business uses, to offer a detailed collection of information security components that can counter risks such as social engineering attempts, fraudulent activities and abuse of information systems.

Plan of action for implementing your problem solution

By combining the approaches in the field of information security control, one can compile an all-inclusive group of components for studying information security control. The suggested information security governance structure can be employed as a preliminary step toward information security governance, through the development of guiding principles and the application of controls to counter the risks recognized by businesses, for instance misuse of Internet surfing, identity theft and data corruption. This new structure can be used to guide employee behavior in all desired aspects of information security. Moreover, it can help nurture the desired degree of information security in the environment (Baggett, 2003).

Finally, this governance model gives the administration a way to apply an effective and complete program of information security governance that covers the procedural, technical and human components. It combines the components of the previously mentioned approaches and also incorporates components that have not been considered before, for instance trust. Therefore, the framework gives a distinct reference point for managing information security so that the desired level of information security can be instilled in the organizational culture. Because every organization's culture is different and faces its own legal constraints, some components may be needed while others may not (Baggett, 2003).

The information security model is divided into four levels, viz. A, B, C and D. Level A comprises tactical, administrative/application-based and technical security components. The tactical components give guidance to the administrative and functional components.

Level B comprises six core groups, which are classified in relation to the three categories of Level A. The six core categories are:

* Tactical:

- Direction and governance.

* Administrative and Functional:

- Security organization and association;

- Security measures and regulations;

- Security program organization; and

- User security organization.

* Technological:

- Technology protection and operations (Baggett, 2003).

Level C comprises an all-inclusive inventory of information security components classified under the six core categories of Level B. Each of these six core categories is affected by change, i.e. Level D (Baggett, 2003).

Applying information security components brings about change in an organization's procedures and affects the manner in which people complete their tasks. Verton (2000) is of the opinion that establishments do not change by themselves, but employees do, and hence employees change establishments. In an organization, changes related to information security need to be acknowledged and administered in a manner that enables employees to integrate them into their daily tasks. While applying any information security component, the "Change" component should be accounted for. The six core classifications of information security components and the structure are stated below.

Leadership and Governance

Information security is of great importance for the government, which is why maximum support is provided at the top administrative level in order to protect information records. Collaboration between the IT department and corporate governance is responsible for providing the best information security governance (Von Solms, 2005). It is the responsibility of the board, through corporate governance, to successfully manage the organization with good leadership (King Report, 2001; Donaldson, 2005). By corporate governance, one means authority, ownership rights, reporting structure, the ability to see and predict future patterns, and the policies and procedures adopted by the company (Knapp, Marshall, Rainer, & Morrow, 2004). IT governance also includes the policies related to the governance of the organization's technology and information security, as stated by Posthumus and Von Solms (2005).

According to research performed by Gartner (Security, 2005), deploying security development tools, dealing with security violations and disruptions, and handling privacy rules and regulations are among the main responsibilities of Chief Information Officers (CIOs), i.e. they are among their top ten priorities. Good information security leadership can be demonstrated by adopting these measures, which show that management treats security as a main issue in the development process.

Developing an information security strategy for an organization also falls under the responsibility of leadership and governance. This strategy involves dealing with information coercions by…


Citation: Computer Security People, Process. (2012, March 28). Retrieved August 25, 2019.