Information Security
The modern-day organization operates in a very different environment from the organizations of the past. This difference has been brought about by the opening up of the world through phenomena such as globalization and the internet. Globalization has broken down the barriers that previously existed between nations, converting the world into one big global village. The internet, for its part, has provided a platform on which organizations can conduct their business. However, these two phenomena are not risk free; on the contrary, they are laced with multiple threats and vulnerabilities. The essay that follows comes against this backdrop to identify the three major information security threats faced by an organization.
Threats and vulnerabilities occur jointly as risks in the information system of an organization. In other words, a risk is said to occur when a threat meets a vulnerability. Organizations face a number of threats and vulnerabilities. The threats include intruders, hackers, and sloppy current employees. The corresponding vulnerabilities might include a lack of controlled entrance, a poorly configured firewall, and a poor accountability system for monitoring employees (Gregg, 2005). The exposed risks include theft, stolen client information, and loss of integrity in the data entered by these employees. The correlation between threat, vulnerability, and risk can be tabulated as shown hereunder:
| Type of Threat | Threat | Vulnerability | Exposed Risk |
| --- | --- | --- | --- |
| Human factor, internal threat | Intruder | Lack of controlled entrance | Theft |
| Human factor, external threat | Hacker | Poorly configured firewall | Stolen client information |
| Human factor, internal threat | Sloppy employee | Poor accountability and lack of an audit policy | Lack of integrity in data entered into the system |
Table 1: The relationship between threat, vulnerability, and risk
Any organization wishing to safeguard its information system must unearth all vulnerabilities in the system and address them forthwith; failing this, a threat might take root and place the entire system at risk (Gregg, 2005). The organization must address the vulnerabilities that have been identified. By dealing with these vulnerabilities, the organization seals the loopholes and thereby ensures that the threats do not materialize in the information security system.
All three threats arise from human factors. Two of them, namely the intruder and the sloppy employee, are internal to the organization, while the threat posed by hackers emanates from outside the organization. These threats, together with the vulnerabilities that give rise to them, are fuelled by human factors.
In the event that the organization fails to deal with the vulnerabilities, the threats identified above can easily take root and jeopardize the integrity and security of the information system. When crucial data is manipulated before it is input or processed by the system, the whole organization is placed at risk. This is because various departments within the organization might rely on the wrong set of data to formulate important decisions (Gregg, 2005).
Aside from data manipulation by fraudulent employees, the other threat that can occur in an organization relates to employees accessing information that their clearance level does not permit them to access. This is considered a breach of the IT security system, and it exposes the organization to the risk of external attacks from hackers and crackers.
Employees in the habit of such access can also leave a backdoor open, exposing the organization's crucial and confidential data to external intruders. A leak of sensitive information to the organization's competitors might jeopardize the organization's competitive advantage. Should the leak involve sensitive client information, it can inflict direct harm on the clients, who would seek redress by suing the organization.
The threats and vulnerabilities noted must be assessed according to the effect they will have on the organization. Threats and vulnerabilities are usually graded, that is, assigned a value, by measuring them in terms of capability and motivation. For instance, hackers have a high motivation to inflict harm on an organization's information security system, and they are capable of doing so with ease (Gregg, 2005). On the other hand, non-technical staff accessing the information system might be taken to have lower motivation, but their capability might still be high, because they not only offer a backdoor to hackers but might also steal electronic data from the system and sell it to the organization's competitors.
A low value can be allocated to threats and vulnerabilities that have little or no motivation or capability, while a high value can be ascribed to those possessing high motivation and capability. This allocation of value to threats and vulnerabilities renders the risk facing the organization's information system quantifiable. Quantification of risk is important because it gives management and policy makers a better appreciation of the implications that threats and vulnerabilities have for the well-being of the organization's information system (Gregg, 2005).
An organization seeking to manage its information security efforts must use a sound risk management technique. The technique used must confer more benefit on the organization than it costs, and the cost of the chosen technique should be kept low. The process of risk analysis follows three successive steps:
- Understanding risks: this requires that the organization understand the two components of risk, threats and vulnerabilities, and how they can occur.
- Determining the approximate cost if the risks occur: the tenet of cost-benefit analysis dictates that the organization should centre its attention on those risks that have the highest potential cost.
- Coming up with appropriate and workable policies and measures that will:
  - Reduce the likelihood of the threat taking place
  - Deter or detect the threat
  - Facilitate a recovery program in the event that the threat happens
When carrying out the cost-benefit analysis of risk management techniques, the organization must take into account the type of risk, the likelihood of its occurrence, and the potential cost it would impose on the organization if it ever occurred. All of this can be determined through the process of risk assessment, and the organization can then act on the findings of such an assessment.
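The grading of threats by motivation and capability and the three-step cost-benefit process above can be put together in a small risk register. The following is an added example, not code from the essay or from Gregg (2005); the three rows are taken from Table 1, and every number in them (motivation and capability on an assumed 1 to 3 scale, yearly likelihood, cost per incident, control cost and the fraction of incidents a control prevents) is a constructed, illustrative estimate.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One row of the risk register: a threat meeting a vulnerability (Table 1)."""
    threat: str
    vulnerability: str
    exposed_risk: str
    motivation: int       # 1 = little or none, 2 = moderate, 3 = high (assumed scale)
    capability: int       # same assumed scale
    likelihood: float     # estimated occurrences per year (constructed)
    impact_cost: float    # estimated cost per occurrence (constructed)
    control_cost: float   # yearly cost of the proposed control (constructed)
    reduction: float      # fraction of the likelihood the control removes

def threat_value(r: Risk) -> str:
    """Grade as the essay does: low if motivation or capability is little or none,
    high if both are high; the in-between grade 'moderate' is an assumption."""
    if r.motivation <= 1 or r.capability <= 1:
        return "low"
    if r.motivation == 3 and r.capability == 3:
        return "high"
    return "moderate"

def expected_loss(r: Risk) -> float:
    """Approximate yearly cost if the risk occurs: likelihood times impact."""
    return r.likelihood * r.impact_cost

def net_benefit(r: Risk) -> float:
    """Loss avoided by the control minus what the control costs per year."""
    return expected_loss(r) * r.reduction - r.control_cost

def prioritize(register: list) -> list:
    """Rank by expected loss (highest potential cost first) and flag whether
    each proposed control pays for itself, which is the cost-benefit tenet."""
    ranked = sorted(register, key=expected_loss, reverse=True)
    return [{"threat": r.threat, "grade": threat_value(r),
             "expected_loss": expected_loss(r), "net_benefit": net_benefit(r),
             "control_justified": net_benefit(r) > 0} for r in ranked]

# Constructed register built from the three Table 1 rows; all figures are illustrative.
REGISTER = [
    Risk("Intruder", "Lack of controlled entrance", "Theft", 2, 2, 0.5, 20_000, 3_000, 0.8),
    Risk("Hacker", "Poorly configured firewall", "Stolen client information", 3, 3, 0.2, 250_000, 8_000, 0.7),
    Risk("Sloppy employee", "Poor accountability, no audit policy", "Loss of data integrity", 1, 2, 4.0, 1_500, 5_000, 0.5),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```

With these constructed figures the hacker risk ranks first, and the proposed control for the sloppy-employee risk costs more per year than the loss it would avoid, so the register flags it for a cheaper control rather than leaving the vulnerability unaddressed.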
The legal, ethical, and regulatory requirements for protecting data
All organizations are required to safeguard the data submitted to them by their various stakeholders. The regulations safeguarding an organization's data take the form of laws, ethics, and policies. A law is a rule that either allows or prohibits certain behaviour; ethics, on the other hand, refers to behaviours that are socially acceptable, while policies outline the acceptable behaviours of employees in a workplace environment.
Organizations are expected to adhere to the established laws on data protection; failing this, they can be held liable for any resulting damage. In a bid to protect themselves, organizations have laid down rules (policies) which all employees must follow to the letter. Additionally, most organizations strive to remind their employees of the importance of adhering to the law and behaving ethically in their everyday business (Warren, 1962).
In the US, the laws on data protection are stringent, and an individual found guilty of breaking the law risks serving up to 20 years in prison. These laws address threats such as identity theft, violations of the privacy of customers' data, and espionage. The ethical rules governing data protection cover the misuse of corporate resources, software infringement, and other illicit use. All of these must be addressed to ensure that the data in the custody of the organization is safe and secure.
References
Gregg, M. (2005). CISSP Security Management Practices. Retrieved 7 October 2013 from <http://www.pearsonitcertification.com/articles/article.aspx?p=418007&seqNum=4>
Warren, E. (1962). Legal, Ethical, and Professional Issues in Information Security.