The Role of Information Security Essay
For any business, the need to protect its assets is just as important as the need to maintain or increase its bottom line. If a business does not, will not, or cannot enact a security plan that is equal to or greater than its needs, it may find itself rapidly losing its assets, its monies, or completely out of business. In addition to a robust security policy, there must also be robust standards put into place to clearly define the roles the employees, as well as the management, must play, so that those roles can be properly carried out.
Security and unauthorized decryption and access (also known as hacking) are running a perpetual race for primacy, with that primacy switching hands alternately: white-hat, black-hat, white-hat, black-hat, and so on. Because of this back-and-forth evolutionary process, a company cannot have just a security policy that is good for the moment; it must have a security policy that is scalable and has the growth potential to keep pace with the next powerful threats that will inevitably come down the pike.
There is also a less colorful reason that information security practices need policies and standards: compliance. Many government bodies have been established for just this reason. As stated by the Rutgers Office of Information Technology, “The protection and management of non-public personal information (NPPI) must comply with a variety of state and federal laws. Accurate and reliable reporting according to these laws has an impact on the business and financial health of (any institution). Failure to comply with these guidelines can have direct effects on the business’s ability to do business and continue its mission.”

The Role of the Employee

With all the elements that have to be taken into account when defining a suitable information technology security plan, the planners can fail to think of one potentially devastating threat: people.
While outside people (or users) are always looked at as possible assailants of the information system, inside people (the employees) can be overlooked because they are usually considered to have the best interests of the company at heart. This is not to say that a company’s employees are out to destroy the company they work for. Often it is the furthest thing from an employee’s mind. It is negligence, carelessness, and the attempted circumvention of established guidelines that usually cause the most problems.
According to the Center on Human Development and Disability (2010), things like: “…reporting all suspected security and/or policy breaches to an appropriate authority, not disabling firewall and/or anti-virus applications, protecting access accounts, privileges, and associated passwords, accepting accountability for individual user accounts, and above all, maintaining confidentiality,” are all accepted ways for employees to aid in the fight to protect their company’s assets.
Security Access Levels

Security access levels are a vital part of securing an information security system, and there are many ways to define them. The first one that may spring to mind for many is the system known as the Bell-LaPadula security model. According to Principles of Computer Security (2010), “the U.S. military encouraged the development of the Bell-LaPadula security model to address data confidentiality in computer operating systems. This model is especially useful in designing multilevel security systems that implement the military’s hierarchical security scheme which includes levels of classification such as Unclassified, Confidential, Secret, and Top Secret. Similar classification schemes can be used in industry, where classifications might include Publicly Releasable, Proprietary, and Company Confidential.”

To define each of these levels we will start with the lowest level first and ascend accordingly.
Unclassified/Publicly Releasable – access by any party is allowed without restriction
Confidential/Company Confidential – access is usually restricted to employees only
Secret – reserved for management and above
Top Secret – strictly for upper management and CEOs only

Even with these level designations, companies still have a tendency not to manage the information security issues associated with an employee’s termination or separation from the company.
Many times, an ex-employee can find that their login info, as well as their application and website access, still exists, or was not removed in a timely fashion. This major oversight or lack of efficiency can leave a company extremely vulnerable to attack and exploitation. Although this lack of foresight has been a problem for some companies in the recent past, there is a trend toward having a policy in place for the removal of all appropriate employee access upon termination, carried out by a department usually labeled the Information Security Access department.
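An offboarding audit of the kind such a department could run, as an added example that is not part of the original essay: it compares HR separation times against an account export and ranks leftover access using the four levels defined above. The account names, systems, dates and the 24-hour removal deadline are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Optional

class Level(IntEnum):  # the essay's four levels, lowest first
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Account:
    user: str
    system: str
    level: Level
    enabled: bool
    last_login: Optional[datetime]

# Constructed sample data: HR separation times and an account export.
NOW = datetime(2024, 3, 10, 9, 0)
TERMINATED = {"jdoe": datetime(2024, 3, 1, 17, 0),
              "asmith": datetime(2024, 3, 9, 17, 0)}
ACCOUNTS = [
    Account("jdoe", "directory", Level.CONFIDENTIAL, False, datetime(2024, 3, 1, 9, 0)),
    Account("jdoe", "crm", Level.SECRET, True, datetime(2024, 3, 5, 22, 14)),
    Account("jdoe", "website", Level.UNCLASSIFIED, True, None),
    Account("asmith", "directory", Level.TOP_SECRET, True, datetime(2024, 3, 9, 8, 30)),
    Account("asmith", "vpn", Level.CONFIDENTIAL, True, datetime(2024, 3, 9, 23, 40)),
    Account("bkhan", "directory", Level.SECRET, True, datetime(2024, 3, 10, 8, 0)),
]

def audit_offboarding(accounts, terminated, now, grace=timedelta(hours=24)):
    """Flag still-enabled accounts of separated staff, worst first."""
    findings = []
    for acct in accounts:
        left = terminated.get(acct.user)
        if left is None or not acct.enabled:
            continue  # current employee, or access already removed
        overdue = now - left > grace  # assumed policy: remove within 24 hours
        used_after_exit = acct.last_login is not None and acct.last_login > left
        if overdue or used_after_exit:
            findings.append({"user": acct.user, "system": acct.system,
                             "level": acct.level, "overdue": overdue,
                             "used_after_exit": used_after_exit})
    # Post-exit use outranks mere lateness; higher access level breaks ties.
    findings.sort(key=lambda f: (f["used_after_exit"], f["level"]), reverse=True)
    return findings

if __name__ == "__main__":
    for f in audit_offboarding(ACCOUNTS, TERMINATED, NOW):
        print(f["user"], f["system"], f["level"].name, f["overdue"], f["used_after_exit"])
```

An account used after the separation time is reported even inside the removal window, since that is access the policy was meant to prevent rather than a late cleanup.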
Conclusion

Once an organization or business has taken the time to analyze its weaknesses, strengths, pitfalls, and foundations, it can more accurately design a system that addresses any issues that comprehensive study has unearthed. The final step then becomes how to make that policy structure adhere, in the most efficient and cost-effective manner, to the needs that the study has defined. The most expeditious manner is to institute a schedule for the implementation of the new policy where the employees are included in the loop.
This clears the way for things like testing and training so that once the go-live date is reached, the number of errors or service issues will be as low as possible. Even though a go-live date can pass without event (though this is not likely!) there should still be a plan for a continued level of technical support, as well as continued training. This ensures that as the company grows, the security infrastructure that the company has labored to produce will also continue to grow and evolve.
The final point to be made in this paper is that even after all the points have been addressed to the best effect possible, there is still one area of difficulty and vulnerability that every business must be ever vigilant to prevent. That area is complacency. No information security setup is ever perfect, nor is any so well constructed that it does not need constant supervision. As long as a company is willing to keep a continual investment in its own integrity, the issues it will face should be kept to a minimum.