Information security is important to an organization's objectives. The uncertainties that organizations are exposed to are wide and varied, and managing them is an uphill task. Information security management is therefore vital in overcoming these uncertainties. It is the field of management concerned with protecting information and information systems from unauthorized access, use, disclosure, modification or destruction. The information security management approach is used to meet the firm's objective of maintaining the integrity, availability, accountability, confidentiality and assurance of its information.
Information security management tools that can identify and rate system vulnerabilities are a must so that effective solutions can be sought. In this paper we evaluate the best methodology for implementing the highest level of security by merging security tools with management of the information. The topic of information security management is important today because of the emergence of the global economy, the transformation of industrial economies and the transformation of the business enterprise. This makes the discussion essential in today's business, particularly for organizations like the Royal Commission for Jubail and Yanbu (RCJY), which welcomes local and international enterprises to invest in its properties. RCJY and businesses like it must provide a secure foundation of information security in order for investing enterprises to survive and meet their strategic goals. The need for information security has grown with the increased use of the internet and IT. Intruders, including malware such as viruses, pose a threat, and an organization should be aware of the threats to the security of its information from both its employees and outsiders.
Objectives of the study
This study investigates the information security management problems affecting firms, their impact on the organization and the strategies for securing an organization's information. It narrows down to defining risk in relation to information systems. Since managing information risk involves many risks, this paper seeks to answer the following research questions concerning information systems:
- What are the factors affecting information security in organizations?
- With respect to information systems, what is a risk and how can risks be avoided?
With respect to information systems, a risk is the potential harm that could be caused to an organization's information by an event or process. Information risk management is the response of an organization's management to the risks posed by loss of availability, integrity or confidentiality of the organization's information. Risks and threats are interrelated: a threat is anything with the potential to tamper with the organization's information. The following are types of threats to an organization's information security.
- Software alteration: the intentional alteration of a company's information through deletion, separation or omission of data.
- Acts of nature: natural disasters such as earthquakes, typhoons and tornadoes, which can distort organizational information or cause total or partial loss of it.
- Electrical interference: this usually results from power interruptions or fluctuations and can deny some users access to data.
- Alteration of data: this may be intentional or unintentional, and may be done by outsiders or by employees of the organization. It leads to distorted information and interferes with the confidentiality, integrity and availability of the information.
Others are telecommunication malfunctions, system configuration errors, bandwidth exhaustion and accidental erasure. Information security management involves information risk assessment, security controls, monitoring of security, the strategies to be used, and monitoring and updating the security process.
The organization's management is responsible for rallying everyone in the organization, from the board of directors to the employees, to support its mandate to improve information security. Senior management should support and establish policies, implement them and oversee the mitigation of risks; security across the entire organization should be integrated by management (FFIEC, 2006).
Information security risk assessment
All threats constitute information security risk. Information risk (security) management is therefore very important to the organization because it prepares the organization for information risks and defines the means it will use to reduce the damage. This helps the organization keep customers' information confidential.
There are stages an organization must go through to manage risks: gathering the required information, identifying information systems, analysing the information (classifying and ranking applications, data and systems) and assigning risk ratings (Elky, 2006).
An organization must always devise ways to deal with risks as they occur, because, like misfortunes, it is not known when they will occur. There are four risk management strategies:
Mitigation: the use of compensating measures that lower the likelihood or impact of the risk. It can also involve fixing the underlying problem.
Transference: the risk is transferred to another organization, which bears it on the initial organization's behalf (for example through insurance). This is the least common of the four.
Acceptance: the organization's system is allowed to operate with a known risk. This is common for low-impact risks and for risks that are too costly to mitigate.
Avoidance: the vulnerable aspect of the system is removed so that the expected risk is avoided altogether.
Risks should always be assessed. This lets the organization know the likelihood of a risk occurring and its expected impact. Risks can be assessed using either qualitative or quantitative methods. A quantitative assessment expresses likelihood and impact in figures (probabilities and monetary loss); such figures are rarely exact, and obtaining them is itself costly. A qualitative assessment rates likelihood and impact on ordinal scales such as high, medium and low. Many organizations prefer a qualitative assessment because it is faster and cheaper to perform and does not depend on figures that are difficult to obtain.
Information risks and the management strategies must be communicated clearly to both the organization's management and its employees. A risk should be presented in terms of its likelihood of occurring and its impact, clearly and directly to the point. Management usually considers the cost of each risk management strategy and the expected return on the investment before funding it. In a quantitative risk assessment this comparison is made explicitly: the cost of the management strategy is set against the loss it is expected to prevent (Elky, 2006).
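The following is an added worked example of the two assessment styles described above; it is not code from the paper or from the cited sources. The qualitative part combines ordinal likelihood and impact ratings into a single rating, and the quantitative part compares the expected annual loss a control avoids with what the control costs. The rating thresholds, the expected-loss formula (cost of one occurrence multiplied by expected occurrences per year) and all figures in the register are assumptions made for illustration.

```python
"""Risk rating and control cost comparison (illustrative figures, all invented)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales used by the qualitative assessment (assumed three-level scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine two ordinal ratings into one; the thresholds are an assumption."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    single_loss: float      # estimated cost of one occurrence
    annual_rate: float      # expected occurrences per year without the control
    control: str
    control_cost: float     # annual cost of the proposed control
    residual_rate: float    # expected occurrences per year with the control in place

    def rating(self) -> str:
        return qualitative_rating(self.likelihood, self.impact)

    def expected_annual_loss(self, with_control: bool = False) -> float:
        """Quantitative estimate: cost of one occurrence times occurrences per year."""
        rate = self.residual_rate if with_control else self.annual_rate
        return self.single_loss * rate


def control_decision(risk: Risk) -> Tuple[str, float]:
    """Return (strategy, net benefit per year): mitigate when the avoided loss exceeds the cost."""
    avoided = risk.expected_annual_loss() - risk.expected_annual_loss(with_control=True)
    net = avoided - risk.control_cost
    return ("mitigate" if net > 0 else "accept", net)


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest qualitative rating first; ties broken by expected annual loss."""
    return sorted(risks, key=lambda r: (LEVELS[r.rating()], r.expected_annual_loss()), reverse=True)


# Constructed sample register; assets, threats and figures are invented.
REGISTER = [
    Risk("file server", "ransomware", "medium", "high", 200_000, 0.2, "offline backups", 15_000, 0.02),
    Risk("public website", "denial of service", "high", "medium", 5_000, 2.0, "DoS scrubbing service", 20_000, 0.5),
    Risk("data centre", "earthquake", "low", "high", 1_000_000, 0.01, "second site", 300_000, 0.001),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        strategy, net = control_decision(r)
        print(f"{r.asset:15} {r.threat:18} rating={r.rating():7} "
              f"EAL={r.expected_annual_loss():>9,.0f}  {r.control}: {strategy} (net {net:,.0f}/yr)")
```

The ranking drives the order in which risks are presented to management; the net figure is what a quantitative assessment adds to that presentation. Note that the earthquake risk is ranked only "medium" and its control is rejected on cost, which is exactly the kind of risk the transference strategy (insurance) exists for.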
Information security management system
This is a system that defines the technologies and the processes the employees of an organization use. Different organizations use different technologies and systems in their various departments; thus there are systems designed for different purposes, such as enterprise management, safety, personnel, risk and health. Since organizations have different cultures, the systems they use differ and are chosen to suit the organization's culture. Despite their varied nature, the systems used by organizations have common elements (Whiteman & Herbert, 2009).
An information security management system (ISMS) focuses on the security management of information in an organization. Information management in organizations faces numerous challenges from advancing technology, such as complying with new privacy rules and securing information. The ISMS manages all of a company's information, in soft copy and in hard copy. Its most important process is risk management, which requires serious commitment from management, including training and awareness (Whiteman & Herbert, 2009).
Benefits of the information security management system
According to Whiteman & Herbert (2009), the ISMS assures management of the security of their data and information. A well-implemented ISMS gives management confidence in the security of the organization's assets.
Pitfalls in the implementation of an ISMS
- Inadequate commitment from the organization's top management
- Inappropriate, inaccurate or insufficient definition of the issues to be addressed
- Lack of awareness among the company's employees; they may not know to enable virus detection or to put up a firewall
- Lack of competence or expertise among employees, due to technological change or lack of training
- Implementation flaws such as open firewalls, default passwords and disabled passwords are common. These result from lack of awareness on the part of employees as well as management
- Lack of risk assessment, which can result from skewed expenditure of resources, with more spent on some areas than others
- Inadequate resources
Security is the state of being free from danger or from one's adversaries. For an organization to succeed, it must have security in its various sections, including physical security (the protection of the organization's physical assets), personnel security, operations security, communications security, network security and information security. According to Whiteman & Herbert (2009), information security is the ability of an organization to protect its information, including the elements involved such as the systems and hardware it uses. Information security encompasses the information security management system, network security and the security of data and computers. The tools organizations use to protect their information are technology, education and training of employees, awareness, and the development of relevant policies. Many organizations base their information security on the C.I.A. model, which values three characteristics of information: confidentiality, integrity and availability. New technological innovations put the availability, integrity and confidentiality of the organization's information at stake, and the C.I.A. triangle on its own is no longer considered sufficient; it has been expanded into the longer list of characteristics of information given below.
Characteristics of information
Availability: the accessibility of information by authorized users, without interference and in the needed format. Availability is violated when a user cannot get access to the correct information required.
Accuracy: information that is free from mistakes. Accuracy is compromised when information is tampered with, intentionally or unintentionally.
Authenticity: the genuineness or originality of information. Authentic information has not been changed since it was created; fabricated information is not authentic.
Confidentiality: protecting information from disclosure to unauthorized people. Only authorized people with the appropriate rights and privileges are allowed to access the information. Confidentiality can be strengthened by classifying the information, storing documents securely, applying the organization's general security policies, and educating information end users and custodians.
Accountability: policies and processes are put in place to meet the accountability requirements of the firm, so that actions on information can be traced to the responsible party.
Assurance: the organization's policies that are necessary for customers to develop confidence in the organization.
Once the organization realizes that it needs information security measures, it follows these steps:
Investigation: this is done to find out the main problem that the organization is facing. It starts by reviewing what gave rise to the problem and carrying out a cost-benefit analysis for the organization.
Analysis: this builds on the information obtained in the investigation phase. It establishes the current status of the organization's system and looks at the intended functions of the new system.
Design: after the analysis of the current situation, system developers begin developing the new system. Based on the needs of the business, applications and then data support structures are chosen to build the technology required to solve the problem. The phases that follow are physical design, implementation and maintenance.
Importance of information security
Many organizations would prefer to have a secure information system because they do not want to lose data through erroneous erasure, deletion (intentional or accidental), modification, or storage of data in insecure places such as the desktop, the trash or a website. One careless person in an organization can cause a great deal of loss and damage. Through education, training and awareness much of the human error committed by employees can be prevented, and this goes hand in hand with controls such as procedures, both simple and complex.
Another benefit of information security is the protection of patents and copyrights. By protecting its information system, the organization is able to protect its patents and copyrights by allowing access only to authorized persons. Allowing unauthorized persons to access an organization's copyrighted or patented material can result in piracy, especially when the material is tampered with. This also forms part of the information security threat to the organization's information.
Tools used in information risk management
Unwanted persons can access an organization's information through denial of service, remote login, system bugs, SMTP session hijacking, back door applications, viruses and so on. The tools applied in information risk management depend on the expected risk and the affected section of the organization. The following tools are effective in keeping the company's information secure and away from intruders:
Management employs methods that secure access to the organization's network, since it is through the network that outsiders can reach information about the organization's business. Top management uses the following tools:
Firewall: a security tool used by organizations to protect their network and thus their data. It filters the traffic entering the organization's network from the internet, restricting access to the organization's systems to authorized people, whether internal or external. Without a firewall anyone, including hackers, could reach the organization's systems. It helps keep hackers out and blocks access to offensive websites. It functions like a server filtering data, mediating between clients and inspecting every packet entering and leaving the organization, and so acts as a barrier against unwanted interference with data (Howstuffworks, 2010).
Outbound filtering: traffic leaving the organization is filtered as well, so that information that should not leave the organization cannot get out.
Malicious code filtering: this controls web browsing and other internet communications, blocking content known to be malicious.
Quarantine: the organization's internet-facing systems are protected by isolating actions and code that are malicious.
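As an added example (not code from the paper or from the Howstuffworks article), the packet filter below shows how the firewall and outbound filtering described above actually decide: rules are tried in order, the first match wins, and anything unmatched is dropped. It also includes the audit check a practitioner would run for the "open firewall" pitfall mentioned earlier. The ruleset, the addresses and the rule format are assumptions invented for the example.

```python
"""Minimal first-match packet filter with default deny and an open-rule audit."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" (entering the network) or "out" (leaving it)
    src: str               # CIDR block or "any"
    dst: str               # CIDR block or "any"
    dport: Optional[int]   # destination port, None = any port
    proto: str             # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dport: int
    proto: str


def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and rule.proto in ("any", pkt.proto))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet that matches nothing is dropped (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def open_rules(rules: List[Rule]) -> List[Rule]:
    """Audit check: allow rules with any source, any destination and any port ('open firewall')."""
    return [r for r in rules
            if r.action == "allow" and r.src == "any" and r.dst == "any" and r.dport is None]


# Constructed ruleset for an internal network numbered 10.0.0.0/8 (addresses invented).
RULES = [
    Rule("allow", "in", "any", "10.0.1.10/32", 443, "tcp"),         # public HTTPS server
    Rule("allow", "in", "10.0.0.0/8", "10.0.1.20/32", 22, "tcp"),   # SSH to the admin host, inside only
    Rule("allow", "out", "10.0.0.0/8", "any", 443, "tcp"),          # staff browsing over HTTPS
    Rule("allow", "out", "10.0.0.0/8", "10.0.1.30/32", 25, "tcp"),  # mail only through the internal relay
    Rule("deny", "out", "10.0.0.0/8", "any", 25, "tcp"),            # outbound filtering: no direct SMTP
]

if __name__ == "__main__":
    samples = [
        Packet("in", "203.0.113.5", "10.0.1.10", 443, "tcp"),   # customer reaching the web server
        Packet("in", "203.0.113.5", "10.0.1.20", 22, "tcp"),    # outsider probing SSH
        Packet("out", "10.0.5.7", "198.51.100.9", 25, "tcp"),   # workstation mailing out directly
        Packet("out", "10.0.5.7", "10.0.1.30", 25, "tcp"),      # workstation using the relay
    ]
    for pkt in samples:
        print(pkt.direction, pkt.src, "->", pkt.dst, pkt.dport, pkt.proto, "=>", filter_packet(RULES, pkt))
    print("open rules:", open_rules(RULES))
```

The outsider's SSH probe is denied not by an explicit rule but by the default: a firewall that ends in "allow anything" rather than "deny anything" is the open firewall the pitfalls list warns about, and open_rules() is the check for it.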
Proxy servers: a proxy server is a computer that acts as a server for other computers that act as clients. The client computers request information from the proxy, which in turn obtains it from other computers; the proxy mediates between the clients and the source of the information. When a client requests a file, the proxy evaluates the request by passing it through its filter. Once the filter validates the request, the proxy either provides the requested file itself or requests it on the client's behalf from the server that holds it. The proxy is also in a position to alter the client's request. A proxy server has advantages such as:
- The ability to keep the clients behind it anonymous, for security reasons.
- It can be used to bypass security controls, which is an advantage to the proxy's user but a risk to an organization whose employees route around its own controls through an outside proxy.
- It can circumvent regional restrictions.
- It scans data, holding back outbound content that should not leave.
- It enables employees of the organization to access the internet through a controlled point.
- It enables fast access to data through caching.
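The added example below (not code from the paper) models the proxy behaviour just listed: the proxy refuses requests for hosts that policy forbids, scans outgoing content for marked data, caches responses so repeated requests never reach the origin, and makes the upstream request itself so the origin never sees the client's address. There is no real network: the "origin servers", the hostnames and the sensitive marker are constructed stand-ins.

```python
"""A filtering, caching forward proxy simulated against constructed origin servers."""
from urllib.parse import urlsplit

# Constructed stand-in for origin servers on the internet (hostnames and content invented).
ORIGINS = {
    "intranet.example": {"/policy": "Security policy v3"},
    "vendor.example": {"/patch": "Patch notes for release 2"},
    "blocked.example": {"/": "malware landing page"},
}


class FilteringProxy:
    """A forward proxy that filters requests, scans outbound content, caches and logs."""

    def __init__(self, blocked_hosts, sensitive_markers):
        self.blocked_hosts = set(blocked_hosts)
        self.sensitive_markers = list(sensitive_markers)
        self.cache = {}          # (host, path) -> content
        self.log = []            # (client, url, outcome)

    def _fetch_origin(self, host, path):
        # The proxy makes the upstream request itself, so the origin sees the
        # proxy's address rather than the client's (this is what keeps clients anonymous).
        site = ORIGINS.get(host, {})
        if path not in site:
            return 404, ""
        return 200, site[path]

    def request(self, client, method, url, body=""):
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path or "/"
        # 1. Request filter: refuse hosts that policy forbids.
        if host in self.blocked_hosts:
            self.log.append((client, url, "blocked-host"))
            return 403, "blocked by policy"
        # 2. Outbound content scan: keep marked data from leaving the organization.
        for marker in self.sensitive_markers:
            if marker in body:
                self.log.append((client, url, "outbound-content"))
                return 403, "outbound content blocked"
        # 3. Cache: answer repeated GETs without going back to the origin.
        key = (host, path)
        if method == "GET" and key in self.cache:
            self.log.append((client, url, "cache-hit"))
            return 200, self.cache[key]
        status, content = self._fetch_origin(host, path)
        if method == "GET" and status == 200:
            self.cache[key] = content
        self.log.append((client, url, f"origin-{status}"))
        return status, content


def demo():
    proxy = FilteringProxy(blocked_hosts=["blocked.example"], sensitive_markers=["CONFIDENTIAL"])
    proxy.request("10.0.5.7", "GET", "http://intranet.example/policy")
    proxy.request("10.0.5.8", "GET", "http://intranet.example/policy")      # served from cache
    proxy.request("10.0.5.7", "GET", "http://blocked.example/")             # refused by policy
    proxy.request("10.0.5.7", "POST", "http://vendor.example/patch", "CONFIDENTIAL: Q3 figures")
    return proxy


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```

The proxy's log is the monitoring point management needs: every refused request and every outbound block is recorded against the requesting client.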
Encryption: a process by which plain text is transformed into ciphertext by means of an algorithm and a key. This makes the information unreadable to anyone except authorized people who hold the key, who can decrypt it back. Initially the process was used by governments and the military to hide information, but it is now used by many organizations to secure theirs. Organizations that frequently exchange data use encryption to protect the information exchanged across networks, because encrypted data, even if intercepted, cannot be read without the key (Howstuffworks, 2010).
Remote access controls: the organization's management restricts access to its information. This can be achieved through physical access controls, access system operation, credentials, system components, network topology and so on. Information access control can be implemented through discretionary or non-discretionary techniques.
Access to operating systems
An organization should secure its operating systems, because an unauthorized person with malicious intent who gains access to one can bring down the organization's entire system. This is done by using appropriate technology to limit the number of people who can access it.
Physical and environmental protection: the organization's management puts in place a system that protects and prevents damage to the organization's information from environmental events such as earthquakes, tornadoes, tsunamis and floods.
In addition, the organization's management should take care of the information held in file cabinets and data centers. This includes using uninterruptible power supplies, operations centers and other telecommunications equipment.
Everybody in the organization has a role to play in information security management. Top management is to make sure that the policies put in place to secure information are followed to the letter, and employees are to follow the organization's information security policies. They are to show loyalty to the firm and thus ensure the confidentiality and integrity of the organization's information.
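The difference between discretionary and non-discretionary access control mentioned above is easiest to see in code. The added example below (not from the paper or FFIEC) keeps a discretionary ACL on each resource, which its owner may extend, under a centrally set non-discretionary policy of clearance labels and permitted hours that no owner can override; every decision is written to an audit log. The classification levels, users, hours and the rule that the owner's "share" permission is needed to grant access are assumptions for the example.

```python
"""Discretionary ACLs under a non-discretionary policy of labels and working hours."""
from datetime import time

# Classification levels in increasing order of sensitivity (assumed scale).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class Resource:
    """A file or record. Its ACL is discretionary: the owner decides who else may use it."""

    def __init__(self, name, owner, classification):
        self.name = name
        self.owner = owner
        self.classification = classification
        self.acl = {owner: {"read", "write", "share"}}

    def grant(self, granter, user, permissions):
        """Only a holder of 'share' may extend access; returns False instead of granting otherwise."""
        if "share" not in self.acl.get(granter, set()):
            return False
        self.acl.setdefault(user, set()).update(permissions)
        return True


class Policy:
    """Non-discretionary rules set centrally by the organization; no owner can override them."""

    def __init__(self, clearances, start: time, end: time):
        self.clearances = dict(clearances)      # user -> highest classification they may read
        self.start, self.end = start, end       # permitted hours for access

    def check(self, user, resource, now: time):
        user_level = LEVELS[self.clearances.get(user, "public")]
        if user_level < LEVELS[resource.classification]:
            return False, "clearance below classification"     # no reading above one's clearance
        if not (self.start <= now < self.end):
            return False, "outside permitted hours"
        return True, "policy ok"


def authorize(policy, resource, user, action, now, audit):
    """Mandatory policy first, then the discretionary ACL; every decision is logged."""
    ok, reason = policy.check(user, resource, now)
    if ok and action not in resource.acl.get(user, set()):
        ok, reason = False, "not in ACL"
    if ok:
        reason = "granted"
    audit.append((user, action, resource.name, now.isoformat(), reason))
    return ok, reason


def demo():
    policy = Policy({"alice": "secret", "bob": "confidential", "carol": "internal"},
                    start=time(8, 0), end=time(18, 0))
    payroll = Resource("payroll.xlsx", owner="alice", classification="confidential")
    audit = []
    payroll.grant("alice", "bob", {"read"})        # owner shares with bob (discretionary)
    payroll.grant("alice", "carol", {"read"})      # owner shares with carol as well...
    results = [
        authorize(policy, payroll, "bob", "read", time(10, 0), audit),
        authorize(policy, payroll, "bob", "write", time(10, 0), audit),
        authorize(policy, payroll, "bob", "read", time(22, 0), audit),
        authorize(policy, payroll, "carol", "read", time(10, 0), audit),   # ...but the label policy wins
    ]
    return results, audit, payroll


if __name__ == "__main__":
    _, audit, _ = demo()
    for entry in audit:
        print(entry)
```

Carol's case is the point of the non-discretionary layer: the owner granted her access, and the ACL says yes, but the organization's classification policy still refuses because her clearance is below the resource's label.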
Antivirus software: a virus is software developed by a malicious person to harm another person's information or programs; it may delete them outright, and is aimed at causing destruction or gaining access to the information it targets. Antivirus software is developed to detect, prevent and remove such malicious code. Antivirus programs come in many types and vary in their detection methods: most match files against signatures of known viruses, and some can also report the damage a virus would cause and whether or not a program has malicious intent. Heuristic antivirus, with more advanced technology, is increasingly used today; it identifies new or mutating viruses, which would otherwise cause hidden damage to the organization's information, by their suspicious characteristics rather than by a known signature.
Another information protection tool is the logical control, which uses the identity of the user of a computer that holds the organization's information. Logical controls make use of passwords, user accounts, intruder controls, remote access controls and termination procedures (Howstuffworks, 2010).
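The two detection methods described above are contrasted in the added scanner below, which is not code from the paper or from any antivirus product. Signature detection looks for exact byte patterns of known samples; heuristic detection scores traits such as suspicious embedded strings and high-entropy (packed or encrypted) content, so it can flag a sample no signature knows, at the cost of possible false positives. The signatures, suspicious strings, score weights, entropy threshold and sample files are all constructed for the example.

```python
"""Signature matching beside heuristic scoring over constructed sample files."""
import math
from collections import Counter

# Constructed signatures: byte patterns from invented known samples. Real engines hold millions.
SIGNATURES = {
    "Trojan.Demo.A": b"\x90\x90\xcc\xeb\xfe",
    "Worm.Demo.B": b"EVIL_WORM_MARKER",
}

# Strings whose presence in an executable is suspicious but not conclusive (assumed list).
SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"cmd.exe /c", b"powershell -enc", b"\\CurrentVersion\\Run"]
ENTROPY_THRESHOLD = 7.0     # bits per byte; packed or encrypted payloads approach 8.0
SUSPICIOUS_SCORE = 3        # assumed cut-off for the heuristic verdict


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_scan(data: bytes):
    """Exact-match detection: catches only samples whose pattern is already known."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(data: bytes):
    """Score traits of unknown code; can catch new or mutated samples, with some false positives."""
    score, reasons = 0, []
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            score += 2
            reasons.append(f"suspicious string {s!r}")
    if len(data) >= 256 and entropy(data) > ENTROPY_THRESHOLD:
        score += 3
        reasons.append("high entropy content (packed or encrypted payload)")
    return score, reasons


def scan(data: bytes) -> dict:
    """Combine both methods: a signature hit is conclusive, a high heuristic score is a warning."""
    sigs = signature_scan(data)
    score, reasons = heuristic_scan(data)
    if sigs:
        verdict = "malicious"
    elif score >= SUSPICIOUS_SCORE:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "signatures": sigs, "score": score, "reasons": reasons}


# Constructed sample files (not real executables).
PE_HEADER = b"MZ" + b"This program cannot be run in DOS mode."
CLEAN = PE_HEADER + b"hello world, nothing to see here. " * 20
KNOWN_BAD = PE_HEADER + b"setup" + SIGNATURES["Trojan.Demo.A"] + b"\x00" * 64
NOVEL_BAD = PE_HEADER + b"powershell -enc " + b"CreateRemoteThread" + bytes(range(256)) * 4

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("known", KNOWN_BAD), ("novel", NOVEL_BAD)]:
        print(label, scan(sample))
```

NOVEL_BAD carries no known signature and would pass a signature-only scanner; the heuristic catches it on its embedded strings and its uniformly distributed payload, which is what the text means by identifying new or mutating viruses.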
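The logical controls just listed (passwords, accounts, intruder lockout, remote access and termination) and the strong authentication for remote access mentioned later in the paper are brought together in the following added example, which is not code from the paper or its sources. Passwords are stored as salted PBKDF2 hashes, default passwords are refused at creation, repeated failures lock the account, remote logins additionally require a time-based one-time code (RFC 6238 TOTP computed from an RFC 4226 HOTP), and leavers are disabled rather than deleted so the audit trail survives. The iteration count, lockout threshold, default-password list and account data are assumptions for the example.

```python
"""Accounts with salted password hashing, lockout, TOTP for remote logins and termination."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000           # assumed; tune upward for production hardware
MAX_FAILURES = 5                  # assumed lockout threshold
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "123456", "welcome"}


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a stolen account database cannot simply be read back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


class Account:
    def __init__(self, name: str, password: str, totp_secret: bytes):
        self.name = name
        self.salt = os.urandom(16)
        self.hash = password_hash(password, self.salt)
        self.totp_secret = totp_secret
        self.failures = 0
        self.locked = False
        self.active = True


class Directory:
    """User accounts with intruder lockout, a second factor for remote logins and termination."""

    def __init__(self):
        self.accounts = {}
        self.audit = []

    def create(self, name, password, totp_secret):
        if password.lower() in DEFAULT_PASSWORDS or len(password) < 12:
            return False, "password is a default or too short"
        self.accounts[name] = Account(name, password, totp_secret)
        return True, "created"

    def terminate(self, name):
        """Leaver procedure: disable, never delete, so the audit trail stays intact."""
        if name in self.accounts:
            self.accounts[name].active = False
            self.audit.append((name, "terminated"))

    def login(self, name, password, now: int, remote=False, code=None):
        acct = self.accounts.get(name)
        # Same answer for unknown, terminated and wrong-password cases: no account enumeration.
        if acct is None or not acct.active:
            self.audit.append((name, "rejected"))
            return False, "invalid credentials"
        if acct.locked:
            self.audit.append((name, "locked"))
            return False, "account locked"
        if not hmac.compare_digest(password_hash(password, acct.salt), acct.hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True          # intruder lockout: stops online guessing
            self.audit.append((name, "rejected"))
            return False, "invalid credentials"
        if remote and not hmac.compare_digest(code or "", totp(acct.totp_secret, now)):
            self.audit.append((name, "rejected-2fa"))
            return False, "second factor required"
        acct.failures = 0
        self.audit.append((name, "remote-login" if remote else "login"))
        return True, "ok"


if __name__ == "__main__":
    d = Directory()
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    print(d.create("alice", "Correct-Horse-Battery-9", secret))
    print(d.login("alice", "Correct-Horse-Battery-9", now=59))
    print(d.login("alice", "Correct-Horse-Battery-9", now=59, remote=True))
    print(d.login("alice", "Correct-Horse-Battery-9", now=59, remote=True, code=totp(secret, 59)))
```

The lockout counter resets only on a successful login, and a locked account is refused before the password is even checked, so an attacker who keeps guessing learns nothing further about the password.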
Laws: according to Niatec (2010), laws can also serve as tools to protect an organization's data and information. Federal and state governments should enact laws governing the privacy of organizations, under which the organization or the individual is the sole controller of information concerning them. Rising cases of unauthorized information access have raised privacy concerns and led legislators to introduce regulations on information privacy. These laws have not been adopted by all states, and they should be. In addition, governments should deal strictly with criminal offences related to privacy and data security. Laws relating to information security include privacy laws and legislation, intellectual property laws, and federal and state statutes. This would deter would-be information hackers (Niatec, 2010).
Findings and discussion
This research finds that information security management is one of the major roles of an organization. An organization must do everything in its power to protect its assets, including information. To do this, the organization must analyse the risks its assets are exposed to; the risks are assessed and, where possible, mitigated. Risk assessment improves the preparedness of the organization. According to Elky (2006), risks are assessed by gathering the necessary information, identifying and analysing the information systems, and assigning risk ratings. Information security management involves designing a good security system and employing the best security services.
Tools used in information security management
The tools applied in information security management are many and varied. They are usually chosen according to the sector of the organization, and they must be cost-effective for the firm and in line with its objectives. These methods include:
Network access tools: methodologies that govern the organization's access to the network in order to secure its information. They restrict use of the network and what is actually exchanged in and out of the organization. They include servers, firewalls, malicious data filtering (controlling web browsing and other internet communications), outbound filtering, network intrusion prevention systems, quarantine and so on.
The organization's management is responsible for proper access to the network within the security domains it has set. It has to make sure that all technological controls on network access are implemented. In addition, it is to monitor anomalies in the system and those who violate the organization's policies (FFIEC, 2006).
Operating system access: methodologies used to restrict access to the organization's operating systems, since access to them could bring down the whole system of the organization. The organization should control access to its operating systems by limiting access to certain times of the day, logging access and security events, monitoring the system's access rules and employing a system that can analyse the activities of users (FFIEC, 2006).
Remote system access: this is achieved by management deploying remote access devices, strong authentication, and monitoring of all communications done remotely.
Physical and environmental protection: the organization takes into consideration all the risks associated with the physical environment and employs security measures that not only control but also prevent damage to information. Physical security zones should be defined and each zone provided with a method suited to the expected risks.
Other types of security to consider are security at the data center and of vaults and cabinets. The organization should prevent any program, such as a virus or worm, that tries to alter its code or programs (software); this is achieved through the use of antivirus software. Servers can also be employed to filter the information exchanged within the company and between the company and external users.
Information security is a big challenge. To tackle it, the organization's management must determine its current state of security. It can use multiple security systems to help assess the situation, then lay down priorities and strategies to deal with the security problem. This helps bar people from stealing the organization's information assets. In information security management every part of the organization must be involved, from the directors to the employees. The tools used include laws governing information privacy, operating system access controls, application access controls and network access controls. All of these tools, if effectively applied, will help the organization realize its objectives.
- Elky, S. (2006). An introduction to information system risk management. SANS Institute.
- FFIEC (2006). Information security. IT examination handbook. FFIEC.
- Fiona, P. (2007). Certifying information security management systems. CISSP.
- Howstuffworks (2010). Firewall security software. Retrieved on February 26, 2010 from http://computer.howstuffworks.com/firewall1.htm
- Niatec (2010). Laws as tools for computer security. Retrieved on February 26, 2010 from http://niatec.info/ViewPage.aspx?id=189
- Whiteman, M. & Herbert, M. (2009). Principles of information security (third edition). Canada: Thomson Course Technology.