
Contemporary Information Security Requirements, Research Paper Example

Pages: 5

Words: 1294

Research Paper

1. BCP Plan

A complete business continuity plan (BCP) consists of the five components listed below:

  • BCP Governance
  • Business Impact Analysis (BIA)
  • Procedures, strategy and provisions for business continuity
  • Instant procedures
  • Quality assurance techniques (exercises, maintenance and auditing)

1.1 Organizing a Governance Structure

A governance structure in the form of a committee is embedded within a BCP. The BCP gives senior management assurance and delineates senior management's responsibilities. The BCP senior management committee provides oversight, initiation, planning, approval, testing and audit (Sandhu & NIIT, 2002). The implementation of the BCP, however, is responsible for coordinating activities, approving BIA surveys, creating continuity plans and evaluating the quality assurance activities. The following are some of the responsibilities of the senior leadership of the BCP committee:

  • Governance structure approval.
  • Specify the responsibilities of the persons involved in the program.
  • Administration of the procedures and planning committee, developing teams and working groups.
  • Necessary messages and strategies must be communicated.
  • BIA results must be approved.
  • Assessment of identified significant services and products.
  • Continuity procedures and plans approvals.
  • Quality of the services must be observed.
  • Determining problems and demonstrating their solutions.

The members involved in the BCP include the executive sponsor, who controls all the responsibilities related to the BCP. The executive sponsor also ensures the availability of sufficient funding as well as the procedures regarding senior management support and direction. Senior management's support is responsible for BCP coordinator security, evaluating the necessary funds, making BCP policy, observing the BIA procedures, effective consumer participation, observing development plans related to business continuity, forming working groups and teams, organizing proper training, and routine testing, auditing and analysis of the BCP (Fulmer & Rothstein, 2004). To ensure that all the security requirements of the BCP are met in any organization, the security officer must work with the coordinator. In addition, the Chief Information Officer (CIO), the IT specialist and the BCP coordinator work together to develop effective business continuity. Performance is further analyzed through the input provided by the business unit representatives. The BCP committee is generally co-chaired by the coordinator and the executive sponsor.

2. DR Plan

Our organization is bound to provide IT-based services without interruption, and it depends on its current IT infrastructure, which includes IT assets, applications and networks. If a major disruption in one of these components affects the critical IT services, our organization will not be able to provide quality services and may breach the conditions of the Service Level Agreements with its clients. As already discussed under risk assessment, risk management and cost-benefit analysis, the expenses should not exceed the value of an asset or service. Likewise, our organization may take a decision after evaluating the business benefits along with the associated cost. Many different disaster recovery (DR) sites are available to date; we will discuss three of them for this case study. They are (Sandhu & NIIT, 2002):

  • A hot site is fully replicated, similar to the primary site or IT infrastructure of the organization, and the organization can switch over to it in very little time. However, this option can be the most expensive one.
  • A warm site is considered a secondary source where all the electronic and computing functions are available. The site can be operational within several hours, and it is still expensive compared to the cold site.
  • A cold site is considered an alternate source that is neither ready nor equipped for operation. However, the premises can be used for installing the required electronic and computing equipment, which may take a substantial amount of time and effort to make operational. Cold sites are the most cost-effective option, but the choice still depends on the nature of the business and customer requirements.

The selection of any one of these three depends on the business requirements. If the organization is dependent on IT services and wants to deliver quality services and gain competitive advantage in the market, a hot site will be the most suitable option for our organization. The site will minimize downtime for the internal staff and service outages for the customers.

3. Information System Policies and Procedures

An information security policy must be enforced to secure information resources from threats, as it will build stakeholder confidence. Moreover, by securing information resources, competitive advantage can be achieved in the market, which will result in maximizing profitability along with trust in data. The security of the organization should not focus on information technology only. Some of the sources of threats include vandalism, sabotage, espionage, natural disasters, online fraud, phishing etc. However, cyber criminals can also compromise networks while data is in transit. Some of the threats are non-ethical hacking, viruses, Trojans, malicious code, and denial of service attacks. An information security policy generally contains Scope, Policy, Ownership, Acceptable Use Requirements, Configuration Requirements, Compliance with Legal Requirements, Associated and Applicable Legislation, All employees Intellectual Property Rights, Intellectual Property Standards and Training, Using Software from Outside Sources, Enforcement and Revision History.

4. Security Controls on Personal Privacy

The requirement for securing personal data and privacy online has many reasons. The first reason is that there is not a single law on how to handle customer data. For instance, if an online company sells products and maintains databases including customer information, it can do whatever it wants with that information. Most probably, it can sell the data for cash. Every website has a link labelled ‘Website Privacy Policy’, but no one knows exactly to what extent these policies are authentic. The practical application of such a privacy policy is a different story. The second most prominent reasons are hacking, viruses, Trojans, spyware, phishing and many more. All these threats are designed to gain administrative access to user systems and to steal confidential and personal information. Due to these threats, organizations are bound to incorporate strict security procedures and compliance for databases that contain customer data.

5. Ethical Obligations

Local regulations that are applicable where data is handled, stored or protected must be addressed. Likewise, the legal officer of an organization will examine the applicable laws and regulations for policies in different regions. The legal officer will consult the chief information security officer to establish the required exceptions to policies and the specific policies for different regions.

6. Enacted Privacy Laws

The Federal Trade Commission (FTC) has been examining issues related to online privacy since 1995. The commission believes in the stability factors, as they will benefit not only web users but also businesses. This will be achieved by increasing the confidence of web users, who are the core players of the online marketplace. Every website supporting electronic commerce must state a comprehensive privacy policy in order to achieve customer confidence. A study demonstrated that the websites of 33 out of the 100 largest cities do not have a privacy policy statement (Gellman & Dixon, 2011). Likewise, they were violating laws and regulations because they were collecting personal data. However, in 2001, the most popular commercial websites collecting data from customers clearly stated privacy policy statements on their websites (Gellman & Dixon, 2011).

7. Violation of Property Rights

All employees of an organization will conform to the legal requirements of intellectual property protection along with the license agreements related to copyrighted software. The objective of this policy is to make employees aware of, and to make them comply with, copyrights, trademarks etc. Employees are accountable if they do not use the organization’s intellectual property in accordance with guidelines and standard procedures. In case of non-compliance, the employee will face disciplinary action, termination of employment and criminal or civil charges. Moreover, the chief information security officer, or any role acting in this category, along with system owners, will develop educational and training sessions.

References

Fulmer, K. L., & Rothstein, P. J. (2004). Business continuity planning: A step-by-step guide with planning forms (3rd ed.). Rothstein.

Gellman, R., & Dixon, P. (2011). Online privacy: A reference handbook. ABC-CLIO.

Sandhu, R. J., & NIIT. (2002). Disaster recovery planning. Premier Press.
