
Developing the Corporate Strategy for Information Security, Research Paper Example

Pages: 6

Words: 1539

Research Paper

An information security strategy is a procedure for reducing the risks associated with the mishandling of information while complying with all contractual, statutory and legal requirements. An effective information security strategy should include prevention, detection and response measures for the case of a cybercrime. In building an information security strategy, the following steps are essential.

Risk Assessment

This process should include identification of the information and the specific information systems to be secured. These systems include the electronic systems and components used to store, transmit, protect and dispose of the information in an appropriate way. The assessment should cover networks and computer systems that are interconnected with business partners. In the process, it is important to understand how an institution uses information in its daily activities. For example, the assessment should address how employees access, use and dispose of information when requested. Institutions should also consider how documents containing information are managed, who is authorized to receive information and how its authenticity is established, and how it can be made available for viewing (Tipton & Krause, 2012).

Analyzing of Information

An effective information security strategy should classify information so that the more important information is set apart according to its criticality and sensitivity. By aggregating the classified data and documents, an institution can then detect the degree of risk that may be involved. Classification allows information, including other data that is critical, to be protected consistently. With the information well classified, it is easier to assess the threats to and vulnerabilities of the information system. This is generally done to find out which information deserves attention first. Threats are occurrences that could affect the secrecy, reliability and availability of information. Threats can be caused by internal factors such as incompetent workers, contractors, service providers and former insiders of an institution. Threats resulting from external factors can be caused by hackers, competitors or terrorists. Vulnerabilities are weaknesses in a system which, if exploited, can cause unauthorized disclosure, alteration or destruction of the information system. Vulnerabilities that are expected to occur in the future are the ones to be considered. These may include unpatched software, failures by employees and a contractor's default on its security duties. Finally, evaluation of control effectiveness is necessary to fully complete the process of analyzing information. The evaluation should look at the institution's unique situation and determine how effective that environment is in responding to threats. The evaluation should cover the controls that detect, prevent and correct damage that may occur. The controls have to include a summary of the important physical access controls. This information should be comprehensive and should cover all data and all facilities. The evaluation of physical controls combines all the evaluation scenarios (Matwyshyn, 2005).

Assigning Risk Rating

After assessing the possible exposure to threats and vulnerabilities and evaluating the effectiveness of the controls, an institution should now assign a risk rating to the information system. In this framework, it is understood that not all threats and risks are given the same rating, in consideration of the fact that institutions have limited financial resources. Reasonably, risks that can be foreseen should be prioritized and rated with regard to how sensitive or important that information is to the organization. Once the threats and their associated vulnerabilities have been assessed, probabilities assigned to them and the risks rated completely, they should be separated to distinguish those that should be accepted from those to be mitigated. After an institution has completely identified the risks to be reduced, it can move ahead to begin the risk reduction strategy (Matwyshyn, 2005).
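The procedure described above (classify, assess threats and control effectiveness, rate, then split accepted from mitigated risks) as a small worked risk register, added here as an example and not part of the original paper. The ordinal scales, the acceptance threshold and the sample assets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal scales are assumptions for this example; the paper gives no numeric scale.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
# How much of the threat the existing detect/prevent/correct controls leave uncovered.
CONTROL_GAP = {"strong": 1, "partial": 2, "none": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str   # criticality/sensitivity class from the information analysis
    threat: str           # foreseeable threat, from an internal or external source
    likelihood: str       # probability assigned to the threat occurring
    controls: str         # effectiveness of the controls already in place


def risk_rating(asset: Asset) -> int:
    """Rate a risk as impact (from classification) x likelihood x control gap."""
    return (SENSITIVITY[asset.classification]
            * LIKELIHOOD[asset.likelihood]
            * CONTROL_GAP[asset.controls])


def triage(assets, accept_below=6):
    """Split rated risks into those to mitigate (highest first) and those to accept."""
    rated = sorted(assets, key=risk_rating, reverse=True)
    mitigate = [a.name for a in rated if risk_rating(a) >= accept_below]
    accept = [a.name for a in rated if risk_rating(a) < accept_below]
    return mitigate, accept


# Constructed sample register (not from the paper).
REGISTER = [
    Asset("wire transfer system", "restricted", "external attacker via unpatched software", "likely", "partial"),
    Asset("HR records", "confidential", "contractor fails to perform security duties", "possible", "none"),
    Asset("internal wiki", "internal", "former insider retains access", "rare", "partial"),
    Asset("public website", "public", "defacement", "possible", "strong"),
]

if __name__ == "__main__":
    to_mitigate, to_accept = triage(REGISTER)
    print("mitigate:", to_mitigate)  # ['wire transfer system', 'HR records']
    print("accept:", to_accept)      # ['internal wiki', 'public website']
```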

Security Strategy

The strategy should be based on defining the control objective and then establishing the best plan to implement that objective. The plan should include identifying and assessing the approaches that meet the objectives, selecting the controls, and preparing the implementation and testing plans. The selection of controls is typically based on comparing the cost of the different approaches against the risk (May, 2003). Any approach that is to be applied should consider the following factors:

Policies and Procedures

These are the basic components of the strategy; they guide users, administrators and managers and inform them of their security responsibilities. These policies also provide a medium through which a responsibility can be met, and they guide the acquisition, operation and auditing of the system. A successful security policy should consist of the following key actions:

  • Giving clear and understandable information to all the concerned parties.
  • Enforcing the policies through security bodies and sanctions.
  • Separating the areas of responsibility for users, administrators and managers.
  • Obtaining the employees’ acknowledgement that they have read and understood the policies.
  • Providing flexible means to address changes in the environment.
  • Conducting an annual review and approval of the strategy by the board of directors.

Technology Design

Security incidents in an information system can be reduced by the use of proper technology. An advanced technological system provides effective monitoring and limits the ability of an intruder to break into the network. Such a system can be updated in a timely manner and therefore reduces exposure to newly discovered vulnerabilities. To accomplish these goals effectively, an institution needs to establish security domains. A security domain is a section of a system with its own policies and mechanisms for control. Domains created by routing controls can be bounded by network perimeters. These perimeters separate trusted information from untrusted information. Deciding where a domain boundary belongs is a role of the risk assessment (May, 2003).

Outsourced Security Services

Security services can be outsourced with the aim of obtaining expertise, gaining access to a greater range of services or minimizing costs. An institution should ensure that it has enough experts to oversee and manage the security services that have been outsourced. It should also monitor the outsourced security providers to ensure that each service provider is meeting all of its responsibilities. The institution should use monitoring tools such as reports from the provider, independent reviews and tests of the service provider (Tipton & Krause, 2012).

Access control

This is a way to allow access only for authorized individuals and deny it to unauthorized individuals. Authorized individuals may be employees, vendors, visitors or customers. Access should be provided only to people whose identity is known, and their access should be limited to what is required for business purposes. There should be a proper process for administering access rights, which should include:

  • Assigning users and their devices access to information that is limited to the intended purpose.
  • Keeping access rights up to date as personnel change or the information system changes.
  • Periodically reviewing users’ access rights based on the frequency of use and the risks involved.
  • Designing appropriate user policies and having users agree to them by signing.

The access rights process is essential because it configures the system so that users can only reach the information covered by the access rights they have been granted.
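The periodic access rights review from the list above, as an added example that is not part of the original paper: it flags rights held by departed personnel, rights outside the user's role purpose, and rights that have gone unused. The role model, the 90-day staleness threshold and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Which rights each role needs for its business purpose (assumed role model).
ROLE_PURPOSE = {
    "teller": {"core-banking:read"},
    "ops-admin": {"core-banking:read", "firewall:admin"},
}


@dataclass(frozen=True)
class AccessRight:
    user: str
    role: str
    right: str
    last_used: date
    employed: bool        # False once a personnel change has removed the user


def review_access(rights, today, stale_after_days=90):
    """Return {(user, right): [reasons]} for every right that should be revoked."""
    findings = {}
    for r in rights:
        reasons = []
        if not r.employed:
            reasons.append("personnel change: user has left")
        if r.right not in ROLE_PURPOSE.get(r.role, set()):
            reasons.append("outside the purpose of role " + r.role)
        if (today - r.last_used).days > stale_after_days:
            reasons.append("unused for more than %d days" % stale_after_days)
        if reasons:
            findings[(r.user, r.right)] = reasons
    return findings


# Constructed sample data (not from the paper).
TODAY = date(2024, 6, 1)
RIGHTS = [
    AccessRight("alice", "teller", "core-banking:read", TODAY - timedelta(days=3), True),
    AccessRight("alice", "teller", "wire-transfer:approve", TODAY - timedelta(days=5), True),
    AccessRight("bob", "ops-admin", "firewall:admin", TODAY - timedelta(days=200), True),
    AccessRight("carol", "teller", "core-banking:read", TODAY - timedelta(days=20), False),
]

if __name__ == "__main__":
    for key, why in review_access(RIGHTS, TODAY).items():
        print(key, "->", "; ".join(why))
```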

Authentication

This is the verification of a person's identity based on the presentation of details specific to that particular system. Presentation of unrecognized details is denied access to the data system. The unique information is based on something that the user knows about the system, which means that a particular system remains confidential to those who hold the specific access details. Authentication provides confidentiality and accountability for the given data. The most effective form of authentication is the shared system in which passwords are used to gain entry to the data (May, 2003).

Network Access

Network security requires the implementation of several control mechanisms. This may begin by dividing the network into logical security domains, each a distinct section of the network with policies that differ from those of the other domains. For more critical information, it may be required that there be no connectivity between the corporate network and the wire transfer system. For other applications, it may be required that the services accessed by each zone are confined to their own local area. The organization should acquire a network intrusion prevention system that can help detect whether its database has been compromised. Quarantine devices are used to detect malicious activity; such a device prevents access to a particular domain until the appropriate patches have been downloaded and installed. Corporations are advised to adopt controlled remote system access, under which individuals are not allowed near the information system unless there is management approval. This can also involve restricting the use of access devices to management (Tipton & Krause, 2012).

Training and testing

The information security system selected should be tested to determine whether it is effective. Problems found can be rectified, but problems that prove too complicated to handle may require the process itself to be changed. There is a need to conduct training sessions for users and managers. Users need training on how to apply the system within the required limits. This strategy for developing information security can be very significant for any institution that chooses to keep its information safe and secure.

References

Matwyshyn, A. M. (2005). Material vulnerabilities: Data privacy, corporate information security, and securities regulation. Berkeley Business Law Journal, 3, 129.

May, C. (2003). Dynamic corporate culture lies at the heart of effective security strategy. Computer Fraud & Security, 2003(5), 10-13.

Tipton, H. F., & Krause, M. (2012). Information security management handbook. CRC Press.
