Security Action Plan, Research Paper Example

Organizational Selection

My organization was a prime candidate for selection in the modification and update of the corporation’s current Security Action Plan. As being part of the automotive industry they are instituting multiple changes within their information technology infrastructure, operations and business processes. Accordingly, information or data is vital for organizations. They need to protect their data from competitors, hackers, cyber criminals and many more. (Calder, 2008) The purpose of this Security Action Plan is to the implementation of an information security management system (ISMS) for my organization, in order to implement a standard to ensure confidentiality, availability, and integrity of data.

In order to know why the corporation was selected it is important to understand why it was selected and what it was selected for. The scope for an ISMS defined as “An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system” (Start with security policies, n.d). The selection of my company in the automotive industry is based upon the increased need for a security action plan based upon the increased information technology capabilities in the areas of scheduling appointments, ordering parts, and processing payments. Each area has its own risk factors and will require the safeguard of information. Each area includes personnel data, customer information, banking information, business transactional details and other business information that is critical to business. The greater the capability and expansion of technology the greater the risk exposure encapsulates. Each risk needs a mitigation plan and the security action plan will outline those details on how to mitigate the potential risks to the business and its customers. An effective security management policy will provide the groundwork for the mitigation of potential threats the company’s data and information.

In order to form an organizational information security system it requires multiple layers of security to create a redundant and secure system. Each layer provides its own unique strengths and weaknesses and each layer would complement the other layers weaknesses with their own strengths and vice versa. This in essence would create a nearly impervious security system which would negate risks to the network, information and other information technology systems. This umbrella of cohesive and conjunctive security layers will provide the confidentiality of information, the integrity of the data and the ability for the users to access the system as needed in a secure environment.

Currently the security plan is laid out in different areas covering network, physical, system, data and employee security. There is also an element of disaster recovery and failover associated with the plan. The basis for the organization is that they are not a high level opportunity for a threat to attack, destroy, obtain or decrease the integrity of their data. The reality is that with the increased capability their opportunity for a threat grows exponentially. The currently security setup is based upon legacy systems that do not have the robust security needed for information delivery and receipt. When transmitting new information that is highly guarded there is ultimately a requirement for new security standards. The current security system does not have a holistic approach to security but is compartmentalized among the various entities within the organization. This means that the weakest area in the organization is exposing the other areas to the threats. There is also not a consistent and repetitive risk assessment or audit completed on their security systems, policies or procedures. With each audit and review there are opportunities for growth within the security provisions of the company.

The organization needs a newly updated and modified Security Action Plan. This plan will outline the framework for the security of the entire organization in a holistic approach. There will also be a need for consistent feedback and areas for leadership to drive the change.

References

Calder, A., 2009. Implementing information security based on ISO 27001/ISO 27002 (best practice) Van Haren Publishing. Start with security policies, n.d. Retrieved 8/25/2012, 2012, from http://www.altiusit.com/files/blog/StartWithSecurityPolicies.htm