Describe potential risks to the information and the related vulnerabilities within the organization. Identify the forces that drive each threat and the related vulnerabilities.
Information is a vital asset to a company or an organisation. Information is processed, stored and disseminated to the places they are needed by use of IT infrastructure and communication devices. These devices face threats from different sources and of different kinds which results in the threats to information. Information is passed through networks that employees and other personnel rely on every day to generate income for the company.
Threats to information in the organisation are discussed in the sections that follow:
Spam: this is a major threat to email users where emails are filled with unwanted and not-so useful products. These products include scum products, designer goods and schemes that are unrealistic. Research shows that up to 95% of emails in our inbox are spam and considering the fact that email usage is a growing phenomenon which is harmful to the information in the organisation. The spams have links to sites and web pages which may result in downloading of malware and spyware which is harmful to company files in the machines.
Viruses: a virus is basically a set of codes and instructions with malicious intentions which when executed causes the machine to function in an unexpected manner. Viruses are of different types and act different, it can replicate itself unnoticed and fill up memory space, if the virus attacks a cluster it transmits to files in other machines on the same network, they may also spread through other channels such as emails, network shared resources.
Employee sabotage: this is an imminent threat where employees intentionally gives out vital information, intentionally hampers procedures, activities and events that pertains the use, storage and dissemination of information. The employee sabotage may be as a result of employees feeling neglected unappreciated with less pay. Sabotage is most vital threat since it is an internal threat unlike other threats to information in the organisation.
Another threat to information is espionage. Companies and organisation in the same sector compete with each other in the market. Another company may acquire information through unauthorised means from companies competing together and use the information to overthrow the other company organisation.
Information is also threatened by unauthorised access to the information through hacking, tapping and other unauthorised means. The hackers gain access to information by breaking the security codes and passwords put in place to secure storage of information. The tappers gain access to information by tapping in the communication lines and networks to eavesdrop on company or organisation information.
Hardware and software failure: most organisations and companies communicate through network connections. The network is made up of workstations remote computers and other devices which must always work together for the purpose of continuity of activities in the organisation. If a server crashes, all information dissemination and communication are halted therefore the organisation must ensure that the network servers and other devices are well maintained.
The physical threats is also a major threat to information in the organisation, breaking in to the storage locations where information is stored results in loss of information. The devices used to store the information may malfunction thus resulting in ineffective transfer and even loss of information in the organisation.
Discuss how the values for threat and vulnerability combine to indicate the overall risk the organization faces
Information in an organisation should always be secured to ensure:
Confidentiality: preventing unauthorised disclosure of information as a result of poor security measures and information dissemination by employees.
Integrity: prevention of unauthorised modification of information, it is the maintenance of accuracy and correctness of information. This mainly results from authorised users.
Availability: information should be available when and where needed by the respective users, the threats and vulnerabilities may at some point prevent the availability of information.
Authentication: this is the verification of users of the information through use of security checks to reduce unauthorised access to information.
Authorization: The process of allowing only authorized users to access to sensitive information. An authorization process uses the appropriate security authority to determine whether a user should have access to resources.
Threats to the information will result to the breaking of one or more of the principles mentioned thus posing overall threat to information in the organisation.
Describe how an organization can properly manage its information security efforts using proper risk management techniques and cost-benefit analyses for these information security efforts.
Risk management entails the process of identifying the risk, assessing the risk and mitigating the risk. This should be done in the most effective and efficient way in order to minimize the impact of threats to an organisation. Information security in the organisation can be achieved by first identifying the threats to information. Some of the efforts to be used include installation of antivirus software to prevent against virus attack, protection of information by use of passwords and authentication codes, use of physical locks, security cameras and also proper enumeration of employees. Having standby servers in case of server failure is also important. The organisation should also secure communication channels to prevent hacking and tapping.
The cost of installation and implementation of the security efforts should be considered and compared with the benefits accrued to the effort.
Explain the legal, ethical, and regulatory requirements for protecting data.
The legal requirements entails the review of existing legal frame as regards data protection and information security this include privacy act, the data protection act and many more, the organisation uses the existing legislations to create an information security policy to guide the use, storage and dissemination of information in the organisation. The international Organisation for standardization (ISO) has developed standards such as ISO 15443: Information technology - Security techniques - A framework for IT security assurance, ISO/IEC27002: Information technology - Security techniques - Code of practice for information security management: ISO-20000: Information technology - Service management and ISO/IEC27001: Information technology - Security techniques - Information security management systems – Requirements which guide the process of data protection and information security.
Dhillon, G. (2007). Principles of Information Systems Security: text and cases. New York: John Wiley & sons.
Gollmann, D. (1999). Computer Security. New York: John Wiley and Sons.
Microsoft Corporation. (2000). Microsoft Windows 2000 Resource Kit. Redmond. Washington: Microsoft Press.