Principles Of Information Security And Governance Information Technology Essay

Principles Of Information Security And Governance Information Technology Essay The progress and expansion of the field of information technology and worldwide network has given birth to the issues like, violation of information security, hacking and virus attacks. Information security governance play vital role in providing regular protection of information from a wide range of threats to ensure business continuity. It helps minimize risk factors, maximize profits, investment returns, and boost the reputation. Virus attacks, hacking and information theft are some of the basic dangers faced by many organizations, and the solution lies not only in the hands of technology but management as well. Information security failure or poor management lead to business and financial loss and reputation damage. I will be shedding light upon the principles, risk factors, privacy threats and then the required strategies, policies and procedures for administration and management of an information security and governance program in my organization. Information Security Governance A structured framework of policies, procedures and authority of handling, sharing and recording information securely and confidentially is termed as information security governance (NHS, 2005). A successful information security governance in an organization ensures the confidentiality, integrity, availability, authentication and identification, authorization, accountability and privacy (Whitman and Mattord, 2009, p. xvii) of information and data related to security and reputation of an organization. Information governance in an organization requires teamwork, where all the staff members are aware of the importance of the confidentiality of information. This framework makes sure that the information and data is secure with accuracy and also that the information are shared and recorded in compliance with all the legal and lawful procedures and proper set of rules and guidelines (Simmons, Scott, et al., 2006). Information security governance compliments the Information technology and corporate governance and is an important segment of both. Most of the companies in order to provide a contemporary environment to the information system of governance are using internationally recognised frameworks like; COBIT and ISO 17799. The Control Objectives for Information and related Technology (COBIT) is a framework designed in 1992, by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA). This framework works for the IT management in implementing and developing the Information security governance on a wider platform. It includes the threat analysis, risk assessment, cost estimation as well as countermeasures and future (Solms, 2005). Figure 1 : Proposed Integrated IT Governance Framework (Dahlberg and Kivijà ¤rvi, 2006). Figure 1 shows a proposed integrated IT governance framework. A successful information governance structure builds on the integration between the structural and processes perspectives of IT governance, business-IT alignment, and senior executives needs (Dahlberg and Kivijà ¤rvi, 2006, p. 1). The framework requires the involvement of the management board, executive and subject steering committees, service delivery teams and all the staff members related to the networking, systems, applications, desktops and cross functional works (Richardson, 2010, Q 3). Implementation and administration of IT security are carried out by the Information security management of the organisation which help identify the levels of requirements. Information security management follows a methodology or framework which include top management commitment and information security policies (Ghonaimy, El-Hadidi, et al., 2002). Information security governance ensures that the information security management establish, implement, monitor, and review these procedures and policies in order to meet the business objectives of the organization (Pironti, 2008). The Information security team is responsible for handling security issues regarding the safety and confidentiality of companys information and data protection. It also helps maintain the integrity and availability of information. Information security management deals with the security team, organisational culture, change management, assessment risk factors, people and risk behaviour. It is responsible for the deve lopment of strategies, policies and procedures to reduce threats, risks and attacks. The Security team presents to the management team the security analysis, reviews and implementation plans (Parker, 1981). Information Security issues and risk factors A hack, a virus or a denial-of-service attack may have the effect of halting business operations (Ross, 2008, p 1). The main dangers faced by many organizations include, identity theft, leakage of personal information, data manipulation and modification and improper access to security passwords and secure areas. Widespread IT security risks include; malware, hacking the system, terrorism, extortion, people and non compliance behaviour of the staff and mangers. These dangers can affect the overall reputation of the company and stakeholders become concerned. Main losses and threats include; loss of Confidentiality, integrity, availability, authenticity and reliability of information, which require protection (Stoneburner, Goguen, et al., 2002). Confidentiality threat means the unauthorised access to secure information. The breach of confidentiality can occur in number of ways, like the absence of the screen savers on the personal computers and laptops would invite dangers like leakage of data information as staff members or any external visitor with bad intentions can easily access them. Similarly, the post-it notes with id and passwords reminders would pose the same violence of confidentiality. Secondly, the direct access to the server room key would be like inviting security theft and accessibility of the unauthorised person (Stoneburner, Goguen, et al., 2002). Integrity implies unauthorised modification and manipulation of data. Unauthorised access implies leakage of important information which could mean that anyone can steal or misuse the confidential information of the company and this could lead to the distribution; alteration and stealing of personal data and identities of key personnel and hacking and virus attacks on the organization secure system. An employee can misuse the data information by changing the main figures, mistyping or deleting important information by accident or on purpose. When members of staff take the official laptops home with unencrypted personal information, this could mean the leakage and distribution of confidential data going in the wrong hands (Stoneburner, Goguen, et al., 2002). Availability means providing accessibility only to the authorised users. Loss of availability of data could be caused by attacks like hacking, virus or hardware failure. Unavailability of system to the end-users could mean for example affecting the productivity time and hence affecting the organisational goals of the company (Stoneburner, Goguen, et al., 2002). There are number of other issues and risk factors regarding information security that can threaten the Information security governance. Lack of professionalism of the employees can generate many high risk issues, for example, sending unofficial emails within the organization indicate improper use of internet, which is wrong and unethical. Plus if someone is incharge of companys high risk or sensitive data information then internet browsing or emailing can easily invite virus attacks or hacking. Information Security Strategies, Policies and Procedures These risk factors and security issues require proper security policies and advanced framework. Although the HR department already possess a set of security policies and procedures but they are seldom implemented. The information security governance program works with the risk management program with strategies, security policies and procedures to work effectively in providing a completely secure environment. Information governance ensures application of all the security policies (Nagarajan, 2006). Risk analysis is very important before implementing information security rules, strategies, policies and controls. Risk analysis forms the basis of risk management system. Implementations of information security in an organization comprise six major activities: Policy development, understanding roles responsibilities, suitable information security design, regular monitoring, security awareness, training and education. Now in order to achieve reliable information security essential elements of control within the organization is required. Security controls include technical and non-technical controls. Technical Control Technical control provides logical protection by implementing protective software into the system. This includes; access control mechanisms, identification and authentication mechanisms, data encryption, access control list and intrusion detection system, plus other software and hardware controls. Computer security can be achieved by creating strong passwords, updated anti-viruses anti-malwares, firewalls, screen savers, proper encryption and creating backup files (Stoneburner, Goguen, et al., 2002). Keeping in minds that the passwords should be strong and well protected and employees must not share them with anyone and these passwords should be changed periodically. Organisations must have incident response procedures which include the backup generators for electric failure and off-location data centres in case of natural disasters or accidents. Non-technical Controls Management control include management and administration of security policies, operational measures, risk assessments and training and education. Management control is responsible for educating staff members to guide them in handling the case sensitive data and information through a suitable security awareness program. HR team should conduct a proper background check on the employees and especially on the ones who are incharge of handling confidential information in addition to providing proper training to the staff members. The administrative control should also inform employees the UK legislation and laws of data protection that are in place. Internet threats can be handled by educating staff member and creating an awareness of confidentiality, prohibiting web browsing, chatting and useless emailing within the computers containing confidential information and downloading software from unknown or unprotected sources. Moreover, their level of computer literacy must be analysed in or der to identify their capabilities in handling information. It must also administer the authorization and re-authorization of the system (Stoneburner, Goguen, et al., 2002). Security awareness program should provide security training and must also analyse the level of computer literacy in each employee. Information security officer must administer and implement information security awareness program, which should include providing training and awareness to the senior management, staff and employees involved in handling data information as well as educating the end-users or the clients. Involvement of all the users within the organisation is essential (Ghonaimy, El-Hadidi, et al., 2002). Operational control include physical control and environmental security. It plays a vital role in implementing administrative and technical controls. Operational security ensures the quality of electric supply, humidity, temperature controls and physical facility protection system. Some examples include; backup generator, physical intrusion detection systems like alarms and motion detectors. This system also monitors and controls physical accesses to the secured areas, some examples include; locks, doors, cameras, security guards and fencing (Stoneburner, Goguen, et al., 2002). The HR department should provide security awareness training to the staff members and must make sure that when appointing a new employee, the contract of employment must include the security policies and procedures. These security controls should be revised and renewed annually in order to achieve successful information security. All these essential controls and security awareness program must be implemented by the Human Resource department. Information security culture Peoples behaviour and attitude towards their working atmosphere forms the organisational culture of the organisation. Information security culture evolves from the behaviour and attitudes of the people towards confidentiality, integrity and availability of the organisational information and knowledge. It includes people, training, processes and communication because the inside behaviour poses a more serious threat to the security of information than outside behaviour (Ghonaimy, El-Hadidi, et al., 2002, p. 204). It is therefore essential to understand and analyse the organisational and corporate culture of the organisation as well as the need to change the security culture within the organisation. Threat analysis would indicate how much the organisational culture contributes towards the violation of security and it should be changed accordingly by educating staff members (Ghonaimy, El-Hadidi, et al., 2002). Figure 2 describes a proposed information security culture in an organisation. Figure 2 : A proposed information security culture (Ghonaimy, El-Hadidi, et al., 2002). A healthy security culture is achieved when people in the environment are trained to handle the clients confidential information securely and are completely aware of the threats and dangers around them regarding information theft; hacking and virus/malware attacks and they should be trained to handle these situations with confidence and responsibilities (Richardson, 2010, p. 3). Information security culture can change the organisational culture in a positive way. For example, the staff must understand that if servicing or repairing is required than this should only be handled by an authorized person. Security culture depends upon the managerial attitude, including the top management, security awareness and training and awarding of security conform behaviour (Ghonaimy, El-Hadidi, et al., 2002). Risk Management System However, the information security policy alone cannot be counted upon to effectively eliminate these threats because it narrowly focuses on the use of technology to mitigate threats as the nature of threats and attacks have changed to become highly targeted, highly effective and nonadvertised (Pironti, 2008, p. 1). Therefore a proper risk management model is compulsory. The ever changing faces of attacks and dangers on the information security require proper risk management system which must be understood and supported by the senior management and business leaders of the organization, to identify and finalize investment levels utilizing proper information protection and risk management capabilities. Moreover, regular reporting is essential to demonstrate the effectiveness of the Information Risk management practices. This model will definitely improve the efficiency of the information security team in following the Risk management teams decisions, which is made by the higher officials, who can have the valuable approach towards information infrastructure and can make these decisions effectively. The corrective approach of a successful risk management program depends upon the presence of a single team leader (Pironti, 2008). Information risk management program helps in characterizing and analyzing whole system of companys information highlighting risk factors and information infrastructure. It combines individual functional capabilities into one single well managed and well oriented organization enhancing business strategies. It increases the efficiency of security teams. It produces a bridge of confidence and communication between the team and the leaders. This program provide protection against wide range of threats in terms of security theft not by limiting access but by evaluating appropriateness and requirement of extent of that access, which in turn does not stop an organization to achieve their targets (Pironti, 2008). Conclusion In order to achieve a level of satisfaction in terms of confidentiality, integrity and availability of companys case sensitive information and data protection, reliable information security governance is required. This framework must include the implementations, renewal and revision of the strategies and policies within the organisation, understanding the need to change the organisational security culture and monitoring and management of the information security team with the supervision of the top management. However with the expansion of global network day by day, there are major risk factors of viruses and malware which require a risk management system as well. These policies, strategies and procedures must be implemented through the HR department including hiring and training of security officers and staff members with the approval of the top management. Appendix A: Summary of the paper presentation Key Elements of an Information Risk Management Program As part of our MSc assessment we were asked to take part in a paper presentation on the key elements of an Information Risk Management system based on a paper written by John Pironti, which was published in 2008 in the Information Systems Control Journal, Volume 2. Information security has become more challenging with the ever-changing and evolving faces of threats in the information processing. The adversary creates a new threats as soon as the defender develops and implements the defensive controls. The defenders get affected by the ethics, rules, knowledge, time, and lack of investment and resources. The adversaries can only be defeated by a suitable Risk management approach by using available assets, resources and potential. Policies, procedures and processes complemented by technology prove far more effective in mitigating security threats than the technology alone. Information security only relies upon the technology to create defences against threats that can easily be downloaded or purchased. The reason is that these components require proper implementation and operation. The organizations Information Risk Management approach identifies which information to protect and the level of protection required to align with organizational goals. It must be understood and supported by the senior management and business leaders of the organization, to identify and finalize investment levels utilizing proper information protection and risk management capabilities. Team Structures in most of the companies today have segregated leaders with the title chief, which is of no significance as the main chief has limited access to the senior positions and business strategies. In order to meet current challenges, all these independent capabilities must be united on a single platform as Information Risk Management program. Information Risk Management Program helps in characterizing and analyzing the whole system of companys information highlighting risk factors and information infrastructure. It combines individual functional capabilities into one single well managed and well oriented organization enhancing business strategies lead by the Chief Risk Officer. The leader becomes the focal point to produces a bridge of confidence and communication between team and leaders regarding all communications about risk identification, mitigation and management. This program provide protection against wide range of threats not by limiting access but by evaluating appropriateness and requirement of extent of that access, which does not stop an organization to achieve their targets. This team leader has regular access to higher officials to provide them correct and update information regarding risk factors and business strategies. Key performance indicators are essential measurement tools for the performance of a business function, process or capability. These indicators need to be assigned thresholds to ensure that they are working within normal limits. The key elements of risk management program include; presence of a Chief Information Risk Officer, Information security, Physical security, compliance, privacy, financial risk, market strategy risk, business operations risks, risk methods, practices, key performance analysis effectiveness, cultural awareness, training, communications, strategy governance and risk oversight board and committee. Information Risk Management serves as a mature progression of information security. The Risk management program structures the Risk management, utilizing existing capabilities and provides a 360 degree holistic view of security risks within the organization. Appendix B: Discussion generated from the paper presentation Q. What do you mean by the holistic view of risks that affect productivity and success? A. A holistic view implies focusing from a high perspective and ensuring that all the organisational requirements are met with relevant policies, processes and procedures complimented by technology rather than certain technical area on which the information security team focuses on. Q. How would you convince the businesses that such a wide model of Risk management program can get implemented with the requirement of so many resources? A. This program probably applies mostly to the larger organisations with more number of people involving different levels so that they are able to map on this new mature model, explaining the benefits and understanding why change the structure of the information governance. Another key element to highlight would be that this model re-uses the existing resources within the organisation. Q. Who decide the key performance indicators in the policy and standards maintained by the Risk Management program? A. Normally it would be something which is discussed by all the actual relevant departments rather than the IT department telling you what your KPI should be. It will be coming from a higher level and senior management. Appendix C: References

Jamaican History (Basic) 5th Grade

jamaica was one a the largest sugar producing country inah the caribbean . Jamaica, the third largest Caribbean island, was inhabited by Arawak natives when it was first sighted by the second voyage of Christopher Columbus on 5 May 1494. Columbus himself was stranded on Jamaica from 1503 to 1504 during his fourth voyage.The Spanish settled in Jamaica in 1509 and held the island against many privateer raids from their main city, now called Spanish Town, which served as capital of Jamaica from its founding in 1534 until 1872. In 1655 Jamaica was conquered by the English, although the Spanish did not relinquish their claim to the island until 1670. Jamaica became a base of operations for privateers, including Captain Henry Morgan, operating from the main English settlement Port Royal.In return these privateers kept the other colonial powers from attacking the island. Following the destruction of Port Royal in the great earthquake of 1692 refugees settled across the bay in Kingston which by 1716 had become the biggest town in Jamaica and became the capital city in 1872. Until the early 19th century Africans were captured, kidnapped, and forced into slavery to work on plantations when sugarcane became the most important export of the island.Adam Taylor's slaves had arrived in Jamaica via the Atlantic slave trade during the same time enslaved Africans arrived in North America. During this time there were many racial tensions, and Jamaica had one of the highest instances of slave uprisings of any Caribbean island. [1] After the British crown abolished slavery in 1834, the Jamaicans began working toward independence. Since independence in 1962 there have been political and economic disturbances, as well as a number of strong political leaders

The Social Contract Theory Essay - 1249 Words

1a. The Social Contract Theory According to the Social Contract Theory, it suggests that all individuals must depend on an agreement/ or contract among each person to form a society, in which they live in. The concept emphasizes authority over individuals, in other words, the social contract favors authority (e.g. the Sovereign) over the individuals, because men have to forfeit their personal right and freedom to the government, in exchange for protection and security, which I will further elaborate in this paper. In the book Leviathan, Thomas Hobbes was one of the first to discuss the social contract. Hobbes explains that all human beings are born in â€Å"the state of nature†, which means that all men used to live in the primitive†¦show more content†¦However, â€Å"for such is the nature of men, that howsoever may acknowledge many others to be more witty, or more eloquent, or more learned, and they will hardly believe there be many so wise as themselves†. (Hobbes, 1651, p.184). However, individuals would believe that some men would be inferior or superior to them, as a result, each person in the state of nature is in fear of others who may attack for any reasons (e.g. gain, safety, and glory). But, men never wanted to live in fear, in contrary, they wanted peace in their life. In such dilemma, individuals must agree on rule to govern their actions. In other words, men enter the social contract, which requires them to give up their rights and freedom, and act upon the general rules to the sovereign. By agreeing to the mutual consent, individuals also agree to obey the laws, and submit their obedience to the sovereign. However, the sovereign, in exchange, must guaranty the safety and protection of each of its members for their rights and obedience. Nevertheless, the social contract theory make men lose their moral obligations, and forces men to act more civilize to ensure a functioning society for all its members. In conclusion, Hobbes argues that people live in a state of

The Most Hated, Adolf Hitler - 778 Words

Adolf Hitler, one of the most hated men in history of the world, deemed Wilson examines the â€Å"Demon King of history† (pg. 185) in a new light in â€Å"Hitler†. A. N. Wilson, a prestigious, award winning biographer, took on this task, giving a short biography on Hitler, rather than the typical portion of history taking place during World War II that most people are familiar with, he analyzes Hitler’s entire life. The major points that Wilson discusses in his book, which are very controversial in the world we live in today, are Hitler’s idea of anti-Semitism and the concept that although Hitler was an ordinary individual he had extraordinary abilities, which allowed for his great successes. The final concept that Wilson brings to the book is Hitler’s idea of Darwinism in society. Throughout the life of Hitler, many different factors led to his anti-Semitism views and the eventual genocide of the Jewish population. This â€Å"hatred of the Jews wa s one important element in his early rise power† (pg. 4). Hitler was raised in a lower middle class family, which he determined to be his fate, as mentioned in his manifesto, â€Å"My struggle.† Being from a poor family, he experienced many of the common problems associated with the lower middle class during his early years. He learned to believe that everything was the Jews’ fault, that they were much like how the people of the United States viewed the African-Americans previous to the civil war. The idea continues as he blames the Jews as to whyShow MoreRelatedSignificance Of Adolf Hitler1188 Words   |  5 Pageshow Adolf Hitler’s leadership was successful and how he took Germany to war. Hitler had to go through a lot of arguments to get where he got in Germany. He hated Jews and liked to take stuff that didn’t belong to him. Hitler did not accomplish a lot while being leader in Germany. This how Hitler was significant while being leader. If he didn’t do any of the things he did then he wouldn’t of been significant. Adolf Hitler’s leadership was significant because lots of people and countries hated himRead MoreAdolf Hitler Was A Bad Man827 Words   |  4 PagesMarch 21, 2017 Adolf Hitler Adolf Hitler was a bad man who did many bad things in his lifetime. He was responsible for the Holocaust and for World War II. Who was Adolf Hitler? What motivated him as dictator of Germany? What did he do in the course of his lifetime? Adolf Hitler was born on April 20th, 1889. He was born in Braunau am Inn, Austria, of German descent (Hitler). Hitler s father s original name was Schicklgruber but he changed it in 1876 to Hitler (Adolf). Hitler had three sistersRead MoreComparing Adolf Stalin And Adolf Hitler And Hitler843 Words   |  4 PagesAdolf Hitler and Joseph Stalin are 2 notoriously known people in world history. Both Stalin and Hitler are known for the great number of deaths they have caused. Although both men have totally different reasons on why they killed so many people their ways of leadership are somewhat alike. Adolf Hitler and Joseph Stalin both use propaganda as a technique to get people to support them. Using propaganda shows the public what they want to hear and see, even if it’s not true they use this method to trickRead MoreThe Treaty Of Versailles Was A Peace Treaty921 Words   |  4 PagesAdolf Hitler was born on April 20, 1889 in Austria. Hitler was a German politician and the leader of the Nazi Party. Adolf Hitler was a decorated veteran from World War I. The Treaty of Versailles directly affected the German people and Hitler. The Treaty of Versailles was a peace treaty set in place at the end of World War I to end the war. One of the most crucial and contentious problems with this treaty was it required that the country of Germany to disarm, take guilt and pay apologies toRead MoreAdolf Hitler Rise707 Words   |  3 Pageswondered why Adolf Hitler was one of the most powerful men you could possibly imagine? Well read this essay and youll find out how Adolf Hitler r ose to power. In Hitlers younger years about age 5-7 He had lived through a very rough and traumatic childhood. It started when Hitler was 6, two of his younger brothers died from the disease, their names were Edmund Hitler, and Gustav Hitler. After the two passed away, his father turned into a very abusive man and treated Alois and Adolf poorly. AndRead MoreThe Terror Of World War II Essay1492 Words   |  6 PagesThe Terror of WWII I. Adolf Hitler is no doubt the most infamous person that ever existed on this planet. He had an impact on the whole world during WWII. Hitler was the leader of the Nazi party during the second World War. Adolf Hitler had hated the Jews and had imprisoned them in what is known as concentration camps and had killed over 17 million people during WWII. II. Early Life a. Born April 20, 1889 in Braunau am Inn, Austria. b. His grandfather was in fact Jewish. c. He had grown up in aRead MoreThe Terror Of Wwii : Adolf Hitler1456 Words   |  6 PagesThe Terror of WWII: Adolf Hitler’s Rise to Power Adolf Hitler is no doubt the most infamous person that ever existed on this planet. He had an impact on the whole world during WWII and had changed every person’s view of war in the 1930s and 1940s. Hitler was the leader (or Fuhrer) of Germany and the head of the Nazi party during the Second World War (www.biography.com). Adolf had hated everyone that did not have the same â€Å"perfect† quality that the â€Å"Aryan race† had, which is basicallyRead MoreAdolf Hitler : The Leader Of The Nazi Party905 Words   |  4 PagesAdolf Hitler was a German politician who was the leader of the Nazi Party, He was the Chancellor of Germany from 1933 to 1945, and Fà ¼hrer of Nazi Germany from 1934 to 1945. As dictator of the Germany, he started World War II in Europe with the invasion of Poland in September 1939, and was the leader to the Holocaust. Born: Apr 20, 1889 Died: Apr 30, 1945 Height: 5 9 (1.75 m) Spouse: Eva Braun (1945-1945) Children: Jean-Marie Loret (Son) Founded: Nazi Party, Schutzstaffel, Hitler Youth, GestapoRead MoreAdolf Hitler As A Leader Of The Nazi Germany1398 Words   |  6 PagesAdolf Hitler was the leader of the Nazi Germany party from 1934 to 1945. During his time of leadership, he initiated fascist policies that ultimately led to World War II. What he is most infamous for the horrendous acts he committed against the Jewish people in Germany as well as other groups of people, such as gypsies, the handicapped, homosexuals, and many others. While Hitler is most known for the genocide he committed, he is also recognized by many historians as a powerful and effective leaderRead MoreWhy Did Hitler Start World War II? Essay771 Words   |  4 PagesMicahla Livesay HST 200 Rees What Made Hitler Who He Was; a Look into His Mind One of the most common asked questions through history is: Why? Why did settlers decide to take people and turn them into slaves? Why was war created? Why do people discriminate against each other? Why did Adolf Hitler start the Holocaust? As of the 21st century, we have the knowledge as to why Hitler decided to start World War II, therefore creating the Holocaust. However, we only understand the historical side of things