Thursday, 4 April 2019
The Need of a Sound Information System: Information Technology Essay
A small to medium enterprise (SME) is an organisation or business that falls under a certain number of employees or a certain level of revenue; each country has its own definition and thresholds. In Singapore an SME must have at least 30 per cent local equity, fixed productive assets of not more than S$15 million and not more than 200 employees. Australia uses size bands: very small (1 to 9 employees), small (10 to 49), medium (50 to 149) and large (150 or more).

Information is a critical asset for an SME. The loss or corruption of any piece of it can damage the company badly: loss of competitive advantage and of customer loyalty are likely consequences, and an SME can be put out of business by a single such event. Information security applies to every kind of business, but SMEs and large companies face different challenges in applying it. An SME does not have the large company's budget, and it has fewer qualified security personnel and fewer resources. The challenges of a large enterprise usually stem from its size: it is harder to keep track of a large user population, and there are often many branches in different locations to maintain. The SME has one advantage in return: with fewer employees, its exposure to insider attacks is smaller.

One option for an SME is to outsource its security, but the difficulty is price; many SMEs cannot afford the fees, so the problem comes back to the SME's budget.
Another option is emerging: some Internet Service Providers (ISPs) are increasingly partnering with security vendors to offer SMEs standard security products.

The need for a sound information system

Information security management is the discipline that manages threats and risks to an organisation's information, and it applies to organisations of every size. It covers personnel security, technical security, physical security, access control, business continuity management and more. The reference standard for an information security management system is ISO 27001, one of the ISO 27000 family. Operating to it helps keep information better protected and gives clients confidence that their data is safe. ISO 27001 covers information in every form: soft copy, hard copy, and information in transit.

Three properties define information security: Confidentiality, Integrity and Availability (CIA). Confidentiality ensures that only authorised users may access the information, so that each level of information can be accessed only by the users entitled to it. Integrity is the state in which information is complete and uncorrupted. Availability ensures that the information is there whenever an authorised user needs it.

Information security management is needed because information is now the most vital asset of almost every organisation. When information is destroyed, stolen or corrupted the consequences are many, and they can be severe enough to bring the organisation down.
Personal information is vital both to the people it describes and to the company. Personal information is often customer information, and if the company does not handle it carefully and it is exposed, customers lose trust and the company's reputation suffers; the same applies to the records of the company's own staff.

A case study illustrates the availability side: some companies in London lost electrical power because of a problem at the London power company. The outage corrupted data and crashed systems; the affected companies lost clients, had to repair corrupted data and re-enter data at further cost, and some closed their business.

The following topics cover the main areas of information security management.

Biometric security devices and their use

A biometric security system protects information from intruders by authenticating the authorised user with a part of the body instead of a typed password. Its claimed advantages are that a biometric cannot be lent or borrowed the way a password can, and that it is more secure than a typed password. Physical biometrics rely on unique body features: fingerprints, palm, retina, iris and face. Behavioural biometrics include signature, voice, keystroke pattern and human motion.

The common biometrics and their uses are as follows. Fingerprint recognition scans a fingertip and looks for the ridge pattern found on it. Verification techniques differ: some use pattern-matching devices that compare the scanned print against a database, others use moiré fringe patterns or ultrasonic imaging. Palm recognition scans and measures the shape of the hand and looks for the pattern on the palm.
Some organisations use it for time and attendance recording. Retina recognition analyses the layer of blood vessels at the back of the eye; it shines a low-intensity light through an optical coupler to read the retinal pattern, so the user has to focus on a given point. Iris recognition analyses the coloured ring of tissue surrounding the pupil using a conventional camera element, and the user does not need to be close to the scanner. Face recognition analyses facial characteristics and needs a digital camera; casinos, for example, use it to spot known scam artists quickly.

Companies and even governments use biometric security. Fujitsu Ltd. is equipping company desktop computers with palm recognition rather than fingerprint readers, stating that palm recognition is the more secure of the two. It scans the user's palm with infrared light, which makes the vein pattern in the palm visible. The same technology is already in use in more than 18,000 bank ATMs in Japan. Germany stores digital fingerprints and digital photographs in its passports to fight organised crime and international terrorism.

Biometrics may be more secure than passwords, but research shows that a biometric such as fingerprint recognition can still be defeated by an unauthorised user. The mathematician Tsutomu Matsumoto used about $10 of gelatine and a plastic mould to reproduce part of a finger and, in roughly four of five attempts, was accepted by 11 different fingerprint recognition systems.

Incident response management and disaster recovery

Incident response is an organised plan and set of procedures for handling and countering threats such as a security breach or an attack. An incident response plan includes a policy that sets out how to respond to each kind of threat and aims to reduce recovery cost and time.
Its goals include reducing the impact, preventing future incidents, verifying that an incident actually occurred, maintaining business continuity, and improving both security and the response itself.

The organisation's incident response team carries out the plan, and it needs the help of other parties: business managers, IT staff, the legal department, human resources, public relations, security groups, and audit and risk management specialists. Business managers agree with the team on its authority over business systems and on who decides when a critical system must be shut down. IT staff give the team network access for analysis and improve the security infrastructure where the team recommends it. Legal staff review non-disclosure agreements and determine the site's liability for computer security incidents. Human resources help hire the team's staff and develop policies and procedures for removing internal employees. Public relations handle the media and develop information-disclosure policies. Security groups help the team resolve computer-related issues, and audit and risk management help analyse the threat.

Responding to an incident takes several steps. First, the organisation prepares its staff through training, so that they respond quickly and correctly, and educates them to keep security up to date. When something happens, the response team determines whether it is a security incident at all and gathers information about current threats. It then establishes how far the problem has spread and decides quickly whether to shut down the affected systems to prevent further damage. Next it finds the source of the incident and removes it.
Finally the team restores data from clean backups, monitors the restored systems, and upgrades them so that the same incident cannot recur.

Mobile device security management

The mobile devices that staff use also need security, because they hold pieces of company information: customer or staff details, or soft copies of reports and documents. Some IT staff need mobile devices such as a PDA or smartphone to work with business data. Mobile devices may look safe from viruses and malware, but they are not.

Mobile devices face several threats. An intruder can break into a device over the wireless network and pull information out of it with a wireless sniffer. Devices are stolen or lost, and if they are not protected by a password the information on them can be dug out easily. Fewer than 500 mobile operating system viruses, worms and Trojans are known, but they can be a major threat: some wipe data, some corrupt it, and they cause other problems. Viruses get onto a device through downloaded applications. One, called the 911 virus, caused 13 million i-mode users' phones to automatically dial Japan's emergency number. E-mail viruses affect mobile devices just as they affect a regular PC, making the device send out multiple e-mails.

There are ways to prevent these threats. The easiest is to put a password on the device and allow only a limited number of attempts; once they are exhausted the device locks itself. Encrypting data exchanged over the wireless network keeps an intruder from reading what is intercepted. Data should be backed up to a PC regularly in case anything happens to it. Installing antivirus software and a firewall on the device helps keep viruses off it.
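The lockout rule above, as an added example written for this page (not code from the essay or from any device vendor): a failed-attempt counter that first denies, then imposes an escalating timed lockout, and finally wipes the device once a hard limit is reached. The PIN, the policy thresholds and the caller-supplied clock are assumptions chosen for the demonstration.

```python
"""Failed-unlock lockout policy for a mobile device.

Added illustrative example, not code from the essay or from any device
vendor. The PIN, thresholds and the injected clock below are assumptions.
"""
import hmac
from dataclasses import dataclass


@dataclass
class UnlockPolicy:
    lock_after: int = 5          # consecutive failures before a timed lockout
    lockout_seconds: int = 60    # first lockout; doubles with every further failure
    wipe_after: int = 10         # consecutive failures that trigger a data wipe


class DeviceLock:
    """Tracks unlock attempts and enforces the policy.

    `now` is passed in by the caller so the escalation is testable
    without a real clock.
    """

    def __init__(self, pin: str, policy: UnlockPolicy):
        self._pin = pin
        self.policy = policy
        self.failures = 0          # consecutive failures since the last success
        self.locked_until = 0.0    # timestamp until which attempts are refused
        self.wiped = False

    def try_unlock(self, pin: str, now: float) -> str:
        """Return 'unlocked', 'denied', 'locked' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            # During a lockout the guess is not even compared, so hammering
            # the device yields no information about the PIN.
            return "locked"
        if hmac.compare_digest(pin, self._pin):
            self.failures = 0
            self.locked_until = 0.0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.policy.wipe_after:
            self.remote_wipe()      # same effect as an administrator's wipe
            return "wiped"
        if self.failures >= self.policy.lock_after:
            # Escalating lockout: 60 s, then 120 s, 240 s, ...
            escalation = self.failures - self.policy.lock_after
            self.locked_until = now + self.policy.lockout_seconds * (2 ** escalation)
            return "locked"
        return "denied"

    def remote_wipe(self) -> None:
        """Destroy the credential; a real device would also erase its data keys."""
        self.wiped = True
        self._pin = ""


def demo_lockout() -> list:
    """Five wrong PINs, then the right PIN during and after the lockout."""
    dev = DeviceLock("4821", UnlockPolicy())
    t = 0.0
    outcomes = []
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        outcomes.append(dev.try_unlock(guess, t))
        t += 1.0
    outcomes.append(dev.try_unlock("4821", t))   # correct, but inside the lockout
    t += 61.0
    outcomes.append(dev.try_unlock("4821", t))   # lockout has expired
    return outcomes


def demo_wipe() -> list:
    """Keep guessing, waiting out every lockout, until the wipe threshold hits."""
    policy = UnlockPolicy(lock_after=3, lockout_seconds=1, wipe_after=5)
    dev = DeviceLock("4821", policy)
    t = 0.0
    outcomes = []
    for _ in range(6):
        outcomes.append(dev.try_unlock("0000", t))
        t += 1000.0
    return outcomes


if __name__ == "__main__":
    print(demo_lockout())
    print(demo_wipe())
```

The design choice worth noting is that a correct PIN entered during the lockout window is still refused: the comparison only happens once the window has passed, so the lockout bounds the guessing rate regardless of what is typed.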
Administrators can also take control of a device remotely and wipe the data on one that is missing or stolen.

Linking business objectives with security

Aligning information security with business objectives can be an expensive and risky process, and it can frustrate both sides. Several actions improve the position of both. Reflect the business objectives in information security: build them into the security policy, objectives and activities. Keep information security consistent with the organisational culture; changing a business's culture to suit information security is rarely possible. Protect the information inside business processes by establishing a security programme. Follow the information security standards, which reassures staff, customers and clients that their data is safe. Raise understanding of the need for security: the security manager should explain its benefits in business terms so that everyone can follow them. Obtain management support, and make risk management part of every employee's job description. Lastly, use resources wisely, spending most where problems actually occur. With this approach both the business and its security can improve and succeed.

Ethical issues in information security management

IT security personnel are given the authority to access data about individuals and about the company's networks and systems. That authority can be misused, most often by intruding on someone's privacy: scanning employees' e-mail for fun, diverting messages, reading other people's e-mail or, worse, blackmailing an employee with what is found.
IT personnel can monitor the websites visited by network users, and they can even place key loggers on machines to capture everything that is displayed.

One class of ethical issue is the real-world ethical dilemma: security personnel happen upon company secrets and could print the documents, use them to blackmail the company, or sell the information to a competitor. They may also come across a document showing that the company is doing something dirty. Information of that kind puts the company in danger, and the security personnel themselves with it.

There are also ways to stop people on the Internet who want to intrude on a user's privacy. One article describes how its author saw, on a website, an advertisement for an event in his own area; when he made his computer appear to be somewhere else and clicked the advertisement again, it showed the new location. The advertisement was tracking him by his IP address, so he defended himself by hiding or masking the IP address with software, which protects the user's privacy effectively.

Another article discusses how IT security personnel should deal with sensitive information in the right way. First, check whether they have signed a non-disclosure agreement that requires them to protect information they overheard; if so, protect it. Second, ask whether it is reasonable for the host company to expect them to hold an overheard conversation in confidence. If so, they should not pass the information to anyone.

Security training and education

With so many organisations on the Internet, many users, including unauthorised ones, can reach and dig out information.
Organisations therefore need to train and educate their staff to protect information by building a system that secures it against unauthorised users. The Certified Information Systems Security Professional (CISSP) curriculum teaches staff how information security works, how to secure information and how to keep it secure.

Trained network security staff respond quickly to attacks, apply countermeasures, and then investigate the weaknesses of the systems. Network security is not easy to protect, which is why this training is needed. CISSP education includes database security, how intruders get into systems, and the right countermeasures for particular attacks.

A survey of intrusions at US companies found that unauthorised intrusions into their networks rose to 67% this year from 41% last year. The causes were mainly hacker attacks, lack of adequate security policies, employee web usage, viruses, employee carelessness, disgruntled employees, weak password policies, lack of software updates and software security flaws. IT managers in the survey were also asked which intrusions they expected to be the biggest risk in future; they named viruses, spyware, Trojans, worms and spam first, followed by hacking, users uneducated about security, sabotage, and loss of information.

QinetiQ North America's Mission Solutions Group provides security education and training. Before training users it identifies each individual's mandatory training objectives, plans, develops and validates the training materials, then conducts the training and finally evaluates the course's effectiveness.

Defending against Internet-based attacks

Internet-based attacks can be very damaging to a company: one study found that companies lose an average of $2 million in revenue from Internet-based attacks that disrupt their business.
The 162 companies surveyed reported on average one critical incident a year from worms, viruses, spyware or other security-related causes, and for each attack their systems were down for an average of 22 hours. The threat will grow as companies make more use of the Internet.

Defence against Internet-based attacks relies on intrusion detection and prevention, which spot an attack so that the company can respond quickly. An intrusion detection system (IDS) looks for the characteristics of known attacks. An intrusion prevention system (IPS) inspects the content of network traffic and blocks malicious connections. Wireless intrusion prevention monitors the wireless networks, detects unauthorised access points, and provides reporting and analysis. Basic controls such as firewalls and antivirus software also defend against these attacks, and there are many more tools that can be used.

Industrial espionage and business intelligence gathering

Governance issues in information security management

Security governance is the system that directs and controls information security. Governance means setting the business's objectives and ensuring that they are achieved.

There are several examples of governance failures. The CEO of HealthSouth Corporation faced more than 85 counts, including fraud and signing off on false corporate statements that overstated earnings by at least US$1.4 billion; the company's senior vice president and CIO, together with 15 others, pleaded guilty.
Another incident involved an Ohio-based company that handled payroll and other human resources functions under contract. It went bankrupt, leaving 3,000 staff without paycheques, and its client list was reportedly sold.

Personnel issues in information security

Personnel security focuses on the employees: the policies and procedures that address the risk of employees accessing company information and prevent them from taking it. Threats to an organisation come from the inside as well as the outside, and insiders can cause severe damage and cost.

There are ways to prevent this. Pre-employment checks verify that a candidate has the qualifications claimed and show whether the candidate has been truthful about important information. National Security Vetting determines whether a candidate is suitable to be given access to sensitive information that could be valuable to a rival company; it is usually part of the pre-employment checks.

Each role involved in personnel security has its responsibilities. The Director publishes and maintains the personnel security policy guidelines, decides the security access requirements, and ensures that every employee has been background-checked and trained. The Information Security Officer (ISO) prepares the personnel security policy, monitors it, and ensures that all staff are trained in their computer security responsibilities. The Supervisor discusses the security requirements with the user, monitors the policy, ensures that staff are trained in their computer security responsibilities, informs the ISO when a member of staff's access has to be removed, and tracks staff accounts as they are created and deleted.
The System Security Officer monitors compliance with the security policy, has the authority to remove system passwords when an employee no longer needs access, and tracks users and their authorisations. Users must understand their responsibilities, use information only for its intended purpose, and report promptly to their supervisor if an intruder has accessed data or information has been abused.

Privacy issues inside the company are personnel issues too. The organisation is responsible for its staff's privacy, because it holds their records. Personnel records may not be seen by other staff or outsiders without the subject's permission. Social Security Numbers may not be used as private passwords, for instance as an e-mail password. Eavesdropping must be limited: listening in on telephone conversations and voicemail is not allowed. Monitoring is allowed as long as its purpose is to keep employees working, and employees must be told in advance that they will be monitored. Medical records and background information are confidential; no one but the subject may access them without permission.

Physical security issues in information security

Physical security protects information, personnel, hardware and programs from physical threats. Events that can damage the enterprise or its building, such as natural disaster, vandalism and terrorism, are also physical security concerns, and physical security can be breached by an intruder with no technical skill at all.

There are many ways to protect against physical threats. The site can be hardened with obstacles that slow an intruder down: multiple locks, fencing, walls and fireproof safes. It can be supervised with heat sensors, smoke detectors, intrusion detectors, alarms and cameras. Several key areas need attention.
In facility security these are the entry points, the data centre, user environments, access control and monitoring devices, guard personnel and the wiring closets. For company staff and visitors, the focus is control and accountability, use of equipment, awareness, and compliance with security procedures. Workstations, servers, backup media and mobile devices need protection, and so do the control, storage and disposal of information.

Physical security is also an issue for the hospitality industry: resorts, hotels, clubs, hospitals and many others. The physical threats in these industries are mainly theft, followed by assault, burglary, auto theft, robbery and sexual assault, and a business that suffers them also suffers poor public relations.

Companies such as IBM offer both physical and IT security. IBM Internet Security Systems (ISS) products secure the IT infrastructure with threat and vulnerability management, supporting business continuity and cost-effective processes. IBM integrates video surveillance with analytics, so its products cut the time and cost of collecting and storing video and allow the surveillance data to be analysed. IBM also provides products for intrusion prevention, mail security, infrastructure protection, and security intelligence that reports the threats that can affect the network.

Cyber forensic incident response

The primary objectives of an incident response plan are to contain the damage, investigate what happened, and prevent it from happening again. This overlaps with computer forensics, which also seeks to limit damage and establish the cause. Understanding how data is accessed and stored is the key to finding evidence that someone has tried to hide, erase or destroy.
The investigator must take care of the evidence, making sure that it is not lost, destroyed or altered.
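As an added example of the evidence-handling point above (written for this page, not taken from the essay or from any forensic tool): the acquired image is hashed at seizure so that any later change to a working copy, even a single flipped bit, is detectable, and the record of who handled the evidence is kept in a hash-chained custody log so that it cannot be quietly rewritten. The evidence bytes, the examiner names and the custody events are constructed for the demonstration.

```python
"""Evidence integrity and chain-of-custody check for a forensic acquisition.

Added illustrative example, not code from the essay or from any forensic
tool. The evidence bytes and the custody events are constructed in-line.
"""
import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; taken once at acquisition and again at every check."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(acquisition_hash: str, working_copy: bytes) -> bool:
    """True only if the working copy is bit-for-bit what was acquired."""
    return sha256_hex(working_copy) == acquisition_hash


@dataclass
class CustodyLog:
    """Tamper-evident chain-of-custody log.

    Each entry carries the hash of the previous entry (the first carries the
    acquisition hash), so editing, inserting or deleting any entry breaks
    the chain from that point on.
    """
    acquisition_hash: str
    entries: list = field(default_factory=list)

    @staticmethod
    def _entry_hash(handler: str, action: str, prev_hash: str) -> str:
        body = json.dumps({"handler": handler, "action": action,
                           "prev_hash": prev_hash}, sort_keys=True)
        return sha256_hex(body.encode())

    def record(self, handler: str, action: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        h = self._entry_hash(handler, action, prev)
        self.entries.append({"handler": handler, "action": action,
                             "prev_hash": prev, "entry_hash": h})
        return h

    def verify_chain(self) -> bool:
        prev = self.acquisition_hash
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            if self._entry_hash(e["handler"], e["action"], e["prev_hash"]) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Constructed stand-in for an acquired disk image (a real one is gigabytes).
EVIDENCE_IMAGE = (b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 40
                  + b"/Documents/plan.txt: meeting moved to 21:00\n") * 32


def demo() -> dict:
    acquisition_hash = sha256_hex(EVIDENCE_IMAGE)      # recorded at seizure
    log = CustodyLog(acquisition_hash)
    log.record("examiner A", "acquired image through a write blocker")
    log.record("examiner B", "made working copy for analysis")

    # A single flipped byte (tampering or bit rot) must be detected.
    damaged = bytearray(EVIDENCE_IMAGE)
    damaged[100] ^= 0x01

    results = {
        "copy_intact": verify_copy(acquisition_hash, EVIDENCE_IMAGE),
        "damaged_copy_detected": not verify_copy(acquisition_hash, bytes(damaged)),
        "chain_valid": log.verify_chain(),
    }
    # Rewriting history after the fact breaks the chain.
    log.entries[0]["action"] = "acquired image without a write blocker"
    results["edited_log_detected"] = not log.verify_chain()
    return results


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is the anchor for everything else: it is written into the first custody entry, so an attacker who alters the image and recomputes its hash would also have to rewrite every entry in the log, and the log would still disagree with the hash recorded on the seizure paperwork.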