Security management information system

Security management information system

PROCESS OF RISK IDENTIFICATION

Both Taylor and Francis (1998) insist that this is a very crucial process that ensures that potential risks are identified so as to ensure that the objectives of a program, investment or even an enterprise achieve their objectives. These findings are then documented in a bid to find viable solution to the potential risks. The identification is done by professionals who ensure that there is no ambiguity and there is crystal clarity in the risk-statements.

This is a crucial process that encompasses on identifying that potential weakness that hackers or other parties can exploit intentionally or accidentally creating a vulnerability to the information system. It is the probability that the system will face a risk in a given circumstance and documenting the findings.

The first thing is to encourage identification of potential risks by the information system experts. “This is through making them understand the benefits of their identification and management. This is through constant monitoring, proper tracking and mitigation of the potential risks,” as depicted by both Taylor and Francis (1998). Hence the company should set up serious risk management teams to counter the adverse risks.

Garvey (1998) suggests that use of questionnaires is another vital process of identifying risk as well as online interviews in order to determine the capable sources of the potential risks. On the other hand, the review of older documents can be a very potential source of potential risks to an information system such as the reports on previous risk assessments. The use of scanning tools that are automated is also a good source of risks identification for example the use of network mapping tool.

SOURCES OF RISKS

According to NIST Special Publication (1998), the level of skills of information system developers is a very high potential source of risk. Insufficiency in experience and expertise is a very common risk-source that lead to vulnerability of the security of information systems and hence the management should ensure that regular evaluations are made of their IT experts.

“Crackers and hackers are the most potential source of information insecurity and threat. These are motivated by ego, rebellion or even money so that they can hack through systems to access protected private information and sell it to the highest bidder or company or rather fall a leading company through information sabotage” as cited in the NIST Special Publication (1998). Information bribery is also a potential source.

We have natural sources risk sources that may cause the IT department as well as the information system to fail or stagnate. These may include electrical storms, tornadoes, avalanches or even floods. These are natural and they are caused by nature but they can be controlled in order to minimize the damage.

NIST Special Publication (1998), also insists that human threats is another potential source for example data entry that is unauthorized, deliberate breach of entry of secure and private sites, software uploads that are malicious and even attacks that are network based in order to destroy private data or steal them. The last one is the environmental based threats such as power failure due to storms, pollution, leakages and chemicals may deter the way the system runs hence creating a hazardous and risky environment.

Industrial espionage can be another potential source of risks that may face an information system company. This is due to the fact that other similar companies need to become more competitive in the similar business hence resulting to espionage. The system may thus be penetrated or accessed illegally for information theft.

Other times we can have terrorism as a risk to information system where they will use blackmail, intentional property destruction, killings and even exploitation so as to get the information they want to acquire from the system, for example a military information system.

RISK ASSESSMENT

According to NIST Special Publication (1998), the process that follows after the potential risks have been identified. This is the ability to determine the potential extent to which an information system related risk can affect the system as well as the adverse repercussions that can follow. In addition to that, the process is able to come up with viable control measures that can be adopted to ensure that the risks are eliminated or rather significantly reduced. Hence a number of methodologies are thus adopted to assess the risks.

Garvey (1998) also insists that the first one is the characterization of the system. This looks into the capability and effort of the system that it can be able to input in managing risks or rather its scope of working. This also involves determining the connectivity of the system, its supportive staff, data criticality of the system, interfaces of the system, the hardware and software part of it too. The bottom line is to ensure that the system has no breakdown and works effectively.

RISK CONTROL STRATEGIES

The company can adopt a number of strategies to prevent information theft and vulnerability of the information system by endorsing supportive technical controls. This is by installing the mandatory access controls which ensures that anybody who accessed certain data is duly recognized.

ON the other hand, NIST Special Publication (1998), suggests that another adoption could be that of cryptographic key management. This should be duly protected all the time since that is where most of the storage takes place as well as data generation. The other method is to configure the features of an IT security system in order to adopt periodic changes in accordance to the environment of operation.

Other methods to control risk is better and stronger passwords to company websites and emails of the employees of the company as well as educating them on the importance of keeping such matters private. If need be, data encryption is another way of ensuring that cyber criminals don’t access private company data and even if they do, they cannot decrypt the information.

Authentication is another basic strategy. This involves creating a good authentication process that only identifies the authorized personnel to certain data and no one else. These include PINs, passwords, thumbprints, smart cards, Kerberos and even certificates that are digital. A good authentication process leads to an effective authorization system.

Taylor and Francis (2008) argues that policies that ensure security should also be well defined and enforced effectively. These come along with severe punishments to those who breach the security protocols and an effective software system should be made to detect unauthorized access. On the other hand, another strategy could include the nonrepudiation system that ensures that sent data shows all details of the sender and all details of the receiver without any disputation. This is a type of transmission control.

Viruses should also be detected and eradicated through an effective system software that should be installed in the company’s server and work-stations. These software should identify and eradicate any malicious virus installed to destroy data or files in the system.

VULNERABILITY IDENTIFICATION

Vulnerability is a line of weakness or a porous section identified in the information system. The flaw can be in the design, internal control, implementation or breach in security of the system. Some of the vulnerabilities include a scenario where an employee is terminated to work for the organization but his data is still in the company’s system and hence he can access the data.

The inability to resolve a breach or a risk in time creates a vulnerability in that the system can still be hacked before the management responds effectively to the potential risk.

PREVENTIVE POLICIES ON VULNERABILITIES

According to Garvey (1998), the company should develop an effective checklist for security purposes and the system should be able to determine who works for the company and who doesn’t. There should also be put periodic security control reviews to ensure there is no breach.

The facility operation center should also be well guarded from access by any unauthorized personnel at all costs. There should be developed a system security upgrading plan that ensures that the company does not lag behind in technological advancement.

Constant background investigations on personnel as well as their clearance when joining the institution to maximize on security and integrity as insisted by Garvey (1998). Various people should be assigned different responsibilities while ensuring constant reshuffles of the staff as well as changing of system entry codes from time to time.

REFERENCES

NIST Special Publication 800-18. Guide for Developing Security Plans for Information

Technology Systems (1998). Co-authored with Federal Computer Security Managers’

Forum Working Group.

Computer Systems Laboratory Bulletin. Threats to Computer Systems: An Overview.

March 1994.

Garvey, P.R., 2008, Analytical Methods for Risk Management: A Systems Engineering Perspective, Chapman-Hall/CRC-Press,

Taylor & Francis Group (UK), Boca Raton, London, New York, January 2008, Air Force Past Performance Evaluation Guide.