MGMT 6013: Policy Proposal Report for Information Security Management

Added on 2022/11/01

AI Summary
This report, prepared for MGMT 6013, comprehensively examines information security within organizations. It begins by defining key concepts such as vulnerabilities, threats, and controls, emphasizing their interconnectedness. The report details various threats, including interception, interruption, modification, and fabrication, and explores vulnerabilities stemming from both technological and human factors. It highlights the importance of security controls, differentiating between preventative, detective, and responsive measures. The report also addresses physical security, including the protection of hardware and the implementation of various security controls, such as staff education, physical barriers, and technical measures like smart cards and access logs. Furthermore, the report offers recommendations for the effective use and application of data, including providing user access to data security information and the proper disposal of data to prevent unauthorized access. The report is based on the assessment brief which requires the development of information security policies and controls that address potential threats and vulnerabilities and the analysis of IS for compliance with ethical and legal frameworks making recommendations on the use and application of data.
MGMT 6013
NAME OF STUDENT
NAME OF COLLEGE
AUTHORS NOTE
Contents
Executive Summary
Introduction
Discussion
Conclusion
References
Executive Summary
To determine security requirements, it is important to consider the ways in which the system and the information it contains are exposed to harm, meaning damage to the information, or loss, meaning that the information is gone forever. To understand operational security it is also necessary to understand the concepts of vulnerability, threat and control. Vulnerabilities in an information system are caused by technology when there is a defect in the design of the system that makes breaking its security measures and barriers easier than it would be in a system without design flaws. One of the most common real-life instances of a technology-based vulnerability is the buffer overflow, which occurs when an attacker supplies an application with more data than it can normally handle; once the buffer is full, the excess data spills into another area of system memory and results in unexpected behaviour. Vulnerabilities in an information system can be mitigated by implementing adequate controls, which divide 'defences' across the human and technological dimensions. Security controls are defined as the methods, tools, procedures and techniques used to mitigate the risks and threats that arise from vulnerabilities. These controls can be divided into preventative, detective and responsive controls. Preventative controls, which prevent security breaches, represent stronger safeguards than detective controls, which detect breaches in a system; these in turn are better than responsive controls, which respond to breaches after they occur. One recommendation regarding the effective use and application of data is to give users access to their data so that they know how securely it is stored and for what purposes it is used. A further recommendation is to dispose of data effectively once it has been used, so that it cannot be recovered and used by other entities for their own benefit.
Introduction
Information security can be defined as the process of securing the data and information held in the information systems of organizations. As threats to data and information increase, it has become necessary for organizations to adopt an adequate security framework that combines several approaches to security. This report focuses on the policies and actions organizations can take to promote information security and its compliance with legal and ethical frameworks.
Discussion
A computer system has three vital components: hardware, software and data. Each of these components represents value to the individuals affected by the system, and so each must be protected. Protection here means implementing a computer security system that gives authorized users access to defined system components while preventing unauthorized users from accessing those same items.
As Paarlberg (2016) argues, to determine security requirements it is important to consider the ways in which the system and the information it contains are exposed to harm, meaning damage to the information, or loss, meaning that the information is gone forever. To understand operational security it is also necessary to understand the concepts of vulnerability, threat and control.
A vulnerability is a particular weakness in the security system, or a flaw in procedure design, that can be exploited to cause harm or loss to the system.
A threat is a set of circumstances that has the potential to cause harm or loss.
A control is a protective measure, in the form of an action, device, procedure or technique, that removes or reduces a vulnerability.
These three concepts are interconnected: a threat is blocked by a control that addresses the vulnerability the threat would exploit.
Threats
The major threats identified in information security are interception, interruption, modification and fabrication.
As Khan & AlShare (2019) describe, interception occurs when an unauthorized entity, which may be a person, a program or a computer system, gains access to protected data in an illegitimate manner. Real-life instances of interception include directly copying data or applications, or wiretapping to obtain network data. A loss of data can be discovered quickly, but instances of interception are very difficult to detect because in most cases an interceptor leaves no trace of their presence in the system.
The threat of interruption is identified when an organization loses access to its resources: as a result of an interruption, an organization's data or applications may become lost, unavailable or unusable. Real-life examples of interruption include theft of hardware and accidental or incidental deletion of data files from the system.
The threat of modification is an advancement of the interception threat and is observed when an unauthorized party tampers with the assets of the system. Real-life examples of modification include changing data in an organization's database, altering application programs so that they perform extra computations, and modifying data while it is in transmission.
As Flores, Antonsen & Ekstedt (2014) describe, the threat of fabrication involves the creation of counterfeit or duplicate objects in a computer system, for example by planting bugs in the system, inserting false records into a company database or installing keystroke-logging software. Fabrication can sometimes be detected, but if the fabrication is done skilfully the chances of detecting the threat are very small.
Vulnerabilities
According to Otero (2015), vulnerabilities in information security arise mainly from two sources: technology and people. In business organizations, information security breaches are mainly caused by the organization's own people, whether by misusing the organization's resources, through industrial espionage, or through deliberate efforts to defraud the organization or damage its reputation. For instance, an employee who has access to the organization's information system and resources, and who holds a grievance against the organization, can take revenge by diverting funds to other entities or by revealing the organization's trade secrets to other organizations. Another common instance of a vulnerability caused by people is the opening of email attachments that appear harmless but which, once installed, turn into surveillance software that tracks every activity in the organization's information system.
Vulnerabilities in an information system are caused by technology when there is a defect in the design of the system that makes breaking its security measures and barriers easier than it would be in a system without design flaws. One of the most common real-life instances of a technology-based vulnerability is the buffer overflow, which occurs when an attacker supplies an application with more data than it can normally handle; once the buffer is full, the excess data spills into another area of system memory and results in unexpected behaviour.
Vulnerabilities in an information system can be mitigated by implementing adequate controls, which divide 'defences' across the human and technological dimensions.
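The buffer overflow described above, as an added example in C that is not part of the report: an unchecked copy into a fixed-size buffer beside the bounds-checked form a control would require. The record layout and the names (session, NAME_LEN, copy_unchecked, copy_checked, fits_in_buffer) are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16  /* capacity of the fixed buffer, including the NUL terminator */

/* Session record (assumed layout for this example): the field after the name
 * buffer is a permission flag, so a copy that runs past 'name' lands on is_admin,
 * which is the "spill into another area of memory" the report describes. */
struct session {
    char name[NAME_LEN];
    int  is_admin;
};

/* Vulnerable form: strcpy copies until it finds the input's terminating NUL and
 * never looks at the destination size. Any input of NAME_LEN or more characters
 * spills past 'name' into whatever follows it in memory. */
static void copy_unchecked(struct session *s, const char *input)
{
    strcpy(s->name, input);  /* no length check: this is the defect */
}

/* Hardened form: measure the input against the buffer first, reject what does
 * not fit (at most NAME_LEN - 1 characters plus the terminator), and terminate
 * the copy explicitly. Returns 0 on success and -1 when the input is rejected,
 * in which case the record is left unchanged. */
static int copy_checked(struct session *s, const char *input)
{
    size_t len = 0;
    while (len < NAME_LEN && input[len] != '\0') {
        len++;               /* bounded scan: never reads more than NAME_LEN bytes */
    }
    if (len == NAME_LEN) {
        return -1;           /* too long: refuse rather than truncate silently */
    }
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

/* Reports whether an input fits the buffer, i.e. whether the unchecked copy
 * above would be safe to call with it. */
static int fits_in_buffer(const char *input)
{
    return strlen(input) < NAME_LEN;
}

int main(void)
{
    struct session s;
    const char *ok  = "alice";                    /* 5 characters: fits */
    const char *bad = "aaaaaaaaaaaaaaaaaaaaaaaa";   /* 24 characters: would overflow */
    memset(&s, 0, sizeof s);

    copy_unchecked(&s, ok);  /* safe only because the input was known to fit */
    printf("unchecked copy of \"%s\": name=\"%s\" is_admin=%d\n", ok, s.name, s.is_admin);

    /* The overflowing input is deliberately never passed to copy_unchecked:
     * that would be undefined behaviour. fits_in_buffer shows why it must not be. */
    printf("\"%s\" fits: %d\n", bad, fits_in_buffer(bad));
    printf("checked copy of long input: %d (0 = accepted, -1 = rejected)\n",
           copy_checked(&s, bad));
    printf("record after rejection: name=\"%s\" is_admin=%d\n", s.name, s.is_admin);
    return 0;
}
```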
Controls
Security controls are defined as the methods, tools, procedures and techniques used to mitigate the risks and threats that arise from vulnerabilities. These controls can be divided into preventative, detective and responsive controls. Preventative controls, which prevent security breaches, represent stronger safeguards than detective controls, which detect breaches in a system; these in turn are better than responsive controls, which respond to breaches after they occur.
Physical Security
As Chavez (2018) observes, an objective of information security that is often overlooked is the decomposition of the information system into its logical system, in the form of data and processes, and its physical system, in the form of the physical location of the hardware on which the processes run and the data is stored. If an organization cannot physically protect its hardware, it will be unable to protect the data and programs that the hardware runs. Controlling the physical security of information system hardware comprises several elements: who has access to the organization's buildings, its server rooms and the devices housed inside those rooms; protecting the hardware from natural and man-made accidents by selecting a proper site; and developing and implementing plans to secure the organization's sites and devices against unauthorized access.
Physical security threats can be divided into the following categories:
Weather threats, in the form of tornadoes, hurricanes, floods, fire, snow, ice, heat, cold and humidity.
Fire or chemical threats, in the form of explosions, toxic waste and gases, smoke and fire.
Earth movement threats, in the form of earthquakes and mudslides.
Structural failure threats, in the form of the collapse of a building as a result of snow or ice, or of impact by moving objects such as cars, trucks and other vehicles.
Energy failures, in the form of power loss and interference from radiation and magnetic waves.
Biological threats, in the form of viruses, bacteria and infestation by animals or insects.
Human threats, in the form of strikes, sabotage, terrorism and war.
A number of other factors, such as geographic location, help determine the prevalence of these threats. The physical security controls that can help mitigate them are as follows:
Educating the organization's staff: Staff who are aware of and educated about potential threats and the misuse of information are considered the organization's best form of defence. Security training should give staff knowledge of the organization's security objectives, of the emergency and disaster plans in place, of environmental considerations and of how to identify suspicious activity, and should develop a mindset that accepts security as a shared responsibility.
Physical controls: As de Albuquerque, Antonio, Junior & dos Santos (2015) describe, controlling the perimeter of the site involves fencing, turnstiles and mantraps, which trap unauthorized personnel between the company's doors. Keyed and combination locks, which are unguarded, are intended to delay an intruder rather than to deny access absolutely. Dogs provide a strong deterrent to intruders and can also be trained to sniff out illicit drugs and explosives on authorized personnel.
Technical controls: As Otero (2014) states, smart cards mostly resemble bank cards but can include a semiconductor chip with non-volatile memory for storing and processing data. Smart cards can be used for access control, and a stolen card is of no use to the thief when it must be used in combination with a photo or fingerprint. Access logs, although an exclusively reactive practice, provide auditors with data on when particular personnel accessed restricted areas; the organization must take care to ensure the integrity of these logs. Intrusion-detection systems, of which the house alarm is the most common form, can alert the organization when an unauthorized intrusion onto the company's site has been detected.
Environmental and life-safety controls: Organizations should think in terms of protecting the infrastructure that supports operations. Redundant power supplies protect against power loss, fire systems detect and extinguish fires, and air-conditioning regulates cooling and humidity in the company's server rooms.
Authentication and Access Control
Authentication and access control for the logical system present some of the most challenging operational security controls. The idea of access control is to allow authorized access to the system while blocking unauthorized access, and doing both at the same time is very challenging. Organizations often find it difficult to strike a balance between the two: opening access for authorized users increases the risk that unauthorized personnel will also gain entry, while adopting too many measures to block unauthorized personnel causes problems and delays for authorized personnel.
Access control is mainly achieved through identity checks, or authentication. In any authentication system the user makes an identity claim and must supply credentials to verify that claim; these credentials fall under three major authentication measures: passwords, smart cards and biometrics. A simple authentication system may use one of these measures, while an advanced system may use a combination of them.
As Nel & Drevin (2019) note, a password is a secret combination of alphanumeric or non-alphanumeric characters which, in theory, is known only to the authorized user and not to unauthorized users. Users' habit of choosing passwords based on their personal context and attachments makes those passwords easy to guess for unauthorized users who are close acquaintances of the authorized user. Passwords based on proper names and dictionary words are likewise easy to crack for unauthorized users who are well acquainted with the authorized personnel. It is therefore important for an organization's Information Security Managers to encourage employees to set passwords that combine letters and numbers with special characters, to increase their resistance to being hacked, and to change their passwords frequently. However, the passwords created by following this advice are often complex and easily forgotten, and in order to remember them users generally write them down somewhere, which further increases the chance of hacks and breaches. In this context, passwords represent a minimal security approach to authentication and should therefore be used only for minimal security requirements.
Smart cards, as mentioned earlier, are similar in concept to bank cards and can be used in combination with a password or fingerprint. They are developed to support multiple applications, can store and process a small amount of data, and are often used to store passwords. The security of smart cards can be threatened by card readers that analyse the card's power consumption during use. Using techniques such as simple power analysis (SPA) and differential power analysis (DPA), data can 'leak' out of the card, leaving the smart card architecture open to card duplication.
Biometrics is the application of mathematical and statistical theory to biology. It can be divided into two subcategories: physiological and behavioural biometrics. Physiological biometrics comprises voice prints and fingerprints, hand structure, iris, retina and face scans, and DNA. Behavioural biometrics comprises keystroke latency, voice signature and gait. Because of the high expense involved in implementing biometrics, biometric authentication is mostly observed in hypersensitive government, military and financial-institution information security. Biometrics provides the most advanced security for information systems, and it is almost impossible for unauthorized users to gain access to a system by breaching biometric security measures.
Software Controls
As Mukundan & Prakash Sai (2014) note, the most common threat to information systems and computer security is infection by viruses and Trojans, defined as any software designed for malicious purposes and also termed malware. Before the immense popularity of the internet, malware spread between systems through floppies, CDs and removable disks, whereas today it spreads and infects systems via email. It is vital that every organization holding even the smallest amount of information in its system uses anti-virus software to mitigate the risks related to malware.
Another technology used by contemporary organizations is the firewall, which acts as a filter for data. Firewalls gained popularity when hackers found that networks would behave unexpectedly when sent malicious messages. The main task of a firewall is to analyse the contents of each message that passes through it and determine whether it adheres to protocol standards. Messages that do not adhere to protocol are simply 'dropped' at the firewall and are not forwarded to the appropriate network nodes. The concept of data filtering extends to filtering email for suspicious attachments and profanity, and to ensuring that sensitive data is not sent outside the network.
Data hiding, or cryptography, is considered one of the oldest military tactics. It originated with the substitution cipher used by Julius Caesar, in which each letter of the alphabet is replaced by the letter two places further along in alphabetical order, so that the letter A actually means C. The simplicity of Caesar's cipher paved the way for more complicated algorithms, including multi-alphabet substitution and algorithms based on binary logic. Today cryptology is an emerging mathematical discipline comprising extremely complex algorithms that have been adopted as industry standards. Examples include Blowfish, the Data Encryption Standard (DES), public key encryption, Pretty Good Privacy (PGP) and RSA (named after its inventors Rivest, Shamir and Adleman).
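Caesar's cipher with the shift of two described above, as an added example in C that is not part of the report. It goes one step beyond the text to show why such a cipher 'paved the way' for stronger algorithms: with only 25 usable shifts, a single word the analyst expects in the plaintext (a crib) identifies the key. The function names (caesar_shift, caesar_keys_matching) and the sample message are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Shift every letter 'shift' places along the alphabet, wrapping Z back to A.
 * Case is preserved and non-letters pass through unchanged. The shift is
 * reduced modulo 26, so a negative shift decrypts: shifting by -2 undoes
 * shifting by 2. 'out' must have room for strlen(in) + 1 bytes. */
static void caesar_shift(const char *in, char *out, int shift)
{
    int k = ((shift % 26) + 26) % 26;
    size_t i;
    for (i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (isupper(c))      out[i] = (char)('A' + (c - 'A' + k) % 26);
        else if (islower(c)) out[i] = (char)('a' + (c - 'a' + k) % 26);
        else                 out[i] = (char)c;
    }
    out[i] = '\0';
}

/* Try each of the 25 non-trivial shifts against 'cipher' and count how many
 * yield a text containing 'crib'. With a distinctive crib the count is
 * normally 1, which is the whole weakness: the key space is far too small to
 * hide the key. The last matching shift is returned through *found (-1 if
 * none). Returns -1 if the ciphertext does not fit the working buffer. */
static int caesar_keys_matching(const char *cipher, const char *crib, int *found)
{
    char buf[256];
    int matches = 0, k;
    *found = -1;
    if (strlen(cipher) >= sizeof buf) return -1;
    for (k = 1; k < 26; k++) {
        caesar_shift(cipher, buf, -k);   /* undo a hypothetical shift of k */
        if (strstr(buf, crib) != NULL) {
            matches++;
            *found = k;
        }
    }
    return matches;
}

int main(void)
{
    char enc[64], dec[64];
    int key;
    /* Constructed sample message; the report's shift of two turns A into C. */
    caesar_shift("ATTACK AT DAWN", enc, 2);
    printf("cipher: %s\n", enc);
    caesar_shift(enc, dec, -2);
    printf("plain:  %s\n", dec);
    printf("shifts that reveal the crib DAWN: %d (shift %d)\n",
           caesar_keys_matching(enc, "DAWN", &key), key);
    return 0;
}
```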
As Dombora (2016) notes, an organization's information system must adhere to legal and ethical frameworks to ensure that data is used and applied for the right purposes. Under data privacy laws it is essential to ensure the security of stakeholders' data and to check that it is not used for other purposes. Privacy laws also state that organizations should communicate to their stakeholders the rationale behind the collection of data and information, so that stakeholders are aware of how their data and information are used. The information system must also adhere to an ethical framework which states that the organization should not use data for its own commercial advantage, must seek permission from stakeholders before using it, and should not share it with other entities who could take advantage of the data and raise privacy concerns for stakeholders.
One recommendation regarding the effective use and application of data is to give users access to their data so that they know how securely it is stored and for what purposes it is used. A further recommendation is to dispose of data effectively once it has been used, so that it cannot be recovered and used by other entities for their own benefit.
Conclusion
From the above report it can be concluded that information security is an essential need for every organization, in order to protect the large volume of data and information contained in its systems and so ensure the privacy and security of its stakeholders. Organizations face various security threats, and given their complexity it is recommended that organizations use a combination of approaches to ensure information security. This can ensure the effective use and application of data by giving authorized users access to their data so that they know how securely it is stored and for what purposes it is used. A further recommendation regarding the effective use and application of data is to dispose of data effectively once it has been used, so that it cannot be recovered and used by other entities for their own benefit.
References
Chavez, R. (2018). The role of HR in cybersecurity: Communication and collaboration are key to ensuring your organization's information security. HRNews. Retrieved from https://search.proquest.com/docview/2118330522?accountid=30552
de Albuquerque, Antonio E, Junior, & dos Santos, E. M. (2015). Adoption of information security measures in public research institutes / Adoção de medidas de segurança da informação em institutos de pesquisa públicos. Journal of Information Systems and Technology Management: JISTEM, 12(2), 289-315. Retrieved from https://search.proquest.com/docview/1734627929?accountid=30552
Dombora, S. (2016). Characteristics of information security implementation methods. Management, Enterprise and Benchmarking in the 21st Century, 57-72. Retrieved from https://search.proquest.com/docview/1945203613?accountid=30552
Flores, W. R., Antonsen, E., & Ekstedt, M. (2014). Information security knowledge sharing in organizations: Investigating the effect of behavioural information security governance and national culture. Computers & Security, 43, 90. Retrieved from https://search.proquest.com/docview/1532245062?accountid=30552
Khan, H. U., & AlShare, K. A. (2019). Violators versus non-violators of information security measures in organizations: A study of distinguishing factors. Journal of Organizational Computing and Electronic Commerce, 29(1), 4-23. doi:http://dx.doi.org/10.1080/10919392.2019.1552743
Mukundan, N. R., & Prakash Sai, L. (2014). Perceived information security of internal users in IT services industry. Information Technology and Management, 15(1), 1-8. doi:http://dx.doi.org/10.1007/s10799-013-0156-y
Nel, F., & Drevin, L. (2019). Key elements of an information security culture in organisations. Information and Computer Security, 27(2), 146-164. doi:http://dx.doi.org/10.1108/ICS-12-2016-0095
Otero, A. R. (2014). An information security control assessment methodology for organizations. Business Premium Collection. Retrieved from https://search.proquest.com/docview/1525810664?accountid=30552
Otero, A. R. (2015). An information security control assessment methodology for organizations' financial information. International Journal of Accounting Information Systems, 18, 26. Retrieved from https://search.proquest.com/docview/1732582426?accountid=30552
Paarlberg, J. W. (2016). An empirical analysis on the effectiveness of information security policies, information technology governance, and International Organization for Standardization security certification. Business Premium Collection. Retrieved from https://search.proquest.com/docview/1815064541?accountid=30552