Developing Strategic Security for Yahoo Inc. - CIS8018 Report

Added on  2023/06/03
STRATEGIC INFORMATION SECURITY PROGRAM
DEVELOPMENT FOR YAHOO INC.
Created by XXXXXXXXX
CIS8018 – U1106620
Abstract
In the earlier report, the different security threats that exist in the organizational tasks within Yahoo were discussed in detail, together with Yahoo's privacy policies and the consequences of the failure of security programs. This report is a continuation of that study and highlights the different techniques that can be implemented in order to develop a proper security program for the company, one with the potential to eliminate the possible threats to the organization. The roles and titles of the security personnel that currently exist within the organization will be discussed in detail, and recommendations and suggestions will be provided as to how the security strategies can be improved. ISO security standards will be described in this report, and a suitable security program that maintains those standards will be suggested and designed for Yahoo Inc. By the end of this report, the reader will have a clear understanding of the different aspects associated with the implementation of the security program within the organization.
Table of Contents
Introduction......................................................................................................................................4
Security measures at Yahoo.............................................................................................................4
Current roles and titles of security personnel:.................................................................................5
Chief information security officer (CISO):.................................................................................5
Product security Engineer:...........................................................................................................7
Suggestions to improve security personnel hierarchy:................................................................8
Training requirements to incorporate these changes:......................................................................9
- Management Support for Change.....................................................................................9
- Case for Change..............................................................................................................10
- Communication and implementation of the change.......................................................10
- Planning a suitable training program..............................................................................11
Determination of a proper ISO certified security model:..............................................................11
Threat identification and risk assessment in Yahoo......................................................................13
Suitability of ISO/IEC 7498 certified OSI information security model:...................................13
Conclusion:....................................................................................................................................14
References:....................................................................................................................................15
Introduction
This study aims to set out the different organizational considerations involved in implementing an information security program within the workforce. Organizational security is one of the major concerns of organizations in today's world. In the earlier report, the different threats related to data security, as well as other aspects such as the consequences of system failures, were identified and discussed in detail. This report mainly focuses on the development and implementation of appropriate security software for the company that eliminates all the earlier-discussed risks and threats related to data security and other security parameters. The ISO standards that the security programs must follow will also be discussed in the following paragraphs. A proper certification will be studied and recommended to the company, and a security application that makes use of the ISO standards as well as the recommended certificate will be recommended to the company.
Security measures at Yahoo
Information security is one of the primary focuses of Yahoo, which invests a lot of time and expertise in developing the security programs within the organization. Yahoo is aware that its users place a lot of trust in Yahoo's data security policies: they are assured of the security and privacy of their accounts and of the other information stored in Yahoo databases. Some of the main security measures incorporated by Yahoo are:
Second sign-in SMS verification code – Users need to authenticate themselves by typing in a verification code sent by short message service (SMS) to their mobile phones. It ensures better verification and security of the accounts (Murashkin et al. 2013).
Transport layer security – TLS is an encryption method used to securely transmit payment as well as other financial information.
Secure data storage – Different physical as well as technological security strategies are incorporated in the organization in order to secure the information.
On-demand recovery passwords – Yahoo can provide on-demand passwords to users who want to link their accounts to another mobile device, provided the user has already entered the mobile number (Horalek, Matyska and Sobeslav 2013).
Training and education – Adequate training has to be provided to employees regarding the security program that will be incorporated, in order to keep them informed and educated about it.
Vendors and partners – Even when Yahoo has to share confidential information with its partners or vendors for business tasks or decisions, it makes sure that the privacy policies and agreements are maintained in the first place.
Access to information – The security setup at Yahoo is very tight and limits access to information. Users can only access secure data according to their importance and hierarchical level in the organization.
Current roles and titles of security personnel:
Chief information security officer (CISO):
Yahoo has hundreds of employees who work towards the security of the organization as a whole. These employees perform different security tasks, which also include data and information security. The chief security officer is not only concerned with the physical security of the organization, but also caters to its electronic and data security. The present chief information security officer (CISO) at Yahoo Inc. is Bob Lord. He replaced Ramses Martinez, the earlier chief security officer, in October 2015.
The chief information security officer is the highest authority within Yahoo Inc. who is directly responsible for the overall physical as well as electronic data security within the organization, thereby helping the organization to achieve an overall competitive advantage. One of the major roles of the chief information security officer is to ensure that there is a strong inter-departmental connection within the organization and that there are no acts of vandalism or secrecy among the employees. The job of the CISO is to ensure an optimum level of transparency and harmony among the employees of all departments and all hierarchical levels while they work together. This in turn also ensures the overall security of the organization as a whole. For instance, once the company has less to worry about regarding the different vulnerabilities related to data security, the employees will be able to work in greater harmony and better cooperation with each other. In other words, the chief information security officer is responsible for reducing any kind of friction between the different departments to ensure a smoother and safer workplace (Herath et al. 2014).
Chief information security officers are not only concerned with the physical security of the different Yahoo data centers across the world; they are also concerned with the information technology (IT) infrastructure and electronic data security. They should always ensure that the security policies are maintained and that the company is always in a safer position and at a competitive advantage as well. A major part of the CISO's job is to work with executive-level employees to understand the basic drawbacks and security concerns faced by mid-level employees. Through this, the basic concerns can be addressed and, accordingly, financial decisions can be taken to implement newer security strategies and ideas within the organization. Bob Lord also reserves the power and the right to oversee decisions taken by any security director at a particular branch or data center of Yahoo, keeping in mind the overall security and welfare of the company as a whole.
Product security Engineer:
Binu Ramakrishnan is presently the product security engineer at Yahoo, heading all the different product and information security tasks within the organization. He is concerned with the protection of the networks as well as of the data in the servers and other applications within the organization, and with protecting and securing the IT systems. This can include securing the network and infrastructure, data security, server security, cloud computing security measures, etc. Securing important information such as customers' personal information, financial worksheets and other confidential data is a major part of the role of an IT product security officer. He is also responsible for deciding and providing access for other employees and users, within or outside the organization, to important data and databases through multiple user authentication and verification strategies (Harkins 2013).
The product security officer at Yahoo is also responsible for developing and implementing security measures that secure the network by using firewalls, data loss prevention (DLP), virtual private networks (VPNs), intrusion detection systems/intrusion prevention systems (IDS/IPS) and network access control (NAC), as well as making use of enterprise antivirus applications such as Kaspersky Internet Security. He is also responsible for designing local area networks (LAN), wide area networks (WAN) and virtual LANs (VLAN), thereby ensuring improved and enhanced security within the organization. Binu Ramakrishnan is the present officer at Yahoo who takes care of all these functions within the organization.
Suggestions to improve security personnel hierarchy:
The hierarchical structure within the organization can be improved with respect to different parameters, for the overall development of the organization as well as for better and improved security within it. Some of the recommendations are briefly explained below:
- There should be a systematic Board of Directors at the headquarters, ultimately taking care of the entire corporate security governance of the organization. It should be able to take critical decisions on the information security risks that prevail within the organization. However, this presently does not happen within Yahoo, and most of the security responsibilities are explicitly delegated by the board to the lower executive directors, led by the chief executive officer (Chou 2013).
The different Executive Directors within Yahoo should have the flexibility to give overall direction towards strategic as well as competitive benefit, by getting the different security principles approved and implemented by all employees within the organization.
- The chief information security officer (CISO) should be handling tasks such as managing IT operations and risk factors, performing compliance as well as internal audit, as well as the
- Yahoo should try to focus on conducting more security awareness programs and campaigns for its security personnel and help them develop a strong understanding of the ISO/IEC 27002 standards (Zeki et al. 2013).
- The managers across the organization should ensure that all the employees abide by the ethical as well as the security guidelines when taking any business decisions. They should also ensure that all the physical, procedural as well as technical controls comply with the security guidelines, to prevent any sort of privacy breach or data misuse within or outside the Yahoo workplace.
- Yahoo should also look to hire more efficient information asset owners (IAOs). These are the specialized managers in an organization who are responsible for securing a particular information asset by making use of their LSC or SC. IAOs in Yahoo should have the authority to assign tasks related to information or data security to managers, while remaining themselves responsible for the proper implementation of the tasks and the security policies. This is presently not happening within the Yahoo work culture, and the management should consider implementing it (Flores, Antonsen and Ekstedt 2014).
The information asset owners (IAOs) should also be held responsible and answerable for the risk-mitigating measures and action plans among the employees in case these are not performing up to the mark. They should personally look into critical risk factors and policy exemption scenarios, to prevent discrimination and employee unrest as well. IAOs should make sure that the exemption process is executed successfully by the managers under their own supervision in case of any extreme security-related issue.
Training requirements to incorporate these changes:
The training requirements for implementing the above-discussed hierarchical changes within Yahoo, so as to ensure an improved security program within the organization, can be summarized in eight points as discussed below:
- Management Support for Change
All the employees will gladly accept the change in organizational structure if they see proper support for it from the entire organization. It will be of utmost importance for Yahoo to make sure that adequate communication as well as training programs are arranged, especially for the leadership teams, to ensure a smooth transition of responsibilities. This in turn will also create newer job opportunities within Yahoo Inc. If the employees are not comfortable in understanding or relating to the changes in the security policies within the organization, they will not even consider implementing them themselves, and it will be a total failure for the organization (Duffield 2014). In turn, it can cause vandalism among employees and other threats within the organization itself, in case any employee is dissatisfied with another colleague, is not happy about the working principles within the organization, and has a vengeful mentality towards the organization. Employee job satisfaction plays a major role here.
- Case for Change
No organization wants a change in name only, be it in the security program or in any other department. A case for the change is all that is required. It is calculated based on surveys of customer comment cards, customer satisfaction, employee satisfaction surveys, defect rates as well as business goals (Siponen, Mahmood and Pahnila 2014). Budget pressures for implementing a new security program, as well as for implementing the above-discussed changes in hierarchy, should be taken into consideration, which will also require the organization to schedule proper training sessions for the finance departments as well (Peltier 2016).
- Communication and implementation of the change
Employees depend on the management to effectively communicate any changes within the organization to them. Rumors about a change can create resistance to the change itself. Yahoo should be proactive enough to communicate the changes and ensure adequate training programs on the new security policy (Kang et al. 2015). The employees should not face any kind of surprise when a new security policy is implemented within the organization.
There should also be a tentative roll-out date for the new security plan within the organization, and a pre-roll-out testing phase of the new security program, to keep the employees well informed about the changes (Ford 2014).
- Planning a suitable training program
Yahoo Inc. will need prior approval of the training sessions from the upper management in order to conduct the training and development programs. The different aspects of the training programs, such as security policy milestones, implementation costs, tentative dates as well as deliverables, have to be covered in the training modules. Commitment from the employees, as well as their understanding of the learning outcomes, should be ensured by Yahoo management (Daya 2013).
Determination of a proper ISO certified security model:
Traditionally, Yahoo relied on its password and PIN model of data verification and user authentication. However, to combat the ever-increasing incidence of data theft and security breaches, it recently came up with a concept called 'Yahoo Account Key', which enables the user to log into his Yahoo account without having to enter a password. It makes use of push notifications to help users log in faster and more safely to their Yahoo email accounts. Yahoo considers user friendliness more important than information security and relies on the simple technique of tapping a button to sign in, instead of making its users memorize long, complicated passwords. This particular model is not very secure and is not helping much in securing the sensitive information and the user data (Dadelo et al. 2014).
The Open Systems Interconnection (OSI) security model should be incorporated in the Yahoo workplace in order to secure the data even more (Bora et al. 2014). This model is ISO/IEC 7498 certified and should be incorporated within Yahoo Inc. because of its multiple benefits. Some of the benefits of the OSI model are:
1. Overview: This model gives an overall view of the security of all the different aspects of the organization, be it physical security or electronic data security.
2. Authentication: It helps in providing excellent user authentication techniques such as single sign-on and account keys (Kumar and Lin 2013).
3. Access control: Efficient access control is also provided on the office premises, making sure that not all employees and users can access all the information rooms or server rooms.
4. Non-repudiation: Signature authentication of the certificates used in this model is never questioned; they are extremely authentic and credible.