Delivery in day(s): 3
CIS8018 Strategic Information Security
Information security is an important aspect which plays a vital role for every organisation. Every organisation need to use or adopt an information security system so as to manage the information related to the organisation which is of confidential nature. This report which has been conducted over Strategic information security has discussed the different elements related to the information management and security process of an organisation so as to understand the importance of information security in an organisation. Information security process or system adopted by the organisation reduces the risk to the information of the organisation.
This program has been executed over the Strategic information security which will help in generating knowledge about the different aspects of the information security and its importance in an organisation. This report discusses the security system or program used by organisations for safeguarding the information, a professional plan for the training requirement so as to implement the changes, ISO security standards followed or used by the organisations depending upon the suitability of the security standards, information security certifications which helps in enhancing the security posture of an organisation and identification of the risks so as to identify the threats from the various factors of business environment to the organisation. Information security is an important aspect for every business as safety to the confidential data needs to be maintained so as to facilitate functioning of the organisation in a proper manner and attainment of the objectives of the organisation.
For gaining a better knowledge of these elements an organisation has been chosen which is named as “Attenda” a IT Business process management company which is operating its business in the different parts of the United Kingdom. It offers business process outsourcing and knowledge process outsourcing services to its customers in the different sectors including banking, customer services, telecommunication and media and health care sector. The current security situation of Attenda includes use of information security programs for the safety of the information. In the current situation it is focusing over the development of a product based on the needs, development of a strong IT culture for the safety of data and risk identification. For the purpose of security of the information it has appointed Chief Information Security Officer who is responsible for evaluating the security management structure of the organisation so as to analyse the risks associated with it, system program manager, system administrator, designated approving authority, functional manager and information system security officer.
Overall security program adopted by the organisation
Currently Attenda has appointed different officers for the management of the security system of the organisation. The major focus of these officers is over the risk identification, elimination and management of the information in a secure manner. Every organisation need to develop and adopt a security system which ensures the safety of the data from the harm and to ensure that the confidentiality of the details or information of the customers is maintained. Attenda has selected its security program after proper evaluation of the security program so as to maintain the level of effectiveness in the operations of the organisation. They are offering knowledge process outsourcing and business process outsourcing services to its customers so as to meet the requirements of the customers (Mahadevan, 2011). Attenda has adopted an effective security program after analysis of the program and its functioning so as to ensure that it performs the functions well and reduces the risk by identifying the risks. There are different elements of the security program which helps in performing the functions or operations of Attenda in an effective manner. These elements of the security program of Attenda include assessment of the risk on regular periods, use of an entity-wide security program plan, use of IT software for storing the information at a place which is safe and secure and accessible by the personnel of the Attenda and the customers who have right to access the information, adoption of a security management structure in its environment for ensuring the security of the information, formulation of effective security-related personnel policies and monitoring the security programs effectively and implementing the changes as and when required (Hanny, 2010).
For the purpose of identification of the type of security plan or program Attenda need to adopt it need to consider different aspects. These aspects include the assessment of the risks to the information of the organisation. This assessment of the type of risk will help in the selection of the most suitable security program or plan or software by the Attenda. There can be different type of risks to the information of the organisation and this involves threats from malicious insiders which includes risk from the employee, contractor, theft by the insiders of the organisation, accidental insiders which includes risk due to the poorly trained, curious, natural threat due to the fire, flood or other natural disasters and malicious outsider includes risk from the hacker and industrial espionage. And there is a need to assign the security responsibilities to the individuals and providing training for the purpose of handling the incidents and security advisory handling. Attenda keeps control over the management activities, operational activities, technical activities and vulnerable assessment mapping as these aspects affect to the security of the information. Attenda keeps a random check over the activities of the different fields of the organisation so as to ensure their functioning, reviewing the security program and its effectiveness on regular basis so as to maintain the effectiveness of the program used by Attenda (Hanny, 2010). The security model used by Attenda is based on the risk management, reliable functioning of the critical process of the system or program, information security by using security systems, analysing and monitoring the events or activities, responding to the incidents, threat management and vulnerability management and supporting the operations by prediction and active monitoring actions. Every organisation need to manage its functions so as to maintain the safety and security. It is adopting top-down approach for the security program used by the organisation where the support comes from the top level management of the company to the lower levels (Mahadevan, 2011).
Professional plan of training requirements
For the purpose of ensuring the safety and security of the information there is a need to develop the professionals by providing training to them for dealing with the different aspects of the security system or program of the organisation. Attenda need to educate its human resource so as to ensure the effectiveness of the system or program. Attenda need to conduct a formal security awareness training program for the purpose of providing training for the development of the human resource in a formal manner (Hazardous Materials Table, 2016). The training process of Attenda include job training to the employees of the organisation, providing professional education so as to make sure that the activities or operations are performed within the professional framework and performance matrix. The need of the training or the requirement of the training arises for the purpose of security to be effective and successful, to develop the importance of the security system among the human resource of the organisation, to communicate the security programs to the human resource and to explain the responsibilities to the human resource (Gantt, 2013).
Attenda have three separate entities for the purpose of the security program and these include the top level management, technical employees and the staff. Different types of training can be provided to the human resource depending on the nature of the security program and the requirements of the security program used by the organisation. The training process needs to be focused over spreading awareness among the human resource so as to make them aware of the roles and responsibilities they need to fulfil. Proper channels of communication need to be established among the internal resource of the organisation so as to deal with the situations in a better manner. The technical department need to review the performance of the other staff of the organisation so as to keep a check over the routine functions of the organisation for reducing the chances of risks. Security training need to be provided on regular basis and on continue basis so as to match up with the changes in the security programs of the organisation (Trim, et. al., 2013;2016).
For the development of the individual training plan need to be prepared. Attenda need to formulate plans for the development of the professionals by identifying the training needs of the employees and providing training to them. Specialised training programs need to be organised by the Attenda. In these specialised training programs focus is over the development of the professional in relation with the requirement of the software, system or program for the information security. Training to the individuals needs to be provided so as to make them expert in the use of devices and technologies for maintaining the effectiveness of the security system. Different roles are there in the security system of the organisation which needs to be provided different type of training as per the requirement of the role. These trainings need to be provided in the administration field for performing the functions of the field, risk management techniques, development of the policies and Information development system (Hazardous Materials Table, 2016).
ISO security standards
ISO which stands for International Organisation for Standardisation is the largest developer of the voluntary international standards of the world. ISO security standards provide guidelines or rules and regulations for the safety and security of the information various harm or threats. There are two types of approaches according to the ISO security standards for the purpose of security of the information. These approaches are baseline approach and risk analysis approach. Baseline approach indicated by ISO security standards widely covers the control coverage and rich categorisation of the information which need to be kept secured and safe. This approach divides the 133 controls into 11 categories (Skyhigh, 2016). Risk analysis approach indicated by ISO security standards listing is done of the all the important assets of an organisation. In this approach analysis is done of the risk to the life time of the asset of the organisation and helps in controlling the risk associated with the different assets. ISO security standards ensure that the good practices are adopted by the organisations for the safety of the information. There are two functions on the basis of the ISO security standards. These functions are process based and PDCA approach. Process based function of the information security applies to every organisation irrelevant to the structure, size and nature of the organisation. PDCA approach function of information security includes the activities related to planning, executing, checking and monitoring actions. In this function the activities are executed step by step in a sequence and spiral evolution (Amsenga, 2014).
The 133 controls and 11 categories discussed under the Baseline approach is defined in the ISO as information security standards and these are discussed below:
Numbers of Controls included in each category
Organisation of information security
Human resource security
Environmental and physical security
Communications and management
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
Attenda need to follow the standards and the guidelines given or provided by the ISO security standards so as to ensure the security of the data or information as well as of the other assets of the organisation. Adoption of the ISO security standards by Attenda will ensure that the safety and security of the information of the customers of the business is done effectively. These will help Attenda in reducing the cost and time and errors in the system. The customers of Attenda will be confident about the safety and security of information as Attenda will follow the ISO security standards (Gutiérrez-Martínez, et. al., 2015). ISO security standards also involve the customers in the process of standard development work. ISO security standards provide the advices of the experts to the business and enhance the performance of the organisation in the business environment. The main motive of ISO security standards is to ensure that the services offered by the business are reliable, safe and good for the entities of the environment.
Information security certifications
For the purpose of security of information various certifications are issued. Every organisation need to acquire these certifications so as to ensure that the ethical code of conduct is maintained. For the purpose of ensuring the safety of the information every organisation need to possess skills or knowledge of the different aspects of the information security. Attenda need to acquire these certifications for information security. The appointment or employing the individuals who have undergone a course for gaining the knowledge of the particular aspect of information security and acquiring the certifications for the information security. These certifications for information security acquired by the Attenda are as follows:
Cyber security forensic analyst:this certification is a proof that the individual possess the skills for effectively interpreting the evidence and communicating the results of the interpretation in an effective manner. This certification provides an advantage to Attenda as the holder of the certificate is able to perform the comprehensive analysis that too within the limited span of time (A, et. al., 2015).
Information Systems Security Engineering Professional (ISSEP) certification:holder of this certificate holds or possess the knowledge of the systems security engineering and knowledge of technical management. The aim of this certification is to improve the skills of the security engineering.
Certified Ethical Hacker:with the help of this certification Attenda can look for the weaknesses and vulnerabilities in the system and using these weak points for improving the performance of the systems. This form of hacking is legal as it is done for a fair reason and in an ethical manner (Markov, et. al., 2015).
EC-Council Certified Security Analyst/Licensed Penetration Tester:the main motive behind designing this certification is to perform or execute the audit of the security systems. The focus of this certification is over the client and it helps in presenting the accurate information and making suggestions to the clients and the employers.
GSEC certification:This certification in the information security enables an individual to gain knowledge of the hand-on applications of security tasks which are related to the wide range of information technology system. It helps Attenda to gain knowledge of the hand-on applications.
EC-Council Certified Secure Programmer:this certification provides knowledge of the manner of developing the high quality coding that uses the best practices and effective programming techniques to protect the business from the harm or threats or vulnerabilities.
Check Point Certified Security Expert:this certification in information security develops the skills of the individual for the manner in which the programs are built, deployed, modified and troubleshooting so as to identify the issues or problems. This certification helps in upgrading the management servers for ensuring the optimal security (Schultz, 2011).
Risk assessment can be understood as the process of analysis and evaluation of the risk which may arise or may involve in any task or activity. Risk assessment is done so as to identify the risks involved in any activity which will help in minimising the impact of the risk over the execution of the activity. Risk assessment is a huge challenge in front of an organisation as it is a complex task. Risk assessment is an important aspect or element of risk management. Risk assessment is a continuous process which involves identifying the risks, analysing the measures for correcting the risks and solving the security issues for reducing the chances of risks in the system. The objective of risk assessment is to analyse the system and the environment of the business (Butt, 2011). The level of risk associated with the activities determines the effectiveness of the organisation in dealing with the risks as and when they are identified. Risk assessment helps in the identification of the risks and measures for resolving the issues or risks on time. The risk assessment must be conducted on regular intervals so as to ensure the safety and security of the information. For the purpose of risk assessment a process need to be adopted. Attenda has adopted a risk assessment process in which regular checks are done of the system of the information security so as to identify the risks. The process adopted by the Attenda include system documentation phase in which description of the system is provided and the handle the information, identification of the security level of the system, identification of the threats and harm for the purpose of analysis of the risk and identification of the measures for dealing with the risks. Attenda need to identify the severity of the impacts so as to analyse the level of risk. And recommendations need to be made so as to safeguard the information of the clients or customers. The process of the risk assessment needs to be monitored on regular intervals so as to analyse the risks. The risks must be communicated on time so as to deal with the issues or the risks on time. Plans need to be prepared by the organisation (Hart, 2010).
This program covers the different aspects related to the information security in an organisation. The role of information security in an organisation plays a crucial part as it ensures the safety and security of the information of the customers or clients. In this program discussion has been over the security system or program adopted or used by an organisation for ensuring the safety of the information. It also covers the professional plans for the purpose of training requirements, risk assessment so as to identify the risks involved in every activity, ISO security standards which ensures the safety and security and reliability of the services offered by an organisation for the safety of the information and the information security certifications which are required by an organisation for ensuring the quality services to the customers or clients.
"Skyhigh Networks Joins Cloud Market Leaders in Adopting Critical Security Standard ISO 27018", 2016, Pharma Business Week, , pp. 132.
A, M.M., A, M.A. & V, M.O. 2015, "INFORMATION SECURITY OF THE ACCOUNTING OF ASSETS AT CERTIFICATION OF MANAGEMENT SYSTEMS", Polythematic Online Scientific Journal of Kuban State Agrarian University, , no. 111, pp. 1244-1252.
Amsenga, J. 2014, "ISO/IEC JTC1/SC27 – SE Standards for Information Technology Security", INSIGHT, vol. 17, no. 1, pp. 20-22.
Butt, M. 2011, "Risk assessment", Accounting, Auditing & Accountability Journal, vol. 24, no. 1, pp. 131-131.
Gantt, R. 2013, "HazMat Transportation: Navigating Training Requirements", Professional Safety, vol. 58, no. 6, pp. 68.
Gutiérrez-Martínez, J., Núñez-Gaona, M.A. & Aguirre-Meneses, H. 2015, "Business Model for the Security of a Large-Scale PACS, Compliance with ISO/27002:2013 Standard",Journal of Digital Imaging, vol. 28, no. 4, pp. 481-491.
Hanny, J. 2010, "Building an Application Security Program", Information Security Journal: A Global Perspective, vol. 19, no. 6, pp. 336-342.
Hart, C. 2010, "Risk assessment", Mental Health Practice, vol. 14, no. 4, pp. 8.
Hazardous Materials Table, Special Provisions, Hazardous Materials Communications, Emergency Response Information, Training Requirements, and Security Plans2016, , Federal Information & News Dispatch, Inc, Lanham.
Mahadevan, P. 2011, Politics of Counterterrorism in India, The : Strategic Intelligence and National Security in South Asia, I.B.Tauris, London.
Markov, A., Rautkin, Y., Luchin, D. & Tsirlov, V. 2015, "Evolution of a radio telecommunication hardware-software certification paradigm in accordance with information security requirements", IEEE, , pp. 1.
Schultz, B. 2011, Cissp! Who cares? Information security certifications have their role, but not necessarily as a career accelerant, reports Beth Schultz, Haymarket Media Group.
Trim, P., Upton, D. & Books24x7, I. 2013;2016;, Cyber Security Culture: Counteracting Cyber Threats through Organizational Learning and Training, New edn, Gower, GB.