Delivery in day(s): 4
CIS8018 Strategic Information Security Assignment Help
Information security system plays a vital role in the success of the organisation. It become very important for organisation to adopt the information security system in order to manage their available information from getting theft and miss-used and treat the information as confidential as it is related to their customers and clients. This report is processes over the Strategic Information security system where different topics related to the information management and security process in context to the business organisation get discussed that helps in understanding the importance related to the information security within an organisation. When an organisation adopts the information security process then it helps in reducing the level of risks or threats available in the business market.
Strategic information security helps in getting adequate knowledge over the issues related to the information security and its high level of importance in the organisation. In this report there are various aspects get covered such as security system implemented by the organisation in order to secure their information, professional plan to render training requirements in order to make successful implementation of the changes, ISO security standards followed by the organisation that fully depend over the suitability of the security standards, attain information system certificated that helps in enhancing the security system standards as well as identify the risk in order to remove the threat from the different factors of business environment in context to the organisation. Information security is considered as the important aspect from the safety point of view of every business where they can maintain their confidential and important data in order to render support to the organisational functioning in adequate manner so that they attain their desired objectives (Baskerville, et. al., 2014).
In order to get better knowledge over these points the organisation “Tesco ". It is a multinational grocery and general merchandise that run their functions in Asia and Europe. As per their earned revenues they get considered among 2nd largest retailer in the World. They are considered as market leader in the market of UK, Ireland, Hungary, Malaysia and Thailand. They currently make use of the information security program in order to safeguard their information. They currently focus over the development of their IT system as per the need of the security system in order to safeguard their data and risk identification. Their management also appoint CISO (Chief Information Security Officer) for the purpose of enhancing their information security system as he is liable to evaluate the organisational security management structure for the purpose of analysing associated risks, information system security officer, manager of system program, system administrator, functional manager and designated approving authority (Baskerville, et. al., 2014).
Overall security program
Tesco appoints management in context to the security system within their organisation. Their major concern is related to the risk identification, its assessment, elimination and management of information in order to safeguard it in effective manner. Now-a-days it become very important for the organisations to implement information security system for the purpose of ensuring that the information stored and utilise by them remain secured and helps in maintaining the confidentiality level of the information. Tesco evaluates the security program before its implementation so that they make complete assurance that their information gets secured from the threats available (Seyed Amin Hosseini Seno & Bidmeshk, 2016). Tesco is engaged into retailing services where they need to fulfil the demand of their respective customers. They evaluate the security system in order to access the performance of the security program, its functionality and ability of reducing the impact of the available risks (Akhgar, et. al., 2013).
Tesco consider different aspects that helps in identification of the security plan best suited for the purpose of the securing their information. The one of the aspect included is risk assessment related to the information. The assessment of risk helps in identifying the level of the risk that helps in getting the most suitable and effective security program in order to safeguard the information. Stored information having various different kinds of risks that make inclusion of threat of malicious insiders (include employees, managers, etc.), natural disasters such as fire, flood, etc. risk of hacking and many more. In order to minimise the impact of the risk there is effective need of assigning security responsibilities among the individuals and render them training in order to handle the incidents and also handle the security advices. Management of Tesco put effective control over activities related to management, operations, and technical and perform vulnerable assessment in order to map these aspects in order to reduce the affects over the information security. On the regular basis their management perform random checking over their activities related to the different departments in order to make sure that their security program is functioning properly, and review it in effective manner so that it helps in maintaining its effectiveness over the regular basis that helps in reducing the impact of the risks or threats. Tesco management make use of such security model that based over the risk management and it should attain reliable functioning in order to access the confidential information, analysis and monitoring of the events and activities, threat management and other requirements in order to predict and took the required actions. Like every organisation Tesco need to manage their functions in order to render support for the purpose of maintaining adequate level of safety and security. In order to enhance the effectiveness of their security program they follow the top-down approach in which lower level or operational level get support from the top level management (Wang & Zhuang, 2011).
Professional Plan of training requirements
In order to make sure of safety and security of the stored information there is effective requirement of developing professionals with the help of rendering training and development program to them so that they get trained over different aspects related to the security system of the organisation. Tesco need to educate their employees to enhance the effectiveness of the security system and for this purpose their management conduct security awareness training program in order to render adequate training to their employees in formal and certified manner (Workman, 2012). Their training process make inclusion of job training related to the organisational employees, provide education professional in order to make sure that all the activities or their assigned operations get executed in the prescribed manner or as per the structured framework and performance matrix. Training department access the need or requirement of the training programs in context to the security to make it effective as well as successful for the purpose of developing the importance of the security system within their employees and make effective communication related to the security program and also divide the responsibilities among the human resource (Workman, 2012).
Within Tesco there are three levels among their security program and that makes inclusion of top level management, technical staff and employees. They render different security program trainings to their employees in order to make them aware about the need of the security and also implement the essentials of the security measures that get followed by their employees to initially safeguard the information from getting misused. The initial training program focused over the spreading awareness related to the security requirements among their employees long with make them aware about their roles and responsibilities. There is effective requirement of developing adequate communication channels that helps in reacting or handling the threat situation in the effective manner (Nandkumar, 2012). Technical department put adequate level of monitoring over the processing of the employees in order to conduct regular check over their routine functions that helps in reducing the chances of getting threats. There is effective need of rendering regular security training in order to make their employees updated in context to the changes made in the security programs of the business organisation (Nandkumar, 2012).
There is effective need of developing individual training plans. Management of Tesco prepare effective plans in order to develop the professionals and for this purpose the make identification of need of training of employees and render them adequate level of training. For some professionals they also arrange some specialised training programs and these specialised programs helps in developing the professionals in context to the requirement of the software, system or programs related to the information security (Kelly, 2010). Training is required in order to make them experts from normal so that they make use of updated devices or technologies for the purpose of maintaining the effectiveness of their implemented information security systems. There are various different roles or responsibilities are included in the information security system and different training program get arranged as per the requirement of the role. These trainings make inclusion of risk management techniques, policy development and information development system (Basu, 2011).
ISO security standards
ISO or International Organisation for Standardisation is the largest developer in developing voluntary international standards. ISO security standards rendered guidelines or rules & regulations related to the safety and security of the information from the available threats and issues. As per the ISO security standards there are two types of approaches are available in order to safeguard the information and these approaches are baseline approach and risk analysis approach. Baseline approach makes include wide range of control coverage and rich information categorisation in order to maintain its security and put them safe (Borum, et. al., 2015). This approach helps in dividing the 133 control in 11 categories. As per ISO security standards risk analysis approach stated that all the important organisational assets get listed and with the help of it analysis is made over the risk related to the assets for the lifetime period and render adequate help in controlling or managing the risk related to their different assets. ISO security standards make sure that organisation follows best and effective practices in order to safeguard their information. On the basis of the ISO security standards there are two functions and these are process based function and PDCA approach. As per process based function information security implies over every organisation irrelevant to their structure, size and nature of the organisation. Whereas PDCA approach function focus over including activities related to the Planning, Doing, checking and analysing the actions. According to this function activities get performed step by step in a sequential manner and spiral evolution (Brown, 2014).
In the below table the 133 control get categories under 11 categories as per the Baseline approach such as: -
Name of category
No. of control included by each category
Organisation of information security
Human resource security
Environmental and physical security
Communication and management
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
(Hedström, et. al., 2011)
Tesco follows the standards or guidelines rendered by the ISO security standards in order to make sure that security of data or information related to the other organisational assets. By adopting ISO security standards Tesco make sure high level of security and safety for their information and also make their customer satisfied over the information security. With the effect of it effective results attained by them such as reduction in cost, time as well as errors in their processing. Their customers attain effective level of confidence related to the safety and security of their information stored at Tesco as they make follow the ISO security standards. As per the ISO security standards they make inclusion of customers for the purpose of standard development. It helps in advising the experts of the business organisation in order to enhance the organisational performance as per the business environment. The main motive of ISO security standard makes sure that the services rendered by the business organisation are reliable, safe and excellent in nature as per the business environment (Tabansky & Ben-Israel, 2011).
Information Security Certifications
In order to enhance the level of confidence in the security system there are various certificates are available. For every organisation it become important to acquire such kind of certificated in order to make sure that they maintain adequate ethical code in their organisation. In order to ensure the information safety there is effective need of having effective set of knowledge related to the different information system aspects. Tesco also required these certifications in order to enhance their security system. Their management also appoint the individuals who attain adequate level of knowledge related to the different aspects of information security and helps in attaining certifications (Basu, 2010). There are some certifications get discussed below such as: -
EC-Council Certified Secure Programmer
This certification helps in attaining the knowledge in order to develop the high quality codes that get utilised for best practices and enhancing programming techniques in order to safeguard the business information from threats or vulnerabilities.
Check-point certified security expert
This information security certification helps in developing the skills of individual that helps in process various programs such as building, deploying, modifying and troubleshooting in order to make identification of issues or problems. This also helps in upgrading the servers of management in order to make sure about the optimal security.
This certification enables the individual to get the knowledge over the hand-on application related to security tasks having relation with the wide range of information security system. With the use of this certification Tesco attain knowledge related to the hand-on applications.
EC-council certified security analyst or Licensed penetration tester
With the help of this certification the process of auditing security system get processed. The main purpose of this certificate is over the client as with the use of it accurate information and suggestions get rendered to their clients as well as to the employers.
Cyber security forensic analyst
This certificate proves that individual having enough capability or skill set in order to make effective interpretation of the evidences and make adequate level of communication over the attained results of interpretation. For Tesco this certificate helps in making comprehensive analysis within a short span of time period. As it took huge time period for interpretation and its communication.
Information Systems Security Engineering Professional certification (ISSEP)
This certification renders that holder of it attaining huge set of knowledge related to the security system engineering and knowledge related to the technical management. This information helps in improving the existing skill set related to the security engineering.
Certified ethical hacker
This certification helps in getting the weakness or the vulnerabilities related to the security system and make use of the knowledge in order improve or develop the existing performance of systems. This process of hacking is considered as legal as it is done by the business itself and for enhancing their security system in an ethical manner.
(Murphy & Beach, 2010)
Risk assessment is the process that helps in analysing and evaluating the risk rise or associated with any of their activity. Organisation performs the risk assessment in order to identify the risk associated with the activities in order to minimise its impact over their processed activities. For an organisation risk assessment is not an easy task to complete it get considered among complex processes but it is necessary in order safeguard their information from getting theft or miss-utilised. For running organisation risk assessment is not an single time activity it is an continuous process that helps in identifying the risks, analysis of its measures in order to remove the risks or minimise its impact in order to reduce the failure of the activity performed (Vaishya & Tripathi, 2011). The risk level helps in determining the organisational effectiveness in context to handling risks such as risk identification and minimising its impact. Risk assessment is the process of identifying the risk and also helps in resolving the issues related to it. Tesco conducts the risk assessment activities or regular intervals in order to enhance their security systems and safeguard their information from getting theft. Proper and systematic procedure is followed under the risk assessment process. Tesco adopts the process in which they make regular security checkups in order to make identification of the risks. Their process also include various things such as documentation phase in which they render description to the system and handle the available information, indentify the systems security level along with the identification of the threats and harms, and in the end analyse the measure in order to reduce the impact of risk (Vaishya & Tripathi, 2011). There management identify the level of risk in order to measure its severity and identify the available solutions in order to safeguard the information from the impact of the risk. It is very important for them to monitor the risk assessment process in order to identify the current risk and threat associated with the business activities and information. There is requirement of making immediate communication or well on time communication is required for the purpose of handling the risk issues well on time. This helps in preparing security plans well on time. There are various aspects related to the security program that helps in executing the operations or functions related to the business need. These aspects having inclusion of the regular check-ups of the security process, analysis of the security program plans, utilisation of the IT software for the purpose of recording information where it remain safe and secure and get accessible by only authorised body, provide access to the authorised customers only, adoption of the security management structure in the business environment for the purpose of ensuring the security level of the information, policy formulation related to the security system and also monitor the security programs in effective manner and also implement the available changes in it when it get required (Vaishya & Tripathi, 2011).
Under this report there are different aspects get covered related to the information system of Tesco Information security system plays an crucial role in ensuring the safety and security measures of the organisational information related to the customers or clients. Different organisations implement different information system in order to safeguard their information from the available risk. There are professional plans in order to identify the requirements of training as well as identify the available risks, ISO security standards that ensure high level of security and reliability over the services rendered by them to the customers.
Akhgar, B., Yates, S. & Books24x7, I. 2013, Strategic Intelligence Management: National Security Imperatives and Information and Communications Technologies, Butterworth Heinemann, US.
Baskerville, R., Spagnoletti, P. & Kim, J. 2014, "Incident-centered information security: Managing a strategic balance between prevention and response", Information & Management, vol. 51, no. 1, pp. 138-151.
Basu, C. 2010, "Expert Opinion: Interview with: Peter Ells Director of Strategic Alliances, SoftwareONE", Journal of Information Privacy & Security, vol. 6, no. 1, pp. 72.
Basu, C. 2011, "Interview with: Ntoh O. Etta Director of Strategic Projects & Corporate Security at NetworkSolutions LLC", Journal of Information Privacy and Security, vol. 7, no. 3, pp. 64.
Borum, R., Felker, J., Kern, S., Dennesen, K. & Feyes, T. 2015, "Strategic cyber intelligence", Information & Computer Security, vol. 23, no. 3, pp. 317-332.
Brown, C.W. 2014, Introduction to information security: a strategic- based approach, American Library Association dba CHOICE, Middletown.
Hedström, K., Kolkowska, E., Karlsson, F., Allen, J.P., Handelshögskolan vid Örebro universitet & Örebro universitet 2011, "Value conflicts for information security management",The Journal of Strategic Information Systems, vol. 20, no. 4, pp. 373-384.
Kelly, L. 2010, "Where security feeds value (how information security can improve profitability)", Strategic Direction, vol. 26, no. 11.
Murphy, R. & Beach, S. 2010, "Using Strategic Planning in Support of Defense Acquisitions", Information & Security: An International Journal, vol. 25, pp. 57-77.
Nandkumar, A. 2012, "Cash-out or flameout! Opportunity cost and entrepreneurial strategy: theory, and evidence from the information security industry", Strategic Direction, vol. 28, no. 4.
Seyed Amin Hosseini Seno & Bidmeshk, O.G. 2016, "Proposing and Testing the Model of Aligning the Marketing Information Security Policy with Strategic Information Systems Plan (Case Study: Ferdowsi University of Mashhad)", New Marketing Research Journal, vol. 5, no. 4, pp. 73-98.
Tabansky, L. & Ben-Israel, I. 2011, "An Interdisciplinary Look at Security Challenges in the Information Age", Military and Strategic Affairs, vol. 3, no. 3, pp. 21-37.
Vaishya, R. & Tripathi, S.P. 2011, "Strategic Approach for Automatic Text Summarization",International Journal of Computer Science and Information Security, vol. 9, no. 5, pp. 54-62.
Wang, X. & Zhuang, J. 2011, "Balancing congestion and security in the presence of strategic applicants with private information", European Journal of Operational Research, vol. 212, no. 1, pp. 100-111.
Workman, M. 2012, "Validation of a biases model in strategic security decision making",Information Management & Computer Security, vol. 20, no. 2, pp. 52-70.