CIS8018 Strategic Information Security Assignment Solution
In this CIS8018 strategic information security assignment solution we discuss General Electric, an organization that works with a proper mechanism and plans in a systematic manner. The organization follows many strategies to reduce its risk exposure, as it works in a properly planned way. But no plans and strategies are perfect; every plan has some breach or other, and General Electric faced the same. To overcome those breaches, General Electric adopted risk control strategies and started various risk control practices. General Electric began using different approaches to control the risk of uncertainties, including various firewalls to maintain the confidentiality of its work, so as to succeed in the competitive market. General Electric also follows business ethics to maintain the goodwill of the organization and respects the legal environment, so as to reduce conflicts, attain success and maximize the revenue of the organization.
Every organization works with a single motive, and the ultimate target is to maximize profit. To attain that target, every organization has to make some changes, and those changes come from proper planning and effective strategies. The changes are made for the development of the organization, and the organization develops along with its employees: if the employees develop, they work with enthusiasm and in an effective manner, and if the employees work effectively, the organization grows, attains its ultimate targets and generates more revenue.
General Electric has developed its processes with proper staffing, placing the right person in the right job, but over the last few months it was facing several challenges with some employee policies and practices, and with the security of the work being processed in the organization. Through proper research the organization came to know that there were loopholes in the security system and breaches in the staffing policies. As the organization is in a highly competitive market, it became important to close all the loopholes and remove all the breaches by taking corrective measures as soon as possible, because an organization like General Electric cannot take the risk of leaving any loophole or breach, whether small or large: it could directly affect the goodwill of the organization and could result in a reduction of revenue.
With proper research and planning, General Electric was able to find the right mechanism to close all the loopholes and resolve all the breaches occurring in the organization. The process of planning and research cost General Electric a great deal, but it was beneficial for the organization in the long run, keeping it sustainable in a highly competitive market.
As General Electric was facing challenges in controlling risk factors and was having problems with the security system of the organization, it appointed strategy developers to build a proper framework of plans and strategies. The framework was meant to help the organization reduce breaches, work in an effective and efficient way, attain its ultimate target, and keep the organization on a secure path with proper security systems and firewalls, so that information stays secured and the confidentiality of the organization is maintained. (Bruhn & Buhalis, 2011)
The strategy developers identified four major risk control strategies suitable for the organization, so that it could work towards continuity, reduce the loopholes and breaches, maintain proper functioning, and keep the workflow moving in the direction of its ultimate target. The risk control strategies are discussed below for better understanding.
The risk control strategies are:
- Avoidance: Avoidance is a risk control strategy that helps safeguard organizational assets from their vulnerabilities. Assets are the main resource of every organization, and it is a prime motive of every organization to keep its assets safe so that the workflow stays smooth. Therefore, to keep those assets functioning properly, it is important for General Electric to use strategies like avoidance, because through avoidance it can remove the vulnerabilities in its assets. (Keon & Berry, 2009)
- Transference: As the word implies, transference is a risk control strategy through which the risk is shifted to another asset, process or organization. Transference can be accomplished by rethinking or re-engineering the services, by outsourcing, and by revising the development model. General Electric should have a transference strategy so that it can transfer its risk and keep the workflow smooth.
- Migration: Migration is a risk control strategy which also works to reduce the risk from vulnerabilities through planning and preparation. The plans required are a disaster recovery plan, an incident response plan and a business continuity plan. General Electric should have proper plans for disaster recovery, incident response and business continuity so as to sustain itself in the market.
- Acceptance: Acceptance is a risk control strategy in which the organization accepts all the vulnerabilities so that it can make proper assumptions for the near future. To have clear information about the vulnerabilities, the organization has to determine the level of risk, estimate the potential damage that has happened, take into account the feasibility of other controls, and decide whether a particular asset or data item justifies its cost or not. Therefore General Electric has to work out all these assumptions through acceptance and make proper plans for the near future. (Barkan & Linoff, 2013)
Techniques of Feasibility Analysis
Examine the Market
In this feasibility study technique, General Electric has to examine the whole competitive market so as to have proper information about the rivals that could hinder it in achieving its ultimate goals, and has to plan according to the market.
Review Technical Requirement
Having proper knowledge of the market does not mean there are no further challenges to face. An organization should also have proper information about its resources: whether the right resources are available, whether they need to be improved, and what the need for each resource is. General Electric has to review all its technical requirements and fulfil all the requirements for resources. (Collin & Bresman, 2015)
Explore the Business Model
For long-term viability an organization should explore its business model, meaning it should expand the business according to the scenario in the market, because without expansion an organization cannot sustain itself and it becomes hard to survive in a competitive market.
Look for an Escape Route
There should be a proper exit strategy for every organization, especially for the investors and other stakeholders who may want to move on. It is well known that no one wants to stay forever with one organization, and it is hard for stakeholders and investors to do so; therefore General Electric must have some escape plans ready for the future.
Risk Control Practices
In the risk identification process, the organization looks at the different risks it could face, whether from competitors, from the risk of losing confidential information, or from natural calamities. In this process the organization does not take any action; it simply gathers an idea of which risk factors could harm it in the near future. General Electric can obtain a proper blueprint of the risk factors through the risk identification process.
After identification, the next step is analyzing the risk. In risk analysis the organization has to make some decisions. As discussed above, there was no decision-making in risk identification, but in risk analysis General Electric has to make decisions about the risks that have been identified. (Al-Shaer & Butler, 2001)
Risk prioritization is a costly method, as in this process action has to be taken on the identified risks. It is hard to take action on every identified risk, because we do not know what the impact of a risk factor could be: the identification of risk depends fully on forecasting, and the organization does not even know whether its assumptions are correct.
For every single step it is important for an organization to plan before executing, so it is important for General Electric to plan what the impact of each particular risk factor could be and what steps have to be taken in that scenario, so that there is no hindrance in the workflow of the organization. (Bourner & Berry, 2009)
In the mitigation process the organization mitigates the risk factors by preparing strategies to reduce the probability or the loss impact of a risk. General Electric has to follow the risk mitigation process to eliminate risk items or resolve risk problems.
After all the steps have been followed, it is important for an organization to keep an eye on the previously identified risk factors; it should regularly monitor all aspects to keep the risk under control, so that there is no breach in the workflow of the organization. General Electric has to regularly monitor the progress of the product and the resolution of risk items by taking corrective actions.
There should be an ongoing communication system in the organization to keep everyone aware of what is going on, and if there are any issues among the employees they should be escalated to management so they can be resolved; there should be proper coordination between the employees and the management. (Aramberry & Bjork, 1999)
OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), as the name implies, is an approach for analyzing and removing the critical threats to the assets of the organization and for removing all the vulnerabilities that can harm it. OCTAVE is part of the risk control system and covers every aspect of risk, from examining it to removing it.
OCTAVE is a process which allows the organization to balance the protection of confidential information against the cost required to detect and protect that information from various vulnerabilities. OCTAVE is a very useful approach for General Electric, as it helps cut the cost of the risk analysis process, makes it simple to determine the risk factors and vulnerabilities facing the organization, and helps in removing those factors and vulnerabilities. (Law & Asseal, 2008)
Access Control Approaches
Role-based Access Control (RBAC)
Role-based access control is an approach which removes all previously granted access that is no longer needed by the organization. For example, if an employee leaves the organization, then through role-based access control that employee's access is removed, and the rights and permissions are granted to the new person so that he or she can work in the organization.
Mandatory Access Control (MAC)
Mandatory access control is a more effective approach than role-based access control, as MAC keeps an eye on each and every aspect of the access that is very important to the organization. It is a crucial matter for every organization that the right person has the right access, so that there is no confusion about who has access to what.
Rules based Access Control
Rules-based access control is totally different from the other approaches, as it is largely based on context. RAC helps in removing unwanted results and makes sure that access controls are very accurate, so that there is nothing unwanted in the organization that could create confusion. (Bound, 2010)
Authentication is the process through which it is checked whether the person using the systems of the organization is genuine or fake. In the authentication process a distinct ID and password are given to each individual, so that only that individual has access and no one else can use the system, and the data remains confidential.
Authorization is a totally different thing from authentication. Authentication checks whether the person using the system is a genuine user or not, whereas authorization is a process which works on the identity and allows the person to use different resources or systems.
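As an added example, not code from the original assignment or from any General Electric system, the following Python script models the three access-control approaches above and keeps authentication (is this the genuine user?) separate from authorization (what may this identity do?). The users, passwords, roles, labels, the assumed corporate network 10.0.0.0/16 and the business-hours rule are all constructed sample data.

```python
"""Added example (not part of the original assignment): authentication kept
separate from three authorization approaches, RBAC, MAC and rule-based.
All users, passwords, roles, labels and rules are constructed sample data."""
import hashlib
import hmac
import os

# --- Authentication: is this the genuine user? (salted password hashes, constructed) ---
SALT = os.urandom(16)  # one salt for the demo; real systems use one per user

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

CREDENTIALS = {"alice": hash_password("correct horse"),
               "bob": hash_password("battery staple")}

def authenticate(user: str, password: str) -> bool:
    stored = CREDENTIALS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password))  # constant-time compare

# --- RBAC: permissions belong to roles; a leaver loses the role, so every grant lapses ---
ROLE_PERMS = {"engineer": {"read:design", "write:design"}, "auditor": {"read:design"}}
USER_ROLES = {"alice": {"engineer"}, "bob": {"auditor"}}

def rbac_allows(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, set()))

def offboard(user: str) -> None:
    """Remove a leaving employee: credentials and roles go together."""
    USER_ROLES.pop(user, None)
    CREDENTIALS.pop(user, None)

# --- MAC: labels are assigned by the system, and no subject reads above its clearance ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
CLEARANCE = {"alice": "confidential", "bob": "internal"}
OBJECT_LABEL = {"design": "confidential", "memo": "internal"}

def mac_allows_read(user: str, obj: str) -> bool:
    return LEVELS[CLEARANCE.get(user, "public")] >= LEVELS[OBJECT_LABEL[obj]]

# --- Rule-based: the context of the request (network, time) decides, whoever the user is ---
def rule_allows(src_ip: str, hour: int) -> bool:
    on_corp_net = src_ip.startswith("10.0.")   # assumed corporate range 10.0.0.0/16
    business_hours = 8 <= hour < 18
    return on_corp_net and business_hours

def authorize(user, password, perm, obj, src_ip, hour) -> str:
    """Identity first, then each authorization layer; the first failing check wins."""
    if not authenticate(user, password):
        return "deny: authentication failed"
    if not rbac_allows(user, perm):
        return "deny: role lacks permission"
    if not mac_allows_read(user, obj):
        return "deny: clearance below object label"
    if not rule_allows(src_ip, hour):
        return "deny: context rule"
    return "allow"

if __name__ == "__main__":
    print(authorize("alice", "correct horse", "write:design", "design", "10.0.3.7", 10))
    print(authorize("bob", "battery staple", "read:design", "design", "10.0.3.7", 10))
    offboard("alice")
    print(authorize("alice", "correct horse", "write:design", "design", "10.0.3.7", 10))
```

The order of the checks is the point: a valid password alone proves identity and grants nothing, the role decides what the identity may do, the label check can still override the role, and the context rule applies regardless of who is asking. Offboarding removes the role and the credential together, which is what the paragraph on RBAC describes.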
Biometrics is an authentication technique which works on the biological characteristics of a person. It follows the same procedure as providing an ID and password to a genuine person, but in a different way: it grants access to the person on the basis of several biological characteristics, such as facial characteristics, fingerprints, hand geometry, retina, signature and voice. (Barkan & Linoff, 2013)
Types of Firewalls
A packet firewall is the process which filters the information in small groups. It provides a threat-proof wall for the system by dividing the information into smaller groups, so as to maintain the accuracy of no threat or less threat, and the system is not affected by the threat.
Proxy firewalls are firewalls which protect the system by examining the connections at the application level. They check the connection settings to see from which source the connection is coming and whether the connection the system is using is secure for the system or not.
A combined firewall is a broader protection system which protects the system in both ways, by filtering the information as well as by examining the connection. It is a very effective firewall system, as it can check for threats in both ways and protect the system from threats more accurately and at less cost. (Collin & Bresman, 2015)
In these firewalls the IP addresses are also checked, so as to make sure whether the path used to connect to the system is secure or not.
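As an added example, not code from the original assignment, here is a minimal stateless packet filter in Python of the kind described under packet firewalls and the IP-address check above: each packet is matched against an ordered rule table and anything unmatched is denied. The rule table, address ranges and ports are constructed; a proxy firewall, which inspects the application-level connection, is not modelled here.

```python
"""Added example (not from the original assignment): a minimal stateless
packet filter. Rules are evaluated top-down, first match wins, and a packet
that matches nothing is denied. All addresses, ports and rules are sample data."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Packet(NamedTuple):
    src: str               # source IP address
    dst: str               # destination IP address
    proto: str             # "tcp" | "udp" | "icmp"
    dport: Optional[int]   # destination port, None for icmp


class Rule(NamedTuple):
    action: str            # "allow" | "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp" | "udp" | "icmp" | "any"
    dport: Optional[int]   # None means any port


# Constructed policy: the internal LAN may reach the web server over HTTPS and
# the DNS server over UDP/53; one known-bad range is dropped explicitly;
# pings to the web server are allowed from anywhere; everything else is denied.
RULES: List[Rule] = [
    Rule("deny",  "203.0.113.0/24", "any",          "any",  None),
    Rule("allow", "10.0.0.0/8",     "10.1.1.10/32", "tcp",  443),
    Rule("allow", "10.0.0.0/8",     "10.1.1.53/32", "udp",  53),
    Rule("allow", "any",            "10.1.1.10/32", "icmp", None),
]


def addr_matches(cidr: str, addr: str) -> bool:
    """True when the address falls inside the rule's CIDR (or the rule says "any")."""
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule; default deny when none matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for p in [Packet("10.0.5.5", "10.1.1.10", "tcp", 443),    # LAN -> web server: allow
              Packet("10.0.5.5", "10.1.1.10", "tcp", 22),     # SSH not in the table: deny
              Packet("203.0.113.9", "10.1.1.10", "tcp", 443), # bad range hits the deny first
              Packet("8.8.8.8", "10.1.1.10", "icmp", None)]:  # ping from outside: allow
        print(p, "->", filter_packet(p))
```

Two design choices carry the security point. The explicit deny for the bad range sits first because rule order decides the outcome, and the function returns "deny" when nothing matches, so forgetting a rule closes a path rather than opening one.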
Intrusion Detection System
An intrusion detection system is the security process in which inbound and outbound activity is inspected to pick out suspicious patterns that may indicate a system attack by someone attempting to break in.
Intrusion Detection System can be categorized as
Misuse detection vs. anomaly detection
Misuse detection is a pre-configured setup in the system, put in place by the administrator to protect the system from the use of unprotected files, for example by scanning external drives.
Anomaly detection is the process which is based on network detection: it detects network activity which can cause a problem for the system. (Al-Shaer & Butler, 2001)
Passive system vs. Reactive system
A passive system is the kind of detection which shows the user a message about the threat of using a particular network or external drive with the system.
A reactive system is an intrusion detection system which removes the threat without showing any warning to the user and keeps the system protected from the threat.
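As an added example, not part of the original assignment, the Python script below runs both detection styles from the two comparisons above over constructed log lines: misuse detection matches a pre-configured signature, anomaly detection learns a baseline of login failures per source from a normal period and flags any source that deviates from it, and the response is handled either passively (alert only) or reactively (alert and block). The log format, addresses, signature and threshold are all constructed assumptions.

```python
"""Added example (not part of the original assignment): misuse (signature)
detection and anomaly (baseline deviation) detection over constructed log
lines, with passive or reactive handling of the alerts."""
import re
import statistics
from collections import Counter

# Constructed "normal" window used to learn a baseline. Format: "<src_ip> <user> <result> <path>"
BASELINE_LOG = """\
10.0.0.5 alice OK /reports
10.0.0.5 alice FAIL /login
10.0.0.7 bob OK /designs
10.0.0.8 carol OK /designs
10.0.0.8 carol FAIL /login
10.0.0.9 dave OK /reports
""".splitlines()

# Constructed window under inspection: one burst of failed logins, one traversal attempt.
SAMPLE_LOG = """\
10.0.0.5 alice OK /reports
10.0.0.7 bob OK /designs
10.0.0.8 carol FAIL /login
198.51.100.9 - FAIL /login
198.51.100.9 - FAIL /login
198.51.100.9 - FAIL /login
198.51.100.9 - FAIL /login
198.51.100.9 - FAIL /login
198.51.100.9 - FAIL /login
10.0.0.7 bob OK /../../etc/passwd
""".splitlines()


def parse(line: str):
    src, user, result, path = line.split(" ", 3)
    return src, user, result, path


# Misuse detection: patterns the administrator has pre-configured as known-bad.
SIGNATURES = {"path-traversal": re.compile(r"(^|/)\.\.(/|$)")}


def misuse_detect(lines):
    """Return (source, signature name) for every line that matches a signature."""
    hits = []
    for line in lines:
        src, _, _, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((src, name))
    return hits


def failures_per_source(lines) -> Counter:
    """Count FAIL results per source; sources with no failures are kept with a count of 0."""
    fails = Counter()
    for line in lines:
        src, _, result, _ = parse(line)
        fails[src] += int(result == "FAIL")
    return fails


# Anomaly detection: learn what "normal" looks like, then flag what deviates from it.
def learn_baseline(lines, k: float = 3.0) -> float:
    """Threshold = mean + k * spread of per-source failure counts in the normal window."""
    counts = list(failures_per_source(lines).values())
    mean = statistics.mean(counts)
    spread = max(statistics.pstdev(counts), 1.0)  # floor so a very quiet baseline is not over-sensitive
    return mean + k * spread


def anomaly_detect(lines, threshold: float):
    return [(src, "login-failure-anomaly")
            for src, n in failures_per_source(lines).items() if n > threshold]


def respond(alerts, mode: str = "passive"):
    """Passive IDS only reports; reactive IDS also blocks the offending sources."""
    messages = [f"ALERT {reason} from {src}" for src, reason in alerts]
    blocked = {src for src, _ in alerts} if mode == "reactive" else set()
    return messages, blocked


if __name__ == "__main__":
    threshold = learn_baseline(BASELINE_LOG)
    alerts = misuse_detect(SAMPLE_LOG) + anomaly_detect(SAMPLE_LOG, threshold)
    for mode in ("passive", "reactive"):
        messages, blocked = respond(alerts, mode)
        print(mode, messages, "blocked:", sorted(blocked))
```

The two detectors are complementary: the signature catches the traversal attempt on the first line it appears in but knows nothing about the login burst, while the baseline flags the burst without any signature for it. Carol's single failure stays below the learned threshold, which is what the baseline is for.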
Cryptography is also known as code breaking. There are several messages which are protected and cannot be read; therefore, to break that protection, several codes are used to transfer the message into a readable format. This process of transforming the message from an unreadable format into a readable format is known as cryptography.
Encryption is the process in which the information or message is transformed in such a way that the message can be decoded by the authenticated person only. (Law & Asseal, 2008)
Laws are government-issued regulatory systems which an organization has to follow, and an organization cannot void these rules and regulations under any circumstances.
Ethics are the responsibilities of the business towards society: the organization is made by society and for society, and therefore it has several responsibilities towards it.
Major U.S. Laws
- Computer Fraud and Abuse Act 1986
- National Information Infrastructure Protection Act 1996
- USA Patriot Act 2001
- Telecommunication Deregulation and Competition Act 1996
- Communication Decency Act
- Computer Security Act 1987
Ethical Concepts in Information Security
- An organization should not use computers to harm other people.
- There should be no hindrance to other people's computer work.
- Data privacy should be maintained. (Law & Asseal, 2008)
- The organization should not do any illegal work that provides false information to society.
- The organization should hold the copyrights for what it is using.
- The organization should not steal the information of others or information which is copyrighted.
Key US Federal Agencies
- The Federal Bureau of Investigation
- National Infrastructure Protection Center
- National Security Agency
- The US Secret Service
In conclusion, organizations like General Electric work in very risky conditions and operate on a large platform with many responsibilities, whether towards their employees, towards the government, or towards the society in which the organization is situated. To meet all these responsibilities, General Electric has to follow several ethics and laws, as it is important for every organization to follow all the ethics and laws made by the government. General Electric should follow the risk control strategies so as to reduce future risks and keep the organization functioning smoothly, and should have better plans and execute them to reduce the risk aspects. General Electric should use the OCTAVE approach so that it can reduce risk more effectively, with accuracy and in less time. General Electric should follow a proper staffing function for the security of the organization's information, and should have proper employment policies and follow proper employment practices.
- Al-Shaer, E., & Butler, R. (2001). Lead in learning. Chandler: Barbarian Books.
- Aramberry, J., & Bjork, R. (1999). Automated management analytics: design, configuration and optimization. Springer: Prentice Hall.
- Barkan, R., & Linoff, G. (2013). Non-sampling vs. sampling errors in survey research. Journal of Finance, 144-159.
- Bound, D. (2010). Internal and external approach of different learning attributes. Charlotte: Cerebro Press.
- Bourner, T., & Berry, M. (2009). Developing a framework for rewards in combined production/service businesses. Austin: eLectio Publishing.
- Bruhn, M., & Buhalis, D. (2011). Learning in self directed mode. Chicago: Printice Halls.
- Collin, R., & Bresman, H. (2015). Process development and ECM management. Journal of Marketing, 66-87.
- Keon, J., & Berry, M. (2009). Self assessment and learning. London: Aardwolf Publishing.
- Law, R., & Asseal, H. (2008). International Journal of Service Industry Management. Journal of Organisational Development, 197-212.