Define The Concept Of Information Security, Explain Its Importance To Businesses Today And Describe In Which Forms Threats May Appear In The Business Environment.
You Should Also Present Case Studies Of Businesses Which Use Procedures And Measures To Deal With Information Security.
Information security is the practice of protecting information by mitigating information risks; it is part of information risk management. It typically involves reducing or preventing the probability of inappropriate or unauthorised use, access, disruption, disclosure, destruction, deletion, modification, corruption, devaluation, recording or inspection, and it may also involve reducing the adverse impact of incidents. The information may take any form: electronic or physical, tangible or intangible. The main focus of information security is protecting the confidentiality, integrity and availability of data while maintaining effective policy implementation, without hampering the productivity of the organization (Von Solms and Van Niekerk 2013).
This is achieved largely through a structured risk management process: identifying information and related assets along with their potential threats, vulnerabilities and impacts; evaluating the risks; deciding how to treat or address them (avoiding, mitigating, sharing or accepting them); where risk mitigation is needed, selecting or designing appropriate security controls and implementing them; and monitoring activities and making adjustments to address any changes, issues and opportunities for improvement (Peltier 2013).
Information security is critical for every organization, both to protect its business data and to conduct its business. It can be defined as the protection of information and systems, including the hardware that stores, transmits and uses the information. Information security performs four essential functions for an organization: it protects the organization's ability to function, enables the safe operation of applications implemented on the organization's IT systems, protects the data the organization collects and uses, and safeguards the technology assets used within the organization (Crossler et al. 2013). However, there are risks and challenges involved in implementing information security within organizations.
Information is an essential asset for organizations and must be protected appropriately. Security combines systems, internal controls and operations to ensure the confidentiality and integrity of data and of operational procedures within the organization. Information security is used to protect data owned by an individual or an organization from threats and risks; its goal is to build protection against attackers who could cause damage. It protects information and its critical elements, including the systems and hardware that use, transmit and store the information, and it is a set of policies, management practices, technologies and standards applied to information to keep it secure. Information security also enables the safe operation of the applications implemented on the organization's IT systems; to protect its data, the organization installs suitable security software such as antivirus (Siponen, Mahmood and Pahnila 2014). It is therefore crucial within the organization both to protect the applications implemented there and to protect the data stored on its systems. Along with the data, installed applications must themselves be protected, since a compromised application can contribute to damage to information.
It protects the data the organization collects and uses. If data is left unprotected, anyone could access it; information that falls into the wrong hands can damage the business, destroy lives and be used to do harm. Information security programs ensure that the right information is protected, for both legal and business requirements, by taking the necessary steps to protect the organization's data. The steps taken to protect organizational information also maintain privacy and help prevent identity theft. Within the organization, information is an essential business asset and requires proper protection. This is especially important in the business environment, where information can be exposed to an increasing number and a broader variety of threats and vulnerabilities: causes of damage such as computer hacking, DoS attacks and malicious code have become more ambitious, more sophisticated and more common (Peltier 2016). Hence, by implementing information security, the organization can protect its technology assets.
With respect to protecting the organization's functionality, both senior and IT management are responsible for implementing information security that protects the organization's ability to function. Information is an essential element for organizations in doing business, and the information of the organization's customers is also held. Hence it is essential for them to protect information; without information, a business cannot be run (Singh 2013). Securing the information store enables the organization to run its business. Hence, it is crucial to have information security in organizations.
Implementing information security within the organization protects the information assets and technology it uses by detecting, preventing and responding to both external and internal threats. Both IT and senior management are responsible for the organization's information security strategy, though in smaller organizations the job may sit with the security, risk, compliance and data managers, the information security and IT managers, and the directors (Xu et al. 2014). To support the information security strategy, it is essential to improve staff awareness of information security issues through initiatives and training. Organizations should also enforce their information security policies and review them regularly to meet security requirements. Threats and vulnerabilities must be analysed and evaluated, which means establishing and implementing procedures and control measures to minimise the risks, and auditing to measure the performance of the controls.
Organizations have recognised the importance of having roadblocks that prevent private information from becoming public. When members of the information security community took part in the Cybersecurity Trends Report, they were asked how they felt about their security stance. Cybersecurity professionals were concerned about malware, malicious insiders and phishing attacks (D'Arcy, Herath and Shoss 2014). Organizations are making efforts to allocate more funds within their budgets for security. As cybersecurity threats increase, information security experts are pushing for more focus on protecting organizations from losing time to disruptions of their network defences. Security disruptions that interfere with the essential functioning of the organization are a threat that skilled information security professionals can fight by stopping infiltrations that initially went undetected.
Information security is not only about securing information from unauthorised access. It is the practice of preventing the unauthorised use, access, disruption, modification, recording, inspection, destruction or disclosure of information. The data may be electronic or physical. Information security spans several areas of research, such as cyber forensics, social media, mobile computing and cryptography (Andress 2014). Information security programs are created with three objectives, termed CIA: Confidentiality, Integrity and Availability.
Confidentiality means that information is not disclosed to unauthorised users, processes or entities. For instance, if someone logs in to a Gmail account and another person sees it, the password is compromised and confidentiality is breached.
Integrity means maintaining the accuracy and completeness of data: data cannot be edited or altered by an unauthorised process. For instance, if an employee leaves an organization, the employee's data in every department, such as accounts, must be updated to reflect the status LEFT, because the data must be complete; additionally, only an authorised user may be allowed to edit the employee's data (Safa, Von Solms and Furnell 2016).
Availability means that information is available whenever it is required. For instance, if someone needs to access a particular employee's information to check the employee's outstanding quantity of leave, this requires collaboration between several separate organizational teams such as development operations, policy change management, network operations and incident response. A DoS attack is one factor that can hamper the availability of information.
Apart From These, One More Principle Governs Information Security Programs: Non-Repudiation.
Non-repudiation means that one party cannot deny having received a transaction or message, nor can the other party deny having sent it. For instance, in cryptography it is enough to show that a message carries a digital signature made with the sender's private key: then the sender must have sent the message and no one could have changed it in transit (Chen, Ramamurthy and Wen 2015). Data integrity and data authenticity are prerequisites of non-repudiation.
Accountability means that it must be possible to trace the actions of an entity uniquely to that entity. For instance, not all employees should be given access to change other employees' data (Ahmad, Maynard and Park 2014). For this, a separate department within the organization is responsible for making such changes, and when it receives a change request, the request letter should be signed by a higher authority.
Authenticity means verifying that the identity of the users, and the input arriving at the destination, come from a trusted source. This principle ensures that a genuine and valid message is received from the trusted source through a valid transmission. For instance, the sender sends a message with a digital signature generated using the private key and the message's hash value (Kolkowska and Dhillon 2013). At the receiver's side, the digital signature is decrypted using the public key, which yields the hash value, and the message is hashed again to generate a second hash value for comparison.
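As an added example (not from this essay or any of the works cited), the signing and checking steps just described, written in Python with a constructed, deliberately tiny textbook RSA key pair: the sender signs the hash of the message with the private key, and the receiver recovers the hash with the public key and compares it with a fresh hash of the received message, which also shows why integrity and authenticity underpin non-repudiation. The primes, exponent, message and party names are assumptions for illustration.

```python
import hashlib

# Constructed toy key material (NOT secure: tiny moduli, unpadded "textbook" RSA).
# The primes are known Mersenne primes, so the RSA arithmetic below is exact.
P1, Q1 = 2**61 - 1, 2**31 - 1   # Alice's primes (assumed sender)
P2, Q2 = 2**89 - 1, 2**31 - 1   # Mallory's primes (a second, unrelated key)
E = 65537                       # public exponent, coprime to both phi values


def make_keypair(p, q):
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)         # private exponent: inverse of e modulo phi
    return (E, n), (d, n)


def message_digest(message: bytes, n: int) -> int:
    """SHA-256 of the message as an integer, reduced so it fits below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: hash the message, then 'encrypt' the hash with the private key."""
    d, n = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: 'decrypt' the signature with the public key to recover the hash,
    hash the received message again, and accept only if the two hashes match."""
    e, n = public_key
    recovered_hash = pow(signature, e, n)
    return recovered_hash == message_digest(message, n)


def demo():
    """Genuine message verifies; a tampered message (integrity) and a message
    signed with someone else's key (authenticity) are both rejected."""
    alice_pub, alice_priv = make_keypair(P1, Q1)
    _, mallory_priv = make_keypair(P2, Q2)
    order = b"Transfer 100 units to account 42"   # constructed sample message
    sig = sign(order, alice_priv)
    return {
        "genuine": verify(order, sig, alice_pub),
        "tampered": verify(b"Transfer 900 units to account 42", sig, alice_pub),
        "wrong_sender": verify(order, sign(order, mallory_priv), alice_pub),
    }
```

Real deployments use padded schemes such as RSA-PSS, or Ed25519, with full-size keys; the unpadded toy here only makes the hash-sign-recover-compare flow visible.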
Information security threats take several different forms. Some of the best-known are software attacks, identity theft, theft of intellectual property, sabotage, information extortion and theft of information or equipment. Most people have experienced software attacks: worms, Trojan horses, viruses and phishing attacks are well-known examples. Theft of intellectual property is an extensive issue for many businesses in the IT field. Identity theft is the attempt to act as someone else in order to obtain that person's personal information or to take advantage of their access to important information, often through social engineering (AlHogail 2015). Theft of information or equipment is becoming more prevalent as most devices are mobile, and thus prone to theft, and more desirable as their data capacity increases. Sabotage includes destroying the organization's website in an attempt to cause a loss of customer confidence. Information extortion involves stealing an organization's information or property in an attempt to receive payment in exchange for returning it to the owner, as with ransomware. There are several ways to help protect against such attacks, but one practical precaution is periodic user awareness training (Soomro, Shah and Ahmed 2016). The best-known threat for any company is its own internal employees or users, also known as insider threats.
Governments, corporations, the military, hospitals, non-profit organizations, private businesses and financial institutions amass a great deal of confidential information about their customers, products, employees, financial status and research. Should confidential data about a business's finances, customers or new product fall into the hands of competitors, the business and its customers could face many problems, from irreparable financial loss to damage to the organization's reputation. From a business perspective, information security must be balanced against cost (Yang, Shieh and Tzeng 2013); the Gordon-Loeb model provides a mathematical economic approach to addressing this issue. For individuals, information security has a significant effect on privacy, which is viewed quite differently in different cultures.
Possible responses to a security risk or threat are:
Mitigate or reduce: implement safeguards or countermeasures to eliminate the vulnerabilities or block the threats.
Transfer or assign: place the cost of the threat onto another organization or entity, for example by outsourcing or purchasing insurance.
Accept: accept the risk where an evaluation shows that the cost of the countermeasure outweighs the possible loss from the threat or risk.
Conclusion
Information security is used within organizations to maintain the confidentiality, integrity and availability (CIA) of information, making sure that information is not altered or modified when critical incidents occur. Such incidents include natural disasters, physical theft and manipulation of servers or computers. Specialists apply information security to technology, and IT security specialists are found in major organizations because of the nature and value of the data held by larger businesses. The field of information security has evolved in the last few years and offers several areas of specialization, including securing networks and allied infrastructure, securing applications and databases, digital forensics and security testing.
References
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.
AlHogail, A., 2015. Design and validation of information security culture framework. Computers in Human Behavior, 49, pp.567-575.
Andress, J., 2014. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.
Chen, Y.A.N., Ramamurthy, K.R.A.M. and Wen, K.W., 2015. Impacts of comprehensive information security programs on information security culture. Journal of Computer Information Systems, 55(3), pp.11-19.
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R., 2013. Future directions for behavioral information security research. Computers & Security, 32, pp.90-101.
D'Arcy, J., Herath, T. and Shoss, M.K., 2014. Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), pp.285-318.
Kolkowska, E. and Dhillon, G., 2013. Organizational power and information security rule compliance. Computers & Security, 33, pp.3-11.
Peltier, T.R., 2013. Information security fundamentals. CRC Press.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.
Singh, G., 2013. A study of encryption algorithms (RSA, DES, 3DES and AES) for information security. International Journal of Computer Applications, 67(19).
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), pp.217-224.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp.97-102.
Xu, L., Jiang, C., Wang, J., Yuan, J. and Ren, Y., 2014. Information security in big data: privacy and data mining. IEEE Access, 2, pp.1149-1176.
Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 232, pp.482-500.