Wednesday, June 5, 2019

The Need Of Sound Information System Information Technology Essay

A Small to Medium Enterprise (SME) is an organization or business that has a certain number of employees or a certain revenue; each country has a different definition and criteria for an SME. In Singapore, an SME needs to have at least 30 per cent local equity, fixed productive assets of not more than S$15 million, and not more than 200 employees. In Australia, SMEs are categorised differently: very small with only 1 to 9 employees, small with 10 to 49 employees, medium with 50 to 149 employees and large with 150+ employees.

Information in an SME is a really important asset; the loss of or damage to any piece of information will damage the company really badly. Loss of competitive advantage and of customer loyalty are consequences that may happen, and an SME could be out of business if a calamity like that happened. Even though information security can be applied to all kinds of business, there are differences between SMEs and large companies when applying security. SMEs and large companies face different kinds of challenges when applying security. SMEs do not have big budgets like large companies, and have fewer qualified security personnel and resources. Challenges for large enterprises are often because of their large size. They find it hard to track their users because they have a large number of users, and sometimes they have a lot of branches in different locations to control. SMEs also have an advantage compared to large companies: an SME, which has a smaller number of employees than a large company, faces a lesser threat from insider attacks.

One of the solutions for SME security is outsourcing the security, but the problem occurs because of the price offered; most SMEs cannot afford the prices, so it comes back again to the budget the SME has.
There is another solution offered to SMEs for security: some Internet Service Providers (ISPs) are increasingly partnering with security vendors to offer SMEs standard security products.

The need of a sound information system

Information security management is management that handles threats and risks to the organization's information; it is applicable to all types of organization, from large to small. Information security management includes personnel security, technical security, physical security, access control, business continuity management and many other things. The standard for the requirements of information security management is ISO 27001; it is one of the ISO 27000 family. With this, it can help to make the information more protected, and clients will also feel secure. ISO 27001 helps to protect all kinds of information: information in soft copy or hard copy and even in communication. There are 3 important characteristics in information security: Confidentiality, Integrity and Availability (CIA). Confidentiality ensures that only authorized users may access the information, so different levels of information can only be accessed by certain users. Integrity is a state where the information is complete and uncorrupted. Availability ensures that the information is available whenever the authorized user accesses it.

Information security management is needed because information is now the most vital asset for almost all organizations. There are a lot of consequences when information is destroyed, stolen or corrupted, and the consequences may be very dangerous or even make the organization fall down.
Personal information is also vital to the people themselves and also to the company. If the company does not handle the information carefully, it will be dangerous to the company, because personal information can also be customer information, and when it is not secured the customers can lose their trust in the company and the company's reputation will be affected as well. This also applies to the company's staff. There is a case study where some companies in London experienced loss of electricity because there was a problem at the London power company. Because of the loss of electricity, some of the companies had their data corrupted and their systems crashed; these events made the companies lose their clients and their corrupted data, re-input the data, which cost them more, and close the business.

These are some of the topics that relate to information security management:

Biometric security devices and their use

Biometric authentication is a tool to protect information from intruders by using a part of the body to authenticate the authorized user instead of typing a password. The advantages are that it cannot be borrowed or made, and it is more secure than inputting a password. Biometrics using unique physical characteristics include fingerprints, palm, retina, iris and face. The behavioural characteristics include signature, voice, keystroke pattern and human motion.

This is a list of biometrics and their uses. Fingerprint recognition is a biometric that identifies a person by scanning fingerprints and looking for the pattern found on a fingertip. There are different kinds of fingerprint verification; some of them use pattern-matching devices that compare the scanned fingerprints with a database, and some use moiré fringe patterns or ultrasonics. Palm recognition scans and measures the shape of the hand and looks for the pattern on the palm.
Some organizations use this for time and attendance recording. Retina recognition analyses the layer of blood vessels located at the back of the eye. This biometric uses a low-intensity light source through an optical coupler to look for the patterns of the retina, so the user needs to focus on a given point. Iris recognition analyses the coloured ring of tissue surrounding the pupil by using a conventional camera element, and the user does not need to be close to the scanner. Face recognition analyses the facial characteristics and requires a digital camera to scan. Some organizations, like casinos, scan for scam artists for quick detection.

Some companies and even governments are also using biometric security. Fujitsu Ltd. is now making its company desktop computers use palm recognition; it is not using fingerprints because it states that palm recognition is more secure than fingerprints. They use infrared to scan the user's palm: they look for the pattern of the veins in the palm, and because they use infrared, they can see them. This technology is already in use in more than 18000 bank ATMs in Japan. Germany stores digital fingerprints and digital photos in the passport to fight organized crime and international terrorism.

Biometrics may be more secure, but research says biometrics like fingerprint recognition can be accessed by unauthorized users as well. There is a mathematician named Tsutomu Matsumoto; he used $10 worth of gelatin and a plastic mould to reproduce a portion of a finger, and in four of five attempts he could gain access to 11 different fingerprint recognition systems.

Incident response management and disaster recovery

Incident response is an organized plan or set of procedures to handle and counter threats like a security breach or attack. An incident response plan includes a policy that discusses how to respond to certain threats, and reduces recovery cost and time.
Some of the incident response goals are to reduce the impact, prevent future incidents, verify that an incident occurred, maintain business continuity, and improve security and incident response.

There is an incident response team in the organization that handles the incident response plan. The incident response team also needs other parties in the organization to help them, such as business managers, IT staff, the legal department, human resources, public relations, security groups, and audit and risk management specialists. Business managers make agreements with the team about their authority over business systems and about decisions on whether critical business systems must be shut down. IT staff help the team to access the network for analysis purposes and improve the security infrastructure if recommended by the team. Legal staff need to review non-disclosure agreements and determine site liability for computer security incidents. Human resources help to hire the team's staff and develop policies and procedures for removing internal employees. Public relations help to handle the media and develop information-disclosure policies. Security groups help the team to solve issues involving computers. Audit and risk management help to analyse threats.

There are several steps to respond to an incident. First, the organization needs to prepare the staff by having them do some training; they need to be trained to respond to an incident quickly and correctly, and the staff also need to be educated to update the security regularly. The response team has to identify whether it is a security incident or not, and the team can also find some information about the current threats. The response team needs to identify how far the problem has affected the systems and decide quickly to shut down the affected systems to prevent further damage. Then they need to find the source of the incident and remove the source.
After that they need to restore the data from clean backup files, monitor them and upgrade the systems to prevent the same incidents in the future.

Mobile device security management

The mobile devices the staff use also need some kind of security, because they can contain pieces of information about the company; it can be customer or staff information, but it can also be soft copies of reports or documents. Some IT staff need to use mobile devices like PDAs or smartphones to work with business data. Mobile devices may look secure, free of viruses and malware, but they are not.

There are several threats to mobile devices. An intruder can break into a mobile device and expose the information on it through the wireless network by using a wireless sniffer. Mobile devices can also be stolen or lost, and if the devices are not secured with a password, information can be dug out of them easily. Fewer than 500 mobile operating system viruses, worms and Trojans can be found. Mobile viruses can be a major threat; some of the viruses can clear the data, corrupt the data and cause several other problems. Viruses can get into the devices when an application is downloaded to the device. There is one virus called the 911 Virus; this virus caused 13 million I-mode users' phones to automatically call Japan's emergency phone number. E-mail viruses affect the devices the same way e-mail viruses affect regular PCs: they make the devices send multiple emails.

There are ways to prevent the threats from happening. The easiest way is to put a password on the mobile device; the password can only be attempted a few times, and if those attempts fail the device will be automatically locked down. Using encryption techniques can help to protect against intruders when exchanging data over a wireless network. Back up the data regularly to a PC in case anything happens to the data. Installing antivirus and putting a firewall on the devices can help to prevent viruses.
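As an added example, not part of the original essay, this Python module models the mobile device protection this section describes: a passcode that may only be attempted a few times before the device locks itself down, and an administrator action that wipes the data on a device reported missing or stolen. The attempt limit of 5, the administrator token and the sample documents are assumptions made for the example.

```python
"""Mobile device unlock policy: limited passcode attempts, automatic lockout
and administrator remote wipe (added example, not the essay's own code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5  # assumption: the essay only says "a few" attempts


@dataclass
class Device:
    salt: bytes
    passcode_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    data: dict = field(default_factory=dict)  # stands in for company documents


def _hash_passcode(passcode: str, salt: bytes) -> bytes:
    # Store a slow salted hash, never the passcode itself.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def enroll(passcode: str, data: dict) -> Device:
    """Set up a device with a passcode and the data it carries."""
    salt = os.urandom(16)
    return Device(salt=salt, passcode_hash=_hash_passcode(passcode, salt), data=dict(data))


def try_unlock(dev: Device, passcode: str) -> bool:
    """One unlock attempt. A locked device rejects every attempt, including
    the correct passcode, until an administrator intervenes."""
    if dev.locked:
        return False
    candidate = _hash_passcode(passcode, dev.salt)
    if hmac.compare_digest(candidate, dev.passcode_hash):
        dev.failed_attempts = 0  # a success resets the counter
        return True
    dev.failed_attempts += 1
    if dev.failed_attempts >= MAX_ATTEMPTS:
        dev.locked = True  # automatic lockdown after too many failures
    return False


def admin_wipe(dev: Device, presented_token: bytes, expected_token: bytes) -> bool:
    """Administrator remote wipe for a missing or stolen device. The token is
    an assumed stand-in for whatever the management system authenticates with."""
    if not hmac.compare_digest(presented_token, expected_token):
        return False
    dev.data.clear()
    dev.locked = True
    return True


def demo() -> dict:
    """Walk through the scenario: wrong guesses, lockdown, then a wipe."""
    dev = enroll("2580", {"report.doc": "constructed sample content"})
    for _ in range(MAX_ATTEMPTS):
        try_unlock(dev, "0000")
    locked_out = not try_unlock(dev, "2580")  # correct code, but device is locked
    wiped = admin_wipe(dev, b"admin-token", b"admin-token")
    return {"locked": dev.locked, "locked_out": locked_out, "wiped": wiped, "remaining": len(dev.data)}


if __name__ == "__main__":
    print(demo())
```

Note that lockout only limits guessing through the unlock screen; it does not protect data read directly from the device's storage, which is why the essay also recommends encryption.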
Administrators can take control of the mobile device and also wipe the data on missing or stolen devices.

Linking business objectives with security

Linking business objectives with information security can be an expensive and risky process. It can create frustration on both sides. There are several actions that can be used to improve both sides. Reflect the business objectives in information security: reflect them in the information security policy, objectives and activities. Information security has to be consistent with the organizational culture; changing the culture of the business to suit information security is often not possible. Protect the information in business processes by establishing a security program. Follow the information security standards; following them will make the staff, customers and clients feel that their data is safe. Increase the understanding of the need for security; the security manager should explain its benefits using business terms, so that everyone can understand more. Obtain support from management and ensure that risk management is part of every staff member's job description. The last thing is to use the resources wisely: spend more resources when the problems really occur. With this plan, both business and security can improve and be successful.

Ethical issues in information security management

IT security personnel are given the authority to access data or information about individuals and the company's networks and systems. With this authority, they might use it in a wrong way, which mostly means intruding on someone's privacy: for example, scanning employees' email just for fun or even diverting the messages, reading others' email and, even worse, blackmailing the employee.
The IT personnel can monitor the websites visited by network users; they can even place key loggers on machines to capture everything that is displayed.

There are ethical issues called real-world ethical dilemmas: this is where the IT security personnel happen to see company secrets and may print the documents, which can be used to blackmail the company or even to trade the information to another company. They may also come across a document which shows that the company does some illegal things. With this crucial information, the company is in danger, and not only the company but also the security personnel themselves.

There are ways to protect against people on the internet who want to intrude on users' privacy. One of the articles says that when the author accessed a website, he saw an advertisement on the website, and the ad talked about an event that takes place in the author's area; so he tried to change the location of the computer, and when he clicked the ad again it showed a different area, the area where his computer was now set up. This kind of ad uses the user's IP address to track the user, so he worked out that by hiding or masking the IP address using some software, the user can protect their privacy effectively.

One article talked about how IT security personnel should deal with sensitive information in the right way. The first thing to do is to check whether they have signed a non-disclosure agreement that requires them to protect information that they overheard; if so, then protect it. The second thing to do is to ask themselves whether it is reasonable for the host company to expect them to hold such an overheard conversation in confidence. If so, they should not spread the overheard information to anyone.

Security training and education

With many organizations using the internet, many users, including unauthorized ones, can access and dig out information.
They need to train or educate their staff to protect the organization's information by creating a system to secure the information from unauthorized users. Certified Information Systems Security Professional (CISSP) educates the staff about how information security works, how to secure information, and how to keep the information safe and secured.

Network security requires the staff to respond quickly to defend against attacks and to have countermeasures, followed by investigating the weaknesses of the systems. It is not easy to protect network security, which is why they need to be trained. CISSP education consists of learning about database security, how intruders break into systems, and the right countermeasures for certain attacks.

There is a survey regarding intrusions into US companies: unauthorized intrusions into their networks increased 67% this year from 41% last year. The causes of intrusions are mainly hacker attacks, lack of adequate security policies, employee web usage, viruses, employee carelessness, disgruntled employees, weak password policies, lack of software updates and software security flaws. IT managers also took part in the survey about which will be the biggest intrusion risk in the future, and they identified that viruses, spyware, Trojans, worms and spam are the biggest risk, followed by hacking, users uneducated about security, sabotage, and loss of information.

A group called QinetiQ North America's Mission Solutions Group provides security education and training to users, but before they train their users, they need to identify the individuals' required training objectives, plan, develop and validate the training materials, then conduct effective training for the personnel and at the end evaluate the course's effectiveness.

Defending against Internet-based attacks

Internet-based attacks can be very dangerous to a company; research said companies are losing an average of $2 million in revenue from internet-based attacks which disrupt the business.
The average of 162 companies said that they suffered one crucial incident a year from worms, viruses, spyware or other security-related causes, and for each attack the systems were down an average of 22 hours. The threats will grow as the companies increase their use of the internet.

Defending against internet-based attacks can be done by using intrusion prevention and detection; they can detect the attack and the company can quickly defend against it. An IDS looks for the characteristics of known attacks. An IPS can recognize the content of network traffic and block malicious connections. Wireless intrusion prevention monitors the wireless networks, detects unauthorized access points and provides reporting and analysis. There are also basic things like firewalls and antivirus that can be used to defend, and there are many other things that can be used to defend against these kinds of attacks.

Industrial espionage and business intelligence gathering

Governance issues in information security management

Security governance is a system that directs and controls information security. Governance itself means setting the objectives of the business and ensuring that the objectives are achieved.

There are several examples of governance issues. The CEO of HealthSouth Corporation faced more than 85 counts that include fraud and signing off on false corporate statements that overstated earnings by at least US $1.4 billion. The senior vice president and CIO of the company, with 15 others, pleaded guilty.
Another incident happened at an Ohio-based company that handled payroll and other human resources functions on a contract basis; it went bankrupt and left its 3000 staff without paychecks, and reportedly the company's client list has been sold.

Personnel issues in information security

Personnel security focuses on the employees, involving policies and procedures about the risks of employees accessing company information and preventing them from taking it. Threats to organizations come not only from the outside but also from the inside, which can cause severe damage and costs.

There are ways to prevent this from happening. Pre-employment checks are where the company checks whether the candidates have the qualifications for employment; this way they will know whether the candidates have revealed important information about themselves. National Security Vetting determines whether the candidate is suitable to be given access to sensitive information which could be valuable to a competing company. This process is usually included in the pre-employment checks.

There are also responsibilities for each of the roles involved in personnel security. The Director has to publish and maintain policy guidelines for personnel security, decide the security access requirements and ensure that all the employees have had their backgrounds checked and are trained. The Information Security Officer prepares the personnel security policy, monitors the policy, and ensures that all the staff are trained in computer security responsibilities. The Supervisor needs to speak with the user about the security requirements, monitor the policy, ensure that all the staff are trained in computer security responsibilities, inform the ISO when a staff member's access needs to be removed, and track the staff's accounts when they create or delete an account.
The System Security Officer monitors compliance with the security policy, has the authority to delete system passwords if the employee no longer needs access, and tracks users and their authorizations. Users need to understand their responsibilities, use the information only for certain purposes, and respond quickly by informing the supervisor if an intruder accesses the data and abuses the information.

Privacy issues in the company are also personnel issues. The organization is also responsible for the privacy of the staff, because all the staff records are kept in the organization. Personnel records cannot be seen by other staff or outsiders without the holder's permission. Social Security Numbers are not allowed to be used as private passwords such as email passwords. Eavesdropping needs to be limited; eavesdropping on phone conversations and voicemail is not allowed. Monitoring is allowed as long as the purpose is to keep the employees working, and employees need to be informed early that they will be monitored. Medical records and background information are confidential; no one can access them without permission except the holders themselves.

Physical security issues in information security

Physical security is security that focuses on protecting information, personnel, hardware and programs from physical threats. Threats that can cause a lot of damage to the enterprise or building are also things that need to be considered in physical security, for example natural disasters, vandalism and terrorism. Physical security can be breached by a non-technical intruder.

There are a lot of ways to protect against physical threats. Security can be hardened by putting difficult obstacles in the intruder's way, including multiple locks, fencing, walls and fireproof safes, and by installing surveillance such as heat sensors, smoke detectors, intrusion detectors, alarms and cameras. There are key areas that need to be focused on.
In facility security, they are entry points, the data centre, user environments, access control and monitoring devices, guard personnel and also the wiring closet. For company staff and visitors, the focus needs to be on control and accountability, use of equipment, awareness, and security procedure compliance. Workstations, servers, backup media and mobile devices need to be protected. Control, storage and disposal of information also need to be focused on.

Physical security is also an issue in the hospitality industries. Examples of hospitality industries are resorts, hotels, clubs, hospitals and many others. Physical threats that occur in these industries are mainly theft, followed by assault, burglary, auto theft, robbery and sexual assault. If these industries experience these kinds of threats, it can contribute to poor public relations.

Companies like IBM also offer physical and IT security. IBM Internet Security Systems (ISS) products secure IT infrastructure with threat and vulnerability management, enabling business continuity and cost-effective processes. IBM integrates video surveillance and analytic technologies; the products can help reduce the time and cost to collect and store video and also enable analysis of surveillance data. IBM also provides products for intrusion prevention, mail security protection of messaging infrastructure, and security intelligence, which provides information about the threats that can affect the network.

Cyber forensic incident response

One of the primary objectives of an incident response plan is to contain the damage, investigate what happened, and prevent it from happening again in the future. It is much the same as computer forensics, because both need to reduce the damage and investigate its cause. Understanding how data is accessed and stored can be the key to finding evidence that someone has tried to hide, erase or destroy.
The investigators need to take care of their evidence and make sure that it is not lost, destroyed or changed.
