
Wednesday, January 16, 2019

The Need for Information Security Management to Medium Size

The Need for Information Security Management for Small to Medium Size Enterprises
ICT 357 Information Security Management
Leong Yuan Zhang 31741147
Trimester 1, Murdoch University

Contents
Abstract
Introduction
Justifying The Need for Sound Information Security in Any Organisation
Linking Business Objectives with Security
Incident Response Management and Disaster Recovery
Mobile Device Security Management
Biometric Security Devices and Their Use
Ethical Issues in Information Security Management
Security Training and Education
Defending Against Internet-Based Attacks
Industrial Espionage and Business Intelligence Gathering
Personnel Issues in Information Security
Physical Security Issues in Information Security
Cyber Forensic Incident Response
Conclusion
References

Abstract

Small to Medium Size Enterprises (SMEs) contribute greatly to the economy in many countries despite the many challenges that they face. Lesser budgeting, resource planning and time management are just some of the limitations that they might encounter. Compared to a larger enterprise or government body, SMEs seem to have different approaches with regards to information security, sometimes understating its importance due to the constraints mentioned. This paper aims to study the issues relating to the introduction and implementation of information security regimes in SMEs compared to larger organisations.

Introduction

Small and medium enterprises are defined by the number of personnel working for the company, from an upper limit of 250 to a lower limit of 50. They usually lack the resources, competencies and management to implement strategies externally and internally for their operations. This paper will focus on the implementation of information security regimes in SMEs and provide a comparison to large enterprises. The paper explores the multiple categories of information security, attempting to list the disadvantages faced by SMEs and how, sometimes, large enterprises are unable to match an SME in the capability to respond to security threats.

Justifying The Need for Sound Information Security in Any Organisation

The internet age brought new challenges to the business world; both SMEs and large organisations are continuously investing substantial resources to secure their presence on the internet. With increasingly virtualized business networks and expanding corporate ecosystems, more information has been created or converted into digital format. Digitalized information can be saved on different storage devices and transmitted over a plethora of interconnected networks, both internally and externally (Radding, 2012). Understandably, crime and security threats to information are becoming more common as the reliance on the Internet in business activities increases. Threats such as hackers, business competitors or even foreign governments can employ a host of different methods to obtain information from any organisation (Symantec). Yet no effective business would totally cut itself off from using digitalized information to avoid such risks: the competitiveness or success of these organisations is linked to correct information delivered on time. At its worst, incorrect information may result in serious loss of potential earnings and damage to the organisation's brand (Juhani Anttila, 2005). A significant element of information security is the cost and personnel expertise needed for the design, development and implementation of an effective security system. There is a need for major investment to build and maintain a reliable, trustworthy and responsive security system (Anderson, 2001).
Since most SMEs tend to operate under tight budgeting, with limited manpower and many different needs competing for a limited supply of resources, information security is placed low on the priority list (Tawileh, Hilton, Stephen, 2007). Additionally, with the lack of awareness of the negative consequences of information security issues and threats, and the perception of less strict regulatory compliance requirements, the information and communications infrastructure within these SMEs remains highly unsecured. Despite that, most organisations do at least have some form of basic security in the form of anti-virus software. Other types of security software, like firewalls or authentication software/hardware, are considerably less popular, perhaps due to the additional complexity of having to install and configure them for the organisation's usage (ABS, 2003).

Linking Business Objectives with Security

Security can impact a company's profitability in both positive and negative ways. It fully depends on how it is being controlled: too little will not be enough, while too much may cause bottlenecks within the company's internal processes. One example would be background checks on potential new employees. At times, the duration of the check may take longer than the period of employment, especially when hiring temp staff to cover the short term. In their book, Christian Byrnes and Paul E. Proctor argue that covering the last 20% of risk that might occur would inversely require 80% more money to implement, which can be seen in Figure 1.

Figure 1

It is common practice in large organisations to organise computer security around technologies, with a dedicated department running the show alongside the IT department. However, computer security should be more business oriented, as it is easier to achieve the security targets if sound business practices are being followed. For SMEs, it is similarly far easier to utilise existing employees who are assigned specific business roles to take up security positions. In the same book, Christian Byrnes and Paul E. Proctor also provide a table which lists the common security roles and the ideal personnel to handle them:

Table 1

Linking security with business visions is also important, as it would allow for better persuasion of top management to approve or push through security purchases, master plans or policy changes. To achieve this, the effort put forth must undergo a 5 step structured framework: assess, analyse, strategize, align and communicate. Assess the company's current and future security role so as to achieve a good understanding of the true security model. Details on the security capabilities within the employees, processes and current technologies should be documented properly for the next step to be carried out with more accuracy. After collecting the raw information, using analytical tools and methods to produce a security gap analysis will show the differences between the current security model and the anticipated requirements. With a clear overview of what needs to be done, the next phase of planning can put everything together to form a viable and strong strategy. Executives and managers at all levels must understand the new steps that are to be undertaken for the new strategy. Such communication may be more effective in SMEs than in larger organisations, as the members of the security planning may be key personnel that are required to participate rather than a separate IT security team (PricewaterhouseCooper).

Incident Response Management and Disaster Recovery

Incident response management is the process of managing and responding to security incidents. As organisations may encounter plenty of incidents throughout the day, it is important that incident responses are carefully managed to reduce wastage of manpower and resources.
The most appropriate level of response should be assigned to any security incident to maximize efficiency; there is no merit in involving senior management in a response to an incident that has minimal impact on business (BH Consulting, 2006). Disaster recovery is the process used to recover access to an organisation's software, data and hardware that are required to resume the performance of normal, critical business functions. Typically this will happen after either a natural disaster or a man-made disaster (Disaster Recovery). Incident response management used to be divided into different entities: natural disasters, security breaches and privacy breaches were handled by risk management, the information security department and the legal department respectively. This increased the cost of incident management and reduced the utilization of existing resources and capabilities. By merging the 3 into one overarching incident management methodology, specified with an incident response team and a charter, reduced cost and efficient usage of resources can be achieved (Miora, 2010). In larger organizations, the incident response team may contain both employees and third party observers from vendors. External vendors may provide the expertise to manage an incident that could be overwhelming to the current employees. This, however, may not be feasible for SMEs due to financial constraints. Most likely, the incident response management team would be formed using current employees, and a senior management person would lead the team. The response team would be the ones who do the scenario planning for each different type of incident and the type of response required, ensuring that clear processes and procedures are in place so that responses to incidents are coherent. Communication between members is typically standardized, be it for large organisations or SMEs: methods of contact such as emails and non-email methods like phone calls or messages are used to inform team members (BH Consulting, 2006). Disaster recovery is extremely important as well, more so for SMEs. A survey from the US Department of Labor provided an estimate that around 40% of businesses never reopen after a disaster, and of the remaining, around 25% will close down within 2 years (Zahorsky). Unfortunately, not many SMEs have a disaster recovery plan in place to protect themselves. This is due to the idea that disaster recovery is costly and requires a lot of resources and expertise to put in place. This is true to a certain extent, as large organisations normally spend considerable amounts to put in place backup servers and remote hot recovery sites. However, with increasing cloud-based technologies and the availability of server virtualization, disaster recovery can turn out to be affordable even for SMEs. Up and coming cloud solutions and contracting space in a secure data center via colocation are some of the solutions that SMEs can consider. Even with little or no IT staff, by paying the colocation supplier, they can get assistance in managing the setup and maintenance services (Blackwell, 2010).

Mobile Device Security Management

Increasingly sophisticated mobile devices, together with high bandwidth networks, are creating a tremendous security management challenge for CIOs and many other IT professionals.
Proprietary and confidential data can now be moved outside of the secure perimeter of the enterprise and onto mobile devices that can be brought anywhere in the world by employees. These devices have a variety of data communication and storage technologies, such as email/PIM synchronisation software, infrared data transmission, Bluetooth and removable data storage. As a result, it is easy for mobile devices to become strongholds of enterprise information (Good Technology, 2009). Of course, with that come additional threats to an organisation, as mobile devices are susceptible to attacks as well. In both SMEs and large organisations, there is a definite need to regulate the use of mobile devices to prevent information leakage. As they can be used in a variety of locations outside the organization's control, such as employees' homes, coffee shops, hotels, and conferences, this makes them much more likely to be lost or stolen than other devices, so their data is at increased risk of compromise (Souppaya & Scarfone, 2012). The most extreme application of mobile device management can be seen within government bodies, specifically in the defence sector, where secondary functions of such devices, such as cameras, are to be disabled. However, this method would not be easily applied to SMEs, as employees may find it to be too restrictive. Rather, having a clear policy on the usage of mobile devices and prohibiting employees from attaching their devices to the workstations would be a better option to enforce.

Biometric Security Devices and Their Use

Biometric devices identify an individual through physical or behavioral characteristics such as fingerprints, palm geometry or retina. They are exceedingly secure as these characteristics cannot be borrowed, stolen or forgotten (Liu & Silverman, 2001). The table below shows the various types of biometric devices and their advantages/disadvantages:

Table: biometric device types and their advantages/disadvantages (from the Dell report; not reproduced here)

The table, as seen in the report from Dell, explains clearly some of the limitations of biometric devices. Size, for example, must be taken into consideration as well: hand geometry scanning devices are bulky and therefore not suited for unlocking your workstation, as compared to using them to unlock a door. However, not many organisations are adopting biometrics as part of their security plan. Those that do use biometrics are largely geared towards the physical security of secure areas where access is to be restricted. Conventional authentication methods are still much preferred with regards to virtual access like emails, workstations and applications. The higher cost of using biometric devices as a security solution is also another concern for SMEs that wish to utilise them. They would need to evaluate the nature of their business, and how and where biometrics would fit in to maximize value for money. Ultimately, aligning the need for biometric security devices as a security solution to business objectives is a must, else cheaper alternatives would have to be examined and evaluated instead.

Ethical Issues in Information Security Management

Some professions, such as law and medicine, have in place a codified set of ethics that their practitioners are required to honor to protect the privacy of their clients. Violations are dealt with in the harshest possible terms, and even minor lapses can result in significant penalties. For IT, however, there is no such codification. Technology professionals generally abide by personal codes of conduct and are essentially self-policing. Additionally, technology raises complexities that go beyond typical questions of what's right or what's fair. Areas such as data access and capture, processing speed, tracking and monitoring, and job redesign are just a few examples of IT capabilities with ethical considerations (Relkin, 2006). Both SMEs and large organisations have to be able to cope with ethical issues such as the privacy of personal information, intellectual property and cyber crime. In an effort to shield company secrets, many employees can be subjected to electronic or other forms of surveillance. Email screening and monitoring of internet usage are just some of the methods that can be employed. There is a need to clearly define policies that involve such practices, and the boundaries must be drawn and communicated to all employees so as to safeguard the organisation from breaching privacy laws and from being sued by employees (Tiwary, 2011).

Security Training and Education

Security training and education is becoming increasingly important for employees due to the emergence of end-user computing as a critical component of information security. A typical end-user has access to the most vital information that an organisation has in its possession. They have knowledge of how the protection systems put in place to secure information work, and a small number of more cunning users may even know how to circumvent those systems. Most users, however, lack the knowledge that is required to help protect the organisation's information, and it is in this area that they should be better educated in order to make better decisions when facing threats and vulnerabilities that can be discovered during the course of work (Hight, 2005). A Security Education, Training and Awareness program, otherwise known as SETA, is designed to set the security tone for the employees of an organisation. Making it part of a new employee's orientation will ensure that all employees know and understand the reasons for the security policies that are in place at any organisation. Implementation of such a program can be done at any organisation, requiring only properly written security policies and outlined guidelines that have to be followed.
A good security program ensures that end user mistakes can be reduced and that employees understand the consequences of their actions when using their workstations or inserting unauthorised USB devices into them.

Defending Against Internet-Based Attacks

With increasing reliance upon the internet, internet based attacks have been slowly increasing. Organisations that have a presence on the internet or utilize web based technologies are more prone to such attacks. Internet worms, viruses, malware and distributed denial of service are just some of the types of threats that could occur. Organisations should look to prevent such incidents from occurring by securing applications that are made available over the internet and securing organisation infrastructure exposed over the internet (Klein, 1999). To carry out an attack, the attacker must first obtain sufficient control over a target system. They would most likely do some reconnaissance on the target, performing a number of scans to look for weaknesses. Areas like remotely accessible network services in default OS configurations, sendmail, sshd, RPC and Windows file sharing are some of the services exploited. Unsecured ports, memory handling, and targeting applications like web browsers and plug-ins are also some of the methods that attackers can use. Web browsers in particular are seeing a rising trend of being targeted, as browsers are extremely prone to having exploitable vulnerabilities. The internet distribution model also allows attackers to attack a user's web browser without even directly connecting to the client: planting malicious code at specific websites which the user normally visits will achieve the aim as well (Moshchuk, 2000). Prevention of such attacks is extremely important; firewalls and anti-virus are just the tip of the iceberg when it comes to methods that can protect an organisation's information. Many firewalls being sold today are considered application aware and can understand the protocols and commands that are being used. This allows them to determine whether or not incoming traffic to any applications or network services is malicious. A properly configured application aware firewall would be able to prevent common attacks through telnet, SSH, HTTP, FTP, SMTP, SIP and applications which can be vulnerable. Additionally, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can also be used against application or network based attacks. When paired together with an application aware firewall, some intrusion detection systems have the ability to thwart hostile attackers by talking directly to the firewall to block the source IP address. There are no right or wrong solutions to defending an organisation's network; it all boils down to which products would be suited to the organisation's needs. SMEs typically would use more off the shelf types of applications, and an intrusion detection and prevention system (IDP) would be a better fit for such applications. Off the shelf applications use a lot of common protocols such as FTP, HTTP etc. that should adhere to RFC standards, and an IDP is configured to automatically block malicious traffic or traffic that does not comply with RFC standards. Larger organisations, on the other hand, tend to have third party or home grown applications whose developers may or may not have complied with RFC standards, so IDP solutions may not have much of an effect for them.

Industrial Espionage and Business Intelligence Gathering

Every organisation in the world will have collected some form of information regarding their competitors, through market scanning, industrial profiling or even the direct hire of employees from their competitors.
Such intelligence gathering is definitely part and parcel of the activities used for market research and benchmarking. However, there are uncertain boundaries separating competitive intelligence gathering and industrial espionage. The laws in place at times are unable to set such limits, and it would seem reasonable to define industrial espionage as intelligence practices of questionable ethics instead (Crane, 2005). Be that as it may, industrial espionage is a very critical threat against SMEs. A successful SME breaking into saturated markets would have attained some form of breakthrough in order to stand out. Regardless of whether it is a formula or a business process, competitors would wish to obtain such knowledge in order to raise their own profiles. To safeguard their secrets, SMEs would have to ensure that the security systems in place are adequate and that their employees are educated on the topic. SMEs have to identify the information whose loss would critically harm the company and the value of such information to the company and its competitors. Access to such crown jewels must be controlled and employees must be educated through security awareness programs. Despite that, employees are still both the strongest and the weakest link. People tend to react better to carrots than sticks, and most of the time competitors would aim for that. Hiring professionals to perform social engineering, blackmail and the lure of monetary gain are hard to prevent (Podszywalow, 2011).

Personnel Issues in Information Security

Human related security issues are extremely problematic and complex in organizations. They involve all the individuals who make up the organization, from top-level managers to clerical staff. It is crucial that top management recognize that for security management to ultimately succeed, not only the technical dimension must be taken into account; the human aspect of security must not be ignored either. People issues within an organisation can have an impact on its ability to effectively manage security. Uncommitted and uninvolved senior managers, unqualified, untrained and careless employees, disgruntled employees and organizational members' resistance to change are just some of the potential issues pertaining to human resources that might occur. Hence, to achieve security effectiveness, these issues must be addressed as a whole (Goh, 2003). For SMEs, when hiring a new employee, the employment contract should expressly emphasise the employee's duty to keep certain types of information confidential both during and after the employee's tenure. The language and structure of the contract should be made clear so as to prevent any potential misunderstanding or any loopholes that can be exploited. The employee must sign the agreement before he or she begins to work. The contract can also be included in the employee's personal file to keep track. Even when exiting, care must be taken to ensure that documents, records and other information concerning the company's proprietary assets in the possession of the leaver are surrendered and returned to the company. Conducting an exit interview will help to refresh the terms of the employment agreement and trade secret law with the leaver. The employee should acknowledge in writing that he or she is aware of the obligations and will not disclose any trade secrets of the former employer.

Physical Security Issues in Information Security

Physical security breaches can sometimes be more devastating than technical breaches like worm attacks. The loss of data, and the loss of availability either from systems being shut down or from bomb or arson, must be considered when dealing with physical security. With the invention of easily concealable USB drives or bombs, coupled with unauthorized access, physical security is becoming more important.
Data transfer speeds have increased as well, allowing the transfer of a large amount of data in a relatively short period of time. As with any other security planning, physical security must be included to ensure that the above mentioned risks are reduced. Access to areas such as server rooms, routers, or where documents are kept and archived must be controlled; just locking the doors doesn't seem to be enough now. Access control cards and biometric systems can ensure that only authorised personnel are allowed in. Securing the personal computers of employees, especially if they are using laptops, is every bit as important. Laptop locks, and OS hardening so that unauthorized usage of USB devices is not allowed, are measures to consider (Giannoulis & Northcutt, 2007).

Cyber Forensic Incident Response

Computer forensics is the science of acquiring, retrieving, preserving, and presenting data that has been processed electronically and stored on computer media. When paired with incident response, the job becomes more challenging. The responders would have to find where a breach occurred, plug the hole, then proceed to get the affected server or servers back into service, and then, if possible, gather evidence on the intruder for further action and analysis (Daniel & Daniel, 2009). SMEs, unfortunately, with their limited resources may have to compromise. Instead of having a dedicated team to deal with incident response, they might consider getting current employees involved within IT, such as server, networking or on site support engineers, to carry out such a role. If they have extra budget, however, it would work to their benefit to send their response team for courses pertaining to cyber forensics. The additional knowledge will allow the response team to perform more effectively should a threat occur.

Conclusion

Small and medium enterprises typically face the same types of threats that will happen to larger organisations; however, their approach and response to the same threat may differ greatly due to the limited resources (human, technical, physical) available to them. SMEs will sometimes have to think out of the box and be very careful in planning resources for security within the company. The types of hardware and software used for security may be similar to those of larger organisations; however, the setup and configuration may be miles apart as well. SMEs will have to be extra vigilant against information security threats.

References

Symantec. (n.d.). Retrieved March 10, 2013, from Symantec: http://securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.security.policy.html
ABS. (2003). Business Use of Information Technology (2001-02). Canberra: Australian Bureau of Statistics.
Anderson, R. J. (2001). Why Information Security is Hard: An Economic Perspective. In Proceedings of the Seventeenth Computer Security Applications Conference (pp. 358-365). IEEE Computer Society Press.
BH Consulting. (2006). Incident Response White Paper. Dublin: BH Consulting.
Blackwell, G. (2010, May 25). Disaster Recovery For Small Business. Retrieved March 13, 2013, from Small Business Computing: http://www.smallbusinesscomputing.com/biztools/article.php/10730_3884076_2/Disaster-Recovery-For-Small-Business.htm
Crane, A. (2005). In the company of spies: When competitive intelligence gathering becomes industrial espionage. Nottingham: International Centre for Corporate Social Responsibility.
Crist, J. (2007). Web Based Attacks. SANS Institute.
Daniel, L. E., & Daniel, L. (2009, September 30). How Is Computer Forensics Different from Incident Response? Retrieved March 13, 2012, from ExForensic: http://webcache.googleusercontent.com/search?q=cache:http://exforensis.blogspot.com/2009/09/how-is-computer-forensics-different.html
Disaster Recovery. (n.d.). Disaster Recovery. Retrieved March 13, 2013, from Disaster Recovery: http://www.disasterrecovery.org/
Giannoulis, P., & Northcutt, S. (2007). Physical Security. Washington: Security Laboratory: IT Managers Safety Series.
Goh, R. (2003). Information Security: The Importance of the Human Element. Singapore: Preston University.
Good Technology. (2009). Mobile Device Security. Good Technology.
Hight, S. D. (2005). The importance of a security, education, training and awareness program.
Householder, A., Houle, K., & Dougherty, C. (2002). Computer attack trends challenge Internet security. IEEE Computer, 35(4), 5-7.
Juhani Anttila. (2005, March). Retrieved March 13, 2013, from QualityIntegration: http://www.qualityintegration.biz/InformationSecurityManagement.html
Kelly, L. (2011, November). The top five SME security challenges. Retrieved March 13, 2013, from ComputerWeekly.com: http://www.computerweekly.com/feature/The-top-five-SME-security-challenges
Klein, D. V. (1999). Defending against the wily surfer: Web based attacks and defense. California: The USENIX Association.
Liu, S., & Silverman, M. (2001). A Practical Guide to Biometric. IT Pro.
Miora, M. (2010). Business Continuity. Los Angeles, California, USA.
Moshchuk, A. N. (2000). Understanding and Defending Against Web-borne Security Threats. Washington: University of Washington.
Podszywalow, M. (2011, November 29). How to Detect and Stop Corporate Cyber Espionage. Retrieved March 13, 2013, from The Data Chain: http://www.thedatachain.com/articles/2011/11/how_to_detect_and_stop_corporate_cyber_espionage
PricewaterhouseCooper. (n.d.). How to align security with your strategic business objectives. PricewaterhouseCooper.
Proctor, P. E., & Byrnes, F. C. (2002). The Secured Enterprise: Protecting Your Information Assets. New Jersey: Prentice Hall.
Radding, A. (2012, January 04). Retrieved March 10, 2013, from Brainloop: http://www.brainloop.com/fileadmin/assets/PDFs/White_Papers/brainloop_white_paper_info_sec_options.pdf
Relkin, J. (2006). 10 ethical issues raised by IT capabilities. CNET Networks Inc.
Souppaya, M., & Scarfone, K. (2012). Guidelines for Managing and Securing Mobile Devices in the Enterprise. National Institute of Standards and Technology.
Tawileh, A., Hilton, J., & Stephen, M. (2007). Managing Information Security in Small and Medium Sized Enterprises: A Holistic Approach. Information Security Solutions Europe Conference (p. 11). Warsaw.
Tiwary, K. D. (2011). Security and ethical issues in IT: An organisation perspective. International Journal of Enterprise Computing and Business.
Zahorsky, D. (n.d.). About.com. Retrieved March 13, 2013, from Disaster Recovery Decision Making for Small Business: http://sbinformation.about.com/od/disastermanagement/a/disasterrecover.htm
