Abstract
The term “be prepared” applies especially well to today’s business environment, where enterprises across all industries and locations are challenged by a volatile, increasingly unpredictable world. In addition to protecting their internal resources, organizations must consider the security and well-being of their employees, partners, suppliers and customers, as well as the reliability of the web of networks and systems on which most now depend.
Stop Managing Security. Start Managing Risk.
The way forward lies in a security risk management (SRM) approach that protects your company from the most severe threats to critical IT systems and operational processes. SRM helps your organization understand its assets and analyze
The lack of management support is one of the key causes of failure in IT project implementations (Johnson 1995). Similarly, without adequate management support, an IT security audit would not accomplish much. Part of a balanced SRM programme is a proper risk evaluation, or audit, and an IT security audit should be integrated into the corporate management function as an important priority. There are two management approaches to the IT security function in an organization. The first is the bottom-up approach, in which the IT security audit is driven from the grass-roots level: the systems administrators and technical officers decide how to improve the security systems. This is advantageous because they possess the technical expertise needed to execute these IT security functions. However, even with the best technical expertise, IT security within the organization would still be vulnerable because of a lack of participation and support from top management and from the users of these IT systems. The second is the top-down approach, in which the IT security audit is initiated by top management. Top management is responsible for setting the organization's goals and making sure that the IT security function is aligned with them. This includes creating a corporate culture that appreciates the importance of IT security. The support for IT security auditing in the organization is shown
As leading research and consulting firms recognize, in the hands of knowledgeable, skilled management, advanced state-of-the-art IT affords extraordinary opportunities for greater efficiency, cost reduction, higher productivity, customer satisfaction and profitability. Sophisticated IT applications realize their full potential only with highly specialized technical knowledge and management skills, which are readily available mainly in smaller firms focused primarily or exclusively on such applications. State-of-the-art IT security management (ITSM) processes such as threat management, auditing, encryption and customer education will be used to prevent misuse and/or abuse of Finman's IT resources or services.
The purpose of this qualitative study is to identify the IT leaders who have successfully implemented security policies and procedures. A quantitative methodology would not be appropriate, because the collected data will not take the form of numbers or statistical results, and statistical findings would not generalize to the real-world problem that needs to be resolved (Creswell, 2014). Quantitative methods are used mainly to establish the who, what, when and where; their results provide numerical descriptions, whereas here the researcher needs a more detailed narrative (Sutton & Austin, 2015).
Without an Internal Audit Group to oversee IT's activities and ensure that they remain compliant with the security management frameworks to which the organisation has committed, the exposure to risk could be excessive and a genuine threat to the successful operation of the organisation. The introduction of the Audit and Compliance Framework marks a noteworthy change in the Office's audit practices. Further, it concluded that the introduction of the graduated, risk-based approach has met international standards and represents best practice, resulting in an effective and efficient audit
Both Security Management and Prevention are categories that should be included in any review or audit of IT systems. Security Management reviews how security is managed from the top down: it establishes whether, and how, management supports the ISMS programme, since the overall management of the company and the way services are provided are essential. Prevention looks at the performance and maintenance of IT systems and at the reporting of these processes. It is extremely important to make both categories part of the ISMS process and of any review of it.
In shaping new security policies, it is essential to have a full understanding of all aspects of the internal network and of the services to be protected from both internal and external threats. An article by Solms & Solms (2004) outlines several criteria for developing information security. First, a governing body must be formed to ensure that all sensitive data is secured and to provide due
Ideally, however, a business monarchy would be established, clearly defined security policies would be put in place together with information security education, training and awareness for every employee in the organization, and some investment would be made in the IT infrastructure so that the server is accessible both at the organization itself and in the Finance Commission's offices. Lastly, another alternative would be to establish IT governance within the organization and invest in information security education, training and awareness for all employees involved with the organization, whether directly or indirectly.
The framework provides a roadmap for the implementation, evaluation and improvement of information security practices. An important feature of the information security governance framework is that it defines the roles of different members of an organization: it specifies what corporate executives, senior management and CIOs/CISOs should do. The framework is also flexible enough to apply to different business models. Its benefits are that it identifies cornerstone security practices that nearly all organizations follow and recommends where in an organization the responsibility for each should fall. One disadvantage of the BSA framework is that it is still a work in progress; it has yet to develop useful metrics that would let managers quantify the return on investment in information security and the effectiveness of information security programmes and measures (BSA).
Securing an IT environment properly can be broken down into three basic questions. The first is: which assets within the organization need protection? Once these assets have been identified, the second is: in what ways are they threatened? Finally: what needs to be done to counteract these threats (Stallings & Brown, 2012)? By answering these questions, it is
Previous studies have shown that the more an organization's top leadership engages in creating the information security environment, the more willing employees are to comply with its policies (Chen, Ramamurthy & Wen, 2012). This is because more commitment, monitoring and training are put in place with respect to information security policy and preparation. Therefore, the three hypotheses of this study each posit a positive relationship between, respectively, management engagement, regulation, and information security training, and employees' compliance with these policies.
IT policies are set with the purpose of keeping an organization's managers, suppliers and clients safe, as well as its infrastructure and information. Most organizations will operate a collection of policies within their security management.
During the data-gathering phase it is crucial to interview both technical and non-technical staff to determine whether the security policies are being followed. Any member of staff who has access to the organization's computers or systems should be interviewed as part of the security audit: system users, managers, and even cleaning staff should be considered. The interview needs to establish what access each person has to the systems and what their usage patterns are; in particular, it is important to understand whether they hold administrator or root access. The respondents should rate the controls used to secure the IT assets, including: management controls, authentication/access controls, physical security, outsider access to systems, system administration controls and procedures, connections to external networks, remote access, incident response, and contingency planning. Technical staff should be interviewed in much greater depth; here are some common questions asked during these interviews:
The security incident management policy of Blyth's Books is quite comprehensive with respect to the detection and reporting of information security events. Detection and reporting of a security incident is vital for an organisation's survival. If an organisation's stakeholders and employees cannot detect that an incident has occurred, or have detected one but cannot report it because they do not know how or to whom, then the remainder of the incident management procedure, whose aim is to get the organisation back on its feet from an information security standpoint, cannot be set in motion. No one can handle or respond to an incident they have no knowledge of. The policy is thorough in outlining what security incidents are and how they can be identified by those within its scope. A review of Norwegian organisations and institutions performed in 2005, in which strategies for data security incidents were analysed, demonstrated that statistics
Security risk management is "the culture, processes and structures that are directed towards maximizing benefits and minimizing disbenefits in security, consistent with achieving business objectives" (Australia, 2006). And where
Good information security governance translates into a set of policies, processes and responsibilities associated with the structures and people in the organization. It makes it possible to clearly establish the decision-making process and the guidelines for the management and use of IT, all in a way that is aligned with the organization's vision, mission and strategic goals. It also ensures that IT plans are aligned with business plans and that the anticipated benefits are actually being generated, and it allows the organization to recognize all risks (and opportunities) to the business and to decide on appropriate plans to mitigate, accept or avoid them. Fundamental to this process is performance measurement: monitoring the implementation of the strategy, the use of resources and the delivery of services.