Introduction
Information technology has become so pervasive in our lives that acts and ordinances are being enacted and amended on a regular basis in order to keep a check on its exponential growth. Nearly every field has a law that institutions need to be in compliance with; the healthcare segment has the Health Insurance Portability and Accountability Act, retail has the Payment Card Industry Data Security Standard, the banking sector needs to comply with the Gramm–Leach–Bliley Act, and educational institutions receiving funding from the government have the Family Educational Rights and Privacy Act. Even though these acts are as comprehensive as possible in terms of covering security features organizations need to implement, there always exist circumstances wherein certain entities exploit vulnerabilities in an institution’s security program, thereby compromising the sensitive data of its stakeholders. Therefore, in order to supplement the controls set in place by the aforementioned acts, individual institutions need to evaluate their current security frameworks and accordingly deploy monitoring, metrics, reporting tools and analysis (MMRA) so that they can either proactively fix gaps in their system, or react in the shortest time possible to any security threats to the system.
Different organizations approach MMRA in different ways. They could decide to use tools and methods developed internally, use off the shelf packages, or even a hybrid of the two. The rest of this
Because technology is consistently growing and changing, preventative measures must include flexibility to allow for change and growth. Without these considerations, a business could jeopardize themselves by restricting the ability to expand or even update the systems with necessary security patches. Preventative measures should include future growth. As technology grows, risks increase. Protection mechanisms will change as new threats are introduced to business as well as new legislations. Many security standards are based on data protection regulations and as laws change or new laws are introduced, information technology is the most costly element in ensuring compliance. There could be costly ramifications with poor planning.
Another step involves security checks upon implementation and describes agency-level threat to the business scenario or the mission. It similarly entails sanctioning the information system for processing and lastly constant monitoring of the security controls. FISMA and NIST's standards are aimed at offering the ways for agencies to achieve their identified missions with safety commensurate with the threat (United States Department of Agriculture, 2015). Together with guidelines from the Office of Management and Budget (OMB), FISMA and NIST create a framework for advancing and growing an information security scheme (SecureIT, 2008). Such framework includes control descriptions and evaluation, program development, and system certification and accreditation. The final objective involves conducting daily functioning of the agency and achieving the agency's articulated objectives with sufficient security commensurate with risk.
Harris, S. (2006, November 5). Developing an information security program using SABSA, ISO 17799. Retrieved September 19th, 2015, from
Premier Collegiate School has a staff of thirty (30) faculty members, including administrative staff and teachers, and an enrollment of 300 students. The school maintains two (2) servers, one for student usage applications and software, and one for administration. Also, teachers have ten (10) computers located in the teacher’s lounge; and each administrative personnel have dedicated computers (10) at their disposal. Each student is required to provide their own laptop with wireless access (ITT technical institute, 2016).
Cyber security, also referred to as information technology security, focuses on protecting computers, networks, software programs and data from unintended or unauthorized access, change or destruction. Post 9/11 and other terrorist attacks, the United States grows its endeavors to repulse cyberattacks, U.S. corporate organizations and the government agencies wind up in strife over how to adjust to new methods of security and privacy. The current state of security measure protocols and privacy policies placed by the US government in cyberspace raises concerns for the 99%. This is due to the recent cyber-attacks on American corporate organization systems and government alike, where their digital information and network infrastructures within the systems were compromised, and personal data was hacked and stolen.
In today’s IT world every organization has a responsibility to protect the information and sensitive data they have. Protecting data is not only responsibility of security and IT staff but every individual is involved in protecting the information. The risks to information security are not digital only, but it involves technology, people and process that an organization may have. These threats may represent the problems that are associated to complex and expensive solution, but doing nothing about these risks is not the solution.
Whitman, M. E., & Mattord, H. J. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology.
The constantly evolving technological landscape is posing a big challenge for institutions to comply with various Acts like FERPA, HIPPA etc. Institutions have started appointing Chief Information Security
There are three primary goals for an information security metrics program: compliance with legal requirements; reduce risk by adding new or improving existing capabilities; improve efficiency or reduce cost. In order to achieve any of these goals it is extremely important to gather the appropriate data and formulate useful metrics. The need for useful security metrics cannot be overstated, but there can be confusion about what a metric is, and difficulty determining what a useful metric is. As a business USAA has a duty to protect and improve shareholder investments, and of course must comply with all applicable laws and regulations. There are a variety of laws and regulations that dictate security requirements for financial institutions.
Just like every other organization, Adius, LLC relies on information technology to manage their information, processes, and assets in order to thrive, conduct their business efficiently, and deliver their services effectively. However, no organization is immune from cyber-attacks and threats. In fact, cyber-attacks and threats have been increasing exponentially during the past few years. Having outdated and irrelevant cybersecurity procedures, policies and practices places organizations in greater vulnerabilities and risks. For this reason, cybersecurity procedures, policies and practices in place must be in line and be more relevant to the security needs of Adius, LLC.
While all of these technologies have enabled exciting changes and opportunities for businesses, they have also created a unique set of challenges for business managers. Chief among all concerns about technology is the issue of information security. It seems to be almost a weekly occurrence to see a news article about yet another breach of security and loss of sensitive data. Many people will remember high profile data breaches from companies such as T.J Maxx, Boston Market, Sports Authority, and OfficeMax. In the case of T.J. Maxx, a data breach resulted in the loss of more than 45 million credit and debit card numbers. In many of these incidents, the root cause is a lack of adequate security practices within the company. The same technologies that enable managers can also be used against them. Because of this, businesses must take appropriate steps to ensure their data remains secure and their communications remain
“The cyber security landscape has changed in the past couple of years – and not for the better” (Steen, 2013). Banks are faced with attacks to retrieve customer account information, the military battles with attempts to obtain secrets. These attacks are not just committed by induvial hackers but entire countries. Data privacy rules differ from country to country. For example, Fisher, 2014 states individual search engine access is restricted in different ways depending on the country. China along with other countries restrict access to politically sensitive information, while the United States protects the free flow of information (Gonzalez-Padron, 2014). With companies relying more on technology such as cloud computing and virtual storage their level of vulnerability rises. IT personnel have the difficult task of protecting company data, this is why it is vital to have an ethical compliance program in place protect the organization from internal and external threats.
People across the world are becoming disproportionately dependent on modern day technology, which results in more vulnerability to cyber-attacks including cybersecurity breaches. Today, the world continues to experience inordinate cases of cybersecurity meltdowns. There is a rapid growth in complexity and volume of cyber-attacks, and this undermines the success of security measures put in place to make the cyberspace secure for users. Cyber-attacks on both private and public information systems are a major issue for information security as well as the legal system. While most states require government organizations and certain federal vendors to report incidences of data breaches, no equivalent legislation exists to cover private entities.
Information security professional’s job is to deploy the right safeguards, evaluating risks against critical assets and to mitigate those threats and vulnerabilities. Management can ensure their company’s assets, such as data, remain intact by finding the latest technology and implementing the right policies. Risk management focuses on analyzing risk and mitigating actions to reduce that risk. Successful implementation of security safeguards depends on the knowledge and experience of information security staff. This paper addresses the methods and fundamentals on how to systematically conduct risk assessments on the security risks of information systems.
Designing a working plan for securing the organization s information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scaleable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which