Monday, December 9, 2019
Strategic Information Security for Norwood Systems - Free Samples
Question: Discuss the strategic information security of Norwood Systems.

Answer:

Introduction
Information is the most important asset of an organization. In this era of information and communication technology, security threats and risks are becoming a major concern for organizations (Andress 2014). Information security deals with the protection of the integrity, availability and confidentiality of a company's sensitive and valuable information. Norwood Systems is known for providing telecommunication services to enterprises, consumers and carriers across the world (Norwoodsystems.com 2017). This report discusses the security programs that Norwood Systems can adopt to improve its current security structure. It discusses the concept of information security and suggests the types of security models that can be implemented for the betterment of the organization. It identifies the security threats and the risk assessment plans and programs that can be adopted. It also sets out the training requirements and the ISO standards and models that are suitable for Norwood Systems.

Literature on Information Security
Information security deals with protecting systems and information from any type of unauthorized or illegal access, modification, destruction or disclosure. The main objective of information security is to maintain the integrity, availability and confidentiality of information (Peltier 2016). Confidentiality deals with securing valuable information from any type of unethical or unauthorized access; it makes sure that only authorized users can access the information they need. Integrity deals with protecting valuable information from unauthorized destruction and modification; it makes sure that the information is complete, uncorrupted and accurate.
Availability deals with providing correct information in a timely manner without any obstruction or interference. An information system consists of various components such as software, hardware, people, data, procedures and networks (Ciampa 2012). All these components are vulnerable to various risks and threats. Information security is an important need of every organization. Several strategies can be used to protect information against any kind of attack. Risks can be avoided and mitigated to promote a secure business environment (Vacca 2013). Loss of valuable information can harm many users and also affect the company's reputation. Information security is gaining importance with time. There are several information security models that can be incorporated into the business processes of an organization based on its needs and requirements.

Current Security Situation and Titles of the Security Personnel
Norwood Systems is responsible for providing telecommunication services of high quality. Its Enterprise Solution makes use of cloud services to make the communication platform of the corporate world very effective. The company has a strong security policy. Several security personnel are present in the organization, each with a unique role and responsibility. Some of them are as follows:
Chief Information Security Officer: The CISO is the head of the security department and is responsible for its overall management.
Security Engineer: A security engineer is responsible for monitoring the security needs of the organization and makes proper use of advanced technologies to enhance the security capabilities of the company.
Security Analyst: Security analysts are responsible for analyzing and assessing vulnerabilities in the IT infrastructure of the company.
Systems Administrator: Systems administrators are responsible for installing and managing security systems across the entire organization.
Risk Assessment and Threat Identification
Risk assessment is required for developing strong security policies in an organization. Real risks and threats are identified along with their level of exposure and probability of occurrence (Peltier 2013). Risk assessment can be done by following certain procedures and steps. In the NIST risk management framework, risk assumptions, risk constraints, risk tolerance and priorities are identified. The company goals, business processes, mission, information security architecture and SDLC processes are integrated for proper assessment of risk. The threats and vulnerabilities existing in the organization are identified. After the identification is done, the company works out various ways to respond to the risks and selects the most suitable option. The last component is to monitor the risks and to change the information system of the organization in response to their impact. The ENISA framework can be used by Norwood Systems to assess the risks related to the cloud service it provides to enterprises for effective communication. In ENISA, risks are identified, then analyzed, and then evaluated.

Security threats are a major concern for Norwood Systems. Telecommunication industries are vulnerable to several threats. The network equipment and the switching infrastructure can be accessed in an unauthorized manner, which can lead to tampering and illegal tapping of network traffic. Voice traffic can be intercepted because there is no encryption on the speech channels. Mobile stations can be modified to exploit weaknesses in message authentication (Mayer et al. 2013). This can cause spoofing, where the attacker pretends to be someone else in order to gain access to sensitive information. Base stations can also be modified to entice users to attach to them (Jafarnia-Jahromi et al. 2012). The lawful interception mechanism can be misused.
A backdoor attack can take place that observes the activity of the user and misuses the data. A Denial of Service attack can consume the resources of the network by sending unwanted network traffic to the target system. The cloud services provided by Norwood Systems are vulnerable to threats such as data breach, insecure interfaces, malicious insiders, account hijacking, shared technology issues and DoS. Deliberate threats are more dangerous and have higher exposure because the attacker has malicious intentions behind such attacks (Ross 2014). Categorizing and ranking the threats will help the organization to promote a secure work culture and environment.

Security Models
Security models can be considered standards that are used for comparison or reference. The NIST access control model is used to identify the access mechanisms of the various levels in Norwood Systems. The management level accesses the data and information related to strategic planning (Chang, Kuo and Ramachandran 2016); the administrative level controls the operational data; and the technical level accesses the daily information that is required for business continuity. Security models help to implement information security in the organization and can be incorporated into its hardware, software and policies. Norwood Systems provides its enterprise solution via a cloud service called Corona Cloud (Malik and Nazir 2012). NIST security models will be extremely beneficial for the company. NIST documents are freely available and are updated by the government. They provide guidelines on risk assessments, privacy controls and security plans (Hamlen et al. 2012). Norwood Systems needs to implement strong security policies to protect the cloud against any kind of threat (Youssef 2012).

Development of Security Program
Norwood Systems is a medium-sized company with a hierarchical organizational structure.
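The threat ranking step described in the risk assessment section above, worked through as an added example that is not part of the original report: it scores the cloud threats the report names by probability of occurrence and effect, weights deliberate threats higher, and maps each level to a response option before the monitoring step. The likelihood and impact scores, the deliberate-threat weight, the level thresholds and the response mapping are all constructed assumptions.

```python
"""Risk register for the cloud threats named in the report.
Added example, not from the original report. Scores and weights are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # probability of occurrence, 1 (rare) to 5 (almost certain)
    impact: int       # effect on the business, 1 (negligible) to 5 (severe)
    deliberate: bool  # True when an attacker with malicious intent is behind it


# Constructed scores (assumption) for the cloud threats the report lists.
CLOUD_THREATS: List[Threat] = [
    Threat("data breach", 3, 5, True),
    Threat("insecure interface", 4, 3, False),
    Threat("malicious insider", 2, 5, True),
    Threat("account hijacking", 3, 4, True),
    Threat("shared technology issues", 2, 3, False),
    Threat("denial of service", 4, 3, True),
]

# Assumption: deliberate threats get higher exposure than accidental ones.
DELIBERATE_WEIGHT = 1.5


def exposure(threat: Threat) -> float:
    """Exposure = likelihood x impact, scaled up for deliberate threats."""
    base = threat.likelihood * threat.impact
    return base * DELIBERATE_WEIGHT if threat.deliberate else float(base)


def risk_level(score: float) -> str:
    """Bucket an exposure score into three levels (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def select_response(level: str) -> str:
    """Assumed response option per level (the 'respond' step of the framework)."""
    return {"high": "mitigate now",
            "medium": "mitigate or transfer",
            "low": "accept and monitor"}[level]


def risk_register(threats: List[Threat]) -> List[Tuple[str, float, str, str]]:
    """Rank threats by exposure, highest first (name breaks ties), with level and response."""
    ranked = sorted(threats, key=lambda t: (-exposure(t), t.name))
    rows = []
    for t in ranked:
        score = exposure(t)
        level = risk_level(score)
        rows.append((t.name, score, level, select_response(level)))
    return rows


def reassess(threats: List[Threat], name: str, likelihood: int, impact: int) -> List[Threat]:
    """Monitoring step: re-score one threat after a change and return the updated list."""
    return [Threat(t.name, likelihood, impact, t.deliberate) if t.name == name else t
            for t in threats]


if __name__ == "__main__":
    for name, score, level, response in risk_register(CLOUD_THREATS):
        print(f"{name:26} exposure={score:5.1f} {level:6} -> {response}")
```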
A code of conduct prevails in the organizational culture. Employees are expected to act honestly and to protect the assets of the company. Employees can release confidential information with the permission of the company. The company takes serious action if there is a breach of conduct. A strong security program needs to be developed to protect the company against security threats and risks. Failure to protect valuable information will harm the reputation of the company. The key components of the security program that needs to be developed are as follows:
Hire a Designated Security Officer (DSO): A DSO is required to monitor and coordinate the security policies of the organization.
Risk assessment: The company must identify the types of information that it stores along with the value of that information. The risks and threats associated with each category of information must be identified, and they must be ranked according to their level of exposure and effect.
Access control: The security officer must decide which information is available to whom. Employees must be authorized to access the type of information they need to run the business, depending on their roles and levels in the organizational structure.
Individual accounts: All employees must have a separate account so that activity can be monitored properly; this will also help to investigate any data loss or manipulation.
Develop policies: Information security policies must be developed so that the entire organization is aware of the security expectations. The importance of information must be stated in the policies. These policies must be reviewed and updated every year. Employees must sign an agreement to follow the rules and policies.
Effective governance: The security officer must make sure that the policies are being followed in an effective manner.
The roles and responsibilities of employees must be clearly defined so that operations are carried out effectively (Siponen, Mahmood and Pahnila 2014).
Install firewalls: Firewalls can be implemented to protect the internal network from external malicious attacks. A hardware firewall can be placed between the internal network and the Internet (Hu, Ahn and Kulkarni 2012). The firewall must be installed with antivirus software. A software firewall needs to be installed on all computer systems. The firewall must be kept updated and must be purchased from an authentic vendor.
Secure wireless access points: The administrative password of the device must be changed. Wireless access points should be configured so that they do not broadcast their SSID. The router must be set to use WPA2 with AES (Advanced Encryption Standard).
Web filters: The security officer must set up email filters to filter out malicious emails. Web filters will help Norwood Systems detect malicious websites and prevent access to them.
Encryption: The information in the system must be protected by encryption. Plain text is converted into cipher text so that it cannot be read by attackers (Daemen and Rijmen 2013). AES can be used to protect valuable information.

Roles and Responsibilities
CISO: The CISO looks after all security policies and procedures in the organization and carries out the strategic planning. The CISO ensures that the information security design of the firm is effective and monitors all security-related jobs in the organization.
Security Manager: The security manager deals with collecting, storing and utilizing information to achieve the organizational goals. Security managers act as decision makers when selecting appropriate methodologies for the organization.
They also coordinate and communicate information among the different layers of the organization.
Security Engineer: The risk assessment and control framework of the firm is designed by the security engineer, who designs an appropriate security framework for the firm and is responsible for updating the design based on current security threats and risks.
Security Analyst: The security analyst is responsible for analyzing security threats and their exposure, and helps to maintain the integrity of the data.

Improvement Plan
The information security of Norwood Systems can be improved by dividing the responsibilities of the security personnel effectively. More designations must be added so that the responsibilities of employees do not overlap. Each will have a separate role to play and the outcome will be highly effective. Proper strategies must be developed to improve the information security of Norwood Systems (Ahmad, Maynard and Park 2014). The new roles and titles that can be very effective are as follows:
Technical security manager: These managers will focus on firewall implementation, protection against data leakage, encryption, patching and all other technical aspects of information security in the organization.
Program security manager: These managers will focus on evaluating vendor or third-party risk. The security manager's role can be divided into technical and program security manager for the betterment of the firm.
Risk Officer: A risk officer must be hired whose main focus will be managing the implementation of the risk function. The risk officer will develop processes for identifying risk areas and the exposure of each risk, and will develop risk policies as well. The risk officer will monitor and tackle critical risk issues.
Other specialized roles can include a virus technician, who will identify new viruses and develop defense mechanisms against them, and an intrusion detector, who will monitor the networks and systems to identify how an intrusion occurred. A source code manager can review source code to detect vulnerabilities. Distinguishing all the security-related roles and functions can help to improve the information security of the firm.

Training Requirements
Security awareness plays a critical role in the implementation of the new security program. There must be balanced trust across the organization so that information is shared in a secure and effective manner (Hu et al. 2012). The higher authorities must play a significant role in demonstrating the need for security programs in the organization. Employees must be given proper training so that they understand the security policies correctly. Employees should know how to utilize the organizational resources efficiently, and they must be trained so that they can tackle any type of security incident. Monthly meetings must be set up to discuss security issues and the measures to overcome them. The cooperation of employees is needed to promote information security in the organization.

ISO Standards and Models
The ISO model is the most widely used security model in the industry. This standard was developed to provide organizations with a common base for developing security standards (Disterer 2013). This helped in developing inter-organizational deals.
ISO/IEC 27001: This provides information regarding the implementation plan of ISO/IEC 27002 for the purpose of setting up an Information Security Management System (ISMS).
ISO/IEC 27002: This addresses information security controls. A firm can use this standard to address its security needs and develop security policies.
This model is suitable for Norwood Systems as it will help the organization develop a management system for managing information security. Norwood Systems provides its Enterprise Solutions with the help of Corona Cloud. The ENISA security model will also be suitable for the cloud security of the organization (Pearson 2013). This model will help the firm assess the risks related to cloud computing and will also provide an assurance framework for cloud computing services.

Conclusion
This report concludes that Norwood Systems is a medium-sized company that can take certain steps to improve its information security. The report stated that information security deals with protecting systems and information from any type of unauthorized or illegal access, modification, destruction or disclosure, and that the main objective of information security is to maintain the integrity, availability and confidentiality of information. It discussed the organizational culture and size, and suggested a well-defined security program for improving the security policies and protecting the sensitive information of the firm. It suggested techniques such as encryption and the implementation of firewalls in the security program. The roles of the security personnel were discussed and suggestions were provided for improving them; the report suggested that new designations must be included in order to implement an effective security program. It also suggested that the ISO and ENISA security models are suitable for Norwood Systems, and discussed the importance of risk assessment and the probable threats that can affect the organization.

Recommendations
Norwood Systems can improve its information security by following these steps and procedures:
Strong policies must be developed along with specific user guidelines so that employees do not misuse company resources.
Software updates must be done on a regular basis.
Anti-virus software must be installed to fight against any malicious software attack.
Vendor management must be done effectively. Strong vendor guidelines must be implemented to prevent the release of sensitive information.
Strong passwords must be used to protect the systems from any unethical or unauthorized access.
Employees must be given proper training to communicate securely. They must be aware of the need for information security in an organization.
Annual updates must be done to ensure that the security program remains up to date.

References
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.
Andress, J., 2014. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.
Chang, V., Kuo, Y.H. and Ramachandran, M., 2016. Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, pp.24-41.
Ciampa, M., 2012. Security+ guide to network security fundamentals. Cengage Learning.
Daemen, J. and Rijmen, V., 2013. The design of Rijndael: AES - the Advanced Encryption Standard. Springer Science & Business Media.
Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(02), p.92.
Hamlen, K., Kantarcioglu, M., Khan, L. and Thuraisingham, B., 2012. Security issues for cloud computing. Optimizing Information Security and Advancing Privacy Assurance: New Technologies, 150.
Hu, H., Ahn, G.J. and Kulkarni, K., 2012. Detecting and resolving firewall policy anomalies. IEEE Transactions on Dependable and Secure Computing, 9(3), pp.318-331.
Hu, Q., Dinev, T., Hart, P. and Cooke, D., 2012. Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), pp.615-660.
Jafarnia-Jahromi, A., Broumandan, A., Nielsen, J. and Lachapelle, G., 2012. GPS vulnerability to spoofing threats and a review of antispoofing techniques. International Journal of Navigation and Observation, 2012.
Malik, A. and Nazir, M.M., 2012. Security framework for cloud computing environment: A review. Journal of Emerging Trends in Computing and Information Sciences, 3(3), pp.390-394.
Mayer, N., Aubert, J., Cholez, H. and Grandry, E., 2013, June. Sector-based improvement of the information security risk management process in the context of telecommunications regulation. In European Conference on Software Process Improvement (pp. 13-24). Springer, Berlin, Heidelberg.
Norwoodsystems.com. 2017. Norwood Systems - Company. [online] Available at: https://www.norwoodsystems.com/company.php [Accessed 1 Oct. 2017].
Pearson, S., 2013. Privacy, security and trust in cloud computing. In Privacy and Security for Cloud Computing (pp. 3-42). Springer London.
Peltier, T.R., 2013. Information security fundamentals. CRC Press.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Ross, J.D., 2014. Defending critical infrastructure against deliberate threats and non-deliberate hazards (Doctoral dissertation, Naval Postgraduate School, Monterey, California).
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), pp.217-224.
Vacca, J.R. ed., 2013. Managing information security. Elsevier.
Youssef, A.E., 2012. Exploring cloud computing services and applications. Journal of Emerging Trends in Computing and Information Sciences, 3(6), pp.838-847.