What are the key considerations in the effective implementation of an information security program/ architecture?
Executive Summary
Information security has come to play a significant role in modern pacing, but the perpetually technically sensitive environment. Consequently, organizations need secured communications to benefit from the advance the information technology brings. The significance of this factor is to ensure adequate measures are implemented, and also to ensure the much-needed protection measures meet the acceptable level of security competency of an organization.
A trusted and secure environment for stored and shared information primarily enhances an organization’s business, efficiency and performance benefits. Conversely, an unsafe information systems environment establishes serious damage to individuals, organizations and other entities that could significantly compromise their security needs. Hence, a strong security program provides the basis for the successful implementation of the security-related program(s) in the organization. This provides the primary means an organization should endeavor to minimize the risk of inappropriate use of the organization’s information resources. Therefore, it is essential, when implementing a security program/architecture to consider several factors.
One factor worth noting is identifying information vulnerability and threats. This factor allows an organization to determine shortfalls that create loopholes to the security of information, and fix a fitting strategy to avert any security threat. Additionally, understanding organization technology advancement is critical. This allows an organization to determine the appropriate security program fitting their demands.
Other factors critical in while implementing a security program/architecture include; the level of security needed by an organization, cost-benefit analysis, organization structure, and data center availability among others. An organization that embraces these factors stands a better chance of having a reliable and effective system that guarantees the safety of its Information resource systems. Besides, the organization will benefit by reducing costs connected to an uncertain security breach. This paper seeks to explore these factors, among others in greater detail.
Introduction
Information security refers to the measures taken to protect information and the systems thereof against any illegal manipulation, access or destruction. An information security program, on the other hand, refers to the software and tools that provide the controls for the protection of information. When faced with an issue related to the security of information, the most probable response is normally that of implementing security measures.
However, this is not always the best action and hence calls for an analysis of the major considerations of an information security system. The main objectives of a security program in any setup include; providing protection, assisting in risk management and providing a basis for the setting up of security policies (Peltier 2001 p. 26). Any organization needs to ensure that the information security program in use is effective and suits the needs of the organization. For this to happen, several factors need to be considered.
Information vulnerability and threats
Information vulnerability and threats refer to the shortfalls that create loopholes to the security of information. An analysis of the vulnerabilities and threats is an indispensable element in establishing possible risks, hence dictating the security procedures and architectures that should be implemented (Peltier, 2002). The process of establishing the risks in an information system is fundamental before implementing an information security system.
The aspects of credible and reliable information that are primarily affected by unidentified risks include integrity, availability, and confidentiality among others. The workforce involved in risk assessment according to James Madison University (2010) publication is made up of people from various departments in the organization. They ensure the risks in all departments are covered. The most vulnerable points, however, arise where human involvement is particularly needed.
The first component involved in establishing threats and vulnerabilities is determining the value of information and assessing the threats in each case. Threats in the views of McCarthy and Grossman (2008) fall into four categories, which include “malicious actions both internal and external, acts of nature, acts of war and accidents” (2008, p.15). Secondly, carrying out the vulnerability assessment test, which involves; determining the possibility that certain vulnerability will be abused. This also entails evaluating the security policies and standards and quality control measures. The third step is determining the impact of each threat to information. This step is significant because it prioritizes the risks and the appropriate security measures. The final step is the identification, evaluation, and implementation of the security controls in order of the priority determined in the third step.
Vulnerabilities and threats are a key consideration in the effective implementation of an information security program. They determine the actual risks facing the information system. A proper analysis of these two tends to reduce the impact of the risks should they occur. A proper analysis of these two tends to reduce the impact of the risks should they occur, as stipulated by the National Institute of Standards and Technology (2003). This is because the risks are identified and safeguarding measures are incorporated in the security program implementation. Through this, it is also possible to determine the possibility of the occurrence of uncertain risks, hence coming up with counteracting measures should these risks occur. The areas that are identified to be most vulnerable are given the highest priority in the implantation. This increases the reliability of the entire system.
Research and previous experience with information security systems indicate that most programs are faced with vulnerability threats during the maintenance procedures. “This is as a result of the parties involved in maintenance who in most cases are usually third parties and the fact that they have to access the information systems” (Kiountouzis & Kokolakis, 2001, p. 17). The other threat that should be put into consideration is that posed by the malicious codes and viruses.
These programs are typically developed with the sole purpose of destroying and hacking into discrete information. Viruses are known to thrive in a remarkably dynamic process and the parties involved in developing and maintaining the information systems should be well versed with these malicious programs such that they can initiate measures of preventing them from infesting the information system, hence tampering or exposing the information (Layton, 2007).
Legal and regulatory requirements
Before implementing any information security program, the legal and regulatory requirements should be met to ensure that the organization complies with the law. The most salient feature, in this case, is ensuring that intellectual property rights have been adhered to as indicated by Martinez-moyano et al (2010). Martinez-Miyano et al claim that “this requires the integration of the comprehensive legal requirements so that the security procedures being used in the organization are globally acceptable procedures” (2011 p. 400). For this point to be fully provisioned, several elements need to be considered according to the NIST SP 800-53 (2007) article on information security implementation.
The first consideration is the possible legal actions that might come up against the information security program. Once this is established, it will be possible to assess the relevant legal requirements in place to avoid such confrontations. The second consideration is the cost of legal compliance about the benefits to be accrued from the information security program. If the cost exceeds the benefits, this means a different program or architecture should be adopted.
Next is the timeline aspect; that is the time required to implement the program as well as the period needed before the program requires maintenance. This is also necessary since it contributes to the cost of running the entire security system. Finally, it is the bulk of contracts that need to be put in place before the security system is implemented. This matters in the sense that a contract that requires multiple parties for it to be commissioned takes more time and resources and might prove inadequate (NIST SP 800-53, 2007).
The legal and regulatory requirements are, however, faced with several challenges according to an article by Sarajlic and Malkin (2007, p. 124). “One and the most important of this; is the changing nature of the global laws, regulations, and policies” (Sarajlic and Malkic, 2007, p.124). Research shows that there is a high level of conflict between the growing security requirements and the increasing legal challenges posed by globalization.
In the earlier years, compliance with legal procedures only involved being at par with the rules and regulations of that country or region. This has, however, changed with globalization since there has to be the integration of laws and regulations from different regions that the organization is in operation. The dynamic nature of laws and regulations and security issues is also another factor to be considered. Things are changing so fast that the information security programs being put in place should be dynamic (NIST SP 800-39, 2008).
Organizational structure
Organizational structure is another factor that should be considered when implementing an information security system in the sense that it determines who is authorized to access specific information (Zhang et al., 1988, p. 206). Zhang and his colleagues suggest that it is usually advisable to adopt the segregation of duties system since this ensures that no specific person has all the control of the information. He provides an illustration “where there is a chief information officer; there should be a chief information security officer who is directly in charge of the security team” (Zhang et al., 1988, p. 217). The responsibility of the chief information officer, therefore, in this case, is to assign responsibilities to the security team; the responsibilities should be rotated such that no one person has a designated area of interest. With this organizational structure, it is not possible to manipulate information in the wrong way since any such operation will have to involve multiple parties.
The organizational structure is a concern in the implementation of an information security program since it determines the level of confidentiality that should be put in place. In cases where the segregation of duties structure is in place, then little detail is set in the security system since this in itself is a solid security measure. Otherwise, security measures should be put in place to reduce the accessibility of information to unauthorized persons. Organizational structure is also a factor when determining who should access information and in what form. According to NIST SP 800-37 Revision 1 (2008), most organizations own internal information that is not supposed to be exposed to the public. The organizational structure in this case, therefore, provides a guideline to the team implementing the information security program.
Cost-benefit analysis
About the implementation of the information security program, cost refers to the resources required to put the system in place, while the benefits are the advantages that the security system will accrue to the organization. The cost, in this case, is about the development and maintenance of the security system. This alone cannot be considered as a factor without looking at the benefits that can accrue to the organization, as suggested by Yungton et al (1998). Youngtown et al allege “Some security measures are costly to implement, but they end up saving the organization a lot of losses as a result of information manipulation; on the other hand; other security systems could be expensive, but not effective to the needs of the organization” (Yungton et al., 1998, p.212). This means that implementing the latter would cost the organization more since it brings about less benefit.
The cost-benefit analysis is carried out by researching the security methods being applied in other organizations of the same nature. This method was proposed by McConnell (2001) and Melvin (2009) came to agree with the proposition. The merits and demerits of the security programs are analyzed to come up with a combination that will be advantageous to the organization’s needs and cost of operation (McConnell, 2001). In most cases, information security implementation procedures are generally outsourced.
This is because of the cost involved in developing the infrastructure from the root. Outsourcing has proved to be the best option since it involves getting into a contract with an organization that specializes in offering these services (Melvin 2009). The organization contracted already has the necessary infrastructure. This has proved to be cost-effective in most organizations. It should, however, be noted that in case the information security issue is a long-term need, it is usually advisable to have an internal system. Despite the cost involved in developing this system, the long term benefits exceed the cost, hence making it effective.
According to a discussion brought forth by Khalfan (2004), “the benefits of security investments are often seen only in events that do not happen”. Khalfan (2004) alleges it is impossible to prove a negative, hence wonders what value an organization places on cost avoidance” (2004, p.35). This is a challenge that has not only affected the security concern but has also contributed to the deterioration of processes such as “improving the quality of information security software, conducting security testing, maintaining appropriate documentation, and maintaining the software and hardware records stock records” (Khalfan, 2004).
Cybercrime is the most dreaded threat to information security, research conducted by the National Institute of standards and technology (NIST SP 800-39, 2008) indicated “investigations into the stock price impact of cyber-attacks show that identified firms suffer losses of one to five percent in the days after an attack. For the average, New York Stock exchange Corporation; price drops of these magnitudes; translate into shareholder losses of between $50 million and $200 million” (NIST SP 800-33, 2001). From this, we can conclude that the cost of not having an information security program is higher than the initial cost of implementing one.
Level of protection required
Before an information security system is implemented, another factor that should be considered is the level of protection required. Setting the scale for measuring this aspect can be challenging but it can be simplified by indicating the strengths and weaknesses of each security model proposed. The weakest factors that pose the greatest danger to the information security should be identified and given priority when developing the security system, as proposed by Aikins (2008) in his article “Implementing a Sound Public Information Security Program”.
Aikins explains that these should be the determining factors as to security measures being put in place (2008, p.21). For example, there are organizations whose majority of employees are made up of unskilled labor. The greatest internal risk to information, in this case, will typically be faced by the hard copy information since most of the employees are either un-computed or under-computed. The security measures in this case, therefore, will largely revolve around having lockable chests and ensuring that some areas have restricted access (Aikins 2008, p. 23).
This is, however, not the case in organizations dealing with computed individuals, (Danchev, 2003). In these instances, the information that is at risk is generally that which is stored as soft copy. This is most cases is usually the most sensitive information in the organization. Therefore, it requires more intelligent security measures such as storing information in encrypted formats or having files and folders under passwords. “This is, however, vulnerable to individuals who are acquainted with hacking, hence the need for a more dynamic security system that is unpredictable” (Danchev, 2003).
Technological advancement in the organization
Different organizations have adopted technology at different levels. This is the reason why information security measures being applied in one organization cannot automatically apply to another organization. According to Bernard and Ho (2009) organizations that have adopted high-level technology face more information security challenges owing to the creation of loopholes during the integration of the information technology systems (Bernard and Ho, 2009). Therefore, technology advancement should encompass high – tech security programs that can detect vulnerabilities that already exist and those that can come about. When dealing with security issues related to the advancement in technology, there are some factors that the organizations have to face.
First is the urge to undo some security details to accelerate the process of integrating technology. This might not be done cautiously, but the whole process of installing more advanced technological systems or improving the existing ones automatically creates a loophole. This is an issue that in most cases cannot be controlled, but security measures should be put in place to counter any security issues that can occur as a result of this. The second factor that should be considered is the legacy of the existing security measures if any.
Bernard and Ho indicate in their article that there are those security measures which might have existed in the organization for a long time, but have been deemed obsolete owing to technological advancements, hence needing replacement (2009). Any other security program being put in place should not divert so much from this, instead; only the relevant changes should be put in place to save on resources (Klein & Menendez, 2003).
Information systems are known to mature over time and during this time more vulnerable areas and risks tend to be exposed. This is why any information security program being installed should be dynamic, and be able to change with the changing nature of the organization according to the stipulations brought forth by Peterson (2006) in his article. Again as the information systems grow, they become more complex hence requiring an equivalent security level. Peterson explains “an information security system that stands the test of time and proves effective should be maintained in the organization, with only minor changes being conducted when the need arises” (2006, p.47).
According to this discussion, therefore, it is necessary to consider the organizational information technology trends when implementing a security program. The program is put in place should be flexible enough to cater for the changing needs of the organization. This will save the organization from the need to frequently change the information security system about the changing technology. In some cases, however, it is never about new or old technology, but existing technology whose potential had never been realized. Some security measures might have been used under different circumstances earlier on just to be discovered for a different application. In such a case, it is not necessary to totally transform the entire security program but just to make some relevant changes to the existing ones.
Datacenter availability
The other factor that should be considered before implementing a security program is the availability of a data center in the organization. Dhillon defines a data center as a repository for vast quantities of computing power and storage upon which applications are built” (2007, p.12). He goes ahead to explain that this is a department handling information both in raw and processed forms. In the presence of a data center, the safeguard measures to be taken to protect information are minimal since it only revolves around a few individuals who are in charge of the data center. However, this area requires exceptional attention since it carries the entire information of the organization. Any unauthorized access to this information endangers the organization since it can lead to a leak of extremely confidential information.
The data center is normally connected to the other departments via LANs which are interconnected through all the departments. This is where all this information is analyzed, and the possibility of fraudulent activities detected. In large organizations, there usually exists more than one data center, hence increasing the need for more security measures. These data centers are a crucial consideration when implementing the information security programs since they are at the core of the organization’s security concerns. For any malicious activity to be conducted, the parties involved have to begin from the data center since that is where incriminating evidence will be obtained (NIST SP 800-33, 2001).
When dealing with organizations that have data centers, caution should be exercised because of the complications that can arise from this department. Where multiple data centers are involved, it might be difficult to determine exactly where the problem has occurred. One of the best measures to put in place in such cases is that of random rotation of duties, such that a mess caused by one person can be detected by another one and action taken to prevent further losses. Random rotation of duties means that it is not possible to determine who will be handling which duties in a day or two. This minimizes the possibility of an individual or a group of individuals to organize any misdemeanor of the information.
Putting into consideration a data center when planning a security program has several advantages. First is the ability to track all the operations in the organization from the data center. This happens with the help of CCTV cameras and motion sensors. As a result of this, it becomes possible to know who was where at what time, hence being able to recognize the people who perpetrated crimes in case they occur. The other advantage is the ability to store and disseminate information in different formats. From the data centers, information can be stored in different ways and transmitted depending on the intended recipient. This control enables the filtering of information such that people in the organization get access to information that is only relevant to their needs. The information security team must consider having a data center in place when developing a security program or architecture.
Conclusion
Information security is a continuous mechanism of ensuring the highest level of protection of information from unauthorized access and manipulation. This implementation according to Peterson (2007) involves consistent training, evaluation, response and reviewing. From this, it is clear that information security is an ongoing procedure that lasts through all the cycles of the organization. It is not possible to have a perfectly effective security system. Perhaps, this is why any information security system should be flexible enough to change with the changes taking place in the organization.
References
Aikins, S K 2008, ‘Implementing a Sound Public Information Security Program’, In G Garson & M Khosrow-Pour (Eds), Handbook of Research on Public Information Technology, Florida, pp. 689-698.
Bernard, S & Ho, M 2009,‘Enterprise Architecture as Context and Method for Designing and Implementing Information Security and Data Privacy Controls in Government Agencies’ In P Saha (Eds), Advances in Government Enterprise Architecture, pp. 340-370.
Danchev, D 2003, ‘Information security best practices’ checklist for best practice IT security measures, Web.
llon, G 2007, ‘Principles of Information Systems Security’, Text and Cases, Vol. 2 no. 5, pp. 12 – 14.
James Madison University, 2010, Computer Science applications: The information Security problem. Web.
Khalfan, A 2004, ‘Information security considerations in IS/IT outsourcing projects: a descriptive case study of two sectors’, International Journal of Information Management. Vol. 24, pp. 29-42.
Kiountouzis, E & Kokolakis, S 2001, ‘Information systems security’, facing the information society of the 21st century, Vol. 15 no. 2, pp. 17 – 19.
Klein, S, & Menendez, J 1993, ‘Information security considerations in open systems architectures’, IEEE Transactions on Power Systems (Institute of Electrical and Electronics Engineers), Vol. 8 no.1 pp. 224-230.
Layton, P 2007, ‘Information Security’ Design, Implementation, Measurement, and Compliance. Vol. 1 no. 12, pp. 123 – 221.
Martinez-mono, I, Conrad, S, & Andersen, D 2011, ‘Modeling behavioral considerations related to information security’, Computers & Security, no. 30, pp. 397-409.
McCarthy, R & Grossman, M 2008, ‘Privacy and Security’, Where do they fit into the Enterprise Architecture Framework?. In R Subramanian (Ed.), Computer Security, Privacy and Politics: Current Issues, Challenges, and Solutions, pp. 180-194.
McConnel, K 2001, Information security program; information security office. Web.
Melvin, C 2009, Information security program, information security, cal poly, Web.
National Institute of Standards and Technology 2003, DRAFT FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, Web.
NIST SP 800-33 2001, Underlying Technical Models for Information Technology Security, Web.
NIST SP 800-37 Revision 1 2008, Draft Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach, Web.
T SP 800-39 2008, Draft Managing Risk from Information Systems: An Organizational Perspective, Web.
NIST SP 800-53 2007, Recommended Security Controls for Federal Information Systems, Web.
Peltier, R 2001, Information Security Risk Analysis, Auerbach Publisher, Florida.
Peltier, R 2002, Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Vol. 2, no. 2, pp. 13.
Peterson, G 2006, Security Architecture Blueprint, Web
Peterson, G 2007, ‘Top Ten Information Security Considerations in Use Case Modeling’ Web.
Sarajlic, N& Malkic, J 2007‘Data protection, and association rules analyses in IT network management’ Information System Security. pp. 121-127.
Youngtown, J, Reilly, P, & Teich, J 1998, ‘A software architecture to support a large-scale, multi-tier clinical information system’, Proceedings / AMIA… Annual Symposium. AMIA Symposium. pp. 210-214.
Zhang, Y, Yang, L, Zhou, Y & Kuang, W 2010, ‘Information security underlying transparent computing: Impacts, visions and challenges’, Web Intelligence and Agent Systems: An International Journal. Vol. 8, pp. 203-217.