Module 3: Information Security System Implementation
Case Assignment Brief
Based on the reading sources in the sections below and your own research,
prepare a 5-page report that addresses the following questions:
- Why is information security more than technology?
- How to design and implement a successful information security system.
Assignment Expectations
Your paper should provide a summary of your findings from the assigned materials
and any good quality resources you can find. Please cite all sources and provide a
reference list at the end of your paper. The following items will be assessed in
particular:
- Ability to consolidate ideas from reading materials.
- Demonstration of your understanding of how to create an information security
management process.
- The ability to express your ideas clearly.
Use at least 3 citations from the sources below.
Required Sources
Ethics and Laws
Brey, P. (2007). Is information ethics culture-relative? International Journal of Technology and Human Interaction, 3(3), 12-24. Retrieved from https://search-proquest-com.ezproxy.trident.edu/docview/223245714?accountid=28844
Ethics. Retrieved on March 18, 2013, from http://fair-use.org/g-e-moore/ethics/
The security laws, regulations and guidelines directory. Retrieved on March 6, 2013, from http://www.csoonline.com/article/632218/the-security-laws-regulations-andguidelines-directory
Differences between ethics and laws. Retrieved on March 18, 2013, from http://www.kedah.edu.my/sahc/a_portal/portal_tekvok/ict/nota_ict_n_soceity/Microsoft%20Word%20-%20les7.pdf
U.S. Laws on information security – General law
Computer fraud and abuse act. Retrieved on March 18, 2013, from http://energy.gov/sites/prod/files/cioprod/documents/ComputerFraud-AbuseAct.pdf
Computer fraud and abuse act of 1986. Retrieved on March 18, 2013, from https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29
National information infrastructure protection act of 1996. Retrieved on March 18, 2013, from http://ecommerce.hostip.info/pages/769/National-Information-Infrastructure-Protection-Act-NIIPA-1996.html (This law made changes to the above-mentioned Computer Fraud and Abuse Act. These changes were meant to strengthen that Act by closing legal loopholes in order to protect computer information and networks.)
USA patriot act. Retrieved on March 18, 2013, from http://www.fincen.gov/statutes_regs/patriot. (This law modified previous laws to grant law enforcement agencies more access to combat terrorism-related activities. It also touched upon laws on electronic technology.)
Computer Security Act of 1987. Retrieved on March 18, 2013, from https://www.csp.noaa.gov/policies/csa-1987.htm
Computer Security Act of 1987. Retrieved on March 18, 2013, from http://epic.org/crypto/csa/
Information Security System Implementation (Ethics)
Information is an important aspect of life. It is disastrous for information to fall into the hands of the wrong people. Successful implementation of information security systems protects information and reduces threats while maintaining the integrity of an organization, its employees and all stakeholders. Security is an integral part of any successful organization (Moore, 2017). Throughout the centuries, people have created safety mechanisms to keep critical information out of the reach of unauthorized people. Brands, governments and various groups of people keep information about their dealings more secret than the technology itself. The federal government, for instance, has legislated many laws, regulations and procedures that define the security issues of a system. Various state agencies and independent bodies such as the National Institute of Standards and Technology, as well as the Constitution, contain various acts and laws which govern information systems.
Different cultures have different moral inclinations towards various aspects of information ethics. According to Brey (2007), the key aspects of information ethics include privacy, freedom of information and intellectual property.
Western countries have a stricter recognition of individual rights than non-Western countries. Prevailing moral systems are important in enacting laws regarding information security. In order to enact and enforce information laws, intercultural information ethics must be employed in interpreting, comparing and normalizing the existing problems in the culture at hand. Cultural diversity explains the differences in the ethical connotations of implementing information security systems in various countries.
There are several laws regulating information security. The following are some of the most commonly known. The Computer Fraud and Abuse Act (CFAA) aims to reduce unauthorized interference with computer systems. According to the CFAA, access to computer systems by outsiders or intruders without authorization is punishable (ILT EFF, 2017). The Computer Security Act of 1987 provides computer standards which ensure computer security across the whole government and its workers (NOAA OCIO, 2017; Computer Security Act of 1987, 2017). The law directory (CSO Staff, 2017) lists broadly applicable laws and regulations for corporate affairs, payment data security, consumer information, electronic funds, trade, children's privacy and civil lawsuits. It also lists laws regulating various industries, states and international relations.
Information security is always a work in progress. In order for information to be secure, it has to be protected by two policies. The first one deals with preventing external threats and the second one deals with reducing internal dangers. Both policies help in maintaining the integrity of information.
In order to address external aggression, technology must be deployed. In computer security systems, technologies such as firewalls, email filters, antivirus software and anti-hacking tools help in detecting unwanted users. Internal aggression is different. It mainly depends on the morals, goodwill and ethical values of people. Internal security entails tactful management and the use of diplomacy and laws to regulate employee behavior. Well-defined policies can help protect organizations from inappropriate activities which violate security systems and information integrity.
Implementation of information security systems in an organization needs an all-inclusive approach. Nothing should be left to chance. This section outlines the procedure of developing and implementing an information security system.
- Identification of risks
In order to identify the risks, you must conduct a risk assessment to determine which data is most important to the organization. During the risk assessment, it is easier to identify the security vulnerabilities threatening information safety. Generating a risk register can help in identifying critical systems, internal and external threats, and the vulnerabilities most likely to affect the system. This first step is important because it lays the foundation upon which all other processes rest. The process also helps in identifying the scale of operation and the budget estimates (Continuity Central Archive, 2017). While identifying risks, you should specify the types of information to which access should be restricted. The best way of identifying risks is by monitoring the system and user information.
The type and amount of information accessed depends on the organization and the guiding policies in place. While some employees may feel that their user-generated data and their privacy are at risk, system monitoring helps in gaining deeper insights into a system. To avoid the ethical issues outlined earlier in this paper, employees and other system users should be informed about system monitoring. They should also be assured of the safety of their information.
- Learning from others
Before adopting information security systems, it is important for an organization to learn from similar organizations. It is possible to get information about the various aspects of security online or through other sources such as books and publications. It is good practice to read a range of information security policies before adopting the best and most workable ones.
- Formulation of policies
Once your organization has gathered this information, it should formulate its own policies. It is not appropriate to pick policies being used elsewhere and apply them unchanged in your organization. All organizations are different. The policies developed should reflect the organization's own vulnerabilities and threats. Password policies, terms-of-use policies, privacy policies, encryption policies and any other applicable regulations should identify and specify the standards for accessing information in the organization. If necessary, create specific processes for following the policies and procedures.
- Conforming to policy and legal requirements
Federal laws regulating system security and access to data and information should be followed depending on the type of organization, its jurisdiction and its location. Where certain laws apply, it is important to adhere to at least their minimum standards to avoid conflicts and ensure the security and integrity of information. If the company holds personal information, more stringent measures should be enforced to avoid infringement of personal rights and security breaches affecting users.
- Staff training and involvement in policy development
Technical training of staff is necessary to ensure compliance with the laws. Proper training should be provided whenever an organization adopts new technology. All staff should receive thorough security awareness training from knowledgeable trainers. The staff should also be involved in decision making and in the implementation of the security system, which leads to better compliance. Employees do not like policies dictated by senior managers; they prefer to be part of the solution. The policies should be written down and clearly displayed for easy access by all employees.
- Implement monitoring programs
After installation, security systems need regular monitoring in order to detect vulnerabilities and areas of weakness. Anomalies in networks and system access may lead to costly information breaches. System anomalies are often early indicators of more intensive attacks which may expose information to unauthorized people. A weekly review of security logs, or even more stringent measures, can help secure an organization's system.
- Setting and enforcing penalties
Information security should be treated with the utmost care. For instance, the network security of an organization's computers is a serious matter. Given that a lot of sensitive information is at stake, there should be severe penalties for perpetrators of system insecurity and information breaches. While implementing system safety, the organization should put measures in place for punishing offenders. Haphazard enforcement of the regulations is equivalent to having no policy at all.
- Update your staff
The network of a security system is always evolving. It is necessary to update the staff about any challenges, opportunities or threats affecting the system. The security policy document can be modified according to new discoveries in the system. Open communication is important to keep the staff informed of the day-to-day operations affecting their information.
- Installing necessary tools
Formulating a policy is different from enforcing it. Many companies are good at formulating policies and bad at enforcing them. Installing the necessary tools, such as antivirus software, firewalls, two-step authentication and other related mechanisms, can ensure adherence to policy. Although some tools cost money to buy and install, they must be implemented for the safety of operations (Duigan, 2017).
- Finding the right balance
In information security, there is no one solution that fits all problems. Each organization must implement, verify, rectify and verify again until it arrives at the right solution. With the evolution of threats, there will never be a time when systems are free from threats and weaknesses. Hackers, viruses and other threats are constantly evolving to exploit weak spots in information systems. The need for continued implementation of security measures is as urgent as when you first began.
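As an added example that is not part of the original essay, the following script performs the kind of weekly log review described under the monitoring step: it checks access-log lines against the organization's written access policy and reports unauthorized reads of restricted data, successful access outside approved hours, and repeated failed logins. The log format, the policy contents, the user names and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed policy (assumption): who may read each restricted data set, the
# hours when successful access is expected, and the failed-login threshold.
POLICY = {
    "restricted": {"payroll": {"alice"}, "patient_records": {"bob", "carol"}},
    "hours": (8, 18),            # 08:00 to 18:00, 24-hour clock
    "max_failed_logins": 3,
}

# Constructed sample log in an assumed "timestamp user action resource result"
# format; a real deployment would parse its own audit log format instead.
SAMPLE_LOG = """\
2017-09-25T09:12:00 alice login - ok
2017-09-25T09:13:10 alice read payroll ok
2017-09-25T23:40:02 bob read payroll ok
2017-09-26T02:15:00 dave login - fail
2017-09-26T02:15:20 dave login - fail
2017-09-26T02:15:45 dave login - fail
2017-09-26T02:16:00 dave login - fail
2017-09-26T10:05:00 carol read patient_records ok
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<resource>\S+) (?P<result>\S+)$")

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def review(log, policy=POLICY):
    """Return (category, user, detail) findings: policy violations and anomalies."""
    findings, failed = [], Counter()
    start, end = policy["hours"]
    for e in parse(log):
        hour = int(e["ts"][11:13])          # ISO 8601 timestamp, hour at offset 11
        if e["action"] == "login" and e["result"] == "fail":
            failed[e["user"]] += 1
        allowed = policy["restricted"].get(e["resource"])
        if allowed is not None and e["user"] not in allowed:
            findings.append(("unauthorized_access", e["user"], e["resource"]))
        if e["result"] == "ok" and not (start <= hour < end):
            findings.append(("after_hours", e["user"], e["ts"]))
    for user, n in failed.items():
        if n > policy["max_failed_logins"]:
            findings.append(("repeated_failures", user, str(n)))
    return findings
```

Running `review(SAMPLE_LOG)` flags bob's after-hours read of payroll (which his role does not permit) and dave's four failed logins, giving the reviewer a short list to follow up rather than the whole log.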
Conclusion
Implementation of information security systems is an important undertaking in any organization which desires the safety and security of its data. There are many statutory laws and regulations governing data safety and access to data, depending on national, cultural and ethical connotations. Just because laws seem good does not imply that they can be applied in any culture. In the implementation of security systems, the laws should not infringe on the personal rights of users. In order to secure information, proper laws should be enacted and enforced.
References
Brey, P. (2007). Is Information Ethics Culture-Relative? International Journal of Technology and Human Interaction, 3(3), 12-24. http://dx.doi.org/10.4018/jthi.2007070102
Moore, G. (2017). Ethics. Fair-use.org. Retrieved 27 September 2017, from http://fair-use.org/g-e-moore/ethics/
CSO Staff. (2017). The security laws, regulations and guidelines directory. CSO Online. Retrieved 27 September 2017, from https://www.csoonline.com/article/2126072/compliance/compliance-the-security-laws-regulations-and-guidelines-directory.html
ILT EFF. (2017). Computer Fraud and Abuse Act (CFAA) – Internet Law Treatise. Ilt.eff.org. Retrieved 27 September 2017, from https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29
NOAA OCIO. (2017). Computer Security Act of 1987. Csp.noaa.gov. Retrieved 27 September 2017, from https://www.csp.noaa.gov/policies/csa-1987.htm
Computer Security Act of 1987. (2017). EPIC. Retrieved 27 September 2017, from http://epic.org/crypto/csa/
Continuity Central Archive. (2017). Implementing a good information security program. Continuitycentral.com. Retrieved 27 September 2017, from http://www.continuitycentral.com/feature1093.html
Duigan, A. (2017). 10 steps to a successful security policy. Computerworld. Retrieved 27 September 2017, from https://www.computerworld.com/article/2572970/security0/10-steps-to-a-successful-security-policy.html