Introduction
Information security management refers to the activities that protect data, processes (recruitment, production, marketing, branding and distribution), infrastructure, employees and property against risks such as unauthorised access, loss, damage or misuse by employees, competitors or the public (Harkins 2012). Olympic Resources should secure its information system to protect it from unwanted events that could cause damage, loss or misuse through deliberate or accidental actions. In addition, this will ensure the assets of the company are not susceptible to attacks from its workers or the public, and that the firm does not incur serious costs if uncontrolled damage or risks occur; in this way the impact of damage, loss or misuse of data is reduced (Whitman and Mattord 2010). This essay presents a proposal that will help Olympic Resources to secure its information in the wake of technological advancements and cut-throat competition.
Overview of Olympic Resources
Olympic Resources was established in 1947 in Abu Dhabi to offer oilfield-related services to countries in the region. It began as a back office offering consultancy services to oil drilling companies but has expanded its operations to include the supply and repair of machines, staffing, drilling, and the export of oil and its products. Ahmed Nassir Muhammad founded the company, and at that time its operating capital was less than $1,000; today this value is estimated to be about $100,000, and the company continues to invest and expand its operations within and outside the Middle East.
Its revenue is about $500,000 billion, with a net income of $100,000; moreover, its assets are valued at $700,000. It has more than 150 employees that include administrative, technical, and management personnel. In addition, it employs casual laborers during peak seasons when the demand for its services outweighs its ability to offer timely and quality responses to its clients. The company is managed by a CEO called Ahmed Nassir Muhammad, and he is deputized by Rashid Abubakar.
The performance of this organisation can be rated as average because it has never been operational for more than ten consecutive years due to the unpredictable political and civil conflicts that rock this region. However, it has managed to expand its operations and now considers itself successful, if the current trends in the region are anything to go by. The company faces stiff competition from companies such as Al Mansoori, Al Madina, Al Mushrif and Al Moroor, amongst others. These companies have huge capital and experience in the industry and therefore outdo Olympic Resources on many fronts. Nevertheless, Olympic Resources has worked hard to penetrate the oilfield market in the Middle East and has gained popularity by offering cheap but quality services and products.
Olympic Resources introduced a computerised management and information system in 2005 to promote efficiency in its services and coordination between departments. The CEO can monitor the activities of all departments from the comfort of his office. He decided to locate his office away from the organisation so that employees have the freedom to do their work without feeling that their every step is being monitored. All departments have networked computers to ensure a quick transfer of information between the company and its customers. In addition, this means there is little physical movement of employees from one department to another, and it limits the use of paper documentation in offering services to clients.
An employee can access the computers in every department because they are not protected by passwords or encryption against unauthorised users. No measure has ever been taken to manage access to these computers since they were introduced into the organisation nine years ago. The only security measure taken to keep unauthorised people away from the computers is locking the doors of the main offices when workers are not using them. These computers store data about employees' profiles, the company's clients, policies, and the regulations governing work. They also store the strategic plans the company intends to execute to improve its services, including minutes of meetings, decisions, and budget estimates that are yet to be discussed by the board of directors.
Employees or outsiders can access the performance records of this company at any time, provided the main offices are open. The payment, production, supply and marketing plans and processes can all be tracked from this system, and employees pay little attention to switching off their computers when they are not in use. Accountability is therefore a huge problem facing this company, even though it has very few workers and it may not be difficult to lay blame on an individual. There are serious flaws in the information system adopted by this company, and this means that its data is not safe.
Problem Definition
This company requested a proposal to ensure its information is secure and thus eliminate or reduce the chances of losing, misusing or damaging its data. It identified the following key issues as important in determining the success of its performance, and therefore proposed that the security of the IT department be re-evaluated to ensure it reflects the standards required for information security purposes. First, the management realised that employees have never been adequately trained to use information technology to improve their performance. As a result, they have developed poor habits regarding the use of computers to communicate or store information.
In addition, they have poor professional skills that limit their efficiency and reduce productivity in the company because they do not know the functions of various aspects of information technology. Therefore, they need information technology professional skills that will help them to accommodate changes in modern equipment and changes in management and service delivery issues. Secondly, most employees do not know how to support trends and processes towards the consumerisation of information technology and use their skills to improve the quality of services offered (Landoll 2011). This creates a rift between employees and technology and thus compromises the security of information stored on networked computers.
Thirdly, employees and the company cannot develop an institutionalised cloud strategy that will promote seamless transition and movement of information from one department to another without exposing it to unnecessary risks. Most employees have been penalised for sharing confidential information and accessing managers’ communication. This highlights the need to establish and secure the network of all departments to ensure employees send, receive and access information that is relevant and suitable for them (Tipton and Krause 2007). The need to secure information according to its origin and destination will lower the chances of misusing confidential data and exposing it to unauthorised access.
Fourthly, this organisation has never integrated information technology into company decision-making processes. This means that it has never used technology to promote the safety of its decisions or help managers to establish best practices and adopt effective strategies that will ensure the information of this organisation is secure. Sometimes, the CEO and managers fail to accomplish their missions because workers intercept their communication and access their data before they complete their plans. For instance, it is very difficult for managers to implement unpopular policies like dress codes because employees get prior knowledge of this information and develop resistance to this plan. Therefore, managers want to establish effective ways of securing their discussions and ensuring employees do not have prior knowledge about their plans.
Computers and other information technology devices were introduced in this company nine years ago, but they are yet to bear fruit. Managers have never recognised the need to use secure practices when establishing or implementing the policies that will help the organisation achieve its objectives. For instance, employees continue to browse social sites, wasting the resources of the company and exposing it to poor performance.
Contingency Planning
This company should use four contingency plans to safeguard its information and secure its employees, data and assets. A Business Impact Analysis (BIA) plan helps organisations to evaluate the critical functions that determine their success (Andress 2011). In addition, it will help this company to identify and measure the impacts of information insecurity on its financial, managerial and production operations. The Business Impact Analysis (BIA) plan will follow the procedure below to ensure all the required personnel, departments, events and schedules are involved in the preparation of this component.
However, before preparing this plan, it is necessary to ensure the following conditions are met. First, all senior managers should support the plan to ensure the goals of the project are achieved. In addition, this process takes a lot of time collecting data and analysing it in different dimensions; therefore, patience and accuracy are needed when filling in the template. The heads of the various departments should be involved in reviewing the findings of the plan to validate the accuracy of the information collected. The Business Impact Analysis will have the following features. The template will list the names of the departments that require information security. These include the accounting, human resource, call centre and management departments.
Secondly, the number of full-time staff will be entered against each department on the list. The activities performed by every department will be identified and described, and every process ranked according to its importance (Brotby 2009). The recovery time should then be included; this is the time a department will take to restore its operations if its information is damaged, lost or misused. In addition, supporting departments and personnel will be included and their roles in the recovery process identified. The template should also include separate sections for recording the quantitative and qualitative impacts of information insecurity suffered by a department or by the company.
In addition, the template should include the financial or human resources required to return the information system to normalcy after an interruption. Lastly, the template shows the service or technology recovery time of all departments or aspects affected by the insecurity challenge suffered by this company (Gupta and Sharman 2011).
An Incident Response Plan (IRP) is a template that describes the processes an organisation can follow to identify, react to and control the effects of loss, damage or misuse of its information (Tipton and Krause 2007). Such incidents occur when unauthorised people access confidential information or when employees use data for their own gain at the company's expense. The plan has the following aspects, which help managers and other workers to respond to disasters in time and effectively.
The first step is to record the person who discovered an incident, such as the misuse of information in the organisation. This should include the employee's contact details so that further reference and clarification can be obtained. The second step involves contacting the security department (if the person who discovered the incident is not a member of the IT department). This department will contact the IT security section and inform it of the details of the incident. The IT department will then contact the management and the response staff responsible for handling the incident. All contacted members meet to discuss the incident and develop a response strategy. This leads to the creation of an incident ticket that classifies the incident and records the affected department and the employees or clients concerned.
The response team will then follow the appropriate procedures to identify the threat and determine how to manage it. Authorised personnel will then investigate what caused the incident. They will recommend changes to secure the information of the company and ensure the incident does not happen again. Management must approve the recommendations before the changes are made. The response team will then restore the affected system and ensure it has been secured against damage, misuse or unauthorised access. The whole process is then documented, and all materials collected as evidence are preserved for appropriate action. External parties such as the police, suppliers or advertisers should be notified to ensure the incident does not happen again. The damage caused should be estimated and policies updated to strengthen the security of the company's information (Gupta and Sharman 2011).
A Disaster Recovery Plan (DRP) is established to help companies plan and execute various strategies before, during and after a disaster strikes an organisation. Olympic Resources faces serious risks because its unsecured information system is exposed to interception, misuse and damage by computer viruses and other malicious software. This company should adopt a Disaster Recovery Plan (DRP) along the following lines. First, it should establish a disaster management department or body to perform the necessary roles before, during and after the IT system of the organisation is damaged, misused or accessed by unauthorised people (employees or the public).
Secondly, the body or department must obtain commitment from top management to assure it that its roles will be supported through the provision of financial and personnel resources that are required to perform its responsibilities. This department should establish a planning committee that will implement the strategies of this body. All members of this committee should be assigned roles to ensure there is division of labour according to their areas of specialisation. For instance, roles should be assigned depending on how members understand and manage software and hardware components of the IT system.
The committee should perform a risk assessment to help this organisation to predict the possibilities of damages or misuse of its IT system. The establishment of priorities for operations will help this committee to manage disasters, according to their severity and damages. Moreover, the need to establish recovery strategies will be determined by the nature of a disaster and its magnitude. For instance, damages caused by viruses will be managed by procuring antivirus software.
Data should be collected before, during and after the disaster to enable planners to develop plans that will help the organisation to prevent the occurrence of damages in the future or reduce their severity. A written plan should be established, organised and documented to ensure all committee members understand their roles in managing disasters. The criteria developed should be tested and a procedure for this established to ensure it is supported by the resources of this organisation (Whitman and Mattord 2010). The committee should test its disaster management plan to ensure it works. This can be done by staging a disaster and testing whether the recovery plan works or not. The committee should use the information collected during and after testing the disaster recovery plan to improve its strategies. Lastly, the disaster recovery team should seek approval of its plan from top management to ensure it is incorporated in the policies and departments of this company.
The Business Continuity Plan (BCP) helps organisations to identify their threats (external and internal) and use their resources to prevent the occurrence of disasters or help the company recover from them without incurring losses or compromising the quality of its services and products (Tipton and Krause 2007). Olympic Resources should develop this plan by following these steps. First, it should identify security threats to its IT system and design a solution that will avert or limit the impacts of a disaster.
The second step involves implementing the Business Continuity Plan and ensuring it performs its duties according to the expectations of the relevant body in charge of disaster management. The implemented plan should be tested so that its developers can evaluate its effectiveness and develop appropriate measures to correct weaknesses and improve its quality. Moreover, this plan should be improved because technology keeps changing and some plans may not work with new systems. Lastly, an analysis should be made to evaluate the possibilities of other factors affecting the effectiveness of a business continuity strategy. This will ensure this organisation diversifies its approaches to disasters and increase its level of responsiveness, awareness and security of its IT system.
Enterprise Information Security Policy
Organisations must develop information security policies that take into consideration the mission and objectives of their managers and employees (Tipton and Krause 2007). It must also address assets that require protection, the risks involved and how to eliminate or mitigate them. A suitable Enterprise Information Security Policy (EISP) for Olympic Resources addresses the following important aspects. First, this security policy will identify key aspects that define this organisation. This includes understanding its mission, objectives, hierarchies and the roles of all employees will help in the formulation of an appropriate security policy. This policy should define the scope and programme of its components. This means that it should focus on identifying what it will cover to ensure those responsible for translating the policy do not go beyond its scope.
In addition, it is necessary to identify the targeted audiences so that the policy covers exactly those it is meant for. The agendas of the CEO, CIO and CISO should be clearly identified because these are the main stakeholders responsible for signing off on the policy (Wheeler 2011). The policy should not deviate from the mission of the organisation or from the need to maintain high security standards for the company's information system. The policy should be broad and general but high-level, so that all important aspects receive maximum attention. It should be easy for the appropriate staff to translate into regulations; therefore, it should contain no contradictions or diversions from the goals of the organisation.
Moreover, the policy should not violate external laws that regulate the practices of this industry. This means that it should be within the limits of the national constitution. The policy should be realistic and have backups to ensure its goals are attainable and that it has professional, legal and moral integrity.
Issue Specific Policies
The security policies of the IT system of this company are aimed at ensuring the responsible use of technology to improve the performance of employees by facilitating the effective delivery of services (Andress 2011). In addition, they are aimed at promoting fairness, equality and accountability in all departments to minimise cases of misuse and damage of information. Security policies in this department will address the following issues. First, these policies will ensure users do not misuse the information stored in the systems of this organisation. This will encourage responsible transfer, access and use of information so that employees uphold professional ethics regarding the confidentiality of data (Whitman and Mattord 2010).
Secondly, the policy will promote the privacy of information. This will ensure nobody has access to information that does not belong to them; only authorised users, recipients and senders will access information in this system. Thirdly, the policies will secure information from malicious software that may damage the data or assets of this company. Fourthly, data management policies will ensure information is distributed to the relevant departments by the correct personnel. This will reduce instances of rumour-mongering and incitement in the company.
The Regulated Content policy will prohibit access to sensitive information and ensure the secrets of the company are not leaked to the public or to unauthorised workers. Digital Copyright policies will protect all information obtained or distributed through electronic means. This means that third parties will take responsibility for damage or loss caused by misuse of digital information. Moreover, information technology system policies will deal with domain names and their usage. This includes the names of suppliers, manufacturers and customers and how the use of their trade identities will affect the organisation.
In addition, IT accessibility policies will help those with special needs to use modern technology to share important information within or outside the company (Landoll 2011). Policies on user safety will help employees avoid falling victim to internet fraud. They will ensure employees take precautions before subscribing to sites, downloading material or accessing content that may damage the computers of the organisation. Ethical standards are policies that will ensure employees use company assets to promote healthy interactions, timely communication and the sharing of information that improves productivity.
Fair and responsible use of office email policies will ensure employees use the internet to communicate professional messages. In addition, this will reduce the use of emails to abuse, incite or threaten managers or other employees. Ethical standards in email communication will reduce misunderstanding and conflicts that arise when managers and employees do not observe the requirements of formal communication. In addition, this will help managers to communicate with employees and ensure their messages can be retrieved for future references.
Information Security Awareness Programme
An Information Security Awareness Programme (ISAP) is a deliberate action taken by managers or employees to educate their colleagues on the importance of keeping data secure and the ways of doing so (Wheeler 2011). An Information Security Awareness Programme document contains the following important aspects, which should be described and arranged according to their importance. First, the title of the document will be as it appears in this discussion.
Secondly, it should outline security measures that are aimed at promoting the safety of the information of this company. In addition, security threats should be identified and this should include a description of their origin and impacts. Employees should be educated on how to predict or determine the presence or possibility of security threats on the systems of this organisation. Moreover, each threat should be analysed and their solutions presented and this means that they should be available to employees (Tipton and Krause 2007). Lastly, there should be recommendations that will inform employees how to manage threats when they occur.
Risk Management
The process of managing risks involves three stages, each with its own description. First, the company needs to identify the risks that face its security system; these include attacks from dangerous software, misuse of information by employees, and damage to resources caused by natural or man-made events. The second step involves rating the likelihood and impact of these risks as high, medium or low and assessing the mitigating factors and their usefulness (Harkins 2012). The last stage is risk management: here Olympic Resources should assess what more it can do about the risks identified and set a timescale for doing it. The person responsible for this process should be identified, and the stated risks should be reviewed after all the other steps have been taken.
Security Staff
The security team for this organisation will consist of 14 members. The team will be supervised by a manager whose role will be to oversee the activities of the department. He will report to the company's manager or his deputy and will chair the meetings of the security team. There will be an assistant manager who will report to the officer above him and perform his roles when he is absent. The rest of the team will be subdivided into three groups of four members each.
The groups will be assigned different roles in different departments. For instance, one group will be responsible for identifying security threats in the organisation. The second will evaluate effective strategies for managing the threats. The third group will implement the strategies developed, while the last one will evaluate the effectiveness of the approaches used to manage the threats. However, the roles of these groups and of the entire team will vary depending on the risk, the availability of resources and the frequency of occurrence of the disaster (Wheeler 2011).
The manager and his deputy should have attained some level of training in disaster management and have working experience in this field. Other team members should have knowledge of disaster management. The entire team must have excellent communication and interpretation skills. They must have advanced knowledge of the IT system and of all aspects of securing the assets in this department (Brotby 2009). In addition, they should know how to manage time and stress and how to work without supervision.
References
Andress, J. (2011). The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. Amsterdam: Syngress Press. Web.
Brotby, K. (2009). Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement. Florida: Auerbach Publications. Web.
Gupta, M. and Sharman, R. (2011). Social and Human Elements of Information Security: Emerging Trends and Countermeasures. Pennsylvania: Information Science References. Web.
Harkins, M. (2012). Managing Risk and Information Security: Protect to Enable. New York: Apress. Web.
Landoll, D. (2011). The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. Florida: CRC Press. Web.
Tipton, F. and Krause, M. (2007). Information Security Management Handbook. Florida: CRC Press. Web.
Wheeler, E. (2011). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. New York: Wiley. Web.
Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security. New York: Cengage Learning. Web.