Introduction
The article “Why do organizations need information systems?” describes information as the lifeblood of an organization (Answers Corporation, 2011, 2). The article goes on to point out that poor management and security of information in an organization attracts financial losses and liabilities such as lawsuits (Answers Corporation, 2011, 2). Information systems help organizations avoid these losses and liabilities: they offer a better way to manage and secure critical data and to improve integration and work processes (Answers Corporation, 2011, 2).
An information system differs from other organization systems in its objective, which is to monitor and log the operations of a given organizational system (Answers Corporation, 2011, 2). A system whose operations are being monitored and logged by an information system can be called a target system (Answers Corporation, 2011, 3). For example, the operations of human resources in an organization can be monitored and logged by an information system thus making human resources a target system.
Information Security
When an organization achieves information security it means that the organization’s information and information systems are protected against intruders, leakages, any form of destruction, and any unauthorized use. In other words, the confidentiality, integrity, and availability of the organization’s information are safeguarded and maintained. The organizational information that is secured may be electronic, printed, or in another form. As pointed out above, poor security of information in an organization attracts financial losses and liabilities such as lawsuits (Answers Corporation, 2011, 2). For instance, a case in which poor security of information leads to a breach in the privacy of the organization’s clients can result in lawsuits that can bankrupt the organization. It is regarded as an ethical, legal, and business requirement to ensure that the discretion of information in a given organization is safeguarded.
As with any other system in an organization, information systems are also associated with a risk, which is known as information technology risk. Information technology risk is the likelihood that an event will occur that harms an organizational information asset (Elky, 2007, 1). Information technology risk management is a two-step process aimed at lessening the effect of information technology risk. Given the information resources an organization is using in achieving its objectives, the first step in information technology risk management is to identify the vulnerabilities and threats to these resources (ISACA, 2006, 85). In information technology risk management, a vulnerability is a weakness that, if exploited, causes harm to an organization’s information resource, whereas a threat, artificial or not, is an object that has the potential to damage an information resource (ISACA, 2006, 85). Again, given the information resources an organization is using in achieving its objectives, and taking into account the value of each resource to the organization, the second step in information technology risk management is choosing countermeasures that lessen the information technology risk to an acceptable level for each resource (ISACA, 2006, 85).
As pointed out in the discussion above, the role of information security is ensuring that the confidentiality, integrity, and availability of an organization’s information are safeguarded and maintained. In so doing, it lessens the information technology risk and guarantees the organization desirable performance at any given moment. Therefore, information security is a critical component in information technology risk management in an organization.
Issues in the management of information security
There are several issues in the management of information security that IT professionals and organizations have to contend with. As the business environment keeps changing, threats and vulnerabilities change in tandem. Thus, an outstanding issue in the management of information security is keeping up with the ever-changing landscape of information security and addressing newer vulnerabilities and threats. Another outstanding issue is that IT professionals have to work under budgetary constraints; therefore, the plans and strategies they formulate have to be cost-effective and friendly to an organization’s budget. These issues make the mitigation of the effect of information technology risk difficult, as IT professionals have to come up with information technology risk countermeasures that strike the proper balance between performance (or productivity), organization budget-friendliness (or cost-effectiveness), and the value of the information resources being safeguarded.
Significant information security threats in contemporary organizational settings
Contemporary organizations in today’s world are exposed to several significant information security threats. In information security, a threat is a link between a threat source and accidental triggering or internal exploitation of a vulnerability. That is, a threat without a threat source is dormant and therefore is not harmful (Elky, 2007, 2). According to Elky, a threat source can be defined as a situation, intent, or method that can either intentionally exploit or accidentally trigger a vulnerability (Elky, 2007, 2). Information security threats can be classified into three broad categories, namely, leakage, tampering, and vandalism (Coulouris et al, 2005, 268-269).
The leakage category captures all information security threats that result in an organization’s information ending up in the hands of unauthorized recipients (Coulouris et al, 2005, 268). The tampering category captures all information security threats that result in unauthorized alteration of an organization’s information (Coulouris et al, 2005, 268). The vandalism category captures all information security threats that result in the interference of an organization’s information system(s) (Coulouris et al, 2005, 269). Vandalism threats may benefit their perpetrator or not. Significant information security threats in contemporary organizational settings as given by Elky (2007, 2) are: Accidental Disclosure, Acts of Nature, Alteration of Software, Bandwidth Usage, Electrical Interference/Disruption, Intentional Alteration of Data, System Configuration Error and Telecommunication Malfunction/Interruption.
One of the most significant information security threats in contemporary organizational settings is accidental disclosure, which can be classified as a leakage threat. Accidental disclosure is the unauthorized release or accidental release of organizational information that is classified, personal, or sensitive. Another significant information security threat in contemporary organizational settings is Acts of Nature, which can be classified as a vandalism threat, meaning that it results in the interference of an organization’s information system(s). Acts of Nature such as earthquakes, floods, hurricanes, infernos, and tornadoes damage the infrastructure of an information system and thus result in the unavailability of organizational information. Another significant information security threat is the Alteration of Software, which can be classified as a tampering threat as it results in unauthorized alteration of the information of an organization. This threat captures all malicious code, e.g. Trojan horses, viruses, worms, and logic bombs. The software targeted in this threat is either an operating system or an application program. The alteration involves modification, insertion, and deletion of this software. Alteration of software, whether authorized or not, compromises the confidentiality, integrity, and availability of information in an organization.
Another significant information security threat in contemporary organizational settings is Bandwidth Usage, which can be classified as a vandalism threat, meaning that it results in the interference of an organization’s information system(s). In an organization, bandwidth is set aside for a given communication channel as its specified use. Usage of this bandwidth for any other purpose, whether intentional or not, compromises the availability of an organization’s information system and is thus a threat. Another significant information security threat is Electrical Interference/Disruption, which can be classified as both a tampering and a vandalism threat. Power failures can incidentally result in the unavailability of an organization’s information system or modification of the information of an organization.
Another significant information security threat is the Intentional Alteration of Data, which can be classified as a tampering threat. Intentionally, and mainly for malicious purposes, the data in an organization’s information system can be modified, inserted, and even deleted. Such alterations of data compromise the confidentiality, integrity, and availability of organization information. Another important information security threat is System Configuration Error, which can be classified as a leakage, tampering, or vandalism threat depending on its resultant effect. This threat is purely accidental, as system configuration errors occur on their own during the initial installation or upgrade of hardware, software, communication channels, and/or operational environment. Another important information security threat is Telecommunication Malfunction/Interruption. This threat can be classified as a vandalism threat as it results in the interference of an organization’s information system(s). Telecommunication malfunctions and interruptions cause breaking and disintegration of communication channels and therefore result in the unavailability of information systems in an organization.
Best practices addressing significant information security threats in contemporary organizational settings
To address the above information security threats organizations have to adopt certain practices. These practices take into account the nature of the threats and the fact that information security is a critical component in mitigating the effect of information technology risk. Therefore, in addition, the practices take into account the issues that are central in the management of information security. One of the issues is the need to keep up with the ever-changing landscape of information security and address newer vulnerabilities and threats that are ever emerging. The other issue is the need for realizing information technology risk countermeasures that strike the proper balance between performance (or productivity), organization budget-friendliness (or cost-effectiveness), and the value of information resources being safeguarded.
One best practice is that an organization develops in itself a continuous quality improvement culture especially in the area of information systems and information security. Continuous Quality Improvement refers to the formal approach applied in analyzing performance as well as improving it (Duke University Medical Center, 2005, 1). Considering that the organization has its interests and those of its clients at heart, it is important for it to develop information systems and information security measures that are of high standards. This is critical in aiding the organization to avoid losses and lawsuits that are likely to take the company down. Thus, it is very important to undertake continuous quality improvements in their products.
Another best practice is for the organization to develop ethics, adopt an ethical decision-making model, and maintain a high code of ethics. This is because threat sources can exploit a vulnerability in an information system or information security system intentionally or unintentionally. In either case, ethics and an ethical decision-making model are useful in improving decision-making, which in turn is essential in mitigating the effect of information technology risk. Ethics are the principles by which you decide what is right and wrong. Ethics form the basis on which a person or an organization determines which action is fit to take as a response to the various situations they encounter (Markkula Center for Applied Ethics, 2010, 2). Ethics constitute the standards of behavior that promote proper coexistence in a community or a society (Markkula Center for Applied Ethics, 2010, 2). A decision-making process founded on ethics promises good decision-making, which is important in building a strong partnership. It is therefore imperative for an ethical person or organization to match its standards with a proper ethical decision-making model. Examples of ethical decision-making models include the Resolved Method by Jonathan Kranky, Laura Nash’s Twelve Questions, Michael McDonald’s A Framework of Ethical Decision Making, and Thomas Bivins’ The Ethical Worksheet, among others.
Another best practice that is effective in addressing the above information security threats is critical thinking. As with ethics, critical thinking also improves decision-making in the organization. Sound decision-making can play a role in ensuring that threat sources that exploit vulnerabilities intentionally are kept at a minimum. So what is critical thinking, and what are critical thinking skills? Critical thinking skills are aimed at helping an individual or organization act purely objectively and rationally (Kurland, 2000, 1). According to Kurland, the characteristics of critical thinking are rationality, self-awareness, honesty, open-mindedness, discipline, and judgment (2000, 1).
Another best practice that is effective in addressing the above information security threats is research and development. Research and development is an activity undertaken mainly for broadening an organization’s knowledge (WebFinance Inc., 2011, 1). The knowledge is useful to the organization as it is critical in making continuous quality improvements to the organization’s product(s) or service(s). As technology advances, threats and vulnerabilities change in tandem. Therefore, knowledge of these vulnerabilities and threats is useful in developing robust information systems and information security measures. Therefore, in this way research and development is a best practice in addressing effectively the above-mentioned threats.
Another best practice that is effective in addressing the above information security threats is knowledge integration. Because the threats and vulnerabilities are ever-changing, an organization that is keeping up with the changes acquires a great deal of knowledge in the process. There is therefore a need for this knowledge to be recycled to create an improved, dynamic, and robust system or strategy that aids in dealing with these threats.
By achieving knowledge integration, an individual or organization can, first, make use of available knowledge to formulate solutions to the various problems or challenges that they face during growth (Clemens, 2004, 3). Secondly, knowledge integration helps to expose underlying assumptions and inconsistencies through reconciling conflicting ideas (Clemens, 2004, 5). Thirdly, knowledge integration helps an individual or organization to identify effectively areas with incoherence, uncertainty, and disagreement, which it does through synthesizing different perspectives (Clemens, 2004, 6). Finally, by weaving different ideas together, knowledge integration achieves a whole that is better than the total of its parts (Clemens, 2004, 7).
Ethical issues involved in information systems security management
An ethical issue involved in information systems security management is ethical and responsible decision-making (National Information Assurance Training and Education Center, 2011, 2). Ethics promote sound decision-making, which is critical in managing the security of information systems. Another ethical issue involved in information systems security management is confidentiality and privacy (National Information Assurance Training and Education Center, 2011, 4). It is regarded as an ethical, legal, and business requirement to ensure that the discretion of information in a given organization is safeguarded. This is because poor information security can result in an invasion of an individual’s privacy. This is an undesirable outcome for an organization as it can lead to lawsuits and poor public relations.
Piracy is another ethical issue in information systems security management (National Information Assurance Training and Education Center, 2011, 8). Organizations should be keen to discourage the unauthorized creation of copies that contain their information. These copies can end up in the hands of attackers who can compromise the confidentiality and privacy of the organization’s entities. Another ethical issue in information systems security management is fraud and misuse (National Information Assurance Training and Education Center, 2011, 10). Care has to be taken to safeguard the integrity of data in an organization’s information system; otherwise, genuine records can be replaced with fraudulent ones in a malicious scheme to benefit a threat source.
Patent and Copyright Law is another ethical issue in information systems security management (National Information Assurance Training and Education Center, 2011, 13). Patents and Copyright Laws are legal protections of the intellectual property of an organization, which includes its information. These mainly discourage threats originating from an organization’s competitors. Another ethical issue in information systems security management is safeguarding an organization’s computers from sabotage (National Information Assurance Training and Education Center, 2011, 17). Information systems run on computers, and computers are the main repository of electronic information; it is thus ethically important that they are protected from intentional or unintentional sabotage.
Anticipated challenges in the implementation of best practices
An outstanding challenge in the implementation of the above best practices is funding. The spending of an organization is governed by its budget, and best practices such as knowledge integration and research and development require heavy funding, so funding is a likely challenge. Materials and resources have to be made available to ensure effective implementation of the best practices, especially knowledge integration and research and development. Poor funding means inadequate resources for implementing these best practices, which in turn suggests a looming failure in the implementation. It is therefore imperative that the organization allocates sufficient funds for implementing the above best practices, especially knowledge integration and research and development.
Another outstanding challenge in the implementation of the above best practices is getting the required cooperation from involved parties, especially the organization’s employees. Without proper cooperation, best practices such as ethics and critical thinking are impossible to implement. Cooperation is important as it is the first step in creating a learning atmosphere, which is crucial in helping the involved parties to familiarize themselves with these best practices. Once the involved parties are familiar with the best practices, they are able to make better decisions that, among other things, guarantee the confidentiality, integrity, and availability of the organization’s information. It is therefore imperative that cooperation from involved parties is guaranteed.
Addressing the challenges to best practices
To address the above challenges a framework is needed that encourages an organized thinking approach to the problem of implementing the best practices. Thus, the solution lies in undertaking Checkland’s soft system analysis of the organization concerning the broader problem of information security. The result of this analysis is a framework that makes the entities of the organization more aware of the need for the best practices.
The Soft Systems Methodology (SSM) is an approach developed mainly by Peter Checkland for tackling problematic situations that exist in the real world (Checkland and Scholes, 1990, 18). The fundamental difference between the SSM approach and the hard systems approach is that the former views a system as an epistemological entity whereas the latter views a system as an ontological entity (Marcia, 8). SSM is carried out so that purposeful action can be determined which will bring about a certain desired change in an organization. The purposeful action results from a study of the organization as a system that does something. The desired change, in this case, is to move from an organization that does not have the above best practices to one that has them.
Security defenses against Internet-based attacks
The internet is classified as a distributed system, meaning that its components are located in computers that are networked and that communication and coordination of actions between these components are achieved through the exchange of messages (Coulouris et al, 2005, 1). Internet-based attacks are typically characterized by theft of communication channels or the establishment of new communication channels that cover up or are disguised as authorized communication channels (Coulouris et al, 2005, 269). Internet-based attacks can be classified into five broad categories, namely, eavesdropping, masquerading, message tampering, replaying, and denial of service. Each of these categories captures a distinct misuse of internet communication channels. The communication channels are the mechanisms through which communication and action-coordination messages are exchanged (Coulouris et al, 2005, 269).
Eavesdropping attacks misuse internet communication channels in such a way that copies of messages being exchanged in the communication channels are obtained without authorization. Masquerading attacks misuse internet communication channels in such a way that an intruder can assume the identity of an authorized principal and therefore receive as well as send messages. Replaying attacks misuse internet communication channels in such a way that messages do not reach their intended recipient at the intended date because an attacker intercepted and held them for transmission at a later date. Denial of service attacks misuse internet communication channels in such a way that communication channels deny authorized principals service following an attacker’s flooding of the channel with messages.
Message tampering attacks misuse internet communication channels in such a way that messages being transmitted in the communication channels reach their intended recipient after they have been altered from the original form without authorization. One common form of message tampering attack is the man-in-the-middle attack, which involves three stages (Coulouris et al, 2005, 269). The first stage is the attacker establishing a secure channel through interception of the first message transmitted in a channel that carries the encryption keys of the channel (Coulouris et al, 2005, 269). The second stage in the attack is the attacker’s submission of compromised keys that enable him/her to decrypt any subsequent messages sent through the channel (Coulouris et al, 2005, 269). The third stage in the attack is the actual tampering of messages: the message is decrypted, altered to the attacker’s satisfaction, re-encrypted with the correct key, and then submitted (Coulouris et al, 2005, 269).
One security defense against internet-based attacks is cryptography, which is the encoding of a message in such a way that its contents are hidden from unauthorized principals (Coulouris et al, 2005, 275). To unhide the contents of an encrypted message one has to be familiar with the cryptography key used and its encryption algorithm. Thus, as a measure to boost internet defense, the cryptography key is a secret only known by the concerned parties. Encryption algorithms in use in cryptography can be classified into two main classes, namely, shared secret keys and public/private key pairs (Coulouris et al, 2005, 275). The first class of encryption algorithms is such that both the sender and recipient of the messages must have knowledge of the cryptography key used. The second class of encryption algorithms is such that the sender of a message uses a public cryptography key in the encryption of the message and the recipient, who has prior knowledge of the public key used, decrypts the message using a private cryptographic key. A shortcoming of cryptography is that once the cryptographic key is compromised, all the information being exchanged in the communication channel is left unprotected and therefore an attacker can tamper with it to his/her satisfaction.
In the face of attackers, cryptography boosts internet security by ensuring the secrecy and integrity of information through encryption and decryption of messages by authorized principals who themselves are not a security threat (Coulouris et al, 2005, 276).
Cryptography also boosts internet security as it supports the authentication of communication between the principals involved (Coulouris et al, 2005, 276). Cryptography is integral in the implementation of digital signatures, which are an emulation of conventional signatures and which, also, indicate that there is no alteration of any nature in a document or message. In this way, cryptography boosts internet security (Coulouris et al, 2005, 278).
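As an added example (not taken from the essay's sources), the sketch below shows how a receiver holding a shared secret key can detect the message tampering and replaying attacks described above. It protects integrity and freshness only, not secrecy; the message layout, the 30-second freshness window, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_SECONDS = 30  # assumed freshness window; tune to real network delay


def _canonical(msg):
    """Serialize the authenticated fields in one fixed, unambiguous form."""
    fields = {name: msg[name] for name in ("body", "nonce", "ts")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(key, body, now=None):
    """Sender side: attach a random nonce, a timestamp and an HMAC-SHA256 tag."""
    msg = {
        "body": body,
        "nonce": secrets.token_hex(16),
        "ts": time.time() if now is None else now,
    }
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Receiver side: verify the tag first, then freshness, then uniqueness."""

    def __init__(self, key, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # nonce -> timestamp of messages already accepted

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        try:
            expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
            supplied = msg["tag"].encode()
        except (KeyError, TypeError, AttributeError, ValueError):
            return "rejected: malformed"
        # Constant-time comparison; any change to body, nonce or ts breaks the tag.
        if not hmac.compare_digest(expected.encode(), supplied):
            return "rejected: bad tag"
        # A message held back by an interceptor arrives outside the window.
        if abs(now - msg["ts"]) > self.max_age:
            return "rejected: stale"
        # Forget nonces whose messages would now be rejected as stale anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if msg["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared secret known only to both parties
    receiver = Receiver(key)
    original = seal(key, {"op": "transfer", "amount": 100})
    print(receiver.accept(original))                      # first delivery
    print(receiver.accept(original))                      # same message resent
    altered = dict(original, body={"op": "transfer", "amount": 9999})
    print(receiver.accept(altered))                       # body changed in transit
```

The shortcoming noted above still applies: anyone who obtains the shared key can produce valid tags, so the scheme is only as strong as the key's secrecy.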
Another security defense against internet-based attacks is credentials, which are a collection of evidence presented by one principal to another when the former is requesting an internet resource (Coulouris et al, 2005, 284). An example of a credential is a digital certificate. The credentials of a given principal regulate or dictate the allocation of internet resources to the principal, and in this way credentials boost internet security. Delegation is a form of credentials that is very useful on the internet and other distributed systems (Coulouris et al, 2005, 284). This form of credentials allows an action to be performed for a principal using the authority of another principal. For delegation to happen, a delegation certificate has to be presented and the system has to support this capability. A delegation certificate contains the sole signature of the requesting principal and permits another principal to have access to an internet resource to which that principal had no prior access (Coulouris et al, 2005, 284).
Another security defense against internet-based attacks is the firewall, which monitors and regulates communication in and out of a computer on the internet or in an intranet (Coulouris et al, 2005, 109). Service control is one of the aims of a firewall security policy and is achieved by rejecting certain incoming requests and determining the resources to accord an outgoing request. Behavior control is another aim of firewall security policy, and it is achieved by preventing behaviors in requests that are likely to be exploited by attackers to cause harm to the system. User control is another aim of firewall security policy, and it is achieved by prohibiting certain users from certain external services, as these are likely to be exploited by attackers without the knowledge of these users to cause harm to the system. A shortcoming of firewalls is that the security is not effective in situations where an attacker is attacking from inside an organization (Coulouris et al, 2005, 285).
Proactive incident response plan
This section develops a strategy for managing information security threats through a proactive incident response plan. The strategy is concerned with identifying vulnerabilities of an information security system before they are exploited. Additionally, it suggests how to mitigate the effects of such exploitations when they eventually occur. The strategy and subsequent plan are based on the failure mode and effect analysis (FMEA) procedure.
Failure Mode and Effect Analysis (FMEA) is one underlying concept of continuous quality improvement. FMEA is an analytic activity carried out on a product, service, or process to know its strengths and weaknesses, deal with a potential problem before it occurs, and ensure that it meets the set requirements. FMEA has its origin at the National Aeronautics and Space Administration (NASA) in the USA, where it was used as a risk analysis and mitigation technique; more recently, however, it has become widespread in industries, where it is used to attain process improvement. FMEA is a vital tool for project teams and companies as a whole who are faced with questions like how a failure can occur, the effect of such a failure on a system, and what actions can be taken to counter such potential failures if they happen. It provides a suitable approach to developing remedies to these questions.
FMEA has several functions. First, it predicts design or process-related failure modes, and by doing so it works to ensure that set requirements for a process or product are met. Secondly, FMEA tests and finds out the effect and severity of a given failure mode. Thirdly, FMEA pinpoints the cause and works out the probability of occurrence of a failure mode. Fourthly, it identifies a control and weighs its effectiveness; it quantifies each associated risk and ultimately arranges the risks in order of priority. Finally, it develops and documents action plans that appear to reduce the risks involved.
Therefore, the stages of the plan are:
- The first stage of the plan is predicting vulnerabilities in an information system
- The second stage is determining the severity of an attack
- The third stage is determining the likelihood of occurrence of an attack
- The fourth stage is prioritizing each attack against the others
- The fifth stage is developing a documented action plan to deal with each attack
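The five stages can be carried through on a worksheet. The added example below (not part of the original essay) scores a subset of the threats listed earlier using the conventional FMEA risk priority number, RPN = severity × occurrence × detection on 1-10 scales, where the detection rating stands for how weak the existing control is. All scores, both thresholds, and the action texts are constructed for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 11)  # conventional FMEA 1-10 rating scale


@dataclass(frozen=True)
class FailureMode:
    threat: str       # stage 1: predicted failure mode
    category: str     # leakage / tampering / vandalism
    severity: int     # stage 2: 10 = most damaging
    occurrence: int   # stage 3: 10 = almost certain to happen
    detection: int    # control effectiveness: 10 = no control would catch it
    action: str       # stage 5: documented response

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.threat}: {name} must be 1-10")

    @property
    def rpn(self):
        return self.severity * self.occurrence * self.detection


def prioritize(modes, rpn_threshold=100, severity_floor=9):
    """Stage 4: rank by RPN; ties go to the more severe mode.

    A mode is flagged urgent if its RPN reaches the threshold or if its
    severity alone reaches the floor, so that rare but catastrophic
    events are not buried by a low product (both limits are assumptions).
    """
    ranked = sorted(modes, key=lambda m: (-m.rpn, -m.severity, m.threat))
    return [(m, m.rpn >= rpn_threshold or m.severity >= severity_floor)
            for m in ranked]


def action_plan(modes, **limits):
    """Stage 5: render the ranked worksheet as a documented plan."""
    lines = []
    for rank, (m, urgent) in enumerate(prioritize(modes, **limits), start=1):
        status = "ACT NOW" if urgent else "monitor"
        lines.append(
            f"{rank}. [{status}] {m.threat} ({m.category}) RPN={m.rpn} "
            f"S={m.severity} O={m.occurrence} D={m.detection} -> {m.action}"
        )
    return lines


# Constructed worksheet: threat names come from the essay, scores do not.
WORKSHEET = [
    FailureMode("Accidental Disclosure", "leakage", 8, 6, 5,
                "review outbound data handling and staff training"),
    FailureMode("Acts of Nature", "vandalism", 9, 2, 2,
                "test off-site backups and the recovery site"),
    FailureMode("Alteration of Software", "tampering", 9, 4, 4,
                "verify software integrity before deployment"),
    FailureMode("Bandwidth Usage", "vandalism", 4, 6, 3,
                "track channel utilisation against its baseline"),
    FailureMode("Intentional Alteration of Data", "tampering", 8, 3, 6,
                "log and review changes to critical records"),
    FailureMode("System Configuration Error", "varies", 7, 7, 6,
                "peer-review configuration changes at install and upgrade"),
]

if __name__ == "__main__":
    print("\n".join(action_plan(WORKSHEET)))
```

Re-scoring the worksheet after each countermeasure is applied shows whether the control actually lowered the occurrence or detection rating.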
References
Answers Corporation. (2011). “Why do organizations need information systems?”. Web.
Checkland, P. & Scholes, J. (1990). Soft systems methodology in action. John Wiley & Sons: Chichester, GB.
Clemens, M. (2004). Knowledge Integration. Web.
Coulouris, G., Dollimore, J. & Kindberg, T. (2005). Distributed systems concepts and design. (4th ed.). Pearson Education Limited: England.
Duke University Medical Center. (2005). What is quality Improvement. Web.
Elky, S. (2007). An introduction to information system risk management. Web.
Kurland, D. J. (2000). What is critical thinking?. Web.
ISACA. (2006). CISA review manual 2006. Information systems audit and control association.
Marcia, S. (n.d.). Beyond Checkland & Scholes: improving SSM. Web.
Markkula Center for Applied Ethics. (2011). A framework for thinking ethically. Web.
National Information Assurance Training and Education Center. (2011). Ethical issues. Web.
WebFinance Inc. (2011). Research and development. Web.