Explain how information security and assurance policies, programs, and processes have special needs that must / should be accommodated as organizations manage their responses to incidents, disasters, and crises. Is this a one-way relationship, or do InfoSec and IA activities also have their own contributions to make to the continuity of business operations planning, management decision making, and response and recovery operations? Explain your reasoning.
Information assurance (IA) is “a powerful practice embraced by organizations to manage various risks associated with the use, storage, transmission, and processing of data” (Mele, Pels, & Polese, 2015, p. 127). The practice is characterized by a range of security and assurance measures. Information security and assurance policies have special needs that arise from the requirement to keep data safe. Information is “usually threatened thus affecting the privacy of many users during disasters and crises” (Grispos & Glisson, 2014, p. 3). That being the case, the IA concept should be taken seriously in order to manage the targeted information. Incident Management Plans (IMPs) should embrace the best ways to handle, retrieve, and manage data. This approach will ensure the data is not accessed by third-party users.
Information Security (IS) and Information Assurance (IA) activities should be undertaken together. These activities will “ensure there is continuity of organizational functions such as management decision-making, response and recovery operations, and business operations planning” (Grispos & Glisson, 2014, p. 3). The information retrieved and safeguarded during the process will be used to respond to the disaster. IA activities will ensure the firm stays focused on its operations (Mele et al., 2015). They will also support every decision-making process and eventually produce the best results.
How would you compare and contrast information security and information assurance controls, countermeasures, and safeguards? Can (or should) the same process, tool, technology, or activity act in more than one of those roles? Why or why not?
Grispos and Glisson (2014) argue that “IA controls, safeguards, and countermeasures focus on the best approaches to protect the integrity of data especially in the event of a disaster” (p. 4). Such safeguards and assurance measures employ administrative, physical, and technical approaches. Information assurance, therefore, manages risks associated with the use, transmission, processing, and storage of confidential data. Information security, on the other hand, is usually aimed at “defending vital information from any unauthorized use, disruption, modification, or disclosure” (Mele et al., 2015, p. 129). Information Security (InfoSec) is therefore used to safeguard both physical and electronic data.
It should be observed that the same tool, technology, or process cannot act in more than one role. This is the case because IA is derived from the concept of Information Security. A given technology or process can work effectively towards promoting the security of the targeted information (Grispos & Glisson, 2014). However, the same technology cannot be used to achieve the required IA activities or goals. Different tools and technologies will therefore be required to manage some of the risks associated with the transmission of information.
Explain the process of responding to an information security/information assurance incident. What are the key decision points in that process? What should you consider if the information needed to make these decisions normally comes from or is produced by the very same information systems involved in the incident?
Organizations should use structured strategies to respond to every information security incident. The first step should be to minimize the severity of the threat or incident. The next step will be to assemble what is known as the core Computer Security Incident Response Team (CSIRT). The “next move is to establish an Incident Response Plan” (Corlett, 2014, p. 3). The plan “will make it easier for the team to contain the incident and manage the identified risks” (Corlett, 2014, p. 3).
Critical decisions should be made when assembling the right CSIRT. Competent individuals should be identified and included in order to get the best results. The Incident Response Plan should also be drafted in a professional manner (Kim & Solomon, 2013). The strategy will address the targeted information security risk. Such decisions should also be made in accordance with the targeted data or information.
Sometimes the decision-makers will have to use or rely on the existing information system. Some information systems are also designed in such a way that they can assist throughout the decision-making process. If the information system needed to make various decisions is itself involved in the incident, the CSIRT leader should determine whether the system is capable of supporting the process (Corlett, 2014). The CSIRT leader can also draw on ideas from different teammates in order to make accurate decisions. This approach will ensure the right decisions are made towards developing the right Incident Response Plan.
Think back to Module 1’s Directed Inquiry, in which you hypothesized about the core business processes of COPA AIRLINES. Asset-based risk management requires that organizations make some kind of valuation of the asset(s) in question. For information-intensive business processes, how do you think this should be done? How do you suggest Copa should “value” its various information assets, the ones that provide critical support to those processes you considered previously?
COPA Airlines should make a careful valuation of its information assets. This is necessary because such assets provide critical support to its core business processes. This approach will ensure the company has a robust risk management plan. The strategy will deal with various challenges and present the most appropriate interventions. Such information assets are expensive and should be treated as critical systems that support the firm’s core business functions. The value of such information assets will make it easier for COPA Airlines “to determine the impact of every risk” (Grispos & Glisson, 2014, p. 4).
NIST 800-30 seems to have a strong asset-based focus on information risk management. Is this really the case, or does it embrace and use process-based, threat-based, or outcomes-based thinking as well? Are these different points of view or risk bases in conflict with each other?
It is notable that NIST 800-30 has a strong focus on asset-based information risk management. However, it should be observed that the analysis embraces process-based, outcome-based, and threat-based thinking. The analysis focuses on the totality of information systems as vital assets of an organization. This approach examines the nature and usability of the information system (Kim & Solomon, 2013). The wider field of information risk management should therefore consider the existing assets, processes, and outcomes.
These “information risk management points of view are therefore critical towards managing various information-related risks” (Grispos & Glisson, 2014, p. 7). It should also be observed that the wider field of asset-based information risk management focuses on the existing processes, threats, and outcomes. Such points of view are therefore not in conflict with one another.
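To make the two preceding answers concrete, the following is an added example (not part of the original essay, and not COPA Airlines data) of a small asset-based risk register in the style of NIST 800-30. It values each information asset from two directions: confidentiality from the data's classification, and integrity and availability from the high-water mark of the business processes the asset supports. Each threat event is then rated by likelihood and impact and placed on a qualitative risk scale. The asset names, processes, threat events and all ratings are constructed for illustration; the likelihood-by-impact table is an approximation of Table I-2 in SP 800-30 Rev. 1 and should be checked against the publication before reuse. Every register row carries an asset, a process, a threat and an outcome, which is the point of the last answer: the four viewpoints are columns of one table, not competing methods.

```python
"""Asset-based risk register modeled on NIST SP 800-30 (added example).

All assets, processes, threat events and ratings below are constructed
for illustration and are not real COPA Airlines data.
"""
from dataclasses import dataclass

# Qualitative scale used for likelihood, impact and level of risk (1..5).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# ASSUMPTION: approximates SP 800-30 Rev. 1 Table I-2. Rows are likelihood,
# columns are impact, both indexed 0..4 in LEVELS order; cell is level of risk.
RISK_TABLE = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],        # likelihood Very Low
    ["Very Low", "Low", "Low", "Low", "Moderate"],             # likelihood Low
    ["Very Low", "Low", "Moderate", "Moderate", "High"],       # likelihood Moderate
    ["Very Low", "Low", "Moderate", "High", "Very High"],      # likelihood High
    ["Very Low", "Low", "Moderate", "High", "Very High"],      # likelihood Very High
]

PROP_NAMES = {"C": "confidentiality", "I": "integrity", "A": "availability"}


@dataclass
class InfoAsset:
    name: str
    classification: int   # confidentiality rating 1..5 from data classification
    supports: dict        # business process -> criticality 1..5 of that process

    def impact(self, prop: str) -> int:
        """Value the asset per security property.

        Confidentiality comes from the data classification; integrity and
        availability inherit the criticality of the most critical process
        that depends on the asset (a process-based high-water mark).
        """
        if prop == "C":
            return self.classification
        if prop in ("I", "A"):
            return max(self.supports.values())
        raise ValueError(f"unknown property {prop!r}")


@dataclass
class ThreatEvent:
    description: str
    asset: InfoAsset
    prop: str        # which of C/I/A the event degrades
    likelihood: int  # 1..5


def risk_level(likelihood: int, impact: int) -> str:
    """Combine likelihood and impact ratings into a qualitative level of risk."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be rated 1..5")
    return RISK_TABLE[likelihood - 1][impact - 1]


def build_register(events):
    """Produce register rows (asset, process, threat, outcome, risk), highest risk first."""
    rows = []
    for ev in events:
        impact = ev.asset.impact(ev.prop)
        rows.append({
            "asset": ev.asset.name,
            "process": max(ev.asset.supports, key=ev.asset.supports.get),
            "threat": ev.description,
            "outcome": f"loss of {PROP_NAMES[ev.prop]}",
            "likelihood": LEVELS[ev.likelihood - 1],
            "impact": LEVELS[impact - 1],
            "risk": risk_level(ev.likelihood, impact),
        })
    rows.sort(key=lambda r: LEVELS.index(r["risk"]), reverse=True)
    return rows


# Constructed sample assets (illustrative only).
RESERVATION_DB = InfoAsset("passenger reservation database", 4, {"ticketing": 5, "check-in": 5})
SCHEDULE_FEED = InfoAsset("public flight schedule feed", 1, {"flight operations": 5})
TRAINING_RECORDS = InfoAsset("crew training records", 3, {"crew scheduling": 2})

# Constructed sample threat events (illustrative only).
SAMPLE_EVENTS = [
    ThreatEvent("ransomware encrypts reservation database", RESERVATION_DB, "A", 3),
    ThreatEvent("schedule feed scraped by a third party", SCHEDULE_FEED, "C", 5),
    ThreatEvent("schedule feed altered in transit", SCHEDULE_FEED, "I", 2),
    ThreatEvent("training records disclosed", TRAINING_RECORDS, "C", 2),
]


def sample_register():
    return build_register(SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in sample_register():
        print(f"{row['risk']:9} | {row['asset']} | {row['process']} | {row['threat']} | {row['outcome']}")
```

Note how the same asset lands at opposite ends of the scale depending on the property threatened: the public schedule feed rates "Very Low" for disclosure even at very high likelihood, because confidentiality is valued from its classification, yet "Moderate" for tampering at low likelihood, because integrity inherits the criticality of flight operations. That is the asset-, process-, threat- and outcome-based views working together in one assessment.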
Corlett, J. (2014). Systems Theory Applied to Organizations. Web.
Grispos, G., & Glisson, W. (2014). Rethinking Security Incident Response: The Integration of Agile Principles. Web.
Kim, D., & Solomon, M. (2013). Information Security and Assurance Textbook: Fundamentals of Information Systems Security. Burlington, MA: Jones & Bartlett Learning.
Mele, C., Pels, J., & Polese, F. (2015). A Brief Review of Systems Theories and Their Managerial Applications. Service Science, 2(1), 126-135.