As one of the key risk management practices, strengthening information security management benefits a company by limiting the vulnerabilities of, and the threats to, its assets. In the given case study, Random Widget Works (RWW) shows serious weaknesses in its information security management that expose the company to real security threats. The company should therefore have handled the following issues differently.
The first issue that should have been handled differently is the management of information security itself. At RWW this is hazardous because no policy governs the management of the information security systems, so the company's information security needs are not adequately addressed. The company needs an information security management policy as part of its strategic planning, and the chief information security officer (CISO) should draft the policy proposal and present it for deliberation at the executive level. The CISO needs to ensure that the policy sets out the criteria for classifying the company's security needs and for identifying which of them are urgent. To make the policy workable, the CISO is responsible for making it visible and understood, which is achieved by training the security planning team on the content and meaning of every clause in the policy document. This will enable the company not only to identify its information security needs but also to generate solutions promptly (Baskerville and Siponen, 2002).
Beyond the lack of a management policy, RWW also needs to maintain the security, confidentiality, integrity and availability of its own data through a data classification program. Although the CISO had identified classification criteria, the company's data still lies in disarray. To protect its data, the company needs a data classification policy that identifies the types of data it holds, so that an inventory of all information assets can be made. The next step is to decide the level of protection required for each information asset. This should be followed by a rigorous labeling exercise and by training all staff on the implications of the policy and the penalties for violating it (Cardinali, Maraziti and Selvi, 2003).
The company already had a mechanism intended to prevent unauthorized access to its database through hacking. However, as set up, that mechanism still left the company exposed, because its information security measures did not reliably protect against intrusion from outside. To secure its database against unauthorized access, RWW ought to have installed a multi-layered firewall architecture made up of different types of firewalls, so that external traffic passes through more than one control before it can reach internal systems. Such an architecture requires meticulous planning and implementation to succeed. Among the firewalls to be installed should be an application-layer firewall or mail gateway that inspects inbound mail and rejects messages from anonymous or unverified sources, reducing the chance that malware reaches the company's data by e-mail (Scarfone and Hoffman, 2009). A firewall only restricts which network paths exist; the database itself must still enforce its own authentication and access controls for the users and servers that are allowed through.
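To make the layered architecture concrete, the following is an added example, written for this page rather than taken from the case study or from Scarfone and Hoffman (2009). It models a screened-subnet design: an outer firewall between the Internet and a DMZ, an inner firewall between the DMZ and the internal network, each with an ordered, default-deny rule set. The address plan (documentation ranges), host roles and port numbers are assumptions chosen for illustration and are not RWW's real network.

```python
"""Screened-subnet firewall policy modelled as two ordered, default-deny rule sets.

Added example; the address plan and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str                # CIDR the source address must fall in
    dst: str                # CIDR the destination address must fall in
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


# Constructed address plan (RFC 5737 documentation ranges), an assumption for this example.
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
INTERNAL = "10.10.0.0/16"
MAIL_RELAY = "192.0.2.25/32"     # DMZ mail gateway that screens inbound mail
APP_SERVER = "192.0.2.80/32"     # DMZ web front end
DB_SERVER = "10.10.5.10/32"      # internal database server
MAIL_SERVER = "10.10.5.25/32"    # internal mail store

# Outer firewall: Internet <-> DMZ. First match wins; anything unmatched is dropped.
OUTER: List[Rule] = [
    Rule(ANY, MAIL_RELAY, "tcp", 25, "allow", "inbound mail terminates on the DMZ relay"),
    Rule(ANY, APP_SERVER, "tcp", 443, "allow", "public web application"),
    Rule(INTERNAL, ANY, "tcp", 443, "allow", "internal users browsing out"),
    Rule(ANY, INTERNAL, "any", None, "deny", "no direct path from outside to the internal network"),
]

# Inner firewall: DMZ <-> internal network. Only named DMZ hosts reach named internal hosts.
INNER: List[Rule] = [
    Rule(APP_SERVER, DB_SERVER, "tcp", 5432, "allow", "only the application tier may query the database"),
    Rule(MAIL_RELAY, MAIL_SERVER, "tcp", 25, "allow", "relay hands screened mail to the internal server"),
    Rule(INTERNAL, ANY, "tcp", 443, "allow", "internal users browsing out"),
    Rule(DMZ, INTERNAL, "any", None, "deny", "a compromised DMZ host gets nothing else"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule; no match means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def zone(addr: str) -> str:
    ip = ip_address(addr)
    if ip in ip_network(INTERNAL):
        return "internal"
    if ip in ip_network(DMZ):
        return "dmz"
    return "internet"


# Which firewalls a packet crosses, in order, for each (source zone, destination zone).
PATHS = {
    ("internet", "dmz"): [OUTER],
    ("internet", "internal"): [OUTER, INNER],
    ("dmz", "internal"): [INNER],
    ("dmz", "internet"): [OUTER],
    ("internal", "dmz"): [INNER],
    ("internal", "internet"): [INNER, OUTER],
}


def traverse(pkt: Packet) -> Tuple[str, List[str]]:
    """A packet is allowed only if every firewall on its path allows it."""
    src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
    if src_zone == dst_zone:
        return "allow", ["same zone: not mediated by either firewall"]
    trace = []
    for tier in PATHS[(src_zone, dst_zone)]:
        action, why = evaluate(tier, pkt)
        trace.append(f"{'outer' if tier is OUTER else 'inner'}: {action} ({why})")
        if action == "deny":
            return "deny", trace
    return "allow", trace


if __name__ == "__main__":
    # Constructed sample packets: an Internet host trying the relay and then the database directly.
    for p in (Packet("203.0.113.7", "192.0.2.25", "tcp", 25),
              Packet("203.0.113.7", "10.10.5.10", "tcp", 5432),
              Packet("192.0.2.25", "10.10.5.10", "tcp", 5432)):
        print(p, *traverse(p))
```

The point of the two tiers is visible in the third sample packet: even if the DMZ mail relay were compromised, the inner firewall still refuses it a connection to the database, because only the application server is listed as a permitted source. The outer rule set never mentions the database at all; outside hosts cannot reach the internal range directly, and any port that is not explicitly opened falls through to the implicit deny.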
In this case study the company's weaknesses in information security management are a symptom of weaknesses in its overall operational policy. That policy has major gaps and is therefore not cognizant of the company's real security needs. For RWW to deal effectively with its information security management, it needs an overhaul of its general operational policy.
List of references
Baskerville, R. and Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics Information Management. Web.
Cardinali, G., Maraziti, F. and Selvi, S. (2003). Electrophoretic data classification for phylogenetics and biostatistics. Bioinformatics. Web.
Scarfone, K. and Hoffman, P. (2009). Guidelines on firewalls and firewall policy. NIST. Web.