TyroCity

Discussion on: Risk Management and Mitigation risks

DIPA_DHUNGANA

Information is the key asset for any organization. These days, most organizations rely on the internet and other technologies for managing their business information, so they should be well aware of the issues, risks and threats associated with these systems and of the ways to manage and mitigate them (Keller, Powell, Horstmann, & Crawford, 2005). The steps an organization can take to deal with the risks associated with information security are:

Identify Applicable Threats

Threats/risks must be identified before they can be managed. A threat can be anything that could affect the confidentiality, accuracy and availability of the system or network. Threats can arise from human or environmental factors (Jenkins, 1998). The possible threats to an information system consist of malware, botnets, information leakage, phishing and distributed denial of service, which may result from intentional, unintentional, natural or fabricated factors like hacking, spam, information theft, misuse of data, war, industrial accidents and natural calamities (Wallace, 2015).

Assessing Vulnerability

After the identification of threats, the level of risk is measured by assessing the interrelationship between threats and vulnerabilities. A vulnerability is a condition of weakness that allows the system to be exploited by the threats. Assessing the vulnerabilities associated with the identified threats helps in determining the effectiveness of the existing security system, identifying the security gaps and looking for ways to fill those gaps. A risk matrix is used to assess the vulnerability. It provides an idea of which systems should be paid the most attention in order to prevent the risks (Wallace, 2015).

Security Controls

After assessing the vulnerability, administrative and technical security control measures are implemented to secure the system. Administrative security controls refer to the policies, processes and incident response plans directed towards enhancing information security. They set the control mechanisms to avoid the potential threats posed by staff, customers, vendors and suppliers. The detailed plan to identify the threats, determine the cause, preserve the evidence and recover the system is incorporated in the administrative security controls. Technical security controls are related to authentication strategies, encryption and intrusion prevention to limit data access. They aim at preventing unauthorized parties from interacting with the system, accessing the business information and manipulating available data (Wallace, 2015). It is equally important to ensure that former employees, or anyone else who was associated with the organization, will no longer be able to access the data once they quit or leave the company.

Review

The implemented security control measures are to be reviewed frequently to evaluate whether they are operating as expected or not. This will let the organization know about the necessary updates and changes they have to incorporate in the control measures to mitigate and manage the threats.

Since the major decisions are based on the available information, it is important to ensure information security. So the above-mentioned steps can be followed to mitigate the threats/risks associated with the information system and make business operations efficient by utilizing the secured information properly.

References

Jenkins, B. D. (1998). Security Risk Analysis and Management. Countermeasures, Inc. Retrieved from nr.no/~abie/RA_by_Jenkins.pdf

Keller, S., Powell, A., Horstmann, B., & Crawford, M. (2005, March). Information Security Threats and Practices in Small Businesses. Information Systems Management, 22 (2), 7-19. doi:10.1201/1078/45099.22.2.20050301/87273.2

Wallace, P. (2015). Introduction to Information Systems (2nd ed.). New Jersey: Pearson Education, Inc.
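An added worked example of the risk matrix step described in the post (example code, not part of the original post or its cited sources): a small risk register whose entries are constructed, pairing threats from the post's list with hypothetical systems, likelihood and impact ratings on a 1-5 scale. The score thresholds for the Low/Medium/High/Critical bands are assumptions; an organization sets its own.

```python
from dataclasses import dataclass

# Rating scale shared by likelihood and impact (assumed 5x5 matrix).
LEVELS = {1: "very low", 2: "low", 3: "moderate", 4: "high", 5: "very high"}
BANDS = ["Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class RiskEntry:
    system: str      # asset the threat applies to
    threat: str      # threat from the identification step
    likelihood: int  # 1-5, how probable the threat is realised
    impact: int      # 1-5, how badly confidentiality/accuracy/availability suffer

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if value not in LEVELS:
                raise ValueError(f"{name} must be 1-5, got {value!r}")


def risk_score(entry: RiskEntry) -> int:
    """Cell value in the matrix: likelihood multiplied by impact (1..25)."""
    return entry.likelihood * entry.impact


def risk_band(score: int) -> str:
    """Map a matrix score to a band (assumed thresholds, not from the post)."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_register(register):
    """Highest risk first; ties broken by impact, since impact is harder to reduce."""
    return sorted(register, key=lambda e: (risk_score(e), e.impact), reverse=True)


def attention_list(register, min_band="High"):
    """Systems that need the most attention: every entry at or above min_band."""
    floor = BANDS.index(min_band)
    return [e.system for e in rank_register(register)
            if BANDS.index(risk_band(risk_score(e))) >= floor]


# Constructed sample register; systems and ratings are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("customer database", "information leakage", 3, 5),          # 15
    RiskEntry("public web server", "distributed denial of service", 4, 3),  # 12
    RiskEntry("staff workstations", "phishing", 5, 3),                    # 15
    RiskEntry("file share", "malware", 3, 2),                             # 6
    RiskEntry("network printer", "misuse of data", 1, 1),                 # 1
]

if __name__ == "__main__":
    for entry in rank_register(SAMPLE_REGISTER):
        score = risk_score(entry)
        print(f"{risk_band(score):8} {score:2}  {entry.system:20} {entry.threat}")
```

The printed table is the review input the post calls for: when a control is added or a rating changes, re-run the register and confirm the system moved down a band.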