Management Of Information Security


Introduction

Information plays an increasingly important role in how today's business organizations attain and maintain a competitive edge over their rivals. Information exists in several forms, including printed material and data stored on electronic devices, the latter being easy to copy and transfer electronically. In a highly competitive business landscape, valuable information about an organization's business plans, operations and inner workings is under continuous threat from many sources, which may be internal or external, natural disasters, accidents, or malicious software (Raggad, 2010).

Business organizations are increasingly using new technologies to store, transfer and receive information from a wide variety of sources. This exposes them to a growing number and variety of threats, and calls for a comprehensive Information Security Management programme covering every aspect of information security in the organization (Bocij, Greasley & Hickie, 2008).

Information Security Standards

Many government departments and agencies, special interest groups and standards organizations have, after much research into the subject, developed comprehensive information security assessment tools that any organization can use as a guide to assess whether its information security practices follow recognized standards. These tools and standard models can also help in devising an effective information security policy that protects sensitive information and prevents it from ending up in the hands of those not authorized to access it. One such guide is the "Security Self-Assessment Guide for Information Technology Systems (SP 800-26)" developed and published by the National Institute of Standards and Technology (NIST), which provides general guidelines, organized as a questionnaire of management, operational and technical control objectives, for implementing an effective and comprehensive information security policy in a business organization. (NIST has since withdrawn SP 800-26 in favour of its SP 800-53 control catalogue and SP 800-53A assessment procedures, so an organization using the guide today should map its findings to the current controls.) This paper presents the self-assessment of a business organization, ABC Insurance Company, in the light of the practices set out in the SP 800-26 document. The paper then proposes recommendations in the areas of management, operational and technical controls, based on an analysis of the self-assessment results.

Discussion

Organization

ABC Insurance Company is an insurance provider specializing in general and product liability insurance. Its general liability business covers accidents and injuries, while its product liability business protects companies in the manufacturing and retail sectors against financial losses resulting from defective products.

Result of Assessment

ABC Insurance Company still operates on 1980s technology, and its basic information system infrastructure does not follow recommended practices. There is no distinction between a Local Area Network (LAN) and a Wide Area Network (WAN); the network consists of roughly 3,000 dumb terminals linked by coaxial cable to the mainframe. In addition, ABC Insurance Company previously acquired a small insurance company whose application now runs on ABC's mainframe. A proprietary security system currently provides only basic access controls for the applications running in the online (interactive) environment; nothing outside that online environment, such as batch jobs or the data sets on which the applications depend, is subject to access control. The assessment of information ...