Information Security and Survivability
Information security refers to preserving the confidentiality of information against every possible danger. In the highly competitive world of today, information needs to be protected from any kind of unauthorized access, disclosure or disruption (Stamp, 2005). Information is considered an important asset of an organization, crucial to its efficient running, and thus needs to be suitably protected.
Every organization has confidential information stored in its systems about its employees, customers, products or services and financial condition, which needs to be protected from intruders; providing security for information systems is therefore of the utmost importance. If the information is not kept protected from others, especially competitors, the company might lose its sales and profits to those competitors. Information security applies to the organization as a whole and is intended to protect the information from everyone, even the employees of the company (Stamp, 2005).
To achieve information security, various tools and techniques are available to protect information from any possible danger. The policies, procedures, organizational structures, software and hardware available for the task are collectively referred to as a set of controls. These controls need to be properly implemented and monitored to ensure that security remains intact and the organization is able to achieve its objectives with its information secured.
The tools vary with the type of information security. For example, where internet security is concerned, information can be protected by installing firewalls or proxies. Organizations hire security professionals who establish systems to ensure the protection of valuable information. The protection of information is called ‘Information Security Management’, which is designed to ensure that enterprise information and data are protected while being used, shared, stored or transmitted, both inside and outside the organization. When an organization ensures that its data is protected, its operational foundation becomes strong and it carries on its processes without any risk of information leakage or loss.
Information survivability, on the other hand, refers to keeping information alive: ensuring that information is able to survive in the organization through appropriate storage systems. Information survivability is the capability of a system to survive in the face of failures, attacks and accidents and to continue providing the information people need in a timely manner (Stamp, 2005).
A survivable storage system should be used to ensure that information is available and continuously accessible without any threat to its confidentiality. Such systems should be designed to survive component failures and malicious attacks by others, so that information is kept secure and protected. When a survivability approach is combined with information security, the risk factor is eliminated through risk management and contingency planning. Today, businesses need information survivability alongside the security of their information, because accidents and failures can result in the loss of critical information without which a business cannot progress (Dhillon, 2006).
Business continuity refers to the continued operation of a business despite a disaster or extended disruption. It is about how efficiently a business can recover from a disaster, recover its data and, most importantly, continue functioning in the same manner afterwards. The process by which a company plans to recover completely or partially after a disaster is called ‘Business Continuity Planning’. Disruptions, accidents and disasters can occur at any time without notice; therefore, organizations need to plan for how they will function during contingencies.
A Business Continuity Plan ensures that an organization is capable of staying in business and running in the same manner in the event of a contingency. Such incidents, like a fire in the company building, an earthquake or any other natural disaster, occur very rarely. When these events do happen, businesses need to have plans for staying in business, or else they cease to exist. This purpose is served by the Business Continuity Plan (Trcek, 2005). Business continuity is also closely integrated with information security, survivability and risk management, because it helps a business to survive at the time of a disaster and to manage the risk associated with it.
There are different systems and procedures for achieving continuity in business operations. One way is to install a virtual infrastructure that cannot be damaged by natural disasters or fire. Similarly, there are other business continuity management systems, which organizations choose according to the needs and requirements of their business. Solid IT strategies should be used not only to protect data but also to ensure its recovery in the event of a disaster. An example of one such system used by organizations is Radware.
Changing trends in information security
As competition in the business environment increases, threats are becoming more dangerous and faster. Dealing with these threats requires solutions that are not only fast but also smart enough to remove the problem at its root. Malicious attacks on systems and the hacking of information have become very common these days. The hacking industry has become smarter than ever before, trying to collect confidential information by breaking through protective systems. Therefore, the issue of information security has become more critical and complex over the years and requires more money, more skill and more time for managing the security infrastructure (Trcek, 2005).
The trend is shifting towards automated security systems with automated processes for managing security issues. These systems are expensive compared to traditional information management systems, but they have greater efficiency and performance capabilities. They are designed to protect information intelligently from hacking or intrusion by others. Consumers of internet services are also being charged extra for security measures, and people are ready to pay a premium for them because of the vulnerability of crucial information. Information is moved not only within a company but also to stakeholders outside the company, which increases the risk associated with the transfer.
The trend is also towards increased complexity and cost in information security. Since hacking and threats have increased, complex systems need to be built to prevent the loss or unauthorized access of information, which requires more money. People consider information an asset of their organization, so they are willing to spend millions to safeguard it from their enemies, as this contributes to their success as well as their profits. Demand for information security has also increased because people have started to work outside their offices while continuing to share information.
Files are transferred over the internet from one system to another; these files can be attacked during transfer, so a company needs to ensure that its file transfers are also safe and secure. Older systems have become less effective, to the point that an organization’s executives cannot even sleep soundly. They are continuously worried about their information being hacked, which has caused a trend towards increased anxiety, and they have increased their budgets to enhance their security level. Solutions have evolved over the past years through much scientific research and development to ensure that systems are safe and secure from hacking, attacks and other kinds of intrusion (Dhillon, 2006).
Moreover, there is also an increasing trend towards online transactions, in which people provide their confidential credit card information over the internet, where it is vulnerable to hackers and can easily be stolen. There have been attacks on online payment systems in which people have lost the money in their accounts to hackers. This trend has created a problem for companies whose products are not bought online because of the threat to confidential information.
Data breaches have become an increasing trend in information security, due to which the effectiveness of loss prevention technologies has decreased. Secondly, the introduction of Microsoft Vista gave hackers an opportunity to exploit the holes in it and steal valuable information by releasing viruses into systems. Spam also reached record high levels that year, through e-mail, documents and even greeting cards. Another trend was the increased availability of professional attack kits, for example the Mpack toolkit. Phishing through websites also increased considerably over the last year, especially against financial institutions, where information disclosure can cause severe losses to a business.
Besides this, there is also an increasing trend towards hacking through social networking sites, where attackers wait for users and enter their systems as soon as they start accessing a particular website. Another threat to information security is ActiveX controls, which are downloaded by users and can steal valuable information. A further increasing trend is the spread of virtualization, which has given hackers an opportunity to threaten the critical information of companies. People use virtual machines because they are fast and easy to use, but they do not see the consequences of using such machines, which expose them to more threats and vulnerabilities.
Thus, these trends in information security have proved to be a threat to the availability, integrity and confidentiality of information, and effective systems must be designed to cope with this problem. IT professionals and researchers are continuously inventing systems with increased capabilities and efficiency for protecting information (Trcek, 2005).
Disaster Recovery Plan
A disaster recovery plan is similar to a business continuity plan, but it does not ensure that the business is able to function in the same manner after recovery. A disaster recovery plan is made by companies to recover their data and information systems in the event of a disaster or natural disruption. The plan restores access to data, communications, workspace and other business processes. It does not involve making the organization able to operate in the same manner as before (Stamp, 2005). Most companies have business continuity plans, but some companies only have a disaster recovery plan, for their own various reasons.
Disaster recovery plans are important for businesses because without them a company cannot recover from a disruptive event. Insurance companies and similar bodies can only help in recovering the damages and provide monetary relief, but none of them can recover the business and its important data. Disaster recovery plans provide the company once again with the data and communications that can be used to operate the business. Though a disaster recovery plan is part of a wider business continuity plan, some companies use only the disaster recovery plan because it fits their requirements and budget.
A disaster recovery plan provides certain benefits to a business, due to which such plans are widely used by organizations. Firstly, in the event of a contingency, a plan already exists for dealing with it, avoiding any waste of time or resources. It also makes the decision-making process faster, because the situation has already been analyzed while preparing the plan. It increases the confidence of the business, as well as of the employees working for it, that the business will continue even after a disaster and that their jobs are safe. Back-up information and documents are available in case the originals have been destroyed in the disaster, and the availability of stand-by systems is also guaranteed.
The valuable human resources of a company are not lost, because planning ahead boosts the confidence of the employees and strengthens their relationship with the company. Naturally, companies start firing employees when they are hit by an unplanned incident, but in the presence of a disaster recovery plan the jobs of the employees remain intact and they have no fear of being terminated. The plan also gives company executives and managers an opportunity to improve their abilities and plan ahead for unforeseen situations.
Overall, the disaster recovery plan ensures that the business will not fail in the event of any disaster and will continue to operate through efficient recovery of data and other business processes. The plan should include the recovery of the information and functions which are critical to the running of a business. Recovery strategies should be designed for the efficient recovery of the business.
As soon as a disaster occurs, the plan should be put into action to recover valuable information, because delay can result in the loss of this crucial data. Thus, most companies only use disaster recovery plans because they efficiently meet the requirements of businesses and provide several advantages (Peltier, 2001).
Seriousness of Information Security
Establishing and maintaining information security in organizations has become a priority for all businesses if they are to run efficiently. Information security systems are widely needed today to maintain the confidentiality and privacy of information. This has become a serious problem for companies because hackers and attackers have come up with smarter ways of intruding into a company’s critical information and exploiting it for their own uses, to beat competitors out of the industry.
Companies need to secure their information especially from their competitors, because these days companies use unethical practices to occupy the largest market share and become the market leader. Companies have begun to realize the seriousness of the issue and are devising ways and means through which they can protect their information from any possible leakage or disruption. Computer viruses and malicious attacks are threatening the success of organizations, due to which information security has become a serious problem in today’s world. Computers can be hacked and infected today in less than a minute through the internet, because most of them are unprotected (Egan and Mather, 2004).
Some people think that deploying technologies like proxy servers, antivirus software and firewalls will rid them of security problems and that their systems will be protected from all kinds of malware and attacks. This is not true; they are actually underestimating the risks to which they are exposed by handling valuable information. Some people have even taken up hacking the accounts and e-mail addresses of their colleagues, and keeping a check on their systems, as a hobby. As the world becomes more high-tech, people are always on the brink of information loss and theft. Nobody can be trusted, so information should be protected from everyone within the company as well as outside it.
What adds to the problem of information security is that clear solutions do not yet exist for preserving information from all kinds of theft and attack. Hackers are getting smarter and IT professionals are still lagging behind. Threats to information security have become a leading problem for all businesses, and they need to cope with them efficiently with the help of IS and IT specialists. The different kinds of threats are: viruses, worms and other malware; spyware, adware and Trojans; rootkits, identity theft and data security breaches; web threats, e-mail and messaging threats; and hacking tools and techniques.
All of these have given rise to the seriousness now associated with the problem of information security, which organizations have realized and are working to solve, or else they will lose their business to others. Protecting information is vital for the success of an organization over its competitors and for gaining a leading position in the market; therefore, information security presents a serious concern for all executives, professionals and managers (Thuraisingham, 2005).
Ways for securing a company’s information
Different tools and technologies have been developed to protect a company’s information and prevent it from being lost, damaged or disclosed to others. These ways are discussed in the following points (Egan and Mather, 2004):
- Information systems can be protected through ‘secure operating systems’. These systems contain operating system kernel technology and are based on certain security policies which protect the system from being exposed to any risk or threat. (Trcek, 2005)
- A security architecture is also deployed in certain organizations to ensure that information is safe and secure. It is a plan in which security controls are placed at the points where there is a risk of losing critical information.
- Firewalls are increasingly used by Internet users to protect their information, but they do not provide protection against unpatched vulnerabilities, so reliance on them should be limited.
- For efficient and secure transmission of data between systems, cryptographic techniques are widely used for protecting this exchange of information.
- Another widely used way for securing information from loss and disruption is ‘back-ups’. It means storing a copy of information on another medium so that in case of any loss the information is easily available.
- There are also authentication and chain-of-trust techniques, which ensure the authenticity of systems.
Many different technologies have been invented which use these systems to protect information and information systems from malicious attacks, both from inside and outside the organization. (Peltier, 2001)
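The back-up and authentication points above are easiest to see together. The following Python is an added example written for this page, not code from the paper or from any of its cited authors: it builds an integrity manifest (a SHA-256 digest per file) for a constructed backup set, authenticates the manifest with an HMAC key kept off the backup medium, and shows that a restore detects both an altered file and a forged manifest. All file names, file contents and the key are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record the digest of every file in the backup set, keyed by file name.
    The manifest is what lets a restore detect a corrupted or altered copy."""
    return {name: sha256_hex(content) for name, content in sorted(files.items())}


def sign_manifest(manifest: dict[str, str], key: bytes) -> bytes:
    """HMAC-SHA256 tag over the canonical JSON form of the manifest.
    Without this, whoever alters a backup file can simply rewrite its digest
    in the manifest too; with a key kept off the backup medium they cannot."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).digest()


def verify_backup(files: dict[str, bytes], manifest: dict[str, str],
                  tag: bytes, key: bytes) -> list[str]:
    """Return the list of problems found; an empty list means the backup is intact.
    The manifest tag is checked first: if the manifest itself is untrusted,
    the per-file digests prove nothing."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest authentication failed"]
    problems = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected):
            problems.append(f"modified: {name}")
    for name in sorted(files):
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems


# Constructed sample backup set (hypothetical file names and contents).
SAMPLE_FILES = {
    "payroll.csv": b"employee,salary\nalice,5000\nbob,4200\n",
    "contracts.txt": b"Contract 17: supply agreement, signed 2005-03-01\n",
}


def demo(key: bytes = b"") -> dict[str, list[str]]:
    """Run the three cases a practitioner cares about: clean restore,
    silently altered file, and forged manifest. Returns the verify results."""
    key = key or secrets.token_bytes(32)  # in practice stored apart from the backup medium
    manifest = build_manifest(SAMPLE_FILES)
    tag = sign_manifest(manifest, key)

    # Case 1: a faithful copy restores cleanly.
    clean = verify_backup(dict(SAMPLE_FILES), manifest, tag, key)

    # Case 2: one file altered on the backup medium; its digest no longer matches.
    altered = dict(SAMPLE_FILES)
    altered["payroll.csv"] = b"employee,salary\nalice,9000\nbob,4200\n"
    modified = verify_backup(altered, manifest, tag, key)

    # Case 3: the manifest is rewritten to match the altered file, but no valid
    # tag can be produced for it without the key, so the restore refuses it.
    forged_manifest = build_manifest(altered)
    forged = verify_backup(altered, forged_manifest, tag, key)

    return {"clean": clean, "modified": modified, "forged": forged}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'OK'}")
```

Run it directly to see the three cases. The design point is that a manifest of hashes alone only detects accidental corruption, because anyone who can alter the backup can alter its manifest as well; the keyed tag ties the manifest to a secret the backup medium never holds, which is the authenticity guarantee the last bullet asks for. Confidentiality of the data in transit (the cryptographic techniques bullet) is a separate concern and is not covered by this example.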
COSO’s Enterprise Risk Management - Integrated Framework
Enterprise Risk Management (ERM) refers to the process of identifying the uncertain events occurring in an organization’s environment as risks or opportunities and taking full advantage of them to provide value to the stakeholders. This system is designed to deal effectively with and manage the uncertainty prevailing in the environment of an enterprise. It makes full use of the opportunities that may arise from a changing environment and eliminates the risk that results from the change. Its main aim is to enhance the value of the organization in the eyes of its stakeholders.
ERM is important from the point of view of the stakeholders, who want to make profits from having a stake in the company. ERM is able to create that value by identifying the uncertainties in a company’s environment and responding to them in a way which erodes the risk and presents an opportunity for making profits. These systems can also help from the point of view of information security because they manage the risks and threats in a company’s environment. (Jones and Ashenden, 2005)
ISO/IEC 27002
ISO/IEC 27002 is part of the ISO/IEC ISMS standards family, which provides guidelines and recommendations for those involved in the use of Information Security Management Systems. Organizations worldwide follow these standards to ensure good practice in information security. It applies to all kinds of organizations, including commercial enterprises, because it is concerned with information security, and everyone follows the recommendations in this code of practice. In this way organizations ensure that their data is protected and secured from any kind of danger.
This paper has discussed the issue of information security in detail with reference to the changing trends in information security, the seriousness of the issue and ways to protect information, and has also discussed the importance of business continuity and disaster recovery plans. Thus, it is extremely important for organizations in today’s competitive world to secure their information from outsiders, hackers and attackers in order to ensure the continued survival and success of the organization.
Dhillon, Gurpreet (2006). Principles of Information Systems Security: Texts and Cases. Wiley.
Egan, Mark, & Mather, Tim (2004). The Executive Guide to Information Security: Threats, Challenges, and Solutions. Addison-Wesley Professional.
Jones, Andy, & Ashenden, Debi (2005). Risk Management for Computer Security: Protecting Your Network & Information Assets. Butterworth-Heinemann.
Peltier, Thomas R. (2001). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Auerbach.
Stamp, Mark (2005). Information Security: Principles and Practice. Wiley-Interscience.
Thuraisingham, Bhavani (2005). Database and Applications Security: Integrating Information Security and Data Management. Auerbach.
Trcek, Denis (2005). Managing Information Systems Security and Privacy. Springer.