For an organization to gain a larger market share, its management must continuously conduct research to enhance existing services and to develop new products. Smooth Electronics plans the mass production of its new product, HOLD. However, it has discovered that a rival firm, Exigent Pty Ltd, also plans to develop and mass-produce an item very similar to Smooth Electronics' newly developed product.
Smooth Electronics therefore needs to investigate what information about the rival firm's plans is available. Many factors must be taken into consideration in conducting such an investigation. The Smooth Electronics team must adhere to the ethical standards and policies governing information security and information gathering. It is therefore important for Smooth Electronics to be familiar with information security guidelines as well as with the information gathering methods that are considered legal.
Introduction

Information is vital to any organization; it serves as its lifeblood. With information, an organization can continue its operations and eventually develop new products to increase productivity and profitability. Before an organization develops a new product, thorough research and analysis must be conducted to ensure that its development and production are feasible and that customers will buy into the idea. Competition in the business world is strong.
Each establishment wants a bigger market share, so management needs to introduce new products to its customers. By enhancing existing products and services and introducing new ones, customers are satisfied and profitability increases. The management of Smooth Electronics Incorporated has introduced a new product, HOLD (HOLographic Disc). Its research and development team has discovered that the rival firm, Exigent Pty Ltd, is also developing a competing product in the same field.
Smooth Electronics therefore needs to investigate the rival firm's suspected new product. In doing so, however, its research and development team has to consider the security concepts that govern any information belonging to the rival company. It is apparent that no organization willingly divulges or discloses information about itself; it protects that information as confidential.
Given this, Smooth Electronics must still gather information about the rival company's suspected development of a similar product, but the means of gathering it must be legal, and Smooth Electronics must adhere to the ethical standards of information security. There is a management standard designed specifically to guide managers in securing information: ISO 27002, the Code of Practice for Information Security Management.
In securing information, it is worth noting the eleven control areas that the standard sets out as the steps to good security management:
(1) Security Policy: a policy approved and published by management, on which the various security procedures are based;
(2) Organization of Information Security: the structure of people, roles and responsibilities for dealing with security issues, internally and with external parties;
(3) Asset Management: identifying the organization's information assets, assigning owners to them and classifying them by importance, so that each receives the appropriate level of protection;
(4) Human Resource Security: security before, during and at the end of employment, particularly for personnel in key positions;
(5) Physical and Environmental Security: ensuring that physical security precautions match the needs of the company;
(6) Communications and Operations Management: ensuring that information processing facilities are operated, monitored and protected correctly;
(7) Access Control: controlling and monitoring who may access the organization's information and information processing systems;
(8) Information Systems Acquisition, Development and Maintenance: ensuring that new and changed systems meet or exceed the level of protection the previous generation of systems gave to information;
(9) Information Security Incident Management: the process management follows when an incident occurs that can affect the organization;
(10) Business Continuity Management: a strategy to reduce the impact of undesirable events on business processes; and
(11) Compliance: ensuring that the organization meets the legal and regulatory requirements for managing information.
(http://security.practitioner.com/introduction/infosec_3_1.htm)

Information Security Concepts

In any organization, management must be able to identify the information that is essential to its continued operation.
It is information that allows a company to sustain its operations and to continue giving the best service to its clients.
Information is the basis of a company's success; a successful company manages its information using means that have been proven and tested. With information, all business transactions can be managed and dealt with accordingly, the quality of services can be improved, and new products can be developed for customers. It is equally important for an organization to understand the three basic concepts of securing information: confidentiality, integrity and availability. A loss of confidentiality occurs when information is read or copied by an unauthorized person. A loss of integrity occurs when information is modified in unexpected ways or corrupted.
A loss of availability occurs when information becomes inaccessible to those who need it. To prevent such losses, management must prevent unauthorized access to the organization's information. (Pesante, 2008) The securing of information in an organization is organized through a process called an Information Security Management System (ISMS). In this process, the risks the organization may encounter are continuously analyzed, assessed and managed, applying strategies to reduce the consequences the organization may suffer. In addition, an organization should work by the nine principles of information systems security.
These nine principles, which originate in the OECD Guidelines for the Security of Information Systems and Networks, are as follows:
(1) awareness: users must be aware of the need for information security and of what they can do to enhance it;
(2) responsibility: everyone is responsible for the security of information;
(3) response: everyone must cooperate with management to prevent, detect and respond to security incidents;
(4) ethics: all users must respect the legitimate interests of others;
(5) democracy: information security systems must be compatible with the essential values of society;
(6) risk assessment: risk assessment must be conducted continuously to ensure the safety of information;
(7) security design and implementation: everyone must understand the need to incorporate security as an essential element of information systems;
(8) security management: management must apply a comprehensive approach to managing security in information systems; and
(9) reassessment: everyone must review and reassess the security of information systems and make appropriate improvements to the existing policies, practices and procedures.
(http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf)
Information comes in various forms: electronic data, documents and papers, the systems on which information is stored, intellectual information such as knowledge and experience, and items from which information may be derived. All of these support management in decision making. Management is responsible for securing all types of information, since their loss can affect the success of the organization; it is also responsible for identifying the importance of the company's information assets and the strategies and measures that will secure them. Proper safeguards must be applied so that the company's confidential information does not become known to the rival firm. (http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf)

Information Security Management System (ISMS) and Risk Assessment

For an organization to manage its information resources effectively, it needs a properly documented management system in place to ensure that all processes necessary to carry out its plans are implemented. Risk assessment is also needed so that risks and untoward incidents can be prioritized and handled properly. An Information Security Management System is the process of establishing and ensuring that a company's information assets are well managed through the application of appropriate means. The quality of an ISMS implementation depends on the training and awareness of the people assigned to operate it. Information security is one aspect of business security.
Management must safeguard information assets, which involves procedures, people's behaviour and technology. The primary purpose of information security is to avoid security failures. Risk management involves establishing the context for risk management, identifying the possible risks to information assets, evaluating the risk treatment options, and selecting and implementing cost-effective treatments. Management must manage risks continually in order to manage the company's information properly. (http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf)
Aside from management's commitment to implementing information security, there are a number of critical success factors: a realistic assessment of the security risks involved, appropriate awareness training for all staff, and processes to measure the effectiveness of the ISMS. Indicators of an effective ISMS implementation include business unit managers taking responsibility for the security of the information used in their operations, regular review of information security products to ensure cost-effective operation, and the accountability of all individuals for any security breaches. (http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf)
Risk assessment in information security is an ongoing process of discovering, correcting and preventing security problems. It lets management know how to deal effectively with undesirable events that might happen. It is part of risk management and is designed to provide appropriate levels of security for information systems; it also helps an organization determine the acceptable level of risk and the security requirements for each system. The risk assessment proceeds in three phases: (1) the System Documentation Phase, (2) the Risk Determination Phase and (3) the Safeguard Determination Phase.
The first phase documents the system's identification, its purpose and description, and its security level. The second phase identifies threats and vulnerabilities, describes the risks, identifies existing controls, and determines the likelihood of occurrence, the severity of impact and the resulting risk levels; it is in this phase that the team decides whether controls that are currently implemented are to be credited. The last phase, safeguard determination, recommends controls and safeguards and determines the residual likelihood of occurrence and the residual risk levels. (http://www.mass.gov/)

Information Security Process

The first step in information security is scope definition.
At this stage there are many factors to consider, such as the set of stakeholders, the proxies and interests that represent those stakeholders, the legal requirements, and the importance of public visibility of assurance. The threat assessment process considers factors such as a stocktake of assets, the nature of threats, the sources of threats and the situations in which threats arise. These situations include several locations: within manual processes, within content and data storage, within the physical premises that house facilities connected to the system, within the organization's computing and communication facilities, and within the supporting infrastructure.
The third process, vulnerability assessment, examines the susceptibilities within the system so that all risks are identified and managed properly. Risk assessment, in turn, considers the likelihood of a threatening event exploiting a vulnerability and the resulting harm. The cost of risk mitigation can be very high in some cases. These costs may include managers' time for planning and control, operational staff time, loss of service, additional media, duplicated hardware and networks, and contracted support from warm sites. The next process, the risk management strategy, specifies the approaches to be used: proactive strategies, reactive strategies and non-reactive strategies.
The Security Plan stage covers the implementation of the security plan, which should be subject to strong project management. The last stage, the security audit, periodically reviews the mechanisms in use and evaluates their outcomes. (http://www.rogerclarke.com/EC/IntroSecy.html#ISProc)

Information Security Responsibilities and Duties

For an organization to implement information security, it is important that management understands its role in implementing the information security policy. A defined set of responsibilities and duties for each person involved directs them in how they are to perform the tasks assigned to them.
The general statement on information system security is that any information system used to capture, create or store classified information must be managed so as to prevent unauthorized access to the information, to preserve the integrity of the data, and to ensure that the data and the system remain available. The responsibilities of the IS Security Manager include ensuring the development and presentation of IS security education and training for facility management and users, establishing the documentation for the IS security program, identifying local threats and vulnerabilities, ensuring the development of facility procedures, and developing and implementing remote maintenance procedures. The protection measures required for information must also be specified.
These are expressed as levels of concern, using an information sensitivity matrix and a level of concern for each of confidentiality, integrity and availability. (http://www.fas.org/sgp/library/nispom/change_ch8.htm)

Passive Information Gathering

No matter how much security is applied to an organization's information, some of it leaks, and the leaked information may be used by a competitor for whatever purpose serves it. A number of passive information gathering techniques can be used to collect such information from publicly available sources, without directly probing the target's systems: Internet service registration, the Domain Name System (DNS), search engines, email systems, naming conventions and website analysis.
INTERNET SERVICE REGISTRATION: To access resources across the Internet, every host must have a unique IP address. The registration of IP address blocks and domain names is administered at the international level by the registries, and to register them an organization must supply a physical billing address and technical contact information, which are then visible through public registry (WHOIS) lookups. DOMAIN NAME SYSTEM: DNS is the service that maps between host names and IP addresses. The most common DNS implementation is the Berkeley Internet Name Daemon (BIND). The "dig" tool, distributed as part of BIND and usually installed on Unix-based operating systems, is widely used to query DNS; records such as name server (NS), mail exchanger (MX) and host address (A) records reveal which hosts an organization exposes and how its infrastructure is laid out.
SEARCH ENGINES: Search engines are widely used to harvest information across the globe and are very helpful for gathering information on any topic. Searching newsgroups can expose details from an organization's administrators' posts about specific network components. EMAIL SYSTEMS: Email hosts are business-critical systems exposed to the Internet and provide an important means of business communication. Passive analysis of mail systems, for example of the headers of received messages, can reveal a great deal about an organization, including the enumeration of user accounts. NAMING CONVENTIONS: This is a subtle way of gathering information.
It relies on observing and analyzing the names used for each networked service. The naming convention an organization uses gives insight into the position of hosts within the organization, and in some cases a poor naming convention reveals the type of hardware in use. Common mistakes include embedding in host names physical location information, operating system information, functional information, hardware manufacturer information, network location information and predictable sequences. (http://www.ngssoftware.com/papers/NGSJan2004PassiveWP.pdf) In addition to the techniques presented above, a variety of other techniques may be applied. The first is to gather information from customers.
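As an added example (not part of this paper or of the NGS paper it cites), the following Python script shows how the DNS and naming-convention analysis described above can be applied to passively collected DNS records. The records, host names, addresses and keyword lists are constructed for the demonstration and are not real data: the domain exigent.example is a placeholder, and the keyword lists are an assumption that a real assessment would tune to the target's region, vendors and language.

```python
"""Passive DNS naming-convention analysis (added example, not from the paper).

Given records collected passively from public DNS (for example `dig` output
for NS, MX and A records), extract the host names and flag the kinds of
information the paper says poor naming conventions leak: physical location,
operating system, function, hardware manufacturer, network location and
predictable numbered sequences.
"""
import re
from collections import defaultdict

# Constructed sample records in the format `dig` prints
# (owner, TTL, class, type, data).  The domain, hosts and addresses are
# placeholders invented for this example; they are not real systems.
SAMPLE_RECORDS = """\
exigent.example.                 3600 IN NS ns1.exigent.example.
exigent.example.                 3600 IN MX 10 mail-sydney-01.exigent.example.
ns1.exigent.example.             3600 IN A  192.0.2.10
mail-sydney-01.exigent.example.  3600 IN A  192.0.2.25
www.exigent.example.             3600 IN A  192.0.2.80
win2k3-dc1.exigent.example.      3600 IN A  192.0.2.101
rnd-fileserver.exigent.example.  3600 IN A  192.0.2.102
cisco-dmz-fw.exigent.example.    3600 IN A  192.0.2.1
srv01.exigent.example.           3600 IN A  192.0.2.201
srv02.exigent.example.           3600 IN A  192.0.2.202
srv03.exigent.example.           3600 IN A  192.0.2.203
"""

# Keyword lists for the leak categories named in the paper.  These are an
# assumption for the demonstration.  Each pattern is matched against a whole
# label token (split on '-' and '_'), so "hp" does not hit "shp".
LEAK_PATTERNS = {
    "physical location": re.compile(r"sydney|melbourne|london|nyc|hq|bldg\d*|floor\d*"),
    "operating system": re.compile(r"win2k\d*|win\d{2,4}|nt4|linux|solaris|aix|hpux|freebsd"),
    "function": re.compile(r"mail|smtp|dc\d*|fileserver|db|sql|backup|vpn|proxy|rnd|dev|test"),
    "hardware manufacturer": re.compile(r"cisco|juniper|dell|hp|sun|ibm|netapp"),
    "network location": re.compile(r"dmz|fw|internal|extranet|core|edge|gw"),
}

# A host label ending in a run of digits, e.g. "srv01" -> stem "srv".
SEQUENCE_RE = re.compile(r"(?P<stem>.*?[a-z][-_]?)(?P<num>\d+)")


def parse_records(text):
    """Return sorted, de-duplicated host names from dig-style records.

    A-record owners are hosts; for NS, MX and CNAME the host is the last
    field of the record data (after the MX preference).
    """
    hosts = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "A":
            hosts.add(owner.rstrip(".").lower())
        elif rtype in ("NS", "MX", "CNAME"):
            hosts.add(rdata[-1].rstrip(".").lower())
    return sorted(hosts)


def classify_host(hostname):
    """Map each leak category to the label tokens that reveal it.

    Only the leftmost label is inspected (the rest is the domain), and only
    categories with at least one hit are returned.
    """
    label = hostname.split(".")[0]
    tokens = [t for t in re.split(r"[-_]", label) if t]
    found = {}
    for category, pattern in LEAK_PATTERNS.items():
        hits = [t for t in tokens if pattern.fullmatch(t)]
        if hits:
            found[category] = hits
    return found


def find_sequences(hostnames, min_members=3):
    """Group hosts whose labels share a stem and differ only by a number.

    Sequences let an observer guess hosts absent from public DNS
    (srv04, srv05, ...), so a stem is reported once it has min_members.
    """
    groups = defaultdict(list)
    for host in hostnames:
        match = SEQUENCE_RE.fullmatch(host.split(".")[0])
        if match:
            groups[match.group("stem")].append(host)
    return {stem: sorted(h) for stem, h in groups.items() if len(h) >= min_members}


def assess(text):
    """Run the full passive analysis over a block of DNS records."""
    hosts = parse_records(text)
    return {
        "hosts": {h: classify_host(h) for h in hosts},
        "sequences": find_sequences(hosts),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_RECORDS)
    for host, leaks in report["hosts"].items():
        print(f"{host:35s} {leaks or 'no obvious leak'}")
    for stem, members in report["sequences"].items():
        print(f"sequence '{stem}': {', '.join(members)}")
```

In the constructed sample the host names alone disclose an operating system and a domain-controller role (win2k3-dc1), a site (sydney), a research function (rnd-fileserver), a firewall vendor and a DMZ (cisco-dmz-fw), and a predictable srv01..srv03 series from which further hosts can be guessed. A defender runs the same check against its own zone before a competitor does, and the Smooth Electronics team applies it only to records it has obtained from public sources.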
Information gathering is a fact-finding process. One of the best ways to gather information is to ask customers, listen to them and document everything they say. Ask customers questions that indirectly reveal the problem they have encountered; the questions should be open-ended, to give the customer the opportunity to share what he or she knows. Models can also be used to gather relevant information from customers effectively. One is the One-Sided Assessment Model, in which the customer simply narrates the problem or the information without any interaction; no further questions are asked.
This method is appropriate when management cannot obtain information from customers through phone calls. The Unstructured Interchange Model, on the other hand, is one in which the customer presents information and management interacts by asking questions; since the questions do not follow a structured format, the information collected depends on what management perceives the problem to be. The Five W and One H Model asks "who, what, when, where, why and how": "who" identifies the person, "what" asks what is wrong, "when" asks when it happened,
"where" asks about the location, "why" asks why it happened and "how" asks how it happened. Another model is the Actual versus Expected Model, in which the customer describes the problem by presenting the actual data; the information gathered can be used as a checklist at the end of the probing phase. The Dimensional Analysis Model helps management understand the customer's problem from the initial call, giving it an opportunity to gather facts so that it can define the problem and develop accurate solutions. (http://www.thinkhdi.com/library/deliverfile.aspx?filecontentid=19)
It is important for organizations to develop information gathering techniques to obtain the information that will help them in future research. Effective information gathering helps management use its time effectively and efficiently, improves critical thinking through sorting techniques, and broadens management's outlook through the exploration of various sources. Management uses information for a variety of reasons: to develop skills, widen knowledge, reduce uncertainty, deepen understanding, solve problems, gain inspiration and secure power.
Management can find relevant information in a variety of sources, such as journals, newspapers, textbooks, the Internet, audio and video presentations, experience, peers and friends, and other printed materials. Information gathering strategies include analyzing the problem, identifying search areas, planning search activities, adapting the search method to the appropriate tools, implementing the methods, and reviewing and evaluating the results. In planning search activities, management considers questions such as "How long does the search need to take?" and "What is needed to help with the search?". (http://www.lboro.ac.uk/service/ltd/campus/infouser.pdf) Management may apply some of these information gathering techniques to obtain relevant information about the rival firm.
In this way management can also plan the strategies it must apply to win a bigger market share. Once management has relevant information about the rival firm, it can make prompt changes to its marketing approach. It may already be impractical to change the design and features of the new product, HOLD, but the company can still stay ahead of its competitors if information gathering techniques are implemented strategically. Some techniques will be hard to implement, but this need not hinder management's information gathering.
After all, the output of this information gathering can contribute a great deal to the company's success. Information gathering is not easy, especially when the rival firm understands and has already implemented the information security techniques described in the previous sections of this paper. Hence, Smooth Electronics' information gathering strategies must be legal, and management must abide by the provisions of its code of ethics. Smooth Electronics must take into consideration how Exigent Pty Ltd secures its information; obviously, Exigent will not readily divulge information that would benefit a rival.
Smooth Electronics must therefore use strategies that produce the desired output while being directed at its own goals and objectives, without unduly affecting Exigent Pty Ltd's business. Information can also be gathered formally or informally. Formal assessment may be conducted to learn about specific skills or interests. It offers management advantages such as providing data in the form of scores and is often the starting point for determining career development activities; however, it is costly and at times not readily available.
Informal assessment, on the other hand, is a more informative way of gathering information. It is inexpensive, provides usable information, and the information can easily be obtained through interviews, questionnaires and observation. (http://www.cde.state.co.us/cdesped/download/pdf/TK_MethodGatherInfo.pdf)

Information Gathering Implementation

Since Smooth Electronics wants relevant information about its rival firm, Exigent Pty Ltd, its management must first employ the people best suited to conducting an investigation of the rival firm. Once the right people are in place, the gathering techniques to be used must be identified.
The team must ensure that the techniques it uses obtain the best information about the rival firm, while also observing ethical standards in information gathering: should the rival firm suspect the investigation, it could file a complaint against Smooth Electronics. To prevent this, the team must adhere to the code of ethics. Smooth Electronics' management must understand that Exigent is a large company and will therefore know of, and have applied, information security policies. After identifying the gathering techniques, the team must document everything, including the process and the output of the investigation.
Through thorough research of the competitor's information, Smooth Electronics can revise its strategic plan to fit the demands of the market. Most importantly, Smooth Electronics must not invade the rival firm's privacy in any way. The research team must be fully aware of the consequences it may face should it act contrary to the norms of information gathering and ethical standards.

References

Clarke, R. 2001. Introduction to Information Security. Retrieved on April 21, 2009 from http://www.rogerclarke.com/EC/IntroSecy.html#ISProc
Colorado Dept of Education. Retrieved on April 21, 2009 from http://www.cde.state.co.us/cdesped/download/pdf/TK_MethodGatherInfo.pdf
Commonwealth of Massachusetts. 2009. Information Security Risk Assessment Guidelines. Retrieved on April 21, 2009 from http://www.mass.gov
GCIO. 2007. Information Security Guidelines. Retrieved on April 20, 2009 from http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf
Information Gathering. Retrieved on April 21, 2009 from http://www.lboro.ac.uk/service/ltd/campus/infouser.pdf
Ollmann, G. 2004. Passive Information Gathering. Retrieved on April 21, 2009 from http://www.ngssoftware.com/papers/NGSJan2004PassiveWP.pdf
Pearson, R. 2003. Effective Information Gathering Techniques. Retrieved on April 22, 2009 from http://www.thinkhdi.com/library/deliverfile.aspx?filecontentid=19
Pesante, L. 2008. Introduction to Information Security. Retrieved on April 20, 2009 from http://www.us-cert.gov/reading_room/infosecuritybasics.pdf
An Introduction to Information, Network and Internet Security. Retrieved on April 20, 2009 from http://security.practitioner.com/introduction/infosec_3_1.htm
Information System Security. Retrieved on April 21, 2009 from http://www.fas.org/sgp/library/nispom/change_ch8.htm
University of Illinois. 2008. Information Security Policy. Retrieved on April 22, 2009 from http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html