Login Signup
Verified Document

Computer Security People, Process And Technology Are Capstone Project

Related Topics:
Computer Viruses Human Computer Interaction Computer Ethics Biometrics
Open Document Cite Document

¶ … Computer Security People, process and technology are three things which are involved in information security. Biometrics, passwords and firewalls are some of the technical measures and these are not enough in justifying threats to information. In order to protect information from destruction and to secure systems, a blend of different procedures is required. While deploying information security some factors need to be considered for instance processes like de-registration and registration and people aspects like teaching, observance, leading etc. With the evolvement of information security, the focus has been transferred toward a governance-orientated and people-oriented approach (Baggett, 2003).

Background

The so-called initial stage of information security was characterized by a scientific approach in securing the environment of Information Technology. With the passage of time it was realized by the "technical people" working in an organization that the role of management in information security is imperative and it is essential to involve the top management (Von Solms, 2000). This realization became the basis for the second stage where organizations incorporated themselves with the information security facility. Both of the phases continued in parallel and they are termed as management involvement and technical protection mechanisms. Firms then realized that in past, some other essentials of information security have been ignored. They said that what is immediately required is to address human element that poses the most dangerous threat of information security to every firm (Von Solms, 2000, 1997, Da Veiga, Martins, & Eloff, 2007) and inside the organization extra concentration needs to be given to the culture of information security (Von Solms, 2000). It is included in the third segment of information security that employees should build in their daily routine the culture of information security. In fact it should be adopted as a culture within the organization. Acceptance of information security as a culture means the adoption of an approach which promotes the inclusion of information security in a manner that all the activities being conducted within an organization take place in its presence (Martins & Eloff, 2002).

Problem

It is the foremost duty of the executives to inculcate within the organization a proper culture relating to information security. Not only communicating the relevant content to the employees is important but also a complete controlling framework should be in existence (Cobit security Baseline, 2004). The next section goes ahead with the explanation of governance in relation to information security. This governance mechanism teaches the general approach under which information security is used to diminish threats (Von Solms, 2006).

The next section focuses on the ways to avoid threats of deception and social engineering. Survey conducted by Price Waterhouse Coopers (PWC, 2004) regarding the breaches of information security state that there have been quite a few technology breakdowns, like system failures or corruption, of important information but still the proportion of human error is considered to be the greatest as far as breaches are concerned. Price Waterhouse Coopers have given a suggestion of embedding a security-aware culture within the organization to solve the problem of human error. According to the management, if the employees are allowed to make interaction with the technical controls then there is likely to be a chance of deception to occur. It is emphasized by Von Solms (2006) that for mitigating the chances of threats, the governance mechanism of information security must be present.

Purpose

The sole objective behind this paper work is to asses to assess the existing approach which is being followed in the framework of information security governance, so that the upcoming updated governance could be more wide-ranging and much better than the previous one. The new governance structure is relying on technological, practical and individuals' behavioral mechanism to reach a particular spot of indication for governing information security. Four approaches, which are approaches that are being assessed in this paper are as follows; PROTECT (Eloff & Eloff, 2005), ISO 17799 (2005), the Information security Architecture (ISA) (Tudor, 2000), and the Capability Maturity Model (McCarthy & Campbell, 2001). The next section presents a list of components that are based on the four approaches mentioned above. The information security governance is constructed on the basis of information security components. Within the last section, the information security governance is discussed in detail.

Significance of problem or concern

The risks that an organization faces can be reduced when executives start following the governance framework of information security very strictly, and not only these, they should even monitor sternly the behavior of the employees. To promote the culture of information security, the entity should make provisions relating to employees...

It would not be wrong to say that organization is looking for a governance structure which does not only work on the technological and procedural reins of the previous sessions but also takes account of the human behavior. A framework with such qualities would be able to mitigate threats from the organizations culture up to an acceptable level (Baggett, 2003).
Analysis of current solutions in the marketplace

ISO/IEC 177995 and ISO/IEC 27001

The technique-code for Information security management (ISO/IEC 17799, 2005) as stated in Information Security Organization (ISO) is a complete guidance for the organizations in the shape of a suggestion point which helps them recognize the controls that they would be needing in situations where information systems are used. Slowly and gradually, with the passage of time ISO/IEC 17799 (2005) has gained popularity as a very important standard as far as information security is concerned (ISO / IEC, 2005). There are 11 control segments mentioned in relation to this in the study.

ISO 27001 (2005), an officially recognized standard, is taken as the second part of ISO/IEC 17799 (2005). ISO/IEC 17799 (2005) suggests adopting a continuous development approach. Such an approach can be obtained when organizations start to establish, implement, operate, monitor, review, maintain and improve the entity's information security management system. The previous standards were built around a single approach, where as now ISO/IEC 17799 (2005) gives detailed mechanism of information security, while ISO/IEC 27001 (2005) sketches the executing and supervision strategies.

PROTECT

The research introduced by Eloff and Eloff (2005) consists of a program which is related to information security and is named as PROTECT. PROTECT is basically a short form of Policy, Risk, Objective, Technology, Executive, Compliance and Team. The aim of PROTECT is to tackle all the problems relating to information security. It comprises of schemes which ensure that well incorporated controls are present within the organization, which aim to reduce the chances of risks and guarantee efficacy and competitiveness. PROTECT has seven components and all these components aim to provide an efficient information and security program. The efficiency of the program is not limited to technological perspective but also deals with people.

Capability Maturity Model

The Capability Maturity Model (McCarthy & Campbell, 2001) presents a set of controls, which are aimed to prevent chances of illegal access, alteration or demolition of data. The study describes the seven major control points demonstrated by the holistic view of the model based on information security.

Security leadership is the first stage and lays stress on the significance of a security agent at the executive level and even on information security strategy. For both long and short-term security strategies within an entity, this should be taken as the origin. Second stage defines the duties which should be undergone for the development and execution of information security program. The responsibilities of many individuals need to be defined, like for instance the roles of security officer, network whiz, anti-virus expert, database professional and Helpdesk specialist. The third stage encompasses guidelines which need to be assembled in order to express and execute the information security program. These policies provide guidance on technological, procedural as well as the human part of information security. Security management can then turn out to be a division of routine operations. This comprises of operations regarding the monitoring of users and the technology organized. The organizations have to make sure that the employees are aware of their policies and the user reports are managed. In the end, the approach focuses on the technological aspects of information security, such as the arrangement of a safe firewall, network and database. Technology protections not only focus on IT environment but also embrace business stability and disaster revival (McCarthy & Campbell, 2001).

Capability Maturity Model follows the approach which begins from the strategic level and goes down to technology levels. The technology levels operate by the instructions or rather guidance given by the authorities at the strategic level. This model is used in executing information security. The model evaluates the information security program, identifies its risks and even gives solutions to reduce the effect of risks. The solutions given by the model are the implemented into the current procedures (McCarthy & Campbell, 2001).

Information Security Architecture (ISA)

A very flexible and competitive approach, Information security Architecture (ISA), is given by Tudor (2000) to prevent the organizations' assets from all sorts of threats. ISA highlights five principles, these principles identify the risks in which the organization is operating and also assess controls to reduce the risks. It…

Continue Reading...
Sources used in this document:
References

Baggett, W. 0. (2003). Creating a culture of security. The Internal Auditor, 60 (3), 37-41.

Bresz, F.P. (2004). People-Often the weakest link in security, but one of the best places to start. Journal of Health Care Compliance, 6 (4), 57-60.

Cardinali, R. (1995). Reinforcing our moral vision: Examining the relationship between unethical behaviour and computer crime. Work Study. 44 (8), 11-18.

COBIT security baseline -- An information security survival kit. (2004). Rolling Meadows, USA: IT Governance Institute.
Electronic Communications and Transactions Act. (2002). Retrieved 12 January 2006 from site: <http://www.acts.co.za/ect_act/>
Holborn Books. Information security architecture: An integrated approach to security in the organization (2005). Retrieved 18 April 2005 from: http://www.holbornbooks.co.uk/details.aspx?sn=1244811
King Report. (2001). The King Report of corporate governance for South Africa. Retrieved 12 January 2006: http://www.iodsa.co.za/downloads/King%20ll%20Report%20CDRom%20Brochure.pdf
PriceWaterhouseCoopers. Information security Breaches Survey. (2004). Retrieved 12 March 2005 from http://www.dti.gov.uk/industry_files/pdf/isbs_2004v3.pdf
Promotion of Access to Information Act. (2000). Retrieved 12 January 2006 from http://www.acts.co.za/prom_of_access_to_info/index.htm
Cite this Document:
Copy Bibliography Citation

Related Documents

Essay
Computer Security: Corporate Security Documentation Suitable for
Words: 5280 Length: 19 Document Type: Essay

Computer Security: Corporate Security Documentation Suitable for a Large Corporation Item (I) in-Depth Defense Measures (II) Firewall Design (III) Intrusion Detection System (IV) Operating System Security (V) Database Security (VI) Corporate Contingency of Operation (VII) Corporate Disaster Recovery Plan (VIII) Team Members and Roles of Each (IX) Timeline with Goal Description (X) Data Schema (XI) Graphical Interface Design (XII) Testing Plan (XIII) Support Plan (XIV) Schematics Computer Security: Corporate Security Documentation Suitable for a Large Corporation (I) In-Depth Defense Measures Information Technology (IT) Acceptable Use Policy The intentions of

Read More
Essay
Computer Security Briefly Support Your
Words: 2728 Length: 8 Document Type: Term Paper

The public-key cryptography approach also creates a more efficient means of cryptographic security by ensuring RSA-compliant encryption and decryption throughout the secured network (Sarkar, Maitra, 2010). As a result the use of public-key cryptography hardens and makes more secure each connection and node on a network (Chevalier, Rusinowitch, 2010). C3. What will help you trust a public-key that belongs to an unfamiliar person or Web site, and why does it

Read More
Essay
Computer Security Although It Is Never Possible
Words: 687 Length: 2 Document Type: Term Paper

Computer Security Although it is never possible to fully prevent the unauthorized use of information from people with security clearances and access, the use of security clearance and access is important to ensure that people without security clearance cannot access the confidential information. In other words, the concept of 'absolute security' is a chimera. It is the nature of security that makes it necessary to weigh up the threats, the risks,

Read More
Essay
Computer Security
Words: 1081 Length: 4 Document Type: Term Paper

Computer Security In the past few years, viruses like "I Love You" and "SoBig" have generated much publicity and apprehension and highlighted problems of computer security. In the last month alone, experts estimate that 52 new viruses have spread through computer networks. In addition, the growing incidence of identity theft also illustrates the growing sophistication of hackers and their tools. This paper examines the main problems related to keeping the information on

Read More
Essay
Computer Security Information Warfare Iw
Words: 5531 Length: 20 Document Type: Research Paper

His study includes the following; The U.S. government through the executive to provide appropriate leadership to steer the country in the domain of cyber security. The state to conduct immediate risk assessment aimed at neutralizing all the vulnerabilities. The creation of an effective national security strategy as well as the creation of an elaborate national military strategy. Molander (1996) uses a qualitative research approach and methodology .The method used is constructive. The constructive

Read More
Essay
Computer Security for Small Businesses
Words: 1170 Length: 4 Document Type: Essay

Information Technology Security for Small Business The need for protecting a business's information is crucial in the modern business world regardless of the size of the business. In light of the increased technological advancements that generate numerous threats and vulnerabilities, protecting a business's information is as significant as safeguarding every other asset. Actually, businesses are facing the need to protect information in a similar manner like safeguarding employees, property, and products.

Read More

Sign Up for Unlimited Study Help

Our semester plans gives you unlimited, unrestricted access to our entire library of resources —writing tools, guides, example essays, tutorials, class notes, and more.

Get Started Now