
Information Security Evaluation for OSI Systems: A Case Study

OSI IT: An analysis of IT policy transformation

The aim of this project is to evaluate the effectiveness of information security policy in the context of an organization, OSI Systems, Inc. With a presence in Africa, Australia, Canada, England, Malaysia and the United States, OSI Systems, Inc. is a worldwide company based in California that develops and markets security and inspection systems such as airport security X-ray machines and metal detectors, medical monitoring and anesthesia systems, and optoelectronic devices. The company is also represented by three subsidiary divisions, with offices and plants dedicated to the brands Rapiscan Systems, OSI Optoelectronics and SpaceLabs Healthcare.

In 2010, OSI, Inc. had sales of $595 million with net income of over $25 million. As of June 2010, the company comprised 2,460 personnel globally. The parent company provides oversight and fiscal control to the different divisions and is connected to them through its worldwide virtual network intranet system, with external integration of other stakeholders involved in the channel of operations, mostly third-party vendors who are connected to the company's extranet. Key stakeholders involved in IT security decisions and job responsibilities at OSI, Inc. are outlined in Table 1.

Table 1

3 Definitions
3.1 CIO -- Chief Information Officer
3.2 VPN -- Virtual Private Network, used to connect to internal networks while outside of corporate locations or on wireless networks
3.3 IT Management Team -- The CIO, Global Directors, and Global Managers in the IT department
3.4 Company -- Refers to OSI Systems, Inc. and all subsidiaries

Table 1. OSI, Inc. IT Security Policy provision definitions of key stakeholders (2009).

In 2011, OSI, Inc. will implement changes to its IT security policies. Those changes are largely a response to developments in national computer misuse laws, particularly the extensive statutory provisions in UK employer-related policy on internet privacy and proprietary commercial information, as discussed in the review of the UK Computer Misuse Law (CMA), put into effect in 1990 and revised in 2006 to keep pace with technological innovation. Together with related United States legislation on telecommunications and internet use, and post-9/11 provisions on web-based privacy infringement that form part of anti-terrorism legislation covering IT infrastructure, these changes are intended to improve OSI, Inc.'s competency as a technology organization through a heightened policy posture.

As with other global organizations, OSI, Inc. is constantly seeking solutions to its vulnerabilities to both internal and external forces of competition. For this reason, security policy amendments are strategic priorities in five areas: 1) corporate and IT organizational structure, including rules and resources with respect to information security; 2) stakeholders (users, managers, and designers) interacting with information security; 3) security technology (the technical platform); 4) tasks associated with information security (goals and deliverables); 5) information security risks. Central to those actionable goals is the vision of CIO John Loo's administrative oversight of the corporation's IT informatics network. In an interview with Mr. Loo, I gained important insights into the transition of OSI, Inc. in this unit of business operations, illustrated in Table 2.

Table 2. Interview with IT Director John Loo. Numbered questions are from the interviewer; answers marked "JL" are Mr. Loo's, as recorded by the interviewer.

1. Do you have a full Contingency Plan (CP) in effect, composed of a Business Impact Analysis (BIA), an Incident Response (IR) plan, a Disaster Recovery (DR) plan and a Business Continuity (BC) plan? Do you have a Security Incident Response Team (SIRT) as well?

JL: He did not have such a large, encompassing plan, due to the relative smallness of the company as compared to a General Electric or IBM. In fact, many contend that this type of security philosophy is penny wise and pound foolish (Whitman & Mattord, 2010, p. 171). He said he had just a Disaster Recovery plan, which did not include an SIRT.

He said that he does not have a list of personnel that he calls from, but bases his team on the immediate threat at hand. In the event of an attack on the network, Mr. Loo would assess the severity of the attack and would himself determine whether it was just an incident or a major disaster. From there he would determine the extra personnel needed to take care of the threat. Again, no security team list is in place.

2. Do you classify, profile and describe any of the potential threats, vulnerabilities, and attacks, such as denial-of-service, zombie attacks, etc., with a before, during, and after response description...

JL: Mr. Loo also indicated that his primary fear or concern for security was simply having someone walk into an OSI facility, plant or office, plug their laptop into the network, and be able to hack or password their way into the network and interrupt or steal company data.

3. If you, Mr. Loo, get sick, injured or die, who will step into your place during an emergency?

JL: He has back-up managerial personnel from Global IT and Telecom management to fill in in case he is absent.

4. Do you practice or test any attack scenarios, such as a simple desk check, structured walk-through, simulation, or full-interruption scenario, so that you know what to expect and do in a real-life situation?

JL: He indicated that he does not do any testing at all. It is all in his head.

5. Concerning a natural disaster within the business continuity and strategy plan, do you have a disaster recovery plan in place in case of a man-made or natural disaster that would destroy the corporate data center and its data?

JL: He does have a back-up: a warm back-up site facility in Issaquah, Washington. It is not a hot site where the company could immediately turn things on and start operating. Although all of the applications are loaded on the servers, the back-up data tapes and disks are stored in Burbank, CA, and would have to be carried to Issaquah and then loaded into the databases and tested before operation could begin. That would take anywhere from 10 hours to 2 days to complete. If the situation were not totally disabling, he would just send the disks and tapes to the Torrance, California facility and restore the servers from there. That would take less than a day.

6. Are all of the third party vendors that do business with the company on-board with back-up computing resources and services if needed?

JL: He indicated that he has agreements with all the vendors covering an emergency or disaster, but that he does not contact them frequently, if at all, and that he assumes the facilities are on board with any disaster that may happen. This non-action can be very dangerous.

7. Concerning crisis management and the press, how would you handle it?

JL: He will be the main point of contact for the CEO and for newspaper and TV announcements to let the public know the situation of the disaster.

8. Since OSI has a risk assessment department, are they involved at all in the assessment of a disaster to the company?

JL: They were not involved in this area; all planning and assessment was done in IT.

9. What is the relationship between the organizational structure of the IT department and the CEO, as stipulated in the organizational hierarchy chart?

JL: He indicated that although there is no Chief Information Security Officer (CISO) between him and the CIO, the CIO is firmly committed to obtaining the resources and expenses for fully implementing proper security within the company. Unfortunately, the CIO himself does not report directly to the CEO but to the non-technical CFO, Mr. Edick, and it is sometimes very difficult to obtain additional money and resources to fully implement all of Global IT's plans for security, since the company has never faced a real IT or security emergency before.

Although it is quite common and natural for many companies, both small and large, to place their security department or group within the IT organizational structure, this is not the best place for it. Given the seriousness of the damage that loss of data and networks can cause, many organizations place their security group within either the Legal or the Insurance and Risk Management department. Since OSI is small, its security group is simply within the IT department. Another factor is that the CIO and CEO are brothers, which can create a conflict of interest. This is why the CIO does not report directly to the CEO. This conflict imperils information security. Most experts agree that the CIO or CISO should report directly to the COO or President of the company. In case they do not.

10. What are the duties and responsibilities of the individual stakeholders (users, managers, designers, and vendors) interacting with information security and that of Critical Electronic Data?

JL: See the Critical Electronic Data Policy attachment.

What is OSI's Global IT Security policy?

JL: Document

Do you provide for advanced IT and security training for your IT employees?

JL: Yes, we have…

References

Allen, J. (2005). Governing for Security: Project Stakeholders Interests. News at SEI. Retrieved 5 September 2010 from http://www.sei.cmu.edu/library/abstracts/news-at-sei/securitymatters20054.cfm

Computer Misuse Law (2006). Parliament UK. Retrieved from http://www.publications.parliament.uk/pa/cm200809/cmhansrd/cm090916/text/90916w0015.htm#09091614000131

Diver, S. (2006). Information Security Policy -- A Development Guide for Large and Small Companies. SANS Institute InfoSec Reading Room. Retrieved 30 September 2010 from http://www.sans.org/reading_room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies_1331

Global IT Policy (2009). OSI, Inc.

http://www.opsi.gov.uk/acts/acts2006/ukpga_20060048_en_1