Management of i.t. security A Brief Look

It cannot be repudiated that currently information technology is a very significant advantage and resource for any contemporary business. Consequently defending its valuable resource through effective management of its IT security is central and quickly becoming a top precedence for many businesses and organizations. Regrettably there is no distinct formula that can promise complete, 100% of data security. To guarantee administrative effectiveness, companies that provide service like cloud storage, must make comprehensive arrangements to act against cyber dangers before they transpire, and to recuperate from mischievous cyber activities when such dangers do well.

A cloud security threat-management approach must be an active document that is frequently revised by stakeholders, and must comprise of policies and purposes that bring into line with the needs of the organization. "Given the threat of security breaches, to both cloud service providers and organizational cloud service users, cloud security and privacy are growing public policy concerns as well as salient area of inquiry for researchers" (Choo, 2014, p. 52). This means that along with strong and effective management of the processes involved with IT security, certain frameworks must be applied. A good example of one is COBIT.

COBIT

COBIT is an IT governance structure and supportive toolset that sanctions managers to link the gap between regulatory requirements, technical problems, business hazards, and security concerns. COBIT has five IT Governance parts of application. "The Control Objectives for Information and related Technology (COBIT) is a certification created by ISACA and the IT Governance Institute (ITGI) in 1996. They believe that it is a set of practices (framework) for IT management" (Susanto, Nabil Almunawar & Chee Tuan, 2011, p. 23).

COBIT involves strategic alignment. Which means focus on ensuing the connection between IT plans and businesses. This means maintaining, validating, and defining the IT value proposal including aligning IT operations alongside business operations. The next aspect is value delivery. Value delivery concerns execution of value proposal through any specific delivery cycle. Performing these processes ensures that IT provides the promised benefits suggested by use of the strategy, with concentration and focus on optimization of expense along with proving the intrinsic worth of IT.

Along with value delivery, the next step is resource management. Put simply, resource management concerns the optimum investment as well as the appropriate management of critical IT properties that include: applications, people, information, and infrastructure. Risk management is a step that involves a concise comprehension of the enterprise's enthusiasm for risk and comprehension of compliance. The last step is monitors strategy and performance measurement tracks that involve implementation, project conclusion, resource practice, process presentation and service distribution. This could include balanced scorecards that transform approach into action in order for businesses to accomplish objectives measurable beyond predictable accounting requirements, and pellucidity into the organization.

Security Risk Evaluation

In order to supply the processed needed in a framework like that of COBIT, an effective security risk evaluation is often needed for businesses and organizations to understand what is needed in relation to expenses, processes, and weaknesses that could lead to security outbreaks. A security risk evaluation has several stages that involve becoming aware of a vulnerable points and shortcoming within the system.

The proposed framework is about risk management which is implemented through creating risk management system and is based on the reduction strategies, and via these properties, threats and weak points can be determined and suitable quality level will be recognized and then controls will be chosen to neutralize or reduce the unpleasant risk to an acceptable level (Malayeri, Modiri, Jabbehdari & Behbahani, 2012, p. 6).

The first part of this stage of awareness of the properties within the security zone. What this essentially means is security as it relates to the safeguarding of properties and resources against threats. So in order to assess security, one must know what properties and resources are at risk should a security outbreak transpire.

The second stage is determining whether or not the threats are associated to the resources and properties and determine if there are any vulnerable points to these properties. In order to do this, application of threats modeling method should assist a system designer determine attacks, vulnerabilities, and threats within a software zone. Threat modeling essential is:

1. Identification of security objectives

2. Application overview

3. Decompress application

4. Identify threats

5. Identify Vulnerabilities

The next stage, stage three involves determination of actual probability. Essentially what are the real probabilities of each compound: threat and vulnerability, should be acknowledged. Compounds that cause unnoticeable likelihoods are ignored. Those that have higher frequency...

Grades range from 0-6 with 0 being unlikely to happen and 6 being once a day frequency. The fourth stage is unpleasant effect calculation. "The unpleasant effect may be measured by numbers in order to show the caused damages by them. This amount makes the risk importance possible, ignoring its probability. The unpleasant effect is not dependent on probability level" (Malayeri, Modiri, Jabbehdari & Behbahani, 2012, p. 7).
User Policy

Gradually over time users are being viewed as the fragile link in the chain of information technology, especially when it comes the security of business data. Employees could willingly or unknowingly leak out private company information that could result in serious security breaches. "Should the users of computer systems act in any inappropriate or insecure manner, then they may put their employers in danger of financial losses, information degradation or litigation, and themselves in danger of dismissal or prosecution" (Doherty, Anastasakis & Fulford, 2011, p. 201). This is a predominantly significant worry for knowledge-intensive organizations, like Google that hold cloud services that universities and other establishments use making security breaches ruin the availability, reliability and precision of computer-based information resources. A progressively important contrivance for decreasing the incidence of incongruous behaviors, and in so doing, defending business information, is through the construction and application of an official 'acceptable use policy (AUP). "Whilst the AUP has attracted some academic interest, it has tended to be prescriptive and overly focussed on the role of the Internet, and there is relatively little empirical material that explicitly addresses the purpose, positioning or content of real acceptable use policies" (Doherty, Anastasakis & Fulford, 2011, p. 201). The comprehensive purpose of such a policy is to help businesses deal with intolerable behavior by proactively endorsing appropriate and operational security behaviors.

Perception of Security Threat

Often times some businesses do not perceive much threat when it comes to some of their services. For instance, the celebrity nude pictures scandal was a result of lax security on the part of passwords when it came to cloud accounts. Hackers were able to access the files located within the cloud servers by simply guessing over and over again the password. It is in instances like these that companies like Google, who have cloud servers, must become aware of the possible security threats that lurk in areas that are presumed to be low risk.

When businesses attempt to manage information security, traditionally they approach a control-based compliance model. This strategy "assumes that human behavior needs to be controlled and regulated. We propose a different theoretical model: the value-based compliance model, assuming that multiple forms of rationality are employed in organizational actions at one time, causing potential value conflicts" (Hedstrom, Kolkowska, Karlsson & Allen, 2011, p. 373). Human behavior does need to be controlled and regulated to some extent, but the problem of security breach is more complex than that. More than just behavior it's the processes involved within the systems, continual threat assessment, and proper monitoring of suspicious activity. All of these contribute to the betterment of IT security over all areas. Another important aspect to recognize is positive partiality.

In one study, results demonstrated positive partiality in risk awareness on information security territory. The degree of this positive partiality is better with a distant contrast target with scarcer information sharing undertakings. Consequently, this positive partiality is also established in relation to awareness of controllability over information security threats. "In order to overcome the effects of optimistic bias, firms need more security awareness training and systematic treatments of security threats instead of relying on ad hoc approach to security measure implementation" (Rhee, Ryu & Kim, 2012, p. 221). To circumvent such thought processes, additional training could remove some of the possible mistakes that come about from this form of thinking.

Conclusion

Information Technology security is a complex undertaking. It involves using multiple strategies and models that not only help defend suspicious user behavior, circumvent optimistic bias, and providing appropriate and easy to follow evaluation procedures. Becoming aware of potential dangers, high risk areas, and employing a sound user policy should any business avoid potential hiccups within the IT security field.

References

Choo, K. (2014). A Cloud Security Risk-Management Strategy. IEEE Cloud Computing, 1(2), 52-56. doi:10.1109/mcc.2014.27

Doherty, N., Anastasakis, L., & Fulford, H. (2011). Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy. International Journal of Information Management, 31(3), 201-209. doi:10.1016/j.ijinfomgt.2010.06.001

Hedstrom, K., Kolkowska, E., Karlsson, F., & Allen, J. (2011). Value conflicts for information security management. The Journal of Strategic Information Systems, 20(4),…