
Information Security

Abstract

When we think about security we think about doors, bars on windows, guards, alarms and so forth. When we look at information security we think about passwords and permissions. In the past that is all we needed to protect our information. As technology continues to advance, security takes on a whole new role. We are no longer storing papers in boxes behind a locked door. We are now securing servers and large datacenters with vast amounts of information.

Introduction

When we think about security we think about doors, bars on windows, guards, alarms and so forth. When we look at information security we think about passwords and permissions. In the past that is all we needed to protect our information. As technology continues to advance, security takes on a whole new role. We are no longer storing papers in boxes behind a locked door. We are now securing servers and large datacenters with vast amounts of information. Protecting this data has given security a whole new meaning. Today we are protecting against spyware, viruses, hackers and even our own employees. Information security is necessary for businesses that want to survive and keep valuable data away from unauthorized users. Many businesses have some type of information security in place, but is it really enough? The articles reviewed below will explain why information security is important and the ramifications if information security is not implemented.

Information Security Governance

Information security is necessary for all businesses. Proper planning and implementation is the key to safeguarding data. A recent study has shown that viruses were the leading cause of malicious attacks, with employee abuse following a close second. Although most businesses do have some type of information security measures in place, the protection tends to be ineffective, with staff taking a reactive approach over a proactive approach. The article by Allen Johnston and Ron Hale examines the planning for information security and enhancing the quality of security. A survey conducted by the Computer Security Institute and the Federal Bureau of Investigation found:

56% of respondents reported unauthorized computer system use during the past year. These unauthorized uses include malicious acts such as theft or destruction of intellectual property, insider abuse and unauthorized access to information that results in a loss of data integrity and confidentiality, as well as malware threats such as viruses, spyware, worms, and Trojans (Johnston and Hale, 2009, p. 126).

To better understand how planning and enhancing security can increase the value of security programs, a survey was conducted of security professionals to see their perception of the quality of their security programs. The results allowed for a comparison between the different businesses and a view of the overall picture of how information security plays a role in those businesses. Information Security Governance (ISG) has a role in creating policies and strategies within a business and in the protection of information assets. When Information Security Governance brings security to the attention of the board and executives, corporations are more effective in addressing and improving security. In terms of strategic alignment, ISG enables firms to align security with business strategy to support organizational objectives (Johnston and Hale, 2009, p. 127). Corporations are able to use appropriate measures and reduce risk. When information security is addressed as part of the overall strategic plan, policies are easily adopted into the goals and objectives. In order to validate the value of Information Security Governance, a survey was conducted among managers, auditors and executives who are Certified Information Security Managers. The survey found those who implemented Information Security Governance had a higher level of support from upper management than those who did not implement it. Thus those that implemented information security had a better relationship between business and information security than those that did not. The findings from the survey showed that when information security was addressed at a corporate level, employees took greater ownership in protecting the information. Employees did not view security as a barrier but as part of business success. This in turn showed that businesses that used Information Security Governance had a higher level of quality in the protection of information than those that did not.

The study provided support for corporations to include information security planning as part of their operations. Many businesses are not as motivated or have barriers that make it difficult to develop an information security program. There are many benefits to having an Information Security Governance program. Implementers were asked to rate factors on a scale of 1 (low) to 5 (high): legal requirements (4.30) were the most influential factor, closely followed by government regulations (4.24) (Johnston and Hale, 2009, p. 128). When asked to rate the motivating factors for information security, concern over civil and legal liability (4.20) was considered the most important factor, followed closely by the protection of the organization's reputation (4.19) and compliance with regulatory initiatives (4.00) (Johnston and Hale, 2009, p. 127). Although the research conducted is promising and provides incentives for implementing an Information Security Governance program, there were limitations in the research. One limiting factor was the classification or grouping of Information Security Governance implementations. Implementers were classified as either those that have put such a program in place or those that were going to utilize such a program. Those that have not implemented or thought of implementing such a program were classified as non-implementers. The research should continue to be conducted in order to distinguish the different levels of implementers and non-implementers. Information Security Governance is a critical approach to an organization's information security success. As the process is developed, corporations can move from a reactive approach to a proactive approach. The article has provided support for information security when addressed at an enterprise level. For organizations that have or are able to implement information security, the article suggests they will have improved security with the support of executive management and a relationship between the business and security.

Honeypot Protection Detection Response Recovery Model

The base of a security management system consists of security management policies and a security management model. In today's systems these models offer different approaches to information security. Meta Group, a security research firm, conducted interviews with specialists in the information technology field and found that many of the interviewees agree their companies are more susceptible to threats now than in the past. The study found that many attribute their vulnerabilities to a lack of information policies, outdated configurations and a lack of procedures for applying software patches. Finding the right security management model for a small and medium-sized enterprise (SME) can be a challenge.

In order to understand security models, three have been presented. The first model is Protection Detection Response Recovery (PDRR). This model consists of protection, detection, response, and recovery, forming a dynamic information security period (Gang, Huifeng, Shubao, 2010, p. 51). Each of the policies integrates a group security unit. There are three parts in the model for security management. The first part is protection and the second is detection. Protection is taking measures such as access control, encryption, and security patches. Detection is used to detect when an attack happens, including the identity, source, and loss. The last part is system recovery. After an attack, returning the system state back to its pre-attack status completes the stages. The next model is PDCA, or plan, deploy, check, and action. The first step is planning based on the organizational needs and requirements; this includes a risk evaluation. The second step is to deploy the information security plan based on the strategies, procedures and rules defined in the organization. The next step is to check the implementation of security against the strategy created and the legal requirements. This also includes monitoring and testing the implementation. The last step is action, which is to evaluate and examine the strategy and continue to make improvements. The last model is the adaptive network security model (ANSM) proposed by the American Internet Security System Corporation. This model examines the operational and technological needs by using the life cycle of customer information. It finds that seven aspects reflect the continuous circulation of information system security: plan, evaluation, design, deployment, management, urgent response, and education (Gang, Huifeng, Shubao, 2010, p. 51). Security attacks can happen quickly, thus making them difficult to identify. Most SMEs are not staffed to handle security technology, and hackers usually are ahead and are able to master technology much more quickly than SME technologists. This leaves many SMEs at a large disadvantage. Having an early warning detection system is a long-term task which many SMEs cannot satisfy. Once information is either stolen or destroyed, the loss is irreparable. This is why an early warning detection system is important to SMEs. The article has proposed a solution called Honeypot Protection Detection Response Recovery (HPDRR) which allows the monitoring, detection and analysis of activities. A honeypot serves no real production function. It collects very little data, and the data it does collect comes from attacks. A honeypot is not dependent on other detection technologies, which in turn reduces false negatives and false alarms.
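To make the claims about honeypot data concrete, here is an added example (my own code, not code from the article or its authors) that triages a constructed honeypot connection log: it reconstructs each source's first movements against the honeypot and shows why every entry is alert-worthy. The log format, the sample addresses and the port-sweep threshold are assumptions of the example.

```python
"""Triage of honeypot connection logs.

Added example, not code from the article: a honeypot serves no
production purpose, so every connection it records is suspect and the
analysis reduces to summarising who touched it, when, and in what order.
The log format and the sample lines below are constructed for this
example and are not real traffic.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one line per TCP connection to the honeypot.
# Assumed format: "<ISO timestamp> <source IP> <destination port> <first bytes>"
SAMPLE_LOG = """\
2010-05-01T02:14:07 203.0.113.9 22 SSH-2.0-libssh
2010-05-01T02:14:09 203.0.113.9 23 IAC-DO-TERMINAL-TYPE
2010-05-01T02:14:12 203.0.113.9 445 SMB-NEGOTIATE
2010-05-01T02:14:40 203.0.113.9 22 SSH-2.0-libssh
2010-05-01T03:02:55 198.51.100.27 80 GET /admin HTTP/1.0
2010-05-01T03:02:56 198.51.100.27 80 GET /phpmyadmin HTTP/1.0
2010-05-01T04:10:00 192.0.2.250 22 SSH-2.0-OpenSSH_5.3
"""

# Assumed threshold: a source that probes this many distinct ports is
# treated as sweeping the host rather than targeting one service.
SCAN_PORT_THRESHOLD = 3


def parse_log(text):
    """Return (timestamp, source, port, payload) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, payload = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), src, int(port), payload))
    return sorted(events)


def first_movements(events):
    """Per source: first contact time, connection count and the ports
    touched in order, i.e. the initial movements of the attacker that
    the article says a honeypot lets security staff capture."""
    hits = defaultdict(list)
    for ts, src, port, _ in events:
        hits[src].append((ts, port))
    summary = {}
    for src, seq in hits.items():
        ports = []
        for _, port in seq:
            if port not in ports:
                ports.append(port)
        summary[src] = {
            "first_seen": seq[0][0],
            "connections": len(seq),
            "ports_in_order": ports,
            "scan_like": len(ports) >= SCAN_PORT_THRESHOLD,
        }
    return summary


def alerts(events):
    """Every source in the log is an alert, ordered by first contact:
    nothing legitimate should ever connect, which is why the honeypot's
    false-alarm rate stays so low."""
    summary = first_movements(events)
    return sorted(summary, key=lambda src: summary[src]["first_seen"])
```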

A honeypot is a good fit for many SMEs. It does not require the resources that other early detection systems do and is cost effective. It is also simpler to use than more complex detection systems, allowing administrators to master the software easily and level the playing field with hackers. The honeypot is the first appliance that is hacked by a hacker, thus security workers are able to capture the initial movements of the hacker by monitoring the honeypot data. The article has provided valuable information regarding security in SMEs. It proposes a security management policy using HPDRR and presents a plan for implementing, administering and improving the policy. The management policy proposed in this article can solve many information security issues in SMEs.

Misconceptions about Information Security

The hacking world is consistently gaining ground despite any attempt by the information security industry to ward off the attempts. The efforts in most cases are reactive, and a common problem is that the security industry is not acknowledging that hackers are one step ahead in security. Security needs to be reevaluated as improvements are needed. This article offers various processes in security and systems based on cases and the experience of the authors.

Today there seem to be many failures when it comes to information security, and this has raised many questions. Blaming carelessness has been ruled out in most cases. For instance, the FBI and the Department of Homeland Security have run into issues; both organizations have devoted a large sum to their security systems, but both fail. The thought is that the problem lies in the relationship between information systems management, security management and management on the business side. The relationship between these two departments is structured as a subservient relationship. Up to this point in time there is no common solution on separating the duties between security and information systems. Small businesses would have the same person or department taking care of both information and security needs, whereas larger organizations have the resources available to separate the roles. We see the need to have both information and security management separated. The separation at the management level is not important as there is not a true separation in the business management structure. The popular opinion is that information security should always seek the good relationship, support, and understanding from business management for its planned activity; this is, because the boss can stop the flow of money (Utin, 2008, p. 165). What we should be asking is, should information security depend on the limited technical background of managers? The threats that are present to security systems usually go beyond the understanding of a manager with limited technical knowledge, even if they have higher education such as an MBA. Here is an example of why security is behind in securing information. A security analyst does a routine check on the network looking for various vulnerabilities. On a network with 500 computers, 15 are found to be out of date with updates or to have no anti-virus protection. Although this is a low number, it is still a risk nonetheless. A course of action is planned as required by department procedures, and the analyst informs the various departments that work will need to be done on the computers. The task should take no more than ten minutes a computer, thus taking no more than a day or two to complete the job. In most cases this job ends up taking several weeks to complete. This failure causes us to look at why the procedure that states it should take two days had taken several weeks. One factor that procedures do not take into account is the human factor. The human factor can take a well thought out timeline and cause it to become obsolete. In most cases, information and security staff will attempt to schedule time with end users to perform this maintenance, but in most cases these times tend to be an inconvenience to the end user and end up being rescheduled.
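The routine check in the example above, worked through as an added example (my code, not the article's): a constructed inventory of 500 workstations is swept for out-of-date patches and missing anti-virus, the 15 findings become the isolation list that the information security view in the text argues for, and the same findings become a per-department work plan at ten minutes per host. The inventory layout, the patch-age policy and the department names are assumptions of the example.

```python
"""Patch and anti-virus compliance sweep for the 500-computer example.

Added example, not code from the article: from a constructed
workstation inventory, flag hosts that are out of date or lack
anti-virus, produce the quarantine list the security view calls for,
and build the per-department work plan with the ten-minutes-per-host
estimate the procedure in the text assumes. Inventory format, policy
thresholds and department names are assumptions of this example.
"""
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2010, 5, 1)          # constructed reference date
MAX_PATCH_AGE_DAYS = 30           # assumed policy: patched within 30 days
MINUTES_PER_HOST = 10             # figure used in the text
WORK_MINUTES_PER_DAY = 8 * 60     # one technician, one working day


def build_inventory(today=TODAY, n_hosts=500, n_stale=10, n_no_av=5):
    """Constructed inventory: 500 hosts over five departments, of which
    10 are stale and 5 lack anti-virus (15 non-compliant, as in the text)."""
    depts = ["finance", "sales", "hr", "ops", "it"]
    hosts = []
    for i in range(n_hosts):
        host = {"name": f"ws-{i:03d}", "dept": depts[i % len(depts)],
                "last_patch": today - timedelta(days=i % 20),  # within policy
                "antivirus": True}
        if i < n_stale:
            host["last_patch"] = today - timedelta(days=45 + i)  # past policy
        elif i < n_stale + n_no_av:
            host["antivirus"] = False
        hosts.append(host)
    return hosts


def noncompliant(hosts, today=TODAY):
    """Hosts violating either rule, each with the reasons found."""
    findings = []
    for h in hosts:
        reasons = []
        if (today - h["last_patch"]).days > MAX_PATCH_AGE_DAYS:
            reasons.append("patches_out_of_date")
        if not h["antivirus"]:
            reasons.append("no_antivirus")
        if reasons:
            findings.append({"name": h["name"], "dept": h["dept"],
                             "reasons": reasons})
    return findings


def quarantine_list(findings):
    """Security view: every non-compliant host is isolated from the
    network until fixed, whatever department it belongs to."""
    return sorted(f["name"] for f in findings)


def work_plan(findings):
    """Information systems view: per-department work list plus the
    effort estimate the department procedure is based on."""
    per_dept = defaultdict(list)
    for f in findings:
        per_dept[f["dept"]].append(f["name"])
    total = MINUTES_PER_HOST * len(findings)
    return {"per_department": dict(per_dept),
            "total_minutes": total,
            "estimated_days": -(-total // WORK_MINUTES_PER_DAY)}  # ceiling
```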

To gain a greater understanding, two points of view are to be considered with the example provided. From an information systems point of view, a lack of updates or missing anti-virus does not prevent the end user from doing their job, nor does it affect daily business activities. So there is no rush in resolving these issues in a timely manner. Administrators are in agreement that computers should be up to date with security patches and have anti-virus software installed, but those are security issues and not business based. The information security point of view will advise that out of date patches and no antivirus software are a large risk and should be addressed as soon as possible. If the risks go unattended then there is a potential risk to the network which in turn can affect business operations. Ideally, through information security, all computers posing security risks would be isolated from the network until the issues have been resolved. Business functionality or concerns would not be considered as they would be overridden by security concerns. The end users would be notified on how their computers can be placed back on the network, and the issues would be addressed as soon as possible, which would leave the example of taking several weeks to complete a thing of the past. An organization named TraceSecurity offers its services for risk management and helps organizations secure their information. Upon review of Citibank, TraceSecurity found Citibank customer accounts were hacked through the ATMs and the software that drives ATMs. After an investigation it was found that many of the servers that power ATMs were un-patched. The numbers were in the thousands. As found with many third party software and vendors, Jim Stickley at TraceSecurity said, "Financial institutions are failing to perform patch updates to ATM servers often because third party vendors aren't approving the patches to be applied to systems running their ATM software" (Computer Security, 2008). This allows hackers to find exploits in the Microsoft operating system which many of these servers are using today. With added issues found, many of the ATMs are not on secured network segments. This allows someone with a little know-how to plug into the network and listen to traffic. Network infrastructures need to be planned better and configured properly. Many organizations, including network administrators, believe that as long as their servers reside behind firewalls they are secure. This is not the case, and these are the systems that tend to be hacked. The article concludes that in order for information security to work, the information systems tactic must be changed. The goals have changed from business to security. Any amount of money spent on security is justified if it is used to secure the network and systems. One breach can cost a vast amount of money in losses or even bring a halt to company operations. As business goals are needed for security, in today's world a business can only survive with security.

Information Security View

Information technology is an important part of businesses today. One of the main goals of information technology is information security. Poor security can cause unauthorized access which can result in litigation, financial losses, damage to brands, loss of customer confidence, loss of business partner confidence, and can even cause the organization to go out of business (Rainer, Marshall, Knapp, & Montgomery, 2007, p. 100). Information technology and security professionals were surveyed; the concerns that were found leaned toward management issues rather than technical ones. The survey also found that information technology and security professionals should have a strong background in business management and excellent communication skills. With poor communication skills, information professionals are not able to convey the need for funding, justify expenses or obtain management support, which are crucial for buy-in on current and future projects, especially in security. Communicating with end users and executives through workshops and training raises awareness of security, thus leading to forming policies, risk management and disaster recovery plans in the event of an attack. This is a challenge to someone who has technical expertise and no business background. Thus information technology and security professionals should work with executives and business managers in order to understand the business side of the organization. The findings show that the important factor is that business managers should have basic technological knowledge and information technology and security professionals should have basic managerial knowledge. As technology and security professionals understand the organization, discussing budgets for security needs, productivity, metrics or return on investment becomes effortless. Ideally business managers would be more interested in the technical areas of information technology and security than in relying on the information being given to them by the technology and security professionals. However, the workload on these individuals proves to be a challenge to learning something new. It is recommended that information technology and security professionals take business and management courses to become familiar with different aspects of their organization, which will lead to becoming more effective in addressing issues as they arise.

Conclusion

As we have seen, information security is necessary for businesses to survive. Education, policies and security models are used to protect businesses from spyware, viruses, hackers and our own employees. Information security is necessary for businesses that want to survive and keep valuable data away from unauthorized users. The articles have explained why information security is important and the ramifications if information security is not implemented. As technology continues to advance our data will continue to become vulnerable, and new methods of security will need to be implemented. By building your knowledge and creating a strong foundation in security, business information can be secured.

References

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-based Beliefs and Information Security Awareness. MIS Quarterly, 34(3), 523-A7. Retrieved from EBSCOhost.

de la Merced, M. J. (2008, February 5). Ex-Banker is Convicted of Leaking Insider Tips. New York Times, p. 3. Retrieved from EBSCOhost.

Federal Financial Institutions Examination Council. (2006, July). Information security. FFIEC IT examination handbook, 138. Retrieved from http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf

Gov't determined to strengthen function of information security policy. (2000, August 30). Korea Times.

Hacker gets BellSouth. (1999). Inter@ctive Week, 6(20), 36. Retrieved from EBSCOhost.

Johnston, A. C., & Hale, R. (2009). Improved Security through Information Security Governance. Communications of the ACM, 52(1), 126-129. Retrieved from EBSCOhost.

More, better information security systems urged. (2004, November 25). China Daily.

Pemble, M. (2004). What do we mean by 'information security'? Computer Fraud

Puhakainen, P., & Siponen, M. (2010). Improving Employees Compliance

Rabinovitch, E. (2001). The Neverending Saga of Internet Security: Why? How? And What to do Next? IEEE Communications Magazine, 39(5), 56. Retrieved from EBSCOhost.

Rainer, R., Marshall, T. E., Knapp, K. J., & Montgomery, G. H. (2007). Do Information Security Professionals and Business Managers View Information Security Issues Differently? Information Systems Security, 16(2), 100-108. doi:10.1080/10658980701260579

Saarelainen, M. (1995, November 7). Become informed on information security. The Australian.

Shane, S. (2010, April 16). A Former N.S.A. Official Is Charged With Leaking Classified Information. New York Times, p. 18. Retrieved from EBSCOhost.

Shubao, X., Huifeng, X., & Gang, L. (2010). Honeypot Protection Detection Response Recovery Model for Information Security Management Policy. Asian Social Science, 6(12), 50-53. Retrieved from EBSCOhost.

Syamsuddin, I., & Junseok, H. (2010). Visualization of Strategic Information Security Decision. International Journal of Academic Research, 2(3), 92-95. Retrieved from EBSCOhost.

TraceSecurity finds thousands of un-patched ATM servers. (2008). Computer Security Update, 9(8), 1-2. Retrieved from EBSCOhost.

Utin, D. M., Utin, M. A., & Utin, J. (2008). General Misconceptions about Information Security Lead to an Insecure World. Information Security Journal: A Global Perspective, 17(4), 164-169. doi:10.1080/19393550802369792
