Friday, November 13, 2015

Business Model in Information Security

A model is a schematic description of a system that explains its known or inferred properties and may be used for further research. The business model for information security (BMIS) is, therefore, a schematic description that explains the known properties of business information security (Bojanc & Jerman-Blažič, 2013). The model consists of four elements and six dynamic interconnections, as explained below.

Organization:
This is an important element of BMIS, since the overall design of the business is one of the most important factors in business. The business's strategy is one of the requisites that influences the organization element.
The organization element acts as a driver that demonstrates the value of the security program to the business and always has a strong influence on the performance of the information security program.
Process:
This is the second element of BMIS. The process element provides a dynamic link to all of the model's dynamic interconnections. Processes exist to help the organization achieve its strategy. This element is very important, since it symbolizes the requirement for a business to develop, teach and enforce security processes and procedures.
The process element is a key element that always involves the other elements and the dynamic interconnections. It will, therefore, consist of a large number of individual processes supporting information security.
Technology:
This is one of the best-known parts of an information security program; within BMIS it is moderately complex and highly specialized. Technology gives security practitioners one of the many tools used to accomplish the mission and vision of the enterprise. These tools enforce the generic security requirements of confidentiality, integrity, and availability.
Therefore, within BMIS, the technology element refers to every implementation of technical capability that could have an impact on the security of information.
People:
This represents the human resources of an organization, for example the employees, vendors, contractors and service providers. People may be classified as primary or secondary within BMIS. Primary people are those who are associated with the organization, while secondary people are those who are indirectly involved but have some interest in the enterprise. All these groups of people may have some impact on security, though the impact differs between groups. People influence information security through their interaction with the immediate environment, whether reflected in corporate strategies and processes or in other people.
This business model is, therefore, an interconnection of activities carried out in the business, without any one of which business operations would be incomplete. The four elements are the key parameters of the business model for information security, and without their consideration the security of information may not be effective. These key elements are also enhanced through the application of the dynamic interconnections, which are culture, architecture, emergence, governing, enabling and support, and human factors (Cherdantseva & Hilton, 2013).

References:
1. Bojanc, R., & Jerman-Blažič, B. (2013). A quantitative model for information-security risk management. Engineering Management Journal.
2. Cherdantseva, Y., & Hilton, J. (2013, September). A reference model of information assurance & security. In 2013 Eighth International Conference on Availability, Reliability and Security (ARES). IEEE.


Six Future Risks to Information Security

A risk is the likely harm that may arise from a current process or from a future occurrence. A future risk, then, is the likely harm that may arise from a future occurrence (Zissis & Lekkas, 2012). The following are six future risks to information security.
Emergence:
Emergence may include natural calamities, that is, acts of nature beyond human control, for example earthquakes, volcanoes, floods, landslides and many more. Any of these could lead to total or partial damage to information security.
Human factors:
This is the release of sensitive or confidential information to an unauthorized person. Accidental disclosure may also arise from hacking, password cracking, tunneling, malware, spyware, viruses, worms and many others (Vacca, 2012).
Culture:
Culture may cause future risk to information security in various ways, such as exposing trade secrets, exposing strategy and new products to competitors, bad or false publicity, and many others. This may be caused by the social interaction of people in a certain environment.
Through social interaction, the following may occur: intellectual property theft, copyright infringement, illegal infiltration, competitive research, price surveillance and many more.

Governing:
Governing may pose a risk to information security through acts of war, biological warfare, chemical warfare, electronic warfare (including physical disruption or intentional interference), terrorism and cyber warfare, just to name a few.
The enabling and supporting factor:
These are the people who hold all the information about a certain information system and who may cause intentional alteration of data, tampering, sabotage, vandalism, fraud, scandals and many others.
Architecture:
This is the general design of the organization. The design gives the interconnection of the activities and operations of an organization. The design of the organizational structure may determine the security of information by determining how information flows within the organization.
How they will affect individuals and organizations
The risks mentioned above may negatively affect the individuals and organizations involved in several ways. Among them are the disclosure of individuals' or organizations' sensitive information, which may endanger those affected; the creation of unhealthy business competition among the people involved; losses or the closure of an individual's or organization's business activities; and, in general, a negative effect on business performance.

References:
1. Vacca, J. R. (2012). Computer and information security handbook. Newnes.
2. Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems.

Wednesday, November 4, 2015

Role of Cloud Computing in Business Organizations


Cloud computing has brought many promises and benefits to organizations. It has proved to be more than just a simple technology and has been able to transform organizations. Cloud computing plays a vital role in bringing agility. It delivers improved agility through its rapid elasticity and its on-demand self-service. The IT resources required by the organization can now be deployed easily and adjusted to meet the needs of different situations in the organization (Leimeister, Böhm, Riedl, & Krcmar, 2010).
Cloud computing has led to increased productivity. This is because it provides a good environment and enables participants in the organizational structure to share logic. The capability of cloud computing to provide shared logic in an organization leads to improvement in the productive capacity of the organization. Another role of cloud computing in a business organization is that it brings about better quality. This can be attributed to the better usage of information, manageability, quality provision of IT solutions, and the business continuity that results from cloud computing (Leimeister, Böhm, Riedl, & Krcmar, 2010).
There is also minimization of cost when the concept of cloud computing is used. Agility, quality, and increased productivity are often associated with cost increases, but this is not the case when cloud computing is employed. Contrary to the notion that it is expensive, cloud computing helps an organization achieve cost reduction through products such as thin clients, server consolidation, and community sharing. Another role that cloud computing plays in a business organization is the creation of new business opportunities. This is achieved through added service provision and cloud service provision (Leimeister, Böhm, Riedl, & Krcmar, 2010).
References:

1. Leimeister, S., Böhm, M., Riedl, C., & Krcmar, H. (2010, June). The Business Perspective of Cloud Computing: Actors, Roles and Value Networks. In ECIS.

Monday, October 26, 2015

Information Security Measures

Information security measures
Every organization must ensure that information is protected from loss and access by unauthorized parties. The information security measures should consist of physical, technological and administrative safeguards to protect the information (Hill, 2010). Each safeguard is responsible for protecting the organization from unauthorized access by persons from outside and within the company.
Physical safeguards include limiting the physical entry of personnel into the organization or into areas where information is stored. They include a badge program that records information about each employee and their specific access areas. Preventing outside parties such as vendors or salespeople from accessing the network or using personal laptops within the organization is another physical safeguard (Hill, 2010). Physical safeguards also control the movement of hardware and data storage devices such as flash disks in and out of the organization.
Administrative safeguards are important measures for protecting the information within the organization. They include setting policies and procedures that guide the activities of the employees within the organization. Information access management is another administrative measure; it determines who has access to specific information within the organization (Whitman & Mattord, 2012). Security awareness and training help to educate employees on their responsibilities and on the activities they should undertake to prevent loss of information, such as deleting unknown e-mails to avoid phishing.

Technological measures for protecting information include establishing strong passwords to ensure data cannot be easily accessed. Encryption of data in the organization prevents unauthorized parties from understanding the information. Installation of anti-virus and anti-malware software ensures that malicious software is detected and removed before any sensitive information can be leaked (Whitman & Mattord, 2012). The organization has to put strong firewalls in place to protect its computer systems from intrusion. Backing up data regularly prevents its loss if the system is hacked. Updating software periodically to ensure it is up to standard is another technological measure for protecting information.

References:
  1. Hill, D. (2010). Data protection. Boca Raton, FL: Taylor & Francis.
  2. Whitman, M., & Mattord, H. (2012). Principles of information security. Boston, MA: Course Technology.

Common Information Security Threats in Business

Threats to information security
Information security threats include malicious software, stolen laptops or mobile devices, unsecured wireless internet networks, phishing, and outsider/insider employee threats. Malicious software includes worms, spyware, viruses and Trojan horses. Malicious software is secretly installed on the network or computers of the organization and causes internal damage to information by deleting or corrupting it. It extracts information such as passwords and other sensitive data from the organization and uses this information for financial gain through extortion or theft (Sanchez, 2015). Malicious software can also lead to the breakdown of the entire computer network within the organization.
Stolen mobile devices and laptops are another major threat to information security. Once laptops or mobile devices have been stolen, the information on them can be accessed. Laptops hold valuable and sensitive information, so their theft leads to the theft of information (Teixeira, 2007).
Unsecured wireless internet connections provide hackers with an open door into the system. Hackers can easily enter the system through the wireless network and steal valuable information about the organization, its clients or its employees (Teixeira, 2007). An unsecured network gives hackers easy access to the system from outside the organization.
Phishing is the process whereby e-mails disguised to appear to come from an authorized party are sent in an attempt to obtain confidential information, such as administrative passwords, from employees in the organization (Sanchez, 2015). Once an employee enters the password into the link used in the e-mail, the attackers immediately have the password needed to enter the system. Employees must, therefore, be educated to understand the importance of protecting information from threats such as spear phishing sent through e-mail.

Outsider or insider threats are also possible within the organization: outside parties may enter the premises, steal mobile devices or copy information onto storage devices while unmonitored, and walk away with it (Teixeira, 2007). Insider threats include disgruntled employees, who are more dangerous than a hacker since they already have access to the system and can delete or manipulate information at will, causing damage to the organization.


References:
  1. Sanchez, M. (2015). The 10 most common security threats explained. blogs@Cisco - Cisco Blogs. Retrieved 25 October 2015, from http://blogs.cisco.com/smallbusiness/the-10-most-common-security-threats-explained
  2. Teixeira, R. (2007). Top Five Small Business Internet Security Threats. Small Business Trends. Retrieved 25 October 2015, from http://smallbiztrends.com/2007/06/top-five-small-business-internet-security-threats.html

Thursday, October 15, 2015

Some Data Security & Privacy Laws Used in an Organization

My organization of choice is Bank of America. This is among the largest banks in this country and controls a huge market share compared to smaller competitors. This means that it also has a large number of customers for whom it handles financial transactions, which puts it in possession of its customers' financial information, which is considered personal information. Seeing that this information is well protected is one of the most important tasks of the bank, so that it does not face court cases over the disclosure of personal information. This is done using several techniques and is assured by the data security measures that the bank has in place. Among the most important are:
First is the protection of customers' information. This is always the first and the most important. It is usually achieved by having very secure bank systems. Most financial transactions in today's economy are electronic, which means that anyone with access to the bank's data can tell the activities or transactions of a certain customer. In the past, this has been made possible by hackers (Pfleeger and Pfleeger, 2014). With this important data, they could manipulate their victims and sometimes even steal from them, so making sure that the information is inaccessible to any outsider is critical for the organization.
Second is ensuring that records are not tampered with. It is possible for employees of the bank to change the records of a certain account and amend details such as the amount of money in the account, which would allow them to steal money from customers' accounts. It is therefore important to set up policies on who has the right to access the details of a client; this makes it possible to monitor the movement of funds in the organization and closes the loopholes that an employee with wrong intentions might use. In other cases, employees may merely satisfy their curiosity about how much one has, and this too should be limited to make sure that customers have the privacy they deserve.
The bank has put up systems that require different passwords for employees to access a particular type of information from the system. Employees are allowed to access information depending on their particular jobs and the clearance they have from the organization. This makes sure that all customer details are held only by the people who should have them and who can assure their confidentiality. The bank also has rules that punish those found to have gone against the set rules and regulations, so as to make sure that the rules are not taken for granted and that customers' information is well taken care of (Collins, 2014).

In conclusion, all institutions that run their operations through computers are always at risk of losing information, whether through system collapse or through hacking. It is important to have very strict measures on who regulates your data center, as this helps to monitor the whole organization's activities. Having a secure system also improves customer confidentiality and so can act as an active tool in attracting more customers to the business. The loss of enterprise data can also lead to more serious problems, such as the closing down of the company, in particular industries like the financial sector. It is important to make sure that you operate with only correct information so that losses can be avoided at the end of a fiscal year.

References: 
1. Pfleeger, C. P., & Pfleeger, S. L. (2014). Security in computing. Prentice Hall Professional Technical Reference.
2. Robling Denning, D. E. (2012). Cryptography and data security. Addison-Wesley Longman Publishing Co., Inc.
3. Tehan, R. (2008). Data security breaches: Context and incident summaries. New York: Novinka Books.

Information Security in Work Place

A workplace is any floor where employees of an organization meet to undertake their respective duties as assigned by the employer. This is a critical place for any group, as it determines the overall productivity of the employees. Another importance of such a place is that it holds information about the organization and about the activities it undertakes, which might be considered company secrets (Tehan, 2008). It is therefore critical to take into consideration the security of this place so as to ensure that crucial information is never stolen from the organization to the benefit of competitors. Several measures are taken into consideration to make sure the information is safe, and these are:

The first should be regulating people so as to be certain who enters and leaves the building. Several security installations can achieve this, and they are listed below. The first is to post security guards at the entrance of the building. The guards can be the first line of defense, as they can notice any unauthorized persons who enter the building and stop them. They can be posted both in front of the main building and in front of particular offices. These would likely be the principal positions in the organization where the information is stored.

The second would be the installation of both CCTV cameras and metal-detecting devices. Together these help to monitor everybody who comes into the building and everybody who walks out. This means that the system can account for the whole movement of people in the organization and state where they go. The metal detectors are also important, as they help in monitoring what people walk in with and what they come out with. Any suspicious device or item can be checked physically by the guards to make sure that no information is stolen from the organization.

The organization should also provide an under-the-counter alarm system. This means that at any sign of a dangerous customer, the security team can be alerted within seconds through the system, so the response is immediate, which reduces the risk of losing information. Employees should also be briefed on the steps to take in case such a situation arises where there is a threat of losing information that is sensitive to the organization (Robling Denning, 2012). This would help in avoiding a fracas, which is what criminals use to gain the upper hand. It is, therefore, important that there are steps that can be followed during an emergency so as to assure everyone of their security.

System clearance is the other item. In most cases, organizations store their information on computers, which means that to access the information one needs access to the computers. This is where security clearance comes in. Different employees should be given different security clearances depending on how trustworthy they are in character. This means that not all employees should have access to all the information. Depending on the rank of the person, different employees should have different clearances for access to the system, making sure that only a few at the top are trusted with the information.

The computers should also have passwords and other security features that must be passed before a person reaches the final information. Other features may include fingerprint identification and other biometric measures. These are even more effective because they can identify the particular person accessing the information in real time. Alerts should also be in place to inform others in case the information is accessed. Coding is the last security measure that can be used, so that even if the information is obtained, extra effort is needed to understand it, which means it may not be useful to the thief after all.

References: 
1. Collins, M. (2014). Network security through data analysis: Building situational awareness, 1 million log records at a time.