INFORMATION SECURITY IN MANAGEMENT INFORMATION SYSTEMS
Andy Hernandez, Steffi Ann Fernandes
INTRODUCTION
WHAT IS INFORMATION SECURITY?
Information security is a process for protecting classified information from unauthorized users, hacking, or threats. Most information is stored in computer databases, with limited or high security networks and technology. Much of the information stored is either top secret, secret or confidential. It contains business plans, trade secrets, employee personal information, bank accounts, or federal based information. These types of systems use high end technology, software, wireless devices and security products. Networks are secured and always monitored; wireless devices are encrypted and micro chipped.
FACTORS THAT INFLUENCE IT SECURITY
There are various factors that influence Information Security, and they are based on the Information Security Systems.
Service agreement
Service provider qualifications
Operational requirements and capabilities
Experienced staff members
Trustworthiness of the service providers
Adequate protection for the organization's systems, applications and information
RISK MANAGEMENT IN INFORMATION TECHNOLOGY
Information security was developed because of hackers, and many organizations focus mainly on the risk management factors.
IP or Intellectual Property when outsourcing
Data Leakage
Compliance
Visibility for Security
Security at the Speed of Business
Protecting customers from themselves
CASE STUDY ON FBI SECURITY AND NETWORKS
FEDERAL BUREAU OF INVESTIGATION
One of the biggest federal agencies in the world. As we all know, they contain classified information and are always at risk and a source of threats, hence their security systems must be brilliant.
A case study conducted by the GAO stated that some of the FBI's security networks were not protected.
The GAO found that classified information being sent over was not secured and was viewable by unauthorized users.
The system only monitored its external networks, had outdated risk assessments, a defective security plan, and employees lacked security training.
Their wireless support and technology was not well secured.
RESULTS OF GAO CASE STUDY ON FBI
Their current information security system only protected from outside threats, with outdated risk assessment, a defective security plan, and employees not specialized in security systems nor trained or certified.
They did not configure their devices, which includes wireless devices and services, against unauthorized users.
Their network did not authenticate users that used the system.
No implementation of authorized access.
Lacked encryption techniques to protect sensitive data.
No logs or audit records to monitor security events.
No physical security for the network.
Patching of key servers and workstations.
WIRELESS INFORMATION SECURITY FOR FEDERAL AGENCIES
Federal agencies use wireless technology, which offers increased flexibility, easier installation and easier scalability.
Federal agencies' wireless infrastructure enables devices to connect to the agency network from any public internet access.
It is all managed by a wireless router.
The three most commonly used wireless technologies are:
WLAN or Wireless Local Area Network
Wireless Personal Area Network
Wireless Cellular Networks
But sometimes these networks are not secured connections and could lead to information being leaked out.
WIRELESS SECURITY THREATS
Bluetooth devices and other personal wireless devices like smartphones are the most common network threats.
They are unsecured and they use the internet publicly to transmit data, which is viewable to other networks.
A document published by the GAO, GAO-11-43, found a few threats related to wireless networks:
During an investigation in 2008 at 27 airports it was found that wireless networks had personal information which could be leaked out.
Smartphones were tagged, monitored and exploited at the 2008 Beijing Olympics due to a software threat to email servers.
A retail store was hacked in 2007: wireless networks were tested to get credit card information of about 45 million customers and more.
SOLUTION
Implementing a security system that has a centralized structure for management.
Their internal networks should be monitored and encrypted.
Wireless devices should include security tools, authentication, VPN and firewalls.
Access points should be made secure to avoid unintended users.
Password protect devices and computer database access.
Wireless devices like smartphones, Bluetooth and laptops should be monitored, recorded, and micro chipped.
Management should have access to all the systems and employee networks.
Management should be able to collect data, report issues and threats.
MANAGEMENT'S ROLE
Managers play a vital role in information security.
If information needs to be protected, managers and executives should be able to monitor employee activities and networks.
They should have access to all the security networks and systems, which will help them detect if there is a threat.
They should be trained and certified in information security.
A centralized structure, such as monitoring configuration settings, assists managers in viewing the entire wireless network.
Managers have control over preventing use of external media and the use of unauthorized or unlicensed software for viewing of explicit material.
Managers should be well trained and certified.
LEGAL ISSUES
Legality of MIS security in a workplace is to maintain individual rights and privacy.
Information is not only stored in the database but is also administered by a group or individual.
Managers need to be insensitive not only to the staff but to legal needs of their clients.
According to Bakos, “Work on bounded rationality, human decision making, the value of information, the extraction of monopoly rents, the functioning of markets under imperfect information, barriers to entry, and Williamson's work on transaction costs and organizational boundaries, provide relevant reference theories.”
Management and cost advantages are equally linked.
LEGAL LAWS IN CASE OF A SECURITY BREACH
Computer Fraud and Abuse (18 US Code 1030), which forms the basis of federal intervention in computer crimes and which has a minimum of $5000 of the damage caused.
Credit Card Fraud (18 US Code 1029), which states that it is a crime to possess fifteen or more counterfeit credit cards; most computer systems are accused of stealing credit card numbers and this law can be used against the person.
Copyright Violations (18 US Code 2319): if one is distributing or manufacturing copyrighted material, the fine is $1000 to about $2500.
Interception (US Code 2511): no one can tap a phone without a warrant.
Access to Electronic Information (18 US Code 2701): it prevents authorized users from accessing systems that store electronic information but has exceptions to the owners of the service.
SPYWARE
Spyware was initially a way for employers to view employees' activities.
Now it has become an ethical and legal tool used by criminals.
Spyware is more of a threat to most security companies and programmers.
It is now in the realm of constitutional law and first amendment rights to privacy and to liberties with their own information.
Congress has gotten involved in the legislation of the software.
According to Sipior, Ward, and Roselli, “The ethical and legal concerns associated with spyware calls for a response. Before these fonts will ultimately be determined by the user, organization, and government actions through assessment of the case and effectiveness of various approaches to battling spyware.”
The ethics of spyware use in the workplace to supervise the activities of employees is still being debated.
ETHICAL PERCEPTIONS
The ethical perception of an unbiased professional has to change.
Former MIS technicians have brought down companies, stolen information, and have cost billions in lost revenue.
MIS technicians control the actual technology that the company relies on.
A positive relationship should exist between the technicians and the employer or client to allow for more ethical behavior to exist.
The best way is to make sure that the right technicians are hired; employers need to examine ethical behavior and individual skills.
CONCLUSION
Risk assessment, systems updates and technology updates are very important for a secure information security system.
Managers should have a more centralized and overall view of networks and also access to classified information.
Managers should be able to view employee activities and monitor their security and wireless networks.
All personal devices or wireless equipment used to transmit information should be secured, encrypted, physically protected, traced, recorded and monitored.
Ethical and legal issues should be followed and dealt with in a proper way.
Staff and managers should be experienced, well trained and certified in information security systems.