2. INTRODUCTION
WHAT IS INFORMATION SECURITY?
Information security is a process for protecting classified information
from unauthorized users, hacking, or threats.
Most information is stored in computer databases, with limited or high
security networks and technology.
Much of the information stored is either top secret, secret or
confidential.
It contains business plans, trade secrets, employee personal
information, bank accounts, or federal-based information.
These types of systems use high end technology, software, wireless
devices and security products.
Networks are secured and always monitored; wireless devices are
encrypted and microchipped.
3. FACTORS THAT INFLUENCE IT SECURITY
There are various factors that influence Information Security, and they are
based on the Information Security Systems.
Service Agreement
Service provider qualifications
Operational requirements and capabilities
Experienced staff members
Trustworthiness of the service providers
Adequate protection for the organization's systems, applications and
information
4. RISK MANAGEMENT IN INFORMATION TECHNOLOGY
Information security was developed because of hackers, and many
organizations focus mainly on the risk management factors:
IP or Intellectual Property when outsourcing
Data Leakage
Compliance
Visibility for Security
Security at the Speed of Business
Protecting customers from themselves
5. CASE STUDY ON FBI SECURITY AND NETWORKS
FEDERAL BUREAU OF INVESTIGATION
The FBI is one of the biggest federal agencies in the world. It holds
classified information and is always at risk from threats, so its
security systems must be brilliant.
A case study conducted by the GAO stated that some of the FBI's security
networks were not protected.
The GAO found that classified information being transmitted was not secured and
was viewable by unauthorized users.
The system only monitored its external networks, had outdated risk
assessments and a defective security plan, and employees lacked security training.
Their wireless support and technology were not well secured.
6. RESULTS OF GAO CASE STUDY ON FBI
Their current information security system only protected from outside threats
and had an outdated risk assessment, a defective security plan, and employees
who were neither specialized in security systems nor trained or certified.
They did not configure their devices, including wireless devices
and services, to protect against unauthorized users.
Their network did not authenticate users that used the system.
No implementation of authorized access.
Lacked encryption techniques to protect sensitive data.
No logs, audit records to monitor security events
No physical security for the network
Patching of key servers and workstations
7. WIRELESS INFORMATION SECURITY FOR FEDERAL AGENCIES
Federal agencies use wireless technology for its benefits, which include increased
flexibility, easier installation and easier scalability.
Federal agencies' wireless infrastructure enables devices to connect to the agency
network from any public internet access.
It is all managed by a wireless router.
The three most commonly used wireless technologies are:
WLAN or Wireless local area network
Wireless Personal Area Network
Wireless Cellular Networks
But sometimes these networks are not secured connections, which could lead to
information being leaked out.
8. WIRELESS SECURITY THREATS
Bluetooth devices and other personal wireless devices like smartphones
are the most common network threats.
They are unsecured and they use the internet publicly to transmit data,
which is viewable to other networks.
A document published by the GAO, GAO-11-43, found a few threats
related to wireless networks:
During an investigation in 2008 at 27 airports, it was found that
wireless networks had personal information which could be leaked out.
Smartphones were tagged, monitored and exploited at the 2008
Beijing Olympics due to a software threat to email servers.
A retail store was hacked in 2007: its wireless networks were tested to get
credit card information of about 45 million customers and more.
9. SOLUTION
Implementing a security system that has a centralized structure for
management.
Their internal networks should be monitored and encrypted.
Wireless devices should include security tools, authentication, VPN and
firewalls.
Access points should be made secure to avoid unintended users.
Password-protect devices and computer database access.
Wireless devices like smartphones, Bluetooth and laptops should be
monitored, recorded, and microchipped.
Management should have access to all the systems and employee networks
Management should be able to collect data, report issues and threats.
10. MANAGEMENT'S ROLE
Managers play a vital role in information security.
If information needs to be protected, managers and executives should be able to
monitor employee activities and networks.
They should have access to all the security networks and systems which will help
them detect if there is a threat.
They should be trained and certified in information security.
A centralized structure, such as monitoring configuration settings,
assists managers in viewing the entire wireless network.
Managers have control over preventing use of external media and the use of
unauthorized or unlicensed software for viewing of explicit material.
Managers should be well trained and certified.
11. LEGAL ISSUES
Legality of MIS security in a workplace is to maintain individual rights
and privacy.
Information is not only stored in the database but is also administered by
a group or individual.
Managers need to be insensitive not only to the staff but to legal needs of
their clients.
According to Bakos:
“Work on bounded rationality, human decision making, the value of
information, the extraction of monopoly rents, the functioning of markets
under imperfect information, barriers to entry, and Williamson's work on
transaction costs and organizational boundaries, provide relevant
reference theories.”
Management and cost advantages are equally linked.
12. LEGAL LAWS IN CASE OF A SECURITY BREACH
Computer Fraud and Abuse (18 US Code 1030), which forms the basis of federal
intervention in computer crimes and which has a minimum of $5000 of the damage
caused.
Credit Card Fraud (18 US Code 1029), which states that it is a crime to possess
fifteen or more counterfeit credit cards. Most computer systems are accused of
stealing credit card numbers and this law can be used against the person.
Copyright Violations (18 US Code 2319): if one is distributing or manufacturing
copyrighted material, the fine is $1000 to about $2500.
Interception (US Code 2511): no one can tap a phone without a warrant.
Access to Electronic Information (18 US Code 2701): it prevents authorized users
from accessing systems that store electronic information but has exceptions for the
owners of the service.
13. SPYWARE
Spyware was initially a way for employers to view employees' activities.
Now it has become an ethical and legal tool used by criminals.
Spyware is more of a threat to most security companies and programmers.
It is now in the realm of constitutional law and First Amendment rights to privacy and to
liberties with their own information.
Congress has gotten involved in the legislation of the software.
According to Sipior, Ward, and Roselli:
“The ethical and legal concerns associated with spyware calls for a
response. Before these fonts will ultimately be determined by the
user, organization, and government actions through assessment of the
case and effectiveness of various approaches to battling spyware.”
The ethics of spyware use in the workplace to supervise the activities of employees
is still being debated.
14. ETHICAL PERCEPTIONS
The ethical perception of an unbiased professional has to change.
Former MIS technicians have brought down companies, stolen information, and
have cost billions in lost revenue.
MIS technicians control the actual technology that the company relies on.
A positive relationship should exist between the technicians and the employer or
client to allow for more ethical behavior to exist.
The best way is to make sure that the right technicians are hired; employers need to
examine ethical behavior and individual skills.
15. CONCLUSION
Risk assessment, systems updates and technology updates are very important for a
secure information security system.
Managers should have a more centralized and overall view of networks and also
access to classified information.
Managers should be able to view employee activities and monitor the security
and wireless networks.
All personal devices or wireless equipment used to transmit information should
be secured, encrypted, physically protected, traced, recorded and monitored.
Ethical and legal issues should be followed and dealt with in a proper way.
Staff and managers should be experienced, well trained and certified in
information security systems.