Modern organizations and businesses continue to face complex security threats to their information technology (Jawadekar, 2013). At the same time, the vulnerability of IT infrastructures to potential attacks is rising at an alarming rate. IT infrastructures are the cornerstone of organizational management. Security plays a significant role in an organization, which is why most organizations have deployed state-of-the-art network security equipment to keep attackers out of their systems (Jawadekar, 2013). However, there are instances when an organization experiences cyber-attacks from inside the security perimeter. Therefore, as a senior technology analyst, my job is to ensure the effectiveness of information technology security in my Private Equity Company. This paper reviews the organization’s infrastructure and potential vulnerabilities, security models, the design of a security plan, a code of ethics and a security awareness program.
Vulnerability Analysis
Technological vulnerabilities continue to grow as technology advances. In information technology, a vulnerability is a weakness that an attacker may exploit to access essential information within the environment (Reynolds, 2014). A vulnerability in a company’s infrastructure therefore indicates the absence of a safeguard. The types of vulnerabilities include human, environmental and physical.
Environmental Vulnerabilities
Environmental factors include natural events such as floods and earthquakes, and hazards arising from the immediate infrastructure in which the organization’s assets are located. Improper environmental control in an organization can damage hardware and software (Jawadekar, 2013). Environmental vulnerabilities include power failure, atmospheric conditions, electrical interference, and pipe leaks. Jawadekar (2013) argued that when an organization fails to control the power, ventilation, air quality, heating, and air conditioning in its facility, it leaves the IT infrastructure vulnerable to potential attacks. Without a properly climate-controlled atmosphere, computer systems overheat. Similarly, failure to clean computer fans leads to improper operating temperatures, which change the electronic characteristics of components and reduce the efficiency of the computers.
In addition, regarding atmospheric conditions, high humidity causes corrosion while low humidity results in excessive static electricity. Static discharge causes short circuits in electrical equipment, leading to loss of data (Jawadekar, 2013). Moreover, low temperatures cause computer systems and other devices to slow down or stop functioning, while high temperatures make equipment draw more fan power and eventually shut down because it cannot withstand the resulting damage.
If, during construction of the IT infrastructure, the water, steam and gas pipes are not fitted with proper shutoff valves, water and gas leaks may occur and damage computer systems and peripheral devices. Likewise, if the shutoff valves are not accessible, the IT infrastructure is vulnerable in case of a break in the main water pipes or gas lines.
Physical Vulnerabilities
Physical vulnerabilities entail deliberate attempts by a human actor to obtain vital information from the system, to disrupt the system to the disadvantage of the organization, or to manipulate the system to benefit the threatening party. The common physical vulnerabilities in the organization include the following. First, the organization allows unrestricted access to engineering and utility space. Individuals accomplish active infiltration by penetrating a facility they have no authorization to enter (Cherdantseva, Burnap, Blyth, Eden, Jones, Soulsby & Stoddart, 2016). For instance, the Private Equity Company keeps critical equipment in a single location, so a person who gains access to that area may obtain vital information about the organization and cause serious damage.
System programmers can create unauthorized entry points that give individuals a means to bypass internal security controls, thus destabilizing the system. Moreover, physical vulnerability may include implicit trap-doors resulting from an incomplete system design. System programmers may decide to create loopholes in the protection mechanisms to benefit the threatening party and cause the organization to suffer (Cherdantseva et al., 2016). For instance, the organization might have an unusual combination of system control variables that a person can use as an entry path to all the security features in the facility or system.
The second vulnerability is the existence of an agent within the secure organization. An agent operating in the organization can obtain removable files or develop trap-doors in order to exploit the whole operation later. In addition, the agent might be placed in the company to gain knowledge of the system’s operations and installation and to obtain any vital information that comes his way. The third vulnerability is the existence of the Trojan human. Trojan humans can be in the organization without anyone noticing: they are dressed in the organization’s attire or pose as a legitimate technician (Cherdantseva et al., 2016). With such tricks, an individual may penetrate secure environments such as server rooms. Similarly, they may gain access to employee computers and cause damage.
Human Vulnerabilities
Humans make mistakes, and most successful security attacks have occurred because external hackers exploited human weaknesses. Human error covers anything a person operating the system or working in the organization does incorrectly. Human vulnerabilities include omissions, malfunctions, programming errors and misconfigurations. Moreover, one of the leading human errors that can make the IT infrastructure vulnerable is sending vital documents to unintended recipients (Cherdantseva et al., 2016). The situation is aggravated when security personnel fail to deploy security controls that monitor critical information leaving the organization. Therefore, by inadvertently sending sensitive information to an unintended recipient, the organization is on the verge of losing critical data to hackers.
The second human vulnerability is the blind acceptance of phishing emails. These emails ask a person to perform certain tasks so that the attacker can acquire personal information from them. Therefore, when an employee accidentally acts on a phishing email, they disclose their own information and that of the organization to the attackers. Similarly, when the organization fails to train employees on ways to detect phishing emails, it worsens the human error. Some employees in the organization may fail to report phishing emails because they lack knowledge of such emails, thus inviting further attacks.
Security Models to Overcome Associated Security Risks
The prevalence of security issues in the organization means that the management will have to implement certain security measures that would help in overcoming the associated security risks. The security models will entail user authentication, firewall, IT security management and backup.
User Authentication
With authentication, employees in the organization shall be required to identify themselves and to authenticate their identity to the system before they are permitted to access classified information or enter the facility. Any person who attempts to perform a task in the system as a user should be authorized to carry out that operation. The choice of authentication technique will depend on the sensitivity of the information stored in the system, the security level and the physical location of the user terminal (Kim & Solomon, 2016). The organization shall use authentication methods such as biometric devices and a callback system. Biometric devices authenticate users by translating their personal characteristics into digital codes that are compared with the codes stored in the organization’s database.
In the case of our organization, we shall use the following biometric devices. First, fingerprint recognition measures the user’s blood flow and checks and compares the arrayed ridges at the fingertips. Second, facial recognition analyzes the features of a person’s face in images captured by a digital video camera (Kim & Solomon, 2016). Third, with voice recognition, the device compares the user’s live speech with his stored voice patterns in the database. The device requires the user to speak into a microphone so that it can recognize his access phrase (Kim & Solomon, 2016). Moreover, to prevent the use of recorded voice, the device checks that the high and low frequencies of the sound produced by the user match. Lastly, we shall use a signature recognition system that recognizes the shape of the user’s handwritten signature. Similarly, the device will check that the pressure exerted and the motion used to write the signature tally. It will involve the use of a special pen and tablet. Therefore, user authentication is ideal for the organization because it will help control unauthorized access to data. Similarly, biometric devices assure the confidentiality and privacy of the user’s information.
Information Technology Security Management
The focus of IT security management is to guarantee the organization the availability, integrity, and confidentiality of its information and IT services (El-Kafrawy, Abdo & Shawish, 2015). The measure will involve an information security manager who will drive the organizational approach to security matters. The following are the information security management sub-processes that would help mitigate the loss of confidential information to attackers. First, IT security management involves the design of security controls. This sub-process aims to design appropriate technical and organizational measures to guarantee the security, confidentiality, availability and integrity of the company’s physical assets, data, information and IT services.
Second, security testing ensures that the organization’s security mechanisms are put through regular testing. Third, IT security management involves managing security incidents. This sub-process helps the security team identify and fight intrusions and attacks from both internal and external sources (El-Kafrawy, Abdo & Shawish, 2015). Moreover, it is an ideal mechanism for minimizing the damage caused by security breaches. Fourth, IT security management entails security review. This sub-process is significant since it reviews whether the security measures and processes agree with the perceived risks. In addition, it validates whether the organization consistently manages and tests its security measures and processes.
Firewall
Most organizations have moved to the use of a firewall as a security measure. In the case of my organization, it would be ideal to employ this measure to deny intruders access to our systems. A firewall is a device that an organization or individual uses to block internet communications from reaching a private resource such as the organization’s servers, computer systems and network. A firewall is an effective device; however, it can be undermined when the protected resource has a modem or auto-answer configuration. A firewall works by protecting everything that is behind it from whatever might come at it from the front.
The two types of firewalls are protocol-level and application-level firewalls. A packet filtering firewall uses the packet’s header to determine whether an incoming packet is acceptable. Although this approach is fast and requires less skill, it is vulnerable because it cannot recognize a spoofing attack from the incoming packet alone (El-Kafrawy, Abdo & Shawish, 2015). For our case, dynamic packet filtering firewalls would be the ideal device since they provide improved protection against incidents such as spoofing. Application-level firewalls play an essential role in protecting computer systems and servers by offering high-level security, since the device understands how the application communicates. Therefore, with firewalls the organization can overcome risks such as misconfigurations due to human vulnerability.
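The difference between a static packet filter and a dynamic (stateful) one is easiest to see in code. The following Python model is an added illustration written for this paper, not a product or a configuration taken from any firewall vendor. The LAN addresses (10.0.0.0/24, with 10.0.0.5 as the public web server) and the external addresses (from the RFC 5737 documentation ranges) are constructed for the example. The static filter admits any inbound packet carrying the ACK flag on the assumption that it is a reply to an internal request; the dynamic filter instead remembers which connections were opened from inside and admits only packets that match one of them, which is why a forged "reply" is dropped.

```python
from dataclasses import dataclass

# Constructed sample topology: 10.0.0.0/24 is the company LAN and 10.0.0.5 is the
# published web server. External hosts use RFC 5737 documentation addresses.
WEB_SERVER = ("10.0.0.5", 443)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "in" = arriving from the internet, "out" = leaving the LAN
    flags: frozenset    # TCP flag names, e.g. frozenset({"SYN", "ACK"})


class StaticPacketFilter:
    """Static packet filter: every decision uses the packet header alone."""

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            return True                                   # outbound traffic is permitted
        if (pkt.dst_ip, pkt.dst_port) == WEB_SERVER:
            return True                                   # the public service is reachable
        # "Established" rule: an inbound packet with ACK set is taken to be a reply to an
        # internal request. The filter has no memory with which to verify that claim.
        return "ACK" in pkt.flags


class DynamicPacketFilter:
    """Dynamic (stateful) packet filter: remembers connections opened from inside and
    admits inbound packets only when they belong to one (or to a published service)."""

    def __init__(self):
        self.connections = set()   # 4-tuples (src_ip, src_port, dst_ip, dst_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if "SYN" in pkt.flags:                        # a new connection leaves the LAN
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if (pkt.dst_ip, pkt.dst_port) == WEB_SERVER:
            return True
        # A genuine reply reverses the 4-tuple of a connection we watched leave.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections


def run_scenario():
    """Feeds the same constructed traffic, in order, to both filters.
    Returns {scenario: (static_decision, dynamic_decision)}."""
    static, dynamic = StaticPacketFilter(), DynamicPacketFilter()
    traffic = {
        # 1. An employee workstation opens a connection to an external web site.
        "request_out": Packet("10.0.0.20", 51000, "203.0.113.9", 80, "out", frozenset({"SYN"})),
        # 2. The genuine SYN+ACK reply to that request.
        "genuine_reply": Packet("203.0.113.9", 80, "10.0.0.20", 51000, "in", frozenset({"SYN", "ACK"})),
        # 3. An unsolicited packet with ACK set, from a host nobody inside contacted.
        "spoofed_ack": Packet("198.51.100.7", 80, "10.0.0.20", 51000, "in", frozenset({"ACK"})),
        # 4. A connection attempt from the internet to an internal SSH port.
        "unsolicited_syn": Packet("198.51.100.7", 4444, "10.0.0.20", 22, "in", frozenset({"SYN"})),
        # 5. A client reaching the published web server.
        "public_web": Packet("203.0.113.40", 40000, "10.0.0.5", 443, "in", frozenset({"SYN"})),
    }
    return {name: (static.allow(p), dynamic.allow(p)) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (s, d) in run_scenario().items():
        print(f"{name:16s} static={'allow' if s else 'drop':5s} dynamic={'allow' if d else 'drop'}")
```

Only the third packet separates the two filters: the static rule lets the forged ACK through because the header looks like a reply, while the dynamic filter drops it because no connection to 198.51.100.7 was ever opened from inside. A real stateful firewall also ages entries out of its table and tracks sequence numbers, which this model omits.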
Backup
Backing up critical information and data is vital for disaster recovery. The organization regards data as its heart; therefore, it will do anything to protect it. For instance, backing up data or the organization’s files guarantees protection against database corruption, hardware failure, natural disaster and accidental loss of user data (El-Kafrawy, Abdo & Shawish, 2015). Since there are situations in which files or data are accidentally deleted due to unavoidable circumstances, the organization should make use of its backup and recovery plan.
The backup types will depend on the information the organization would like to protect and the convenience of retrieving that information. The best type of backup for Private Equity Company is a daily backup. The approach is significant because files are backed up on a daily basis (Kim & Solomon, 2016). Moreover, it would be important to use the full backup approach. This approach ensures that all files the employee has selected are backed up regardless of the state of the archive attribute. Some of the common backup solutions the organization might use include tape drives, magnetic and optical drives, autoloader tape systems, disk drives, removable disks and digital audio tape drives.
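The role of the archive attribute is clearer with a worked example. The Python model below is an added illustration written for this paper, not code from any backup product; the file server, the file paths and the week of edits are all constructed. A file's archive attribute is set whenever the file is created or changed. A full backup copies every selected file and clears the attribute; an incremental backup copies only the files whose attribute is still set. The example runs a full backup, two incrementals and then a daily full backup, and shows that the daily full run copies everything again even though every archive attribute had already been cleared.

```python
from dataclasses import dataclass


@dataclass
class StoredFile:
    content: bytes
    archive: bool = True   # set whenever the file is created or changed


class FileServer:
    """Constructed stand-in for the company file share."""

    def __init__(self):
        self.files = {}

    def write(self, path: str, content: bytes):
        self.files[path] = StoredFile(content, archive=True)


def full_backup(server: FileServer, selected) -> dict:
    """Copies every selected file whether or not its archive attribute is set,
    then clears the attribute so later incremental runs start from this point."""
    copy = {}
    for path in selected:
        f = server.files[path]
        copy[path] = f.content
        f.archive = False
    return copy


def incremental_backup(server: FileServer, selected) -> dict:
    """Copies only the selected files whose archive attribute is set (changed since
    the previous backup), then clears the attribute."""
    copy = {}
    for path in selected:
        f = server.files[path]
        if f.archive:
            copy[path] = f.content
            f.archive = False
    return copy


def restore(full: dict, incrementals) -> dict:
    """Rebuilds the data set: the full backup first, then each incremental in order."""
    state = dict(full)
    for inc in incrementals:
        state.update(inc)
    return state


def run_week():
    """A constructed week: full backup, two incrementals, then a daily full backup."""
    server = FileServer()
    server.write("/deals/falcon.docx", b"v1")
    server.write("/lp/investor-list.xlsx", b"v1")
    server.write("/hr/handbook.pdf", b"v1")

    def selected():
        return sorted(server.files)          # the employee selects every file

    full = full_backup(server, selected())                 # Monday
    server.write("/deals/falcon.docx", b"v2")              # Tuesday: one edit, one new file
    server.write("/deals/falcon-model.xlsx", b"v1")
    inc1 = incremental_backup(server, selected())
    server.write("/lp/investor-list.xlsx", b"v2")          # Wednesday: one edit
    inc2 = incremental_backup(server, selected())
    daily_full = full_backup(server, selected())           # Thursday: full run, archive bits all clear

    restored = restore(full, [inc1, inc2])
    return {
        "full_count": len(full),
        "inc1_count": len(inc1),
        "inc2_count": len(inc2),
        "daily_full_count": len(daily_full),
        "restore_matches_live": restored == {p: f.content for p, f in server.files.items()},
    }


if __name__ == "__main__":
    for key, value in run_week().items():
        print(f"{key}: {value}")
```

The counts show the trade-off the paragraph describes: the incrementals are small (two files, then one), but restoring from them requires the full backup plus every incremental in order, whereas the daily full backup copies all four files and can be restored on its own. Note that this simple model does not record deletions, so a file removed from the server would reappear after an incremental restore; real backup software keeps a catalogue for that purpose.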
A Robust Security Plan
Since the organization collects and stores clients’ information, and because of our reliance on technology, it would be ideal to implement a multi-pronged approach that safeguards the information of both the organization and the client. Therefore, protecting the organization’s assets and other critical information comes down to designing a robust security plan. The organization’s security plan entails security policies (Kim & Solomon, 2016). These policies provide specific guidelines and steps to follow for a successful implementation. Moreover, the organization’s security plan policies will have to identify what is valuable and the steps needed to safeguard those assets. The following are the key components of Private Equity Company’s security plan.
Network Security Policy
The security policy will define the limits of acceptable use of the network. The organization will use strong passwords, update them regularly, and require employees not to share passwords. Similarly, when accessing the system, users must enter their passwords at authentication time. The organization will communicate policies governing the installation and use of external software. Moreover, when employees use personal devices such as smartphones, laptops, and tablets to access the network, they should configure the devices securely. The organization will use a reliable Mobile Device Management solution to ensure that personal devices are safely set up on the network.
Communication Policy
For legal and security reasons, the organization will define rules for the use of email and internet resources. Policies governing the use of the company’s email help employees reduce the risk of inadvertent misuse. Besides, the guidelines cover using email to conduct official business and personal business, managing and retaining email messages, and protecting confidential information (Kim & Solomon, 2016). Moreover, the plan recommends restrictions on data transfer and settings requirements for sharing digital files within and outside the organization’s network. The plan specifies guidelines on personal internet use, social media and instant messaging. Private Equity Company reserves the right to monitor all communication sent and stored on the company’s systems.
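The communication policy above, together with the earlier point that sending vital documents to an unintended recipient is worsened when nothing monitors information leaving the organization, can be backed by an outbound mail check. The Python below is an added illustration written for this paper, not the company's or any vendor's data loss prevention product. The internal and partner domains, the sample messages and the sensitive-content patterns are constructed; the IBAN and SSN patterns are deliberately simple and a real engine would validate check digits and context. The check classifies each outbound message as allowed, held for a reviewer (sensitive content going to an approved partner), or blocked (sensitive content going to a domain the company does not recognise, which is exactly what a mistyped recipient address looks like).

```python
import re
from dataclasses import dataclass, field

# Constructed domains for the example; the company's real domains are not on the page.
INTERNAL_DOMAINS = {"pe-company.example"}
APPROVED_PARTNER_DOMAINS = {"counsel-llp.example"}

# Markers that indicate sensitive content. Patterns are simplified for illustration.
SENSITIVE_PATTERNS = {
    "classification_label": re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachment_names: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def inspect(mail: OutboundMail):
    """Returns (verdict, findings).
    'allow'  - no external recipient, or nothing sensitive in the message
    'hold'   - sensitive content addressed only to approved partner domains
    'block'  - sensitive content addressed to a domain the company does not recognise"""
    external = [r for r in mail.recipients if domain_of(r) not in INTERNAL_DOMAINS]
    unrecognised = [r for r in external if domain_of(r) not in APPROVED_PARTNER_DOMAINS]
    scanned = "\n".join([mail.subject, mail.body, *mail.attachment_names])
    findings = sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(scanned))
    if not external or not findings:
        return "allow", findings
    if unrecognised:
        return "block", findings
    return "hold", findings


def run_samples():
    """Constructed outbound messages; returns {name: verdict}."""
    me = "analyst@pe-company.example"
    samples = {
        # Sensitive, but it never leaves the company.
        "internal_only": OutboundMail(me, ["cfo@pe-company.example"],
                                      "CONFIDENTIAL: Q3 valuation", "See attached."),
        # Deal memo to outside counsel: sensitive, but the domain is approved.
        "partner_deal_memo": OutboundMail(me, ["partner@counsel-llp.example"],
                                          "Project Falcon", "Draft memo attached.",
                                          ["Falcon-memo-CONFIDENTIAL.docx"]),
        # Same intended partner, but the domain is mistyped: the misdirected-email case.
        "misdirected_typo": OutboundMail(me, ["partner@counsel-lpp.example"],
                                         "Wire details",
                                         "Please pay to GB29NWBK60161331926819 by Friday."),
        # External but harmless.
        "harmless_external": OutboundMail(me, ["vendor@example.net"],
                                          "Lunch", "Shall we meet at noon?"),
    }
    return {name: inspect(m)[0] for name, m in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict}")
```

The "hold" verdict is the practical middle ground the policy needs: legitimate sharing with approved partners is not silently blocked, but it is routed to a reviewer, which also produces the audit trail that the monitoring clause of the policy relies on.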
Inappropriate Use
The organization prohibits the use of company-owned systems or networks to hack or distribute viruses. The plan requires the organization to restrict and block employees from visiting websites that are unauthorized or prohibited (Kim & Solomon, 2016). For example, it is not acceptable for employees to use the company’s internet resources to visit a BitTorrent site and download TV series or music.
Code of Ethics Related to the IT Profession
In the course of working for Private Equity Company, IT employees performing regular tasks may have access to critical information in the file system, servers, network, applications, emails and computers that the organization must protect. The organization’s code of ethics describes its ethical values and the ways employees should approach various issues (Reynolds, 2014). First, IT professionals shall avoid harm to others. The code of ethics requires employees to avoid negative consequences such as property damage and the undesirable loss of company information. Therefore, IT professionals at Private Equity Company are prohibited from using computing technology to harm users, employees, and employers. In this case, harmful acts include the intentional destruction of files and programs.
Second, IT professionals shall exhibit honesty and trustworthiness. An organization that works without trust cannot function effectively. IT professionals should not make deceptive claims about system design or anything else relating to the organization’s IT infrastructure (Reynolds, 2014). On the same note, IT professionals in this organization shall disclose all pertinent system limitations. Third, IT professionals shall honor property rights. The law prohibits violation of trade secrets, copyrights and patents and of the organization’s license agreement terms. Fourth, IT professionals shall respect the privacy of other people. According to Reynolds (2014), computing and communication technology entails collecting and exchanging personal information. Therefore, professionals in the organization should maintain privacy and integrity when handling data that describes individuals.
An End User Security Awareness Program
The organization’s security awareness program focuses on educating users on their obligation to help protect the availability, confidentiality, and integrity of the company’s information assets and data. Besides, the program raises collective awareness of the benefits of having and controlling security (Kim & Solomon, 2016). Designing the security awareness program will entail the following. First, general security training will include all employees in the organization regardless of their positions. The topics covered during the training program include education on policies and procedures and the rules for handling confidential data. Similarly, the program will include a topic on whom employees should contact when they experience a security threat. The advantage of general security training is that it suits mass communication channels such as posters, emails, web-based training and newsletters (Kim & Solomon, 2016).
Second, group-specific training aims at employees with particular skills (Kim & Solomon, 2016). In this organization, the topics the program will concentrate on include the following. For IT operations staff, the program will cover disaster recovery and business continuity planning. Finance staff will receive fraud detection training, while the development organization will be trained on coding, design, and architecture. Group-specific training will include educational conferences and instructor-led training.
Conclusion
The vulnerability of IT infrastructures to potential attacks is rising at an alarming rate. The types of vulnerabilities include human, environmental and physical. Environmental vulnerabilities include power failure, atmospheric conditions, electrical interference, and pipe leaks. Common physical vulnerabilities in the organization include unrestricted access to engineering and utility space, unauthorized entry points created by system programmers, and the presence of Trojan humans and agents. Human vulnerabilities include omissions, malfunctions, programming errors and misconfigurations. The organization should use security models such as user authentication, firewalls, IT security management and backup to overcome security risks. The organization’s security plan entails security policies such as a network security policy, a communication policy, and an inappropriate use policy. The organization’s code of ethics describes the ethical values of the organization and the ways employees should approach various issues. The security awareness program entails general security training and group-specific training.
References
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & Security, 56, 1-27.
El-Kafrawy, P. M., Abdo, A. A., & Shawish, A. F. (2015). Security issues over some cloud models. Procedia Computer Science, 65, 853-858.
Jawadekar, W. S. (2013). Management information systems: Text and cases: a global digital enterprise perspective. New Delhi: McGraw Hill Education.
Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Burlington, Massachusetts: Jones & Bartlett Publishers.
Reynolds, G. W. (2014). Ethics in information technology. Australia: Course Technology.