Information Security Strategy for EasyShopping
Technology is a vital part of today's global market and business operations. Information technology can be seen in every nook and corner of a business. Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.
Since businesses have become more fluid, the concept of computer security has now been replaced by the concept of Information Security. This is because the new concept covers a broader range of issues, from the protection of data to the protection of human resources. Information Security is therefore no longer the duty of a small group of people in a company; it is the responsibility of every employee, and especially of managers.
Information Security is the protection of information from a wide range of threats in order to ensure business stability, minimize business risk, and maximize return on investment and business opportunities. In general, security is defined as “the quality or state of being secure - to be free from danger”.
To implement the Information Security Strategy for EasyShopping, we look at the following specialized areas of security that contribute to the Information Security program.
- Physical Security - Protects people, physical assets and the workplace from various threats, including fire, unauthorised access and natural disasters.
- Personal Security - Protects the people within EasyShopping.
- Operations Security - Secures EasyShopping's ability to carry out its operational activities without interruption or compromise.
- Communications Security - Protects EasyShopping's communication media, technology and content, and the ability to use these tools to achieve the organization's objectives.
- Network Security - Protects an organization's data networking devices, connections and content, and the ability to use that network to accomplish EasyShopping's data communication functions.
Key concepts of Information Security
EasyShopping needs to develop a security strategy to protect both the company's system and its customers. To develop this strategy we must be familiar with the three key characteristics of information that make it valuable to an organization: confidentiality, integrity and availability. This means the system should protect data from being disclosed to unauthorized people, data should not be modifiable by unauthorized people, and data should always be available when it is needed.
Much important information is held in the EasyShopping information system, so sensitive data must not be disclosed to any user who is not authorized to access it. This security strategy therefore implements confidentiality of data. The vital features of confidentiality are identification, authentication and authorization.
Integrity means that data resists alteration or substitution, or that any such change is detected and provable. In other words, information can only be accessed or modified by authorized people. The integrity of information is threatened when it is exposed to corruption, damage or destruction. It can also be compromised by hackers, unauthorised users or malicious code, and these threats can harm data or programs.
By making servers accessible only to network administrators and assigning user levels to all users, loss of data integrity can be avoided.
Availability means that data is accessible when and where it is needed. It is the guarantee that the system is accessible by authorized users when needed, and that the systems responsible for distributing, storing and processing information are accessible when needed by those who need them. Attacks or accidents can bring down systems, so the puzzle is how to keep our data available. High-availability measures, including load balancing, failover, and quick backup and restoration, are all part of the solution.
There are two kinds of security threats: internal attacks and external attacks. Internal attacks are threats coming from the internal staff of the company; some examples are abuse of privilege, breach of system and negligence. External attacks are threats coming from the outside world; some examples are direct attacks, robot attacks and malware.
As an answer to all security threats we provide a security policy for the people who work with the system. It gives a primary picture of our strategy and sets out the security responsibilities of all users of the EasyShopping online system. In our security policy we describe solutions for many of the security threats, covering the following areas:
- Regulatory compliance
- Software Security
- Back Office Security
- Customer Security
Although there is a security policy, breaches may still happen beyond this policy. The following are the most powerful and widely used security mechanisms:
- Access control
- Dial up protection
- Intrusion detection systems
- Scanning and analysing tools
Among these mechanisms we recommend that EasyShopping use Access Control and Firewalls as the security mechanisms for their information system. We will consider the other methods in future as a long-term plan.
- Access Control - Access control encompasses two processes: confirming the identity of the person accessing a logical or physical area (authentication), and determining which actions that person can carry out in that physical or logical area (authorization).
Authentication - there are four types of authentication methods:
Something you know (e.g. passwords and passphrases)
Something you have (e.g. smart cards and cryptographic tokens)
Something you are (e.g. fingerprints, palm prints, hand geometry and iris scans)
Something you produce (e.g. voice and signature pattern recognition)
A password is a private word or string of characters which only the user should know; he or she uses it to access their account. We provide user accounts with passwords to all users, with a set of privileges according to their role and responsibilities.
A smart card is a card with a magnetic strip which contains an ID that is compared with a PIN when the user enters it. In our company we offer a smart card to the company staff so that they can log in to the system easily.
Authorization - this is the process of controlling access and rights to resources, such as services or files. As we use user accounts and smart cards to authenticate users, we give each user authorized access to read, edit, add or delete the appropriate information on the system according to that user's role and responsibilities.
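The two access-control processes described above, authentication followed by authorization, can be shown in code. The following is an added example and is not part of the essay or of any EasyShopping system: it verifies a password against a salted PBKDF2 hash, then checks the requested action against a deny-by-default role-to-permission table. The user names, passwords and roles are constructed sample data.

```python
"""Added example (not from the essay): password authentication followed by
role-based authorization with a deny-by-default permission table.
All users, passwords and roles below are constructed sample data."""
import hashlib
import hmac
import os

# Role -> set of actions allowed on the system's records (constructed to
# mirror the essay's "read, edit, add or delete according to role").
ROLE_PERMISSIONS = {
    "customer": {"read"},
    "clerk": {"read", "add", "edit"},
    "admin": {"read", "add", "edit", "delete"},
}


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; the plain password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class UserStore:
    """In-memory account store: username -> (salt, password hash, role)."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt, digest = hash_password(password)
        self._users[username] = (salt, digest, role)

    def authenticate(self, username, password):
        """Return the user's role on success, None on failure."""
        record = self._users.get(username)
        if record is None:
            # Still pay the hashing cost so an unknown user is not faster to probe.
            hash_password(password, b"\x00" * 16)
            return None
        salt, stored, role = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return role if hmac.compare_digest(stored, candidate) else None


def is_authorized(role, action):
    """Deny by default: only actions listed for the role are permitted."""
    return action in ROLE_PERMISSIONS.get(role, set())


def access(store, username, password, action):
    """Authenticate, then authorize; returns a short decision string."""
    role = store.authenticate(username, password)
    if role is None:
        return "denied: authentication failed"
    if not is_authorized(role, action):
        return f"denied: role {role!r} may not {action!r}"
    return f"ok: {username} ({role}) may {action}"


def demo_store():
    """Build a store with three constructed accounts, one per role."""
    store = UserStore()
    store.add_user("alice", "correct horse battery", "admin")
    store.add_user("bob", "clerk-pass-2024", "clerk")
    store.add_user("carol", "shopper-pass", "customer")
    return store


if __name__ == "__main__":
    s = demo_store()
    for who, pw, act in [("alice", "correct horse battery", "delete"),
                         ("bob", "clerk-pass-2024", "delete"),
                         ("carol", "wrong", "read")]:
        print(access(s, who, pw, act))
```

The authorization step never consults the password again: once authentication has produced a role, every later decision is a lookup in the permission table, and a role or action that is missing from the table is refused rather than allowed.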
- Firewall - As described above, passwords and smart cards will protect the EasyShopping Information System from internal attacks. Besides internal attacks there may be external attacks from the outside world, so we propose to have an updated firewall which prevents specific types of information from moving between the outside world, known as the untrusted network, and the inside world, known as the trusted network. We expect this will stop most hackers from gaining access to the system.
- Virus Guard - Even with a firewall in place, it is advisable to have an updated virus guard to monitor the system throughout the day.
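To make the firewall item concrete, here is an added example (not from the essay, and not any real firewall product) of how a packet filter decides what may pass between the untrusted and trusted networks: rules are evaluated top to bottom, the first match wins, and anything that matches no rule is dropped. The address range used for the trusted network, the rule set and the sample flows are all constructed assumptions.

```python
"""Added example (not from the essay): a minimal stateless packet-filter
evaluator separating the untrusted (outside) network from the trusted
(inside) network. Network ranges, rules and flows are constructed."""
import ipaddress

# Assumed internal address space; anything outside it is "untrusted".
TRUSTED = ipaddress.ip_network("10.0.0.0/8")


def zone(ip):
    """Map an address to the zone the firewall sees it in."""
    return "trusted" if ipaddress.ip_address(ip) in TRUSTED else "untrusted"


# Rules are evaluated top to bottom; the first match wins.
# Each rule: (src_zone, dst_zone, protocol, dst_port or None for any, action).
RULES = [
    ("untrusted", "trusted", "tcp", 443, "accept"),   # public web shop (HTTPS)
    ("untrusted", "trusted", "tcp", 80, "accept"),    # public web shop (HTTP)
    ("trusted", "untrusted", "tcp", None, "accept"),  # staff browsing outwards
    ("trusted", "untrusted", "udp", 53, "accept"),    # DNS lookups
    ("untrusted", "trusted", "tcp", 3306, "drop"),    # explicit: database never exposed
]
DEFAULT_ACTION = "drop"  # no matching rule -> the packet does not pass


def evaluate(flow):
    """flow: dict with src, dst, proto, dport. Returns (action, matched rule index or None)."""
    src_zone, dst_zone = zone(flow["src"]), zone(flow["dst"])
    for idx, (s, d, proto, port, action) in enumerate(RULES):
        if (s == src_zone and d == dst_zone and proto == flow["proto"]
                and (port is None or port == flow["dport"])):
            return action, idx
    return DEFAULT_ACTION, None


def filter_flows(flows):
    """Return the action taken for each flow, in order."""
    return [evaluate(f)[0] for f in flows]


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_FLOWS = [
    {"src": "203.0.113.5", "dst": "10.1.0.10", "proto": "tcp", "dport": 443},   # customer -> shop
    {"src": "203.0.113.5", "dst": "10.1.0.20", "proto": "tcp", "dport": 3306},  # outside -> database
    {"src": "203.0.113.5", "dst": "10.1.0.20", "proto": "tcp", "dport": 22},    # outside -> SSH
    {"src": "10.2.0.7", "dst": "198.51.100.9", "proto": "tcp", "dport": 443},   # staff -> web
    {"src": "10.2.0.7", "dst": "198.51.100.9", "proto": "udp", "dport": 123},   # staff -> NTP
]

if __name__ == "__main__":
    for flow, (action, idx) in zip(SAMPLE_FLOWS, map(evaluate, SAMPLE_FLOWS)):
        rule = f"rule {idx}" if idx is not None else "default"
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']}: {action} ({rule})")
```

The third and fifth sample flows show why the default action matters: nothing in the rule set mentions SSH into the trusted network or NTP out of it, and both are dropped without any rule having to name them. The explicit drop for the database port is redundant under that default but documents the intent and gives a place to attach logging.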
By using the above mechanisms we can protect the sensitive data of the EasyShopping information system. While protecting it, we also have to make the data and information available whenever a user needs them. So we must have data backup plans, disaster recovery plans and business recovery plans in case of data loss. Employees should be trained in their responsibilities for data backups, disaster recovery and business continuity.
Data backup plans
An organization must be able to restore data after any data corruption or hardware failure; data backups are therefore a vital part of information security. Backups should be made on a regular basis, stored in a secure place, and tested at regular intervals to ensure that the process is functioning properly.
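The sentence above about testing backups is the part most often skipped, so here is an added example (not from the essay) of what a backup test can look like: the backup step archives a directory and records a SHA-256 hash of every file in a manifest; the test step restores the archive into a scratch location and compares each restored file against the manifest, so a damaged or truncated archive is reported instead of being trusted. The directory contents, file names and archive layout are constructed for the example and created in a temporary directory so it runs anywhere.

```python
"""Added example (not from the essay): back up a directory to a tar.gz with a
SHA-256 manifest, then verify a test restore against the manifest. All paths
and file contents are constructed inside a temporary directory."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_dir):
    """Archive source_dir into backup_dir/backup.tar.gz and write manifest.json beside it."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(path)  # hash taken from the live file at backup time
            tar.add(path, arcname=rel)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def verify_restore(backup_dir, restore_dir):
    """Restore into restore_dir and compare every file with the manifest.
    Returns a list of problems; an empty list means the backup restored correctly."""
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    # Use the 'data' extraction filter where available (Python 3.12+ and
    # security backports) so a crafted archive cannot write outside restore_dir.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(backup_dir / "backup.tar.gz", "r:gz") as tar:
            tar.extractall(restore_dir, **extract_opts)
    except Exception as exc:  # tar, gzip/zlib and I/O errors all mean "not restorable"
        return [f"archive unreadable: {exc}"]
    problems = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.exists():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"hash mismatch after restore: {rel}")
    return problems


def run_demo(corrupt=False):
    """Back up two constructed files and test the restore; optionally truncate
    the archive first to simulate damaged backup media."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        src.mkdir()
        (src / "orders.csv").write_text("id,total\n1,19.99\n2,5.00\n")       # constructed
        (src / "customers.csv").write_text("id,name\n1,A. Customer\n")        # constructed
        archive = make_backup(src, Path(tmp, "backup"))
        if corrupt:
            size = archive.stat().st_size
            with open(archive, "r+b") as f:
                f.truncate(size // 2)  # half the archive is gone
        return verify_restore(Path(tmp, "backup"), Path(tmp, "restore"))


if __name__ == "__main__":
    print("healthy backup:", run_demo() or "restore verified")
    print("damaged backup:", run_demo(corrupt=True))
```

Run on a schedule, this is the "tested at regular intervals" check in practice: the manifest is written from the live data, so a restore that silently produced stale or partial files would show up as a hash mismatch, and an archive the restore cannot even open is reported as a single unreadable-archive problem.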
Disaster recovery plans
This is used to recover quickly after a disaster happens to the organization. It allows the company to decide which technologies must be implemented to achieve the recovery. The main point is that an organization's disaster recovery plan cannot be tested until a disaster happens.
Business recovery plans
This is part of the disaster recovery plan; it sets out, in a logical step-by-step way, how to recover and how to resume normal business after a disaster happens. It also covers employees' responsibilities and how to implement the plan when the disaster happens. The plan must be modified regularly to ensure that any changes to business processes are reflected in it.
In conclusion, we would suggest that EasyShopping Ltd set up these information security systems with all the mechanisms mentioned above, so that they will help to protect the sensitive data stored by EasyShopping's information systems.
Group Assignment No. 1 - Question 5 - Group L - 0901077 / 0912319 / 0912326