Similar Literature
20 similar documents found (search time 312 ms)
1.
ABSTRACT

Information technology organizations within most corporations are spending significant time and resources securing IT infrastructure. This increased need for security is driven by a number of factors. These factors include increased dependency on the Internet, financial and legal liability, protection of personal identity information and sensitive corporate data, increased numbers and age of legacy systems with limited vendor support, deploying complex systems, and new regulations governing corporate transactions. There are a number of technologies on the market today that can mitigate most of these security factors. However, managers in IT organizations need to identify potential future threats and security technologies to assess and potentially mitigate risk through the deployment of those technologies. This article investigates three areas critical to the successful deployment and securing of information technology.

2.
Abstract

Web technology has enabled many organizations to form an E-enterprise for effective communicating, collaborating, and information sharing. To gain competitive advantages, E-enterprises must integrate entire lines of business operations and critical business data with external organizations or individuals over the Web, which may introduce significant security risks to the organizations' critical assets and infrastructures. This article provides systems professionals with a multidimensional E-enterprise security view. The view puts forward practical steps and sustainable solutions for tackling the unique security challenges arising in an E-enterprise environment.

3.
Abstract

Information Technology has revolutionised Information Management and tremendously increased the value of even the smallest piece of data. All over the world, effects of IT are noticeable in almost all aspects of life. In developing countries, the impact of IT is yet to be felt to any appreciable extent, yet the need is strong and the awareness, in certain sectors, high. The Nigerian situation is critically examined and a possible re-orientation strategy suggested.

4.
Gary Hinson 《EDPACS》2013,47(3):14-25
Abstract

This article discusses business continuity management as a risk management activity that extends well beyond the realm of IT Disaster Recovery Planning. It describes a rational, iterative process for assessing the risks, selecting appropriate risk treatments, and implementing various mitigating controls including resilience, recovery and contingency measures. While the IT Department undoubtedly has an important part to play in business continuity management, the article emphasizes that the process should be driven by senior managers since they are ultimately accountable for the organization's health and survival. As such, they have an obvious interest in balancing business risks against business opportunities.

5.
Abstract

In the current atmosphere of large-scale corporate mergers and acquisitions, downsizing and eliminating redundant operations has become the norm. Coupled with massive one-time expenditures on EMU and the year 2000, the amount spent on mitigating information risk has grown in overall size but has shrunk in the area of data security. Information risk management, a term coined in the early '90s, has had to become leaner and more client-focused, implementing only what is absolutely necessary. This has left IT managers hard-pressed to cost-justify every dollar spent. With IT budgets in the millions and even billions for larger financial services companies, decisions regarding specific technology expenses can have far-reaching implications. Deploying a tool or technology across the enterprise must be thought through carefully in terms of its hard and soft costs and benefits. Thorough analysis up front can mean a faster approval cycle for the product and a more transparent implementation. The key is to present all the analysis in business terms.

6.
Abstract

The securing of data and networks is vital for any organization, yet not all organizations have the resources to keep up with the latest security issues and threats. One option is to outsource the professionals needed to get the work done. Outsourcing is defined as contracting professionals from the outside to do services that are core or non-core to the business. Yet, outsourcing does have its risks. Allowing non-employees to manage key security operations can be scary. The decision is not an easy one, and it is discussed here to allow security managers to make a more informed decision. This article discusses the need for outsourcing security, determining the risks, choosing a provider, and managing the process. The premise is that outsourcing can be used as a successful tool for saving an organization money by allowing outside providers to perform non-core competencies.

7.
ABSTRACT

To protect the information assets of any organization, management must rely on accurate information security risk management. Management must assess the risk to the organization's assets, then develop information security strategies to reduce the risks. This assessment is difficult because of rapidly changing technology and new threats that are frequently being discovered. Research to address methods associated with information security risk management includes quantitative and qualitative methods. More comprehensive approaches combine both the quantitative and qualitative methods. This paper argues that current methods of information security assessment are flawed because management decisions regarding information security are often based on heuristics and optimistic perceptions.

8.
The debacle of the telecommunications industry at the turn of the millennium resulted in significant consequences for investors, workers, financial institutions, telecom companies, and the economy in general worldwide. In the midst of the telecom bubble, the CLECs (competitive local exchange carriers) adopted similar or identical business plans and saturated the market, which resulted in destructive competition. In this study, we investigate the isomorphic business models of the CLECs from the perspectives of the new institutional theory. We argue that the combined coercive, mimetic, and normative institutional forces exerted on the companies by the actors who controlled the funding, managed the business, and provided the information fashioned the isomorphic CLEC business models, which in turn contributed to the demise of these companies and thus the burst of the telecom bubble. Evidence of the institutional influences on CLECs and the actors who exerted those influences is presented, and their consequences are discussed.

Qing Hu is Professor of Information Systems in the Department of Information Technology & Operations Management at Florida Atlantic University. He earned his Ph.D. in Computer Information Systems from the University of Miami. His research interests include economics of information technology (IT), IT strategy and management, and information security. His work has been published in leading academic journals including Information Systems Research, Journal of Management Information Systems, Communications of the ACM, Communications of the AIS, California Management Review, and IEEE Transactions on Software Engineering. He also serves as associate and guest editor for a number of IS journals and major conferences.

C. Derrick Huang is Assistant Professor in the Department of Information Technology & Operations Management in the College of Business at Florida Atlantic University. Previously, as a practitioner, he held executive-level positions in the area of marketing and strategic planning in a number of high-tech companies. Dr. Huang's research interest lies in the business value and strategic impact of information technology in organizations, and his current focus is on the economics and management of information security investments. He holds a Ph.D. from Harvard University.

9.
Abstract

Recent data breaches at major retailers have created extra awareness of information security risks among IT internal auditors. This article focuses on the top security topics which every internal auditor must consider before finalizing their audit plans.

10.
Outsourcing of Information Technology (IT) is a common practice in global business today. IT Outsourcing (ITO) refers to the contracting out of IT services (or functions) with the objective of achieving strategic advantages as well as cost benefits. Recently, many IT industries have been facing daunting challenges in forming healthy alliances around their ITO strategy due to the existence of inherent risks. These risks must be recognized and properly managed towards the successful establishment of an effective ITO strategy. Therefore, risk assessment appears to be an important contributor to the success of an ITO venture. In this paper, a hierarchical ITO risk structure representation has been explored to develop a formal model for qualitative risk assessment. The basic parameters for defining risks have been presented, including the metrics for measuring likelihood and impact that help to achieve consistent assessment. An improved decision-making method using fuzzy set theory has been attempted for converting linguistic data into numeric risk ratings. In this study, the concept of the 'Incentre of centroids method' for generalized trapezoidal fuzzy numbers has been used to quantify the 'degree of risk' in terms of crisp ratings. Finally, a framework for categorizing different risk factors has been proposed on the basis of distinct ranges of (crisp) risk ratings. Consequently, an action requirement plan has been suggested to provide guidelines for managers to successfully manage risk in the context of an ITO exercise.

11.
Abu Sayed Mahfuz 《EDPACS》2013,47(6):14-28
Abstract

Software quality has multidimensional perspectives; information security and reliability are integral characteristics of it. Audit, inspection and testing are the methodological processes for reaching this goal. The meaning of software quality cannot be complete without including security, reliability, inspection and audit. That is the ultimate perspective of this article. This article defines the meaning and characteristics of software quality, its scope, and its integral relationship with other entities, as it is a prerequisite for quality assurance. This article also identifies the methodological and procedural perspectives of Software Quality Assurance, and presents a parallel evaluation of Control Objectives for Information and related Technology (COBIT) and Capability Maturity Model Integration (CMMI).

COBIT is designed to meet multiple requirements; it allows an organization to assess the business risks and assign control objectives to a common set of IT functions. CMMI defines the quality and the process.

As an integral part of Software Quality Assurance, this article also briefly discusses important parts of testing: the different types and levels of testing, what is to be tested and what is not, and the different types of reviews, audit, incident management, defect management, risk, vulnerability and threat management, and information security issues.

12.
Context: Organizations combine the agile approach and Distributed Software Development (DSD) in order to develop better quality software solutions in less time and at lower cost. This helps to reap the benefits of both agile and distributed development but poses significant challenges and risks. Relatively scanty evidence of research on the risks prevailing in distributed agile development (DAD) has motivated this study.

Objective: This paper aims at creating a comprehensive set of risk factors that affect the performance of distributed agile development projects and identifies the risk management methods which are frequently used in practice for controlling those risks.

Method: The study is an exploration of practitioners' experience using the constant comparison method for analyzing in-depth interviews of thirteen practitioners and work documents of twenty-eight projects from thirteen different information technology (IT) organizations. The field experience was supported by extensive research literature on risk management in traditional, agile and distributed development.

Results: Analysis of qualitative data from interviews and project work documents resulted in the categorization of forty-five DAD risk factors grouped under five core risk categories. The risk categories were mapped to Leavitt's model of organizational change to facilitate the implementation of the results in the real world. The risk factors could be attributed to the conflicting properties of DSD and agile development. Besides that, some new risk factors have been experienced by practitioners and need further exploration, as understanding them will help practitioners to act on time.

Conclusion: Organizations are adopting DAD for developing solutions that cater to changing business needs while utilizing global talent. Conflicting properties of DSD and the agile approach pose several risks for DAD. This study gives a comprehensive categorization of the risks faced by practitioners in managing DAD projects and presents frequently used methods to reduce their impact. The work fills the yawning research void in this field.

13.
ABSTRACT

Business impact analysis (BIA) is an important process that probes into business processes to determine and list the critical processes that are vital to keep the business going. It is necessary to understand business environments, gather data and information, identify the critical processes needed to carry out vital business operations, and finally prepare a BIA report listing your findings to be submitted to top management. Internal and external environments, and the risks that affect the financial position as well as the goodwill of the organization, must be considered. The effectiveness of the business impact analysis is reflected by management's commitment of people and technological resources to mitigate the risks to business continuity projected by your findings. Buy-in is important to make the Business Continuity Management System efficient and sustainable by providing funding and setting up a system for management oversight on a continuous basis.

14.
ABSTRACT

As business systems are getting interconnected, the importance of security is growing at an unprecedented pace. To protect information, strong security measures need to be implemented and continuously updated and monitored to ensure their promise against present and future security breaches. However, the growth of networked systems and the increasing availability of sophisticated hacking tools make the task of securing business systems challenging. To enhance the security strength and to justify any investment in security-related products, it becomes mandatory to assess the security measures in place and estimate the level of security provided by them. The existing standards to certify the strength of a security system are qualitative, lack consideration of the countermeasures and do not consider the impact of security breaches. Consequently, there is a need for an alternative approach to estimate the security strength of a system in a quantitative manner. This paper aims to provide an extensible framework called iMeasure Security (iMS) that quantifies the security strength of an enterprise system by considering the countermeasures deployed in its network, analyzes the business impact of the security breaches, and provides insights as to how the level of security can be improved from current levels.

15.
Abstract

Because end users are often the weakest link in a security chain, students need to practice security controls properly to improve information security on campus. This study surveyed undergraduate students in a business college to investigate their understanding and attitudes toward information security. Survey findings show that college students understand most information security topics suggested by National Institute of Standards and Technology (NIST) Special Report 800-50. Universities should provide easily accessible security training programs for students. Practical suggestions are provided to encourage students to participate in security training to enhance their security awareness level.

16.
Abstract

This paper reports the impact of virus attack announcements on the market value of affected companies over a period of 15 years.

Information Systems (IS) risk is a top concern for organizations [1]. These concerns are due to the fact that the consequence of a security breach can be detrimental to a company's financial performance [2]. Thus, security strategies revolve around the act of a security breach (or an attempt at one) and the need to minimize the financial loss resulting from such a breach. Gordon et al. [3] proposed a framework to manage cyber-risk. The antecedent activities include the assessment of the risk involved in a security breach. Subsequent steps involve the preventive measures necessary to avert such an attempt. These measures are divided into technical or procedural measures (i.e., access control, firewalls) and financial measures (such as buying cyber insurance). The final step entails the maintenance of an accepted level of risk.

17.
ABSTRACT

Business security and threat actors continue to play a dangerous cat-and-mouse game, with businesses' intellectual property, customer data, and business reputations at stake. Businesses need to delve into a new way of doing business security to break out of this game. Businesses are sitting on repositories full of security-relevant data that is not being capitalized upon by the current information security and physical security organizations within businesses. This article proposes the introduction of a data scientist role and a new supporting central data correlation technology platform, based on big data predictive analytics, into business security functions. The goal is to intelligently and autonomously identify, correlate and pinpoint normally innocuous or unnoticed security event attributes to allow security personnel to preemptively remediate physical and information risks before exploitation or loss of intellectual property occurs.

18.
Sarah Schiltz 《EDPACS》2013,47(5):16-23
Abstract

As companies begin to increase their electronic presence, digitizing increasingly more of their private and sensitive information, the need for information security becomes mandatory. While the relationship between technology and business functionality expands, information security has safeguarded the information the business needs to survive. Organizations are increasingly aware of information security issues and are constantly seeking control measures. Information security studies have predominantly focused on the presence of information security controls rather than the quality of those controls. Security, as an element of quality, must be addressed in the development, implementation, and monitoring of strategy and policy. In order to ensure that adequate controls are established for information systems, quality assurance and information systems auditors should maintain a close working relationship. Total Quality Management is mandatory in the successful application and proliferation of information security controls.

19.
Abstract

The challenge of aligning Information Technology (IT) to business has often been cited as a key issue by IT executives. This paper presents a simple, flexible, and easy-to-use instrument that measures the alignment maturity between business and IT and identifies major gaps. The proposed instrument is based on Luftman's "Strategy Alignment Maturity Model" (SAMM); it directly encodes all attributes of SAMM alignment areas using a unidimensional framework. The instrument supports multiple levels of analysis with minimum assumptions about data using non-parametric statistical tools. In addition, the instrument provides an aggregation procedure to summarize the alignment maturity level for high-level executives. The instrument can also be customized to incorporate the contextual parameters of a company. In addition to the development of the instrument, this paper also shows how this instrument was applied to assess the alignment maturity level between IT and business in a rapidly growing company that had recently been publicly listed. The instrument was successful in identifying six major gaps for the company across the various alignment areas. These gaps were benchmarking, business metrics, strategic business planning, inter-/intra-organizational learning, architectural integration, and the impact of IT on business processes.

20.
Abstract

A competitive business views information technology (IT) as an integral part of itself in achieving the business mission. On the other hand, IT cannot stand up to the service level agreement (SLA) with the business units if it views solutions in an ad hoc way [1]. In a time where the IT as a business enabler and enhancer is the target of unanticipated attacks from various agents, the entity at risk is the business itself and the trust the business has developed so far in the IT [2]. Government initiatives, such as the Critical Infrastructure Protection Act [3], include even the assets owned by private industry, such as those of major banking and energy sectors, as a part of the national asset. They mandate that companies take initiatives to protect and make information resources available, despite possibilities of threats [4].


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号