Information Security Technology Effectiveness in Current Organization
Essay Preview: Information Security Technology Effectiveness in Current Organization
Report this essay
Information security Technology Effectiveness in Current Organization
Information security effectiveness and efficiency depends on how the organization design security policy, security plan, and how well it implements. In this paper, I will evaluate the effectiveness of security technologies and methodologies in my current organization and also will determine uncertainty, risk of each type of threat and possible additional control needed to make the security more robust and effective.
Effectiveness of the security technologies and methodology
My current company is very mature in terms of security control, technology and methodology. It understands that security is an ongoing process and to make sure security is effective and get the full benefit, it always needs monitoring, review and verification. Company arrange internal security audit every six months and external audit once in a year and based on that outcome, company upgrades technology, methodology or modify policy as and when required. “The final key element of an information security program is ongoing testing and evaluation to ensure that systems are in compliance with policies, and that policies and controls are both appropriate and effective” (GAO Report, 2004). Senior executives of the company take full initiative at personal level to make sure security technology and methodology are up to the standard and can help the organization to comply with all the required government and industry specific regulatory reporting.
Uncertainty
There is nothing 100% secure, so uncertainty is always there. The Monte-Carlo model is a good tool to capture uncertainty in information security modeling parameters like frequency of intrusion, damage, vulnerabilities, etc., and it can predict the impact of the uncertainty on the projected result. In my current company following are the list of uncertainties.
People – Internal threat – intentional or unintentional mostly because of employee negligence – 10 % uncertain.
Process – Wrong information upload and delete or manipulation some critical process document – 50 % uncertain.
Software – Virus or malware attack, unauthorized access and hacking – 20 % uncertain
Hardware – Natural disaster, terrorist attack, electrical spark, sabotage – 10 % uncertain.
Database – Unauthorized access, sabotage – 10 % uncertain.
These all uncertainty numbers can vary from year to year and with more historical data these numbers will be more accurate.
Risk for each threat
Each threat has it own risk value based on the asset it impacts. The valuation process is based on the value company will lose in case the information asset is damaged or modified (asset value) multiplied by annual rate of occurrences (ARO) multiplied by (1- control effectiveness) multiplied by (1+ uncertainty).
In my current company following are the risk values for different assets.
Asset Name
Asset Value ($)
Threat Description
Controls in Place
Uncertainty
Risk Value ($)
People – Unix System Administrator
80,000
Internal threat – intentional or unintentional mostly because of negligence.
Very High (.9)
Low (.05)
( 90 % certain)
80,000 X .05 X (1-.9) X (1+.1) = 440
Process – Application support run book
50,000
Wrong information upload and delete or manipulation some critical information
Low (.5)
Very Low (.001)
( 50 % certain)
50,000 X .001 X (1-.5)X(1+.5) = 37.5
Software – In-house developed – Loan Approval recording and controlling system
200,000
Software threats related to in-house are primarily security and virus issues. Like spyware, viruses, or other malicious software. And data delete or leakage during transmissions because of application hacking.
High(.8)
Medium
( 80 % certain)
200,000X.1X (1-.8) X (1+.2) = 4800
Hardware –
49,000
Threat to hardware relates to accidental/natural disaster or deliberate damage, war outbreak, earthquake, fire outbreak, flooding, windstorm, electrical spark, internal/external sabotage, theft, equipment break down
Very High(.9)
Medium
( 90 % certain)
49,000 X.1 X (1-.9) X (1+.1) = 539
Database – Oracle 11g database
150,000
Database Communication Protocol and Platform Vulnerabilities.
Denial of Service, un authorized access to data from both internal and external front.
Very High(.9)
Medium
( 90 % certain)
150,000 X .1 X (1-.9) X (1+.1) =
Additional controls
To prevent security threats technological controls may