Information security is importance in any organizations such as business, records keeping, financial and so on. This information security will help the organizations to fulfill the needs of the customers in managing their personal information, data, and security information. There are a few challenges faced by the organizations in managing the information so that it would fall in hand of unauthorized person or hackers. Besides, an effective information security management system can reduces the risk of crisis in the organizations. In order to know more about the importance of information security, the organizations need to overcome the challenges first. Other than that, all organizations must have their policies in secure their information so that the information can be kept safely.
Keywords: Information security, organization, information.
In the development of high technology nowadays in the world, all the organizations are more depends on their information systems. The public become anxious of the use of the system in saving their information, data and especially their personal information. In addition, the threat from the system hackers and identity theft has added their concern on the use of information system because nowadays there are so many hackers from all around the world. Because of this, many organizations will identify their information as their important operation which they need to protect as their one of internal control. The scares issues about stolen or missing data are becoming a frequent in all headline news as organizations rely more and more heavily on computers to store sensitive corporate and customer information. It is necessary to be worried about information security because much of the value of a business is concentrate on the value of its information. According to Grant (2000), he stated that the information is the basis for the competitive advantage and not for profit sector which increased public awareness of identity theft and the power of information. While, according to Turnbull (2003), he claimed that it is also the area of an organization’s operations that which needs the most control. Without the information, either businesses or not for profit sector could function because the value and the protect of information are crucial tasks for the modern organization. To fully understand, the organization must know what is the meaning of information security in organization so that they will know better about this cases. Organizations of all sizes will collect and store a huge volumes of confidential information which may be about their employees, customers, research, products or financial operations. Most of the information is collected, processed and stored on computers and transmitted across networks from one computer to other computers. It could lead to lost business, law suits, identity theft or even bankruptcy of the business if this information fell into the wrong hands (About.com, 2014). Nowadays, information security also has evolved significantly and grown even more important in recent years. Based from career perspective, there are more and more areas where a professional can work in the field. According to About.com website (2014), they stated that, some of the specialty areas or fields within information security are including network security, security testing, information systems auditing, application and database security, business continuity planning and digital forensics science are also among others.
1.1 What is information security?
According to The Open University website (2014), stated that the meaning of information security is the collection of technologies, standards, policies and management practices that are applied to information to keep it secure. Other than that, information security is also means protect the information and information systems from unauthorized access and use, disclosure of information, disruption information, modification or destruction of information in order to provide the integrity, confidentiality and also the availability if information. An integrity means protect against improper information modification or destruction which includes ensuring the information non-dissent and authenticity. While for confidentiality which means authorized restrictions which preserve on access and disclosure which includes protecting personal privacy and proprietary information and lastly, availability is to ensure the timely and reliable access to and use of information (Information Security Handbook, 2014). This definition is based on the concept which a person, business or government will suffer from harm if there is a loss of integrity, confidentiality or availability of information because that is the role of information security to minimize the possibility that such harm will occur. The terms also can change either information security, computer security or information assurance are frequently used.
1.2 Characteristics of information security
The value of information and protecting information are crucial tasks for all the modern organizations. The information were easy to value and protect but however, the organizations would be able to buy or get off-the-shelf information security management solutions from other organizations or countries. There are three characteristics of information security that make this impossible. First of all, the characteristic of information security is the collection of influences to which each organization is exposed varies with the other organization. The information security in which the information technology that the organization uses, its personnel or employees, the area or field in which it does businesses and the physical location. All of these have an effect on information security (OpenLearn, 2014). Secondly, the characteristic of information security is that effects every structural and behavioral aspect of an organization. This means that the gap or lack in a security fence can permit information to be stolen. As for example, an infected computer such as expose to viruses, malware, Trojan and so on, that is connected to an organization’s network can destroy the information. Other than that, a cup of drink spilt on a computer keyboard can prevent access to information because the computer keyboard is damaged. Lastly, each individual that consist of employees, employers and also the top management that interacts with an organization in any way is also the characteristic of information security. It will make his or her own positive or negative contribution to the information security of the organization either from the potential customer browsing the website, to the managing director, from the malicious hacker, to the information security manager and so on (OpenLearn, 2014).
In completing this term paper, a few methods has been used to enable in depth understanding about the importance of information security in an organization. The first method that had been used in by searching on the internet which are from online databases from University Technology of Mara and also the open sources such as Google. The information gather from the internet is about the definition of the information security which are from various sources. Besides, the importance of information security is also had been gathered so that the information can be used in this term paper. Other than that, the challenges of information security in organization also been collected. The second method that has been used to know more about importance of information security is based on observation. This method is used by observing Jabatan Hal Ehwal Agama Terengganu (JHEAT) about the way their handling the information in organization. This observation help the student’s term paper in fulfill their needs in collecting and gaining the information about the importance of information security in an organization.
3.0 IMPORTANCE OF INFORMATION SECURITY
Information Technology or as known as IT has become an integral part of and parcel of the organization world today. In fact, it will continue becoming an ever larger factor in the future. Organizations will connect their IT systems as a result of linking to the Internet and other networking systems. All of the factors might hold an information security risk for an organization because an organization are attempt to secure their own IT environment although they have little control over the IT systems that they connect with. If the network that the organization connect with IT environments are insecure, the information security might pose a threat to the IT systems in the host environment. This term paper talk about the importance of information security in an organization. As people know, information security has become very important in almost organizations. This is because, the information access and use and also the resources has become easier with the emergence of information technology such as the internet and electronic commerce that is use by certain organization. So, in order to make sure that the information security is well organized, the organization need to ensure that their information is properly protected and that they maintain a high level of information security. The information in an organization need to be protected because it has a value to the organization. The organization usually hold organization and individual records. As for example, the organization may hold sensitive information of their employees, salary information, financial statements and also the business plans for a whole year. Besides, the organization also hold trade secrets, research and other information that gives a competitive edge for their company. Other than that, for individual, the organization hold the information about their personal information that is sensitive on their home computers which typically perform online functions such as banking, shopping and social networking, sharing their sensitive information with others over the internet (MindfulSecurity.com, 2014). As more and more of this information is stored and processed electronically and transmitted across company networks or the internet, the unauthorized access risk will increases and the organization are presented with growing challenges of how best to protect it. According to MindfulSecurity.com website (2014), they told that there is a steps that must be put in order to protect the information. The same principle can be applied by the organization as the same when people were doing when came out from the house, as for example, people will close the door, close the gate, lock the key and so on when they came out from the house. If the information is not protected, then the information can be accessed by anyone. Besides, if the information is fall on the wrong hand such as theft, hackers and identity theft, it can bring down the business and can commit harm to the whole organization.
3.1 Top three (3) reasons why information security is importance
Based on the title, there are three top reasons why information security is importance to an organization. The reasons is as following:
3.1.1 Proving that the organization has a secure and stable network assures the customers that their information is safeguarded
It is important to think of a security breach in terms of money lost in operations. The sales, customer service, staff productivity and workflow could all be affected by the downtime that will occur. Even after systems are restored many times, an additional checks need to be done to ensure that all factors of the network are clean before business can return to a normal operational state. Nowadays, if there is information breach, the average cost of a data breach is on the rise. Costs went up by over 30% between 2006 and 2007 (Slade, 2009). According to Slade (2009), in addition to these costs, the organization may also lose customers from the negative publicity and may be subject and faced to on-going security audits to ensure the incident does not occur again.
3.1.2 The insurance company are increasingly interested in how companies secure their information assets
Nowadays, there are so many online businesses that usually in social media such as Facebook and Instagram and blogs. Since customers are beginning to do more of their business online, this is one factor that will begin to influence with all companies either small or large company and the trend will only continue to grow with various kind of online business either in healthy products or cosmetics products. Because of this, the insurance company are beginning to believe that the businesses will protect the customers privacy. The insurance company will become more and more common for them to ask for proof that sensitive information is secure and network security software is up-to-date (Slade, 2009). If people maintain confidential client information on the network such as social security numbers, credit card numbers, and other financial data, they should has asked for help and talked to IT consultant about assessing the strength of the firewall in the computer to prevent from information breach. A firewall can be described as a gatekeeper to allow network actions from trusted parties and keep out unauthorized users and harmful viruses. There are also several ways a firewall can be configured and there are pluses and minuses to each (Slade, 2009). To avoid from unwanted issues, the computer must be best protected with integrated firewall to cover the software, hardware and intranet. Besides, it might be best to install a several independent mechanisms with custom levels of protection.
3.1.3 Having consistent security practices and IT maintenance procedures ensures a smooth road for business operations
The organization must make sure that the computer network in the organization is securely configured and actively prevent from unknown threats. A new methods to protects from unknown threats are emerging every day to protect from malware programs that can be unintentionally installed on customer’s or employee’s machine, which an attempt to phishing that deceive them into giving up confidential information, to viruses, worms, and strategic identity theft attempts. One of the benefits of having a consistent technology expert on the organization roster is that the expert can offer a fast reaction time and be proactive in safeguarding organization IT system when new warnings first emerge. The IT network professional can also help the organization to maintain a secure virtual environment by reviewing all computer assets and determining a plan for preventive maintenance. This also includes routinely cleaning up unnecessary or unsafe programs and software, applying security patches and performing routine scans to check for intrusions. Besides, it is also crucial for the IT professional in organization to change the password of their employee’s personal computer frequently, so that the information can be secure properly.
3.2 Information Security Policies
The written policies about information security essential to a secure organization. Everyone in a company needs to understand the importance of the role they play in maintaining security. The way to accomplish the importance of information security in an organization is by publishing a reasonable security policies. These policies are documents that everyone in the organization should read, sign and compulsory to be followed when they come on board. In the case of existing employees, the policies should be distributed, explained and after adequate time, need for questions and discussions. One key to create an effective policies is to make sure that they are clear, and as easy to comply with as possible. Policies that are overly complicated only encourage people to bypass the system. In order to implement this, there a few policies that need to be followed by the employees.
3.2.1 Internet usage
According to About.com website (2014), stated that the internet contain all information that employees need. It is very important to the organization to collect and gained the information from the internet. However, the internet can also bring dangers to them. As for example, the internet access which include the downloading of malicious software such as malwares, viruses and Trojans can affect the information security. An internet usage policy should be pressed whether or not the employees are allowed to use the computers at the company for personal uses. Other than that, the policy also must make sure that only the system administrator can downloaded the software in company’s computer. The internet usage policy also need to consider whether the employees can use media social using the company’s computers or during company time.
As people know, nowadays, there are so many social networking that can be found on the internet such as Facebook, Instagram, Twitter and Linked. These social networking is being used to connect the people either there are near or far away from each other. Other than that, the email also a way people use to send the data or information to other people. These technologies make it very simple to disseminate information. But, these types of information must be distinguish between the personal or organizations. Once the information is leaves from the building, it can rarely be recalled. So, the employees must and should address appropriate content for company emails and social media pages. Employees must always think that not all private information can stay be private on the internet. They must use a proper way by following the policy to make sure that the company’s image will stay clean and confidential information stay be kept.
3.2.3 Visitor Management
The visitor is mean that the people other than the employees of an organization. The visitor management must be manage properly so that An unauthorized or unescorted visitor do not intrude in the organization. This is because an unauthorized or unescorted visitor can be a physical threat and can also steal sensitive information. Before a visitor can enter into the organization, all the information about the visitor must be check. If there is problem, the security guard must take an action. Based on the policy, the visitor might be escorted at all times especially in confidential areas. The visitors are required to wear a badge and should sign in and sign out if necessary. If the policy is being used, the organization will feel more secured and protect the importance information.
3.2.4 Key Control
Unlike an electronic access device, mechanical keys can be duplicated and used without leaving a trail. The organization key control policy should include a means to track who is currently holding mechanical keys and who has permission to duplicate those keys. Besides, all the keys that has been duplicated must be placed on a secure place such as in security room. Employees must write their name on the book to make sure that when the key is lost, the last name of the employees that use the key can be track down. Other than that, the organization must make a policy to use the smart card reader other than using the mechanical keys. The authorized person such as the employees only should have the smart card to be used to scan when entering the places which contain importance information.
3.3 Information Security Management Committee
One of the most important thing in maintaining the information security in organization is by developing information security management committee. It is one of the responsibilities in ensuring the effective implementation of information security. An information security management committee usually consists of the unit of departments in an organization. The departments such as Human Resources, Legal, Financial, Information Systems and so on should provide representatives from each of the departments which usually the expert and professional, and has influential in the information security area and anybody who want to represents their departments. According to CyberSecurity (2014), they stated that, there are a few factors that has made the implementation of information security within an organization successful. The factors such as the information security policy, objectives, and activities that reflect business objectives, visible support and commitment from all levels of management and effective marketing of information security has made the information security successful to protect the valuable information. All of these factors has support in setting up the information security management committee. The data from each departments will help in achieving the goals of an organization such as to identify the changes in organizations accurately, to bridge the divide between management and technical and to segregate responsibilities in implementing information security (CyberSecurity, 2014).
4.0 INFORMATION SECURITY CONCEPTS
Diagram 1: The concepts of Information Security
(Sources: Charles, 2013)
The C.I.A concepts or also known as C.I.A triangle is the concepts used in information security. The C.I.A is stands for confidentiality, integrity and availability. According to Charles (2013), they informed that the confidentiality means the information which ensures that only those with sufficient privileges or authorized person only may access certain information. While for integrity is the quality or state of being whole, complete and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. And lastly, availability is a way in making information accessible to the user to access without interference or obstruction in the required format (Charles, 2013).
5.0 CHALLENGES OF INFORMATION SECURITY IN ORGANIZATION
In implementing the information security in organization several issues and challenges about this has been found. This issues and challenges have resulted the information security that will be implemented delayed. There are several issues or challenges that have been found in implementing the information security in the organization.
5.1 Failure to understand about Information Security
In order to handle the importance information in organization, the employees must have the understanding about the information security in their organization. As the employees need to the level of security education and knowledge within their organizations, the employees must know what is the policies that they need to follow, the types of informations they control, how to find the services the customers need and so on. The ultimate objective is to let the business units share in information security risk management. The information security intelligence is a function of visibility in the organization. But nowadays, not so many people concern about the information security. They deliberately posting about the fake information about the organization on their social media which can lead to the damages of the organization. They do not think about the effect of such posting on the internet. Part of raising awareness involves personalizing risks for managers, showing them how vulnerabilities could affect them as individuals and also organizations (Johnson & Goetz, 2007).
5.2 Mobile Workforce and Wireless Computing
One of the most frequently challenges was the mobile workforce and wireless computing. Nowadays, there are so many types of smart phones located in the market. These smart phones provide the wireless connection to the internet. The arrival of mobile computing devices had made a significant impact on people’s everyday life. Wireless communications release the employees and consumers from relying on phone lines to communicate. With the convergence of these devices, the information on them need to be protected because it may be contain the confidential information about the organizations as employees use it to perform the business activities on their mobile devices. A long time ago, all the organizations work was being done using the company’s computers and only can be used on the company. But nowadays, all the works can be done using the mobile device. The information such as name, address, phone numbers and all other personal data can be trace by other people easily just by using the mobile devices. The employees must know that the company’s computers has been provided with the anti-viruses that they cannot get it for their mobile devices. So, the organizations must take a serious way and careful considerations when handling with the wireless devices.
5.3 Shortage of Information Security Staff
Finding a qualified information security staff is a difficult task, which will likely continue to be the case in the near future. The organizations has not had the time to grow the staff necessary for these roles. In addition, the information security challenges keep growing at a rapid pace, constantly expanding the list of technology to be deployed, and the information security staff cannot keep up with the emergence of information technology. The organizations need more time and money to get the staff trained on commercially available products. Other than that, the most and greatest challenge in this area is finding a leader who has a
broad background in the field and who can pull together an effective information
security team in the organizations. The team cannot be operate properly if the leader is also does expert in managing the information security.
5.4 Information Security Attacks
Security incidents that are related to malicious code such as worms, viruses, and Trojans have grown from slightly to significantly damaging to business operations. A computer virus is a piece of malicious code that attaches to or infects executable programs such as software in the computers. Unlike worms, viruses rely on users to execute or launch an infected program to replicate or deliver their payloads. A virus can delete data or damage system files. This challenge is the commonly happen in any organizations.
6.0 RECOMMENDATIOS OF INFORMATION SECURITY IN ORGANIZATION
In order to establish information security in an organizations, a few recommended solutions has been highlighted. It is been recommended to overcome the current issues or challenges that had been occurs these days. Without the recommended solution, the organizations cannot establish the information security which is important to them. There are a few solutions that are related to the current issues or challenges have been recommended.
6.1 Find an expertise in information security
In order to implement the good information security, the organization must find an expertise in information security. If the organization has the right people to implement security, meaning individuals who take ownership of security and build good relationships with others in the organization and external partners, the information security can be implement successfully. Although it is hard to find the expertise, but the organization can find the people who really know and understand how to explain the risk-reward trade-off and can sell solutions within the organization.
6.2 The use of mobile security (ForeScout)
In order to prevent from the stolen of personal information and organization information, mobile devices must be protected by using the mobile security. The most famous mobile security is the ForeScout. ForeScout provides real-time visibility and control over smart phones, tablets and wireless devices on the network. With ForeScout, it can let users to enjoy the productivity benefits of mobile computing devices while keeping the network safe from data loss and malicious threats. Besides, it is an automated security control platform that gives IT security managers an easy way to reduce mobile security risks. ForeScout CounterACT provides real-time visibility of personal and mobile devices on the network, limits the network access of those devices, and prevents those devices from spreading malware on network (ForeScout, 2014). No matter where people are, the organization in which on the consumer IT adoption spectrum that involve blocking, tolerating, supporting or promoting the use of personal mobile devices for business use, they need a way to enforce security policy. So, the use of ForeScout is necessary to prevent this problem.
6.3 Training of information security to the employees
An organization’s success is depends on the skills and expertise of its individual employees which can attributed to them. To make sure that all the employees had the skills in information security, the training should be done. The organizations can make a seminar about the information security and let the employees know what is the information security. Besides, the organization also can invite the expertise from other organization to help the employees in managing and protecting the valuable information in their places. Although the training will cost more time and money, but it is worth because the information which had the value to the organization can be kept properly. Other than that, the customers also will gain the trust in keeping their personal detail with the organization.
6.4 Protect computers from anti-viruses
Protecting the computer from viruses and other threats is not difficult, but users have to be diligent. There are a few actions that can be taken by the users or employees in preventing the computer from viruses and threats. Firstly, by installing an antivirus program and keeping it up to date can help defend the computer against viruses. Anti-virus programs scan for viruses trying to get into the email, operating system, or files. The new viruses may appear daily, so users must set the anti-virus software to install updates automatically. Secondly is the use of firewall. Windows Firewall or any other firewall can help alert to suspicious activity if a virus or worm attempts to connect to the computer. It can also block viruses, worms, and hackers from attempting to download potentially harmful programs to the computer. Lastly, users must not open an email attachment unless know the content of the email. This is because, many viruses are attached to email messages and will spread as soon as open the email attachment. Users must avoid open an email that is suspicious.
As a conclusion, information security is importance to the development of an organization that keep the data or information about their customers or company. The development of modern organizations are depends on the availability, confidentiality and integrity to ensure information security. Other than that, the extensive use of information technology had improves the efficiency of the business, but exposes the organization to additional risks and challenges such as failure to understand about information security, mobile workforce and wireless computing, shortage of information security staff and information security attacks. The implementation of the information security is a process that is by far more complex than the implementation of the other management due to the large number of factors that may affect its effectiveness. To ensure information security, the organization should understand that information security is not solely a technological issue. The organization should also consider the non-technical aspect of information security while developing the information security. Besides, it should be noted that, well implemented information security in organization has the ability to reduce the risk of crisis in the organization.
Other than that, information security management committee play an integral part in the successful of information security implementation in organization. Organization should emphasize the formation of this committee to ensure that the implementation of
information security in the organization achieve the organization’s goals. Besides, the written policies about information security are also essential to a secure organization. Everyone in a company needs to understand the importance of the role they play in maintaining security. The way to accomplish the importance of information security in an organization is also has made a great effort in implementing the information security in an organization.