Introduction
Information security is essential in the preservation of integrity, confidentiality, and availability of information (Peltier, 2016). Any information security management standard must support these three fundamental goals. Confidentiality is intended to ensure that only authorized users can access specific information. Integrity refers to the protection of the completeness and accuracy of data, whether in transit or at rest on storage systems. Availability seeks to ensure that authorized persons can access their information and associated data whenever needed. According to Peltier (2016), standards must be reasonable, flexible and up to date. It is also paramount to ensure that the standards are practical, applicable to the organization and reviewed regularly.
According to Susanto et al. (2011), an organization is expected to adhere to the following control areas, which correspond to the domains of the ISO/IEC 27002 standard:
IS policy
An organization must express its intent to secure information and databases through the development of policies (Peltier, 2016). A policy helps an organization to declare its position and directs employees to achieve set goals in information security.
Communication and Operations Management
Operational procedures and responsibilities help to ensure the correct and secure operation of network resources. According to Peltier (2016), this is achieved through documented operating procedures, operational management, segregation of duties, and management of externally operated facilities. System planning and acceptance minimize the risk of failure through capacity planning, fallback planning, system acceptance testing and operational change control. Protection against malicious software, network management, and secure media handling are additional measures in this area.
Access Control
The objective of access control is to prevent unauthorized access to data and information systems (Peltier, 2016). This is achieved by restricting access, controlling how the system is used, restricting which programs a user may run, and isolating sensitive systems. Further controls apply at the application, computer and network levels, together with monitoring of access and use.
IS Acquisition, Development, and Maintenance
A firm should define security requirements for its systems so that security controls are built into an IT system from the start rather than added afterwards (Peltier, 2016). Security in application systems prevents the modification, loss or misuse of the information those systems process. Protecting system files secures the development of IT projects and their support systems. Security in the development and support environment maintains software and data by providing a change control process and restricting changes to authorized ones.
Organization of IS
The organization of security comprises the information security infrastructure that governs IS within a firm. It also covers the security of organizational facilities accessed by third parties and of client assets handled by the firm (Peltier, 2016).
Asset Management
It is recommended to enhance accountability for assets by maintaining an inventory of them (Peltier, 2016). Classification of information protects data according to defined standards and labeling.
IS Incident Management
Incident management is achieved through the reporting of security weaknesses, incidents and software malfunctions, and through defined processes for handling them (Peltier, 2016).
Business Continuity Management
The primary objective of business continuity planning is to prevent interruption of normal activities in case of a security issue (Peltier, 2016). This segment entails the business continuity planning process and framework. It is recommended to test the business continuity plans and update them whenever necessary.
Human Resource Security
Firms must put in place measures to reduce the risks of human error, fraud, theft, and misuse (Peltier, 2016). Recruitment screening, security responsibilities in job descriptions, user training, and a defined response to incidents strengthen a firm's approach to securing its information and systems.
Physical and Environment Security
Secure areas prevent unauthorized access to the physical space where systems are housed (Peltier, 2016). An inventory of all IT equipment helps to prevent damage, loss, and compromise.
Compliance
Information security standards must comply with legal requirements and thereby prevent a firm from breaching criminal, statutory, or civil obligations (Peltier, 2016). Compliance also entails security reviews of IT systems intended to align them with organizational policies and procedures. Finally, compliance is also intended to support system audits.
Cloud Computing and Information Security
Attacks on interfaces and APIs are among the commonest threats in cloud computing. Most cloud services are consumed through the APIs and interfaces that IT teams rely on to access them (Parekh & Sridaran, 2013). The API is therefore the backbone of the security and management of cloud computing services. Third parties tend to build on existing APIs and interfaces, and this layering may expose the credentials and services of organizations.
Exploitable bugs are a serious threat when multiple tenants use the same database, memory and cloud computing resources: resources that sit close together expose new attack surfaces (Parekh & Sridaran, 2013). A breach of one database can therefore reveal information concerning other databases. This proximity of resources is a consequence of resource pooling, which allows clients to use and share different resources within a cloud system. Because different customers share the same network, resource pooling can allow unauthorized access to information belonging to other users. Cloning, which duplicates a machine image together with its data, undermines the authenticity of a machine and is one of the processes that contribute to leakage of information.
Data encryption is another determinant of information security in cloud technology. Encryption is a technique often used to protect the information in a database from malicious or external attacks (Jathanna & Jagli, 2017). Unencrypted data is vulnerable to many forms of attack, including access by unauthorized users. Using a single or predictable encryption key for all information in a cloud database increases the system's vulnerability, because whoever obtains that one key can read every customer's data. An example of such a vulnerability was the case of Dropbox, which used one encryption key for its stored data.
VMs are another target that attackers can use to illegally access a database and affect the information of other clients in a cloud database. According to Parekh and Sridaran (2013), the resulting attack is known as VM hopping. However, the threat can only be realized when two VMs are operating on a single host and the attacker knows the IP address of the target VM.
Authentication and identity management are further concerns in cloud computing. According to Parekh and Sridaran (2013), identity management is an important consideration in a cloud database because it supports authentication using the credentials of specific users. However, risks of intrusion can arise from the architectural patterns, identity negotiation protocols, and identity tokens that are used.
Flooding attacks occur when an unauthorized user sends a very large number of requests to a cloud resource. The resource is flooded with requests, and the cloud system responds by expanding capacity to serve the new load. This expansion consumes resources and makes it difficult for other cloud users to access the affected service.
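One control against the flooding described above is to bound each client's request rate before the request reaches the autoscaled resource. The Go program below is an added example written for this page, not code from the page or from any of its cited sources. It implements a per-client token bucket; the client names and request counts are constructed traffic, and the clock is injectable so the behaviour can be checked without waiting.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// bucket is one client's remaining request allowance.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter is a per-client token bucket. Every client may burst up to Burst
// requests, after which it earns Rate new requests per second. A flooding
// client is rejected once its bucket is empty, so its traffic is bounded
// instead of driving the service to scale out at other tenants' expense.
type Limiter struct {
	Rate, Burst float64
	mu          sync.Mutex
	clients     map[string]*bucket
	now         func() time.Time // injectable clock, so the behaviour is testable
}

func NewLimiter(rate, burst float64) *Limiter {
	return NewLimiterWithClock(rate, burst, time.Now)
}

func NewLimiterWithClock(rate, burst float64, clock func() time.Time) *Limiter {
	return &Limiter{Rate: rate, Burst: burst, clients: map[string]*bucket{}, now: clock}
}

// Allow reports whether client may make one more request right now.
func (l *Limiter) Allow(client string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.clients[client]
	if !ok {
		b = &bucket{tokens: l.Burst, last: now}
		l.clients[client] = b
	}
	// Refill in proportion to elapsed time, never beyond the burst size:
	// a long idle period does not bank an unlimited number of requests.
	b.tokens += now.Sub(b.last).Seconds() * l.Rate
	if b.tokens > l.Burst {
		b.tokens = l.Burst
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Simulate fires n requests from each listed client at the current instant
// and returns how many were accepted per client.
func Simulate(l *Limiter, requests map[string]int) map[string]int {
	accepted := map[string]int{}
	for client, n := range requests {
		for i := 0; i < n; i++ {
			if l.Allow(client) {
				accepted[client]++
			}
		}
	}
	return accepted
}

func main() {
	l := NewLimiter(10, 20) // 10 requests/s sustained, bursts of 20
	// Constructed traffic: an attacker floods with 1000 requests while an
	// ordinary tenant sends 5. The tenant's requests are all accepted.
	fmt.Println(Simulate(l, map[string]int{"attacker": 1000, "tenant": 5}))
}
```

The key is the per-client bucket: the attacker exhausts only its own allowance, while the ordinary tenant's bucket is untouched. In a real deployment the client key would be the authenticated identity (an API key or token subject) rather than a name, because a limiter keyed on a spoofable source address is easily evaded.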
Backup and storage are an important priority for any cloud service vendor in case a user loses data. However, an important concern is the unencrypted format in which information is often stored in the backup system, which makes unauthorized access easy. Unencrypted backups are therefore a serious threat to the information security of users in a cloud system.
A malicious insider can take advantage of their position within a cloud service provider to compromise the integrity, confidentiality, and availability of information. According to Jathanna and Jagli (2017), this raises concerns of trust and loyalty among the employees tasked with managing a cloud database. There is always a risk that employees of a trusted service vendor engage in fraud that affects the information security of clients.
Incident and Crisis Management
Readiness
Incident and crisis management can be broken down into readiness, response, and recovery. The readiness of a firm to manage information security incidents refers to its ability to monitor for them and to allocate adequate mitigation resources (Deloitte, 2016). Readiness can be enhanced by establishing a well trained and experienced multifunctional team. According to Crump (2019), the selection of a response team and the assignment of roles and responsibilities improve the outcome. Simulations of possible crises help to improve awareness and incident management. A mock crisis also helps to establish a reaction protocol for an information security event. Preparing a firm for crisis management must also establish reliable communication and detection systems.
According to Deloitte (2016), governance provides the leadership required to organize and manage a crisis response team. Governance equally helps in the coordination of all associated functional areas and in the documentation of procedures, policies, and incidents. The process ensures that all protocols, roles, and responsibilities are communicated. Therefore, the main goal of governance is to ensure that the response is aligned with the organization's goals.
Response
The main role of response is to contain the problem and prevent escalation. A firm that fails to put in place an effective response allows an incident to grow in severity and become a crisis (Tyagi, 2017). A good response is the product of capable, well-coordinated players who understand the security issue at hand. A quick response increases a firm's ability to secure its unaffected data, provides an opportunity to strengthen security, and allows an attempt to recover any lost files.
The governance of incident response can be divided into four categories: strategy, technology, business operations, and risk and compliance. The response must be in line with the established organizational strategies for handling cyber incidents (Deloitte, 2016). The technology category of incident response must include technical approaches, forensics, log and malware analysis, and IT support services. The team tasked with business operations must ensure operational resilience and business continuity during the crisis. The risk and compliance team has a mandate to manage risk and compliance and to align institutional strategies with existing laws and regulations.
Recovery
Once the response strategies have prevented an escalation of a threat, it is paramount to implement the recovery phase. The recovery stage aims to restore normal operations. The data that had been backed up can be restored and secured to prevent further similar threats in the future.
After responding to an incident, the IT team in charge must document the crisis, the actions taken, and the results. According to Deloitte (2016), collection and analysis of crisis details help the firm to determine the risk factors, impact, damage, and cost. The response team can use this data to protect the firm from related threats in the future. Monitoring and evaluation also help to ascertain the effectiveness of the existing remedies.
References
Crump, J. (2019). Cyber crisis management planning: How to reduce cyber risk and increase organizational resilience. Jeffrey Don Crump.
Deloitte. (2016). Cyber crisis management: Readiness, response, and recovery. Retri...
Cite this page
Securing Information: Integrity, Confidentiality and Availability - Research Paper. (2023, Apr 09). Retrieved from https://proessays.net/essays/securing-information-integrity-confidentiality-and-availability-research-paper