Software Acquisition Model: Rent, Outsource or Develop In-House? - Essay Sample

Introduction

Depending on an organization's business needs, the software can be acquired from a third-party vendor or developed internally. Under the outsourcing or renting model, the acquiring organization will pay for the software usage to a third party as a service and does not physically own the piece of software. In-house, the software is developed by an internal team within the company. Therefore, the organization has a wide variety of choices when it comes to selecting a software acquisition model.

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Save 25%

Besides, we have other models like custom software and packaged software acquisition models. The package model involves an organization buying a software from a third party and freely decides how to utilize it. Packaged software have been prebuilt with all the features working. Therefore, particular business needs are generally addressed in advance by the vendor. The custom software acquisition model involves an arrangement where an organization request for customized software that suits its business needs. However, the custom made software is developed by an external party, unlike in-house, where an internal team is involved. Every acquisition model comes with different unique licensing requirements. For instance, the package software acquisition model requires a single User License where the usage if for only one user who paid for the license.

Security Strategy and Network Activity Monitoring

In every organization, there exists a lot of resources and assets that need protection against data or information breach. Therefore, a security policy is very crucial and involves defining clear company objectives, setting rules of behavior for the administrators and users, and defining system and management requirements. Besides, an information security policy requires continuous updates in line with the technological as well as employee growing needs. A network security policy should translate, clarify, and communicate the managerial position on the security as defined in its high-level standards. Lastly, a security policy aims at defining the expected consequences of violating the set policies.

A security policy should define its target audience, for instance, company employees, suppliers, contractors, customers, and any other party who might access your company's computer network. A good policy should treat each group differently (Stoneburner, Goguen, and Feringa, 2002). Besides, a well-documented procedure should group users based on their roles on the network. Therefore, the content of a security policy is well determined by its target audience. For instance, companies should categorize their users as either an internal audience or an external audience where the Internal audience will include managers and executives, business units and departments, end-users, and technical staff. On the other hand, the External audience would consist of partners, customers, contractors, consultants, and suppliers.

Additionally, designing a security policy involves an understanding of different components of functional security components. For instance, it should comprise governing policies, end-user, and technical network security policies. A governing security policy is the highest level concept of a security policy that is critical to an organization or company. Besides, it comprises all the procedures and rules relating to the interactions among business units and support departments within an organization. The end-user policy takes care of the security needs of the end-users. In contrast, the technical security policies involve the security needs of your employees related to their day to day operations within the company network. The technical security policies are more detailed addressing a specific issue, for instance, access control and physical security.

A good security strategy is required to ensure all critical network assets are highly protected. However, modern computer networks have become complicated and porous, making security design a significant challenge. Besides, modern IT networks include extranets connections for business partners, public servers for e-commerce, as well as remote access capability for those employees working from home. Cisco, the giant provider of network devices, recommends a structured set of steps to be followed while designing and implementing a security policy. The following are the recommended strategies for developing a good network security policy. Firstly, network engineers should identify all network assets. Secondly, analyze the associated security risks, carefully examine all the security requirements as well as trade-offs. Fourth, develop a security plan that defines all the security policies, network security policy procedures, and implementation strategy. Besides, organizations should ensure continuous testing, maintenance as well as update of the security system to fix any issues (Stoneburner, Goguen, and Feringa, 2002).

Information Security Strategic Plan

The principal objective of a security program is to protect the information assets for an organization, including managing security risks. For instance, currently, my organization has designed a strategic plan to ensure the security of the IT network. Firstly, identifying, approving, and promoting the best IT security standards as defined and recommended by Cisco. Therefore, with these procedures, the organization targets at providing a clear security baseline for all the users. Besides, business processes should be performed within a secure environment. Secondly, developing, approving, and promoting a comprehensive set of network security policies. The first goal should act as the primary standard for developing affective network security policies. Therefore, the organization can achieve security control across the network and business processes (Stoneburner, Goguen, and Feringa, 2002). Besides, this second goal allows the organization to define clear security roles, responsibilities as well as accountability among network users.

Thirdly, implementing a formal risk and contingency management program. The company is continually analyzing its business impact as well as risk assessment. For instance, organizing business functions as either mission-critical or less critical, understanding the existing relationship, and quantifying the risk associated with disruption. Moreover, we have implemented a business continuity plan as well as disaster recovery procedures to ensure continuity of the mission-critical business functions. Besides, continuous testing of these plans is critical. Fourth, Inventory and classifying both systems and data. For instance, network systems and organizational data should be categorized based on the criticality as well as the sensitivity of their respective functions or roles. The most sensitive systems, including data, are protected according to the goal number two with the guidance from network engineers CISO, data owners, as well as business owners. This fourth step aims to reduce the risk of exposing both sensitive data and systems.

Besides, the sensitive data are classified continuously, managed, and protected. Fifth, our company has established a broad program for educating and training both customers and staff on IT security. The program enhances security awareness that should be integrated into the company's HR, off-boarding, and onboarding workflow. Besides, the company has invested in offering relevant training and educational materials on network security as well as expected outcomes. Moreover, an organization needs to align its governance, including IT processes, to support the set security policies in reducing security risks.

The External and Internal Threats to Information Systems

Firstly, malicious cyber-attacks which in most situation is perpetrated by internal users, including IT staff or even systems administrators. Besides, employees who are more proficient in networks can use their system access privileges and potentially exploit any back doors into internal systems also even install spy software to collect and steal information on the company IT network. However, to curb internal malicious cyber-attacks, there is a need to closely monitor the employees' activities on the net by installing network monitoring systems (Stoneburner, Goguen, and Feringa, 2002). Besides, daily logs, as well as alerts in case of malicious or foreign activities, should be reported to prevent disgruntled employees from exploiting their positions. Other steps to minimize these attacks would be deactivating employees' user account whenever one leaves the company to avoid any attempts to uses their account for accessing the network remotely.

Secondly, social engineering is another most common internal threat in most organizations. Social Engineering involves hackers who exploit the existing trust among the employees to gain access to an organization network. Besides, they trick company employees through phone calls who end up giving or revealing confidential information such as access passwords. Therefore, awareness should be created among employees by educating them on the risks that would minimize the chances of falling into the trap. Employees, both support and technical staff, need to understand that they not supposed to give their passwords via phone calls. Besides, they also need training on how to recognize and ignore any potential phishing emails.

Thirdly, another potential internal threat is malicious internet downloads. Employees from small businesses are known to spend a lot of time browsing for personal interests, for instance, just watching videos online or even sharing files over the internet as well as playing games. Moreover, the majority are not aware of the risks or even what these activities can cost them. Furthermore, today the number of malware, including viruses over the internet, is increasing daily. Often malware and viruses can be hidden in online games, videos, and social media sites including, insecure websites created to deceive internet users (Stoneburner, Goguen, and Feringa, 2002). However, educating internal network users, including your employees, can help in reducing the risk of data breaches by malware. Employees should be trained on the potential harms possess by the malware. Besides, employees need to understand how to differentiate between secure websites from those that are insecure.

Lastly, data leakage through USB drives, CD-ROMs, and digital cameras is another significant risk. Today, there is a higher risk of losing confidential information just via a flask disk. These devices are very portable and have higher capacities for holding a massive amount of data. Most people, including internal staff, have been found copying data onto their USB or even mobile devices, and in the process, most have lost their passwords to third parties. Hackers are taking advantage of USB devices to install carrier malware that steal information such as user passwords whenever inserted into the computer system within the network. Besides, some of them go beyond just taking a password to install their malware programs, which then keep collecting data from unsecured PCs.

Therefore, to curb the risk of losing data via these portal storage devices, organizations, both small-scale and medium enterprises, are encouraged to block devices such as USB and other computer data sticks from being inserted into the company's PCs. Besides, reliable anti-viruses, including malware detection systems, need to be installed on all internal systems to detect and probably raise alarms when detected. Also, a password policy should be implemented alongside strong encryption standards for sensitive data. Organizations should set group policies on the Active Directory to restrict any unauthorized copying of...