Importance Of IT Security Management System

What is vulnerability in computer security?

Discuss about the importance of IT security risk and threat to an organization.

Information technology has become the core part of every working centre. The business is using IT in various different departments like human resource, manufacturing, finance, security system and many more. The IT market is expanding in every sector and the organizations are becoming highly dependent on the IT sector on a daily basis (Ahmad, Maynard & Park, 2014). The

IS being vulnerable to destruction, system quality problems, error.

The term vulnerability in computer security defines the weakness that can get exploited by any threat factors. The attackers who perform the unauthorized task within a computer needs to have at least one applicable tool that can connect to a system. A security risk is termed as vulnerability (Bessis, 2015). In the computer security system there can be a weakness in the automated system that can be exploited by a threat. Whenever the data is stored in the digital form it becomes more vulnerable to be exploited by the hackers. The threat for attackers to invade the system includes hardware, software failure. Online communication, data transfer, telecommunication are highly vulnerable to be invaded by exploiters or hackers (Lam, 2014).

Reason:

The internet system architecture includes the information, a server to transfer the information and a web client who is sending or receiving the information. However, this system has become vulnerable as it was designed in such a manner that that can be easily accessible by different people at different corner of the web. The information that is getting transferred from unsecured media can be easily misused and intercepted by the hackers. The software has become a core target to spread and introduce viruses and malicious software. The malicious software includes viruses, Trojans horses, and worms (Pritchard & PMP, 2014). They attach themselves to programs and then spread by themselves. Their primary target is to destroy the files and crash the system. The primary reason for the hackers to hack the system are:

• Stealing the information
• Misuse of data
• Crashing the system
• Spreading of virus
• Theft of goods and services

The IT related risk in the security system in an organization are:

• Malicious Insiders: the members and workers of the organization who has a good grip on the internet usage and IT security field can cause severe damage to the organization. They can access the information that are highly confidential for the organization and cause a serious threat to the organization (Carcary, 2013). Generally it is considered that the insiders betray their organization for monetary issue and thus leak important information of the company to the outsiders and the rivals.
• Accidental use of IT assets: There are few users who use the company information or access them by mistakenly. They do not intent to use them or unlock the privacy of the company. But somehow they tend to misuse the information by mistakenly. Sometimes when the employees are sharing the data they are using their phone or local communication system that is easily accessible by the hackers but his can be a serious threat to the organization as the information are highly important and confidential to the organization.
• Installing rogue program: few steps like visiting improper websites, clicking suspicious links and images, installing unknown software’s and applications can cause installing of rogue programs to the computer. The program might turn out to be malicious thus becoming a huge threat to the organization (Brindley, 2017). The programs might send photo copy of documents and information of the company that are highly important to the company. The attackers will receive the image copy and misuse the data in their own convenient way.
• Complacency: the employees are the defence system of the company thus protecting the IT system from any vulnerable threats. It is their duty to check and keep a note of every single possible threats to the company and thus take necessary steps. However, if the employees are not taking an interest to do so and are reluctant about the security system of the company then it can be highly risky.

Managing the risk in the organization:

• Malicious Insiders- the company must make sure that they are maintaining a well-organized and loyal range of workers in the organization. They should make sure that the workers are dedicated to the organization and have focused on the security system of the company (Cole et al., 2013). Instead of this if the workers themselves are trying to trespass the security system of the company then it can be risky to the organization. Thus the first step that the company should take is to make sure that the workers are dedicated to the company.
• Accidental use of IT assets: the accidental use of asset are generally caused due to casual sharing of data and information through random sources that are vulnerable to get hacked. The workers and the organization must use reliable sources and network to share the information with the desired sources. The company must assure a well -structured communication system among the members so that the information that they are sharing remains confidential to the company (Cole et al., 2013).
• Installing rogue program: The organization should make sure that they are not using and unknown software’s or applications that might have chances to be malicious. The virus can be present in such programs that can damage the entire system and cause a huge damage to the organization. The organization should prevent access to any unknown programs or software with the organization’s system so that the information remains safe and secured.
• Complacency: The organization should motivate the workers to remain aware about the hackers and their techniques of hacking data. The employees should check regularly that the information and the documents of the company are safe and secured and there is to scope for any external threats to attack them (Cole et al., 2013).

Management control is actually the security control that focuses on the risk management of the organization. It basically gathers the information and uses it to evaluate the security system of other organization and implement it in the self -organization for a better security system. The management control can be of three types like preventive, detective, responsive (Maitlis & Christianson, 2014). It influences the behaviour of the organization and helps them to implement organizational strategies.

Why is the IT system architecture vulnerable?

However at the same time application control is a security system that blocks the unauthorized applications that can be risky or the organization. It includes completeness, identification, authentication, authorization, validity check. The companies re reliable to such sources in their day to day working system. The applications include whitelisting and blacklisting to show the organization which is trust worthy and which application is risky to follow.

Management control system focuses on managing the risk and threats to the organization and helps them to find a better alternative to keep away from threats. It uses the information from various sources to evaluate the information and then take a decision about the organization. On the other side application control directly prevents the organization from using any sources that can be risky to the organization and impose a threat to it. They help the company to filter the programs and suggest them to use it or not.

Risk management and risk assessment are two important aspect in IT risk management system. The risk management system comprises these two aspect as they can use these two component to identify the risk and prevent the company from facing any challenges related to IT security risk. Among these risk management includes planning, control, implementation, monitoring, security policy that helps the organization to management the security system and prevent any risk related challenges to be faced by the company. On the other hand risk assessment includes a time period when the risk related to the company are assessed and identified by the company (Wall, 2013). These are two important aspect of security management in an organization. There are few steps that a company might take to assure a situation where they will not face any security related risk in the organization. The possible steps the company might take are:

• Clear communication regarding the cybercrimes with the employees: The employees should be well aware of the possible threat that might come from the cyber system of an organization. The internet access has become a common source for sharing data and communicating in every organization. At the same time the hacker are also well aware about this development. They also tend to hack the information shared through this system (Ismail, 2014). Thus the workers should be informed about the impact of poor cyber hygiene.
• Training the employees: the staff should be well aware of the cyber system and its risk to the organization. The employees should be informed how to handle the entire system and handle it with care. They should be aware that the cyber risk can be a real threat to the organization. The threat starts from encrypting data to hacking the personal accounts of the workers. Thus they should be aware of such risks and be careful while accessing the internet (Ismail, 2014).
• Using effective password management: The password that the company is using should be difficult to hack or make out. The company should use strong password system to protect the data and vital information of the company. The employees should also be warned for not sharing their password with any third person. The employees should also be trained to recognise and respond to any attack that they are facing. This will help them to take necessary step to protect the data and also save the company from facing any attacks (Ismail, 2014).

Risk management is important for every organization because without this a company will not be able to define its objective for the future (Bossler & Holt, 2015). If the risk related to a company are not considered then there are chances that the company might lose their direction.

The 5 risk management steps are:

• Identify the risk
• Analyse the risk
• Evaluate the risk
• Treat the risk
• Monitor and review the risk

The risk evaluation helps the organization to determine the chances of risk and then decide whether to accept the risk or take necessary action to prevent it or reduce it. Thus it is important to evaluate the risk and its possibility to harm the organization. Depending on this the company should take necessary steps.

What are the different types of controls?

Reliability-

• The Company must hire employees who are trust worthy and dedicated to the organization. They should have least scope to betray the company and leak any information of the company.
• The sources for interaction and sharing data that the company is using should be secured and well maintained so that there are less chances for leakage of information.
• The organization can use password and security lock to prevent the sharing of data with the permission of the reliable sources. The messages can be encrypted by the organization so that even when the data is leaked the hacker cannot understand the meaning (Faizan, Ulhaq, & Khan, 2014).

Confidentiality-

• The information should be shared only with the reliable resources and no extra person should be informed about the personal information.
• The organization should train and inform the employees about the importance of maintaining the confidentiality of the information. The workers should also be informed about the risk related to the organization, if the information is leaked or systems are hacked.

Availability-

• The organization can maintain a personal site where they can upload information regarding the organization. However this system will be secured with special technology boundaries that will protect the site from outsiders and hacker. It will also keep a note whether any insider is trying to leak any information or not.
• The communication system used by the organization should also using reliable and trust worthy sources that will assure that the data shared through the medium is safe and not accessible by any external resources.

The digital business process helps the organization to improve their standard in every field and come up with innovative ideas. The digital system has introduced the usage of internet, software and applications that helps the organization to create a better scope for expansion of the company. The digital business process includes sharing of information with digital system, maintaining the records in digital applications, billing through digital system, payments made in digital system. However, this can be a real threat to the organization as the cybercrimes have become more prominent with in the past few years and they are misusing the technology in a severe way. The business might make sure they are using reliable sources to communicate, share data, access monetary transaction and prevent access to malicious programs that can damage the entire system.

Conclusion:

Thus it can be concluded that the security management system is very important in every organization. The security management determines the scope for risk to the company through IT surface. The company must make sure they are using sources that are trust worthy and do not damage the privacy of the company. The company must use reliable resources to share data and vital information regarding the company and its working. They should hire employees who are highly dedicated to the organization and makes sure that they are working for the benefit of the company. However, there can be few threats that can still survive in the organization in that case the company should adapt the step that has been mentioned in the study in the previous pages. It can be assured that if an organization is using these steps then there will be very less scope for security threat or risk in the organization

References:

Ahmad, A., Maynard, S. B., & Park, S. (2014). Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), 357-370.

Bessis, J. (2015). Risk management in banking. John Wiley & Sons.

Bossler, A., & Holt, T. J. (2015). Cybercrime in progress: Theory and prevention of technology-enabled offenses. Routledge.

Brindley, C. (Ed.). (2017). Supply chain risk. Taylor & Francis.

Carcary, M. (2013). IT risk management: A capability maturity model perspective. Electronic Journal of Information Systems Evaluation, 16(1), 3.

Cole, S., Giné, X., Tobacman, J., Topalova, P., Townsend, R., & Vickery, J. (2013). Barriers to household risk management: Evidence from India. American Economic Journal: Applied Economics, 5(1), 104-35.

Faizan, M., Ulhaq, S., & Khan, M. N. (2014). Defect prevention and process improvement methodology for outsourced software projects. Middle-East Journal of Scientific Research, 19(5), 674-682.

Ismail, S. (2014). Exponential Organizations: Why new organizations are ten times better, faster, and cheaper than yours (and what to do about it). Diversion Books.

Lam, J. (2014). Enterprise risk management: from incentives to controls. John Wiley & Sons.

Maitlis, S., & Christianson, M. (2014). Sensemaking in organizations: Taking stock and moving forward. The Academy of Management Annals, 8(1), 57-125.

Pritchard, C. L., & PMP, P. R. (2014). Risk management: concepts and guidance. CRC Press.

Wall, D. S. (2013). Enemies within: Redefining the insider threat in organizational security policy. Security journal, 26(2), 107-124.