This report examines the organizational considerations involved in implementing an information security program across the workforce. Organizational security is one of the major concerns of organizations today. The earlier report identified and discussed in detail the threats to data security and related aspects such as the consequences of system failures. This report focuses on the design and implementation of an appropriate security program for the company that addresses the risks and threats discussed earlier. The ISO standards that the security program should follow are also discussed, and a suitable certification and a security model that builds on those standards are recommended to the company.
Information security is one of the primary focuses of Yahoo, which invests a great deal of time and expertise in developing security programs within the organization. Yahoo is aware that its users place considerable trust in its data security policies and expect their accounts and the other information stored in Yahoo databases to be kept secure and private. Some of the main security measures Yahoo has adopted are:
Second sign-in verification by SMS code – Users authenticate themselves by entering, in addition to their password, a verification code sent by SMS to their registered mobile phone. This adds a second factor to the sign-in, although SMS codes remain exposed to SIM-swap attacks and to phishing sites that relay the code in real time (Murashkin et al. 2013).
Transport Layer Security (TLS) – The protocol that encrypts and authenticates the connection between the user's client and Yahoo's servers. It protects payment details and other financial information while in transit, but not once they are stored.
Secure data storage – Physical as well as technical security controls are used within the organization to protect stored information.
On-demand passwords – Where the user has registered a mobile number, Yahoo can send a one-time code to that phone at each sign-in in place of the account password, so that no long-lived password has to be remembered or can be stolen from storage (Horalek, Matyska and Sobeslav 2013).
Training and education – Employees must be given adequate training on the security program being introduced so that they remain informed about it.
Vendors and partners – Where Yahoo has to share confidential information with partners or vendors for a business purpose, it first ensures that the applicable privacy policies and agreements are in place.
Access to information –
Access controls at Yahoo are tight and limit who can reach which information. Users are granted access to sensitive data according to their role and their need to know it, not merely their seniority in the organization; this is the principle of least privilege, and it is what stops a single compromised or disgruntled account from exposing everything.
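The two SMS-based measures listed above (the second sign-in code and the on-demand password) share one lifecycle: generate a short random code, deliver it out of band, and accept it only once, only briefly, and only within a small number of guesses. The following Python is an added example written for this page, not Yahoo's own code; the SMS gateway is a stand-in, and the six-digit length, the five-minute validity and the five-attempt cap are assumed policy values.

```python
"""Lifecycle of an SMS sign-in verification code (second sign-in verification or
on-demand password): issue, deliver, verify with expiry, attempt cap and single use.
Constructed example; the SMS gateway is simulated."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: lockout after five wrong guesses


def _digest(code: str, salt: bytes) -> bytes:
    # Hashing a 6-digit code is only defence in depth: the space is 10**6, so an
    # attacker who reads the store can brute-force it offline. The controls that
    # actually limit guessing are the short TTL and the attempt cap below.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class SmsGateway:
    """Stand-in for the real SMS provider: records what would have been sent."""

    def __init__(self):
        self.sent = []   # list of (phone_number, message)

    def send(self, phone_number, message):
        self.sent.append((phone_number, message))


class OtpService:
    def __init__(self, gateway, clock=time.time):
        self._gateway = gateway
        self._clock = clock
        self._pending = {}   # user -> record of the outstanding code

    def issue(self, user, phone_number):
        """Generate a fresh code, store only its salted hash, and hand the clear
        code to the SMS gateway. Re-issuing replaces any outstanding code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": _digest(code, salt),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._gateway.send(phone_number, f"Your sign-in code is {code}")

    def verify(self, user, submitted):
        """True only for the current, unexpired code, within the attempt cap.
        A used or exhausted code is discarded so it cannot be replayed."""
        rec = self._pending.get(user)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[user]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]          # lock out: a new code must be issued
            return False
        ok = hmac.compare_digest(_digest(submitted, rec["salt"]), rec["digest"])
        if ok:
            del self._pending[user]          # single use
        return ok
```

The comparison is constant-time and the code is never logged or stored in the clear; the attempt counter is incremented before the comparison so a client that aborts mid-check cannot get free guesses.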
Chief information security officer (CISO):
Yahoo has hundreds of employees working on the security of the organization as a whole. They perform a range of security tasks, including data and information security. The chief security officer is concerned not only with the physical security of the organization but also with its electronic and data security. The present chief information security officer (CISO) at Yahoo Inc. is Bob Lord, who replaced Ramses Martinez, the earlier chief security officer, in October 2015.
The chief information security officer is the highest authority within Yahoo Inc. directly responsible for the overall physical and electronic data security of the organization, which in turn helps the organization achieve a competitive advantage. One of the major roles of the CISO is to ensure strong inter-departmental coordination, so that insider sabotage is deterred and security-relevant information is not kept siloed within particular teams. The CISO's job is to maintain transparency and cooperation among employees across all departments and hierarchical levels. This in turn supports the overall security of the organization: once the company worries less about data security vulnerabilities, employees are able to work together with greater harmony and cooperation. In other words, the CISO is responsible for reducing friction between departments so as to ensure a smoother and safer workplace (Herath et al. 2014).
The CISO is concerned not only with the physical security of Yahoo's data centers across the world but also with the information technology (IT) infrastructure and electronic data security. The CISO must ensure that security policies are upheld so that the company remains in a secure position and retains its competitive advantage. A major part of the CISO's job is to work with executive-level staff to understand the basic drawbacks and security concerns faced by mid-level employees; once those concerns are understood they can be addressed, and funding decisions can be taken to implement new security strategies and ideas within the organization. Bob Lord also reserves the power to review decisions taken by a security director at any particular branch or data center of Yahoo, bearing in mind the overall security and welfare of the company as a whole.
Product security engineer:
Binu Ramakrishnan is presently the product security engineer at Yahoo who heads the product and information security tasks within the organization. He is concerned with protecting the networks, the data held on servers and the other applications within the organization, and with protecting and securing the IT systems more generally: network security, infrastructure, data security, server security, cloud computing security measures and so on. Securing important information such as customers' personal information, financial worksheets and other confidential data is a major part of the role of an IT product security officer. He is also responsible for deciding and granting access for other employees and users, inside or outside the organization, to important data and databases, using multiple authentication and verification mechanisms (Harkins 2013).
The product security officer at Yahoo is also responsible for developing and implementing network security measures using firewalls, data loss prevention (DLP), virtual private networks (VPNs), intrusion detection and prevention systems (IDS/IPS), network access control (NAC) and enterprise antivirus products such as Kaspersky Internet Security. He is also responsible for designing local area networks (LAN), wide area networks (WAN) and virtual LANs (VLAN) in a way that segments the network and so improves security within the organization. Binu Ramakrishnan is the present officer at Yahoo who takes care of all these functions.
Suggestions to improve security personnel hierarchy:
The hierarchical structure within the organization can be improved in several respects, both for the overall development of the organization and for better security. Some of the recommendations are:
There should be a properly constituted Board of Directors at the headquarters with ultimate responsibility for the corporate security governance of the organization, able to take critical decisions on the information security risks it faces. At present this does not happen within Yahoo: most of the security responsibilities are explicitly delegated by the board to the executive directors below it, led by the chief executive officer (Chou 2013).
The executive directors within Yahoo should have the flexibility to set an overall direction that yields strategic and competitive benefit, by getting the security principles approved and then implemented by all employees within the organization.
The chief information security officer (CISO) should be handling tasks such as managing IT operations and risk factors, performing compliance and internal audit, as well as the
Yahoo should focus on conducting more security awareness programs and campaigns for its security personnel and help them develop a strong understanding of the ISO/IEC 27002 standard (Zeki et al. 2013).
Managers across the organization should ensure that all employees abide by the ethical and security guidelines when taking business decisions. They should also ensure that all physical, procedural and technical controls comply with the security guidelines, to prevent any privacy breach or data misuse inside or outside the Yahoo workplace.
Yahoo should also look to hire more effective information asset owners (IAOs). These are the specialized managers in an organization who are responsible for securing a particular information asset, making use of their LSC or SC. IAOs at Yahoo should have the authority to assign information and data security tasks to managers, while remaining themselves accountable for the proper implementation of those tasks and of the security policies. This is not presently the case in Yahoo's work culture, and management should consider implementing it (Flores, Antonsen and Ekstedt 2014).
The information asset owners (IAOs) should also be held responsible and answerable for the risk-mitigating measures and action plans for employees who are not performing up to the mark. They should personally look into critical risk factors and policy exemption scenarios, to prevent discrimination and employee unrest as well. IAOs should make sure that, in any extreme security-related case, the exemption process is executed by the managers under their own supervision.
Implementing the hierarchical changes discussed above within Yahoo, so as to ensure an improved security program, can be summarized in the points discussed below:
Management Support for Change
Employees will accept a change in organizational structure far more readily if they see proper support for it from the whole organization. It is of the utmost importance for Yahoo to ensure adequate communication as well as training programs, especially for the leadership teams, so that responsibilities transfer smoothly. This will also create new job opportunities within Yahoo Inc. If employees cannot understand or relate to the changes in the security policies, they will not consider implementing them themselves and the program will fail (Duffield 2014). It can also lead to insider sabotage and other threats from within the organization when an employee is dissatisfied with a colleague or unhappy with the organization's working principles and harbours a grudge against it. Employee job satisfaction plays a major role here.
Case for Change
No organization wants a change made merely for its own sake, whether in the security program or in any other department. What is required is a case for the change. It is built from surveys such as customer comment cards, customer satisfaction, employee satisfaction surveys, defect rates and business goals (Siponen, Mahmood and Pahnila 2014). Budget pressures, both for implementing a new security program and for implementing the changes in hierarchy discussed above, should be taken into account; this will also require the organization to schedule proper training sessions for the finance departments (Peltier 2016).
Communication and implementation of the change
Employees depend on management to communicate any organizational changes to them effectively. Rumours about a change can create resistance to the change itself. Yahoo should be proactive in communicating the changes and should provide adequate training on the new security policy (Kang et al. 2015). Employees should not be taken by surprise when a new security policy is implemented within the organization.
There should also be a tentative roll-out date for the new security plan and a pre-roll-out testing phase for the new security program, so that employees are kept well informed about the changes (Ford 2014).
Planning a suitable training program
Yahoo Inc. will need prior approval from upper management to conduct the training and development sessions. The different aspects of the program, such as security policy milestones, implementation costs, tentative dates and deliverables, have to be covered in the training modules. Yahoo management should secure commitment from the employees and confirm their understanding of the learning outcomes (Daya 2013).
Traditionally, Yahoo relied on a password-based model of user authentication. To combat the ever-increasing incidence of data theft and security breaches, it recently introduced 'Yahoo Account Key', which lets a user sign in to a Yahoo account without entering a password: a push notification is sent to the user's phone and a single tap approves the sign-in, which is faster than typing a long, complicated password. Here Yahoo has prioritized user-friendliness, and the trade-off has a cost. A prompt that can be approved with one tap can be approved by mistake, or under social engineering, for a sign-in attempt the user did not start, and anyone holding the unlocked phone can approve a sign-in for the account. Unless the prompt is bound to the specific sign-in attempt, this model on its own does little to secure sensitive information and user data (Dadelo et al. 2014).
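The weakness described above is the blind approve-or-deny prompt: nothing on the phone ties the tap to the sign-in attempt on a particular screen. The Python below is an added illustration for this page, not Yahoo's implementation of Account Key; it shows the blind approval beside a number-matching variant, a standard mitigation assumed here rather than a feature the page attributes to Yahoo, in which the browser that started the sign-in displays a two-digit number that the phone must echo back.

```python
"""Push-based sign-in approval (the 'tap to sign in' pattern): the blind
approve/deny prompt beside a number-matching variant that binds the tap to the
sign-in attempt the user is actually looking at. Constructed example."""
import secrets
import time

REQUEST_TTL_SECONDS = 60   # assumed: a pending prompt dies after one minute


class PushAuthServer:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._requests = {}    # request_id -> record
        self.pushed = []       # (user, request_id) pairs the phone app would receive

    def start_login(self, user, client_ip):
        """A browser submits a username. The server pushes a prompt to the phone
        and returns (request_id, number); the number is shown in that browser."""
        request_id = secrets.token_urlsafe(16)
        number = secrets.randbelow(100)          # two-digit match code
        self._requests[request_id] = {
            "user": user, "client_ip": client_ip, "number": number,
            "expires": self._clock() + REQUEST_TTL_SECONDS,
            "approved": False, "settled": False,
        }
        self.pushed.append((user, request_id))
        return request_id, number

    def _live(self, request_id):
        rec = self._requests.get(request_id)
        if rec is None or rec["settled"]:
            return None
        if self._clock() > rec["expires"]:
            rec["settled"] = True
            return None
        return rec

    def approve_blind(self, request_id):
        """Weak design: a tap on the phone approves whatever request is pending.
        If an attacker typed the victim's username, the victim's tap logs the
        attacker in; the prompt carries nothing that distinguishes the two."""
        rec = self._live(request_id)
        if rec is None:
            return False
        rec["approved"] = rec["settled"] = True
        return True

    def approve_with_match(self, request_id, typed_number):
        """Hardened: the phone must send back the number displayed in the browser
        that started the request. Only the person at that browser knows it, so a
        victim cannot approve an attacker's attempt by accident. A wrong answer
        settles the request, giving an attacker at most one 1-in-100 guess per
        prompt the victim answers."""
        rec = self._live(request_id)
        if rec is None:
            return False
        rec["settled"] = True
        rec["approved"] = (typed_number == rec["number"])
        return rec["approved"]

    def is_authenticated(self, request_id):
        rec = self._requests.get(request_id)
        return bool(rec and rec["approved"])
```

In both variants the request is single-use and expires; the only difference is whether the approval carries information that exists solely at the legitimate point of origin. The phone should also display the client IP and location from the record so the user can refuse prompts they did not start.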
The open systems interconnection (OSI) security architecture should be adopted in the Yahoo workplace to secure the data further (Bora et al. 2014). The OSI reference model is specified in ISO/IEC 7498, and its security part (ISO 7498-2) defines the security services, namely authentication, access control, data confidentiality, data integrity and non-repudiation, together with the layers at which each can be provided. It is an international standard rather than a certification, and it should be incorporated within Yahoo Inc. because of its benefits. The threats and risk factors it is meant to address are those identified in the earlier report.
The model suits Yahoo for several reasons. Firstly, it is an ISO standard, so its credibility is not in question. Secondly, it is built on industry standardization, which allows third-party products to integrate with Yahoo's security programs (Omar 2017). Thirdly, because each layer of the OSI model has a clearly separated function, a security problem can be traced to the layer at which it occurs (a certificate failure is a transport-layer matter, a spoofed address a network-layer one) and troubleshot more easily (Huang et al. 2017).
Conclusion:
It can be concluded from the above report that although Yahoo has data security concerns, there are mitigation techniques that can be implemented to build an improved information security system. The security personnel hierarchy can be revised and an ISO-standard security model such as the OSI security architecture can be used to ensure improved security and smoother business operations. If properly implemented, these changes can take the security level of the organization to new heights. In the earlier report the threats and risks were identified; this report has set out the techniques for designing an appropriate security program for the organization. The risk analysis shows that risks such as insider sabotage must also be prevented, which depends in part on the level of employee satisfaction within the organization. Other information security techniques such as audit trails can also be introduced, through which managers can track who accessed what information, at what time, and from which system; such a trail is only useful if it records denied as well as permitted accesses and is protected against alteration by the people it records. Provided all the threat mitigation techniques are properly implemented, Yahoo will be able to achieve a high level of information security, which in turn will help improve customer satisfaction.
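The access-control point made earlier (access by role and need to know, under 'Access to information') and the audit trail recommended in the conclusion fit together: every access decision, allowed or denied, becomes a log entry naming the user, the resource, the action, the time and the source system. The Python below is an added example for this page, not Yahoo's code; the roles, users and hosts are constructed, and the hash chain is one way of making the trail tamper-evident.

```python
"""Least-privilege access decision plus a tamper-evident audit trail recording
who accessed what, when, and from which system. Constructed example; the policy,
users and hosts are made up."""
import hashlib
import json
import time

# Constructed policy: role -> set of (resource, action). Access follows the role
# and the need to know, not the user's seniority.
PERMISSIONS = {
    "support_agent":   {("customer_profile", "read")},
    "finance_analyst": {("financial_worksheet", "read"), ("financial_worksheet", "write")},
    "auditor":         {("audit_log", "read")},
}
USER_ROLES = {"alice": {"support_agent"}, "bob": {"finance_analyst"}, "mallory": set()}

GENESIS = "0" * 64   # prev_hash of the first entry


class AuditTrail:
    """Append-only log where each entry commits to the previous entry's hash, so
    editing or deleting an entry breaks every later hash. This is tamper-evident
    only if the latest hash is regularly copied somewhere the log writer cannot
    alter (signed, or shipped to write-once storage)."""

    def __init__(self, clock=time.time):
        self.entries = []
        self._clock = clock

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(fields, ts=self._clock(), prev_hash=prev)
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain from the genesis value; False on any break."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(user, resource, action, source_host, trail):
    """Decide the request and log it either way; the denials are the records a
    manager looking for misuse wants to see first."""
    roles = USER_ROLES.get(user, set())
    allowed = any((resource, action) in PERMISSIONS.get(r, set()) for r in roles)
    trail.append(user=user, resource=resource, action=action,
                 source=source_host, decision="allow" if allowed else "deny")
    return allowed
```

The decision function never consults anything but the role table, so granting a manager access to financial worksheets is a policy change that is itself visible, not an implicit consequence of rank.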
References:
Bora, G., Bora, S., Singh, S. and Arsalan, S.M., 2014. OSI reference model: An overview. International Journal of Computer Trends and Technology (IJCTT), 7(4), pp.214-218.
Chou, T.S., 2013. Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), p.79.
Colesky, M., Futcher, L. and Van Niekerk, J., 2013, September. Design patterns for secure software development: demonstrating security through the MVC pattern. In 15th Annual Conference on WWW Applications, Cape Town (pp. 10-13).
Dadelo, S., Krylovas, A., Kosareva, N., Zavadskas, E.K. and Dadeliene, R., 2014. Algorithm of maximizing the set of common solutions for several MCDM problems and its application for security personnel scheduling. International Journal of Computers Communications & Control, 9(2), pp.151-159.
Daya, B., 2013. Network security: History, importance, and future. University of Florida Department of Electrical and Computer Engineering, 4.
Duffield, M., 2014. Global governance and the new wars: the merging of development and security. Zed Books Ltd.
Flores, W.R., Antonsen, E. and Ekstedt, M., 2014. Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security, 43, pp.90-110.
Ford, J.K. ed., 2014. Improving training effectiveness in work organizations. Psychology Press.
Harkins, M., 2013. Managing risk and information security: protect to enable. Apress.
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J. and Rao, H.R., 2014. Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service. Information systems journal, 24(1), pp.61-84.
Horalek, J., Matyska, J. and Sobeslav, V., 2013, November. Communication protocols in substation automation and IEC 61850 based proposal. In Computational Intelligence and Informatics (CINTI), 2013 IEEE 14th International Symposium on (pp. 321-326). IEEE.
Huang, P.L., Lee, B.C., Wang, C.S. and Sun, C.T., 2017. Relative Importance of the Factors under the ISO-10015 Quality Management Guidelines that Influence the Service Quality of Certification Bodies. Journal of Economics and Management, 13(1), pp.105-137.
Jouini, M., Rabai, L.B.A. and Aissa, A.B., 2014. Classification of security threats in information systems. Procedia Computer Science, 32, pp.489-496.
Kang, R., Dabbish, L., Fruchter, N. and Kiesler, S., 2015, July. “My data just goes everywhere”: user mental models of the internet and implications for privacy and security. In Symposium on Usable Privacy and Security (SOUPS) (pp. 39-52). Berkeley, CA: USENIX Association.
Kumar, S. and Lin, E.C., Yahoo! Inc, 2013. Management of network login identities.
Murashkin, A., Antkiewicz, M., Rayside, D. and Czarnecki, K., 2013, August. Visualization and exploration of optimal variants in product line engineering. In Proceedings of the 17th International Software Product Line Conference (pp. 111-115). ACM.
Muslukhov, I., Boshmaf, Y., Kuo, C., Lester, J. and Beznosov, K., 2013, August. Know your enemy: the risk of unauthorized access in smartphones by insiders. In Proceedings of the 15th international conference on Human-computer interaction with mobile devices and services (pp. 271-280). ACM.
Omar, H.O., 2017. Transformational Leadership in Quality Management.
Pathan, A.S.K. ed., 2016. Security of self-organizing networks: MANET, WSN, WMN, VANET. CRC press.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Shameli-Sendi, A., Aghababaei-Barzegar, R. and Cheriet, M., 2016. Taxonomy of information security risk assessment (ISRA). Computers & security, 57, pp.14-30.
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.
Zeki, A.M., Elnour, E.E., Ibrahim, A.A., Haruna, C. and Abdulkareem, S., 2013, November. Automatic interactive security monitoring system. In International Conference on Research and Innovation in Information Systems (ICRIIS) (pp. 215-220).