Strategic Information Security Program For ANSTO

ANSTO: Organization Overview

Information securities or simply InfoSec can be stated as one of the core practice that helps in preventing the authorized access, utilization, disruption, expose, inspection, recording, modification and even the destruction of the confidential information. This data or information might be taking any form like physical and electronic (Crossler et al. 2013). The following research paper outlines a brief discussion on the strategic information security for the organization of Australian Nuclear Science and Technology Organisation or ANSTO. This is the constitutional body of the government of Australia for replacing the Australian Atomic Energy Commission. Since, this is the centre of the Australian nuclear expertise, it is considered as one of the most effective and efficient organization. This research report will be providing the detailed description of the security program of ANSTO and a risk assessment will also be done here.

Australian Nuclear Science and Technology Organisation or ANSTO is a nuclear organization that provide nuclear expertise to its clients. They have several mission statements within their organization (Ansto.gov.au. 2018). The first and the foremost mission statement of the ANSTO is supporting the significant development as well as implementation of the government initiatives and policies within the nuclear or related areas, both internationally and domestically. Another important and significant mission statement of this particular organization of ANSTO is operation of the nuclear sciences as well as technology based facility, for the core advantage of the industries as well as the Australian or international research communities (Ansto.gov.au. 2018). The third vital and noteworthy mission statement of the ANSTO is the undertaking of research, which would be advanced for the major application of nuclear science as well as technology. Another major mission statement of this specific organization is to apply the nuclear science, expertise and techniques for the major purpose of addressing each and every environmental challenge of Australia and eventually incrementing the competitiveness of the industry of Australia (Ansto.gov.au. 2018). They even advance and manufacture the utilization of the radiopharmaceuticals that could improvise the health conditions of the Australians. There are five research facilities of ANSTO, which are OPAL research reactors, the Australian centre for the neutron scattering, the Australian synchrotron, the centre for the accelerator science and cyclotron facilities (Ansto.gov.au. 2018).

The security program can be stated as the documented set of the organisational information security procedures, standards, guidelines and policies. This particular security program provides the roadmap for the efficient as well as effective controls and practices of the security management (Von Solms and Van Niekerk 2013). The specific security program of the ANSTO should be developed for helping it in ensuring the confidentiality, integrity as well as availability of their customer and even their organizational information and data. There is always a higher risk of the potential breaches and security incidents in their organization since they deal with nuclear data (Peltier 2013). However, with the help of the security program of ANSTO, they could easily secure their financial records, confidential and sensitive information that are quite attractive target to the attackers since these information can be manipulated or even changed by the attackers for bringing major risks (Siponen, Mahmood and Pahnila 2014). Irrespective of the size or type of the data of the organization, the presence of security program could help them in mitigating the various risks and threats that could either lose, alter or steal their confidential information. There are three distinct characteristics that should be present for developing the security program of ANSTO and they are as follows:

1. i) Establishment of Benchmark of Security: The first and the foremost characteristic of the security program of ANSTO is the proper establishment of the benchmark of security (Yang, Shieh and Tzeng 2013). This security must be defined within the organizational environment by the security policies, programs and standard documentation. They could easily measure their information security even for the future.
2. ii) Measurement Against their Benchmark: The next important and significant characteristic of the security program of ANSTO is their measurement against the benchmark.Thus, they can check the effective changes in their organization.

Security Program for ANSTO

iii) Proper Decision Making: The entire decision making procedure in ANSTO could become extremely easier with this type of security program and hence the key stakeholders of this organization could be solely benefitted without any complexities (Peltier 2016).

They should include four components within their security program, which are follows:

1. i) Charter: This component can include the scope, mission and mandate of ANSTO.
2. ii) Policies: The policies could define how the company is addressing the security issues (Singh 2013).

iii) Processes: This particular component ensures that the security program is efficient and repeatable and security activities are performed.

1. iv) Measurement: The measurement of security program helps in determining the various improvements required to be made.

ANSTO has kept some of the most significant and important security personnel and these people are responsible for maintaining the security within their organization (Xu et al. 2014). These are as follows:

1. i) Chief Security Officer: The chief security officer is responsible for maintaining overall the security of the organization. This particular person has the duty to observe the works of the security guards and provide them instructions properly. This person requires to be clearly visible as well as vigilant so that there is no loophole in the security of the organization.
2. ii) Chief Technical Officer: The chief technical officer of ANSTO is responsible for maintaining the confidential information and data and even the hardware and software of the company (Safa, Von Solms and Furnell 2016). The IT related all details are to be notified to him and if there is any type of discrepancy noted, he has the authority to undertake necessary actions against the specified person. There are other subsequent duties as well. Several technicians and employees work under this particular chief technical officer and all of them have to report to this officer. There could not be any change or alteration without the permission of the chief technical officer.

The security program of any organization should be updated and changed eventually for maintaining a proper balance of the information and their protection by the security personnel (Andress 2014). The few recommendations for the purpose of improving the security program within this organization of ANSTO are as follows:

1. i) Ensuring Executive Support: The first and the foremost recommendation that is required for the betterment of the organization of ANSTO is to ensure the executive support. The end user awareness should have a complete support to the top executives as well as the middle managers for becoming successful (Sommestad et al. 2014). Hence, the information flow would be possible easily and promptly.
2. ii) Focusing on the Changed Behaviours of Employees: Another important and significant recommendation for the maintenance of the information security within the organization of ANSTO is focusing on the changing behaviours and hence improving the security. This could only take place when the people could make relevant decisions and act in such ways that the risks are reduced in each and every aspect (Parsons et al. 2014). The organizational employees should be aware of the threats and risks associated with the systems.

iii) Solicitation of End User Ideas: Another important and noteworthy recommendation to improve the security program of ANSTO is by the solicitation of the end users’ ideas and encouraging the feedbacks. Moreover, the success or growth of the security program should also be measured effectively and efficiently by the respective security personnel.

The organization of ANSTO is eventually following the ISO security standard of AS/ NZS ISO/ IEC 27001:2006 for their information securities (Disterer 2013). This particular standard is prepared for providing the model to form, deploy, function, monitor, evaluate, maintain as well as improvise the management system of information security. The adoption of this particular ISO security standard has also provided the strategic decision to the company of ANSTO (Safa et al. 2015). The design or implementation of the information security system of this company is majorly influenced by the various objectives and needs, processes employed, size or structure and security requirements. It is majorly expected that the supporting system of the organization should be changed time to time (Shropshire, Warkentin and Sharma 2015). The main goal of this type of information security is the proper balanced protection to gain three factors of confidentiality, integrity as well as availability for the maintenance of efficient and effective policy implementation and hence not hampering the productivity of the company.

This particular international information security standard even helps in adopting the process approach for the proper maintenance of the organizational information security system (Ab Rahman and Choo 2015). This specific process approach to the information security management for emphasizing on the size of the organization. Hence, the objectives as well as policies are subsequently established here and proper controls are being undertaken by them for managing each and every risk or threats. This organization of ANSTO has also monitored and reviewed the overall effectiveness and performance of the system of information security and hence the objective measurement is done for the continuous improvement of the organizational processes (Baskerville, Spagnoletti and Kim 2014). The international standard of AS/ NZS ISO/ IEC 27001:2006 is substantially aligned with ISO 14001:2004 and ISO 9001:2000 for supporting their integrated and consistent deployment as well as operation with the related strategies of management.

Characteristics of Security Program for ANSTO

The major responsibilities of this information security majorly include establishment of the collection of several business processes for the purpose of protecting the information assets irrespective of the fact that how this information was formatted (Ahmad, Maynard and Park 2014). The security model of any organization is the specific scheme that helps to specify as well as enforce the several security policies. This particular security model might be founded on the official model of the access right, model for the dispersed computing as well as the model for computations. The computer security model is usually implemented by taking the help of a particular security policy and hence it is always accurate and perfect and thus is being utilized by almost all organizations (Kolkowska and Dhillon 2013). There are some of the important and significant security models present in the technological world. Amongst them, the most suitable security model for this organization of the ANSTO is the Clark Wilson model.

The Clark Wilson integrity model is responsible for providing a specific foundation to specify and analyse the integrity policy for any particular computing system (Tamjidyamcholo et al. 2013). The Clark Wilson model is majorly concerned about the formalizing of the notion of the information integrity. Since, ANSTO is a nuclear science organization, information integrity is highly required. It is properly maintained by the prevention of the data items corruption either for the malicious intents and errors. The integrity policy subsequently describes the procedure of keeping the data items valid from any one state of their system to the other and even specified the major capabilities of the several principals within the systems (Webb et al. 2014). Hence, ANSTO would be highly benefitted if they would implement the Clark Wilson model; since this model defines the enforcement rules as well as certification rules.

 The Australian Nuclear Science and Technology Organisation should implement certification within their business (Cardenas, Manadhata and Rajan 2013). Certification is extremely vital and significant for any organization since it helps to maintain the adequacy of the information system security standards for each and every requirement of the organization. The issue of the security standards and methods are addressed with the certifications for the core purpose of enabling the analysis, evaluation and controlling of the security of the information system (Layton 2016). One of the most significant application of these security methods majorly involve the various checklists and guidelines that could allow avoiding the misses or lapses within the proper adoption or implementation of the security procedures or measures. Moreover, the critical processes and vulnerabilities regarding the information security is extremely important for ANSTO (Ahmad, Maynard and Park 2014). The respective discipline is being standardized and the basic guidance, industry standards and policies are set and collaborated for passwords, firewalls, legal liabilities, anti virus software and encryption software. There are some of the major objectives of these programs of information security and these objectives are the confidentiality, integrity as well as availability of the business related data or the IT systems (Shropshire, Warkentin and Sharma 2015). All of these objectives eventually ensure that the sensitive information could only be disclosed to the authenticated parties and the integrity of data is being maintained and modified. Hence, certification is extremely suitable for ANSTO.

Components of Security Program for ANSTO

A specific process of risk management is present that help in identifying the threat sources, potential impacts, vulnerabilities, assets as well as possible controls (Baskerville, Spagnoletti and Kim 2014). The effectiveness of the risk management plan is also assessed here. The threats and risks are responsible for bringing major vulnerabilities within any specific organization and hence affecting the information security. ANSTO, being a nuclear organization, might face some of the most important and significant threats, which should be mitigated on time for maintaining their confidential information and data properly and perfectly (Parsons et al. 2014). The major and the most significant and noteworthy threats for the information security of ANSTO are given below:

1. i) Social Engineering Attacks: The first and the most important threat for the organization of ANSTO information security would be the social engineering attack. This particular attack manipulates the people to perform various actions and to divulge the confidential information for any type of malicious reason (Ab Rahman and Choo 2015). The best example of this attack is phishing.
2. ii) Disclosure of Passwords: The second important and significant threat of the organization is disclosure of passwords. These passwords should not be disclosed at any cost and hence should be kept in secret.

iii) Accessing of Network: Since ANSTO is a nuclear organization, there should not be any loophole for information security (Safa, Von Solms and Furnell 2016). The network should be accessed by the unauthorized persons under any circumstance.

1. iv) Errors in the Maintenance of Hardware: The hardware plays the most vital role in securing the confidential information for all companies. Hence, the several errors for the maintenance of the hardware could be extremely vulnerable. Moreover, the hardware could even be stolen by the respective attackers.
2. v) Human as well as Natural Disasters: These are the next significant and important threats that are quite common for the organization of ANSTO (Yang, Shieh and Tzeng 2013). The human disasters majorly involve the tampering and vandalism of information by the staffs and employees of ANSTO; however the natural disasters involve the volcanoes, storms and earthquakes.
3. vi) Destruction of Confidential Records: The next important and significant threat of the information security of ANSTO is the respective destruction of records (Siponen, Mahmood and Pahnila 2014). As this company deals with nuclear data, the sensitive records should not be destructed at any cost.

The risk assessment of all the identified risks and threats within this organization of ANSTO is as follows:

Serial Number	Identified Threats or Risks	Impact of the Identified Risks
1.	Social Engineering Attacks	Medium
2.	Disclosure of Passwords	High
3.	Accessing of Network	High
4.	Errors in the Maintenance of Hardware	Low
5.	Human as well as Natural Disasters	Medium
6.	Destruction of Confidential Records	Extreme

Table 1: Risk Assessment of the Identified Risks of ANSTO

Conclusion

Therefore, from this above report, a conclusion can be drawn that the information security can be described as the distinct set of several strategies, which help in managing the various processes, policies as well as tools that are solely needed for the proper exposure, prevention, countering and finally documenting the probable threats to any type of digitalized or non digitalized organizational confidential information. A proper process of risk management is being conducted, by which the threats as well as vulnerabilities could be continuously assessed for applying protective controls. The above research report has clearly outlined a brief discussion on the organization of ANSTO regarding its security program. Various details such as threat identification, ISO security standards, and current roles of the security personnel are provided in this particular research report. Moreover, the suitable security model is also chosen here and the suitability of the certification is determined properly. Relevant recommendations are also provided in this research report for improving the entire security structure of the ANSTO.

References

Ab Rahman, N.H. and Choo, K.K.R., 2015. A survey of information security incident handling in the cloud. Computers & Security, 49, pp.45-69.

Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.

Andress, J., 2014. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.

Recommendations for Improving Security Program for ANSTO

Ansto.gov.au. 2018. ANSTO | Australia’s Nuclear Science and Technology Organisation. [online] Available at: https://www.ansto.gov.au/  [Accessed 18 Oct. 2018].

Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & management, 51(1), pp.138-151.

Cardenas, A.A., Manadhata, P.K. and Rajan, S.P., 2013. Big data analytics for security. IEEE Security & Privacy, 11(6), pp.74-76.

Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R., 2013. Future directions for behavioral information security research. computers & security, 32, pp.90-101.

Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(02), p.92.

Kolkowska, E. and Dhillon, G., 2013. Organizational power and information security rule compliance. Computers & Security, 33, pp.3-11.

Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. Auerbach Publications.

Parsons, K., McCormac, A., Butavicius, M., Pattinson, M. and Jerram, C., 2014. Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Computers & Security, 42, pp.165-176.

Peltier, T.R., 2013. Information security fundamentals. CRC Press.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.

Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T., 2015. Information security conscious care behaviour formation in organizations. Computers & Security, 53, pp.65-78.

Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.

Shropshire, J., Warkentin, M. and Sharma, S., 2015. Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers & Security, 49, pp.177-191.

Singh, G., 2013. A study of encryption algorithms (RSA, DES, 3DES and AES) for information security. International Journal of Computer Applications, 67(19).

Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.

Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing information security policy compliance: a systematic review of quantitative studies. Information Management & Computer Security, 22(1), pp.42-75.

Tamjidyamcholo, A., Baba, M.S.B., Tamjid, H. and Gholipour, R., 2013. Information security–Professional perceptions of knowledge-sharing intention under self-efficacy, trust, reciprocity, and shared-language. Computers & Education, 68, pp.223-232.

Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. computers & security, 38, pp.97-102.

Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & security, 44, pp.1-15.

Xu, L., Jiang, C., Wang, J., Yuan, J. and Ren, Y., 2014. Information security in big data: privacy and data mining. IEEE Access, 2, pp.1149-1176.

Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 232, pp.482-500.