Selling an Information Security Policy
Network attacks are continuing to rise. It is critical for the organization to have an effective Information Security Policy in order to reduce the chances of becoming a victim. In 2013, experts saw network attacks of up to 50 Gbps, which resulted in an average cost of $32,469 per day to businesses. The average number of days to recover was 32 days, which brought costs up to $1,035,769 per attack. Thus far, 2014 network attacks have shattered 2013’s record, with attacks averaging 200-400 Gbps in intensity. These figures are quite alarming when you consider that this is an estimate or average for a single attack. It is important to remember, when dealing with information security, that there are many types of attacks and threats, such as viruses, worms, malware, and spam. These attack both networks and systems, disrupting operations and reducing productivity.
Some threat types can go undetected for a long period, as with data theft. When faced with data theft, it may be difficult, if not impossible, to put a dollar figure on the damage caused. Data theft is a real threat to the functionality and existence of the business. Data theft can result in costly legal expenses as well as tarnishing the business’s reputation. An effective information security policy is crucial to reducing the damages and costs should the organization be attacked. The information security policy contains several sections, including an overview, purpose, scope, target audience, and policies.
The overview and purpose of the policy are contained within the introduction of the information security policy. Not only does it provide background information on the issues that the policy addresses, but it ...
... middle of paper ...
...policy guide: why you need one, what it should convey, and how to implement it. Retrieved from http://www.instantsecuritypolicy.com/Introduction_To_Security_policies.pdf
Prolexic. (2013, July 17). Average packet-per-second and attack bandwidth rates rise 1,655 percent and 925 percent respectively according to Prolexic's latest DDoS attack report. Retrieved from http://www.prolexic.com/news-events-pr-significant-increases-in-average-attack-bandwith-and-packet-per-second-rates-q2-2013-report.html
Smith. (2013, October 09). [Web log message]. Retrieved from http://www.networkworld.com/community/blog/most-costly-cybercrime-attacks-denial-service-malicious-insider-and-web-based
The SANS Institute. (2009, January 26). The business justification for data security. Retrieved from https://www.sans.org/reading-room/whitepapers/dlp/business-justification-data-security-33033
A policy plays an important role in any organization. A policy outlines a set of rules and procedures that all employees must adhere to; information security policies are important because they help limit the risks associated with employees’ use of information assets.
Whitman, M. E., & Mattord, H. J. (2011). Principles of information security. Boston, Mass: Thomson Course Technology.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish the roles and responsibilities of all personnel and staff members. In addition, a Chief Information Officer should be appointed to direct the organization’s day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for ensuring that all of the rules and policies are being followed, as well as for understanding their roles, responsibilities and functions. Organizations’ information processing systems are vulnerable to many threats that can inflict various types of damage and result in significant losses (Harris, 2014). Losses can come from the actions of trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
Development of privacy policies: Privacy and security policies and procedures must be adopted and enforced, including action items in the event of a breach.
Problem Statement: In the United States, the Information Technology Sector has shown increased reliance on computer systems, which are linked to almost all of its vital infrastructures. Today, however, there is growing concern regarding diverse cyber security threats, which are directed towards
Recognizing the increasing use of computers by federal agencies, and the vulnerability of computer-stored information, including personal information, to unauthorized access, the Computer Security Act was enacted in 1987. Addressing this immediate issue, the Act provided for improving the security and privacy of sensitive information in federal computer systems. Several agencies held overlapping responsibilities for computer security, which inspired a legislative response through the Act (IT Law). It was an immediate concern to decide how best to control information in computerized or networked form, and whether any further response would be necessary.
As electronic commerce, online business-to-business operations, and global connectivity have become vital components of a successful business strategy, enterprises have adopted security processes and practices to protect information assets. But if you look at today's computing environments, system security is a horrible game of numbers: there are currently over 9,223 publicly released vulnerabilities covering known security holes in a massive range of applications, from popular operating systems through to obscure and relatively unknown web applications. [01] Over 300 new vulnerabilities are being discovered and released each month. Most companies work diligently to maintain an efficient, effective security policy, implementing the latest products and services to prevent fraud, vandalism, sabotage, and denial of service attacks. But the fact is that you have to patch every hole in your system, while an attacker need find only one to get into your environment. Whilst many organisations subscribe to major vendors' security alerts, these are just the tip of the security iceberg, and even these are often ignored. For example, the patch for the Code Red worm was available some weeks before the worm was released. [02]
Whitman, M., & Mattord, H. (2011). Reading & cases in information security: law & ethics. (2011 custom ed., p. 264). Boston, MA: Cengage Learning.
Within the last decade, the internet has proven to be the most efficient way to complete tasks in today’s society. Every major business in today’s society relies on the internet to conduct business. Though the internet is a useful tool, our reliance on it opens the door to cyber-attacks that can be detrimental to a business as a whole. One example of a cyber-attack that has recently become more prevalent is the DDoS attack. Recently, DDoS attacks have been a rising issue for business owners who run their own servers, such as video game companies and other high-profile web servers, including banks and other credit card payment gateways.
Kabay, M. E., & Robertson, B. (2009). Security policy guidelines. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (5th ed.). New York, NY: John Wiley
Not having an in-depth knowledge of computer systems or networks and their inner workings, my opinion would be that Denial of Service attacks could have the greatest impact on disrupting business on a global platform from the listed items. While each type of attack offers a different form of threat for the cyber world, the Denial of Service attack stands out because of its ability to halt major institutions, which aid in a global economy. The Denial of Service type of attack is where an adversary utilizes several computers, sometimes upwards of a thousand, often referred to as zombies or botnets, which are computers capable of carrying out nefarious acts without the user knowing. This in turn generates heavy amounts of traffic to a website, which can slow down or crash the selected site (Gal, Herzberg, & Keidar, 2007, p. 1). This type of attack can have a tremendous impact on an individual business by causing loss of revenue, loss of service to customers, and damage to the business’s reputation, causing customers to flee towards the business’s market competitors.
The ability to conduct warfare through technological methods has increased information security awareness and the need to protect an entity’s infrastructure. Consequently, cyber warfare produces increased risk for security practitioners who employ technology and other methods to mitigate risks to information and the various systems that hold or transmit data. A significant risk to information lies in the conduct of electronic commerce, hereinafter called e-commerce. E-commerce is the purchasing or selling of goods and/or services through the internet or other electronic means (Liu, Chen, Huang, & Yang, 2013). In this article, the researcher will discuss cyber warfare risks, present an evaluation of established security measures, identify potential victims of identity theft, and present an examina...
Without proper protection, any part of any network can be susceptible to attacks or unauthorized activity. Routers, switches, and hosts can all be violated by professional hackers or company competitors. In fact, according to several studies, more than half of all network attacks are waged internally. To determine the best ways to protect against attacks, we should understand the many types of attacks that can be instigated and the damage that these attacks can cause to data. The most common types of attacks include Denial of Service (DoS), password, an...
Johnson, B. R. (2005). Principles of Security Management. Upper Saddle River, NJ: Pearson Prentice Hall.
The first thing that we must consider about Information Security is that there is no final destination at which we can arrive. IT Security is an ongoing set of processes and activities that requires attention and expertise on a daily basis. It is important to understand that systems are not secured by themselves; it is our responsibility to maintain and improve them periodically as required. It is of vital importance to establish the appropriate mechanisms and requirements in order to support the company’s CIA triad. The following report provides guidance on auditing and hardening techniques applied through the 7 Domains by utilizing IT Security Best Practices.