Challenges in creating an effective security model 1
Risk Profiling 4
Risk Profile Evaluation 5
Risk Profile Analysis 7
This paper sheds a light on the concerns of risk management in an organization and it necessity. Security is essential when it comes to the sharing and storing of information in a company because due to the increase of activities related to hacking and leaking of critical data, an organization has to safeguard the information that goes through the company to protect the interests of the company and its customers. Risk Management is perceived as a comprehensive process which requires the input from all the areas of the organization. Risk management is an activity of broad scope which deals with risk from a strategic level to the operational level in the organization. Information security in particular has become a crucial factor for companies to analyze and practice as a measure to observe quality for an organization. (U. S. Department of Commerce, 2011)
This paper will also delve into the particulars of the risk management process which is to be observed in the risk management activity in a company while also analyzing the challenges that arise in developing information security. A business scenario of a small company will be created in which the transmission and storage of information will be discussed by evaluating its risk profile in reference to the information security aspects. This is done to protect the information which is being used and stored by a company to safeguard the privacy and interests of the company and its customers or clients.
CHALLENGES IN CREATING AN EFFECTIVE SECURITY MODEL
In the current business scenario, organizations handle data in an advanced manner by digitally recording and storing data. It is essential to protect that data from threats which can lead to the leaking and exploiting of data putting the interest of the company and clients into jeopardy. To construct a barrier for protect the information of the organization, the application of information security is very crucial. To adapt information security in a compact, it is required to bring a change in the thinking of people inside the organization. There are a myriad of challenges faced in the adaptation of information security in the organization.
Increasing perception within an organization
It is essential to provide a deep insight to the people of the company regarding the need for information security in an organization. The first step would be to determine the exact security needs of an organization depending on its type and nature of data involved. The objective behind the application of information security measures is also to enable awareness regarding information security and its benefits among companies. (Johnson & Goetz, 2007)
The aspect of behavior is directly related to how company officials view matters of information security. If concerns regarding information security are raised, it can help to generate a clear impact about information security. This change is behavior is difficult but necessary to change the perspective of business people and propagating information security.
Associating with globalization
In a company regardless of the company being big or small, it is important that the security measures are strong and parallel in effectiveness over the globe as the data is to be made accessible everywhere at times within the company. At times only company personnel in a single unit understand the risks but there is also necessary that people in all the units of the company should recognize security needs.
Safeguarding Intellectual Property
The protection of the intellectual property within the organization at a global level has become one of the greatest concerns. It is essential when the information is shared with multiple divisions and units in a global organizations. Also when data interchange is done through mobile devices it becomes a greater challenge to protect the data. The protection of intellectual property remains at its highest level when the data being interchanged is data of entertainment which is copyrighted. (SMITH & SPAFFORD, 2004)
Covering Technology as well as Security
The typical role of firms providing security tools is to supply companies with security technology but in the current scenario, there is an increasing demand of services like policy development, governance solutions, and consultancy regarding security issues. (Goetz & Johnson, 2006)
Expansion accompanied with Security
In the time of expansion in an organization, maintaining security is one of the foremost concerns. The challenge here is to maintain the same level of security even after expanding the operations of the company. The challenge arises through the introduction of new systems after acquisitions. (SMITH & SPAFFORD, 2004)
Complying with legal rules and regulations
Many organizations find it difficult to maintain compliance with government laws and regulations as well as industry standards. Government standards include compliance with health standards or other acts like Sarbanes Oxley Act. It becomes an added challenge for companies which are expanding their operations overseas to maintain compliance with new rules and regulations.
Funding improvement with tight budgets
In certain organizations facing budget cuts, it is difficult to maintain security systems during crisis which requires an insight about information security. The insight should include reasons why security is important all the time and should be considered while budgets. This is a critical challenge as in situation of budget cuts, the funding is limited but the threats that are to be dealt with remain the same. This leads to the point of decision regarding how much security is enough to deal with the amount of threats. (Goetz & Johnson, 2006)
The company in consideration is a consulting firm which provides consultancy services regarding ERP systems and its installation. The firm also provides troubleshooting help regarding ERP systems when required. This firm deals with organizations and which includes the give and take of a long range of data regarding the clients which are companies. This data includes information about the company’s systems which is very sensitive data. It can also possess data about the login credentials as it needs it for troubleshooting purposes. It is bound not to provide the data to anybody not authorized but storing sensitive data requires information security.
For determining the amount and nature of risk associated with the operations of the company, creating a risk profile is essential. This risk profile will cover the type of risks like legal risks, financial risks, marketing risks, and risks associated with productivity. The resulting impact to these areas causes related actions. (European Network and Information Securty Agency, 2007)
Risk Area Impact
Legal rules and regulations Non-Compliance and resulting legal actions
Productivity Decline in productivity
Finance Event of financial loss or instability
Reputation (Brand Image) Direct or indirect impact to brand image causes brand image to depreciate
RISK PROFILE EVALUATION
Risk Area High Medium Low
Legal and Regulatory Business handles data of sensitive nature about the clients which includes their technical specifications and login details Business handles data of sensitive nature of technical information of customer’s computer system. Business just possesses data regarding no. of units and no. of employees.
Productivity Business has above 100 employees working who require access to services. Business has 50 employees working who require access to services Business has less than 20 employees which require access to services.
Financial Stability Yearly revenue exceeds 10 million AED Yearly revenues are between 1 to 5 million AED Yearly revenues do not exceed one million AED
Marketing More than 50% of the customers have access to online services Less than 10% of customer base has online access. If the service is not available online then it is not an issue.
RISK PROFILE ANALYSIS
The consultancy firm faces high amount of risk in the areas of legal rules and regulations due to the nature of data being handled by the business. This data contains the no. of systems in the client’s business units, their technical specs, and login details of certain clients for troubleshooting needs which needs to be protected for security reasons. In the area of productivity, the business faces a medium amount of risk as there are around 50 employees working who require access to services which puts the rate of productivity risk to a moderate level.
In the area of finance, the business has yearly revenue of around 2-3 million AED which puts the amount of risk to a moderate level. All the customers affiliated with the business are provided access to online services for troubleshooting purposes. This projects a high risk factor as the brand image depends on the availability of the online services. On an overall outlook, the business faces a high to moderate risk in considering all the factors of the business.
Taking this level of risk into consideration, the business requires information security services and technologies to protect the information. This will be a factor of quality and it can be a selling factor for the business. It is essential to protect the sensitive data of the client providing a sense of security and if the technology employed is effective than the level of security will not affect the performance of their online availability.
European Network and Information Securty Agency. (2007). Risk Management & IT Security for Micro and Small Businesses. IAAITC.
Goetz, E., & Johnson, M. E. (2006). Embedding Information Security Risk Management into the Extended Enterprise. Dartmouth: Glassmeyer/McNamee Center for Digital Strategies.
Johnson, M. E., & Goetz, E. (2007). Embedding Information Security into the Organization. Dartmouth: THE IEEE COMPUTER SOCIETY.
SMITH, S., & SPAFFORD, E. H. (2004). Grand Challenges in Information Security:Process and Output. THE IEEE COMPUTER SOCIETY.
U. S. Department of Commerce. (2011). Managing Information Security Risk. Gaithersburg: National Institute of Standards and Technology.