Information security teams, from the top down, should be capable of working collaboratively with business units: participating on strategy committees, assessing business objectives, presenting risk analyses, and reporting common accomplishments in recognition of common objectives. The premise that security relies on people is well founded, and it is understood that security is a necessary part of daily business. Information technology directors' interactions with users, administrators, and management define how well they are doing their jobs and how well they are running their information security programs.
For the organizational structures that deal with it, information security is business intelligence. “Properly used information security information from Security Information Management systems, collation systems, and other management systems is all valuable to the business because it allows the security department to move assets around depending on the needs of the business in regards to what techniques and processes are being used to attack it. This can reduce costs by allowing for the efficient use of personnel on day to day issues, and provide al metrics on how many people are trying to really attack the company” (Cooley, 2007).
To create an effective administrative, technical and physical security plan that will protect information you must evaluate your electronic and physical methods of accessing, collecting, storing, using, transmitting, protecting, and disposing of your electronically stored data. To protect a network against unauthorized access you want to first identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of information. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the data that is being stored.
Also, it is imperative to evaluate the efficiency of existing policies, procedures, data systems, and other safeguards in place to control risk. The action steps to accomplish these tasks are the following. Appoint a specific person within the firm to be responsible for initial implementation of the plan, training of employees, regular testing of the controls and safeguards established by the plan, and evaluating the ability of prospective service providers to maintain appropriate information security practices, ensuring that such providers are required to comply with this information security plan, and monitoring.
Periodically evaluate and adjust the plan as necessary, in light of relevant changes in technology, sensitivity of data, reasonably foreseeable internal or external threats to the firm's data, changes to the business (such as mergers, acquisitions, or outsourcing), and changes to the computer systems.
Determine reasonably foreseeable internal threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or information systems, assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information, and evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks.
Determine reasonably foreseeable external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or information systems, assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information, and evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks.
Information technology security is often the challenge of balancing the demands of users against the need for data confidentiality and integrity. For example, allowing employees to access a network from a remote location, like their home or a project site, can increase the value of the network and the efficiency of the employee. Unfortunately, remote access to a network also opens a number of vulnerabilities and creates difficult security challenges for a network administrator.