The following is a sample paper, The Importance of Information Security Management, provided for reference. The paper discusses the importance of information security management. Its information security management policy should be implemented across the different departments of an organization to ensure the overall effectiveness of the policy. From the perspective of the human resources department, promoting the information security management policy is very important: human capital is often an enterprise's largest resource, and employees' security awareness and professional quality are especially important to the enterprise. Beyond human resources, the policy is equally important to the legal department. For an organization, information security policies and regulations should be reasonable and lawful, and the information security management department needs to cooperate with the legal department to communicate about incident handling issues.
ABSTRACT
In the globally integrated business environment, enterprises are becoming more and more dependent on information devices and information systems. Information systems have found a wide range of applications in business and government organizations. Because this growing dependence on information systems adds to the operational risk, benefits and opportunities of the business, information security management is becoming more and more critical to enterprise management. Senior management needs to ensure that information technology is aligned with enterprise strategy.
In the real world, however, any system is a series of complex links. Security measures must extend to every part of the system, including parts that even the system designers, implementers and users are not aware of. It is widely believed that information security is a problem that government and enterprises must face jointly, because more and more cyber attacks and network incidents have occurred in recent years. In addition, while government departments and enterprises recognize the benefits of information systems, they should also protect themselves against the inherent risks of using them.
This report focuses on the importance of information security management by addressing the importance of several factors, including policy, risk analysis, disaster/incident response and business continuity planning.
1.0 Introduction
With the rapid development of network technology and information technology, the cyber environment is becoming less and less safe. In recent years, a large number of hackers have broken into personal computers to obtain enterprise information and have sold that information to illegal organizations for profit. Currently, more and more enterprises depend on information technology and information systems to obtain competitive advantage (Boyle & Panko 2014, p.2). Protecting the IT infrastructure and information systems is therefore very important to achieving information security management. Information security management refers to protecting information assets by maintaining the confidentiality, integrity and availability of information; it is a series of activities and processes that guide the management of information security. Information security management includes the management of information security risk, of information security itself, of facility security and of operational security. This report discusses the importance of information security management by analyzing the importance of factors such as planning and policy, risk management, and incident and disaster response within corporations.
2.0 Planning and Policy
2.1 The importance of compliance laws and regulations
According to Boyle and Panko (2014, p.65), compliance laws and regulations are the most important driving factors in ensuring security for enterprises. In particular, an enterprise's information security management measures and documentation need to follow the laws and regulations relevant to information security, such as Sarbanes-Oxley. The Sarbanes-Oxley Act was enacted in 2002, and its aim is to eliminate corporate fraud and abuse (Zhang 2007, p.78). The act makes security central and requires corporations to have an appropriate internal control system to maintain financial and auditing security, because financial security is critical to listed companies (Boyle & Panko 2004, p.65). The act states that without proper security control functions, senior management cannot legitimately sign the financial statements (Linck & Yang 2009). When managers comply with the act, security management is substantially put into practice within the organization, because the organization must examine its financial processes in detail (Koehn & Del Vecchio 2004). Once the processes are examined, financial weaknesses and security issues may be exposed, and the corporation will be forced to enhance its security measures. Therefore, compliance with laws and regulations is very important for organizations implementing information security management.
2.2 The importance of information security management within organizations
The information security management policy should be implemented across the different departments of an organization so as to ensure the overall effectiveness of the policy. From the perspective of the human resources department, it is very important to promote the information security management policy. Human capital is often the most important resource of an organization, so employees' security awareness and professional quality are especially important for enterprises (Williams 2011). According to ISO 17799, human resource security begins prior to employment. This means that security training, such as job responsibility descriptions and facility operation manuals, should be carried out before employment so as to reduce the risk of information theft and misuse of devices (Boyle & Panko 2014, p.75). In addition to human resources, the policy is equally important to the legal department. For organizations, information security policies and regulations should be reasonable and lawful. It is necessary for the information security management department to cooperate with the legal department to communicate about incident handling issues (Boyle & Panko 2014, p.75). For auditing departments, it is also especially important to communicate with the security management departments, because auditors need to check the organizational units and financial processes so as to achieve effective and sufficient control of the organization.
2.3 The importance of risk analysis
In terms of information security management, the most important management activity is risk control. Organizations need to take many risks into consideration, such as political risk, economic risk, internal risk, business operation risk and so on (Kasperson 1988). Risk analysis for information security means comparing the possible losses with the potential costs of information security management and risk control (Boyle & Panko 2014, p.81). This indicates that it is not meaningful to spend several million dollars to protect computers worth $5,000. Therefore, risk analysis is quite important, because enterprises need to balance benefits and costs when implementing information security protection. Although most enterprises have professional experts to deal with risk, not all risks can be completely avoided and eliminated (Boyle & Panko 2014, p.81). For example, the IT experts within an organization are responsible for reducing the risk of hacker attacks and protecting information security. However, enterprises also face other risks, such as business operation failure, policy risk and so on. These risks are difficult for managers to predict and eliminate. Therefore, the goal of the organization is to manage risk and keep it at a reasonable level. Reasonable risk means that enterprises cannot absolutely guarantee the availability, security and confidentiality of information, because theft exists (Boyle & Panko 2014, p.81), and no society or organization can completely eliminate such theft. Therefore, organizations should pay more attention to reasonable risk when carrying out risk analysis. In addition, too much protection and security also means lower efficiency and slower business operation within an organization.
An obvious example is that when employees must set a long and complex password to log in to their computers and open important documents, time is spent and work efficiency is obviously lower. At the same time, employees' morale is affected and frustration is produced. Last but not least, security protection imposes large costs on enterprises, because purchasing more secure devices and systems may be more expensive, and the labour to operate these devices is also not cheap (Boyle & Panko 2014, p.82). In view of these factors, the goal of risk analysis is to arrive at a reasonable level of risk.
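The comparison of possible losses with control costs described in this section is usually carried out with annualized loss expectancy (ALE): single loss expectancy (asset value times exposure factor) multiplied by the annualized rate of occurrence, with a control judged worthwhile only when the ALE it removes exceeds its own annual cost. The report does not give this calculation, so the following is an added worked example, not the report's or the cited authors' code; the asset, threat and control names and all dollar figures are constructed for illustration. It reproduces the report's point that a multi-million-dollar control for $5,000 worth of computers is rejected, and that when no control pays for itself the remaining loss is accepted as the reasonable residual risk.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # asset value (AV) in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of asset value lost per occurrence (0..1)
    annual_rate: float      # ARO: expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # purchase amortized over its life plus operating labour
    residual_ef: float      # EF remaining once the control is in place
    residual_rate: float    # ARO remaining once the control is in place


def annual_loss_expectancy(asset: Asset, ef: float, aro: float) -> float:
    """ALE = SLE * ARO, where SLE = AV * EF."""
    single_loss = asset.value * ef
    return single_loss * aro


def control_value(asset: Asset, threat: Threat, control: Control) -> float:
    """Net annual benefit: ALE before minus ALE after minus the control's annual cost."""
    before = annual_loss_expectancy(asset, threat.exposure_factor, threat.annual_rate)
    after = annual_loss_expectancy(asset, control.residual_ef, control.residual_rate)
    return before - after - control.annual_cost


def select_control(asset: Asset, threat: Threat, controls: list[Control]) -> tuple[Optional[Control], float]:
    """Pick the control with the largest positive net value.

    Returns (control, residual ALE). A None control means no candidate pays for
    itself, so the full ALE is accepted as reasonable residual risk.
    """
    best: Optional[Control] = None
    best_value = 0.0
    for c in controls:
        v = control_value(asset, threat, c)
        if v > best_value:
            best, best_value = c, v
    if best is None:
        return None, annual_loss_expectancy(asset, threat.exposure_factor, threat.annual_rate)
    return best, annual_loss_expectancy(asset, best.residual_ef, best.residual_rate)


# Constructed sample data: a $5,000 batch of workstations, as in the report's example.
WORKSTATIONS = Asset("branch workstations", 5_000.0)
MALWARE = Threat("malware infection", exposure_factor=0.5, annual_rate=2.0)    # ALE 5,000
THEFT = Threat("physical theft", exposure_factor=1.0, annual_rate=0.25)        # ALE 1,250

MALWARE_CONTROLS = [
    Control("endpoint anti-malware", annual_cost=300.0, residual_ef=0.5, residual_rate=0.5),
    Control("isolated hardened enclave", annual_cost=2_000_000.0, residual_ef=0.0, residual_rate=0.0),
]
THEFT_CONTROLS = [
    Control("24x7 security guard", annual_cost=20_000.0, residual_ef=0.0, residual_rate=0.0),
]


def demo() -> dict:
    """Run both scenarios and return the decisions for inspection."""
    chosen, residual = select_control(WORKSTATIONS, MALWARE, MALWARE_CONTROLS)
    accepted, accepted_ale = select_control(WORKSTATIONS, THEFT, THEFT_CONTROLS)
    return {
        "malware_control": chosen.name if chosen else None,   # 'endpoint anti-malware'
        "malware_residual_ale": residual,                     # 1250.0
        "theft_control": accepted.name if accepted else None,  # None: accept the risk
        "theft_residual_ale": accepted_ale,                   # 1250.0
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The $2,000,000 enclave removes all malware loss but its net value is 5,000 - 0 - 2,000,000, so it is never chosen; the $300 anti-malware control returns a net 3,450 per year and is selected. For theft, the only candidate costs far more than the $1,250 ALE, so the function returns no control and the organization carries that loss as residual risk.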
3.0 The Importance of Incident and Disaster Response
3.1 Importance of business continuity planning
Business continuity planning is defined as a series of business measures and operational processes that help an organization respond rapidly to incidents and disasters (Von Solms 2014). Business continuity is defined as the ability of a company to maintain its daily business operation normally, without interruption, when facing risks and incidents (Tipton & Nozaki 2012). Providing business continuity for important enterprise applications and processes should cover the following three aspects. First, business continuity planning should meet the requirement of high availability. High availability refers to the ability to keep accessing an application in the event of a local failure, whether of a business process, a physical facility, or IT hardware or software (Tipton & Nozaki 2012). Second, continuous operation is an important part of business continuity planning; it is defined as the organization's ability to keep its business running continuously even when no device has failed (Von Solms 2014). Users do not need to stop work simply because of routine backup or maintenance. Third, business continuity planning should include disaster recovery, which means the ability to recover data at different sites and locations when a disaster such as a fire destroys the production centre.
After the business continuity plan is set up, the plan should not be put aside. To make sure the plan remains realistic, managers need to treat it as a living document. If the enterprise's business model has changed, or a business process has been redesigned, the old plan needs to be updated in a timely manner. Whenever there is a change, every employee should ask how the change affects their part of the business continuity plan.
Society's dependence on the network is deepening. The traditional backup-and-recovery type of security plan can no longer guarantee the continuous operation of enterprise business. Business continuity planning arose in response, and it is based on business processes rather than on technology, which helps build a more capable security management system as a whole. According to Saint-Germain (2005), if an enterprise's large data centres and information infrastructure stop running for more than 10 days, more than thirty percent of such companies collapse within a quarter and close to 90 percent of the businesses fail within a year. According to Travelers (2016), natural disasters are becoming more and more common and the cost of recovery is increasingly higher. The Travelers study shows that 90 percent of the world's 10 major natural disasters in 2012 happened in the US, with losses reaching almost $80 billion, and that insured losses from natural disasters in 2014 reached $100 billion. A positive example is Walmart's business continuity planning. Walmart has been committed to establishing disaster response departments to ensure the continuity of its business when a disaster occurs. When Hurricane Katrina struck in 2005, Walmart successfully kept its business operating through its thorough business continuity planning, which minimized its losses during the disaster period (Boyle & Panko 2014). It is therefore necessary for corporations to spend substantial money on business continuity planning to ensure business continuity.
3.2 Importance of detection, analysis and escalation according to plan
Timely and effective detection of incidents and disasters is very important to the organization. Without detection of potential incidents and disasters, enterprises lack the basis for making a targeted and detailed business continuity plan. In general, different incidents and disasters require different emergency treatment and different means of rapidly recovering business operation. For example, a small incident may require fewer resources, both financial and labour, and involve fewer departments and personnel than a disaster. This means that fewer resources need to be allocated under the business continuity plan for such incidents than for natural disasters.
In order to create an effective and realistic business continuity plan, analysis of the business processes is very important. An organization's continuous and integrated operation cannot be separated from its major processes, such as production and sales processes as well as marketing and accounting processes (Boyle & Panko 2014). Managers first need to identify the most important departments and business processes. At the same time, the relationships between the different business operation processes should be well understood by employees. Once an incident or disaster occurs, the organization should respond rapidly to protect the business processes and ensure quick recovery according to the business continuity plan. In addition to identifying the key business departments and business processes, enterprises need to analyze and evaluate the resources they are able to allocate to each process. Because an organization's resources are limited, it is necessary to allocate the key resources to the important business processes to ensure rapid recovery from disasters. Last but not least, precise actions and sequences based on the business continuity plan should be carried out. Successful implementation of the plan depends mainly on detailed action steps and action sequences (Boyle & Panko 2014). For example, Walmart laid out detailed action steps for the hurricane disaster, such as obtaining cleanup supplies and distributing personnel to individual stores to ensure security. Based on these ordered actions for dealing with natural disasters, Walmart kept its business operating during the disaster period. Therefore, it is very important to follow the specified actions and sequences when addressing incidents and disasters.
In addition to analyzing the business processes, enterprises should also continuously test and update the business continuity plan. First of all, testing the plan is important. Without effective testing, the business continuity plan is very likely to be ineffective when a natural disaster strikes. Testing can be carried out by communicating with the various departments and by learning lessons from other, external businesses. In fact, testing may be more difficult for natural disasters than for incidents, because natural disasters have a larger impact on the organization. Managers also need to continuously update and escalate the business continuity plan, because the business environment and structure may change frequently (Boyle & Panko 2014). When new business activities and projects are started within the organization, or new business departments are set up, managers need to determine whether the continuity of the new business should be included in the plan. If the new businesses are critical to the overall business and organization, managers should update the business continuity plan to address them.
4.0 Conclusion
In conclusion, this report has discussed the importance of information security management by addressing the importance of compliance laws and regulations and of incident and disaster response. Compliance laws and regulations define which security requirements a corporation must respond to. The Sarbanes-Oxley Act requires an organization to examine its financial reporting processes to remove weaknesses and adopt security measures. Security management departments must cooperate closely with other departments such as the auditing, human resources and legal departments. Risk analysis is also important for organizations. It is impossible to eliminate all risks; the goal of the organization is to reach a reasonable level of risk. Incident and disaster response is equally important for organizations. A rapid response system for incidents and disasters can ensure business continuity, and therefore business continuity planning is very important. Following the plan, the organization should detect and analyze incidents in a timely manner and update the plan so that the business continuity plan does not go out of date.
References
Boyle, R. J., & Panko, R. R. (2014). Corporate computer security. Prentice Hall Press.
Koehn, J. L., & Del Vecchio, S. C. (2004). Ripple Effects of the Sarbanes-Oxley Act. The CPA Journal, 74(2), 36.
Kasperson, R. E. (1988). The social amplification of risk: A conceptual framework. Risk Analysis, 8(2), 177-187.
Linck, J. S. & Yang, T. (2009). The effects and unintended consequences of the Sarbanes-Oxley Act on the supply and demand for directors. Review of Financial Studies, 22(8), 3287-3328.
Saint-Germain, R. (2005). Information security management best practice based on ISO/IEC 17799. Information Management, 39(4), 60.
Tipton, H. F., & Nozaki, M. K. (2012). Information Security Management Handbook, Volume 6. Auerbach Publications.
Von Solms, B., & Von Solms, R. (2014). The 10 deadly sins of information security management. Computers & Security, 23(5), 371-376.
Williams, P. (2011). Information security governance. Information security technical report, 6(3), 60-70.
Zhang, I. X. (2007). Economic consequences of the Sarbanes–Oxley Act of 2002. Journal of Accounting and Economics, 44(1), 74-115.
Travelers. (2016). Why is Business Continuity Important? Retrieved June 14, 2017, from <https://www.travelers.com/resources/busienss-continuity/why-is-business-continuity-important.aspx>.