Protection Of Information Assets Sample Essay

Introduction

Protecting information assets is a critical part of managing a business, since it underpins both day-to-day operations and business continuity. Any threat to the security of electronic or computerized information, or to the processes that handle it, is a direct threat to the quality of the business’s results (Boran, 1999). Such threats can be reduced to an acceptable level, or eliminated, by logical controls, physical controls, or a combination of both, depending on the company’s security arrangements (Cliff, July 2001). Physical protection restricts physical access to the places where information resources (computers) are kept, by limiting entry to the building and to the specific rooms that house the equipment (12). Experience shows, however, that protecting those areas physically is never sufficient on its own to keep information confidential. It is therefore important to put in place logical protection that gives adequate, secure control over information and so enforces the confidentiality of sensitive company data. It falls to the systems administration team to ensure that every physical and logical aspect of information security is in place, at least to the minimum standard the company requires.

The first requirement for adequate logical and physical protection is that the company identify, in order of priority, the information that most needs protecting (Cliff, 2001). This is done by critically analysing the possible threats and the impact each would have on the running of the information system. Calculating the different risks then ensures that every security issue is noted and prioritized (Granger, 2002). According to Gallegos (2005), system management teams should also keep a few critical points in mind when dealing with information protection:

  • Keep it simple, especially when an issue seems complicated, since such scenarios are unlikely to have a serious effect and are very expensive to address.
  • Set up a minimal, coherent security management system rather than an overly complicated one, and avoid heavy reliance on external factors, since such reliance may compromise privacy.
  • Use tested methods of protection, which are easy to evaluate (41).

Physical Access and Threat

Any business that relies on computers to store information is exposed to physical threats of every kind, and protecting the information on those computers takes more than a password and an antivirus installation, whatever some people may be led to believe. An intruder who gains access to a computer or computer system can damage its functioning by altering or replacing a component, planting damaging programs such as a Trojan horse, or changing the machine’s settings, and can obtain specific security numbers that undermine the security of the whole information system (Granger, 2002). Granger advises that critical communication links such as switches and routers must be protected at all costs. It is therefore logical to regard physical protection as the first and most critical form of protection that every company should observe. The physical location, layout, design and set-up of the facility determine the level of access and how easily it can be monitored (16).

Beyond attacks by intruders and hackers, and errors by the employees themselves, physical threats to information systems also include natural disasters such as water, fire and electricity failures, and many other environmental mishaps. Many information security experts believe that most information security incidents such as fraud, sabotage and theft result from the actions of the companies’ own employees (Micki & Harold, 1997). However, according to a survey conducted by SearchSecurity.com (2002), many problems are in most cases caused accidentally, by human error or by plain mistakes on the part of unauthorized users. The survey, carried out in 2001, found that many respondents named human error as the most probable security risk, and, more worryingly, ranked it the most difficult aspect of information security to enforce. As the report says, “some see the typical computer criminal as a non-technical authorized user of the system who has been around long enough to locate the control deficiencies and use them to cut corners, or it may be plain accidental errors or people not affiliated to the company or intruders trying to exploit deficiencies in the security system to commit harm against the business” (29). Physically restricting employees’ access to such locations can complicate matters. So how can a company enforce such a policy without jeopardizing its general operations?

Natural disasters, as mentioned earlier, are another physical threat to information security. As illustrated by ISACA (2001), fire, electricity, lightning, water, earthquakes and other environmental disasters are among the common natural hazards that challenge information security management. Fire, depending on its intensity, can cause damage ranging from a single system to the whole building. Water, mist, gases and smoke can all be disastrous to the operation of computer systems (6). Electrical faults can result from frequent power interruptions that interfere with general business operations and, at worst, cause a fire that leads to an unexpectedly large catastrophe (11).

Control of physical access

Physical protection of information involves physically restricting access to resources in order to prevent accidental or intentional damage to computer systems, storage devices, microcomputers, computer terminals and other communication equipment (Singleton, 2006). The first step is to assess the condition of the company’s present security structure. The details to cover include: the entire building, office doors, desks and cabinets; computer and telecommunication rooms; how the company controls access to information and whether that control is secure; how the company monitors access to information; and finally how information protection in general is carried out (Singleton, 2008). This gives guidance and a basic understanding of the company’s overall information security, and serves as a benchmark for any proposed improvement (19). The evaluation requires weighing the possible risks and threats against the cost of mitigation and control (21).

Classification of Access Controls

Experts classify physical access controls as preventive and detective controls (Singleton, 2008). Preventive controls help to avoid unwanted events, while detective controls are meant to identify unwanted events after they have occurred (United States General Accounting Office, 2002). Commonly used preventive physical controls include manual doors and cipher key-locks, magnetic door locks with electronic keycards, biometric authentication, security guards, photo IDs, entry logs, perimeter fences and computer terminal locks, among many others (43). Detective controls include smoke and fire detectors, motion detectors, visual and electronic surveillance systems, and intrusion alarms on the perimeter fence (45). So which should a company choose, preventive or detective access control? To begin with, Micki & Harold (1997) explain the difference between the two in terms of how they function. Detective controls are “invisible”: they never affect the everyday working life of employees and only come into action when there is a breach to investigate, for example when an alarm responds, which by definition means that a problem has already occurred (66). Preventive controls (e.g. door locks and security guards), on the other hand, limit the movement of employees and others, restricting them to particular areas and limiting the type of information they may use (68). It is therefore reasonable to suggest that preventive controls are more effective than detective controls, since they stop the problem from occurring in the first place. Enforcing them can be very challenging, however, if employees do not cooperate with the security team, so experts advise that all employees be given enough information about such arrangements to understand them (Gallegos, 2005).

It is more effective still to use both methods, since preventive and detective measures complement each other (89). When controlling access to restricted zones, areas defined as sensitive (such as computer labs) should be monitored to ensure that only a limited number of people enter, and only with authorization from the designated people. The National Institute of Standards and Technology (2001) proposes the following methods of controlling access to restricted zones:

  • Use of electronic access controls, combinations of mechanical locksets, or deadbolts
  • Restricting the number of entry points, consistent with the safety regulations
  • Monitoring by personnel, e.g. a receptionist or guard at the entry points, to ensure that only approved persons are allowed in, especially during working hours; all entries should also be video-recorded for reference in case of a security breach.

In addition, a list should be maintained of the specific persons authorized to access the sensitive areas that house IT assets. This is backed by recording the details of every visit to such areas: the date and time of entry, the reason for entry, and the exit time (31).

Backup information

In any information storage system it is important to back up the stored information, so that the backup acts as “insurance compensation” if the primary information is lost (Micki & Harold, 1997). Losing business information can be a frustrating experience that disrupts every operation. Backup media are therefore stored in rooms or safes at a reasonable distance from where the primary information originates, so that a single calamity cannot destroy all the data. As Granger (2002) puts it, “Backups of sensitive information should have the same level of protection as the active files of same information”.

Maintenance of work place

To prevent unauthorized persons from reaching sensitive information about the organization, every employee should leave his or her desk clean and organized (Royal Canadian Mounted Police, 1997). All IT equipment that handles confidential information should be positioned so that no one other than the authorized person can see the information. Such measures include placing monitors, fax machines and printers in secure spots where no unauthorized person can reach them (98). A practical way to prevent anyone from overlooking information on a monitor screen is to turn the screen away from windows and from areas where visitors pass, and printers used for confidential information should be placed in restricted zones (99).

Contingency plan

IT experts advise businesses to have contingency plans for extraordinary events (ISACA, 2001). The plan should cover all eventualities, such as power failures or surges, information theft, flood and fire. The contingency plan document should provide for essential services to continue in case of losses (9). It should also cover both on-site and off-site recovery, such as recovering information after a system failure or the loss of a critical support system (11).

Controlling access location

Whatis.com (2002) proposes a number of preventive measures to keep information safe with regard to the location of the facilities. Threats such as flooding can be minimized by choosing a facility location that is not prone to it, avoiding, for example, sites near rivers that flood almost every year. The area should also be free of fire risk, mist or high humidity, and electromagnetic interference, all of which can be detrimental to the efficient operation of the information system (Granger, 2002).

Control of Logical Access and Exposure

These are the most commonly recognized information access controls; they use a combination of computer hardware and software to restrict or detect access by unauthorized persons (Micki & Harold, 1997). For example, most specific areas or sites require the user to have a personal identification number or password before access is granted. IT professionals emphasize that logical controls should be designed to limit each authorized user to the particular systems, programs and files they need, and to deny access entirely to others, who may be hackers (67).

Used well, logical security controls support the company’s effort to protect information assets even if individuals gain access to the computer hardware. They help a business to:

  • Identify or recognize specific individual users and the particular computers authorized to access computer networks and other resources such as data,
  • Limit or restrict access to specific data or information,
  • Easily produce and analyze trails of user activity and audit the system,
  • Take defensive action against intruders, sometimes by requiring more information to prove that the access is legitimate. For example, employees without authority to view specific information may try to access it without the express permission of the person in charge; with an accurate and well-planned logical control system, they cannot (Granger, 2002).

Some of the commonly used logical controls are: antivirus software, access control software, passwords, encryption, smart cards, dial-up access control and callback systems, audit trails, and intrusion detection programs (Royal Canadian Mounted Police, 1997).

Access Control programs

There are a number of proven and tested methods for detecting unauthorized access to information assets in a computer system, namely:

  • Access control software; this software is installed specifically to protect the information resources the company considers important and confidential (Cliff, 2001). Its ability to control and monitor access to the information in the computer system is vital to the company’s information safety (109). It limits access by ensuring that only particular registered users can reach the computer’s information, or some very specific data, by requiring them to enter their unique user ID together with a password. A good example is Computer Associates’ eTrust CA-ACF2 Security for mainframes (114).
  • Passwords; a password is a protected string of characters, stored in encrypted form, that is used to authenticate the person accessing the computer system. It is normally the second means of identification, after the user has entered a username or ID (Singleton, 2008). According to ISACA (2001), the “password is the first line of defense against outside attacks”, and weak passwords are easy to break, especially with password-cracking tools such as L0phtCrack. A strong password therefore makes it difficult for such tools to work, or at least makes the process long and tedious for the intruder. The criteria for setting up passwords differ with the access control system, but NIST (2001) gives some general minimum criteria for a secure password: it should be between 5 and 8 characters long; it should combine numerals and letters in both lower and upper case and, most importantly, some special characters; it should not be identifiable from the user’s details, such as a date of birth or name; the system must not allow any of the last 5-10 passwords to be reused; passwords should be changed periodically (every 60-90 days) as long as that keeps the data secure; they should never be displayed when entered; a vendor-supplied password should be replaced immediately after installation; and finally every password should be personal and never shared at any level if the information it safeguards is vital. It is therefore important to establish a proper password policy to guide usage.
  • Antivirus software; viruses have proved to be among the most frustrating disruptions to the safety of information on computer networks. According to ISACA (2001), viruses are code segments that can replicate themselves, act remotely and sometimes prove difficult for known antivirus products to handle. They are malicious programs able to bring down a whole system or completely damage existing user files. Once replicated, they attach themselves to existing executables, and “the new copy of the virus is executed when a user executes the new host program” (United States General Accounting Office, 2002). Their primary sources have been the internet, through downloaded files, and local computer networks. Numerous types of virus have caused havoc to business operations in past years (NIST, 2001); one such, W32.SirCam, caused considerable damage to companies’ files and information. The most effective and proven way to control viruses in a computer system is to install antivirus software (23). Antivirus software can detect and prevent virus attacks and sometimes remove or repair infected files. Well-known antivirus products include AVG, Kaspersky, NOD32 and NVC, among many others (48). Beyond installing antivirus software, a company should establish a clear and relevant antivirus policy that governs its use. To be effective, the policy should be part of the contingency plan and set out the usage procedure: who should use it, when, and how (52).
  • Smart cards; a smart card is an intelligent, chip-bearing device the size of a credit card that is used to authenticate the user (Granger, 2002). It requires the user to demonstrate that he or she is the real owner of the card by entering a unique personal identity code (77): once the card is inserted into the reader, the user enters his or her PIN to gain access. It is a reliable way of authenticating a user’s identity because the person must both possess the card and know the PIN (81). Smart cards are used at the doors of sensitive computer and data rooms, and IT experts expect their use to grow as technology advances (83). This is probably why the PC/SC Working Group companies, including Microsoft, Intel and Toshiba, have defined standards for the interface between software and the PC hardware that reads a smart card (PC/SC Working Group, 2002).
  • Encryption; this is a technique that protects text by encoding it so that the data is hidden from any reader other than the intended one. It is commonly used to protect data in transit or in storage from intrusion or interception by unintended persons (Boran, 1999). However, encrypted data can still be lost, and encryption programs can easily be compromised (54). It is therefore advisable to use encryption only as one part of a company’s security arrangements, accompanied by other reliable information asset security measures.
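The password criteria listed above can be turned into an enforceable check. The following is an added example, not code from the essay or any cited source; where the text gives a range, the concrete parameters (8-character maximum, 8 remembered generations, 90-day rotation) and the sample vendor defaults are assumptions, and the user details are constructed:

```python
"""Password-policy checker implementing the criteria listed above (added example)."""
import hashlib
import os
import re
from datetime import date

# Policy parameters. Where the text gives a range, the concrete value chosen
# here is an assumption: 8 characters max, 8 remembered generations, 90 days.
MIN_LENGTH = 5
MAX_LENGTH = 8
HISTORY_DEPTH = 8        # last N passwords that may not be reused (text: 5-10)
MAX_AGE_DAYS = 90        # rotation period (text: 60-90 days)
PBKDF2_ROUNDS = 100_000
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")
# Constructed sample of vendor-supplied defaults that must be replaced on installation.
VENDOR_DEFAULTS = {"admin", "Pass123!"}


def hash_password(password, salt=None):
    """Return (salt, digest); the history stores salted hashes, never cleartext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(candidate, history):
    """True if the candidate equals any of the last HISTORY_DEPTH (salt, digest) pairs."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hash_password(candidate, salt)[1] == digest:
            return True
    return False


def detail_tokens(value):
    """Split a user detail such as 'Jane Smith' or '1985-04-12' into fragments of at
    least 3 characters, plus the whole value with separators stripped."""
    parts = [p for p in re.split(r"[^0-9a-z]+", value.lower()) if p]
    parts.append("".join(parts))
    return {p for p in parts if len(p) >= 3}


def check_password(candidate, user_details, history):
    """Return the list of policy violations for a proposed password (empty = accepted)."""
    violations = []
    if not MIN_LENGTH <= len(candidate) <= MAX_LENGTH:
        violations.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        violations.append("missing lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        violations.append("missing upper-case letter")
    if not re.search(r"[0-9]", candidate):
        violations.append("missing digit")
    if not any(c in SPECIAL_CHARS for c in candidate):
        violations.append("missing special character")
    lowered = candidate.lower()
    for label, value in user_details.items():
        for token in sorted(detail_tokens(value)):
            if token in lowered:
                violations.append(f"contains {label} fragment '{token}'")
    if candidate in VENDOR_DEFAULTS:
        violations.append("is a vendor-supplied default")
    if in_history(candidate, history):
        violations.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return violations


def password_expired(last_changed_iso, today_iso):
    """True once the password is older than the rotation period (ISO dates)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days >= MAX_AGE_DAYS


def change_password(new_password, user_details, history):
    """Apply the policy; on success append the new hash to the history and return True."""
    if check_password(new_password, user_details, history):
        return False
    history.append(hash_password(new_password))
    return True


if __name__ == "__main__":
    details = {"name": "Jane Smith", "dob": "1985-04-12"}   # constructed user details
    history = [hash_password("Old1!pwd")]
    for pw in ("Jane85!x", "Old1!pwd", "Tq7$mz2!"):
        print(pw, check_password(pw, details, history) or "accepted")
```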

Dial-up access control and callback systems

In some cases users of a computer system may attempt to connect to it remotely, from home or any other location outside the business, over a dial-up line. It is advisable to restrict such use through dial-up access control, which prevents unauthorized callers from reaching secured information (Singleton, 2006). It can also authenticate the remote user, or alternatively operate a call-back system. In a call-back system, the telecommunication link established when someone dials into the computer remotely is interrupted so that “the computer would dial back to the caller” (Boran, 1999). The security catch is that the caller is only permitted if the number is valid and recognized. Boran (1999) advises that these phone numbers be changed regularly for maximum safety, and warns that if a company’s business is not adequately secured by dial-up access controls, the stored information is exposed to war dialers such as Toneloc, which sweep the company’s extensions looking for an open modem that answers the call (Singleton, 2006).

Audit trails

Another useful information security tool is the audit trail. It is used to trace any illegal input of information back from its source to the original user (Boran, 1999). Any improper attempt by an employee, for example, to access a restricted information database is automatically reported back to the source. This is useful where specific employees are allowed access to specific areas but not to the whole database (97): if they attempt to access unauthorized data, the attempt can be reported back to a central location.
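The combination described above, an authorization check per database area, an audit trail of every attempt, and a central report of repeated denials, as an added example (not code from the essay or any cited source; the employee names, area names and timestamps are constructed):

```python
"""Per-area authorization with an audit trail and a central denial report (added example)."""
from collections import defaultdict

# Constructed sample: the database areas each employee is authorized to use.
AUTHORIZED_AREAS = {
    "alice": {"sales", "inventory"},
    "bob": {"inventory"},
}


class AuditTrail:
    """Append-only list of access records, one per request, allowed or not."""

    def __init__(self):
        self.records = []

    def record(self, when, user, area, outcome):
        self.records.append({"time": when, "user": user, "area": area, "outcome": outcome})

    def lines(self):
        """Render the trail as log lines, as they would be shipped to a central log host."""
        return [f"{r['time']} user={r['user']} area={r['area']} outcome={r['outcome']}"
                for r in self.records]


def request_access(trail, when, user, area):
    """Allow the request only if the user is authorized for the area; log either way."""
    allowed = area in AUTHORIZED_AREAS.get(user, set())
    trail.record(when, user, area, "ALLOW" if allowed else "DENY")
    return allowed


def parse_line(line):
    """Parse one trail line (the format written by AuditTrail.lines) back into a record."""
    when, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["time"] = when
    return fields


def denied_by_user(lines, threshold=2):
    """Central report: users whose denied attempts reach the threshold -> {user: [areas]}."""
    attempts = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["outcome"] == "DENY":
            attempts[rec["user"]].append(rec["area"])
    return {u: areas for u, areas in attempts.items() if len(areas) >= threshold}


def demo():
    """Replay a constructed sequence of requests and return the denial report."""
    trail = AuditTrail()
    request_access(trail, "2024-05-01T09:00:00", "alice", "sales")      # authorized
    request_access(trail, "2024-05-01T09:01:00", "bob", "sales")        # denied
    request_access(trail, "2024-05-01T09:02:00", "bob", "payroll")      # denied
    request_access(trail, "2024-05-01T09:03:00", "bob", "inventory")    # authorized
    return denied_by_user(trail.lines())


if __name__ == "__main__":
    print(demo())
```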

Conclusion

It has emerged that information assets are exposed to numerous risks, both natural and man-made. It is therefore up to the organization to analyse the potential risks properly and take precautions to avoid any disastrous loss of data or information. Logical and physical security must be managed and maintained in equal measure to protect the organization’s information adequately. The real challenge for any organization is to put in place the right security, both physical and logical, to fit its particular needs.

References

Boran, S. (1999). “The IT Security Cookbook”.

Cliff, A. (2001). “IDS Terminology, Part Two: H-Z”. Web.

Granger, S. (2002). “The Simplest Security: A Guide to Better Password Practices”. Web.

Gallegos, F. (2005). “Computer Forensics: An Overview”. CISA, CDE, CGFM, Volume 6.

Micki, K., & Harold, T. F. (1997). “Handbook of Information Security Management”. Web.

Singleton, T. W. (2008). “What Every IT Auditor Should Know About Access Controls”. CISA, CITP, CMA, CPA, Volume 4.

Singleton, T. W. (2006). “What Every IT Auditor Should Know About Cyber Forensics”. CISA, CMA, CPA, CITP, Volume 3.

Royal Canadian Mounted Police (1997). “Technical Security Standard for Information Technology (TSSIT)”.

Information Systems Audit and Control Association (ISACA) (2001). “CISA Review Technical Information Manual”. Rolling Meadows: ISACA, Inc.

National Institute of Standards and Technology (2001). “An Introduction to Computer Security: The NIST Handbook”. Special Publication 800-12.

SearchSecurity.com (2002). A TechTarget site for security professionals; search for the definition of “Intrusion detection”. Web.

Whatis.com (2002). Search for the definition of “Intrusion detection”. Web.

PC/SC Working Group. Web page. Web.

United States General Accounting Office (2002). “Federal Information Systems Control Audit Manual – Volume 1: Financial Statements Audit”, GAO/AIMD-12.19. Web.

Client Focused Priority Needs

The review of the literature has uncovered a correlation between mental illnesses and disempowerment. Moritz et al. (2010) have found out that people lose control over their lives the moment they suffer from a psychiatric disability. The primary concern is that global communities have traditionally stigmatized individuals suffering from mental health diseases. Society often confines patients presented with psychotic complications in secluded facilities (Rigby & Alexander, 2008). Consequently, these victims never get the opportunity to take part in social activities because the public considers them to be “unproductive” or “useless” (Moritz et al., 2010). Conversely, we have resolved to deviate from these notions by giving the Pinecrest residents a chance to form social networks. According to Galletly (2009), social isolation worsens the severity of psychiatric symptoms.

Our meeting with Lisa and Annette brought us to the conclusion that the Pinecrest residents are required to increase their level of socialization. In addition, it was imperative to encourage the clients to maintain a healthy lifestyle. Firstly, we noted that only three individuals joined us to play the BINGO game, which we introduced as a first intervention. By contrast, the others focused on independent activities. For example, G was filling a puzzle by himself while other individuals watched television or drank pop in isolation. The highlighted instances exemplify the extent of seclusion at the Pinecrest treatment center. As such, it was essential to introduce initiatives that would foster increased socialization. Cimpean and Drake (2011) have argued that social interactions enhance clinical outcomes among patients with mental disorders.

The progression of mental disorders accelerates because of societal misconceptions. In addition, these symptoms exacerbate when patients feel incompetent (Kilbourne et al., 2008). Loneliness was a common phenomenon at the Pinecrest community center. For instance, the individuals were watching the television together in silence without any form of social interaction. We will promote socialization by allowing the Pinecrest residents to participate in the carnival. The purpose of the festival activities is to support these individuals to form social networks by identifying their hobbies and interests. We hypothesize that the carnival activities will not only increase socialization but also improve the overall quality of life. The more these patients participate in multiple activities at the fair the more they will enhance their social interaction skills.

People suffering from chronic mental disorders are often isolated socially and lack the capacity to live independently (Kilbourne et al., 2008). The case of Pinecrest has highlighted the scope of social disconnectedness among patients with psychotic disorders. The activities at the carnival will help the Pinecrest residents to acquire and utilize social skills adequately. The main point of argument is that it will be counterproductive if the individuals do not use the acquired social competencies in real life. In practice, we will concentrate on making certain that these patients function autonomously. According to Dogra et al. (2009), the core of social training is to enable people with severe chronic disorders to perform communal activities with minimum support from caregivers.

On the other hand, the initial assessment revealed that these clients had adopted unhealthy lifestyles. For instance, they were accustomed to drinking pop rather than water. Second, smoking was a prevalent habit practiced by a majority of the occupants. Third, the patients had adopted a sedentary lifestyle, as well as poor nutrition options. Dogra et al. (2009) have indicated that individual lifestyle choices are the most common modifiable risk factors that cause poor physical health among mental health cases. Cimpean and Drake (2011) have asserted that notable gaps in mental health services exacerbate the physical health problems in this population. Consequently, the promotion of physical activity, combined with sound eating habits and healthy practices constitute critical priority needs for these individuals.

Individuals with severe mental illnesses are susceptible to a myriad of physical health problems. Although such problems are common in the general population, patients with psychotic disorders suffer the greatest consequences of poor physical health. Lifestyle choices (particularly smoking, poor diet, and inactivity) increase the risk of physical limitations. Galletly (2009) has found that people with mental diseases are more vulnerable to obesity and overweight than the general population. Further, Cimpean and Drake have shown that poor diet and the lack of exercise contribute to the increasing cases of obesity and overweight in mental health settings. Antipsychotic medications also cause abnormal weight gain in this group of patients. We will pay particular attention to nutrition and physical activity as priority needs for the residents.

The increased risk of Pinecrest residents to deleterious physical health necessitates the development of prevention measures. As such, our second intervention will focus on modifying the underlying risk factors and lifestyle choices. The primary objective is to modulate the poor diet, sedentary behaviors, and smoking. In relation to nutrition, we found out that the Pinecrest community was promoting unhealthy dietary choices, exemplified by low fiber and high-calorie intakes. We will take advantage of the carnival to train these individuals on how to adopt sound eating habits. For instance, we will encourage them to consume water, vegetables, and fruits during the carnival. We expect that these practices will become a norm in the long term.

Physical activity is a very vital component of health and wellbeing. Findings from medical studies have shown that exercise reduces the risks of chronic diseases in people with mental illnesses. For instance, Dogra et al. (2009) have established that constant exercising improves cognition and behavior significantly. Despite these benefits, Propst (2010) has noted the difficulty of implementing physical activity in mental health settings because of emotional and behavioral disturbances. We have resolved to encourage the patients to participate in physical activities during the carnival. The primary objective is to enhance physical functioning besides promoting social connectedness. Some of the individuals are suffering from arthritis, which is an indicator of declining mobility.

Person-centered care plays a fundamental role in facilitating recovery in patients suffering from chronic mental disorders. The essence of client-focused nursing is that mental illnesses are diverse, with each condition having unique symptoms (Wölwer & Frommann, 2011). Propst (2010) has reported that patients suffering from mental diseases have unmet needs because care providers usually generalize these conditions. Unfortunately, Pinecrest had adopted a similar model of treatment, since it was focusing more on group activities that do not prioritize the necessities of individual patients. The aim of our interventions is to ensure that every person at Pinecrest takes control over their lives. We will implement physical activity and socialization concurrently to achieve beneficial outcomes. As such, activities at the carnival will incorporate aspects of social interaction and physical activity.

Reconciling The Need For A Bureaucracy Versus All These Issues It Presents Against Democracy

Although bureaucracy as a phenomenon has gained a rather negative coloring in the everyday use of the word, it is, in fact, supposed to describe a neutral phenomenon. Traditionally, the notion of bureaucracy is expected to imply strict adherence to rules and regulations, which, in itself, is a positive and even important part of organizational performance. However, in most of its iterations, bureaucracy poses a threat to democracy when implemented (Meier et al. 1577). Therefore, one will need to introduce control tools to contain the side effects of bureaucracy while amplifying the positive ones.

By using bureaucracy as a control tool for preventing instances of unfairness, dishonesty, and fraud, and by restricting its influence to the specified area, one will be able to make it coexist with democracy. Moreover, the specified step will allow bureaucracy to serve one of democracy’s primary goals, namely the promotion of justice and equity (Meier et al. 1578). When executed as a functionally balanced notion, bureaucracy can become a rather powerful tool for maintaining the status quo and avoiding key risks. Moreover, when implemented in a professionally competent manner, bureaucratic measures contribute to the effective functioning of democracy (Meier et al. 1561).

Overall, the reconciliation between bureaucracy and democracy is possible once the former is perceived as a control tool and not as a philosophy for officials to adhere to when implementing relevant goals. Moreover, bureaucracy can offer a way of maintaining the current system in order and keeping it sustainable so that it could remain effective in the future. Therefore, with the focus on the advantages that bureaucracy provides, one can reconcile it with democracy even if some of their aspects are quite contradictory.

Work Cited

Meier, Kenneth J., et al. “Bureaucracy and the Failure of Politics: Challenges to Democratic Governance.” Administration & Society, vol. 51, no. 10, 2019, pp. 1576-1605.