Acct 521 - Information Systems

Essay by Natasha Pendleton • June 25, 2017 • Research Paper • 2,079 Words (9 Pages) • 867 Views

Essay Preview: Acct 521 - Information Systems

prev next

Report this essay

Page 1 of 9

[pic 1][pic 2][pic 3][pic 4]

Management Information Security

6/23/2016

Acct 531

Natasha Pendleton

ABSTRACT

The evaluation of information systems security is a process in which the evidence for assurance is gathered, identified and analyzed against criteria for security functionality and assurance levels. Security metrics are important indicators of how well security services are present in the information systems and can be used to measure organization’s security maturity levels. Security measures help to improve an organization’s performance and understanding. These are important aspects to be understood by users of information systems since normally they face problems that are not only related to technology but also are related their environments.

INTRODUCTION

There is a growing recognition of the role of management in protecting organizational information from a range of security risks. Those risks include the leaking of trade secrets and intellectual property, disruption of critical systems and malicious attack from both insiders and outsiders. Policy is a critical formal control in which management provides strategic and tactical guidance on a range of issues. Issues can include acceptable use of information technologies, security structures, roles and processes to be instituted. Security researchers have consistently debated that the effectiveness of managerial practices associated with security of policy is critical to a successful organization.

Deficiencies of IS

In order to discuss information security we must first point of the deficiencies from a management perspective which includes four main deficiencies:

Lacks a holistic view of the policy lifestyle
Lacks consistency in terminology and explanation
Includes varying levels of granularity in describing policy management activities
Makes it difficult to extricate guidance on policy management from that of other practice areas such as risk management and security education, training and awareness.

The first deficiency, the lack of holistic view of the policy lifestyle can be identified in the existing policy development lifestyles. Bayuk (1997) presents a process with a narrow view that focuses on the development of policy documents and does not include any practices related to the implementation and the maintenance of the policy. It consists of several steps starting with identifying assets and then forming a team to develop the policy. Then the draft policy is created. Then the policy goes through a review process leading to approval and publishing.

The second deficiency, existing policy and lifestyle lack consistency in terminology and explanation. It has a more holistic view of the policy development process; it suggests that there are overlapping concepts such as monitoring, compliance and enforcement. These three concepts are shown in the approach as three different activities that represent the management efforts to ensure that the policy is being adhered to by employees. Referring to three concepts as one or as different terms may cause confusion among security practitioners embarking on the process of policy development (Whitman 2008).

The third deficiency uses varying levels of granularity in describing policy management activities. Policy lifestyle differs in the level of detail and emphasis on policy development aspects. Hare (2002) presents the development process of security in a systematic way, however, details are lacking about how the policy will be published and how it will be communicated and enforced. The development process did not discuss the issue of user compliance with the policy and user awareness and training in communicating and enforcing security policy in organizations.

The fourth deficiency is the difficulty to extricate guidance on policy management from that of other practices areas. There is a great importance to having risk assessment as an input of the policy development process, as well as a need for security awareness and training to communicate and enforce policy. It can be argued that conducting risk assessment and developing security awareness and training programs are not part of the security policy lifestyle. Policy development lifestyle goes beyond the development of security program in an organization; they address security policy, risk assessment, technical controls and incident y. response (Olnes, 1994).

Development Stage

Information security managers in an organization must participate in the process of developing the information securities policy to help establish a policy development team. This would include two main activities, identifying key stakeholders who should be involved in the development of policy and to help define roles and responsibilities.

It is important to involve key stakeholders in the security development process to help ensure a success for the stages of development, implementation and evaluation. A team of representative stakeholders from across the organization at all levels should be assembled. Those representatives in the organization may include technical personnel, process owners, decision makers, managers, legal department, the human resource department, users, plus other function area personnel affected by the new policy (Maynard, 2011). A security policy developed for a specific department in the organization may involve people in the development process than the policy developed for the entire organization.

It is important to clearly define the roles and responsibilities of the development team members to avoid delays in the development process due to interpersonal challenges and political objections that may occur. Maynard (2010) asserts that while many authors emphasize the importance of involving different stakeholders in the development process; the roles of these stakeholders remain unclear. He also points out that authors simply mention the name of the stakeholder that needs to be involved in the development process without specifying what this group of people should do in the process.

After establishing a development team, the organization should next determine its security needs. A good understanding of the current situation of the organization and a sufficient understanding of the organization’s security objectives and goals should be required. This can be done by conducting a thorough investigation of the problem facing the organization (Whitman 2008). This consists of two activities, identifying security requirements and assessing the organization’s current policies and procedures.

...

Download as: txt (14.1 Kb) pdf (164.8 Kb) docx (14.4 Kb)

Continue for 8 more pages »

Read Full Essay Save

Only available on Essays24.com

Similar Essays

Management Information System

INTRODUCTION: Management Information Systems (MIS) is a field of science that studies on (1) how better we can manage technologies (2) how better we can

2,040 Words | 9 Pages
Information Systems And Organizational Departments

Information Systems and Organizational Departments Abstract The three organizational departments that I have chosen for this paper are accounting, management, and human resources. For each

607 Words | 3 Pages
Management Information System

About Us Home sweet home. That is one way of describing us. We want to make our customers feel at home. With our concepts of

4,256 Words | 18 Pages
Information Systems Development Process

Oliver Lines BABS 2 - Option Managing Information Systems In Organisations RECENT ADVANCES IN SYSTEMS DEVELOPMENT WILL RADICALLY CHANGE THE INFORMATION SYSTEMS DEVELOPMENT PROCESS INTRODUCTION

2,671 Words | 11 Pages
Management Information Systems

1. General Motors has several internal and external influences that are challenging them to reduce their operating costs and become more efficient. In doing

2,739 Words | 11 Pages
3m's New Information System Research Paper

3M's New Information System Research Paper Intro The business environment is very competitive. Consequently, companies need to offer customers efficient and reliable service. If they

1,502 Words | 7 Pages
Critical Issues In Managing Information Systems In Organisations

Instant Messaging Systems Instant Messaging is a widely available communication medium and due to popularity and productivity increase its use has become popular in the

2,186 Words | 9 Pages
Information Systems Application Exercise

The evaluated sites stated herein seemingly demonstrate programs, analysis and visual conferences of awareness, accessibility, and potential opportunities for instructing information to interested users and

539 Words | 3 Pages