An Information Security Plan provides a business with direction and guidance in meeting the company’s security and privacy objectives according to its business needs. Management’s prescribed Information Security Plans and Policies are expected to be enforced in the implementation of the organization’s business and Information Technology security strategies. A comprehensive Information Security Plan is necessary to ensure that all areas of security and privacy management are covered and that potential oversights and exposure of the company’s critical information are avoided. Enforcing information security policies demonstrates management support for information security and privacy and protects corporate assets and intellectual property from significant exposure. It allows an organization to set limits on the level of access to different resources within the network, protecting those resources in a way that relates to the information security goals of the organization.
Information Security Plan
Given today’s global world and rapid technological developments, and as enterprises “embrace the current trend in mobile technologies traditional security mechanisms are challenged by the co-location of personal and business activities on employee-owned mobile devices” (Harkins, 2012, p. 44) on the enterprise network. This presents a new “risk to enterprises as employee-owned devices can now be used as stepping stones for bypassing traditional enterprise perimeter security” (Harkins, 2012, pp. 3, 44). A comprehensive Information Security and Privacy Plan provides high-level statements of management’s security and privacy goals and objectives. Its scope is companywide, and it typically identifies the enterprise-wide “roles and responsibilities of each employee involved and organizations accountable for the implementation of the management directives” (Harkins, 2012, p. 67).
The following important elements are carefully examined in this research paper, which found that almost all the companies in the United States that have included an Information Security Plan as part of their data protection measures are proven to be effective in preventing and restricting exposure of the company’s critical data:
This strategy allows only work product prescribed according to management’s “direction based from the requirements found in U.S. guidance documents to guide an organization in meeting their corporation’s security and privacy objectives according to its business needs” (DeLuccia & Bradley, 2008, pp. 46-47). The policies are expected to be used in the implementation of the organization’s business and Information Technology strategies and in any specific solution or application. DeLuccia and Bradley (2008) explained that the content and implementation of security and privacy policies are part of a typical formal business and financial audit. They provide high-level statements of management’s security and privacy goals, objectives, and beliefs (p. 50). The preceding statements from DeLuccia and Bradley clearly indicate that the absence of Security and Privacy Policies demonstrates a lack of management direction and support for information security and privacy, which can result in significant exposure of corporate assets. Hence, the company’s ability to enforce security policies and procedures, in addition to management support for security and privacy initiatives, by ensuring that all areas of security and privacy management are covered, “can effectively avoid potential oversights and additional exposures that can be traced back to human error” (Buecker et al., 2013, p. 6).
Threat Model Awareness
As the threat landscape is evolving rapidly, a company’s awareness of the different threats is very important. Zeldovich (2014) defined a threat as “a trajectory or method by which the company’s information system application, and data can be compromised by an attacker”. The two main causes of security vulnerability threats according to Buecker et al. (2013) are:
Internal threats. Security-related failures and incidents are caused by “threats that are found within the physical and logical boundaries of the organization that operates and controls the IT system” (p. 5). These threats might be associated with technology or people. Examples of an internal threat are a poorly designed system that does not have the appropriate controls, or a person who uses his ability to access the IT system or influence business or management processes to carry out a malicious activity.
External threats. Security-related failures and incidents are caused by threats that are found outside the physical and logical boundaries of the organization that operates and controls the IT system. These threats are also associated with technology or people. They “seek to either penetrate the logical or physical boundary, or to influence business or management processes from outside the logical or physical boundary” (p. 6). An example of an external threat is a computer virus or worm that penetrates the physical or logical network boundary. Another example is an attacker, or someone who gained the ability to act as an insider, using personal electronic credentials or identifying information (pp. 5-6).
Not all threats pose an equal risk, which is why it is important for companies to understand the threats that pose the most risk to the enterprise’s system application so that the company can allocate its resources appropriately. Having a clear understanding of the different threats “allow the company to adequately manage threat by strategically allocate more resources to higher risk threats and less resources to lower risk threats” (DeLuccia & Bradley, 2008, p. 40). Threat modeling is most valuable, and easier, when “done during the Design and Analysis phase of the project which it works best between the Think and Code phases” (Buecker et al., 2013, p. 145). DeLuccia and Bradley (2008) recommended that threat modeling be completed by security architects or experienced developers who are aware of and familiar with the different threat models (pp. 86-88). Security experts have revealed that it is possible to insert malicious code into the company’s enterprise application system using the following security threat models.