Importance Of Information Security In Organizations Information Technology Essay
Abstract: Information security is currently crucial for all organizations to protect their information and conduct their business. Information security is defined as the protection of information and of the systems and hardware that use, store and transmit that information. Information security performs four important functions for an organization: it protects the organization’s ability to function, enables the safe operation of applications implemented on the organization’s IT systems, protects the data the organization collects and uses, and safeguards the technology assets in use at the organization. There are also challenges and risks involved in implementing information security in an organization.
Keywords: Information security, challenges of information security, risk management
Information is one of an organization’s most important assets. For an organization, information is valuable and should be appropriately protected. Security combines systems, operations and internal controls to ensure the integrity and confidentiality of data and operation procedures in an organization. The history of information security begins with the history of computer security. It started around the year 1980. In 1980, the use of computers was concentrated in computer centers, where the implementation of computer security focused on securing physical computing infrastructure that is highly effective organization. Although the openness of the Internet enabled businesses to quickly adopt its technology ecosystem, it also proved to be a great weakness from an information security perspective. The system’s original purpose as a means of collaboration between groups of trusted colleagues is no longer practical because usage has expanded to millions of frequently anonymous users. Numerous security incidents related to viruses, worms, and other malicious software have occurred since the Morris Worm, which was the first and shut down 10% of the systems on the Internet in 1988. These incidents have become increasingly complex and costly. However, information security awareness has been increasing. Many organizations have implemented information security to protect their data.
In completing this term paper, the methodology used to collect data was reading and literature review, to enable an in-depth understanding of information security. A literature review of research papers and journals was done to collect data on the study of information security and to understand the subject in more depth. Another approach used to collect information about information security was reviewing articles from Internet sources.
Definitions, Concepts and Importance of Information Security to Organizations.
In general, information security can be defined as the protection of data owned by an organization or individual from threats and/or risks. According to the Merriam-Webster Dictionary, security in general is the quality or state of being secure, that is, to be free from harm. According to the Oxford Students Dictionary Advanced, in a more operational sense, security is also the steps taken to ensure the security of the country, people, things of value, etc. Schneier (2003) considers that security is about preventing adverse consequences from the intentional and unwarranted actions of others. Therefore, the objective of security is to build protection against enemies, those who would do damage, intentional or otherwise. According to Whitman and Mattord (2005), information security is the protection of information and its critical elements, including the systems and hardware that use, store and transmit that information. Information security is the collection of technologies, standards, policies and management practices that are applied to information to keep it secure.
Information security performs four important functions for an organization: it enables the safe operation of applications implemented on the organization’s Information Technology (IT) systems, protects the data the organization collects and uses, safeguards the technology assets in use at the organization, and lastly protects the organization’s ability to function.
Information security enables the safe operation of applications implemented on the organization’s Information Technology (IT) systems. To protect its data, the organization will apply or install appropriate software that secures the data, such as antivirus and other protective applications. So, information security is very important in an organization to protect the applications implemented in the organization and to protect the data stored on its computers as well. Besides the data, the installed applications also need to be protected, because they can contribute to information loss or damage.
Information security protects the data the organization collects and uses. If information is left unprotected, it can be accessed by anyone. If the information falls into the wrong hands, it can destroy lives, cause business to drop and also be used to do harm. Information security programs ensure that appropriate information is protected in line with both business and legal requirements by taking steps to protect the organization’s data. In addition, taking steps to protect the organization’s information is a matter of maintaining privacy and will help prevent identity theft.
In an organization, information is an important business asset, essential for the business, and thus needs appropriate protection. This is especially important in an increasingly interconnected business environment, in which information is now exposed to a growing number and a wider variety of threats and vulnerabilities. Causes of damage such as malicious code, computer hacking, and denial of service attacks have become more common, more ambitious, and more sophisticated. So, by implementing information security, an organization can protect the technology assets it uses.
In terms of protecting the functionality of an organization, both general management and IT management are responsible for implementing information security that protects the organization’s ability to function. Information is the most important element an organization needs to do business. Besides that, an organization keeps its customers’ information, so it is crucial for it to protect that information. Without information, the business cannot be run. By securing the information it stores, the organization is able to run its business well. That is why information security is important in organizations.
Information Security Related Theory
There are five theories that determine the approach to information security management in an organization. Table 1 below shows the related theories that determine information security management.
Table 1: Information Security Related Theory
Security policy theory: Aims to create, implement and maintain an organization's information security needs through security policies.
Risk management theory: Evaluates and analyzes the threats and vulnerabilities in an organization's information assets. It also includes the establishment and implementation of control measures and procedures to minimize risk.
Control and audit theory: Suggests that organizations need to establish control systems (in the form of security strategy and standards) with periodic auditing to measure the performance of the controls.
Management system theory: Establishes and maintains a documented information security management system. This will include information security policies that combine factors internal and external to the organization with the scope of the policy, risk management and the implementation process.
Information security is part of contingency management to prevent, detect and respond to threats and weaknesses, both internal and external to the organization.
Challenges in Information Security
There are several challenges in our constantly changing environment that make it difficult to adequately protect our resources. These are the blending of corporate and personal life, inconsistent enforcement of policies, lack of awareness in information security, information security threats and
Blending the corporate and personal life
Blending the corporate and personal live
Free Internet facilities have led employees to take advantage of them by using them for personal purposes. For example, employees use company email for some personal communications, and some employees may be issued a BlackBerry or cell phone that they use for limited personal use. Many people may not even have a home computer and use their company-issued laptop for everything, including running personal software such as their tax software. On the flip side, some employees may bring a personal laptop into the office and try to plug it in. As a result, employees use organization assets, which are meant for accessing and keeping organization information, for personal purposes. The risk of this is that the information may be accessed by people outside the organization.
Inconsistent enforcement of policies
Many organizations either haven’t enforced their policies in the past, or have done so inconsistently depending on the position of the employee. This causes many issues when a security function tries to crack down on violators. Many organizations have underestimated the importance of implementing policies and regulations on information security. As a result, many organizations write information security policies but do not apply them.
Lack of awareness in information security
A lack of understanding of information security means that the employees in an organization do not secure information properly. Their lack of awareness of the importance of information security makes the information easier to attack. Basically, employees protect the information, but they do not use proper methods to secure it. This may put confidential information at risk.
Information security threats
New security threats are emerging every day, from malware programs that can be inadvertently installed on a user’s machine, to phishing attempts that deceive employees into giving up confidential information, to viruses, worms, and strategic identity theft attempts. Sometimes the threats that attack an organization’s information are difficult to handle. This is because the protection programs installed on the computer system to protect the data do not function properly or are not good enough.
Difficulties in managing information security because of a lack of proper qualifications in information security
Sometimes organizations do not take hiring employees based on their qualifications seriously. Some organizations hire an employee as information security manager even though the role does not match the qualifications or skills in information security that he has. So, it is difficult for that staff member to protect the organization’s data properly. If employees don’t have the skill or knowledge to protect confidential data, it is easier for attackers to attack and steal the information.
Recommendations to address the challenges in information security in the organizations
In response to these challenges, several recommendations are proposed as follows:
Don’t mix corporate and personal life
Employees should know their boundaries. They should know how to separate their personal life from their job. They should not take advantage of company facilities by using them for personal purposes, because this can invite attacks and put the organization’s information at risk. The organization should explain this to the staff so that they know what they can and cannot do. The rules and ethics of the workplace should be explained to employees before they start work.
Follow the policies and stick to the policies
The organization should establish, implement and maintain policies on information security. This is to ensure that employees follow the rules for accessing information. Information security policies are very important in the organization because they state the information security requirements. So the organization should review the policy on a regular basis in order to meet the demands of the organization’s security requirements.
Increase the employees’ awareness level on information security.
In order to increase awareness of security issues among employees, the organization should take several steps to improve the employees’ awareness and understanding of the importance of information security. Methods the organization could use are educating its employees about the protection of data and training the staff in how to protect the data. By implementing these methods, the employees can gain a better understanding of information security and can also protect the information well. Employees must understand and accept the risks that come with using technology, and the Internet in particular. By knowing the threats that are present, they can learn to use this luxury carefully, rather than blindly assuming that someone will have a solution for the problems they may face.
Install appropriate protection programs and always secure the data.
The employees and the organization’s personnel must ensure that the organization’s computer network is securely configured and actively managed against known threats. IT network professionals should also help the organization maintain a secure virtual environment by reviewing all computer assets and determining a plan for preventive maintenance. This includes routinely cleaning up unnecessary or unsafe programs and software, applying security patches such as small pieces of software designed to improve computer security, and performing routine scans to check for intrusions. The organization may also review access rights and have the IT professional set up an automated procedure that requires employees to change their passwords at regular intervals to further protect the organization’s information assets. Besides that, updated and current protection programs, such as up-to-date antivirus, should be installed on the computer system to protect it from virus attacks.
Hiring qualified employees
To protect and secure confidential information well, the organization should hire IT experts and employees who have the right qualifications to protect the data. This is to ensure that the employee knows what to do if a problem occurs and how to protect the data. Besides that, IT experts and qualified staff have a better understanding of information security and know the steps to ensure that the information is always kept safe.
Information security is crucial in an organization. All information stored in the organization should be kept secure. Information security is defined as the protection of data from any threats of virus. Information security is important in the organization because it protects confidential information, enables the organization to function, enables the safe operation of applications implemented on the organization’s Information Technology systems, and because information is an asset for an organization. Even though information is important in an organization, there are several challenges in protecting and managing it. One of the challenges faced in an organization is the lack of understanding of the importance of information security. When employees lack information security knowledge about keeping their information safe, the organization is easily attacked by hackers or other threats that try to steal or obtain the organization’s confidential information. So it is crucial for all staff in an organization to have knowledge and understanding of the importance of information security practice in protecting confidential data.
Information security is crucial in organization. All information stored in the organization should be kept secure. Information security will be defined as the protection of data from any threats of virus. The information security in important in the organization because it can protect the confidential information, enables the organization function, also enables the safe operation of application implemented on the organization’s Information Technology system, and information is an asset for an organization. Even thought the information is important in organization, there are several challenges to protect and manages the information as well. One of challenges faced in an organization is the lack of understanding on important of information security. When employees is lack of information security knowledge in term of keeping their information, the organization is easy to being attacks by hackers or another threats that try to stole or get the organization confidential information. So it is crucial and important to all staff in an organization to have knowledge and understanding about the importance information security practice in an organization to protect the confidential data.