
Information Systems Security and Vulnerability

Updated: Mar 2

INTRODUCTION

The information age has brought serious risks with it. Criminal activity has become organized, intelligent, and quick to exploit system vulnerabilities. Security software can only defend against attack methods that are already known; unknown attacks and undiscovered vulnerabilities pose the biggest threat to people and organizations today. A security plan that covers both the known risks and the unknown ones helps a business stay solvent.


ANALYZING RISKS FOR INFORMATION SYSTEMS SECURITY AND VULNERABILITY

How do you analyze the risk to your organization? Information systems security and vulnerability risks fall into four areas:


  1. Insider threats, where authorized users are either negligent or malicious.

  2. Hardware vulnerabilities and configuration errors.

  3. Software flaws (bugs): incomplete code, unhandled error paths, and logic errors that an attacker can trigger.

  4. External attackers who seek to destroy or steal information for criminal purposes, using malicious software (malware) such as spyware, worms, and viruses.


Analyzing the risks a business faces is an enormous task. A risk analysis first identifies the organization's inherent risk exposure, that is, the exposure before any controls are applied. Developing the risk assessment with an information systems expert will identify the risks. The resulting report gives the probability and expected frequency of each threat, together with the dollar value of the potential losses. Each organization's risks are unique, ranging from embezzlement to power grid failures. Knowing the risks involved in conducting business, and planning for dangers that cannot be foreseen, can significantly reduce losses.


RISK ASSESSMENT

A risk assessment identifies and analyzes potential risks to an organization's information systems. It is a critical step in developing a security plan, because it ranks the risks and points to the most cost-effective way of treating each one. The assessment should produce the following:


  • The risks to the organization's information systems

  • The probability of the risk occurring

  • The potential losses associated with the risk

  • The most significant risks

  • The most cost-effective strategies to mitigate the risks


Address the risks the assessment ranks highest by developing a security plan. The security plan outlines the strategies that mitigate those risks and the procedures to follow during a data breach.
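The probability, frequency, and dollar-loss figures the assessment produces are usually combined into an annualized loss expectancy (ALE) so that risks can be ranked and a proposed control can be compared against what it saves. The following is an added example, not code from the original post; the risk register, dollar values, and control names are constructed for illustration and the ALE formulas are the standard ones (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence).

```python
"""Quantitative risk assessment: rank risks by annualized loss expectancy
(ALE) and check whether a proposed control pays for itself.

    SLE = asset value x exposure factor     (loss from one incident)
    ALE = SLE x ARO                          (expected loss per year)

Added example with a constructed risk register; all dollar figures and
rates are illustrative, not taken from any real assessment.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollars
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annual rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control cuts ARO
    ef_reduction: float = 0.0   # fraction by which it cuts the exposure factor


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains after the control is in place."""
    return (risk.asset_value * risk.exposure_factor * (1 - control.ef_reduction)
            * risk.aro * (1 - control.aro_reduction))


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided minus what the control costs per year; positive = worth buying."""
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Most significant risk (highest ALE) first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def choose_controls(risks, candidates) -> dict[str, Optional[Control]]:
    """Pick, per risk, the candidate with the highest positive net benefit.

    None means no candidate pays for itself: accept the risk or transfer it
    (insurance) rather than buy a control that costs more than it saves.
    """
    chosen = {}
    for risk in risks:
        best = max(candidates.get(risk.name, []),
                   key=lambda c: net_benefit(risk, c), default=None)
        chosen[risk.name] = best if best is not None and net_benefit(risk, best) > 0 else None
    return chosen


# Constructed sample register (illustrative values only).
RISKS = [
    Risk("ransomware on file server", 500_000, 0.6, 0.2),
    Risk("lost unencrypted laptop", 80_000, 0.5, 1.0),
    Risk("power grid outage", 200_000, 0.1, 0.5),
    Risk("embezzlement", 150_000, 1.0, 0.05),
]
CANDIDATES = {
    "ransomware on file server": [
        Control("offline backups and restore drills", 15_000, ef_reduction=0.9),
        Control("endpoint detection and response", 30_000, aro_reduction=0.5),
    ],
    "lost unencrypted laptop": [Control("full-disk encryption", 5_000, ef_reduction=0.95)],
    "power grid outage": [Control("UPS and generator", 25_000, aro_reduction=0.9)],
    "embezzlement": [Control("dual approval for payments", 2_000, aro_reduction=0.8)],
}


def assessment_report(risks=RISKS, candidates=CANDIDATES) -> list[dict]:
    """One row per risk, highest ALE first, with the chosen control (if any)."""
    chosen = choose_controls(risks, candidates)
    rows = []
    for r in rank_risks(risks):
        c = chosen[r.name]
        rows.append({
            "risk": r.name,
            "ale": round(r.ale),
            "control": c.name if c else None,
            "residual_ale": round(residual_ale(r, c)) if c else round(r.ale),
            "net_benefit": round(net_benefit(r, c)) if c else 0,
        })
    return rows


if __name__ == "__main__":
    for row in assessment_report():
        print(row)
```

In the constructed register the generator for the power grid risk costs more per year than the outage is expected to cost, so the report leaves that risk with no control: the right answer there is to accept or insure it, which is exactly the "most cost-effective strategy" the assessment is meant to surface.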


SECURITY POLICY

After reviewing the risk assessment, an organization can compose enforceable security policies. Security policies define the measures that secure business information systems and equipment. They answer who or what controls those measures and equipment, what level of risk is acceptable, and how the policy will be carried out and enforced. The security policy is the baseline for all other policies. Enforceable policies reduce the risk of loss and establish accountability when a loss occurs; consistent and unbiased enforcement makes them more effective still.


DATA PROTECTION POLICIES

Data protection policies set out the procedures for handling sensitive data. Sensitive data is any data that could cause harm if it falls into the wrong hands: personal information, financial information, and proprietary business information. The policy defines who may access sensitive data, how it is stored and transmitted, and how it is disposed of, and it sets out the procedures to follow during a data breach. Handling sensitive data properly reduces both the likelihood and the impact of a data breach.


DATA RETENTION POLICIES

Data retention policies define how long each category of data must be kept and when and how it is disposed of. Keeping data longer than needed increases the risk of a data breach, because data that no longer exists cannot be stolen. Data that is no longer needed should be disposed of securely. The policy sets out the disposal procedures, including shredding paper documents and securely deleting electronic files, and the procedures for archiving essential data that requires longer retention. Two points deserve attention when writing the disposal procedures: retention applies to backup copies as well as to live data, and on solid-state and cloud storage overwriting a file does not reliably erase it, so data should be encrypted at rest and disposed of by destroying the key or by using the storage provider's sanitization process. A data retention policy helps minimize the risk of data breaches.
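A retention policy only reduces risk if it is actually applied to the data on hand, and the dangerous cases are the exceptions: records under legal hold must never be deleted however old they are, and records whose category is unknown should not be deleted by default. The following added example (not code from the original post) evaluates a constructed inventory against constructed per-category rules and produces the dry-run plan a data owner would sign off before anything is destroyed; the categories, retention periods, and file names are assumptions.

```python
"""Retention-policy evaluation for an inventory of records.

Added example: given per-category retention rules and a file inventory,
decide what to keep, archive, or delete, never touching anything under
legal hold. The categories, rules, and inventory are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Rule:
    keep_days: int          # how long the record must be retained
    archive: bool = False   # True: move to long-term archive at expiry instead of deleting


@dataclass(frozen=True)
class Record:
    path: str
    category: str
    created: date
    legal_hold: bool = False


# Constructed rules: short retention for logs, longer for personal and financial data.
RULES = {
    "web-logs": Rule(keep_days=90),
    "customer-pii": Rule(keep_days=365 * 2),
    "financial": Rule(keep_days=365 * 7, archive=True),
}


def decide(record: Record, rules: dict[str, Rule], today: date) -> str:
    """Return 'hold', 'keep', 'archive', or 'delete' for one record.

    Legal hold always wins. Unknown categories are kept: deleting data whose
    classification is unknown is the wrong default, and it is a finding for
    the data owner to classify it.
    """
    if record.legal_hold:
        return "hold"
    rule = rules.get(record.category)
    if rule is None:
        return "keep"
    expires = record.created + timedelta(days=rule.keep_days)
    if today < expires:
        return "keep"
    return "archive" if rule.archive else "delete"


def plan(records: list[Record], rules: dict[str, Rule], today: date) -> dict[str, list[str]]:
    """Group record paths by action. This is the dry run a reviewer signs off;
    the 'delete' list must also be applied to backup copies of the same records."""
    out = {"hold": [], "keep": [], "archive": [], "delete": []}
    for r in records:
        out[decide(r, rules, today)].append(r.path)
    return out


# Constructed inventory.
INVENTORY = [
    Record("logs/access-2023-11.log", "web-logs", date(2023, 11, 30)),
    Record("logs/access-2024-05.log", "web-logs", date(2024, 5, 31)),
    Record("crm/export-2021.csv", "customer-pii", date(2021, 3, 1)),
    Record("crm/export-2021-litigation.csv", "customer-pii", date(2021, 3, 1), legal_hold=True),
    Record("finance/ledger-2016.xlsx", "financial", date(2016, 12, 31)),
    Record("finance/ledger-2023.xlsx", "financial", date(2023, 12, 31)),
    Record("misc/unknown.dat", "uncategorised", date(2015, 1, 1)),
]

TODAY = date(2024, 6, 15)  # fixed "today" so the plan is reproducible


if __name__ == "__main__":
    for action, paths in plan(INVENTORY, RULES, TODAY).items():
        print(action, paths)
```

The "delete" list is the input to the secure-deletion step, not the step itself: for files on encrypted volumes or in cloud storage, destroying the encryption key or invoking the provider's sanitization is the reliable form of erasure, and the same list must be applied to the backups that hold copies of those records.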


ACCEPTABLE USE POLICIES

An acceptable use policy sets out how users may use the company's equipment and software. It defines which administrative permissions users receive when a device is set up, covers the use of devices such as computers, laptops, and phones and the software installed on each, and regulates information access: for example, the policy states which information is accessible to each group of users. Violations of the policy have clearly stated consequences. Having and enforcing an acceptable use policy prevents or minimizes security leaks.


SECURING INFORMATION RESOURCES

Securing and maintaining information assets is a priority for businesses. Unfortunately, data breach losses continue to rise as organizations move to internet-based computing. According to IBM Security and Ponemon Institute (2021), identifying and containing a data breach took an average of 287 days, one week longer than in 2020. Remote work adoption made breaches harder to detect and contain. As the world struggled to adapt to the pandemic, criminals exploited system vulnerabilities. Based on these findings, the best strategy is an information technology architecture that assumes the system has already been compromised: the zero trust approach, which verifies every user and device on every request instead of trusting anything because it is inside the network, and which the same report found was associated with lower breach costs. Such an architecture limits the damage a breach can do rather than relying on keeping every attacker out.

Information systems can be more secure using the following software and hardware resources:


  1. Server Location(s) & Configuration(s)

  2. User Authentication & Permissions

  3. Encryption

  4. Virtual Private Networks

  5. Proxy Networks

  6. Wireless Router Firmware & Configuration

  7. Antivirus Software

  8. Malware Blocking Software

  9. Advertisements & Tracking Blocking Software

  10. Server Back-ups


DISASTER RECOVERY

How will your information system be secured in a major disaster? Major disasters include hurricanes, tornadoes, floods, fires, earthquakes, civil unrest, and war. Several of these are becoming more frequent and more severe. It is not enough to back the system up. Businesses must back the system up frequently, store the backups securely offsite, and periodically restore from them to prove that the backups work. Determining when, where, and how to recover information resources can mean the difference between your company surviving the event and going bankrupt in the aftermath.


Disaster recovery is the recovery of data and information resources during and after a disaster. It includes backing up data and storing it offsite, planning how data will be recovered, and notifying customers and stakeholders in the event of a data breach. Disaster recovery is a critical component of information systems security: it ensures business continuity and minimizes the risk of data loss.
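An offsite backup is only a recovery capability if it can be restored intact, so a practitioner pairs each backup with a checksum manifest kept separately from the archive and runs a restore drill against it. The following added example (not code from the original post) shows that cycle on a constructed directory tree: it builds the archive and manifest, restores into a scratch directory, verifies every file, then corrupts one restored file to show the check catching it. It also refuses archive entries that would write outside the restore directory, a classic tar extraction hazard. File names and contents are constructed sample data.

```python
"""Backup with an integrity manifest and a restore drill.

Added example: a backup is only useful if it restores cleanly, so this
pairs the archive with a SHA-256 manifest, restores into a scratch
directory and compares every file. All file names and contents are
constructed sample data.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict[str, str]:
    """Map each file's path (relative, POSIX separators) to its SHA-256."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write a tar.gz of src and return its manifest.

    Keep the manifest apart from the archive (with the offsite copy's
    metadata, for example) so that whoever can alter the archive cannot
    also rewrite the checksums it will be checked against.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def _safe_members(tar: tarfile.TarFile, dest: Path):
    """Yield members, rejecting any that would escape dest (tar path traversal)
    and any symlink/hardlink entries, which this backup format never contains."""
    dest = dest.resolve()
    for m in tar.getmembers():
        target = (dest / m.name).resolve()
        if m.name.startswith("/") or (target != dest and dest not in target.parents):
            raise ValueError(f"unsafe archive member: {m.name}")
        if m.issym() or m.islnk():
            raise ValueError(f"link entries not allowed in this backup: {m.name}")
        yield m


def restore(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        members = list(_safe_members(tar, dest))
        # Python 3.12 (and security backports) add filter="data"; use it when present.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, members=members, filter="data")
        else:
            tar.extractall(dest, members=members)


def verify(dest: Path, manifest: dict[str, str]) -> list[str]:
    """Return paths that are missing or whose content differs from the manifest."""
    bad = [rel for rel, digest in manifest.items()
           if not (dest / rel).is_file() or sha256_file(dest / rel) != digest]
    return sorted(bad)


def restore_drill() -> tuple[list[str], list[str]]:
    """Back up a constructed tree, restore it, verify; then corrupt one
    restored file and verify again. Returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        src, work, dest = Path(tmp, "src"), Path(tmp, "work"), Path(tmp, "restore")
        (src / "data").mkdir(parents=True)
        work.mkdir()
        (src / "data" / "ledger.csv").write_text("2024-01-02,invoice,1200.00\n")
        (src / "config.ini").write_text("[db]\nhost=db.internal\n")
        archive = work / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        restore(archive, dest)
        clean = verify(dest, manifest)
        # Simulate silent corruption of the restored copy.
        (dest / "data" / "ledger.csv").write_text("2024-01-02,invoice,0.00\n")
        corrupted = verify(dest, manifest)
    return clean, corrupted


if __name__ == "__main__":
    print(restore_drill())  # ([], ['data/ledger.csv'])
```

In production the same `verify` step runs against a restore of the offsite copy on a schedule, and the manifest is what makes a restore drill a pass/fail test rather than a visual inspection. Encrypting the archive before it leaves the premises is a separate step not shown here.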


DEVELOPING A DISASTER RECOVERY PLAN

A disaster recovery plan outlines the procedures to follow during a disaster. It should include the following:


  • A list of potential disasters

  • Procedures for backing up data and storing it offsite

  • Procedures for recovering data in the event of a disaster

  • A list of essential personnel and their roles in the recovery process

  • Contact information for emergency services and disaster recovery services

  • Procedures for notifying customers and stakeholders in the event of a data breach


Having a disaster recovery plan in place helps minimize the risk of data loss and ensures business continuity in the event of a disaster. Test the plan on a schedule: a backup that has never been restored is an untested assumption, not a recovery capability.


CONCLUSION

Securing information protects the solvency of a business. Therefore, controlling the organization's information assets, including information acquired incidentally in the course of business, is essential. Securing a business information system goes beyond security software: well-chosen hardware and software configurations add a layer of protection. In addition, defining policies and procedures, and enforcing them for every person and foreseeable event in the information life cycle, protects your organization from disaster.


ACKNOWLEDGEMENTS

Sondra Hoffman revised this blog post in collaboration with AI technology. The AI large language model developed by OpenAI, called ChatGPT, was used to generate ideas, generate an outline, and assist with graphics.


Any AI-generated text has been reviewed, edited, and approved by Sondra Hoffman, who takes full responsibility for the content of this publication.


ABOUT THE AUTHOR

Sondra Hoffman is a seasoned MIS professional with over ten years of experience in strategic planning, implementation, and optimization of MIS solutions. She is passionate about helping small businesses thrive through technology and data management. Connect with her on LinkedIn to learn more about her professional background.


CONTACT ME

Contact me today for a consultation on improving your existing information system. Cost-effective approaches are available to drive your business with data.



REFERENCES

IBM Security & Ponemon Institute. (2021, June). Cost of a data breach report 2021. IBM Corporation. https://www.ibm.com/security/data-breach

