
Saturday, May 2, 2020

Identifying the Potential Threats in Relation to the Chief Information Security Officer

Question: You are the Chief Information Security Officer (CISO) for a large multinational enterprise with a very large collection of intellectual property that represents a major portion of your business holdings. What are the threats against your corporate network, where do they come from, and what do you need to mitigate against them?

Answer:

Introduction

Risk assessment examines the measures by which risk in a given workplace can be controlled. Organizations put effective policy in place so that workplace risk is reduced and a better environment is provided to employees; under risk assessment both the qualitative and the quantitative value of each risk is determined. Four processes, exposure identification, review of impact, risk evaluation and application of controls, allow workplace activities to be managed effectively. This report focuses on identifying the potential threats that concern a Chief Information Security Officer and on finding solutions to gauge those threats.

Policy Profile

The CISO of a multinational company is responsible for keeping the organization protected from threats to its many intellectual property collections. This matters because a large part of the business consists of intellectual property such as cash trades, online marketing and targeting data, and communications with shareholders. As per Fitzgerald (2007), the CISO is a senior-level executive accountable for aligning security initiatives so that the technologies and information assets of the business are protected.
On the other hand, Gaines and Oringer (2012) state that a CISO has duties and responsibilities such as:

- forming and enforcing security-related policies
- ensuring data privacy
- administering regulatory compliance
- working with other executives to develop plans for business continuity and disaster recovery
- establishing the security architecture of the organization
- managing the company's computer security

Apart from that, the CISO delivers consulting on information security throughout the organization so that the effect of risk is minimized, and implements the information security programme. As per Gilbert (2012), around 60% of organizations benefit from a Chief Information Security Officer in securing their important data. The CISO therefore carries out these activities with full determination in order to provide long-run benefit to the organization. Further, the CISO considers both physical and technological aspects when protecting the organization and workplace from probable threats such as health and safety risks or wasted resources. Gray (2006) notes that the technological aspects can be communications, IT systems and software applications, which are used for assessing risk in the organization. The CISO also takes responsibility for security management activities so that each department can be protected from risk or threats, and provides training and development so that staff remain aware of rising risks, handle them effectively and know which antivirus products to rely on, so that a secure environment is formed.
Tina (2012) proposes the following responsibilities for a CISO:

Responsibilities of the CISO

- Organization representative: the CISO acts on behalf of the organization and provides relevant information about the security strategy to customers, partners and shareholders.
- Plan and test: the CISO plans an information security programme to protect the organization from risk and tests whether the programme delivers better results; if it does, the CISO recommends it to senior management.
- Law enforcement agencies: the CISO deals with law enforcement agencies so that threats and risks can be monitored and action taken (Freeman, 2007), and can track theft committed by employees.
- Security procedures and policies: the CISO develops procedures and policies for information system security, databases and staff training.
- Balanced security: the CISO balances security across all levels of the organization so that work can be carried out in the most productive way.

Profile Completion

The problems registered while working as a chief information security officer relate to poor e-mail standards, theft of tax records, gaps between protection and monitoring, social engineering, an ineffective network, and so on. The further problems that occur in the workplace are:

- Virus: information in the database is damaged and confidential files are corrupted. The report cites around $1.2 billion of damage done within 15 days over the internet.
- Blended attacks: the hacker or cyber criminal combines different methods to crack the organization's security system (Gottschalk, 2002).
- Phishing: shareholders, employees and customers lose faith in the IT systems implemented by the company.
- Application-specific attacks: the cyber criminal uses SQL injection to steal valuable data such as customer details and employees' total production figures.
Problems

Threat 1: Virus. According to Hunter (2011), the frequency of sharing is the prime threat affecting the company. Around 72% of business houses receive offensive or threatening e-mails, and a recent DTI survey found that the share of e-mail threats has risen to 83 percent. Symantec's security threat report states that worms and Trojan horses are heavily involved in damaging corporate documents. Further, as a CISO it has been identified that backdoor malware causes greater difficulty by running code that damages the company database (Armstrong, Simer and Spaniol, 2011).

Threat 2: Blended attacks. A blended attack is a combination of hacking and phishing. It makes the company lose valuable data such as product or equipment budgets or customer details.

Threat 3: Phishing. Phishing is also considered a highly effective threat and is mostly connected with the banking sector: customers are sent messages while they transact, and their IDs and passwords are then used for other purposes, such as filling in bank forms online. As a chief information security officer it has been noticed that worms or viruses damage remote systems and erase data (Cresson Wood, 2002); worms also send large volumes of mail into the enterprise mail server, through which important company files can be attacked. Criminals using phishing can therefore obtain sensitive information such as credit card details, passwords or usernames, and important data can be stolen (Dlamini, 2013).

Threat 4: Hacking. Attackers hack in order to erase or steal information for their own purposes or just for fun. Hackers use SQL injection to get past the company's security system so that confidential information can be accessed and published.
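Threat 4 and the application-specific attack listed under Profile Completion both turn on SQL injection. The following Python script is an added illustration and not code from the original report: it builds a constructed in-memory SQLite customer table, shows the string-built login query that the attack exploits beside a parameterised query that defeats it, and runs a tautology payload and a comment-truncation payload through both. The table name, column names, sample rows and payloads are all assumptions made for the demo.

```python
"""Added example (not code from the original report): the SQL injection
behind the "application-specific attack", shown against a constructed
SQLite customer table, with the vulnerable query beside its parameterised fix."""
import sqlite3


def make_db():
    """Build an in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, password TEXT, card_last4 TEXT)")
    # Passwords are stored in clear only to keep the demo short; real systems store hashes.
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [(1, "alice@example.com", "correct-horse", "1234"),
         (2, "bob@example.com", "hunter2", "9876")],
    )
    return conn


def login_vulnerable(conn, email, password):
    """Builds the statement by string formatting: attacker input becomes SQL."""
    sql = ("SELECT id, email, card_last4 FROM customers "
           f"WHERE email = '{email}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, email, password):
    """Binds the values as parameters: attacker input stays data, never SQL."""
    sql = ("SELECT id, email, card_last4 FROM customers "
           "WHERE email = ? AND password = ?")
    return conn.execute(sql, (email, password)).fetchall()


# Two classic payloads (assumed for the demo).
# Tautology: closes the password literal and appends OR '1'='1', true for every row.
TAUTOLOGY = "' OR '1'='1"
# Comment-out: closes the email literal and comments out the password check entirely.
COMMENT_OUT = "alice@example.com'-- "


def demo():
    """Run both queries against both payloads and report what each returns."""
    conn = make_db()
    return {
        "vulnerable_tautology": len(login_vulnerable(conn, "nobody@example.com", TAUTOLOGY)),
        "safe_tautology": len(login_safe(conn, "nobody@example.com", TAUTOLOGY)),
        "vulnerable_comment_out": [row[1] for row in login_vulnerable(conn, COMMENT_OUT, "wrong")],
        "safe_comment_out": len(login_safe(conn, COMMENT_OUT, "wrong")),
        "legitimate": len(login_safe(conn, "alice@example.com", "correct-horse")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable function the tautology payload returns every customer row, including card digits, and the comment-out payload logs in as alice without her password; the parameterised function returns nothing for either and still accepts the genuine credentials. Note that sqlite3's execute() refuses stacked statements, so a "; DROP TABLE" payload raises an error here, but other drivers accept them, so that is not a defence to rely on; parameter binding is.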
Hackers try to break into the system so that details about customers, employees, strategic plans and worksheet plans can be stolen and used for their own business (Fitzgerald, 2007). It has also been observed while engaged as CISO that many marketers were willing to invest in protection against hacking so that their workplace stays safe and secure. Further, hackers create a breach so that information can be stolen while it is being shared over the network (Gray, 2006).

Solutions

To protect important documents and files from these threats, the IT security department can build the following layers:

First layer: prevention technology, such as the RSS method, can be effective for group members in flagging suspect elements. Anomalous requests received in e-mails have to be monitored (Böhme, 2013), and an intrusion prevention system is useful in recognising threats because it monitors unexpected entries and data traffic.

Second layer: a defence against viruses is added. When an antivirus system is installed, backdoor prevention has to be activated so that no virus can enter the system (Warley, 2011), and a security management system has to be implemented for better protection from malicious threats and viruses.

Third layer: the internet security system has to be enforced so that vulnerabilities are acknowledged alongside business opportunities. Using that calculation, the system is installed and the relevant vulnerabilities are selected for protective measures, which lowers the risk (Coronado, 2012) and brings external security threats under control.
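The first layer above calls for monitoring anomalous requests that arrive by e-mail, and Threat 3 describes the phishing messages that such monitoring should catch. The script below is an added example, not code from the report or from any product it names: it parses two constructed messages with Python's standard email module and flags three signals of a phishing request, a Reply-To domain that differs from the From domain, a link whose visible text names a different host than its href, and body text that asks for credentials or bank details. The sample messages, domains and keyword list are assumptions; a production filter would add many more signals.

```python
"""Added example (not from the original report): a first-layer check for
anomalous requests arriving by e-mail, run over two constructed messages."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases a phishing mail uses to ask for secrets (assumed keyword list).
CREDENTIAL_WORDS = re.compile(
    r"\b(password|passcode|bank account|account number|sort code|card number)\b",
    re.IGNORECASE,
)
# <a href="...">label</a>; sufficient for the simple HTML used in the samples.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# A host name appearing inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)
TAG = re.compile(r"<[^>]+>")


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _name, address = parseaddr(str(header_value))
    return address.rpartition("@")[2].lower()


def analyse(raw_message):
    """Return a list of human-readable findings; an empty list means no signal fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Signal 1: replies are routed to a domain other than the visible sender's.
    from_domain = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(
            f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""

    # Signal 2: the link text shows one host while the href points at another.
    for href, label in ANCHOR.findall(text):
        href_host = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(label)
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"link text shows {shown.group(1)} but points at {href_host}")

    # Signal 3: the message asks the reader to hand over credentials or bank details.
    if CREDENTIAL_WORDS.search(TAG.sub(" ", text)):
        findings.append("body asks for credentials or bank details")
    return findings


# Constructed sample messages (not real mail). The first mirrors the
# "IT Service Desk Support" lure described later in the report; 203.0.113.10 is a
# documentation address and example.ac.uk / example.net are placeholder domains.
PHISH = """\
From: IT Service Desk <helpdesk@example.ac.uk>
Reply-To: desk-support@mail-verify.example.net
To: student@example.ac.uk
Subject: IT Service Desk Support
Content-Type: text/html

<p>Your university email account must be upgraded within 24 hours.</p>
<p>Confirm your password and bank account details at
<a href="http://203.0.113.10/upgrade">https://it.example.ac.uk/upgrade</a>.</p>
"""

LEGIT = """\
From: Library <library@example.ac.uk>
To: student@example.ac.uk
Subject: Loan due reminder
Content-Type: text/plain

Your loan is due on Friday. Renew at https://library.example.ac.uk/renew if needed.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse(raw) or ["no findings"])
```

Running the script reports all three findings for the first message and none for the second. The Reply-To and link-host checks are cheap header and body comparisons, which is what makes them suitable for a first layer; the keyword check will fire on legitimate account notices too, so it should raise a score for review rather than block on its own.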
Situational Crime Prevention Framework

The framework is valuable in forming strategies so that viruses, phishing and blended attacks can be prevented.

Existing approaches to situational prevention

The framework is effective in building internal connections among an organization's security breaches. According to Garber (2012), situational crime prevention develops an instrumental fusion that allows activity to be structured across traditional and organizational crime. The situational lens can help the organization scan for malicious code or virus activity that hackers deliver by e-mail. On the other hand, MacGillivray (2013) mentions that the spillover effect can be useful in limiting future security breaches in the selected multinational enterprise, so the organization can track information about stolen data, products and so on through the prevention framework. Michael (2012) points out that situational crime prevention develops a hypothesis-based structure of knowledge that helps direct staff in their routine work; flexibility increases, proper security can be maintained and the effect of external threats is lowered. Oshri, Kotlarsky and Hirsch (2007) discuss that providing assistance and guidance to others is valuable in avoiding a number of security attacks on information technology systems. Situational crime prevention can therefore be effective in controlling security problems in the workplace of an MNC, and the framework can guide the CISO in involving staff so that the illegal activities of hackers and cyber attackers are monitored more closely.
Law

Multinational Enterprise Current Law

Privacy and Electronic Communications Regulations 2003: organizations can adopt the system under section 11 of the Data Protection Act, which helps individuals control their security whenever unexpected mail arrives from direct marketers. The regulations also govern the use of electronic communications such as cold calls, texts and e-mails when these are employed for marketing (Padayachee, 2012).

Terrorism Act 2006: the Act sets out a wide array of offences relating to information security and terrorism. According to the cited source (Cs.jhu.edu, 2015), section 19 of the Act requires organizations to disclose the rate of hacking against their IT systems.

Malicious Communications Act 1988: the Act makes it an offence to send communications intended to cause distress or anxiety. The report reads it as requiring that, before any data is sent to other parties, malicious activity has to be addressed so that it does not affect other networks or systems, and that information can therefore be transferred in a more secure manner.

Proposed Laws for Multinational Organizations

Privacy and Electronic Communications Regulations 2011: under this amendment a CISO can maintain and secure information in a much better way. The 2011 amendment obliges companies to obtain consent for the use of cookies on websites and social sites, and covers mail received at the mail server (Sans.org, 2015), so a more secure information system can be developed.

Digital Economy Act 2010: this Act can assist the company in regulating the appropriate media for preventing threats whenever information is shared within the network, or when market opportunities are taken up through social networking websites (Tina, 2012).
The Act also deals with online issues such as the obligations of internet service providers, and so can help in handling the company's online security.

International Scope

Viruses: the problem of viruses is faced by domestic and international industries alike, and a virus attack seriously damages a company's important information. For instance, in 1988 the Morris worm infected around 10% of the roughly 60,000 computers then connected to the internet, about 6,000 machines, and gained access to the data held on them (Gilbert, 2012). Many industries around the world were therefore left with missing files. Other malware such as Trojan horses, Mapson and Trile.C continues to damage the computer systems of organizations worldwide.

Phishing: phishing is also one of the major international problems affecting the information security of companies worldwide. For instance, in January 2015 a Cornell University student received an e-mail with the subject "IT Service Desk Support" which required the student to upgrade their personal university e-mail account and asked for bank account details in the body of the mail (Bristol.ac.uk, 2015). Phishing can therefore reach global companies as well and make them do whatever the cyber criminals feed them.

Hacking: hacking is one of the prime threats globally, and much of the banking industry is subjected to it. Hackers try to enter banking systems to exploit the information, either using it for their own purposes or destroying it, so many banks are actively involved in anti-hacker programmes to safeguard their information from illegal access (Gilbert, 2012).
For instance, the New York Times internal network was hacked in 2002 and information was accessed from the NYT database, and Mark Zuckerberg's personal Facebook page was hacked in 2013 (Dlamini, 2013).

Blended attacks: blended attacks have risen internationally in recent years, and because of them many small firms cannot secure their servers, so attackers get into the system and access data. For example, in October 2010 a piece of malware named Zeus Mitmo was discovered that defrauded web banking users: the attackers obtained the authentication code sent by the bank and emptied customers' accounts (Bullguard.com, 2015). Cyber criminals can therefore send malware to any location by e-mail or instant message to get into the information systems of users or companies for their own benefit. Other viruses such as the Love Bug also have the potential to destroy information.

Conclusion

From the whole report it can be concluded that the information security system should be the prime focus in protecting files and documents from the potential threats of hacking, blended attacks, phishing and viruses. The report has concentrated on understanding the possible effect of these threats and on proposing solutions that can lower the impact of those online threats. The role of the Chief Information Security Officer is important in addressing threats that can hamper the industry, its various departments and the workplace as a whole. Apart from that, the situational crime prevention framework is effective in acknowledging possible threats and has provided ideas that help mitigate information security risk; it has also helped the CISO identify threats and train staff in tackling them.
Further, the current and proposed laws are valuable in facing internet challenges, and the international scope has been studied to understand the impact of online threats.

References

Armstrong, S., Simer, L., & Spaniol, L. (2011). Models of technology management at the community college: The role of the chief information officer. New Directions for Community Colleges, 2011(154), 87-95. doi:10.1002/cc.449
Böhme, R. (2013). The Economics of Information Security and Privacy. Berlin, Heidelberg: Springer.
Bristol.ac.uk (2015). Retrieved 4 February 2015, from https://www.bristol.ac.uk/media-library/sites/infosec/migrated/documents/guide.pdf
Bullguard.com (2015). Rise of the blended attacks. Retrieved 4 February 2015, from https://www.bullguard.com/bullguard-security-center/internet-security/internet-threats/rise-of-the-blended-attacks.aspx
Coronado, A. (2012). Corporate Computer and Network Security. Journal of Information Privacy and Security, 8(4), 81-84.
Cresson Wood, C. (2002). Don't Let Role of Information Security Policies in the Arthur Andersen/Enron Case Go Without Mention to your Chief Executive Officer. Computer Fraud & Security, 2002(5), 11-13. doi:10.1016/s1361-3723(02)00513-4
Cs.jhu.edu (2015). Retrieved 4 February 2015, from https://www.cs.jhu.edu/~rubin/courses/sp07/Reading/newlawis.pdf
Dlamini, R. (2013). The role of the strategic and adaptive Chief Information Officer in higher education. Education and Information Technologies. doi:10.1007/s10639-013-9269-5
Fitzgerald, T. (2007). Clarifying the Roles of Information Security: 13 Questions the CEO, CIO, and CISO Must Ask Each Other. Information Systems Security, 16(5), 257-263. doi:10.1080/10658980701746577
Freeman, E. (2007). Regulatory Compliance and the Chief Compliance Officer. Information Systems Security, 16(6), 357-361. doi:10.1080/10658980701805050
Gaines, A., & Oringer, A. (2012). ERISA. New York, NY: Practising Law Institute.
Garber, L. (2012). Security, Privacy, and Policy Roundup. IEEE Security & Privacy, 10(2), 15-17.
Gilbert, F. (2012). Thirteenth Annual Institute on Privacy and Data Security Law. New York, NY: Practising Law Institute.
Gottschalk, P. (2002). The role of the Chief Information Officer in formal strategic information systems planning. International Journal of Technology, Policy and Management, 2(2), 93. doi:10.1504/ijtpm.2002.001760
Gray, P. (2006). Manager's Guide to Making Decisions about Information Systems. Hoboken, NJ: John Wiley & Sons.
Hunter, M. (2011). Identifying Issues of the Chief Information Officer Role through Qualitative Interviews. International Journal of Sociotechnology and Knowledge Development, 3(2), 42-52. doi:10.4018/jskd.2011040104
MacGillivray, B. (2013). Heuristics Structure and Pervade Formal Risk Assessment. Risk Analysis, 34(4), 771-787.
Michael, K. (2012). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Computers & Security, 31(2), 249-250.
Oshri, I., Kotlarsky, J., & Hirsch, C. (2007). Information security in networkable Windows-based operating system devices: Challenges and solutions. Computers & Security, 26(2), 177-182.
Padayachee, K. (2012). Taxonomy of compliant information security behavior. Computers & Security, 31(5), 673-680.
Sans.org (2015). Retrieved 4 February 2015, from https://www.sans.org/reading-room/whitepapers/assurance/mixing-technology-business-roles-responsibilities-chief-information-security-of-1044
Tina, T. (2012). Certified Chief Information Security Officer (CCISO) Secrets to Acing the Exam and Successfully Finding and Landing Your Next Certified Chief Information Security Officer (CCISO) Certified Job. Dayboro: Emereo Publishing.
Warley, R. (2011). Juvenile Homicide. El Paso: LFB Scholarly Publishing LLC.
