Strategic Information Security for Apple Company
Introduction
Strategic information security is a critical area within the current rapidly transforming IT environment. It is necessary to establish the kinds of risks to information security facing a company and the ways of managing those risks (Wylder 2003). A strategy is necessary for defining the goals and objectives relating to information security and the ways of achieving them. Strategic information security relates to setting long-term goals and objectives and identifying the directions, the necessary resources, and the barriers to their achievement. Thus, companies should have in place an information security strategic plan to ensure that their information systems are monitored and managed for possible risks (Doherty and Fulford 2006). Therefore, the discussion relates to strategic information security at Apple Company, one of the leading technology firms in the world, as well as the current situation of the company in terms of controlling risk, protection mechanisms, personnel and security, and law and ethics, together with a report on the potential of the PRTG Network Monitor for the company.
Controlling Risk
Controlling risks involves the steps taken by the company in monitoring and managing threats to its information systems. The focus is normally on the main controls as well as the control functions and the policy in place within the company relating to the management of risks to information security (Xu et al. 2011). Being a company within the technology world, Apple has put serious measures in place to ensure that risks to the company's information systems are controlled. The corporate structure of the company plays an important role in controlling risks. The company has to ensure that it deals with the potential risks that might negatively affect its operations, including its information. The company is among the firms that implement the five important ways of controlling risks: "acceptance, avoidance, transference, mitigation, and exploitation" (Anderson and Moore 2006, p. 611). Which approach is taken depends on the nature of the risk.
Risk acceptance means accepting a risk while recognizing it and including it in the risk management system. It implies that the risk is not major enough to require action. The management accepts that the risk might occur and is prepared to deal with it if it does (Belanger and Van Slyke 2011). The strategy is adopted for minor risks that would not have a major impact on the project or the information systems of the company and might not be worth spending many resources on. These are risks that are easy to address if they occur.
Avoidance of risk is another common strategy adopted by Apple, depending on the nature of the risk. The strategy is applied when the impact on the company would be severe if the risk occurred. A good example of such a situation is avoiding the risk of changing the information system at a time when the company is busy launching a new product (Whitman and Mattord 2011). Instead, the system can be changed after the launch is complete, when the resources of the company can be committed to only one process.
Transfer of the risk is another strategy commonly used within the company. The strategy is popular in information projects with many players, especially when the company is developing and launching a new product. The risk and its impact are transferred to another person or another department (Belanger and Van Slyke 2011). For instance, the company may transfer the risk to a third party writing its software code. In this case, the third party takes part in managing the risk involved in developing the code.
Depending on the risk, the company also uses the strategy of mitigating it. The technique is basically a risk management approach in which the management seeks to limit the impact of the risk once it occurs (Whitman and Mattord 2011). In developing a new information system, mitigation might involve effective training for the team that will use the system, to reduce the risk to the information it holds.
The company can also exploit a risk to its information. It is possible for a risk to have a positive impact on the company, which can be exploited for its benefit. In such cases, the company will want to maximize the chances of the risk occurring (Mylonas et al. 2011). For instance, where access to information from another company depends on Apple divulging its own information, the company may take this risk to understand the level of competition.
Protection Mechanisms
Security Access Control
Security access control (SAC) is a critical part of ensuring information security at Apple. The approach is necessary to guarantee that access to critical information and information systems is possible only for authorized persons. The company has a lot of information that it wants to secure from unauthorized persons, such as information on an upcoming product. Thus, only authorized persons are allowed into the room or the system where such information is stored (Belanger and Van Slyke 2011). To ensure this control is not compromised, the company has in place various access control measures such as authentication, biometric access control, and authorization.
Authentication is the act of determining a person's identity before allowing access or entry. The main objective is to verify the person or system that wants to interact with an information system. The approach has a second goal, that of collecting information on the manner in which the user accesses the system (Chen and Zhao 2012). Some of the ways Apple authenticates users include a user ID and password, physical security devices like a computer chip, and biometrics.
Apple commonly uses biometric access control to govern access to information systems (Chen and Zhao 2012). Biometrics is the use of personal identifiers such as a retinal scan, voice verification, fingerprints, and palm identification, among others, to verify the user and thus grant access.
Authorization refers to the act of determining a person's or system's level of access. The approach is used when the person is allowed access but with limited privileges (Chen and Zhao 2012). As such, authorization determines what level of access to provide.
Types of Firewalls
Firewalls, the software or hardware used to prevent unauthorized persons from accessing a network, are an essential part of information security at Apple. Apple is one of the leading technology companies in the world. Thus, it is highly networked, which puts the information within the network at risk.
Thus, the company has implemented serious measures, among them the use of firewalls. Some of the firewalls commonly used by the company are packet-filtering firewalls, application-level firewalls, stateful inspection firewalls, and dynamic filtering firewalls (Mylonas et al. 2011).
Packet-filtering firewalls operate on the router. Once a packet is received from the network, the firewall compares it against established criteria (such as permitted packet type, IP addresses, and port number) and then either drops or forwards it (Mylonas et al. 2011). In this way, the firewall secures the network at the router.
Application layer firewalls are hosts that run proxy servers. They do not allow any direct traffic between networks, and they perform detailed logging and examination of the traffic passing through. Because the proxy applications are software running on the firewall, this is the best place to control access to the network. The firewall can also act as a network address translator, since traffic enters an application on one side and leaves through the other (Mylonas et al. 2011). Hence, it masks the origin of the conversation passing through the network, which strengthens security.
Stateful inspection firewalls serve two purposes: examining every packet and keeping track of each packet to establish whether it is part of an initiated TCP session. Any packet that is not part of a session is dropped. This firewall provides a higher level of security than a packet-filtering firewall (Mylonas et al. 2011). However, it makes the network perform a lot of extra work, which might slow it down.
Dynamic filtering firewalls monitor the status of active connections. The firewall uses this information to determine which network packets should be allowed through. It records important information, such as the IP addresses and port numbers of sessions, to decide which packets to allow or bar (Mylonas et al. 2011). In essence, this kind of firewall ensures greater information security than one that uses a static packet filter.
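The following is an added example, not part of the essay and not Apple's code: a toy Python comparison of the packet-filtering and stateful inspection firewalls described above, run over a constructed TCP trace. The LAN prefix, the allowed ports, and the packets are assumptions; the point is that a stateless filter must admit anything shaped like a reply, while the stateful firewall drops a packet that belongs to no session it saw opened.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumed address range of the protected LAN
ALLOWED_SERVICES = {80, 443}  # assumed policy: outbound web traffic only

@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    sport: int   # source TCP port
    dport: int   # destination TCP port
    flags: str   # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def packet_filter(pkt):
    """Stateless rules: each packet is judged on its header fields alone."""
    if is_internal(pkt.src) and pkt.dport in ALLOWED_SERVICES:
        return "forward"  # outbound web request
    # Replies must be admitted by shape alone, so any packet from port 80/443
    # to a high port looks like a reply whether or not a session was opened.
    if not is_internal(pkt.src) and pkt.sport in ALLOWED_SERVICES and pkt.dport >= 1024:
        return "forward"
    return "drop"

class StatefulFirewall:
    """Tracks TCP sessions opened from inside; inbound packets must match one."""
    def __init__(self):
        self.sessions = set()  # (internal ip, port, external ip, port)
    def inspect(self, pkt):
        if is_internal(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S" and pkt.dport in ALLOWED_SERVICES:
                self.sessions.add(key)  # new session initiated from inside
                return "forward"
            return "forward" if key in self.sessions else "drop"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # inbound: flip the tuple
        return "forward" if key in self.sessions else "drop"

def run_trace(trace):
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.inspect(p)) for p in trace]

# Constructed trace: an HTTPS handshake from inside, an unsolicited inbound
# packet shaped like a reply, and an inbound SSH connection attempt.
TRACE = [
    Packet("10.0.0.5", "203.0.113.10", 40000, 443, "S"),
    Packet("203.0.113.10", "10.0.0.5", 443, 40000, "SA"),
    Packet("10.0.0.5", "203.0.113.10", 40000, 443, "A"),
    Packet("198.51.100.7", "10.0.0.5", 443, 40001, "A"),  # no session behind it
    Packet("198.51.100.7", "10.0.0.5", 51515, 22, "S"),   # both firewalls drop
]
if __name__ == "__main__":
    for p, verdicts in zip(TRACE, run_trace(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {verdicts}")
```

Only the fourth packet separates the two designs: the packet filter forwards it because it looks like a web reply, while the stateful firewall drops it because no inside host opened that session.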
Justification of Selection
Use of firewalls is necessary for the information systems at Apple because of the level of interconnection between and within the different branches of the company. Because information is always passing through the network, it helps to have in place measures that ensure unauthorized access does not occur (Portokalidis et al. 2010). Application layer firewalls are used primarily because the company has different networks and different communications going through them. Masking the origin and termination of a conversation is important for the security of the network, as it minimizes the chances of an unauthorized user, person, or system gaining access to the information.
Personnel and Security
Information security for Apple depends on the use of the most qualified information security personnel, carefully selected, trained, and developed. While basic skills in information security are necessary, the company has been interested in individuals who have additional skills in ethical hacking. In particular, ethical hackers have important skills in monitoring, measuring, and responding to security risks and threats in the organization. The person responsible for the information security of the company should be qualified to identify and manage information security risks and to respond to threats when they occur. Having these skills makes it possible for the person to penetrate a network, allowing vulnerabilities to be identified and fixed (Berndtsson 2011). Therefore, the candidate should be knowledgeable about the techniques that can be used by attackers. In addition, the person should have the skills to design information security systems and manage them effectively, should demonstrate knowledge of handling secure networks, and should have knowledge of the regulatory, fiscal, and legal issues relating to information security.
Law and Ethics
Laws are different from ethics as used in information security within organizations. Laws are the rules that an organization adopts and enforces to codify the behaviors expected from its members. Ethics, on the other hand, are founded on the cultural morals of the organization; they are the fixed customs or moral attitudes of a group. Laws differ from ethics in that the former carry the sanction of authority.
Technology has been developing so fast that the legal system has found it hard to catch up. Thus, even at Apple, there have been challenges in establishing laws relating to information security. In some cases, it is hard to draw the thin line between what is legal and what is illegal in regard to information security. However, the company has established some of the things that amount to a crime in relation to information security (Goode 2010). While malicious access to information can amount to an unethical act, stealing information or information tools is a crime and thus illegal. Private law is used within the organization to regulate the use of information. Some of the laws that the company observes include the Computer Security Act of 1987, the Communications Act of 1934, and the Electronic Communications Privacy Act of 1986, among others.
Apple requires a high level of ethical behavior in the use of information systems to ensure security. The people creating and using technology have the responsibility of ensuring that it is used in an ethical manner. Therefore, an ethical framework established by the management of the company guides its use. Some of the ethical concerns within the company are the use of information to harm the company, its employees, or its clients; interference with the company's network; using computers to steal information; and copying or using proprietary software without paying for it, among others (Goode 2010). Such acts might not amount to illegal actions, but they are unethical according to the rules and regulations of the company.
PRTG Network Monitor Report
After using Paessler's PRTG Network Monitor, it becomes easier to identify problems on the network and thus implement effective measures to address them. The Network Monitor monitors not only the local network and the performance of the local personal computer but also the performance of the entire network. The decision to install PRTG Network Monitor was informed by the need to identify problems and limitations within the network before they occur or become detrimental (Song et al. 2012). The information technology infrastructure requires ongoing review to ensure information security. The easy-to-install PRTG Network Monitor points to the areas that require rectification because of possible security issues and limitations, and it informs the user of the safety level of the network.
By using PRTG Network Monitor for 24 hours, it was possible to identify various issues with the local PC and the network. These are problems that could easily be exploited to attack the network. The monitor showed that the installed antivirus scanners were not running as required on the personal computers and that the scanner needed to be updated, since the computers were left vulnerable to virus attacks. The monitor also showed that the Windows operating system was not running the latest version, so it was hard to get the latest security updates (Song et al. 2012). These limitations opened the way to possible attacks that were easy to miss because of the lack of a monitoring system. The monitor also showed unusual CPU and traffic peaks, indicating the potential for an attack. In addition, PRTG Network Monitor indicated suspicious traffic on the network.
The servers on the network had issues that were easily missed because of the lack of an effective monitoring system; they were only identified after PRTG Network Monitor was installed. The monitoring system revealed that some servers would constantly restart at night without the user's notice. Because this occurred at night, the problem was not easy to identify. Storage is another area where PRTG Network Monitor identified a possible limitation (Song et al. 2012): the monitor revealed that the hard disks were almost full, leaving the user vulnerable to running out of space. PRTG Network Monitor also indicated the need to upgrade the network connections because of the increase in bandwidth usage.
Use of PRTG Network Monitor was effective and left room for operational measures to address security issues and limitations. The monitor exposed all the unusual behaviors, with the related sensors switched to the "unusual" status. It allowed effective checking of connections to the network, which made it possible to identify connections that presented a risk because they bypassed the firewall or came from unknown sources. The monitor would also indicate any strange interconnections between sensors (Song et al. 2012). PRTG Network Monitor provided detailed monitoring data as well as historical reports on the components of the network.
Instead of waiting for a security threat or incident before performing the necessary remediation, PRTG Network Monitor could help recognize the possibility of an attack beforehand. This highlights the need for a PRTG Network Monitor that indicates all threats and ensures adequate time to correct them before they become security incidents (Islam and Zareen 2014). In essence, PRTG Network Monitor is a tool that companies and home users should invest in.
Conclusion
Strategic information security is critical for all organizations, as it protects against security threats and incidents that might be costly to the organization. From the analysis of Apple, it is evident that the company has put in place effective measures to ensure the security of its information and information systems. By using effective approaches to controlling risk and protection mechanisms, the company can ensure a high level of information security. The company also hires personnel with the necessary skills and expertise in information security to achieve its objectives. Apple has established laws and regulations as well as ethical principles relating to the use of information. In addition, information security can be guaranteed by using effective monitoring tools to identify possible risks before a threat occurs, which is possible with PRTG Network Monitor. Therefore, installing PRTG Network Monitor will make it possible for a company, regardless of its size, to identify potential issues with its computers and networks and address them before they negatively affect the company.