Abstract
Information security is critical for organizations in an era of heavy reliance on information. This highlights the importance of companies putting strategic information security in place, including the approaches that are important in ensuring information security. Samsung is the company analyzed here regarding the approaches it takes in its strategic information security efforts. The company has adopted several methods for controlling risks, including defense, transferal, mitigation, acceptance, and termination. Besides, the company uses various means of protecting information and systems, and to guarantee a high level of security the firm attracts skills relevant to information security management. Personnel working for the company must be guided by the laws and ethics established. The report also includes a recommendation to use the PRT Network Monitor to monitor the network for security issues and vulnerabilities.
Strategic Information Security for Apple Company
Introduction
Companies in the current dynamic environment cannot operate without adequate measures to ensure the security of their information. Thus, companies, regardless of the sector they operate in, should adopt strategic information security (Pearlson, Saunders, and Galletta 2016). For a company to be effective, its security team should monitor the information systems for possible vulnerabilities and work towards remediating them. Strategic information security means that the company has put in place the strategies necessary for achieving the security of its information systems and the information they hold. Such efforts are evident in Samsung, one of the leading electronics and IT companies globally (Klein et al. 2003). Given the vast amount of information within the company's systems, the management is required to be vigilant in ensuring its security. The report begins with a discussion of the ways the company controls risks and the protection mechanisms it uses, followed by a section on personnel and security and then on the law and ethics relating to information security. The final section before the conclusion covers the possibilities offered by the PRT Network Monitor for identifying and addressing security issues.
Controlling Risk
For the company, controlling risks entails the efforts it makes to ensure that threats to information security are monitored and managed effectively. Samsung is always on the lookout to ensure that IT management understands the risks that could affect the company and has effective measures in place to address them. The company has set up a team within its IT department that monitors the systems and prevents risks from adversely affecting the company's operations (Xu et al. 2011). The kind of measure used depends on the nature of the risk and its potential effects on the company's information systems. Five approaches commonly used by the company in controlling risks are defense, transferal, mitigation, acceptance, and termination (Anderson and Moore 2006, p. 611). Which approach is applied depends on the risk facing the company.
Defense
Defense against possible risks is a strategy common in the management of risks within organizations. In information management it involves the players providing greater protection against the various risks that can affect information security. Defense ensures that there are measures in place to defend the system against the risks (Anderson and Moore 2006). An effective line of defense allows the company to engage in other activities without worrying about having to manage or mitigate a risk.
Transferal
The management of the company can, depending on the nature of a risk, transfer it. This kind of risk control happens when the company is working on a project with various players. Mostly, risks are transferred to outside service providers when working on a complicated project such as launching a new product (Anderson and Moore 2006). For instance, when using cloud computing, the risk involved in managing the information infrastructure is transferred to the service provider. This leaves the company's resources free to manage other risks within the company, especially those that cannot be avoided.
Mitigation
Mitigation of a risk by Samsung involves the efforts made to minimize the effects of a risk once it has occurred. In some cases it is not possible to avoid risks, especially when dealing with networked information systems. Thus, mitigation is the most common risk control; an example is providing training for the IT team when the company develops a new information system (Anderson and Moore 2006). By doing so, the company mitigates the effects of the risk involved, especially where skills for using the new system are inadequate.
Acceptance
Acceptance of a risk is possible within the company depending on the type of risk the management is dealing with. The strategy is adopted when the management faces a threat that is not of a magnitude that warrants taking action. The risk is normally still addressed to prevent adverse effects if it materializes. Given this approach to risk, the method cannot be adopted for major risks, only for those whose effect is not expected to be major (Belanger and Van Slyke 2011). The resources that could have been used in preventing the risk can be used for other serious operations. Accepting the possibility of a risk is something the company does in dealing with smaller risks.
Termination
Termination of a risk is not a strategy Samsung commonly uses in controlling risks to information security. However, the approach involves eliminating risks to information security altogether; hence, it should be the strategy of choice. Indeed, the strategy can be applied by altering a practice or process that is inherently precarious so as to eliminate the risk (Belanger and Van Slyke 2011). The management is normally keen to identify a process or practice that poses a risk to the company and remove it from the area of business where it occurs. However, this should be done without affecting the normal operations of the business.
Protection Mechanisms
Security Access Control
Samsung achieves information security through the implementation of security access controls (SAC). SAC is used to ensure that no access is allowed to where information is stored, especially by unauthorized persons. The access controls allow only authorized people to access the information, preventing illegal or malicious access. Samsung takes these measures to protect its own information and that of its clients and suppliers. The company's management of information includes measures that prevent access by unauthorized persons (Belanger and Van Slyke 2011). The measures include authentication, authorization, and biometric access control, all of which are effective in controlling access to information.
In authentication, the security system determines the identity of any person seeking access to information systems. The system is used to confirm whether the individual seeking entry should be allowed in. The system collects information from the person seeking entry, especially relating to the way the person seeks access. Samsung has in place several important ways of authenticating an individual, including the use of a user ID and password and physical security devices such as a computer chip (Dozier et al. 1998). Only a person who has such information is allowed entry or access to the information.
Besides authentication, Samsung also uses authorization to determine the level of access granted to an individual who has been allowed into an information system. The strategy is useful where an individual is allowed access, but only to a certain extent (Dozier et al. 1998). Authentication can also be used to bar unauthorized persons from accessing information or an information system.
Biometrics, on the other hand, refers to the use of individual physical identifiers in ascertaining a person's identity and granting access. The information used includes fingerprints, palm identification, voice verification, and retinal scans (Dozier et al. 1998). Biometrics has become a common access control used by companies in today's business environment. The system grants access to a person whose biometric information is available within the system.
Types of Firewalls
Firewalls are used in information security as network security systems that monitor and control network traffic entering and exiting the network based on established security rules. Samsung has implemented various firewalls in its history of ensuring information security. These systems control access to networked information systems to prevent threats and attacks (Desai et al. 2002). The firewalls commonly used by the company include packet filtering firewalls, application-level firewalls, stateful inspection firewalls, and dynamic filtering firewalls.
Packet filtering firewalls. The packet filtering technique is used in network security to control access to a network by monitoring packets coming into and exiting the network, allowing or blocking them based on the Internet Protocol (IP) addresses, ports, and protocols of the source and destination (Davidoff and Ham 2012). The firewall operates at the network's router.
Application-level firewalls. The application layer firewall provides security to the network by running proxy servers. The proxy server scrutinizes packets and prevents suspicious ones from passing through the network. The approach has been suggested as the most effective, given that packets never enter the network directly (Davidoff and Ham 2012). An outside user cannot establish the origin or destination of a packet because the proxy server masks that information.
Stateful inspection firewalls. Stateful inspection firewalls perform two functions on the network. The first is examining the packets coming through the system to find out whether they belong to a TCP session initiated within the network. Packets that are not part of such a session are not allowed to pass (Davidoff and Ham 2012). This approach provides a high level of security by preventing suspicious packets from passing. Nonetheless, it has the limitation of making the network perform a lot of work.
Dynamic filtering firewalls. Dynamic filtering firewalls are important in a network because they allow connections to be monitored for suspicious communications. Thus, some packets are allowed and others blocked based on the status of the connection. Information such as the port number and IP address of each packet is analyzed to determine what to allow (Mylonas et al. 2011). With such information, the network is kept safe because suspicious communications are denied entry.
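To illustrate the difference between the packet filtering and stateful inspection entries above, the toy filters below are an added example written for this report, not code from Samsung or from the cited sources: a packet filter that decides on addresses and ports of the current packet alone, beside a stateful filter that admits an inbound packet only when it belongs to a session already in its table. The internal addresses, the published web server and the packet trace are all constructed.

```python
# Added example, not code from the report: a toy stateless packet filter next to a
# toy stateful inspection filter, both run over a constructed packet trace.
from dataclasses import dataclass

WEB_SERVER = "10.0.0.10"   # constructed: the one internal host published on port 443

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = "ACK"     # simplified TCP flags: "SYN", "SYN-ACK" or "ACK"
    inbound: bool = True   # True when the packet enters the protected network

def stateless_allow(pkt):
    """Packet filtering: decides on this packet's addresses and ports alone."""
    if not pkt.inbound:   # inside hosts may use HTTPS outward; the server may reply
        return pkt.dst_port == 443 or (pkt.src_ip == WEB_SERVER and pkt.src_port == 443)
    if pkt.dst_ip == WEB_SERVER and pkt.dst_port == 443:
        return True
    # Replies to outbound HTTPS must be let back in; without session state the only
    # handle is the source port, so any inbound packet claiming port 443 is admitted.
    return pkt.src_port == 443

def session_key(pkt):
    """(internal ip, internal port, external ip, external port), either direction."""
    if pkt.inbound:
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

class StatefulFilter:
    """Stateful inspection: remembers sessions, admits only packets belonging to one."""
    def __init__(self):
        self.sessions = set()
    def allow(self, pkt):
        key = session_key(pkt)
        if key in self.sessions:
            return True
        # Only a SYN that policy permits opens a session: inside hosts going to HTTPS
        # outward, or outside clients reaching the published web server.
        opens = pkt.flags == "SYN" and pkt.dst_port == 443 and (
            not pkt.inbound or pkt.dst_ip == WEB_SERVER)
        if opens:
            self.sessions.add(key)
        return opens

# Constructed trace: an outbound HTTPS session, its reply, and an unsolicited inbound
# packet to an internal host's RDP port that merely claims source port 443.
TRACE = [
    Packet("10.0.0.5", 50000, "203.0.113.7", 443, flags="SYN", inbound=False),
    Packet("203.0.113.7", 443, "10.0.0.5", 50000, flags="SYN-ACK"),
    Packet("198.51.100.9", 443, "10.0.0.5", 3389),
]

def run_trace(trace=TRACE):
    """Return (stateless_decision, stateful_decision) per packet, in trace order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in trace]
```

The third packet is the one the report's description of stateful inspection is about: the stateless filter admits it because its source port looks like an HTTPS reply, while the stateful filter rejects it because no session matches.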
Justifying the Choice of Firewall
Samsung is a largely networked company, and its network should remain secure from suspicious and malicious access to the information within. Thus, depending on the type of connection, specific firewalls are used. The firewall most commonly used by the company is the application layer firewall, which is considered the most beneficial based on the company's security needs. The proxy server ensures that no malicious access to the network is allowed by scrutinizing the various communications. In this way, attacks such as denial of service, among other threats, are prevented.
Personnel and Security
Indeed, for Samsung to guarantee a high level of information security, the management has to ensure that employees have the most relevant knowledge, skills, and experience. Information on the skills and experience required of a person managing information security for the company is available on the company's website. The company seeks a person with basic training in the development and management of information systems. Information risk management is another area of concern for the company (Jung 2014). The person should be able to perform activities such as ethical hacking to establish the potential risks in the company's information systems and remediate them before they negatively affect the company.
An information security specialist should have the skills required to monitor, measure, and respond to security risks. Identifying and managing information security risks are important parts of the process since they ensure the company's vital processes are not interrupted by security threats and incidents (Jung 2014). The skills necessary for implementing information security mechanisms are also required for the person to get the job. The specialist is required to ensure the security of the company's networks, and since threats keep changing, there is a need for ongoing training and development. In essence, the person should understand these changes and respond to them appropriately.
Law and Ethics
Organizations have put in place laws and ethical guidelines relating to their operations. The two concepts differ in how they are enforced. Laws are rules adopted and enforced by an authority to guide operations within an entity. Ethics are codes of behavior founded on the morals of an organization; they emerge from what the organization decides is moral and responsible behavior. Ethical issues, thus, are not necessarily illegal and cannot be penalized in law.
Ethics guides the work of staff at Samsung, especially when dealing with the company's information systems. Ethical guidelines are formulated and communicated to workers in such a manner that every person understands them. There are also ethical issues that do not have to be codified, such as unethical access to private information. Various ethical considerations exist within the company. First, there is unethical access to the company's networks and classified information. Secondly, there is interfering with the network so as to deny other users access to information, stealing information for personal use, and clogging the network so that other users are unable to use it for communication (Daniel 2014). The ethical guidelines direct the relationships between the company and its employees, as well as between the employees themselves.
Within the field of technology, various laws relate to information security. These laws are adopted by Samsung to ensure the safety of its networks and information. However, there are areas of information security that are not covered by current law, suggesting the need for new legal codes. Some of the acts relating to information security and adopted by Samsung include the Electronic Communications Privacy Act of 1986, the Communications Act of 1934, and the Computer Security Act of 1987. These laws spell out what is illegal as far as information security is concerned (Arkin 2008). While some acts amount to unethical behavior, others are illegal and punishable by law. For instance, stealing a network device to deny access to other users is a crime. The acts that are against the law and against the company's rules and regulations are clearly outlined.
PRT Network Monitor Report
The PRT Network Monitor was installed and used for only 24 hours, but in that time the system was able to identify various issues and limitations within the network that needed to be fixed to improve the network's effectiveness and to prevent the possibility of a security attack. The issues identified affected how effectively the network worked, and they could not have been found without using the monitoring tool. Use of the PRT Network Monitor is necessary for individuals and companies to provide continuous reviews of the network and ensure there are no issues affecting its working or threatening the information security of the network.
In the short time the PRT Network Monitor was used, it was possible to identify several issues and limitations with the network. The monitor found that the computers connected to the Internet were running antivirus software that was almost outdated, which would potentially leave them exposed to virus attacks. The monitor also identified outdated software programs on the computers. Such cases made the computers vulnerable to other information security threats, as it would be easy to miss potential risks.
Besides the issues and limitations identified on the computers making up the network, other concerns were identified within the network itself. The monitor flagged suspicious traffic that was not part of any established connection. Such traffic could have resulted from attempts by hackers to gain access to the network and carry out an attack, including stealing or compromising information (Choromański et al. 2013). Without a properly functioning monitoring system, such risks could not have been identified and rectified. The monitor also indicated problems with the servers, such as irregular starting and shutting down, which affected the optimal working of the network.
In addition, other issues were identified relating to the adequacy of storage space for the information passing through the network. The PRT Network Monitor discovered that the available hard disks were running out of space. Packets passing through the network from unknown or suspicious sources were also identified. Such a situation would cause loss of vital information if not rectified. The PRT Network Monitor allowed for the use of operational strategies in addressing issues with the security of information (Lohmann and Guala 2009). The monitor presented information on unusual behaviors that negatively affected the optimal working of the network and posed possible risks to information.
It is worth appreciating that knowing the status of the system helps to maintain the working and security of the networks. In addition, it is risky and costly to wait until there is a security threat or incident before acting. Thus, it is necessary to install and use measures for identifying problems with the network in order to address them (Choromański et al. 2013). Individuals and companies, including Samsung, can benefit from installing the PRT Network Monitor to observe their networks and receive reports on potential issues and limitations.
Conclusion
Companies must have a strategic information security plan to ensure that they do not suffer the costs related to a security threat. Samsung is one of the companies that have invested in strategic information security measures. The company uses risk controls and protection mechanisms to ensure the security of its information. Samsung also runs a comprehensive recruitment program to attract staff with the necessary skills and experience into its security function. Laws and ethics also guide the operations of the company. Use of the PRT Network Monitor is recommended for the company to ensure effective monitoring of issues and limitations within its network so that timely remedies can be applied.