The importance of the manager's role in securing Norwood Systems' use of information technology
Norwood Systems must understand that information security is a management responsibility as much as a technical one, and that its managers from both the information security and the general IT functions need to be involved (Galliers and Leidner 2014). These managers play three kinds of role:
Informational role: collecting, processing and using information so that decisions can be made and goals reached.
Interpersonal role: maintaining working relationships with superiors and subordinates so that tasks get completed (Layton 2016).
Decisional role: selecting the correct course of action, handling disturbances and solving problems.
List and discussion of the key characteristics of information security that Norwood Systems must be aware of
Norwood Systems must be aware of the key characteristics that information security is expected to deliver: confidentiality, integrity, availability, identification, authentication, authorization and accountability.
Confidentiality restricts information to the specific individuals who are authorised to see it and withholds it from everyone else. The security measures involved are information classification, secure storage of documents and database records, application of general security policies, and encryption (D'Arcy, Herath, and Shoss 2014).
Integrity is compromised when information is exposed to corruption, damage, destruction or any other disruption of its authentic state. Corruption most often occurs while data is being transmitted, so the recipient needs a way to determine whether the data it holds is complete or has been altered (Peltier 2016).
Availability means that information is accessible, in a usable format and without obstruction, to authorised users whenever they need it. Keeping unauthorised users out is a matter of confidentiality, not availability.
Identification is the assertion of an identity, usually a user name or user ID; authentication is the proof of that identity, for example by a password, token or biometric, and must follow identification before any access is granted.
Authorization is the permission, granted by the appropriate authority, for an identified and authenticated user to access, change or delete the contents of an information asset (Galliers and Leidner 2014).
Accountability exists when a control provides assurance that every action attempted can be attributed to a named person or to an automated process.
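The following is an added example, not code from the original report or from Norwood Systems, that makes three of the characteristics above concrete in one small record store: integrity (a stored record carries an HMAC-SHA256 tag, so data altered in transit or in storage is detected rather than returned), authorization (a permission table decides whether a user may read, change or delete a record) and accountability (every attempted action, allowed or denied, is logged against the acting user ID). The key, user IDs, permissions and customer record are constructed for the example and are assumptions, not company data.

```python
"""Added example, not part of the original report: a small record store that
makes integrity, authorization and accountability concrete.

- Integrity: every stored record carries an HMAC-SHA256 tag. A record altered
  in transit or in storage no longer matches its tag and is reported as
  corrupt instead of being returned.
- Authorization: a permission table decides whether an identified user may
  read, change or delete a record.
- Accountability: every attempted operation, allowed or denied, is written
  to an audit log that attributes it to the acting user ID.

The key, user IDs, permissions and customer record below are constructed for
the example; they are not Norwood Systems data.
"""
import hashlib
import hmac
import json

# Constructed for the example. In production the key comes from a secrets
# store, never from source code.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# Constructed permission table: user ID -> actions that user is authorised for.
PERMISSIONS = {
    "alice": {"read", "change", "delete"},   # data owner
    "bob": {"read"},                          # read-only analyst
}


def seal(record):
    """Return the record as canonical JSON plus an HMAC-SHA256 integrity tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(INTEGRITY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(sealed):
    """True only if the tag still matches the body; compare_digest resists timing attacks."""
    expected = hmac.new(INTEGRITY_KEY, sealed["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class RecordStore:
    def __init__(self):
        self.records = {}
        self.audit_log = []   # one entry per attempted action, attributed to a user

    def _log(self, user, action, key, outcome):
        self.audit_log.append({"user": user, "action": action, "record": key, "outcome": outcome})

    def _authorise(self, user, action, key):
        """Authorization check: deny (and log the denial) unless the table allows the action."""
        if action not in PERMISSIONS.get(user, set()):
            self._log(user, action, key, "denied")
            raise PermissionError(f"{user} is not authorised to {action} {key}")

    def put(self, user, key, record):
        self._authorise(user, "change", key)
        self.records[key] = seal(record)
        self._log(user, "change", key, "ok")

    def get(self, user, key):
        self._authorise(user, "read", key)
        sealed = self.records[key]
        if not verify(sealed):
            # Integrity failure: refuse to hand back data that may be corrupt.
            self._log(user, "read", key, "integrity-failure")
            raise ValueError(f"record {key} failed its integrity check")
        self._log(user, "read", key, "ok")
        return json.loads(sealed["body"])

    def delete(self, user, key):
        self._authorise(user, "delete", key)
        del self.records[key]
        self._log(user, "delete", key, "ok")


def simulate_corruption(store, key, old, new):
    """Alter the stored body without updating the tag, as corruption in transit would."""
    store.records[key]["body"] = store.records[key]["body"].replace(old, new)


if __name__ == "__main__":
    store = RecordStore()
    store.put("alice", "cust-1", {"name": "Sample Customer", "balance": 10})
    print(store.get("bob", "cust-1"))
    try:
        store.put("bob", "cust-1", {"balance": 0})          # bob is read-only
    except PermissionError as exc:
        print("denied:", exc)
    simulate_corruption(store, "cust-1", '"balance":10', '"balance":99')
    try:
        store.get("alice", "cust-1")                         # tag no longer matches
    except ValueError as exc:
        print("corrupt:", exc)
    for entry in store.audit_log:                            # the accountability record
        print(entry)
```

The audit log is the accountability artefact: the denied change by `bob` and the integrity failure on `cust-1` both appear with the user ID that attempted them, which is exactly what an investigator needs after the fact. Note that an HMAC only detects alteration; it does not provide confidentiality, which would need encryption of the body as well.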
The dominant categories of threats to information security that will affect Norwood Systems
Compromises to intellectual property: intellectual property (IP) comprises trademarks, trade secrets, patents and copyrights. IP is protected by law, carries the expectation of proper attribution, and may require the acquisition of permission before it is used, as the law specifies (Galliers and Leidner 2014).
Deviations in quality of service: Norwood Systems' information systems depend on the reliable operation of many interdependent support systems, including power grids, data and telecommunications networks, service providers, and even janitorial staff. A failure in any of them degrades or interrupts the service Norwood Systems delivers.
Espionage or trespass: an unauthorised individual gains access to information that Norwood Systems is trying to protect.
Software attacks: an individual or group designs and deploys software to attack Norwood Systems' systems (Ogiela 2015).
Theft: physical theft can be controlled fairly easily with a range of measures, from locked doors to trained security staff, and by installing alarm systems. Electronic theft is harder: the data is copied without the owner's knowledge, so the owner may never realise that anything has been taken (Law, Buhalis and Cobanoglu 2014).
Discussion of the key characteristics of leadership and management in Norwood Systems
A successful leader influences employees so that they willingly work towards the organisation's targets (Flores, Antonsen and Ekstedt 2014). At Norwood Systems a leader is expected to lead by example and to exhibit the personal traits that instil in other employees a desire to follow; leadership provides purpose, direction and motivation to those who follow.
By comparison, a manager administers the resources of Norwood Systems: the manager prepares budgets, authorises expenditure and hires staff. The roles are distinct, but an effective manager can also become a successful leader.
Differentiate information security management from general business management
One of the distinctive elements of information security management is the set of functions known as the six Ps: planning, policy, programs, protection, people and project management (Lowry and Moody 2015). InfoSec management works like any other management unit, but the primary objectives of the InfoSec management team at Norwood Systems are different in that they concentrate on the secure operation of the organisation.
Law and ethics that Norwood Systems must adopt
Laws are formally adopted rules for acceptable behaviour in modern society, whereas ethics are socially accepted norms of behaviour (Jayanthi 2017). The primary difference between laws and ethics is that laws carry the sanction of a governing authority, which ethics do not. Norwood Systems must abide by both the law and ethical norms while building a strong security system for the company.
The ethical foundations and approaches that underlie modern codes of ethics
Norwood Systems has established codes of conduct and codes of ethics that individuals are expected to follow. Such codes can positively affect a person's judgement about how computers should be used (Andress 2014). It is the personal responsibility of the security professionals at Norwood Systems to act ethically and in accordance with the policies and procedures of their employer, their professional organisations, and the laws of society.
Identification of major national and international laws that relate to the practice of InfoSec
Constitutional law: derived from the U.S. Constitution, a state constitution, or a local constitution, statute or charter.
Statutory law: enacted by a legislative branch specifically tasked with the creation and publication of laws.
Regulatory or administrative law: issued by an executive branch or by an authorised regulatory agency, and including executive orders and regulations (Stergiopoulos et al. 2017).
Common law, case law and precedent: originates with a judicial branch or oversight board and involves the interpretation of law in the light of the decisions of previous and higher courts or boards.
Discuss current laws, regulations, and relevant professional organizations
The current laws and regulations relevant to the organisation concern the privacy of protected health information (PHI), the protection of defence information, and the protection of the national cyber infrastructure (refer to Appendix A).
Identification of the roles in Norwood Systems that are active in planning
To implement effective planning, an organisation's leaders usually start from previously developed positions that openly state the organisation's entrepreneurial, ethical and philosophical perspectives (Kolkowska and Dhillon 2013). Three specific documents have developed from these perspectives: the mission, vision and values statements. Norwood Systems management should examine all three.
Vision statement: the vision statement proclaims the organisation's ambition, where it wants to go and what it wants to become, and states its plans for the future (refer to Appendix C).
Values statement: the values statement sets out the organisation's principles, how its goals are to be pursued, and the conduct its employees must abide by (refer to Appendix D).
Mission statement: the mission statement describes what the organisation does and for whom, that is, the purpose it serves today and the means by which it pursues its goals (refer to Appendix B).
Strategic organizational planning of Norwood Systems for information security (InfoSec)
Norwood Systems must adopt general strategic planning to secure its Cloud Corona platform. First, the organisation's general strategic plan is translated into strategic objectives for each division; next, these objectives are translated into tasks with specific, achievable, measurable and time-bound goals (Safa et al. 2016).
Discussion of the importance, benefits, and desired outcomes of information security governance and how such a program would be implemented for Norwood Systems
Plan, objective and benefits of information security governance
Norwood Systems must plan for governance and analyse its benefits:
- A proper strategic plan
- Establishment of the plan's objectives step by step
- Measurement of progress against those objectives
- Verification that the objectives have been met (Stergiopoulos et al. 2017)
- Validation that the requirements of the plan or product have been properly met
Outcomes of information security governance
- Strategic alignment of InfoSec with business strategy to support organisational objectives
- Risk management by implementing appropriate measures to manage and mitigate threats to information assets
- Resource management by using InfoSec knowledge and infrastructure efficiently and effectively
- Performance measurement by measuring, monitoring and reporting InfoSec governance metrics to ensure that organisational objectives are achieved (Posey et al. 2014)
- Value delivery by optimising InfoSec investments in support of organisational objectives
Program implementation plan by Norwood Systems
- Creating and promoting a culture that recognises the criticality of information and InfoSec to Norwood Systems.
- Verifying that management's investment in InfoSec is properly aligned with organisational strategies and with Norwood Systems' risk environment (Stergiopoulos et al. 2017).
- Mandating and ensuring that a comprehensive InfoSec program is developed and implemented.
- Requiring reports from the various layers of management on the InfoSec program's effectiveness and adequacy.
Explanation of the principal components of InfoSec system implementation planning in Norwood System
InfoSec system implementation planning creates a strategic information security plan with a vision for the future of information security at Norwood Systems. It requires an understanding of the essential business activities performed by Norwood Systems and, on the basis of that understanding, recommends suitable information security solutions that protect those activities in particular. It also develops action plans, schedules, budgets, status reports and the other top-management communications needed to improve the state of information security at Norwood Systems (Safa et al. 2016).
Planning in the organizational planning scheme
- The CIO and CISO play critical roles in translating overall strategic planning into tactical and operational information security plans.
- When the CISO reports directly to the CIO, the CIO charges the CISO and the other IT department heads with creating and adopting plans that are consistent with, and supportive of, the IT strategy as it underpins the whole organisational strategy (Jayanthi 2017).
- It falls to the CISO to go beyond the plans and efforts of the IT group and ensure that the InfoSec plan also directly supports the entire organisation and the strategies of the other business units, beyond the scope of the IT plan (Peppard, Galliers and Thorogood 2014).
Information security policy and its central role in a successful information security program
Policies are important reference documents for internal audits and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of Norwood Systems management's intent (Hajli and Lin 2016).
Role in a successful information security program
A policy is a set of "organisational guidelines that dictate certain behaviour within the organisation". A standard is "a detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance". Guidelines are "non-mandatory recommendations the employee may use as a reference in complying with a policy" (Flores, Antonsen and Ekstedt 2014). Procedures are "step-by-step instructions designed to assist employees in following policies, standards and guidelines". Norwood Systems must understand what an information security program can deliver and must implement one on its premises.
The three major types of information security policy and discussion of the major components of each
Enterprise information security program policy
- An enterprise information security policy (EISP) assigns responsibilities for the various areas of InfoSec, including the maintenance of InfoSec policies and the practices and responsibilities of end users (Ogiela 2015).
- In particular, the EISP guides the development, implementation and management requirements of the InfoSec program, which must be met by InfoSec management and the other specific security functions.
Issue-specific information security policies
An issue-specific security policy (ISSP) addresses one technology or issue. Its statement of purpose covers the scope of the policy, the technology it addresses and the responsibilities it assigns; its section on authorised access deals with user access, protection and privacy; its section on unauthorised use of equipment deals with criminal use, offensive material and copyrighted material (Flores, Antonsen and Ekstedt 2014). Norwood Systems must take these policies into account.
Systems-specific policies (SysSPs) are created by management to guide the implementation and configuration of technology. They apply to any technology that affects the confidentiality, integrity or availability of information, and they inform technologists of management's intent.
Explanation of what is needed to implement effective policy in Norwood Systems
Effective policy is implemented by adopting industry-accepted practices and developing suitable policies from them. The policies must be distributed to, read and understood by all Norwood Systems employees (Baskerville et al. 2014), and every employee must agree to comply with them. Leaders and their subordinates must stay in regular contact and keep the policies up to date.
Discussion of the process of developing, implementing, and maintaining various types of information security policies in Norwood Systems
Norwood Systems can benefit from well-made policy, and there are steps it should follow. It is helpful to see policy development as a three-part project:
- In the first part of the project, the policy is planned and written
- In the second part, a senior manager or executive at the appropriate level reviews and formally approves the document (Ogiela 2015)
- In the third part of the development project, management processes are established to sustain the policy within the organisation
The first part is an exercise in project management, while the last two require adherence to sound business practices.
Norwood System (Chosen organization) implementing security policies to enhance their company’s security
Norwood Systems must implement an InfoSec program to protect the telecommunication services it runs. Its Cloud Corona service will improve if the company implements such a program and maintains the rules and regulations of its security policies, and its products World Phone, World Credit, World Message and World Wi-Fi will be far better protected once those policies are in force. The company plans to deliver all of these services through its cloud network, and moving every service into the cloud involves considerable risk. It is therefore essential to implement the security controls with confidentiality, integrity, authentication and authorization in mind. Apps such as World Phone, World Credit and World Message hold large volumes of customer information; Norwood Systems must keep that data safe, because if it is stolen and the system is compromised the result would be a disaster and would certainly damage the company's reputation (Coltman et al. 2015). Since Norwood Systems is a relatively new company, it must bear in mind every kind of breach that could occur. As a System Analyst, I am pleased to see the potential changes that the security policies can bring to the company.
It can be concluded from the above discussion that security policies and the relevant laws enhance the security of every company. Norwood Systems, an emerging company, must implement security policies to strengthen its security posture. This report has described the managerial role in information security in detail, along with the key characteristics of information security: confidentiality, integrity, availability, authentication, authorization and accountability. The threats of compromise to intellectual property, deviations in quality of service, espionage or trespass, software attacks and theft have been explained, as have the key features of leadership and management and the difference between law and ethics. The primary laws relating to the practice of InfoSec have been identified. The role of planning in the organisation, expressed through the vision, values and mission statements, has been set out, and the plan, objectives, benefits and outcomes of information security governance have been described.
Andress, J., 2014. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.
Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), pp.138-151.
Coltman, T., Tallon, P., Sharma, R. and Queiroz, M., 2015. Strategic IT alignment: twenty-five years on. Journal of Information Technology, 30(2), pp.91-100.
D'Arcy, J., Herath, T. and Shoss, M.K., 2014. Understanding employee responses to stressful information security requirements: a coping perspective. Journal of Management Information Systems, 31(2), pp.285-318.
Flores, W.R., Antonsen, E. and Ekstedt, M., 2014. Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security, 43, pp.90-110.
Galliers, R.D. and Leidner, D.E. eds., 2014. Strategic information management: challenges and strategies in managing information systems. Routledge.
Hajli, N. and Lin, X., 2016. Exploring the security of information sharing on social networking sites: The role of perceived control of information. Journal of Business Ethics, 133(1), pp.111-123.
Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), pp.69-79.
Jayanthi, M.K., 2017, March. Strategic Planning for Information Security-DID Mechanism to befriend the Cyber Criminals to assure Cyber Freedom. In Anti-Cyber Crimes (ICACC), 2017 2nd International Conference on (pp. 142-147). IEEE.
Karlsson, F., Goldkuhl, G. and Hedström, K., 2015, May. Practice-Based Discourse Analysis of InfoSec Policies. In IFIP International Information Security Conference (pp. 297-310). Springer, Cham.
Kolkowska, E. and Dhillon, G., 2013. Organizational power and information security rule compliance. Computers & Security, 33, pp.3-11.
Law, R., Buhalis, D. and Cobanoglu, C., 2014. Progress on information and communication technologies in hospitality and tourism. International Journal of Contemporary Hospitality Management, 26(5), pp.727-750.
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. CRC Press.
Lowry, P.B. and Moody, G.D., 2015. Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25(5), pp.433-463.
Ogiela, L., 2015. Advanced techniques for knowledge management and access to strategic information. International Journal of Information Management, 35(2), pp.154-159.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Peppard, J., Galliers, R.D. and Thorogood, A., 2014. Information systems strategy as practice: Micro strategy and strategizing for IS. J. Strategic Inf. Sys., 23(1), pp.1-10.
Posey, C., Roberts, T.L., Lowry, P.B. and Hightower, R.T., 2014. Bridging the divide: a qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Information & Management, 51(5), pp.551-567.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.
Stergiopoulos, G., Kotzanikolaou, P., Theocharidou, M. and Gritzalis, D., 2017. Risk Mitigation for Critical Infrastructures: AUEB INFOSEC Lab Initiatives.