Running head: INFORMATION SECURITY: BEST SAFEGUARDS IN THE WORKPLACE 1
Information Security: Best Safeguards in the Workplace
Adam Richards
Information Security: Best Safeguards in the Workplace
Abstract
Information security refers to the means by which one can detect and prevent unauthorized users from accessing a network, a computer, and personal information. The field is very broad, and many casual users never think about it, which is one of the worst things an individual can do today, given how much everyday life runs on standard technology (Eric & Goetz, 2009). An individual must take care at every level of information security, since a breach could lead to financial ruin, theft of trade secrets, and even personal embarrassment.
Intruders come from many places; an intruder may even be someone who works in the same workplace. The complexity of today's software leads to vulnerabilities and exposure, so every user must stay on top of security. This means applying the latest operating system and software patches, and maintaining firewalls and up-to-date virus scanning software. This paper discusses the various types of attacks on computers and the numerous security threats to networks. It also covers the preventive measures used to minimize exposure to attack. The paper focuses on the best safeguards in the workplace and, in particular, the best technology for blocking security threats (Stanton & Stam, 2013).
Introduction
There are numerous threats to the security of information in the workplace, yet there is no single, definite means of preventing every incident that may befall that information. Attacks on confidential information in the workplace can be minimized by developing proactive security practices that cover most of the known threats. Workplaces hold different levels of customer information and various financial records on their computers (Ortmeier, 2012). The best way for an organization to prevent the loss or corruption of its information is to develop a well-rounded security practice: proactive solutions that include security hardware and software as well as policies for physical safety.
Hardware security solutions begin with protecting the computers' firewall. Other physical protections include restricting access to the network closet and requiring smart card access to the sensitive information held on the computers. All unused cabling and ports on the computers are closed and secured accordingly (Stallings & Brown, 2011). Access to computers holding sensitive information is limited, and only individuals with the proper clearance are allowed to reach sensitive information such as customers' financial details.
Common Threats to Information Security
Different organizations experience different threats to their information security. They face threats across the board, from external attacks on their websites to internal attacks, data corruption, and misuse of data. Computer viruses are an issue for companies worldwide, since they either use information systems within the organization or transact business with firms that do (Jain et al., 2010). Virus threats come from email, removable storage devices, websites, or any other entry point into the computers used by workers in the workplace.
Another threat is the distributed denial-of-service attack on computers that hold confidential information. These are internet-based attacks that flood the system with packets to bog it down, so that services no longer operate normally and the system's functionality is brought down. Another attack is backdoor entry into the system (Vacca, 2012). This type of attack obtains information from the system through an unintended means of access; it may be a program installed on the system to create a loophole for reaching credential information.
Each of these threats carries a different risk depending on the effect it could have on the information. For example, a computer virus may affect the whole network, since it can spread from one computer to another. A denial-of-service attack would affect the individuals who reach the websites from external sources, but not the internal users. A backdoor attack could alter very sensitive information, depending on where it is granted access to that information (Kaufman et al., 2012). Credential information therefore needs to be safeguarded from these attacks, and there are various ways in which an organization can protect itself from the threats that may arise.
For computer viruses, the firm needs anti-virus software and constant updates to it. Although there are tools an organization can use to prevent denial-of-service attacks, it is best protected by combining preventive measures with monitoring measures (Teer et al., 2014), which let the organization act immediately when a possible attack occurs. The best way to prevent backdoor attacks is continuous penetration testing and other tests on a recurring basis.
Reasons for Safeguarding the Credential Information
Organizations have different reasons for protecting their confidential information, which may include legal, ethical, and regulatory requirements depending on the nature of the firm. Various consequences follow for an organization that does not store its information according to regulatory requirements, such as fines against its licenses, and such fines cut off a large share of the firm's profits. The company also has ethical reasons to protect its information (Eric & Goetz, 2009). Security practices protect all information, not only the information that falls under regulation. The best security practice a company can adopt is to compile the regulatory, ethical, and legal controls, take the most restrictive control for each area, and apply it across the whole system.
Security goals
The first security practice is setting security goals: listing the issues the security controls are meant to address. The first security goal is confidentiality, which involves determining employees' need for access to information. It limits access to information through different layers of security (Stallings & Brown, 2011). The initial layer is simply protection of the hardware through which information is accessed; further layers add password protection and restrictions on users. Another target of the security practice is integrity, which involves granting each user a password for access to the information he or she requires.
The computer will not allow external users to access the information. Another objective of the security practice is availability, which involves giving every employee both formal and written guidelines (Stanton & Stam, 2013). The computers will be connected so that information is accessible from all locations without remote access. The information will also be linked to cloud-based storage to back it up for easy recovery. All sensitive and significant information is to be located offsite but fully accessible.
Physical Security
Another practice is to draw up policies for physical security. Under this heading, physical entry controls are set in most offices so that they provide high security for the least capital outlay. Management needs to lock the external access points of the building so that only permitted employees can enter, which can be achieved by issuing key fobs and smart cards to each employee. Another control is checking the security of offices, facilities, and rooms. All internal facilities and rooms must be controlled individually according to the information gathered in the initial consultation with the organization (Ortmeier, 2012). Access to individual offices depends on the security risks involved, and may range from simple mechanical door locks to smart cards and fobs for access to sensitive areas.
Besides this, one may need to employ security guards in areas that require an additional level of protection. Another control is protecting loading areas and isolated delivery points, which involves monitoring all the external areas of the company with surveillance equipment. This may range from simple security patrols to CCTV systems with thermal and audio monitoring. How extensively the security system is used depends on the sensitivity of the information at the location. Isolated areas receive a high level of monitoring, with night-vision cameras and an increased number of security personnel on patrol (Stanton & Stam, 2013). Brightly lit zones around the perimeter of the facilities can also deter physical breaches of the company's security.
Information Systems Security
Protection of the workplace begins by ensuring that all information systems are secure. The company must review all its locations to determine potential threats. Management then sets policies that give adequate protection to assets and workers according to the threat levels found. The types of security offered to employees include typical fire and medical protection (Stallings & Brown, 2011). The policy may be escalated to protection in the form of guard dogs and armed guards, depending on the perceived level of threat.
Another way of protecting the information systems is to close all unused cabling and network ports. Any cable disconnected from a workstation should be closed off at the hub, so that individuals cannot gain access to the information on the computers (Stallings & Brown, 2011). To strengthen computer security, the security administrators should disable protocols such as SNMP and FTP using the Web Image Monitor and SmartDeviceMonitor. This helps prevent the theft of user names and passwords, and reduces the risk of outside threats entering the computer network through an unused printer or MFP port.
Another security measure for the information system concerns the server equipment. To address the primary concern of information systems, one must understand and identify the types of information assets to be protected. These may include personal information, business information such as customer databases, or any other sensitive information; others may involve national security information and the company's ability to operate and use its network. The physical infrastructure that supports the information systems also needs protection (Stanton & Stam, 2013). Controlling access to computers and workstations is vital: the administrator restricts access to the main servers and the network hub to the absolute minimum number of authorized workers. If computers and their components are secured electronically yet remain vulnerable to physical destruction, they may need more protection.
The equipment also needs to be maintained, since it is an integral part of the security and functioning of every company. Administrators reduce overall operating costs by designing a standardized maintenance program that performs routine maintenance on the system (Stanton & Stam, 2013). Laptops and roaming equipment also need to be secured; only individuals with the highest level of clearance and access should connect a laptop to the company's server.
Access Control Practice
Another practice is controlling access to the information stored on the organization's computers. This involves authenticating credentials to establish which users are qualified within the system (Kaufman et al., 2012). Authentication credentials help determine access control over the sensitive information on the company's computers. Security administrators should set up the credentials transparently for users, and can configure the user policy so that only specified users can create, import, and manage credentials.
Credentials also help monitor and protect information and computers. Identity theft and other incidents can be detected before much damage is done, by observing who accesses information and why he or she needs it (Jain et al., 2010). Passwords are a defensive means of protecting the computers that store information. However, most people are not fond of using sufficiently strong and secure passwords, which leads to attacks on the information system by intruders.
Three keys should be used to safeguard the company's passwords. A password should be at least fourteen characters long, and a variety of characters should be used. Passwords should also draw on the entire keyboard, not just the letters and characters seen in most cases (Stanton & Stam, 2013). Following these simple rules strengthens a password exponentially compared with using a birthdate or anything else that is easy to remember.
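The three password rules above can be enforced mechanically. The following is an added example written for this paper, not code from the paper or any cited source. It checks the paper's fourteen-character minimum, the use of several character classes, and the "entire keyboard" rule (read here, as an assumption, as requiring digits and punctuation in addition to letters), flags date-like digit runs such as birthdays (a heuristic constructed for this example), and computes the size of the search space in bits to show why length pays off exponentially.

```python
import math
import re
import string

# Policy thresholds from the paper's three rules. The minimum length is the paper's
# fourteen characters; the "entire keyboard" rule is read as requiring digits and
# punctuation as well as letters (an assumption made for this example).
MIN_LENGTH = 14
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
# Heuristic constructed for this example: an isolated run of six or eight digits
# usually means a date such as a birthday embedded in the password.
DATE_LIKE = re.compile(r"(?<!\d)(\d{6}|\d{8})(?!\d)")


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def keyspace_bits(password: str) -> float:
    """Search space, in bits, if every string of this length over the character
    classes used had to be tried. Each extra character multiplies the space by
    the alphabet size, which is the exponential gain the paper refers to."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(password)
    if len(used) < 3:
        problems.append("uses fewer than three character classes")
    if not ({"digit", "symbol"} & used):
        problems.append("uses letters only; draw on the whole keyboard")
    if DATE_LIKE.search(password):
        problems.append("contains a date-like digit run (birthdays are easy to guess)")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2020", "correcthorsebatterystaple", "Blue Kettle-sings 7x"]:
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits, "
              f"{check_policy(candidate) or 'passes policy'}")
```

The bit count is the honest measure to show users: a ten-character mixed-case password with digits sits near 60 bits, while a twenty-character phrase drawing on the whole keyboard exceeds 130 bits, even though both "look" complex.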
Another method of authentication is multifactor authentication. It takes the password as a single authentication factor and adds a secondary physical token before granting access to the computer and the information on it (Kaufman et al., 2012). This method is crucial because even after acquiring the password, one still needs the physical item to access the information. It raises security because it creates several layers that must be passed to obtain the information from the computers.
Biometrics can also be used as a method of authenticating access to information on computers; however, biometrics are reserved for advanced security levels and very sensitive information. The method allows single sign-on to accounts, which is an access control property of multiple independent but related information systems (Jain et al., 2010). Where an individual does not need to authenticate separately to each system, he or she uses the SSO permit to access all the computers and systems, obtaining the information without entering passwords again. Single sign-on reduces human error, which is an important component of system failures. It is thus highly desirable, yet very difficult to implement.
Access control does not come about on its own; strategies must be set for achieving access control over information. The first strategy is discretionary access control, which lets every user control access to information. It is the typical default access control mechanism in most desktop operating systems, and it works with an access control list (Vacca, 2012). The list contains the users and the access authorizations of each user or group of users. It is used on front-office computers meant for the few individuals who enter data into the system. It provides a more flexible environment, but it increases the risk that information becomes available to unauthorized users.
Another strategy for controlling access to information is mandatory access control, which takes a hierarchical approach to controlling access to resources. The system administrator controls access to the information. Mandatory access control issues security labels that are assigned to all information on the computers, and users of that information are also classified into different categories. As users try to access information, they are evaluated by cross-referencing their clearance levels against the labels (Stallings & Brown, 2011). It is the most secure access control environment, but it requires considerable planning before it can be implemented effectively. Once implemented, it imposes a high overhead on computer management, since the account labels need constant updating.
Role-based access control is another method of controlling access to confidential information in the workplace. It structures access control along real-world lines: access to information is based on the users' job functions within the organization that owns the computer system, and permissions are assigned to every role among the established roles (Teer et al., 2014). For instance, an accountant in the company is assigned the controller role, through which he or she gains access to the information relevant to all accountants. This mechanism lends itself to implementing a separation-of-duties policy, achieved through the static and dynamic regulation of users' actions by establishing and defining roles, role hierarchies, relationships, and constraints.
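The three access control strategies described in the preceding paragraphs (discretionary, mandatory, and role-based) are easiest to compare side by side in code. The following is an added example for this paper, not code from the paper or any cited source. The discretionary object keeps an owner-managed ACL; the mandatory check cross-references a user's clearance against the object's label, using the Bell-LaPadula "read down, write up" rule as an assumed interpretation of the paper's hierarchical approach; the role-based engine resolves a role hierarchy and enforces a static separation-of-duties constraint. The company roles and user names are constructed for the example.

```python
from dataclasses import dataclass, field


# --- Discretionary access control: the owner of each object keeps its ACL ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # principal -> set of permissions

    def grant(self, actor: str, principal: str, perm: str) -> None:
        """Only the owner may change the ACL; that discretion is the model's weak point,
        because any owner can hand out access the organization never intended."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this object")
        self.acl.setdefault(principal, set()).add(perm)

    def allows(self, principal: str, perm: str) -> bool:
        return principal == self.owner or perm in self.acl.get(principal, set())


# --- Mandatory access control: administrator-assigned labels and clearances ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows(clearance: str, label: str, perm: str) -> bool:
    """Bell-LaPadula style (assumed interpretation): a user may read objects at or
    below their clearance and write only at or above it, so secret data cannot
    flow down to a less-cleared reader."""
    c, l = LEVELS[clearance], LEVELS[label]
    return c >= l if perm == "read" else c <= l


# --- Role-based access control with a role hierarchy and separation of duties ---
class Rbac:
    def __init__(self):
        self.parents = {}      # role -> junior roles whose permissions it inherits
        self.role_perms = {}   # role -> set of (resource, perm)
        self.user_roles = {}   # user -> set of directly assigned roles
        self.exclusive = []    # pairs of roles no single user may hold together

    def add_role(self, role, inherits=(), perms=()):
        self.parents[role] = set(inherits)
        self.role_perms[role] = set(perms)

    def exclude(self, role_a, role_b):
        """Static separation of duties: the two roles are mutually exclusive."""
        self.exclusive.append({role_a, role_b})

    def assign(self, user, role):
        roles = self.user_roles.setdefault(user, set())
        if any(pair <= roles | {role} for pair in self.exclusive):
            raise ValueError(f"separation of duties: {user} cannot hold {role} with {roles}")
        roles.add(role)

    def effective_roles(self, user) -> set:
        """Walk the hierarchy so a senior role carries its juniors' permissions."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.parents.get(r, ()))
        return seen

    def allows(self, user, resource, perm) -> bool:
        return any((resource, perm) in self.role_perms[r] for r in self.effective_roles(user))


def build_company() -> Rbac:
    """Constructed example: the paper's accountant/controller case plus an auditor."""
    rbac = Rbac()
    rbac.add_role("employee", perms=[("handbook", "read")])
    rbac.add_role("accountant", inherits=["employee"],
                  perms=[("ledger", "read"), ("ledger", "write")])
    rbac.add_role("controller", inherits=["accountant"], perms=[("ledger", "approve")])
    rbac.add_role("auditor", inherits=["employee"], perms=[("ledger", "read")])
    rbac.exclude("controller", "auditor")   # whoever approves entries must not audit them
    rbac.assign("alice", "controller")
    rbac.assign("bob", "auditor")
    return rbac
```

The contrast the paper draws shows up directly: `DacObject.grant` lets any owner widen access, `mac_allows` never consults the user at all (only the administrator's labels), and `Rbac.assign` is where the separation-of-duties constraint is enforced, before any permission is ever evaluated.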
Remote Access
Another security practice for safeguarding credential information in the workplace is the control of remote access. To provide secure remote access to information, one should carefully evaluate the employees' need to connect remotely (Kaufman et al., 2012). Once an employee's need for access is confirmed, access is granted on a per-user basis. Without such restrictions, users connected to the Internet through remote access would be in a position to do anything from the onsite computer. The most significant security consideration is how the remote clients authenticate.
Computer-level authentication may be used if Internet Protocol Security (IPsec) is used for the VPN connection; it takes place through the exchange of computer certificates or pre-shared keys when the IPsec connection is established. Dial-in users are authenticated using the Remote Authentication Dial-In User Service, also known as RADIUS. When a user logs in, the router sends an authentication request to the RADIUS server (Jain et al., 2010). The communication between the RADIUS server and the client is authenticated and encrypted using a shared secret that is never transmitted over the network, and access is granted to the user.
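The RADIUS exchange just described can be shown with both sides' messages. The following is an added example written for this paper, not code from the paper or any cited source; it implements the Access-Request and Access-Accept/Reject packets of RFC 2865 with only the standard library. The router (NAS) hides the User-Password attribute with MD5 of the shared secret and a fresh Request Authenticator, the server recovers it with the same secret, and the NAS then verifies the Response Authenticator before trusting the reply. The user store, user name, and secrets are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run by a server holding the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The secret enters the hash but never the packet, so only a holder of the
    secret can produce a reply the NAS will accept."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


# --- NAS (router) side ---
def nas_access_request(username: str, password: str, secret: bytes, ident: int = 1):
    request_auth = os.urandom(16)   # fresh per request; also salts the password hiding
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def nas_verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    code, ident, resp_auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: reply is not from a server holding the shared secret")
    return code == ACCESS_ACCEPT


# --- RADIUS server side ---
def radius_server_handle(pkt: bytes, secret: bytes, user_db: dict) -> bytes:
    code, ident, request_auth, attrs = parse_packet(pkt)
    fields = dict(attrs)
    username = fields[ATTR_USER_NAME].decode()
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, request_auth)
    granted = code == ACCESS_REQUEST and user_db.get(username) == password
    reply = ACCESS_ACCEPT if granted else ACCESS_REJECT
    auth = response_authenticator(reply, ident, request_auth, [], secret)
    return build_packet(reply, ident, auth, [])


def authenticate(username, password, nas_secret, server_secret, user_db) -> bool:
    """Full exchange: the NAS builds the request, the server answers, the NAS checks the reply."""
    req, request_auth = nas_access_request(username, password, nas_secret)
    resp = radius_server_handle(req, server_secret, user_db)
    return nas_verify_response(resp, request_auth, nas_secret)


# Constructed user store for the example; a real server would consult its own directory.
USERS = {"alice": b"correct horse battery staple"}
```

Two points for the defender follow from the code. A wrong password yields a clean Access-Reject, but a NAS and server configured with different secrets fail in `nas_verify_response`, which is the symptom to look for when "RADIUS is rejecting everyone" after a secret rotation. And because the hiding scheme is only MD5-based, the shared secret must be long and random and the RADIUS traffic should stay on a management network; the scheme protects the password from casual capture, not from an adversary who can guess the secret.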
Network Security Practices
The administrators need to implement policies that relate to network security. The organization's system combines LANs for various purposes, such as inventory in every store and location. It enables wireless scanning of information for the purpose of controlling and shrinking the credential information (Vacca, 2012). The network is imperative for the organization, since it allows information to be shared; this calls for network security services. The first service is authentication for access to the system, in the form of password-based encryption, taking into account each user's level of access.
Credential information is made available only to users cleared to access it, as the network administrator determines. Authentication is applied whenever information is obtained, to ensure that the user has a reason to access it (Kaufman et al., 2012). Access control to the network is another service. It is the fundamental principle of a high standard of network security, since it ensures that access to the computer system is authorized on a need-to-use basis.
IT Department
The organization's management should create an IT department and split it into two units to handle the functions of information technology. The first unit controls how hardware and software are installed, handles software updates, and handles the granting of access to information to the various users who require it. It should also deal with the day-to-day training the company needs (Stallings & Brown, 2011), including building employees' awareness of how to handle security incidents. The second IT unit should handle the security side: cyber-attacks and natural disasters. It is also expected to plan for power outages and to carry out risk assessments and anything else that concerns the security of the company's information. This leads to an efficient way of handling security issues in the workplace.
Information Security Governance
Governance refers to the way in which the board and executive management of an organization set the responsibilities and practices of the various employees in order to provide strategic direction. It ensures that workers achieve the set objectives. Management also ascertains that risks are managed appropriately and verifies that the enterprise's resources are used responsibly (Teer et al., 2014). The leadership of the security management group has to monitor and manage the whole organizational structure and the processes that safeguard credential information. Information security governance applies the principles of corporate governance: the responsibility of executive management is to provide strategic direction and ensure that the company's objectives concerning security are accomplished.
The executive managers also see that the risks of attacks on credential information are managed appropriately, and validate that resources are used responsibly for information security functions. For effectiveness and sustainability, information security objectives should be addressed at the highest levels of the organization's management team.
The Test Plan for Disaster Recovery
Setting up a test plan for disaster recovery is another significant security practice in the workplace. Security administrators should draw up a definite plan for handling the recovery from a disaster caused by an attack on the information. The first test program is the walk-through, designed to give the whole firm the opportunity to meet and discuss the disaster recovery plan (Teer et al., 2014). It also provides the individual steps to be taken when there is an intrusion. Its purpose is to gather feedback from every department on issues with the disaster recovery plan and to determine the most effective approach for the overall project in the company.
Another method is the simulation, designed to present the company with a mock disaster and test each department's response. It is an effective means of gauging the effectiveness of the disaster recovery plan and how well it works throughout the organization, and it helps employees understand the functions and fundamentals of the plan (Vacca, 2012). The test program should also include checklists that outline the disaster recovery plan and ensure adequate supplies; the list reveals any small issues that may cause bottlenecks or shortfalls in the plan. Another method is parallel testing, performed in conjunction with the checklist test and the simulation test; it involves comparing information from different sources.
Firewall System
Another security practice is incorporating a firewall system into the workplace computers. Several types of firewall system can be incorporated into the computer system. The first is the packet-filtering router firewall, which sorts packets by their contents and their TCP/IP addresses; these are useful as a first line of defense (Ortmeier, 2012). Another is the screened host firewall, which controls access to and from the information on a single host through a router operating at the network layer. The single host is a bastion host: a highly defended, hardened point that can resist attack. This type of firewall is usually adequate and could be a viable choice for most companies with minimal chance of breaches. Another type is the screened subnet firewall (Teer et al., 2014), a variation of the dual-homed gateway and the screened host firewall. It isolates the separate components of the firewall onto different computers, which improves throughput and flexibility. It is therefore the most complex type of firewall, even though it does not add to the complexity of the system's security.
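The packet-filtering router described above decides per packet on addresses, protocol, and port. The following is an added example for this paper, not code from the paper or any cited source: a first-match, default-deny rule evaluator with a constructed rule set for a screened-subnet layout in which a web server sits in a separate network and the LAN is behind it. The address ranges (10.0.0.0/8 for the LAN, 203.0.113.0/24 for the screened subnet, 198.51.100.0/24 for the outside) are documentation ranges chosen for the example, not real infrastructure.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet no rule allows is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule set: public web server 203.0.113.10 in the screened subnet,
# workstations in 10.0.0.0/8. Order matters because evaluation stops at the first match.
RULES = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),            # public HTTPS
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),             # public HTTP
    Rule("allow", src="10.0.0.0/8", dst="203.0.113.0/24", proto="tcp", dport=22),  # admin SSH from LAN only
    Rule("deny",  src="203.0.113.0/24", dst="10.0.0.0/8"),                   # screened subnet never initiates into the LAN
    Rule("allow", src="10.0.0.0/8"),                                         # LAN may initiate anywhere else
]

# Constructed sample traffic for a quick run of the filter.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # visitor to the web server
    Packet("198.51.100.7", "203.0.113.10", "tcp", 22),    # outsider probing SSH
    Packet("10.1.2.3", "203.0.113.10", "tcp", 22),        # administrator from the LAN
    Packet("203.0.113.10", "10.0.0.5", "tcp", 445),       # web server reaching for a file share
    Packet("10.1.2.3", "198.51.100.9", "tcp", 443),       # workstation browsing out
]


def run_filter(rules=RULES, packets=SAMPLE) -> list:
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_filter()):
        print(f"{verdict:5s} {pkt.proto}/{pkt.dport:<4} {pkt.src} -> {pkt.dst}")
```

The fourth rule is what makes the screened subnet worth the extra hardware: if the bastion web server is compromised, the filter still refuses to let it open connections into the LAN, and the only inbound path to it remains the two public ports.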
Conclusion
Security practice is a very significant function in the workplace. There are always customer records, workers' information, and much more confidential information. This paper has discussed the best practices for security measures and security monitoring in the workplace to safeguard confidential information. An organization that follows these practices will have an organizational structure better designed for managing security threats (Eric & Goetz, 2009). The business will not incur much loss through data corruption, and the IT department will spend less on caring for the information, since the information system will be constantly monitored and there will be laid-down procedures for curbing threats. The firm's secrets will also be secure, since surveillance and monitoring of the information keep them safe.
References
Eric, M., & Goetz, E. (2009). Embedding information security into the organization.
Jain, A. K., Ross, A., & Pankanti, S. (2010). Biometrics: A tool for information security. IEEE Transactions on Information Forensics and Security, 1(2), 125-143.
Kaufman, C., Perlman, R., & Speciner, M. (2012). Network security: Private communication in a public world. Prentice Hall Press.
Ortmeier, P. J. (2012). Introduction to security: Operations and management. Pearson Higher Ed.
Stallings, W., & Brown, L. (2011). Computer security: Principles and practice.
Stanton, J. M., & Stam, K. R. (2013). The visible employee: Using workplace monitoring and surveillance to protect information assets--without compromising employee privacy or trust. Information Today, Inc.
Teer, F. P., Kruck, S. E., & Kruck, G. P. (2014). Empirical study of students' computer security practices/perceptions. Journal of Computer Information Systems, 47(3).
Vacca, J. R. (2012). Computer and information security handbook. Newnes.