Case Study-Identifying Threats as a Chief Information Security Officer

Questions: What are the countermeasures to those threats, and how do they fit within the Situational Crime Prevention framework? How does the current law help or hinder your countermeasures? Are there any proposals for laws that would assist? Is your problem of international scope and, if so, how? Answers: Introduction MacGillivray (2013) presumed that risk assessment determines the qualitative as well as quantitative value if risk in relation to current business situation and related threats. On the contrary, Wilson (2015) argued that being a complete site risk assessment need to follow the rules and regulation of law and maintain the requirements of contractor. However, there are four different processes of risk assessment that allows the comply law and maintain requirement of contractor such as identification of hazards, reviewing effect, assessing risk and applying controls. This report firmly focuses of identifying the threats as a Chief Information Security Officer (CISO) and develops a scope for mitigating threats from the point of view of large organisation. 1. Fits with a profile Policy Profile: In large multinational enterprise, there are there profiles of threats. However, in this report policy profile is selected. As chief information security officer (CISO) in multinational company has to take responsibility of protecting threats of large collection of intellectual property. It needs to prevent because large portion of the business holds this part such as money transaction, communication with the shareholders, online marketing, online targeting, etc. Dlamini (2013) stated that Chief Information Security Officer is plays the important role as a senior level executive in term of aligning initiatives regarding security. Apart from that, Chief Information Security Officer plays the role and responsibility of enterprise programming, set of business objectives that relates to business security, ensure the assets of information security and develop technology for measuring treats as well as protecting those threats. From the point of view of Armstrong et al. (2011), more than 60 percent organisation in corporate industry acknowledge with the presence of their dedicated Chief Information Security Officer. Therefore, Chief Information Security Officer takes the entire responsibility regarding security such as development of proper way for protecting threats in all levels like technological aspects and physical aspects within the workplace of business organisation (Sans.org, 2015). In the organisation, technological aspects are business IT system, communications, applications that perform for risk assessment in external directories of the organisation (Mellott et al. 2012). Moreover, Chief Information Security Officer takes the roles and responsibility of adopting procedure and policies that ensure security in daily operations of the organisations. Apart from that, Chief Information Security Officer also takes the responsibility for security management activities along with the technical and physical security implementation of organisations. In terms of security management activities, Chief Information Security Officer provided training to their staffs for building awareness of security, planning for management if disaster recovery, purchasing of security products such as different types of software like antivirus, development of secure communication and business practice (Hunter, 2011). Furthermore, in order to protect the organisation from security threats, Chief Information Security Officer must ensure the securit y breaches. Within the corporate sector, Chief Information Security Officer plays the following responsibilities such as Figure 1: Roles and Responsibility of Chief Information Security Officer (Source: MacGillivray, 2013, pp- 781) Organisation Representative: Chief Information Security Officer acts as the representative within the organisation with humble respect (Siegel, 2010). Apart from that, they enquiries to the stakeholders of organisation such as partners, customers, target market in terms of security strategy. Law Enforcement Agency: Within the organisation, Chief Information Security Officer is the only person who deals with law enforcement agencies and pursues the source of attack. Moreover, CISO identifies the information theft that caused by the employees of the organisation. Plan and Test: CISO is responsible for security breaches in terms of testing and planning. Balance Security: In order to identify the risk factors and organise strategic business plan by the CISO within the corporate sector. Apart from that, CISO has to take responsibility for determining solution of related problem. Develop security procedure and policies: CISO the most responsible person for developing procedures and policies in order to protect the business application such as information system, database, etc. 2. Profile Completion As a Chief Information Security Officer (CISO) in large multinational enterprise, several problems had been identified such as tax record theft, gap of protection and monitoring, poor e-mailing standard, poor choice of network, social engineering etc. Following diagram display the problems that faced within the workplace of multinational enterprise Figure 2: Identified problems within the multinational enterprise (Source: Created By Author) Problems According to Smith (2013), sophisticated attacks are the real threats against high critical system in network. In corporate IT system, there are several threats that has layered approach towards the enterprise such as Threats 1 (Virus) Threats 2 (Phishing) Threats 3 (Hacks) Threats 4 (Blended Attack) Mellott et al. (2012) argued that shared frequency is the top security threats from the point of view of corporate sector. Michael (2012) stated that more than 72 percent enterprises receive threats emails as well as file. However, according to the survey report of DTI, percentage rate of emails threats raises to 83 percent for large multinational companies. According to the Symantecs Security Threats Report Trojan Horses and Worms is the first class malignancy that damages files in corporate sector. Moreover, due to after attack virus or the virus of back door create many difficulties in IT system. As a Chief Information Security Officer at large multinational enterprise identified that back door virus, generate code that exploits database as well as corporate armour. For example, in 2014 it had been identified that the company left the MyDoom back door. However, the Deadhat and doomjuice subsequently exploited it. As a result, the company face huge challenges such as unable to provide report to high-level management about stock inventory; information related customer was not found in database, information regarding employees and marketplace also missed. Moreover, still the company cannot develop proper procedure in protecting the back door of their IT system. However, the company exposed the primary attack of back door by installing antivirus and activating firewall technology. It is also a big threat that specially occurs in banking sector. Majority of customer of bank received e-mails where they were asked to fill up from with bank details along with user id and password. As Chief Information Security Officer at the large multinational company it had been seen that threats from worms virus is also another problem that dismissed the remote system of PCs for the company especially in their mail server. Worms virus send cascade volumes via e-mails into the mail server of company and attack their services. From the point of view as a Chief Information Security Officer, it was most sophisticated attack. Coronado (2012) argued that majority of mail virus provides malicious code with the e-mail to recipients. It is the smarter technology regarding threats in corporate sector. Majority of companies in corporate sector were threaded by so-called buffer overflows. SQL injection is the technique of hacking in the security industry. SQL injection forces the database and track information from database of the company (Padayachee, 2012). SQL injection hack the information from database that related to public consumption such as details of products, details of contract, price rate of products, etc. During the playing role of CISO in large multination company, it had been seen that plenty of marketers were ready to pay for protecting their business related information and plenty of hackers were worked on this project. According to the founder of NGS software, hackers create a breach during the share of information in network and steal the information. It is the combination of phishing and hacks. Due to this attack, majority of companies is not able to protect valuable information such as consumers information. Solutions In order to mitigate or protect those threats, majority of companies incorporate sector implement firewall protection, installed anti-virus software in their IT system. However, both of these technology only protect the computer from further attacks but unable to prevent the threats that comes vice mass e-mailing. Apart from that, developing firewall protection techniques and installing anti-virus software, companies are not able to protect sophisticated threats like SQL injection. Oshri et al. (2007) argued that in order to protect or combat sophisticated level treats enterprise in business sector need to develop following additional security layers in place of firewall protection and antivirus. IT systems security department has to adopt three layers in terms of protecting sophisticated threats. First Layer Second Layer Third Layer In this layer, group member of IT system has to activate the suspect elements using the prevention technology such as RSS method. Apart from that, has to monitor the anomalous request in e-mails. Intrusion prevention system will be the best method for suspecting threats elements because it monitor the data traffic and watches the unexpected element with deep attention. Moreover, IT department of corporate sector nee to check the new software before going using it in online. Therefore, IT department of the company has to adopt the process of penetration testing for their new software. In the second layer, IT department of the company has to add defences. Virus not only attacks in computer bout also known as the attacker of back door. Therefore, when IT staffs installed antivirus system in their computer need to activate the prevention of back door. Apart from that, Armstrong et al. (2011) suggested IT system for any organisation especially in large multination sector was very much complicated process. Therefore, they need to implement security management system. In this layer, department of IT system needs to represent the good risk assessment. Online system will be the best method in order to bring vulnerability with the high business opportunities. Therefore, they need to implement internet security system with using the calculation of company. They have to select the appropriate vulnerable with protecting measures. It helps in cutting risk. This process will allow in protecting external security threats or sophisticated threats. 3. Situational Crime Prevention Framework In order to mitigate the problem, organisation has to adopt situational crime framework within their IT system. There are various attempt of situational crime prevention framework that helps in organizing security breaches for the multinational company. Ekblom (2010) argued that framework of situational crime prevention provides part view that helps in developing strategies for preventing security virus and phishing as well as blended attacks for the company. Existing Approaches to the situational prevention: Situation crime prevention framework provides the straightforward approach that allows in drawing internal connection between the security breaches for enterprise. Apart from that methodology of situational crime prevention, provide the framework that helps in successful changes via emphasizing the organisational security. Through it, organisation can overlap the spheres of hackers partially. Moreover, Johnson (2008) argued that situational crime gives the instrumental fusion that is allow in developing activity between organisational and traditional crime. Through the situation lens, organisation can scan the security or the malicious code that sent by the hackers via e-mails. Spill over effect of situational crime prevention reduces the opportunities of future security breaches for selected multinational enterprise. On the other hand, Warley (2011) cited that applying the situational crime prevention framework, organisation is able to develop inherent different between the hackers and security of organisation such as tracking the information about products, stolen information about customer base and target market research, etc. On the contrary, Willison Siponen (2009) noted that situational crime prevention scripted the hypotheses structure of knowledge that individually guides the IT staffs routine wise and efficiently increase the flexibility of maintaining proper security and protecting external threats. Apart from that, situational crime prevention provides systematic sequence of preventing security that breaking down the spatially, temporarily, functionally, etc in a strict sequential order. The events of web-interconnected crime were understood by the complex crime. Apart from that, variation of the situational model gives power for controlling equation for territorial. Moreover, Johnson (2008) assumed that offering assistance to other will helps in preventing security attack within IT system. Model of situational crime prevention will be the most valuable profound extension in order to mitigate problem of security within workplace of multinational organisation. Situational crime prevention framework will provide the guideline to Chief Information Security Officer to involve individual staffs as witness of identifying problems in terms of discouraging intervention. This intervention can prevent the network of business and can centre the ecological niches for set up new process of protecting information in network. Most importantly, situational crime prevention framework helps in connecting the IT system with the various forms including structure of logistics, scripts, structure of enterprise, etc. This can help in mitigating security factors tha t determine and discourage threats. 4. Law Boihme (2013) suggested that in order to protect IT system within the multinational enterprise, several law need to implement or involved within the business process, These can allow in maintaining legal compliant in information security system during the time of storing and handling data or information in network. 4.1 Current Law of Multinational Enterprise Privacy and Electronic Communication Regulations 2003: The data protection act section 11 will allows the company in adopting the system that helps in controlling security individually when the organisation received information from direct market. However, the methodology of privacy and electronics communications regulations provides the way of use of electronics and communications media such as e-mails, text, cold calls, etc when use for marketing. Apart from that, this regulation will allow the company for preventing security. Terrorism Act 2006: Garber (2012) depicted that terrorism act 2006 provides the guideline for creating wide range of offences in terms of information security terrorism. In section number 19 within the act, it has been imposed that organisation disclose the rate of hacking information or the security forces from their IT system (Bristol.ac.uk, 2015). It has been also understand that failure in implementing terrorism act cannot disclose relevant information in the internet. Malicious Communication Act 1988: Malicious communication act 1988 allows the company in making legal articles for sending or delivering information to others. In order to send e-mails or text message to the stakeholders such as customer, suppliers, shareholders, etc, malicious communication act provides the purpose of cause anxiety via internet or social networking sites. 4.2 Proposed Laws for Multinational Enterprise Privacy and Electronic Communication Regulations 2011: This law will be better for maintaining information security as a Chief Information Security Officer in the large multinational company. The amendment policy of Privacy and Electronic Communication Regulations act 2011 obliged the company about the use of cookies in their internet websites or received e-mails into mail server (Cs.jhu.edu, 2015). It will allow in seeking the consent for developing more privacy in information system. Digital Economy Act 2010: As the company share information within network and adopt market opportunities based on social media networking websites, this act helps in regulating appropriate media that prevent threats. However, Schneier (2013) explained that digital media act 2010 deals with the online issues such as obligations from the internet service providers, copyright infringement in terms of handling the online security for organisations. 5. International Scope The raised problem within large multinational company not only the problem of that particular company but also it faced by several companies internationally. Viruses It is the common problem in internet security that faced by several companies. It has been potentially identified that majority of companies faced problem due to virus attack. For example, Morris worm affected 10 percent in all computers that connected with the internet in 2008. From the report it has been identified that Morris worm consist more than 60000 computers and access their information. Due to affect of Morris worm various companies in the world missed important files from their computer. Apart from that, the virus that found in IT system of large multinational company named Trojan Horses creates lot of troubles during accessing disks or drive. Phishing It is also an international problem from the point of view of information security. For example, in January 2015, student of Cornell University received e-mails where the subject was IT Service Desk Support. In this mail mentioned that student need to upgrade their personal university email account due to upgrade the system. In order to activate new account student were asking for input bank account details into the mail body. There are also several examples in phishing that generate same problems like large multinational enterprise. Hacking It is the most common term in information security system. Majority of bank industry closely related with this term. It is also in international security threats like large multinational company. There are majority of hackers who tries to hack system in banking sector. As a result banker involve anti hacker in order to protect their information or transaction of money in internet. In 2002, one hacker hack the internal network of New York Time and access several information from their database. Apart from that, in 2013 one hacker hacks the personal Facebook page of Mark Zuckerberg. Blended Attacks This is also important security threat that is seen internationally. Majority of small organisation or computer users are unable to manage security in their own server. Attacker send virus through the emails and access information of the computer. One of the most famous viruses for accessing information was love bug. Conclusion This report deals with the information security system especially threats and solution for those threats. However, this report firmly discuss about the threats of a large multinational enterprise where researcher work as a Chief Information Security Officer (CISO). The potential threats that faced by the company were threats from virus attack, information hacking, phishing, blended attack. However, in order to mitigate the problem provides solutions. Moreover, analyse the threats and its solution with situational crime prevention. Apart from that, in this report analyst represent some laws that relates to information security for the organisation. Reference List Books Boihme, R. (2013). The Economics of Information Security and Privacy. Berlin, Heidelberg: Springer Berlin Heidelberg. Ekblom, P. (2010). Crime prevention, security and community safety using the 5Is framework. Houndmills, Basingstoke: Palgrave Macmillan. Johnson, M. (2008). A typology of domestic violence. Boston: Northeastern University Press. Schneier, B. (2013). Economics of information security and privacy III. New York, NY: Springer. Smith, R. (2013). Elementary information security. Burlington, MA: Jones Bartlett Learning. Warley, R. (2011). Juvenile Homicide. El Paso: LFB Scholarly Pub. LLC. Willison, R., Siponen, M. (2009). Overcoming the insider. Commun. ACM, 52(9), 133. Journals Armstrong, S., Simer, L., Spaniol, L. (2011). Models of technology management at the community college: The role of the chief information officer. New Directions For Community Colleges, 2011(154), 87-95. Coronado, A. (2012). Corporate Computer and Network Security. Journal Of Information Privacy And Security, 8(4), 81-84. Dlamini, R. (2013). The role of the strategic and adaptive Chief Information Officer in higher education. Educ Inf Technol. Garber, L. (2012). Security, Privacy, and Policy Roundup. IEEE Security Privacy Magazine, 10(2), 15-17. Garber, L. (2014). Security, Privacy, Policy, and Dependability Roundup. IEEE Secur. Privacy, 12(3), 6-8. Hunter, M. (2011). Identifying Issues of the Chief Information Officer Role through Qualitative Interviews. International Journal Of Sociotechnology And Knowledge Development, 3(2), 42-52. MacGillivray, B. (2013). Heuristics Structure and Pervade Formal Risk Assessment. Risk Analysis, 34(4), 771-787. Mellott, M., Thatcher, J., Roberts, N., Carter, M. (2012). An Examination of the Role of Military Medical Chief Information Officer. Military Medicine, 177(7), 850-855. Michael, K. (2012). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Computers Security, 31(2), 249-250. Oshri, I., Kotlarsky, J., Hirsch, C. (2007). Information security in networkable Windows-based operating system devices: Challenges and solutions. Computers Security, 26(2), 177-182. Padayachee, K. (2012). Taxonomy of compliant information security behavior. Computers Security, 31(5), 673-680. Siegel, D. (2010). The leadership role of the municipal chief administrative officer. Canadian Public Administration, 53(2), 139-161. Wilson, N. (2015). New Chief Dental Officer: a changed role. Br Dent J, 218(1), 1-1. Websites Cs.jhu.edu, (2015). Retrieved 28 January 2015, from https://www.cs.jhu.edu/~rubin/courses/sp07/Reading/newlawis.pdf Bristol.ac.uk, (2015). Retrieved 28 January 2015, from https://www.bristol.ac.uk/media-library/sites/infosec/migrated/documents/guide.pdf Sans.org, (2015). Retrieved 28 January 2015, from https://www.sans.org/reading-room/whitepapers/assurance/mixing-technology-business-roles-responsibilities-chief-information-security-of-1044