Tuesday, December 10, 2019

Information Security and Governance for Deorham Corporation

Question: Describe the Report of Information Security and Governance for Deorham Corporation.

Answer:

Introduction

The report highlights the aspects of IT security, governance and ethics in information management for SMEs. The SME chosen for this assessment is Deorham Corporation, whose management perceives security as often being a human issue. The human aspects of information security and governance issues are briefly assessed and discussed. It is also important to note that SMEs depend on information and make extensive use of information systems in their business operations to survive in the competition. SMEs view security outsourcing as an option to protect their information assets and to standardize IT security and governance within their organization. For these reasons, the management of Deorham wishes to outsource its information security to lower costs, but at the same time wishes to understand the security issues involved in outsourcing.

SME Security

Security is highly essential for SMEs because they invest heavily in IT to achieve their objectives in a connected world. SMEs make use of online systems and internet technologies to serve their customers and partners online. In this scenario, the IT systems of SMEs are vulnerable to attacks from external sources on the internet. An example of IT security risk is shown in figure 1.

Figure 1: Illustration of potential threat to a company from the internet (Susanto et al. 2011)

SMEs in their business operations are increasingly reliant on data and privacy. This creates the need for the more robust security measures provided by IT governance, in order to ensure that their IT investments are correctly aligned with their business objectives. IT Governance (ITG) refers to IT leadership and the management of information systems by applying international standards. Global standards in governance include ITIL, COBIT, CMMI, and so on.
These standards provide industry best practices for IT security, ethics and governance processes that can be tailored to any organization to protect information. ITG is viewed as aligning IT strategically with the business so that SMEs can achieve maximum business value, provide effective controls within the organization, ensure accountability, and manage performance and risks. At the same time, establishing ITG requires a significant amount of resources and expertise within the SME (Susanto et al. 2012).

Human Aspects of Security

Deorham decides that security is highly essential in ensuring IT governance, risk management and compliance, but initially would like to assess the human aspects of security. Threats are increasingly attributed to employee behavior, and hence there is a need to implement information security practices and to have all employees adhere to them. Robust security and governance in IT are needed to protect data from threats such as information leaks, email phishing attacks, the increased use of personal devices in business transactions and other IT misuse. Good security practices are also necessary for Deorham to cultivate and reinforce a culture of security in the organization and to avoid internal misuse, along with protection from external threats (Dojkovski et al. 2010). In spite of the growing need for security, Deorham faces problems in managing security effectively. Security issues are mostly related to inadequate employee skills in information security, budget constraints, and the non-availability of adequate resources for information security (Symantec, 2009). In addition, the close link between national culture and SMEs is viewed as another factor influencing individual ethical decision making (Dojkovski et al. 2010) in Deorham. The characteristics found in Deorham include the following.

- The organizational culture of Deorham is more informal in nature, which is typical of many SMEs.

- Due to its SME nature, Deorham has employees responsible for more than one role. In such a situation, employees do not find a formal communication procedure effective. The risk of information leaks and of system vulnerabilities due to shared passwords is an issue.

- Staff in Deorham are more responsive, as their SME culture allows staff to change plans and procedures while executing business processes and operations. This lets managers and staff make quick decisions to meet the demands of their environment (Gupta and Hammond, 2005). This creates a need for a structured ITG framework which is adaptive to changing demands.

- The company is more flexible. New ideas and changes, including changed roles for staff, are adopted quite rapidly in Deorham. In this situation, if the changes are not well documented, they can cause IT security risks (D'Arcy and Greene, 2009). Here IT administrators face the challenge of repeatedly changing passwords and access levels for the areas of the databases in use.

- Deorham relies on particular individuals with high levels of expertise and skill to carry out a particular function, a usual practice in SMEs (Sharifi, 2010).

- SMEs face human issues such as personality clashes which can result in damage to the firm. Deorham is a small environment where, if things go wrong, there are very few options to solve the problem.

- Training is a major challenge faced by SMEs; staff must also be trained on information security and governance aspects.

- SMEs encourage people to pick up new skills and apply them in business areas for new initiatives. This encourages staff to develop an attitude of treating new initiatives as beneficial for Deorham. At the same time, some staff in SMEs demonstrate inadequate skills and knowledge, which forces skilled personnel to apply their expertise in more areas. This leads to SMEs seeking generalists rather than specialists. Deorham must take adequate care that IS security aspects are not lost in the building of staff proficiency in business transactions. The cost incurred by SMEs in employing and supporting staff members is high because staff are required to pick up more than one skill. In Deorham this can also lead to increased costs for software licenses, hardware and other essential tools.

In order to establish ITG for Deorham, the ISO/IEC 38500 standard, which ISO based on the Australian AS 8015 standard (Ramin Communications, 2016), can be applied; it focuses on public and private organizations including SMEs. The standard provides the necessary guidance to ensure ITG while fulfilling ethical obligations. For instance, ISO/IEC 38500 emphasizes the responsibility of individuals and groups to understand their role in ITG, security and ethics. The standard also supports management in implementing policies related to human behavior (Sharifi, 2010) and in making appropriate decisions to overcome challenges in Deorham's IT systems. Deorham can also consider adopting a reference framework such as COBIT or ITIL to overcome its security issues in IS (Olaitan and Flowerday, 2016). For example, the COBIT standard provides control objectives to ensure appropriate enterprise information, using IT resources and processes to respond effectively to business requirements, as illustrated in figure 2.

Figure 2: An illustration of COBIT standard[1]

The management of Deorham must ensure that IT governs three main tasks:

- Evaluating the current and future use of IT
- Aligning IT plans and procedures with business plans and objectives
- Conformance to procedures/plans and monitoring performance against plans

In this manner, human aspects related to IT security and governance issues can be eliminated in Deorham.

Security Outsourcing Assessment

In an SME, IT investments and decision-making processes can have a significant impact on business success.
When IT investments are planned properly, the advantages of implementing an ITG model can enhance competitive advantage and decrease IT failures (Wessels and Loggerenberg, 2006). In view of this, the management of Deorham considers involving external parties to provide the much-needed ITG framework and to establish security and compliance standards. Outsourcing of IT security means that an external organization assumes continuous responsibility for the provision of ITG, security, compliance and risk management for Deorham under a mutually agreed contract known as a service level agreement (SLA). Deorham wishes to outsource its IT security and governance to reduce costs and to focus on core business activities and initiatives (Bachlechner et al. 2014). In recent years more selective models of outsourcing, such as cloud computing models, offer aspects such as security, compliance with ISO standards and ITG (Martens et al. 2011). Cloud is being increasingly adopted by many organizations, and Deorham, in its quest to outsource IT, can consider adopting a cloud model which provides IT services along with security and ITG compliance in accordance with the SLAs given by the cloud service provider. However, it is important to note that there are many factors to consider in outsourcing IT security and deploying ITG mechanisms. Deorham, due to its limited resources and budget, must ensure that IT applications align correctly with business objectives in order to have cost-effective and efficient security governance standards while choosing an outsourcing provider. To implement an ITG framework, Deorham must understand that its owner-manager and employees holding key positions are influenced by external links to some extent (Bergeron et al. 2015). This assumption must also be looked into while assessing ITG, ethics, security and outsourcing.

At a conceptual level, the ITG framework for realizing IT value in the context of SMEs is illustrated in figure 3.

Figure 3: A framework for ITG mechanisms for SME (Bergeron et al. 2015)

There are six major security and governance challenges (Thalmann et al. 2012) quite likely to be faced by Deorham while considering outsourcing. These challenges are:

- Difficulties in security and compliance requirements. This issue is quite possible when IT security is outsourced to one vendor which subcontracts this aspect to other vendors. This is true in the case of the public cloud. Deorham, in order to overcome this challenge, must choose to audit the outsourced vendor to ensure all prerequisites are met in terms of compliance and security. In this way, more control is ascertained.

- Issues of heterogeneity in IT services. Currently, no standard interface for IT services is available. This can lead to problems for Deorham while integrating its internal IT services, security and compliance with an external vendor, and can have a negative impact on IT security.

- Problems of coordination with outsourced parties. These arise if the outsourced vendor has difficulty coping with Deorham's rapidly changing security and compliance requirements.

- Problems in managing relationships. SLAs are the key to documenting agreements between Deorham and the outsourced vendor. However, if the outsourced vendor subcontracts some service to another vendor, this can cause issues for Deorham in monitoring security and compliance with the outsourced vendor.

- Issues of data ownership and data migration. The outsourcing vendor can have access to Deorham's data and hence this aspect requires particular attention. Deorham must ensure that it has full control of its data.

- The issue of security awareness. As discussed in the earlier section, people play a major role in SMEs and it becomes imperative for Deorham to ensure that security and compliance are taken seriously by all staff. In the case of outsourcing, creating awareness of security is highly important and the management must ensure this aspect is taken care of by training all staff.

The above are some of the challenges explored in IT outsourcing. It can be seen that both technical and managerial aspects are involved in outsourcing. Deorham, in order to overcome them, can consider the following points:

- Improving the level of maturity within the firm in terms of technical and process-related standards will help in overcoming issues of IT heterogeneity, data migration and managing relationships (Kotlarsky et al. 2007).

- Sharing and disseminating knowledge can be considered by Deorham in the context of audits, coordinating with vendors and overcoming heterogeneity issues.

- Detailing all aspects of security and compliance in the contract is highly crucial for successful ITG outsourcing. SLAs must clearly define the roles of the involved parties (Joint et al. 2009). Data ownership must also be defined in the SLAs (Karn, 2011).

- Managing the relationship with the outsourced vendor (Ranganathan and Balaji, 2007) is important to improve security and compliance capabilities within Deorham.

- Human resources in Deorham must be managed effectively, as this is clearly associated with coping with the lack of security awareness. Training is important to improve the capabilities of staff and to achieve security and compliance objectives (Levina and Ross, 2003).

- The most important aspect in outsourcing is Deorham's readiness and the extent to which it can engage with an outsourced vendor and establish realistic objectives for its security, compliance and governance. The internal costs and resources must be evaluated thoroughly prior to engaging an external outsourcing vendor (Iacovou and Nakatsu, 2008).

- Deorham must also consider tools such as governance, risk management and compliance (GRC) software.
A GRC tool is software with capabilities to establish appropriate levels of security and compliance standards within the firm based on its requirements. Such a tool can also help in providing an integrated, organization-wide approach to aligning business with technology (Racz et al. 2011). Therefore, Deorham, in order to have a successful outsourcing, must look into all of the aspects discussed above.

Conclusions

The report provides an assessment of security and compliance for SMEs, especially for Deorham Corporation. The recent increase in IT threats has created the need for effective security, compliance and IT governance. Most IT misuse is associated with human behavior, and the main characteristics of staff behavior in relation to IT security, risk and governance are discussed and illustrated. It is highly essential for Deorham to reinforce and cultivate a culture of security and compliance in its organization to protect information assets. In addition to internal misuse, Deorham also has to manage external threats. The options for overcoming challenges due to employee behavior are also briefly summarized for SMEs, which is applicable to this chosen company. The principles and standards in ITG are also briefly explained for use by SMEs. The global standards are highlighted for their application in SMEs. The effect of outsourced governance, security and compliance is evaluated and suggestions are provided for SMEs. In the case of Deorham Corporation, the major security and compliance challenges in relation to outsourcing are highlighted and briefly explained. These challenges can be applied to SMEs in general. It can be noted that outsourcing entails the involvement of two parties agreed on a common goal. Since security and compliance in IT are critical for the business success of SMEs, the challenges for Deorham while considering outsourcing are briefly explained. A conceptual framework for ITG deployment in SMEs is also provided as an example. Six major challenge areas in relation to IT security and governance are highlighted in the report. It is important to note that outsourcing involves both business and technical challenges. The factors for overcoming both of these challenges, along with management perspectives, are also provided in the case of Deorham and can be applied to SMEs in general.

References

Bachlechner, D., Thalmann, S. and Maier, R. (2014) Security and compliance challenges in complex IT outsourcing arrangements: A multi-stakeholder perspective, Computers & Security. 40, pp. 38-40

Bergeron, F., Croteau, A.-M., Uwizeyemungu, S. and Raymond, L. (2015) IT Governance Theories and the Reality of SMEs: Bridging the Gap, 48th Hawaii International Conference on System Sciences, IEEE Computer Society. pp. 4547

D'Arcy, J. and Greene, G. (2009) The Multifaceted Nature of Security Culture and Its Influence on End-User Behavior, Proceedings of IFIP TC 8 International Workshop on Information Systems Security Research, Cape Town, South Africa.

Dojkovski, S., Lichtenstein, S. and Warren, M.J. (2010) Enabling Information Security Culture: Influences and Challenges for Australian SMEs, In 21st Australasian Conference on Information Systems, Brisbane, Australia, 2010. pp. 1-4

Gupta, A. and Hammond, R. (2005) Information systems security issues and decisions for small businesses, Information Management & Computer Security. 13 (4), pp. 297-310

Iacovou, C.L. and Nakatsu, R. (2008) A risk profile of offshore-outsourced development projects, Communications of the ACM. 51 (6), pp. 89-94

Joint, A., Baker, E. and Eccles, E. (2009) Hey, you, get off of that cloud?, Computer Law and Security Review. 25 (3), pp. 270-274

Kotlarsky, J., Oshri, I., van Hillegersberg, J. and Kumar, K. (2007) Globally distributed component-based software development: an exploratory study of knowledge management and work division, Journal of Information Technology. 22 (2), pp. 161-170

Karn, B. (2011) Data security: the case against cloud computing, Canadian Privacy Law Review. 8 (6), pp. 53-64

Levina, N. and Ross, J.W. (2003) From the vendor's perspective: exploring the value proposition in information technology outsourcing, MIS Quarterly. 27 (3), pp. 331-340

Martens, B., Poeppelbuss, J. and Teuteberg, F. (2011) Understanding the cloud computing ecosystem: results from a quantitative content analysis, 10th International Conference on Wirtschaftsinformatik. Zurich, Switzerland. pp. 466-476

Olaitan, O. and Flowerday, S. (2016) Successful IT governance in SMEs: An application of the Technology-Organisation-Environment theory, South African Journal of Information Management. 18 (1). https://dx.doi.org/10.4102/sajim.v18i1.696

Racz, N., Weippl, E. and Seufert, A. (2011) Governance, risk & compliance (GRC) software: an exploratory study of software vendor and market research perspectives, 44th Hawaii International Conference on System Sciences. Kauai, HI, USA: IEEE.

Ramin Communications (2016) AS8015: Australian Standard for Corporate Governance of Information and Communication Technology. Information and Communication Technology Services. [ONLINE] Available at: https://www.ramin.com.au/itgovernance/as8015.html [Last Accessed 6-Sep-2016]

Ranganathan, C. and Balaji, S. (2007) Critical capabilities for offshore outsourcing of IS, MIS Quarterly Executive. 6 (3), pp. 147-154

Sharifi, M. (2010) A proposed ITSM-Lite Framework for Small Medium Enterprise in Developing Countries, PhD Thesis, UTM Press, Malaysia.

Susanto, H., Almunawar, M.N. and Tuan, Y.C. (2011) Information Security Management System Standards: A Comparative Study of the Big Five, International Journal of Electrical & Computer Sciences IJECS-IJENS. 11 (5), pp. 23

Symantec (2009) Symantec Survey Reveals more than Half of Small and Midsized Businesses in Australia and New Zealand Experience Security Breaches. Computer World.

Thalmann, S., Bachlechner, D., Demetz, L. and Maier, R. (2012) Challenges in cross-organizational security management, 45th Hawaii International Conference on System Sciences. Grand Wailea, HI, USA. pp. 5480-5488

Wessels, E. and van Loggerenberg, J. (2006) IT Governance: Theory and Practice. Proceedings of the Conference on Information Technology in Tertiary Education, South Africa, September 2006. pp. 1-3
