- List and describe the options available for the location of the information security functions within the organization. Discuss the advantages and disadvantages of each option.
The information security function should be located where it can best enforce policies within the organization. One option is to place it in the IT department. This location is convenient because the information security staff work with the IT department daily, so their information stays up to date. The IT staff also understand all the technological issues that affect information security and are therefore the best people to handle it. This location, however, can create conflicts of interest among senior employees. It also implies that information security is a technological issue, which it is not. Another option is placement under physical security. This option facilitates communication between individuals with security responsibilities. It also provides a long-term, preventive viewpoint on security activities, which minimizes costs. This option, however, may unintentionally empower the people in charge, who may come to see themselves as exceptional individuals taking part in the criminal justice process, which can create friction between the information security function and the physical security function.
The third option is administrative services. This option acknowledges that all workers should work with the information security department, which then acts as a middle manager between the CEO and the other workers within the organization. The one disadvantage, however, is that the administration does not have full knowledge of information security technology, which may hamper its communication with top management. The last option is the insurance and risk management department. This location is good at prioritizing risk and ensures the information security function is not compromised. On the other hand, the risk manager may lack the necessary IT skills and therefore need extra coaching, which may be costly (Eaton, 2013).
- What are the critical considerations when dismissing an employee? Do these change according to whether the departure is friendly or hostile, or according to which position the employee is departing from?
Security information is critical to an organization and must be handled with care. Whether an employee's dismissal arises from hostile or friendly circumstances, the organization must ensure the employee no longer has access to organizational security information. When an employee is dismissed, all files must be returned to storage or destroyed. The organization must also consider that the employee may have foreseen the termination and started taking information, such as files, home. In such a case, the system should be scrutinized after the employee has left, and any access to the organization's systems by that employee disabled. This is especially important when the employee held a position that handled the company's information. Other considerations include changing door locks, cabinet locks and key card access, and securing removable hardware and media.
- What are the three primary aspects of information security risk management? Why is each important?
The risk management process involves assessing information security risks. This ensures the organization's security requirements are understood, together with all the risks associated with the organization's assets. The three major aspects of information security risk management are the identification of assets, the identification of threats, and the identification of vulnerabilities in the identified assets (Lomas, 2013). Assets are the physical and nonphysical infrastructure of an organization. They are the most important elements in generating the organization's revenue. These assets have economic value that should be protected. The second aspect is threats. Threats have the ability to damage or completely shut down the organization's network and consequently cause heavy losses. They may occur in physical form or in the form of programs such as viruses. Identifying threats is important in order to put preventive measures in place and keep the organizational network safe. The final aspect is vulnerabilities. These are loopholes within an organization that can give a third party access to the system. They pose a great danger because the system can be damaged through them.
Eaton, J. R. (2013). Security and Personnel. Principles of Security Systems.
Lomas, E. (2013). Information Security Risk Management: Handbook for ISO/IEC 27001. Records Management Journal.