in an Organization
ABSTRACT
Security of information is one of the major concerns for any institution, whether newly founded or long established. The modern world is built on sharing information, but that sharing must be secured, because information in the wrong hands is dangerous. To ensure information security, an organization must take appropriate measures so that no information is leaked or passed to unauthorized users. This article develops and discusses a theoretical framework for securing information, and goes on to discuss the reasons for securing information systems in an organization, the methods used, and the benefits of doing so. After a study of the different information security frameworks in the literature, one comprehensive information security framework has been chosen for this project.
INTRODUCTION
Information security, sometimes shortened to InfoSec, is the practice of protecting information (data) and information systems from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. Information security management is the process of defining the security controls that protect those information assets. An organization has to protect its data adequately, because the consequences of a security breach can be significant for the company's reputation as well as its operations. Today's technology is growing and changing rapidly in our global society, so securing information has become an essential concern for organizations. In networked working environments, technology and people are integrated and work together: employees accomplish their daily tasks and assignments by interacting with information technology, and the systems put in place are chosen to fit the organization's structure and anticipated use.
According to Thomson and Solms (2005), information is a fundamental asset for every organization; protecting information and information systems is therefore unavoidable, and that protection is what information security provides. Information is the lifeblood of a company, since the daily actions of employees and employers all depend on it. Organizations are trying to protect this asset while keeping pace with a changing technological environment. The information to be protected takes many forms (traditional documents, text messages, video, email, audio, RFID data) and lives in many systems and technologies (databases, document and records management, content management systems, social networking tools and mash-ups), and these systems are increasingly hosted externally, for example in cloud computing (Hardy and Williams, 2010).
An information system is the combination of hardware, software, infrastructure and trained personnel organized to support planning, control, coordination and decision making in an organization. Securing an information system therefore means applying controls that keep the information the organization depends on for growth and survival accurate, available and out of the reach of unauthorized users; this is what is meant by information system security. Information security is the protection of information within a business, and of the systems and hardware used to store, process or transmit that information (Whitman and Mattord, 2003).
This paper is theoretical. Because of the importance of information systems to individuals, organizations, government agencies and parastatals, it looks at securing information systems in organizations, and is designed to critically review past studies on the concept of securing information systems (information system security) together with the theoretical framework.
CONCEPTUAL FRAMEWORK
According to Bocij et al. (1999), controls on information systems rest on two underlying principles: ensuring the accuracy of the data held by the organization, and protecting the information against loss or damage that would be detrimental to the organization. The organization must therefore make sure that information comes from the right source and is free of bias, and that data are collected and processed using appropriate techniques. Information must also be backed up so that it can be restored when it is lost or damaged; a backup that has never been test-restored should not be counted on.
Design safe systems. Reduce exposure to hackers and thieves by limiting access to your technology infrastructure. Minimize points of failure by eliminating unnecessary access to hardware and software, and restrict each user's and each system's privileges to only the equipment and programs actually needed (the principle of least privilege). Wherever possible, limit the scope of potential damage to your networks by using a separate set of email addresses, logins, servers and domain names for each user, work group or department, so that a compromise in one does not automatically reach the others.
Conduct screening and background checks. While rogue hackers get most of the press, many unauthorized intrusions originate inside the network perimeter, from staff or from accounts that are already trusted. Screen all prospective employees, from the mailroom to the executive suite. Beyond simply calling references, verify their credentials as well. An initial trial period, during which access to sensitive data is either prohibited or limited, is also recommended, and it does no harm to monitor new employees for suspicious network activity.
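The monitoring suggested at the end of the paragraph above can be made concrete as a detection rule run over access logs. The Python below is an added example and not code from the original article: the log lines, hire dates, 90-day trial period and sensitive-path prefixes are all constructed assumptions, and the log format is an invented key=value layout rather than any real product's.

```python
from datetime import datetime, timedelta

# Constructed hire dates for a hypothetical organisation (not real people).
HIRE_DATES = {
    "alice": datetime(2019, 6, 1),
    "bob": datetime(2024, 2, 20),   # still inside the trial period
}
TRIAL_PERIOD = timedelta(days=90)          # assumed length of the initial trial period
SENSITIVE_PREFIXES = ("finance/", "hr/")   # assumed paths that hold sensitive data
BULK_THRESHOLD = 3                         # distinct sensitive files per window that triggers an alert
BULK_WINDOW = timedelta(hours=1)

# Constructed access-log lines in an invented key=value layout (no real product's format).
SAMPLE_LOG = """\
2024-03-04T09:12:00 user=alice action=read resource=finance/budget-2024.xlsx
2024-03-04T09:15:00 user=bob action=read resource=wiki/onboarding.md
2024-03-04T22:41:00 user=bob action=read resource=finance/payroll-q1.xlsx
2024-03-04T22:43:00 user=bob action=read resource=finance/payroll-q2.xlsx
2024-03-04T22:47:00 user=bob action=read resource=hr/salaries.csv
2024-03-05T10:02:00 user=alice action=read resource=hr/headcount.csv
"""


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_suspicious_access(log_text, now=datetime(2024, 3, 6)):
    """Return alerts as (user, rule, detail) tuples.

    Rule 1: an account in its trial period (or with no known hire date at all)
            should not touch sensitive data; every such read is flagged.
    Rule 2: any account reading BULK_THRESHOLD or more distinct sensitive files
            within BULK_WINDOW is flagged once for bulk collection.
    """
    alerts = []
    sensitive_by_user = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, resource, ts = ev["user"], ev["resource"], ev["ts"]
        if not resource.startswith(SENSITIVE_PREFIXES):
            continue
        sensitive_by_user.setdefault(user, []).append((ts, resource))
        hired = HIRE_DATES.get(user)
        if hired is None or now - hired < TRIAL_PERIOD:
            alerts.append((user, "trial-period-sensitive-access", resource))

    for user, reads in sensitive_by_user.items():
        reads.sort()
        for start, _ in reads:
            window = {r for t, r in reads if start <= t < start + BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                alerts.append((user, "bulk-sensitive-access",
                               f"{len(window)} files within an hour from {start.isoformat()}"))
                break
    return alerts
```

On the constructed log, the long-serving user triggers nothing, while the new hire is flagged three times for touching sensitive files during the trial period and once more for pulling three of them in under an hour late at night. Unknown accounts are treated like trial-period ones, which is the safer default when an access log names a user the HR system has never heard of.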
Provide basic training. Countless security breaches occur as a result of human error or carelessness. You can help build a corporate culture that emphasizes computer security through training programs that warn of the risks of sloppy password practices and careless use of networks, programs and devices. All security measures, from basic document-disposal procedures to the protocol for handling a lost or forgotten password, should be second nature to members of your organization.
Avoid unknown email attachments. Never click on unsolicited email attachments, which can carry viruses, Trojan programs or computer worms. Before opening one, confirm the message contents with the sender through a channel other than the email itself, since the sender address may be spoofed. If you are unfamiliar with the source, err on the side of caution: delete the message, then consider blocking the sender's address and warning others to do the same.
Hang up and call back. So-called "social engineers", con artists with a gift for gab, prey on unsuspecting victims by pretending to be someone they are not. If a purported representative of the bank or a strategic partner calls seeking sensitive data, end the call. Then dial your direct contact at that organization, or one of its published numbers, to confirm the call was legitimate. Never try to verify a suspicious call with a number provided by the caller.
Think before clicking. Phishing scams work by sending innocent-looking emails from apparently trusted sources asking for usernames, passwords or personal information. Some scam artists even create fake Web sites that encourage potential victims to enter the data themselves. Always go directly to a company's known Internet address, or pick up the phone, before providing such information or clicking on suspicious links.
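The checks a careful reader applies to a suspicious message (does the visible link text point where the href really goes, does the Reply-To match the From, is the domain a look-alike of a trusted one) can be automated before the message reaches a user, and they cover both the attachment advice and the phishing advice above. The Python below is an added example, not code from the original article: the two sample messages are constructed, the trusted-domain list is hypothetical, and the homoglyph table covers only the digit-for-letter swaps the sample uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first has the shape the text
# warns about: a From header on a trusted domain, a Reply-To somewhere else, and
# visible link text naming the bank while the href points at a look-alike host.
PHISHING_EMAIL = """\
From: "Example Bank Support" <support@examplebank.com>
Reply-To: support@examplebank-secure.net
To: employee@corp.example
Subject: Verify your account
Content-Type: text/html

<html><body><p>Please verify your login at
<a href="http://examp1ebank.com/login">https://examplebank.com/login</a>
within 24 hours.</p></body></html>
"""
BENIGN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: employee@corp.example
Subject: Maintenance window
Content-Type: text/html

<html><body><p>Details: <a href="https://corp.example/maint">maintenance page</a></p></body></html>
"""
# Hypothetical allow-list of domains the organisation actually deals with.
TRUSTED_DOMAINS = {"examplebank.com", "corp.example"}
# Digits commonly substituted for letters in look-alike domain names.
_HOMOGLYPHS = str.maketrans("10", "lo")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Simplification: ignores multi-label public
    suffixes such as co.uk, which the sample data does not use."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def domain_of_url(text):
    parsed = urlparse(text if "://" in text else "http://" + text)
    return registrable_domain(parsed.hostname or "")


def domain_of_header(msg, name):
    addr = parseaddr(msg.get(name, ""))[1]
    return registrable_domain(addr.rpartition("@")[2]) if addr else ""


def looks_like(candidate, trusted):
    """True if candidate equals trusted once homoglyph digits are normalised."""
    return candidate != trusted and \
        candidate.translate(_HOMOGLYPHS) == trusted.translate(_HOMOGLYPHS)


def analyze_email(raw):
    """Return the list of phishing indicators found in an RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of_header(msg, "From")
    reply_domain = domain_of_header(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    collector = _LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode("utf-8", errors="replace"))
    for href, text in collector.links:
        target = domain_of_url(href)
        # Visible text that is itself a URL must agree with where the link really goes.
        if re.match(r"^(https?://|www\.)", text) and domain_of_url(text) != target:
            findings.append(f"Link text shows {domain_of_url(text)} but href goes to {target}")
        if target not in TRUSTED_DOMAINS:
            findings.append(f"Link target {target} is not a trusted domain")
        for trusted in sorted(TRUSTED_DOMAINS):
            if looks_like(target, trusted):
                findings.append(f"{target} resembles trusted domain {trusted}")
    return findings
```

Run against the constructed phishing message this returns four findings (mismatched Reply-To, link text that disagrees with the href, an untrusted target, and a look-alike of a trusted domain), and nothing for the benign helpdesk mail. A real deployment would replace the two-label domain heuristic with a public-suffix list and extend the homoglyph table, but the structure of the checks stays the same.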
Use a virus scanner, and keep all software up to date. Whether working at home or on an office network, it pays to install basic anti-virus capability on your PC; many network providers now offer such applications for free. Keeping software of all types up to date is also imperative, including scheduling regular installation of security updates, which help guard against new viruses and variations of old threats. Turn on automatic updates where the software supports them, so the schedule does not depend on someone remembering it.
Keep sensitive data out of the cloud. Cloud computing offers businesses many benefits and cost savings, but such services can also pose additional threats, as data are housed on remote servers operated by third parties who may have security issues of their own. With many cloud-based services still in their infancy, it is prudent to keep your most confidential data on your own networks, and to check a provider's security controls and contractual commitments before entrusting anything else to it.
Stay paranoid. Shred everything, including documents that carry corporate names, addresses and other information, and the logos of vendors and banks you deal with. Never leave sensitive reports out on your desk or otherwise accessible for any sustained period of time, let alone overnight. Change passwords whenever they may have been exposed, especially if you've shared one with an associate. It may seem obsessive, but a healthy dose of paranoia could prevent a major data breach.