What is the purpose of information security?

There are many reasons why you should protect the information you use on your computer, including:

· Ensuring that your information remains confidential, so that only those who should be able to access it can do so (confidentiality)

· Knowing that no one has been able to change your information without authorization, so you can depend on its accuracy (integrity)

· Making sure that your information is available when you need it, for example by making backup copies and, where appropriate, storing them off-site (availability)

Together these three goals are usually called the CIA triad: confidentiality, integrity and availability.


What does a manager have to do if the information is not accurate, safe or relevant?

If the information is not accurate, safe or relevant, the manager has to have it collected again and examine the collection process to see why it fell short. Once the accurate information needed has been obtained, a security policy should be established and maintained so that the same failure does not recur.

What are the stages in securing information?

1. Manage Your Technology Life Cycle

Old computer technology is usually less secure than new technology: once hardware or software leaves vendor support it stops receiving security patches, and it lacks the newer protections (such as intrusion prevention) that current products build in. One of the best things you can do to protect your business is to keep your technology current and supported.

In fact, you should develop a technology life-cycle plan for all of your computer hardware and software assets. Consider replacing computers after four years, and budget 25% each year for new technology to replace the old.

2. Establish a Password Policy

This one is really simple: make sure your computers, servers, Wi-Fi connections, etc., all require authentication. Adding open devices and connections to your network is just inviting trouble.

Close those connections now, giving each user a unique account and password. Use strong passwords, as many security professionals (and companies like Microsoft) have been recommending for some time; length does more for strength than arbitrary complexity rules. Require that passwords be replaced every month or every quarter, or, following the more recent NIST SP 800-63B guidance, drop scheduled rotation and instead change a password whenever there is evidence it has been compromised. Lock out an account after “n” failed login attempts. Disable past employees’ accounts immediately.
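The two mechanical parts of the policy above, storing passwords so that a stolen database does not hand out the passwords themselves, and locking an account after “n” failures, look like this in code. This is an added example, not code from the original post; the policy values (12-character minimum, 5 attempts, 15-minute lockout) and the `LoginGuard` class are assumptions for the illustration.

```python
"""Added example: salted password hashing plus lockout after N failed attempts.
Not from the original post; policy numbers below are assumed values."""
import hashlib
import hmac
import secrets
import time

MIN_LENGTH = 12           # assumed policy: minimum password length
MAX_FAILURES = 5          # assumed: the "n" failed attempts before lockout
LOCKOUT_SECONDS = 900     # assumed: 15-minute lockout
PBKDF2_ROUNDS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256
_DUMMY_SALT = b"\x00" * 16


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hash_password(password: str):
    """Return (salt, hash) for storage. The password itself is never stored."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password must be at least %d characters" % MIN_LENGTH)
    salt = secrets.token_bytes(16)
    return salt, derive(password, salt)


class LoginGuard:
    """Per-account credential check with lockout after MAX_FAILURES bad attempts."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the lockout can be tested
        self._users = {}           # username -> (salt, hash)
        self._failures = {}        # username -> consecutive failures so far
        self._locked_until = {}    # username -> unix time at which the lockout ends

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def disable_user(self, username: str) -> None:
        """For departed employees: remove the credential so no login can succeed."""
        self._users.pop(username, None)

    def is_locked(self, username: str) -> bool:
        return self._now() < self._locked_until.get(username, 0)

    def login(self, username: str, password: str) -> bool:
        if self.is_locked(username):
            return False           # do not even check the password while locked
        salt, stored = self._users.get(username, (None, None))
        if stored is None:
            derive(password, _DUMMY_SALT)   # same cost for unknown users: no timing oracle on names
            self._record_failure(username)
            return False
        if hmac.compare_digest(derive(password, salt), stored):
            self._failures.pop(username, None)
            return True
        self._record_failure(username)
        return False

    def _record_failure(self, username: str) -> None:
        count = self._failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            self._locked_until[username] = self._now() + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        else:
            self._failures[username] = count


if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_user("alice", "correct horse battery staple")
    print(guard.login("alice", "wrong guess"))                    # False
    print(guard.login("alice", "correct horse battery staple"))   # True
```

The lockout counts failures per account, which stops online guessing against one user; it does not by itself stop an attacker who tries one common password against every account, so the log monitoring under point 10 is still needed.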

3. Back Up Your Data Frequently

Everyone I talk to says they have a backup plan and, of course, they perform backups. But are their servers backed up frequently enough? And what about individual PCs: do they hold data or apps that aren’t on the servers? Are they backed up, ever? Should they be?

Are backups taken off-site? Have you tried to restore your backups to a computer that is NOT in the original location? Are you using cloud-based apps but wonder if your cloud-based data are backed up appropriately? Keep at least one copy offline or otherwise out of reach of your network, so that an attacker who gets into your systems cannot delete or encrypt the backups as well.

And have you tested your backup process lately? Trust me: when you’re trying to recover your system from an attack or a fatal system error is not when you want to find out your backup process doesn’t work. A backup is only proven when you have restored from it somewhere else and checked the restored files against the originals.
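What “test your backup process” means in practice is a restore drill: back up, restore to a different location, and compare every restored file against a checksum manifest taken at backup time. The following is an added example, not code from the original post; the directory names, the sample files and the `restore_drill` helper are constructed for the illustration.

```python
"""Added example: backup, restore to a different location, verify by SHA-256
manifest. Not from the original post; sample data is constructed inline."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of source and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into a fresh location, never over the original."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")   # refuses entries that escape target
        except TypeError:                            # Python without the filter argument
            tar.extractall(target)


def verify_restore(expected: dict, restored: Path) -> list:
    """List every file that is missing, changed or unexpected after the restore."""
    actual = manifest(restored)
    problems = [f"missing: {rel}" for rel in expected if rel not in actual]
    problems += [f"corrupt: {rel}" for rel, h in expected.items()
                 if rel in actual and actual[rel] != h]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in expected]
    return sorted(problems)


def restore_drill(tamper: bool = False) -> list:
    """Back up constructed sample data, restore it elsewhere and verify it.
    With tamper=True one restored file is altered to show the check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "server_data"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")  # constructed
        (src / "notes.txt").write_text("quarterly review\n")               # constructed
        expected = backup(src, tmp / "nightly.tar.gz")
        site = tmp / "recovery_site"    # a different location, as an off-site drill would use
        restore(tmp / "nightly.tar.gz", site)
        if tamper:
            (site / "accounts" / "ledger.csv").write_text("id,amount\n1,999\n")
        return verify_restore(expected, site)


if __name__ == "__main__":
    print("clean drill:", restore_drill() or "OK")
    print("tampered drill:", restore_drill(tamper=True))
```

Store the manifest with the backup (and a copy elsewhere); comparing against it is what turns “we have a backup” into “we have a backup we know restores correctly”.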

4. Use Malware and Virus Protection

It happens — people inadvertently download something they shouldn’t (social engineering techniques are that effective). The next thing you know, that computer — even your whole network — is compromised.

You need to develop a computer security policy. Consider centralizing your anti-virus and anti-spyware management instead of having each user responsible for their own devices. Enable frequent virus scanning and frequent, automatic updates. Monitor your anti-virus subscriptions — you can’t afford to let them lapse.

5. Secure Your Mobile Devices

Your company may be facing increasing liability exposure from employees housing data on PDAs, laptops, or cellphones. If your employees have access to sensitive information (think “WikiLeaks”), you need to develop a Mobile Device Management Plan that addresses digital rights management, data loss prevention, data security, and other IT internal controls. Consider anti-virus device security and data protection that includes the ability to wipe a device remotely in case it is lost, stolen or misused; full-disk encryption on laptops and phones means a lost device is not automatically a data breach.

And, if you don’t want employees using their personal devices to handle company information…what’s your policy on that and how do you enforce it?

6. Train Your Employees

Imagine you’ve created a new password policy, invested in anti-virus software, and developed a Mobile Device Management Plan but you haven’t told anyone. How useful will those measures be?

You must communicate your policies and train your employees how to implement computer security methods. You can’t just tell everyone in an email that “here’s our policy”, and leave it at that. You have to show everybody how important it is and how it’s done.

You have to ensure that all employees understand the new password policy, how anti-virus software keeps your computer safe, what “acceptable use” is, and the importance of protecting their mobile devices.

7. Restrict Access to Your Data

Microsoft Windows, Linux, and other operating systems have their own kinds of user access controls. Using them means you have to identify what each user login requires for data, network, or peripheral access (e.g., read only, read/write, execute) and grant no more than that, which is the principle of least privilege. If you allow too much freedom of access, you increase the risk of misuse, data loss, etc., but if you make restrictions too tight, you’ll get far too many user complaints. There’s a very fine line between too much and too little; that line often isn’t easy to find, and it moves around a lot. Review permissions periodically, because they tend to accumulate as people change roles.
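On Linux the first, cheapest check is whether files holding sensitive data are readable or writable by everyone on the machine. The script below is an added example, not code from the original post: it audits a directory that is assumed to hold confidential data (so even world-readable counts as a finding), optionally tightens offending files to owner read/write and group read, and reports what it found. The directory layout, file names and the 0640 target mode are constructed for the illustration.

```python
"""Added example: least-privilege audit of a sensitive data directory on a
Unix-like system. Not from the original post; sample files are constructed."""
import os
import stat
import tempfile
from pathlib import Path

OWNER_RW_GROUP_R = 0o640   # assumed target: owner read/write, group read, nobody else


def audit(root: Path, fix: bool = False) -> dict:
    """Return {relative_path: [problems]} for regular files under root.
    With fix=True, offending files are chmod'ed to OWNER_RW_GROUP_R."""
    findings = {}
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue                      # directories and symlinks are out of scope here
        perms = stat.S_IMODE(st.st_mode)
        problems = []
        if perms & stat.S_IWOTH:
            problems.append("world-writable")
        elif perms & stat.S_IROTH:
            problems.append("world-readable")
        if perms & stat.S_IWGRP:
            problems.append("group-writable")
        if perms & (stat.S_ISUID | stat.S_ISGID):
            problems.append("setuid/setgid")
        if problems:
            findings[str(path.relative_to(root))] = problems
            if fix:
                os.chmod(path, OWNER_RW_GROUP_R)
    return findings


def demo(fix: bool) -> dict:
    """Build a small constructed tree with one weak setting beside a correct one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll").mkdir()
        salaries = root / "payroll" / "salaries.csv"
        salaries.write_text("name,salary\n")      # constructed sample data
        os.chmod(salaries, 0o666)                  # the weak setting: anyone can edit it
        readme = root / "README.txt"
        readme.write_text("public notice\n")
        os.chmod(readme, 0o644)                    # readable by every local account
        policy = root / "payroll" / "policy.txt"
        policy.write_text("internal\n")
        os.chmod(policy, 0o640)                    # the corrected setting
        before = audit(root, fix=fix)
        after = audit(root)
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo(fix=True)
    for rel, problems in result["before"].items():
        print(f"{rel}: {', '.join(problems)}")
    print("after fix:", result["after"] or "no findings")
```

Run it with `fix=False` first and read the findings; only apply the fix once you know which group owns the directory, otherwise you may lock out the people who need the data.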

8. Implement a Contingency Plan

A computer, IT, or data center disaster recovery plan is an important element of securing your computer data. There is more to worry about than hackers and trusting (or untrustworthy) employees: acts of nature threaten your business’s continuity, too.

You never know when fire, flood, tornado, riots/uprisings, robbery, or other catastrophic events will occur, but if one (or more) of them does strike, how long will it take you to get your business back online? Without a disaster plan in place, it will take too long.

Your plan should cover hardware and software replacement, data recovery, and key configuration, restoration, or installation details. It should include the relevant software license numbers, insurance policy numbers, and key contractor or supplier contact numbers. It should cover testing, validation, and performance criteria. Keep a printed or off-site copy of the plan itself, since the systems it normally lives on may be the ones that are down. Furthermore, you need to thoroughly test your recovery plan before you need it.

9. Block Would-Be Intruders from Your Network

First, you can’t do this perfectly, but you can at least make it more difficult by installing a business-class firewall and updating it regularly. Configure it to deny by default and open only the ports you actually use. Don’t use the old WEP wireless security (see #1, above); invest in newer, stronger technology like WPA2 (or WPA3 where your equipment supports it). Always make sure you’re up on the latest threat prevention methods.

Restrict DNS zone transfers (AXFR) to your own secondary name servers; an open zone transfer lets an attacker read your entire DNS zone and obtain a list of your servers. Add an Intrusion Prevention System (IPS) that monitors network and system events for malicious activity and blocks it.

10. Close Holes in Your Security

As we often say in the quality field, “You don’t know what you don’t know.” This is true for security as well. To find the holes in your computer security system, perform some type of regular security audit and network inspection. Check your firewall and server logs for signs of threat, such as bursts of failed logins from one address, a successful login right after such a burst, or traffic to ports you do not expose.
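Checking server logs “for signs of threat” is easiest to see on a concrete case. The script below is an added example, not code from the original post: it parses sshd-style auth log lines, flags any source address with five or more failed logins inside a sliding one-minute window, and notes a later successful login from that address, which is the pattern of a guessed password. The log lines are constructed for the example (documentation IP ranges, an assumed year, since syslog lines carry none), and the thresholds are assumptions.

```python
"""Added example: brute-force detection over sshd auth log lines.
Not from the original post; the log sample is constructed, not a real capture."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar  3 10:14:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Mar  3 10:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 51238 ssh2
Mar  3 10:14:08 web1 sshd[2207]: Failed password for bob from 203.0.113.9 port 51240 ssh2
Mar  3 10:14:11 web1 sshd[2209]: Failed password for bob from 203.0.113.9 port 51242 ssh2
Mar  3 10:14:15 web1 sshd[2211]: Failed password for bob from 203.0.113.9 port 51244 ssh2
Mar  3 10:14:20 web1 sshd[2213]: Accepted password for bob from 203.0.113.9 port 51246 ssh2
Mar  3 10:20:00 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:20:40 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:21:02 web1 kernel: iptables DROP: IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=3389
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
LOG_YEAR = 2024   # assumed: syslog timestamps carry no year


def parse(text: str) -> list:
    """Turn sshd auth lines into (time, result, user, ip); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events: list, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag any source IP with `threshold` failures inside a sliding window, and
    record a later successful login from that IP (a likely compromised account)."""
    recent = defaultdict(deque)       # ip -> timestamps of failures still in the window
    alerts = {}
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "success_after_burst": None})
                alert["failures"] = max(alert["failures"], len(window))
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after_burst"] = user
    return alerts


def analyze_sample() -> dict:
    return find_bruteforce(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, alert in analyze_sample().items():
        print(f"{ip}: {alert['failures']} failed logins within a minute; "
              f"later success as {alert['success_after_burst']}")
```

The single failure from 198.51.100.7 followed by a key-based login is normal user behaviour and is not flagged; the burst from 203.0.113.9 ending in an accepted password for bob is the line worth a phone call, and it is also the case a per-account lockout (point 2) would not have stopped, because the attacker rotated usernames.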

See that you’ve implemented measures to address the first nine points above. Secure your computer network. Enable automatic updates. Deploy Windows Server Update Services (WSUS) and Windows Update for all PCs and workstations. Be sure your anti-virus and other malware prevention systems are being automatically and regularly updated.

I also recommend hiring an independent computer security expert to audit your information security system and conduct system tests (penetration testing, leak testing, etc.) from time to time. You can also look for software applications that scan your installed software to identify potentially unsafe (e.g., out-of-date) programs and point you to the latest patches; the Secunia Personal Software Inspector (a free download at the time of writing, since discontinued) was one such tool.


Decision Making

Decision making can be classified as either structured or unstructured. Why is top level management more associated with unstructured decisions, while the lower level has more contact with structured decisions?

Top Management

The top level of management deals with decisions that are the broadest in scope and cover the widest time frame. Typical titles of managers at this level are chief executive officer (CEO), chief operating officer (COO), chief financial officer (CFO), treasurer, controller, chief information officer (CIO), executive vice president, and senior partner. Top management consists of only a few powerful people, who are in charge of the four basic functions of a business: marketing, accounting and finance, production, and research and development. Decisions made at this level are unpredictable, long range, and related to the future, not just to past and/or current activities. Therefore, they demand the most experience and judgment. Examples of unstructured decisions include setting five-year goals for the company, evaluating future financial resources, and deciding how to react to the actions of competitors.

Lower management

The largest level of management, lower (operational) management, deals mostly with decisions that cover a relatively narrow time frame. Lower management, also called supervisory management, actualizes the plans of middle management and controls daily operations: the day-to-day activities that keep the organization humming. Most decisions at this level require easily defined information about current status and activities within the basic business functions; for example, the information needed to decide. This information is generally given in detailed reports that contain specific information about routine activities. These reports are structured, so their form can usually be predetermined. Daily business operations data is readily available, and its processing can be easily computerized. Managers at this level typically make structured decisions. A structured decision is a predictable decision that can be made by following a well-defined set of predetermined, routine procedures.

What is a Decision Support System?

A decision support system (DSS) is a computer-based information system that supports business or organizational decision-making activities. DSSs serve the management, operations, and planning levels of an organization and help to make decisions, which may be rapidly changing and not easily specified in advance.

DSSs include knowledge-based systems. A properly designed DSS is an interactive software-based system intended to help decision makers compile useful information from a combination of raw data, documents, personal knowledge, or business models to identify and solve problems and make decisions.

Information

· Why must information be managed properly by the levels of management?

Information is needed for decision making at all levels of management.

Managers at different organizational levels make different types of decisions, control different types of processes, and have different information needs.

Three classical levels of management include:

o Strategic (top management)

It entails specifying the organization's mission, vision and objectives, developing policies and plans, often in terms of projects and programs, which are designed to achieve these objectives, and then allocating resources to implement the policies and plans, projects and programs.


o Tactical (middle management)

Middle, or tactical, managers receive strategic decisions from above as general directives. Using those directives as guidelines, they develop tactics to meet those strategic directives. That is, they make decisions concerning how and when specific resources will be utilized. Usually, a middle manager will be responsible for several operational managers.


o Operational (lower management)

Operational managers are responsible for daily operations. They make decisions concerning a narrow time span about the deployment of small groups of clerical and/or shop floor workers.


· Information needed by the manager must have a value that is: up to date, detailed and accurate. Try to explain the purpose of these points and give examples of your answers!

o Accurate (information which is reasonably determined to be factually correct)

o Up To Date ( reflecting the latest information or changes)

o Detailed (complete information including all the facts)

Ex: in order to check whether or not a hotel is profitable, management requires a revenue report. This report should be accurate (exact figures), up to date (the latest report) and detailed (complete information to support the conclusion).

· Try to describe what information is needed by the managerial level in carrying out its functions in terms of planning, organizing and controlling

o Planning
The planning function establishes goals and objectives to pursue during a future period. It spans all levels of management. Top managers are involved in strategic planning that sets broad, long-range goals for an organization. These goals become the basis for short-range, annual operational planning, during which top and middle managers determine specific departmental objectives that will help the organization make progress toward the broader, long-range goals.

Ex: General Manager determines the objectives, policies and plans of the hotel.

o Organizing

Organizing is management’s plan for obtaining the objectives of the establishment through the arrangement of positions, job tasks and people.

Ex: The HOD (head of department) analyzes job descriptions and sets the tasks for each position.

o Controlling

The process of control is to measure progress, compare it with plans or standards and take corrective action.

Ex: The front office supervisor supervises all front desk procedures (reservations, reception, operator, etc.) set by higher management.
