Monday, February 17, 2020

Assessment of Technology centric Strategies for information security Essay

Assessment of Technology centric Strategies for information security in an organization - Essay Example

It is a "best practices" strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations." [National Security Agency]

Fahey (2004) graduated from the SANS GSEC course and uses their systematic approach to addressing risk through defense in depth. The SANS approach promulgates an efficient and cost-effective methodology for improving security. The organization for which he works already had a number of policies, each designed to address a multi-layered approach to IT security, such as operations security, physical security, and contingency and disaster recovery. Furthermore, external security personnel routinely came to the organization to perform security audits. He was concerned that one area which had not been addressed was: "a systematic procedure designed to protect against electronic attacks from hackers. This was due in part to the false sense of security which comes from being behind a firewall and partly from a lack of experience in the information security field." (Fahey, 2004, p3)

In putting together a Defense in Depth security policy, one must consider the characteristics of one's adversary, the motivation behind an attack, and the class of attack. An adversary may be anyone from a competitor to a hacker. They may be motivated by theft of intellectual property, denial of service, or simply pride in bringing down a target. Classes of attack include passive or active monitoring of communications, identity theft, or close-in attacks. Besides deliberate attacks there may also be inadvertent attacks on the system, such as fire, flood, power outages - and most frequently - user error.
Information Assurance is achieved when information and information systems are protected against such attacks through the application of security services such as: Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. The application of these services should be based on the Protect, Detect, and React paradigm. This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these attacks. No system is perfectly secure, and it has been argued that no system needs to be.

To achieve Information Assurance, focus must be balanced on three elements: People, Technology and Operations. "Security goals have their own contradictions because confidentiality, integrity, privacy, accountability, and recovery often conflict fundamentally. For example, accountability requires a strong audit trail and end-user authentication, which conflicts with privacy needs for user anonymity." (Sandhu 2004, page 3)

Fahey's methodology for evaluating risk used the confidentiality, integrity, and availability (CIA) approach, which emphasizes the importance to the organization of a particular information asset. This approach focuses budget managers on the real threats to reputation and therefore the business's ability to survive against its competitors. Fahey focuses on 3 security risks in his article: passwords, policies and patches. Fahey's risk assessment relies heavily on the SANS assessment of the top 20 risks for networks in 2003/4. This brings to light the

Monday, February 3, 2020

IBM in 2009 Case Study Example

IBM in 2009 - Case Study Example

IBM was facing competition from low-cost network servers in the markets. In addition, the markets had cheap alternative products, for example, PCs. The company faced challenges in owning its own software. It relied on software from Microsoft. In addition, it did not have its own specialized application software. The company acquired assets worth $3 billion from Lotus. The assets added to the general capital of the company. The company risks losing customers if it does not provide experts who would advise clients on the new business model (Charles & Gareth 85-87).

There are questions that the management has to answer if they want a new model to be a success. They have to ask themselves where the company would get the resources for outsourcing and consultation. In addition, they should determine the best marketing tools for making the internet advertisement a success. The management has to ask themselves how they will improve the customer experience if they want to transform the company into a customer-driven corporation (Marsh 100).

For a company to get the best outsourcing and consultancy resources, the paper recommends that the management upgrade its computer solutions to the state of the art. In addition, the company has to hire experts to conduct internet marketing. Lastly, IBM has to produce goods that meet the customers' tastes (McDonald