Information Security Plan - Research Paper Example

? Information Security Plan October 9, Information Security Plan INTRODUCTION: Computer audit entails safeguarding the company’s holdings. The research delves on the information security risks. The research delves on the on implementing programmes that will reduce or eliminate information security threats in an Australian company setting. Information Security Plan’s safeguarding of company assets policy ensures the Australian company’s business continuity. BODY: a) Identification and description of the organisation’s physical holdings (property) that may be at risk As recently appointed head of a security team that is responsible for protecting the information holdings of a business organisation of some 60 staff, the head current task is to ensure the safeguarding of the company’s holdings. The organisation is housed in a detached, multi-storeyed building located in the central business district of an Australian city. The company owns several assets that may at risk (Hall 2012, 273). The company’s physical holdings include the tables, chairs, computers, cabinets, calculators, printers, fax machine, scanner, delivery equipment, production equipment, inventories, and air conditions. The company’s employees use the tables, calculators, and chairs to process their daily activities like recording business transactions. The business transactions include selling the company’s goods and services. Further, the company’s employees also use the chairs to accomplish their daily responsibilities of processing the sales and purchase of inventory items (Brigham 2010, 105). In addition, the employees use the chairs whenever they prepare their monthly reports. The employees use the chairs because it would be too taxing for the employees to stand up the whole day while encoding the company’s business transactions. Management assigns one chair t each employee. Furthermore, the company also uses the computers to encode confidential information (Narang 2006, 377). The confidential information includes the customer names, the amount of sales generated from each customer. In addition, confidential data incorporates the customer’s telephone number, the customer’s address, and other customer information. The employees use computers to analyze each business proposition or project. In addition, the company’s employees file their printed records in the cabinet (Schlesinger 2007, 2). The cabinet contains confidential printed records of the company’s daily transactions. The transaction records include the number of items bought by the company’s current and prospective customers. The transaction records include the amount and quantity bough from the current and prospective suppliers. Likewise, the company uses the printers to print the required hard copy reports (Stickney 2009, 366). The company also uses the printers to print sales letters that are submitted to the company’s current and prospective customers. The company uses the printers to submit purchase requisitions to the company’s current and prospective suppliers. The employees use the printers to prepare their monthly reports or presentations. In addition, the company uses the fax machines and scanners to send information to entities outside the company’s premises (Hussey 2010, 11). The fax machines and scanners hasten the transfer of printed copies. The use of the fax machines and scanners eliminate the process of sending confidential data through the post office, snail mail. Normally, the fax machines can be used as telephones. In the same manner, the company uses delivery equipments (Hussey 2010, 11). The delivery equipments include trucks, cars, and other delivery vehicles. The company uses the delivery equipments to deliver the sold products to the company’s current and prospective customers. In addition, the company harnesses the delivery equipments to retrieve the purchased products from the company’s current and prospective suppliers. Further, the company owns inventories (Mendell 2006, 21). The inventories include products that are on display on the company’s store shelves. The customers enter the store premises to buy the inventories, generating profits for the company. The company also acquires office supply inventories like pencil, ruler, folder, tape, printer paper, and other items. The company also has production supplies. The production supplies include items that are used in the production department. Furthermore, the company owns production equipments (Mendell 2006, 21). The company uses the production equipments to transform raw materials into salable products. The machines are bought at very high prices. The production equipments are acquired through long term loans. Identification and description of the organisation’s human holdings (employees) that may be at risk The company hires employees to sell the company’s products and services (Clark 2008, 12). The company hires employees to do administrative or other work responsibilities like preparing financial statements. Further, the business entity pays the company security guard to prevent theft of company assets. The entity pays the production employees for producing the company’s salable products. Identification and description of the organisation’s electronic information holdings (properties) that may be at risk The company owns software. The software includes Microsoft Office 2010 (Damien 2011, 146). The Microsoft Office software is used in the preparation of statements seeking collection of the customers’ debts. The same software is used for preparing documents requesting to buy products from the company’s current and prospective suppliers. Further, the software also includes QuickBooks accounting software (Nelson 2008, 73). The QuickBooks software replaces the manual recording of business transactions. The same software is used to generate financial reports. The financial reports include the balance sheet and the income statement. Furthermore, the company uses the SPSS statistical software to process analysis of research data (Griffith 2010, 9). The company gathers research data from customer surveys. The survey results are inputted into the SPSS software. The software generates statistical tool outputs. The SPSS outputs include analysis of variance, mean, and median. In addition, the above company’s software manages the company’s confidential records (Nelson 2008, 4). The software is use to record the company’s daily business transactions. The software is used to keep to storage and safekeeping the company’s business records. The software contains the confidential information pertaining to the customers’ names, addresses, telephone numbers, purchases amount, debt amounts, discount terms, and other financial information. The software contains the confidential information pertaining to the suppliers’ names, addresses, telephone numbers, purchase amounts, debt amount, discount terms, and other confidential purchase data. The software contains records of company policies, employees’ 201 file summaries, and other confidential information. b) Identification and description of the actual and potential physical threats to the organisation’s information holdings There are actual and potential physical threats to the organizations’ information holdings (Gregory 2007, 289). Unexpected floods may drown the company’s computers. When this happens, the flood waters literally destroy the stored data to unrecoverable levels. In some areas of the United States, floods are normal occurrences that indicate actual threats. On the other hand, floods do not crop up in some parts of the United States, indicating potential threats. Further, earthquakes are physical threats to the organization’s information holdings (Gregory 2007, 285). No one can predict where the next earthquake will strike. Thus, earthquakes are classified as potential threats. Some people may say that the San Andreas Fault, in California, increases the possibility of an earthquake. However, there are rare earthquake incidents in California. Earthquakes are not like rains. Rains are more frequent than earthquakes. Earthquakes may damage the computers, the keepers of confidential business information. In addition, fires are physical threats to the organizations’ information holdings (Gregory 2007, 271). Fires may gut the entire building, destroying the computers. However, some fires may not damage the computers, especially when the firefighters arrive to save the computers from being burned to ashes. When computers are burned, the information stored in the computers will forever be lost. Identification and description of the actual and potential human threats to the organisation’s information holdings There are actual and potential human threats to the organizations’ information holdings (Rajasekaran 2008, 170). Some unauthorized individuals may retrieve confidential information from the computer database. A dissatisfied employed may hack the company’s computers. When the computers have no passwords, unauthorized persons can easily access, copy, and alter any confidential company information from the computers. The absence of security guards may allow unauthorized persons to enter the company’s restricted computer room, allowing the intruder to retrieve, alter, or delete some files, folders, and other confidential company information. Further, another person may unintentionally erase confidential files that are stored in the computers (Rajasekaran 2008, 170). When this happens, the company may not be able to retrieve the deleted files, folders, or other relevant confidential company information. The same person can also replace some numbers in the original files or folders. Consequently, the innocent office clerk prints the falsified or erroneous financial data reports. Furthermore, an employee may accidentally bump the computer (Hales 2006, 552). Consequently, the computer falls to the floor and breaks up. The breakup destroys the files that are stored in the destroyed computer’s hard disk. The bump sometimes occurs when employees are careless. Likewise, a thief or thieves may steal from the company’s premises (Shelly 2007, 371). The thief or thieves may ransack the company’s cash drawer. In addition, the intruders may forcibly bring out the stolen computers from the company. When this happens, the company will not be able to retrieve the confidential financial data that were stored in the computers which were taken by the thief or thieves. Identification and description of the actual and potential electronic threats to the organisation’s information holdings There are actual and potential electronic threats to the organizations’ information holdings (Parsons 2012, 36). Viruses cause havoc to computers. Viruses destroy the computers’ data files. Some viruses completely erase the confidential company records. Other viruses allow the hackers to steals confidential company records. Further, other viruses allow the hackers to steal the computer users’ passwords. Some viruses help hackers steal the company’s credit card and other confidential information. Further, the viruses allow the hackers to steal the credit card and other bank information (Shelly 2007, 178). The hackers can use the stolen information to buy goods from stores using the credit card information of the hacked victims178). The hackers can use the stolen company information to gain profits. The company can sell the stolen information to interested parties, including the company’s competitors. Some viruses cause the computers to lock up or performed disturbing acts. Such unwarranted computer acts, including removing some of the computer operation normal functions, may infuriate the computer users, employees of the company. b) Design of a security plan that describes counter-measures that will manage the threats that put the organisation’s information holdings at risk First, all employees are required to used passwords when they access restricted computers (Dube 2005, 49). The passwords prevent unauthorized persons from viewing, deleting, or altering the original files that are stored in the computer. The employees must use long passwords and high security passwords to prevent hackers from detecting the computer users’ password. Second, the company should hire security guards (Doherty 2005, 32). The guards will not allow the unauthorized persons from entering the company’s premises. The guards will check all the bags of persons exiting the company’s premises to ensure that thieves will not scamper away from the company’s premises, bringing along stolen computer units, other hardware, and other company holdings. Third, all employees must use proper identification cards (Pfleeger 2011, 41). The identification cards will help company personnel, including the security guards, from allowing entry of unauthorized individuals. The company must use high quality identification cards. Some thieves can change the pictures of stolen company identification cards. This occurs when the company uses outmoded or cheap identification cards. Fourth, the company must install CCTV cameras (Matchett 2003, 71). With the CCTV, the security office room head can view all the entry and exit points of the company. The security officer can inform the security guards to confront suspicious persons entering the company’s premises. The CCTV records all movements of people entering and leaving the company’s territory. The CCTV tapes can be used to identify thieves or robbers who are caught conducting their illegal acts within the company’s premises. Fifth, the company must install antivirus software (Bosworth 2012, 28). The antivirus software will be able to detect viruses. Consequently, the antivirus program will delete the encroaching viruses. The antivirus program will prevent Malware from detecting the computer users’ passwords, credit card numbers, bank accounts, income statements, balance sheets, statement of cash flows, and other confidential company and employee information. The antivirus will also be able to weed out the hacker’s illegal interference. Sixth, the company requires gate pass approval for all persons bringing inventory and other company assets from the company’s premises (Fischer 2012, 382). The security guards are required to check all items brought outside the company’s premises. Only items that have the approved item gate pass will be allowed to exit the company’s premises. The gate pass must be signed by authorized company personnel. In addition, it is required that two individuals will approve the gate pass request. The two signors should be the employee’s head and another high ranking company officer. The purpose for the two signatures is to prevent or reduce collusion among the employees. Collusion occurs when two or more employees or officers connive and conspire to steal company property. Seventh, the company must implement an inventory count once every month (Albrecht 2010, 280). The inventory count will impress on management the possibility of theft of company property. When the inventory count is lower than the number of items listed company’s inventory record, there is a strong probability that company assets were stolen. However, there is also another probability that the inventory record count is erroneously recorded. When this happens, the company will instruct its employees to correct the erroneous recording. Disaster Recovery Processes The company should backup its confidential data to ensure business continuity (Blokdijk 2008, 16). Each day, all employees are required to back up the files to two other locations. The computer user must back up its files in the computer’s hard disk. In addition, the computers must back up its computer files with the company’s main server hard disk. Third, company must store its second back up file using the cloud computing hard disk. Cloud computing allows the company to store its data in the cloud’s hard disk. This way, the company can easily recover data from a computer that is stolen, or original data is erased, altered or deleted. d) The company must develop the following robust and pragmatic training programmes for management staff members and contractors: The Australian company must implement a comprehensive information security education and awareness programme. Management, staff, and the contractors will adhere to the programme guidelines. First, a seminar will be conducted to impress on all company employees of the importance and compulsory requirement to use passwords (Parsons 2012, 36). The seminar will train the employees to create 15 letter and number combination passwords. The long passwords will reduce the hackers’ ability to detect and use the employees’ passwords. Second, a seminar will be conducted to keep everyone on their toes for intruders. The employees are trained to spot suspicious persons roaming within the company’s premises. The employees are taught to immediately report the suspicious persons to the security guards for immediately investigation. Third, a seminar will be conducted to explain to the employees the importance of backing up their confidential company information (Shelly 2007, 424). The employees will be taught to save the same file in three locations. The files will be saved in the employees’ computer, company server’s hard disks, and the cloud computing hard disk. The employees are taught that the main reason for backing up their data is to ensure easy recovery of lost or damaged files. Fourth, a seminar will be conducted to teach the employees of the importance o using antivirus software. The trainer explains to the employees that the antivirus software will remove the uninvited viruses. The trainer will explain the different unfavorable effects of viruses on the company’s confidential files and folders. Fifth, a seminar will be conducted to emphasize implementation ethical standards (Bosworth 2012, 26). Ethical standards include doing what is right or true. Similarly, the standards prohibit the implementation of illegal or unauthorized acts. For example, employees must implement the ethical standard stating that offering discounts to customers without management approval is unethical. Sixth, a seminar will be conducted to train the employees to take very good care of the company’s assets (Smallwood 2012, 147). The employees should not take part in any collusion activity. Collusion is an illegal act. An illegal act occurs when two or more employees agree to cooperate and defraud the company of its assets, revenues, or profits. Seventh, a seminar will be conducted focusing the employees’ responsibility to contribute to the company’s goal of safeguarding company assets (Smallwood 2012, 147). The employees are trained to exert extra effort to prevent unauthorized access to company’s confidential files, folders, and other locations. The employees shall be trained to contribute to the reduction of company theft by keeping a watchful eye on suspicious or unfamiliar individuals loitering within the company’s premises. Eighth, , a seminar should be implemented to inform the employees of the importance of reducing threats from physical, human, and electronic threats (Bishop 2003, 498). The employees should be trained how to act in case of emergencies. The emergencies include floods, earthquakes, fires, breakages, and other unexpected threats. Ninth, a seminar will be conducted to explain the checks and balances of the company (Keefer 2001, 19). Under this policy, one person will check the work of another person. Usually, the supervisor checks the work of the subordinate. The seminar will impress on the employees that the checks and balances will uncover any errors or fraudulent recording of company transactions. Consequently, the employees will not venture into committing fraudulent or erroneous acts, such as unauthorized deleting or altering some of the customer’s debts. Tenth, a seminar will be conducted to ensure business continuity. In case of accidental damage, the employee’s automatic backing up of company files in three different locations will ensure recovery of lost data, an immediate incident response strategy. The backing up process ensures business continuity as the lost or damaged business transaction files can be retrieved from other sources. The use of the CCTV, security guards, and long passwords will increase personnel awareness of various threats to the company’s information and eliminate poor password security. CONCLUSION: Summarizing the above discussion, computer audit incorporates safeguarding the company’s holdings. The company has information security risks. Steps and programmes are in place to reduce unauthorized access, damage, and theft of company holdings. Evidently, the information security plan’s safeguarding of the Australian company’s holdings enhances business continuity. REFERENCES: Albrecht, W. 2010. Accounting Concepts and Applications. New York: Cengage Learning Press. Bishop, M. 2003. Computer Security: Art and Science. New York: Addison Wesley Press. Blokdijk, G. 2008. Disaster Recovery. New York: Lulu Press. Bosworth, S. 2012. Computer Security Handbook. New York: J. Wiley & Sons Press. Brigham, E. 2010. Financial Management . New York: Cengage Learning Press. Clark, M. 2008. The Job Description. New York: Nolo Press. Damien, J. 2011. Introduction to Computers and Application Software. New York: Jones & Bartlett Press. Doherty, E. 2005. Computer Security . New York: Author House Press. Dube, D. 2005. Information System Audit and Assurance. New York: Tata Press. Fischer, R. 2012. Introduction to Security. New York: Butterworth Heinemann Press. Gregory, P. 2007. IT Disaster Recovery Planning for Dummies. New York: J. Wiley & Sons Press. Griffith, A. 2010. SPSS for Dummies. New York: J.Wiley & Sons Press. Hales, D. 2006. An Invitation to Health. New York: Cengage Learning Press. Hall, J. 2012. Accounting Information System. New York: Cengage Learning Press. Hussey, R. 2010. Fundamentals of International Financial Accounting. New York: World Scientific Press. Keefer, P. 2001. Checks and Balances, Private Information. New York: World Bank Press. Matchett, A. 2003. CCTV for Security Professionals. New York: Butterworth-Heinemann Press. Mendell, R. 2006. How to Do Financial Asset Investigations. New York: C Thomas Press. Narang, R. 2006. Database management Systems. New York: PHI Press. Nelson, S. 2008. Quickbooks 2008. New York: J. Wiley & Sons Press. Parsons, J. 2012. New Perspectives on Computer Concepts. New York: Cengage Learning Press. Pfleeger, C. 2011. Analyzing Computer Security. New York: Prentice Hall Press. Rajasekaran, V. 2008. Financial Accounting. New York: Pearson Press. Schlesinger, M. 2007. Practical Guide to S Corporations. New York: CCH Press. Shelly, G. 2007. Discovering Computers: Fundamentals. New York: Cengage Learning Press. Smallwood, R. 2012. Safeguarding Critical E-Documents. New York: J. Wiley & Sons Press. Stickney, C. 2009. Financial Accounting . New York: Cengage Learning Press. Read More