Information Security Strategies


Introduction

Information is the most valuable asset available to modern man. With information, one can change the outcomes of financial dealings or, if one is criminally inclined, even perhaps embezzle funds or defraud entire organizations and corporations. Thus it is plain to see that information serves as the gateway to power, and that no major decisions can be undertaken without an assurance that the information upon which they are based is secure, authentic, and unaltered. Considering the inarguable fact that a good deal of modern information is stored on computers these days, it becomes obvious that expertise in the area of information security enacted by means of computer-based systems is a veritable necessity for nearly any organization in the current age, be that organization large or small, for-profit or not-for-profit. However, in devising a strategy with which to approach the topic of securing information for a company or nonprofit, there are several factors which must first be considered. Yet to begin the first steps of such an approach, the very first matter that must be determined is whether to use a top-down approach or a bottom-up strategy. Upon reflection, it becomes clear that for large companies, the ideal strategies are top-down, but for small companies, the bottom-up approach better serves the information security needs.

Large Companies

Considering first of all the case of large companies—itself an undefined term, but which might loosely be posited as those entities whose funds and cash flow are regularly measured at least in the millions of dollars—it can be seen that top-down strategies are quite often the most appropriate means by which to go about securing information. As Alberts and Dorofee so articulately put it, “Most of the current methods are ‘bottom-up’ . . . A better alternative is to start with the organization itself and determine what needs to be protected . . . and develop solutions requiring both technology- and practice-based solutions” (p. 23). This clearly demonstrates that beginning with the upper levels of the organization more aptly serves to create a system by which the information security system devised is congruent with the company’s organizational philosophy and overall strategy. Therefore, large companies are best treated with a top-down approach when it comes to information assurance, and yet when the tables are turned and the discussion turns to small companies, the approach becomes quite the opposite.

Small Companies

For small companies, in contrast to large companies, the approach must instead be one of a bottom-up nature, for in the case of a small company, details that would seem minuscule in the instance of serving a large company indeed loom quite large and must thus be treated appropriately as real factors in devising a strategy. As an example, the budget will naturally be less flexible when dealing with a small firm rather than a large one. In addition, particularly when working with very small-scale “mom-and-pop” businesses, such issues as the number of computers available on the premises can become quite relevant and, in fact, can even result in additional limiting factors being placed on the information security system. Taken together, these considerations imply that a bottom-up strategy is the better choice when the case being approached is that of a small company.

Conclusion

Overall, when the matter of information security is raised, large companies are best served by top-down strategies merely because of their sheer size, whereas small companies do best with bottom-up strategies. This arises naturally out of the situations generated by the varying sizes of the companies. If those who work with the governance of information systems keep these distinctions in mind, the outcomes will be superior for everyone involved.

Case Study of a Bronx Pawnshop Desiring Information Security Infrastructure

Introduction

At times in the study of any practical human endeavor, it can be considered useful to examine a hypothetical case study complete with details and assumptions. This is true in the science of information systems as elsewhere. Though theory, such as the distinction between top-down and bottom-up approaches, can at times be useful in the education of students of such matters, ultimately, it is necessary also to think in real-world terms and thus to attain a more pragmatic mindset that grounds one in the actual execution of the “ivory tower” concepts articulated by means of theories. Here, one relevant case study to examine comes in the form of a question regarding the needs of a hypothetical pawnshop owner named Mario who works in the Bronx. Once all the necessary details of Mario’s case are taken into consideration, it shall be seen that a bottom-up approach taking into account organizational data, backup systems, cybersecurity threats, and costs is ideal.

Information Categories

In order to best create a system to secure Mario’s data, it is first necessary to ensure that his current means of filing information is well organized, and to do that, one primary consideration is the number and names of the categories by means of which he stores his inventory and records. As Mario is relatively unfamiliar with computers, by his own admission, an information security specialist must first investigate just how well organized his current system is. Does Mario have the items kept at his pawnshops sorted into meaningful categories, such as the overarching umbrella distinctions of items being pawned versus used items simply sold to the shop outright? Are the subdivisions under these large meta-categories meaningful, such as “jewelry”, “electronics”, “musical instruments”, and so on and so forth, finishing with the necessary category, “miscellaneous”? Of course, some might argue that the miscellaneous category is unnecessary and implies a certain sloppiness in the system, but in reality, there will always be items that fit nowhere else, and it is better to have one catchall category than to create multiple individual subdivisions with only one or two items apiece. Taken all together, once Mario’s system is neatly organized, he will have a much easier time of making and defending insurance claims should some ill befall his store. However, having a tidy system alone is not enough; the information must find a home elsewhere off-site, where it will be less vulnerable to fire, theft, or other dangers.

Off-Site Backup

Seeing as the main troubles against which Mario must defend his inventories are burglary and damage to the shop caused by fire, flood, earthquake, or another natural disaster, it is best if the system is defended by means of an offsite backup system in another locale that would be unaffected by the effects of such a catastrophe. A disaster recovery plan is always needed. It can be assumed that Mario, as a person relatively computer illiterate, may feel at first more comfortable with old-fashioned and outdated backup systems such as CD-ROM disks or perhaps, if he is extremely backward in his ways, even floppy disks. An external hard drive is something into which he might be talked relatively easily, seeing as such a system is quite similar to those with which he might be more familiar, but ultimately, it is best if he can be made to understand the advantages of cloud storage. Any system with physical components is simply too vulnerable to the same fates that one wishes never befall Mario’s property. Though a small monthly fee may be required as an ongoing expense in order for Mario to get a truly secure service, cloud storage is ideal for this situation in that the information is held in no one physical place for any real length of time. This is particularly important considering that Mario’s main threats to security may mostly come not from without, but rather from within his own shop.

Threats to Security

Mario must be made aware that the threats to the security of his information systems are primarily found in those he holds closest and trusts most—namely, his six employees, including but not limited to his brother Jose, the man of the troubled past. Employee theft is very common, as is well known, and it is naturally no less common among the seedier lines of work such as that done in a pawnshop. Thus Mario’s new system will do him little good unless he appropriately defends his computer passwords and even ensures that he physically knows the locations of all his keys and has them marked with “do not copy” as appropriate. Though such areas may be outside the normal bailiwick of an information systems specialist, in the case of attending to the needs of a small business, sometimes it can be better to err on the side of caution and go further rather than limiting one’s approach only to that which is normally taken into account. In that vein, the information security specialist might also suggest to Mario that the dividing wall between the two properties indeed be torn down so that Mario, his employees, and the security cameras all have clearer views of both properties at once and thus need to struggle less in order to ensure that everyone, from customers at the busy shop to other employees, is dealing in an honest fashion. Though Mario’s aging six-year-old cameras could be considered a threat to security, in reality, there is not much need to replace one or the other of them until they break beyond what replacing individual components can repair. A thief at a low-income establishment such as a pawnshop is unlikely to tamper with video in any sophisticated fashion anyway; rather, most likely cameras would be ignored or disabled by simple, rudimentary, brute-force means. In this as well as in other areas, Mario will be pleased to know that his new information assurance system requires relatively little from him in terms of the cost incurred to his business.

Costs

Considering the fact that Mario does not say “money is no object,” it is obvious that costs must be mitigated in this case; however, given the details of the plan already devised, Mario need not worry himself overmuch that costs will be extravagant. It will have already taken the information systems specialist some amount of time to gather the information presented in the case study. This amount of time can be estimated at one to two hours, depending in part upon the length of time undertaken in transport to and from the shop to examine the physical premises, which of course should be counted as part of the time required for the project. The amount of time spent subsequently on organizing Mario’s system to be retrievable remotely and sensible enough to be comprehensible to insurance company agents in the event of a disaster will depend in large part upon how logical Mario’s system was to begin with. Even the most disorganized system, however, ought to take no longer than a day’s work, thus adding eight hours to the total time billed. Teaching Mario how to use the system and instructing him on password security and other factors may take another three to four hours, bringing the approximate total to twelve to fourteen hours, probably billed at an estimated rate of around fifty dollars an hour, for a setup fee that falls in the reasonable range expected for a small business of five hundred to one thousand dollars. In addition, Mario can, of course, expect to pay the secure cloud storage fees, but these will likely be a paltry ten to twenty dollars per month.

Conclusion

Once Mario’s system is complete, he will be much better assured by the measures undertaken that in the event of theft or another catastrophe, at least his information records will be relatively undisturbed, and all for a reasonable cost. In some ways, it is as much this peace of mind that information security specialists provide as anything. Knowing that one’s valuable assets are protected is key to the mental wellbeing of everyone everywhere. 

Reference

Alberts, C. J., & Dorofee, A. J. (2002). Managing information security risks: The OCTAVE approach. Boston, MA: Addison-Wesley Professional.