Studyspark Study Document

Security for Networks With Internet Access Term Paper

Pages:12 (4420 words)

Sources:10

Subject:Other

Topic:Security

Document Type:Term Paper

Document:#31313380


Security for Networks With Internet Access

The continual process of enterprise risk management (ERM) has become an integral component of successful organizational assessment, because the process of accurately identifying various risk factors, and interpreting their potential advantages and disadvantages, ensures that a business remains capable of anticipating and addressing internal and external contingencies. The following ERM implementation plan for the security of internet-accessible networks is intended to provide a navigable framework for the development of a comprehensive ERM standard, including procedures to guide internal auditing and the construction of a capable and contemporary cyber law policy. Within the organizational structure of any complex enterprise, such as a small software development business, the continual exchange of data necessary to facilitate operational efficiency allows for the presence of clearly identifiable risk factors, including hazard risks, financial risks, operational risks, and strategic risks. The purpose of any ERM plan is to assess the various risks associated with the network of online interactions which occur daily between employees, customers, suppliers, investors, and other key stakeholders in the organizational hierarchy, while providing clear standards of conduct intended to mitigate said risks. The threat of external interference with organizational objectives must be mitigated through the application of an effective security and cyber law policy, while the resolution of internal risks associated with employee abuse or misuse of proprietary data is best achieved through strictly applied access control methods. Finally, a clearly distinguished set of cyber law guidelines crafted in congruence with legal precedent for digital media, as established by recent American jurisprudence, must be developed to apprise all members of the organization of relevant copyright, patent, and privacy statutes.

Of the four primary types of risk identified above (hazard risks, financial risks, operational risks, and strategic risks), the operational risks associated with the generation, storage, and exchange of proprietary or otherwise sensitive data are by far the most pressing from an organizational perspective. These include the threat of external malfeasance, in the form of data theft, hacking, and other nefarious activities designed to stunt the company's continued growth. As the world of modern commerce becomes increasingly digitized, with massive hangar-like buildings used to house the thousands of computer servers necessary to store billions of gigabytes of essential data, large organizations have become keenly aware of the need to safeguard their files and archives from prying eyes. Today's globalized marketplace brings a wealth of advantages in terms of accelerated commerce, but along with these benefits comes an array of threats, from the anarchistic campaigns of targeted computer hackers to infiltration by a competing firm. The field of information security and data protection has emerged to formulate effective defenses against these insidious database invaders, and within the broader spectrum of information technology (IT), data protection has quickly risen to the forefront of the executive decision making process. Several empirical studies have demonstrated that "as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk" (Stoneburner, Goguen & Feringa, 2002), and it is the responsibility of competent managers to understand and apply the concepts of risk management to the technological aspect of their operations.

Every company that engages in commerce, whether domestic or international, must maintain extensive digital records documenting various transactions, and with the specter of identity theft looming large as ever, effective data protection risk management is a crucial component in assuring customers' sensitive information is shielded. While achieving a 100% data protection rate is obviously the goal of every IT manager, it is more realistic to expect that incursions will occur while managing this risk effectively through preventative measures. Although the majority of major "organizations try to avoid costly information security breaches, organizations cannot make their information 100% secure all of the time" which is why "managing the risk associated with potential information security breaches is an integral part of resource allocation decisions associated with information security activities" (Bodin, Gordon & Loeb, 2008). This process of anticipating security breaches within a data network involves assessing overall strengths and weaknesses and diverting resources appropriately, which is why the most effective managers are expected to maintain a working knowledge of information security and data protection methodology. By recognizing the fact that "in most organizations, the network itself will continually be expanded and updated, its components changed, and its software applications replaced or updated with newer versions," while remembering that "these changes mean that new risks will surface and risks previously mitigated may again become a concern" (Stoneburner, Goguen & Feringa, 2002), the shepherds of today's most complex organizations can assure that the constant stream of data they produce is protected from the growing list of technological threats.

The traditional conception of information security has always been predicated on the protection of physical data, with reams of paper files stored in secure cabinets behind locked doors, but the internet revolution has largely refocused the emphasis on safeguarding digital data from external intrusions. However, as experienced IT network security analysts know all too well, "the subject of computer networking is enormously complex, involving many concepts, protocols, and technologies that are woven together in an intricate manner … (and) to cope with this scope and complexity, many computer networking security structures are organized around the 'layers' of a network architecture" (Kurose & Ross, 2012). While the field of modern information security emphasizes a multilayered approach to preserving system integrity, including the use of firewalls, cryptographic algorithms, access control, and other data protection techniques, erecting effective barriers to provide physical security should still be prioritized by any competent information security officer. As anybody with experience in the information technology (IT) industry can attest, the integrity of a firm's digitized data and software is only guaranteed when the underlying hardware systems are fully functioning and operable. Simply put, information security is a profession which requires a comprehensive approach, one involving both the protection of data itself and the safeguarding of server farms and other devices used for data storage. A consensus has developed within the ranks of information security officers as to how physical security should be properly deployed, with most experts agreeing that "physical security protection for IT equipment and systems should be established, based on defined perimeters through strategically located barriers throughout the organization" (Peltier, Peltier & Blackley, 2005). By analyzing and evaluating the various physical security methods employed by information security officers, it is possible to determine which of these approaches provides the most effectual results.

The first task for an information security officer to consider when developing a physical security plan is the size and scope of the operation being defended. For large corporations, commercial operations, or political organizations which require the use of massive server farms to facilitate the transfer and storage of digital data, it is essential to erect a multilayered system of defensive capabilities (Layton, 2007). Smaller entities like independent businesses will typically require only a single server to support their operations, and for these firms the physical security conditions will not be nearly as exhaustive. It has been observed through an extensive process of trial and error that "for a large server farm, several concentric rings of technology-based protection and access control might be appropriate whereas, for the distributed version, simply keeping individual servers in locked rooms might be sufficient" (Peltier, Peltier & Blackley, 2005), and a close familiarity with the size and scope of an individual firm should be the goal of every information security officer. When one realizes that "the nature of a physical security for a data should be one of concentric rings of defense -- with requirements for entry getting more difficult the closer we get to the center of the rings" (Peltier, Peltier & Blackley, 2005), this fundamental insight should guide the subsequent construction of a physical security system. The entrances to a firm's server farm location should immediately be secured through the installation of key card locking mechanisms, or better yet, facial recognition software, to preclude unwanted intrusions. A secondary system of physical security can also be implemented by ensuring that, if and when a breach does occur, the valuable data stored within a server farm cannot be tampered with or taken. These contingency plans are usually based on the discharge of water or gas within the server farm containment room, with the goal being the physical degradation of stored data before it can be externally accessed. By implementing a combination of these methods which is customized to fit one's individual firm, an information security officer can be assured that the servers and hardware under his or her stewardship are as safe as the data they store.

When the late Rear Admiral Grace Murray Hopper, a retired general who was lauded for ushering the United States Navy into the age of modern computing, prognosticated in 1987 that "someday, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most…


Sample Source(s) Used

References

Alotaibi, S.J., & Wald, M. (2012, June). IAMS framework: A new framework for acceptable user experiences for integrating physical and virtual identity access management systems. In Internet Security (WorldCIS), 2012 World Congress on (pp. 17-22). IEEE.

Berger, V. (2012, December 06). How multi-layer cloud security leaves hackers in the cold. Retrieved from http://gov.aol.com/2012/12/06/how-multi-layer-cloud-security-leaves-hackers-in-the-cold/

Bodin, L.D., Gordon, L.A., & Loeb, M.B. (2008). Information security and risk management. Communications of the Association for Computing Machinery, 51(4), 64-68. Retrieved from http://www.rhsmith.umd.edu/faculty/mloeb/Cybersecurity/Information Security and Risk Management.pdf
