An Analysis Of Yahoo’s Information Security System

The Importance of Information Security Management

Security is obtained through several strategies that combine reducing risk with protecting against the different kinds of damage an organisation can suffer. Every organisation needs a security management system that sets strategy for planning, organising, staffing, directing and controlling the whole system; proper management reduces unwanted hazards. Information security in particular focuses on protecting organisational information, preserving its confidentiality, integrity and availability through protection mechanisms. Its three main components are computer security, network security and data security. To understand how strategic information security is valued, and how a security system can be improved, this assignment analyses and evaluates the organisation Yahoo and its information security system.

Yahoo puts considerable effort into protecting its systems and the information of its users. The stated aim of this protection is that users can enjoy Yahoo with a trustworthy experience (Ahmad et al. 2014). The measures the Yahoo team applies to give its customers the best quality of security are:

Second sign-in verification code- when the user turns this setting on, Yahoo requires a second piece of information at sign-in, a verification code delivered by SMS. This also protects the account against sign-ins from an unfamiliar location or device when the correct code is not provided (Azaria et al. 2015).

Transport layer security- TLS is the encryption protocol Yahoo uses to protect data in transit, including sensitive information such as payment details or financial service information.

Secure storage- Yahoo also deploys standard physical, procedural and technological safeguards to protect users' personal data, in line with the relevant laws and regulations.

On-demand passwords- instead of a fixed password, a user can opt to receive a new one-time password from Yahoo on a mobile number already registered to the account each time they sign in, for example when linking the account from another mobile device (Baskerville et al. 2014).

Education and training- Yahoo has developed a company-wide education and training programme for its employees. The purpose of the programme is to make employees aware of the security system (Policies.yahoo.com. 2018).

Vendors and partners- in certain circumstances Yahoo has to share users' personal information with vendors and partners. Even then, Yahoo protects the personal information in line with the confidentiality commitments it has made to its customers.
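The two code-based measures above, the second sign-in verification code and the on-demand password, rest on the same server-side mechanic: generate a short random code, deliver it out of band, and accept it exactly once within a short window. The Python below is an added example, not Yahoo's code, of how a server can issue and verify such a code without ever storing it in clear. The code length, time-to-live and attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Illustrative parameters (assumptions, not Yahoo's values)
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a code is only usable for five minutes
MAX_ATTEMPTS = 5            # after this many wrong guesses the code is dead


@dataclass
class PendingCode:
    digest: bytes           # salted hash of the code; the clear code is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


class SecondFactorService:
    """Issues and checks short-lived one-time codes such as an SMS sign-in code."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable so expiry can be tested
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, account: str) -> str:
        # secrets.randbelow draws from the OS CSPRNG; zero-pad to a fixed width
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[account] = PendingCode(
            digest=_digest(code, salt),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code   # handed to the SMS gateway; the server keeps only the digest

    def verify(self, account: str, submitted: str) -> str:
        """Returns one of: ok, wrong_code, expired, locked, no_pending_code."""
        entry = self._pending.get(account)
        if entry is None:
            return "no_pending_code"
        if self._clock() > entry.expires_at:
            del self._pending[account]
            return "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            return "locked"                      # a 6-digit space is trivially brute-forced without this
        entry.attempts += 1
        # compare_digest avoids leaking the first mismatching byte through timing
        if hmac.compare_digest(_digest(submitted, entry.salt), entry.digest):
            del self._pending[account]           # single use: a replayed code must fail
            return "ok"
        return "wrong_code"
```

The attempt limit and the short lifetime matter more than the hashing: a six-digit code has only a million values, so an unlimited verifier is a brute-force oracle. The delivery channel is the weak point this code cannot fix; an SMS code can be captured by SIM swapping or SS7 interception, which is why an authenticator app or hardware key is the stronger second factor.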

Yahoo’s Information Security Measures

Access to information- Yahoo sets up its systems carefully to limit who can access user accounts and the information about customers' services and products, since that information is significant and confidential for the user (Cassidy, 2016).

Yahoo's security policy describes its approach to privacy, including for Maktoob from Yahoo. Encouraging users to visit the detailed reference links is a standing part of Yahoo's policy; these links provide further information about the specific services and products available on the Yahoo website (de Witte et al. 2018).

To maintain the security of its services, Yahoo has built its own security team; its leadership holds that security requires thorough planning and teamwork. The security system covers the organisation's own data as well as customers' and users' information. To support this, the organisation has set up a Safety Centre offering tips and tools for maintaining security (Flores et al. 2014). According to the organisation's policy, protecting organisational data helps the business grow and reduces the many risks of unauthorised access to that data.

Beyond that, the security guidelines give users basic information about using the internet and information storage technology. The organisation's website states that data transmission over the internet and storage technology cannot be one hundred per cent secure (Galliers and Leidner, 2014). Yahoo nevertheless continues to evaluate its technological practices and to implement enhancements so that its technologies and practices offer the best security it can provide.

In 2016 it was discovered that over 500 million Yahoo accounts had been affected by the theft of account data. Two separate data breaches were identified, one in 2013 and one in 2014 (Hajli and Lin, 2016). At first it was believed that around 1 billion Yahoo accounts had been affected by the 2013 breach, but a later evaluation in October 2017 showed that over 3 billion accounts, every account on the service, were impacted across the two breaches. According to the reports, the Yahoo breach is the largest ever discovered on the internet. The stolen information included email addresses, names, dates of birth, security questions and answers, hashed passwords and telephone numbers (Henson and Garfield, 2016). Yahoo also reported that the attackers behind the 2014 breach had obtained the means to forge Yahoo web cookies, which bypassed the login check entirely: with a forged cookie the hackers could gain access to any account they wanted without its password. Earlier in 2016, data claimed to come from 200 million Yahoo accounts had been reported as offered for sale. In 2013 Yahoo had started a project to better protect customers' passwords, beginning by abandoning the hashing algorithm it had been using, MD5 (Huang et al. 2014). MD5 is fast to compute and, used without a salt, lets an attacker test one guessed password against every stolen hash at once, which is why it is considered easy to crack. Carnegie Mellon University's Software Engineering Institute had issued a public warning in 2008 that MD5 should be considered broken and unsuitable for further use, a warning that applied directly to Yahoo's setup, so the previous system was already considered outdated long before the 2013 project began.
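The paragraph above names the specific weakness in the password store, unsalted MD5, and the fix, moving to a stronger scheme. The Python below is an added example, not Yahoo's code, that puts the two side by side: the legacy record can be cracked with a small wordlist because every user with the same password has the same digest, while the replacement uses a per-user random salt and a deliberately slow derivation. PBKDF2-HMAC-SHA256 is used here only because it is in the Python standard library; bcrypt, scrypt or Argon2 are the usual choices in production. The iteration count, record format and the wordlist are assumptions, and the wordlist and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; an assumption, tune it to your hardware and latency budget
PBKDF2_ITERATIONS = 600_000


def legacy_md5_record(password: str) -> str:
    """The old scheme: one fast, unsalted MD5 over the password.
    Same password, same digest, for every user in the database."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def crack_legacy_record(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against an unsalted fast hash: each candidate costs one MD5,
    and the computed digests can be precomputed and reused against every stolen record."""
    scheme, digest = record.split("$", 1)
    if scheme != "md5":
        raise ValueError("not a legacy record")
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def modern_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a slow key derivation: the attacker pays the full
    cost for every guess against every user and cannot share work between users."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Checks a password against either record format; the scheme tag says which."""
    scheme, rest = record.split("$", 1)
    if scheme == "md5":
        computed = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(computed, rest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown scheme {scheme!r}")


def login_and_upgrade(record: str, password: str) -> Tuple[bool, str]:
    """Migration path: the clear password is only in hand at login, so that is the
    moment to re-hash a legacy record. Returns (authenticated, record_to_store)."""
    if not verify_record(record, password):
        return False, record
    if record.startswith("md5$"):
        return True, modern_record(password)
    return True, record
```

The upgrade-on-login step is what makes abandoning MD5 practical: stored hashes cannot be converted without the clear password, so records stay in the weak format until each user next signs in. Until then the legacy records remain as crackable as before, which is why a migration that starts in 2013 still leaves the 2013 breach data exposed.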

Yahoo’s Data Breaches

Over its 20-year history, Yahoo Inc had invested in and developed a security programme intended to give its users the best protection it could. Despite the millions of dollars spent on security initiatives, the overall effort failed.

That failure cost the company a fine of around 35 million dollars. According to the US Securities and Exchange Commission, data from more than 500 million Yahoo accounts had been stolen by the hackers (Jamroga and Tabatabaei, 2016). The Commission issued the fine because the organisation knew of the failure of its information security from December 2014 but did not disclose the breach until September 2016. As most experts point out, the fine was not for the breach itself: Yahoo paid it for failing to inform the company's investors of the situation. According to the Commission's enforcement director, every public company has to develop proper procedures and controls for evaluating cyber incidents for disclosure, and Yahoo failed to inform its investors of the incident (La Torre et al. 2018). According to the US Justice Department, the hack was carried out by Russian agents together with other criminals, whom it is attempting to prosecute. Yahoo disclosed this information only after it had agreed to be purchased by Verizon. As a result, Verizon did not buy all of Yahoo; some portions of the company were left behind.

Managing information security is an essential area that Yahoo needs to understand for its future. Information security is tied to the governance of the organisation, which has to provide appropriate security and privacy to its customers and users. Confidentiality, integrity and availability are the three pillars, and they can be understood through two information security models (Laszka et al. 2015): the C.I.A. triad and the CNSS security model. Both are useful. The C.I.A. triad gives the basic characterisation of information through its three elements, confidentiality, integrity and availability.

The CNSS model, on the other hand, is more complex: it extends the three C.I.A. properties into a three-dimensional model. A second dimension distinguishes the three states in which information exists, storage, processing and transmission, and a third names the countermeasures, policy, education and technology, so that every combination of property, state and countermeasure is covered by policies and guidelines for controlling the elements (Pearlson et al. 2016).

Information Security Governance

The roles of these three elements of information security need to be understood, because protecting them requires proper knowledge of each.

Confidentiality- the attribute of information that protects data from being exposed or disclosed to unauthorised individuals or organisations. The measures information security management uses to protect confidentiality include secure document storage, information classification, general security policies and their application, encryption, and education of end users and custodians about the data they handle (Peltier, 2016).

Integrity- the attribute that describes whether information is whole and uncorrupted. It is threatened when data is destroyed, corrupted or damaged after it was authentically produced. Corruption can occur, and has to be detected, while data is being entered, stored or transmitted.

Availability- the third attribute of information; data is available when authorised users can reach it in a correctly formatted, usable form without obstruction or interference.

Privacy- information security as a whole protects data from unauthorised access by preserving users' confidentiality, and this protection is known as privacy. Privacy does not mean freedom to use the data; it means keeping the data for the purposes approved by the person who provided it (Posey et al. 2014).

Authentication- this concept is also important for evaluating the Yahoo case. The authentication part of the access control mechanism verifies and validates who is using the data, and so identifies unauthorised identities that try to gain control of it.

Governance- in Yahoo's case governance was largely missing, which is part of what caused this huge failure. Understanding governance is therefore important for Yahoo to build a better business in future years (Rebollo et al. 2015). Governance is the set of practices and responsibilities by which organisational management achieves its goals, providing strategic direction and minimising the relevant risk factors.
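The breach account earlier on this page mentions that the attackers could forge Yahoo web cookies and sign in without a password. In the terms just defined, that is a failure of authentication: the cookie is the proof of identity after login, and its integrity rests entirely on a secret the server holds. The Python below is an added example, not Yahoo's cookie format or code, of an HMAC-signed session cookie. It shows that an attacker without the key can neither alter nor forge one, that an attacker who obtains the key can mint a valid cookie for any account, and that rotating the key (dropping the old key id from the trusted ring) invalidates everything minted under it. The key ids, claim names, key values and cookie layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

KeyRing = Dict[str, bytes]   # key id -> HMAC key the server currently trusts


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(ring: KeyRing, kid: str, account: str, ttl: int, now: int) -> str:
    """Server side: encode the claims, then append an HMAC tag under the named key.
    Anyone holding ring[kid] can produce a cookie the server will accept."""
    claims = {"sub": account, "exp": now + ttl, "kid": kid, "nonce": secrets.token_hex(8)}
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(ring[kid], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def parse_cookie(ring: KeyRing, cookie: str, now: int) -> Optional[str]:
    """Returns the authenticated account, or None if the tag, key or expiry is bad."""
    try:
        body, tag_text = cookie.split(".")
        claims = json.loads(_b64d(body))
        tag = _b64d(tag_text)
    except ValueError:                      # covers bad base64, bad JSON, wrong field count
        return None
    if not isinstance(claims, dict):
        return None
    key = ring.get(claims.get("kid"))
    if key is None:
        return None                         # signed under a key we no longer trust
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                         # tampered body or wrong key
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("sub")


def tamper(cookie: str, new_account: str) -> str:
    """Attacker without the key: rewrite the claims but keep the original tag."""
    body, tag_text = cookie.split(".")
    claims = json.loads(_b64d(body))
    claims["sub"] = new_account
    return f"{_b64e(json.dumps(claims, separators=(',', ':')).encode())}.{tag_text}"
```

The consequence for governance is that the signing key is as sensitive as every user's password at once: it must be generated and stored outside the application code, so that a theft of source code does not hand it over, and rotation has to be a rehearsed procedure rather than an emergency. Binding the cookie to a server-side session record that can be revoked individually limits the damage further, at the cost of a lookup per request.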

Maintaining information security management rests on six essential principles: policy, planning, programmes, people, protection and project management. To provide information security the organisation has to develop several categories of planning, such as business continuity planning, incident response planning, disaster recovery planning, policy planning, technology rollout planning, risk management planning and security programme planning (Safety.yahoo.com. 2018).

Confidentiality, Integrity, and Availability

In addition, every organisation has policies to maintain, and this applies to the information security system too. Organisations have to include information security in their organisational policies. Managing information security requires an enterprise information security policy, system-specific policies and issue-specific security policies.

Developing proper programmes and operations is also essential, so that employees in their different roles receive training and education about security (Shameli-Sendi et al. 2016). The protection function carries out the risk management activities, risk assessment and risk control, and the use of protection technologies, mechanisms and tools is also effective in providing protection (Shehzad et al. 2016).

In the information security programme the role of people is essential, because it includes the personnel who are responsible for the security protection programmes. Projects have to be developed with proper planning that includes the security of organisational data, and project management identifies the various information security activities and organises, controls and manages them.

US law is also an effective protection for information security systems. There are general computer crime laws and privacy laws that are important to understand in the Yahoo case. The general computer crime laws of the United States include the Computer Fraud and Abuse Act of 1986 (Soomro et al. 2016), which was amended in 1996 by the National Information Infrastructure Protection Act of 1996. The USA PATRIOT Act of 2001, passed after the 9/11 attacks, is also important, and it was extended by the USA PATRIOT Improvement and Reauthorization Act of 2005. There is also the Computer Security Act of 1987, which protects federal computer systems by establishing minimum acceptable security practices.

The privacy laws used in the United States include the Federal Privacy Act of 1974 and the Health Insurance Portability and Accountability Act of 1996. These privacy laws are important for Yahoo to understand when developing its organisational policies, and equally important once the scenario is understood (Tamjidyamcholo et al. 2014). Australian law differs somewhat from US law; there the computer offences in the Criminal Code Act 1995 are the relevant provisions for the Yahoo failure.

There are also general ethics of information security that are essential to understand: metaethics, descriptive ethics, normative ethics and deontological ethics. The ethics of information security include several approaches that give a standard framework for applying them: the utilitarian approach, the fairness (or justice) approach, the rights approach, the virtue approach and the common good approach (Turel et al. 2017).

Strategic planning involves three groups from the organisation's internal and external environment: employees, management and the various stakeholders all play an important role in strategic planning for information security. Planning security around the organisation's values, mission and vision statement is a vital area. Strategic planning sets the long-term direction of the organisation and governs how resources are acquired and allocated accordingly. The organisational chart and organisational model also play an essential role in developing information security strategic planning (Webb et al. 2014). From the strategic plan, coordination between management and employees at the different planning levels produces the tactical and operational plans.

Information security governance is the strategic planning responsibility for information security in the coming years. The IT Governance Institute has set out methods and accountabilities for managing information security governance: establishing objectives, setting strategic direction, measuring progress against those objectives, verifying that appropriate risk management practices are in place, and validating organisational assets. The responsibilities of information security governance include overall oversight; setting security procedures, policies, programmes and training; responsibility for the annual audit; responsibility to customers and the public for security breaches; communicating policies; and reporting security breaches and vulnerabilities (Ahmad et al. 2014).

For an effective information security system, the formulation of policy changes the whole picture. The primary responsibility of the organisation is to set up an information resource security policy whose objectives include reducing risk, complying with regulations, and preserving confidentiality, integrity and operational continuity. Having a policy gives the organisation a stance that is supported by the law and by the administration.

The bull's-eye model helps in understanding how policy is implemented. In this model the concentric layers are policies, networks, systems and applications, each a different area in which security is developed. Policy is the outermost layer and the first place decisions are made; the network, systems and application layers follow (Azaria et al. 2015). For a policy to be effective it should be readable, properly understood, distributed to those it covers, and uniformly enforced.

The enterprise information security policy is the high-level information security policy that sets the strategic scope and direction and is enforced across the organisation's security. Using this policy strengthens the roles and responsibilities of employees in supporting information security. There are also system-specific security policies and issue-specific security policies. Implementing proper information security policies helps in developing the security system (Baskerville et al. 2014). Distribution of the policy is also an important factor that organisations need to maintain; for example, both hard-copy and electronic distribution are important so that customers and employees understand the policies (Cassidy, 2016).

Yahoo has been one of the famous parts of internet history for the last two decades. The problems that arose in 2013 and 2014 had a negative impact on the industry and on billions of Yahoo customers. A strategic information security system is essential for a well-known organisation like Yahoo. The organisation ignored the 2008 public announcement from Carnegie Mellon University's Software Engineering Institute, which contributed to its current situation. The various ways of improving the information security system are described in the sections above, covering the different models, law and ethics, strategic planning and organisational information security policies. Yahoo needs to adopt these management processes to regain its customers' trust by building the finest information security system for them.

Yahoo was also unable to keep the trust of its investors because of its non-disclosure of the hacking. To regain that trust, Yahoo has to develop a better information security system together with strategic planning for implementing it.

Conclusion

In light of the above study, it can be concluded that maintaining information security management differs from the general security management process. The procedure is quite complex because of the technological protection mechanisms involved. Yahoo uses a strategic information security management system to protect its data, but a few data breaches created problems for Yahoo and drew a fine of 35 million dollars. To control such situations in future, Yahoo has to develop an improved strategic information security management system so that it can provide the best quality of services and protection to its customers.

References

Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.

Azaria, A., Rabinovich, Z., Goldman, C.V. and Kraus, S., 2015. Strategic information disclosure to people with multiple alternatives. ACM Transactions on Intelligent Systems and Technology (TIST), 5(4), p.64.

Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), pp.138-151.

Cassidy, A., 2016. A practical guide to information systems strategic planning. Auerbach Publications.

de Witte, B., Frasca, P., Overvest, B. and Timmer, J., 2018. Protecting shared information in networks: a network security game with strategic attacks. Memorandum, Department of Applied Mathematics.

Flores, W.R., Antonsen, E. and Ekstedt, M., 2014. Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security, 43, pp.90-110.

Galliers, R.D. and Leidner, D.E., 2014. Strategic information management: challenges and strategies in managing information systems. Routledge.

Hajli, N. and Lin, X., 2016. Exploring the security of information sharing on social networking sites: The role of perceived control of information. Journal of Business Ethics, 133(1), pp.111-123.

Harun, H. and Hashim, M.K., 2017. Strategic information systems planning: a review of its concept, definitions and stages of development. Planning, 3(2).

Henson, R. and Garfield, J., 2016. What Attitude Changes Are Needed to Cause SMEs to Take a Strategic Approach to Information Security?. Athens Journal of Business and Economics, 2(3), pp.303-318.

Huang, C.D., Behara, R.S. and Goo, J., 2014. Optimal information security investment in a Healthcare Information Exchange: An economic analysis. Decision Support Systems, 61, pp.1-11.

Jamroga, W. and Tabatabaei, M., 2016, September. Information Security as Strategic (In)effectivity. In International Workshop on Security and Trust Management (pp. 154-169). Springer, Cham.

La Torre, M., Dumay, J. and Rea, M.A., 2018. Breaching intellectual capital: critical reflections on Big Data security. Meditari Accountancy Research.

Laszka, A., Felegyhazi, M. and Buttyan, L., 2015. A survey of interdependent information security games. ACM Computing Surveys (CSUR), 47(2), p.23.

Pearlson, K.E., Saunders, C.S. and Galletta, D.F., 2016. Managing and Using Information Systems, Binder Ready Version: A Strategic Approach. John Wiley & Sons.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.

Policies.yahoo.com. (2018). Security at Yahoo. [online] Available at: https://policies.yahoo.com/xa/en/yahoo/privacy/topics/security/index.htm [Accessed 25 Aug. 2018].

Posey, C., Roberts, T.L., Lowry, P.B. and Hightower, R.T., 2014. Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Information & management, 51(5), pp.551-567.

Rebollo, O., Mellado, D., Fernández-Medina, E. and Mouratidis, H., 2015. Empirical evaluation of a cloud computing information security governance framework. Information and Software Technology, 58, pp.44-57.

Safety.yahoo.com. (2018). Yahoo is now part of Oath. [online] Available at: https://safety.yahoo.com/Security/?guccounter=1 [Accessed 25 Aug. 2018].

Shameli-Sendi, A., Aghababaei-Barzegar, R. and Cheriet, M., 2016. Taxonomy of information security risk assessment (ISRA). Computers & security, 57, pp.14-30.

Shehzad, D., Khan, Z., Dag, H. and Bozkus, Z., 2016. A novel hybrid encryption scheme to ensure Hadoop based cloud data security. International Journal of Computer Science and Information Security, 14(4), pp.480-484.

Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.

Tamjidyamcholo, A., Baba, M.S.B., Shuib, N.L.M. and Rohani, V.A., 2014. Evaluation model for knowledge sharing in information security professional virtual community. Computers & Security, 43, pp.19-34.

Turel, O., Liu, P. and Bart, C., 2017. Board-level information technology governance effects on organizational performance: The roles of strategic alignment and authoritarian governance style. Information Systems Management, 34(2), pp.117-136.

Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & Security, 44, pp.1-15.