Organizational Considerations For Information Security Program Implementation

Threats to Organizational Security

This report sets out the organizational considerations that apply when implementing an information security program across the workforce. Organizational security is one of the major concerns of organizations today. The earlier report identified and discussed in detail the threats to data security and related issues such as the consequences of system failures. This report focuses on the development and implementation of an appropriate security program for the company that mitigates the previously discussed risks and threats to data security and other security parameters. The ISO standards that such security programs should follow are discussed in the following sections. A suitable certification is also studied and recommended to the company, together with a security approach that makes use of those ISO standards and the recommended certificate.


Information security is one of Yahoo's primary focuses, and the company invests a lot of time and expertise in developing security programs within the organization. Yahoo is aware that its users place a lot of trust in its data security policies and expect the security and privacy of their accounts, and of the other information stored in Yahoo's databases, to be maintained. Some of the main security measures incorporated by Yahoo are:

Second sign-in verification code sent by SMS (short message service) – After entering the password, users authenticate themselves by typing in a one-time verification code sent to their mobile phone. Possession of the phone acts as a second factor, so a stolen password alone is not enough to sign in (Murashkin et al. 2013).

Transport layer security (TLS) – The protocol used to protect payment and other financial information in transit. TLS provides encryption, integrity checking and server authentication for the connection between the user's browser and Yahoo's servers; it does not protect data once it is stored.

Secure data storage – Physical as well as technical security controls are used within the organization to protect stored information.


On-demand passwords – Yahoo can send a one-time password to a user's registered mobile number when the user signs in or wants to link the account to another mobile device, provided the user has already entered the mobile number on the account (Horalek, Matyska and Sobeslav 2013).
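Both of the SMS-based controls above (the second sign-in code and the on-demand password) depend on the same server-side handling of a short one-time code: generate it from a cryptographic random source, store only a salted hash, expire it, limit guesses, and consume it on first use. The following Python code is an added example written for this page and is not Yahoo's implementation; the in-memory "outbox" standing in for the SMS gateway, the five-minute lifetime and the five-attempt limit are assumptions.

```python
# Added example (not Yahoo's code): issuing and verifying a short SMS-style
# one-time code. The SMS gateway is replaced by a caller-supplied function so
# the example runs offline; all parameters below are assumptions.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 5            # assumption: invalidate after 5 wrong guesses


class OneTimeCodeService:
    """Issues numeric one-time codes per account and verifies them.

    Only a salted SHA-256 of each code is kept server-side, so a leak of the
    pending-code table does not reveal codes that are still valid.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms          # callable(phone_number, text)
        self._clock = clock                # injectable for testing expiry
        self._pending = {}                 # account -> record

    def issue(self, account, phone_number):
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        salt = secrets.token_bytes(16)
        self._pending[account] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Your sign-in code is {code}")
        return True

    def verify(self, account, submitted):
        rec = self._pending.get(account)
        if rec is None:
            return False                   # nothing issued, or already consumed
        if self._clock() > rec["expires"]:
            del self._pending[account]     # expired: user must request a new one
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]     # guess budget exhausted: invalidate
            return False
        ok = hmac.compare_digest(rec["digest"], self._digest(rec["salt"], submitted))
        if ok:
            del self._pending[account]     # single use: no replay
        return ok

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()


def _wrong_guess(code):
    """A guess that is guaranteed to differ from the issued code."""
    return "000000" if code != "000000" else "111111"


def demo():
    """Exercise the service against a fake SMS gateway and a fake clock.

    Returns (wrong guess, correct code, replay, expired, locked out)."""
    outbox = []
    clock = {"now": 1_000_000.0}
    svc = OneTimeCodeService(send_sms=lambda phone, text: outbox.append((phone, text)),
                             clock=lambda: clock["now"])

    svc.issue("alice", "+15550100")              # constructed account/number
    code = outbox[-1][1].split()[-1]             # what the user reads off the phone
    first_wrong = svc.verify("alice", _wrong_guess(code))
    right = svc.verify("alice", code)
    replay = svc.verify("alice", code)           # same code again: rejected

    svc.issue("alice", "+15550100")
    code2 = outbox[-1][1].split()[-1]
    clock["now"] += CODE_TTL_SECONDS + 1         # let it expire
    expired = svc.verify("alice", code2)

    svc.issue("alice", "+15550100")
    code3 = outbox[-1][1].split()[-1]
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", _wrong_guess(code3))
    locked = svc.verify("alice", code3)          # correct, but budget is spent
    return first_wrong, right, replay, expired, locked
```

The attempt limit matters more than the code length: a six-digit code with unlimited guesses falls to an online brute force in at most a million requests, whereas five attempts per issued code keeps an attacker's success chance at 5 in a million per SMS. A production service would also rate-limit issuance per phone number and per account so that the SMS channel itself cannot be abused.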

Training and education – Adequate training has to be provided to employees on the security program being introduced, so that they remain informed and educated about it.

Vendors and partners – Whenever Yahoo has to share confidential information with its partners or vendors for business tasks or decisions, it first makes sure that privacy policies and agreements are in place and maintained.

Developing an Appropriate Security Software

Access to information:

The security setup at Yahoo is tight and limits access to information. Users are granted access to sensitive data only according to the sensitivity of the data and their role and hierarchical level in the organization, that is, on a need-to-know basis.

Chief information security officer (CISO):

Yahoo has hundreds of employees who work on the security of the organization as a whole. These employees perform different security tasks, including data and information security. The chief security officer is concerned not only with the physical security of the organization but also with its electronic and data security. The present chief information security officer (CISO) at Yahoo Inc. is Bob Lord, who replaced Ramses Martinez, the earlier chief security officer, in October 2015.

The chief information security officer is the highest authority within Yahoo Inc. who is directly responsible for the overall physical as well as electronic data security within the organization, thereby helping the organization achieve a competitive advantage. One of the major roles of the CISO is to ensure strong inter-departmental coordination, so that security information is shared rather than kept secret within individual teams and there are no acts of vandalism. The CISO's job is to ensure an optimum level of transparency and cooperation among the employees of all departments and hierarchical levels while they work together. This in turn contributes to the overall security of the organization: when the company has to worry less about vulnerabilities in its data security, employees can work with greater harmony and better cooperation. In other words, the CISO is responsible for reducing friction between departments to ensure a smoother and safer workplace (Herath et al. 2014).

The CISO is concerned not only with the physical security of Yahoo's data centers across the world but also with the security of its information technology (IT) infrastructure and electronic data. The CISO should ensure that the security policies are maintained, so that the company is always in a safer position and retains its competitive advantage. A major part of the CISO's job is to work with executive-level employees to understand the basic drawbacks and security concerns faced by mid-level employees. Through this, those concerns can be addressed and financial decisions taken accordingly to implement newer security strategies and ideas within the organization. Bob Lord also has the authority to oversee decisions taken by a security director at any particular branch or data center of Yahoo, keeping in mind the overall security and welfare of the company as a whole.


Product security engineer:

Binu Ramakrishnan is presently the product security engineer at Yahoo who heads the different product and information security tasks within the organization. He is concerned with protecting the networks as well as the data held on servers and in other applications, and more generally with securing the IT systems: network security, infrastructure, data security, server security, cloud computing security measures and so on. Securing important information such as customers' personal information, financial worksheets and other confidential data is a major part of the role of an IT product security officer. He is also responsible for deciding and granting access to important data and databases for employees and users inside or outside the organization, through user authentication and verification strategies (Harkins 2013).

The product security officer at Yahoo is also responsible for developing and implementing security measures that protect the network, using firewalls, data loss prevention (DLP), virtual private networks (VPNs), intrusion detection and prevention systems (IDS/IPS), network access control (NAC) and enterprise antivirus applications such as Kaspersky Internet Security. He is also responsible for designing local area networks (LANs), wide area networks (WANs) and virtual LANs (VLANs); segmenting the network in this way limits how far an intruder or a compromised host can reach, which improves security within the organization. Binu Ramakrishnan is the present officer at Yahoo who takes care of all these functions.

Suggestions to improve security personnel hierarchy:

The hierarchical structure within the organization can be improved in several respects, both for the overall development of the organization and for better security. Some of the recommendations are briefly explained below:

There should be a properly constituted Board of Directors at the headquarters that ultimately takes care of the corporate security governance of the entire organization. It should be able to take critical decisions on the information security risks that prevail within the organization. At present this does not happen within Yahoo, and most of the security responsibilities are explicitly delegated by the board to the executive directors below it, led by the chief executive officer (Chou 2013).

The executive directors within Yahoo should have the flexibility to set an overall direction of strategic and competitive benefit, by getting the security principles approved and implemented by all employees within the organization.


The chief information security officer (CISO) should be handling tasks such as managing IT operations and risk factors, performing compliance as well as internal audit, as well as the

Yahoo should focus on conducting more security awareness programs and campaigns for its security personnel and help them develop a strong understanding of the ISO/IEC 27002 code of practice for information security controls (Zeki et al. 2013).

Managers across the organization should ensure that all employees abide by the ethical as well as security guidelines when taking any business decision. They should also ensure that all physical, procedural and technical controls comply with the security guidelines, to prevent any privacy breach or data misuse inside or outside the Yahoo workplace.

Yahoo should also look to hire more effective information asset owners (IAOs). These are specialized managers in an organization who are responsible for securing a particular information asset by making use of their LSC or SC. IAOs in Yahoo should have the authority to assign information or data security tasks to managers, while remaining themselves accountable for the proper implementation of those tasks and of the security policies. This is not currently the case in Yahoo's work culture, and management should consider implementing it (Flores, Antonsen and Ekstedt 2014).

The information asset owners (IAOs) should also be held responsible and answerable for the risk-mitigating measures and action plans for employees who are not performing up to the mark. They should personally look into critical risk factors and policy exemption scenarios, to prevent discrimination and employee unrest as well. IAOs should make sure that the exemption process is executed properly by the managers under their supervision in case of any extreme security-related issue.

The steps needed to implement the above hierarchical changes within Yahoo, so as to ensure an improved security program, can be summarized under the following points:

Management Support for Change

Employees will accept a change in organizational structure more readily if they see proper support for it from the whole organization. It will be of utmost importance for Yahoo to ensure adequate communication and training programs, especially for the leadership teams, so that responsibilities transition smoothly. This in turn will also create new job opportunities within Yahoo Inc. If employees do not understand or cannot relate to the changes in the security policies, they will not consider implementing them themselves, and the program will fail (Duffield 2014). It can also lead to vandalism and other insider threats if an employee is dissatisfied with a colleague or with the working principles of the organization and harbours a grudge against it. Employee job satisfaction plays a major role here.


Case for Change

No organization wants a token change, whether in the security program or in any other department; a case for the change has to be made. It is built from customer comment cards, customer satisfaction and employee satisfaction surveys, defect rates and business goals (Siponen, Mahmood and Pahnila 2014). Budget pressures in implementing a new security program and the hierarchy changes discussed above should be taken into consideration; the organization will also need to schedule proper training sessions for the finance department (Peltier 2016).

Communication and implementation of the change

Employees depend on management to communicate any change within the organization effectively. Rumors about a change can create resistance to the change itself. Yahoo should be proactive in communicating the changes and should ensure adequate training programs on the new security policy (Kang et al. 2015). Employees should not be surprised when a new security policy is implemented.

There should also be a tentative roll-out date for the new security plan and a pre-roll-out testing phase of the new security program, so that employees are well informed about the changes (Ford 2014).

Planning a suitable training program

Yahoo Inc. will need prior approval from upper management in order to conduct the training and development sessions. The training modules have to cover the different aspects of the program, such as security policy milestones, implementation costs, tentative dates and deliverables. Yahoo management should ensure commitment from the employees and verify their understanding of the learning outcomes (Daya 2013).

Traditionally, Yahoo relied on a password and PIN model for user authentication. To combat the ever-increasing incidence of data theft and security breaches, it recently introduced a feature called 'Yahoo Account Key', which lets a user log into a Yahoo account without entering a password: a push notification is sent to the user's registered phone and the user approves the sign-in by tapping a button, instead of memorizing a long, complicated password. This favours user friendliness, but the security of the model then rests entirely on possession of the enrolled device and on the strength of the account recovery process; a lost or compromised phone, or a weak recovery path, undermines it. On its own, therefore, this model is not sufficient to secure sensitive information and user data (Dadelo et al. 2014).


The security architecture of the open systems interconnection (OSI) reference model should be incorporated in the Yahoo workplace to secure data further (Bora et al. 2014). The OSI model is specified in the international standard ISO/IEC 7498, and its security architecture (ISO 7498-2) defines a set of security services together with the mechanisms that provide them; it should be adopted within Yahoo Inc. because of its multiple benefits. The services and related management functions defined by the architecture are:

  1. Overview: The architecture describes which security services can be provided at which of the seven OSI layers, so the protection of data in transit can be planned layer by layer. It addresses communication security; the physical security of premises and data centers has to be covered by separate controls.
  2. Authentication: Verifies the claimed identity of a communicating peer or of the origin of data; it underpins mechanisms such as single sign-on and account keys (Kumar and Lin 2013).
  3. Access control: Prevents unauthorized use of a resource, so that not every employee or user can reach every dataset, server or server room.
  4. Non-repudiation: Provides proof of origin or proof of delivery, typically by means of digital signatures, so that a sender cannot later deny having sent a message and a recipient cannot deny having received it.
  5. Integrity: Ensures that data has not been modified, inserted, deleted or replayed without detection while in transit.
  6. Confidentiality: Protects data against unauthorized disclosure, typically through encryption (Pathan 2016).
  7. Audit: Security audit trails record security-relevant events, so that internal as well as external audits can check that employees adhere to the security policies.
  8. Key management: The generation, distribution, storage and revocation of cryptographic keys, on which all of the mechanisms above depend; the security management functions of the architecture cover this, which is a further reason to incorporate the model at Yahoo.
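The distinction between the integrity and non-repudiation services in the list above is easy to blur. The following Python code, added here as an illustration and not taken from the standard or from Yahoo, contrasts a shared-key HMAC (integrity and origin authentication, but either key holder could have produced the tag) with a digital signature (only the private-key holder could have produced it). The RSA modulus built from two small Mersenne primes, the bare hash reduction, the message and the key are all constructed for the example and are not secure parameters.

```python
# Added example (not from ISO 7498-2 or Yahoo): integrity with a shared-key MAC
# versus non-repudiation with a digital signature. The RSA parameters are tiny
# textbook values chosen for the example and are NOT secure; a real deployment
# uses a vetted library (2048-bit RSA-PSS or ECDSA) rather than this toy.
import hashlib
import hmac


def mac_tag(key, message):
    """Integrity / data origin authentication with a shared key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key, message, tag):
    return hmac.compare_digest(mac_tag(key, message), tag)


# Toy RSA keypair from fixed Mersenne primes 2^61-1 and 2^31-1 (assumption:
# example only; ~92-bit modulus is trivially factorable).
_P, _Q = (1 << 61) - 1, (1 << 31) - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python 3.8+


def _hash_to_int(message):
    # Reduce the SHA-256 digest into the tiny modulus. A real scheme applies a
    # padding such as PSS here instead of a bare modular reduction.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N


def sign(message, d=RSA_D, n=RSA_N):
    """Non-repudiation of origin: only the holder of d can produce this value."""
    return pow(_hash_to_int(message), d, n)


def verify_signature(message, signature, e=RSA_E, n=RSA_N):
    """Anyone holding the public key (e, n) can check the signature."""
    return pow(signature, e, n) == _hash_to_int(message)


def demo():
    msg = b"transfer 100 USD to account 42"          # constructed message
    key = b"shared secret between Alice and Yahoo"   # constructed key
    tampered = b"transfer 900 USD to account 42"

    tag = mac_tag(key, msg)
    sig = sign(msg)
    # The receiver holds the same key, so it can mint a valid tag for a message
    # the sender never sent: a MAC cannot prove WHICH key holder wrote it.
    forged_by_receiver = mac_tag(key, tampered)

    return {
        "mac_ok": mac_verify(key, msg, tag),
        "mac_detects_tamper": not mac_verify(key, tampered, tag),
        "receiver_can_forge_mac": mac_verify(key, tampered, forged_by_receiver),
        "sig_ok": verify_signature(msg, sig),
        "sig_detects_tamper": not verify_signature(tampered, sig),
        # Without d an adversary can only guess; a perturbed signature fails.
        "sig_forgery_rejected": not verify_signature(tampered, sig + 1),
    }
```

The HMAC gives integrity and origin authentication between two parties that already trust each other, which is what TLS record protection needs; the signature is what an audit or a dispute needs, because the verifier never holds the secret and so could not have produced the evidence itself.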

The different threats faced by Yahoo in terms of security can be described as follows:

  • Yahoo announced in 2016 a data breach that had occurred in 2014 and affected around 500 million user accounts across the world (Muslukhov et al. 2013).
  • Cybercrime is again a major threat for Yahoo (Colesky, Futcher and Niekerk 2013). Attackers were able to recover passwords from the MD5 hashes that Yahoo used for password storage back in 2013; MD5 is a fast general-purpose hash rather than a password hash, so MD5 password hashes can be reversed cheaply by brute force or precomputed tables, especially when no per-user salt is used (Shameli, Barzegar and Cheriet 2016). Even today, Yahoo needs to be careful about the data theft threats that still exist within the organization.
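To make the MD5 point concrete, the following Python code is an added example (not Yahoo's code or data): it runs a dictionary attack against constructed, unsalted MD5 password hashes and then shows the salted, iterated password hash that defeats the same attack. The user records, the wordlist and the PBKDF2 iteration count are assumptions made for the example.

```python
# Added example (not Yahoo's code): why unsalted MD5 password hashes fall
# quickly, and what a proper password hash changes. All records below are
# constructed for the example.
import hashlib
import hmac
import os

# Constructed sample of what an attacker holds after a breach of a system
# that stored plain MD5(password) with no salt.
LEAKED_MD5 = {
    "user1": hashlib.md5(b"sunshine").hexdigest(),
    "user2": hashlib.md5(b"letmein").hexdigest(),
    "user3": hashlib.md5(b"Xq7!rbT9#pLm").hexdigest(),   # not in the wordlist
}

# Constructed tiny wordlist; real attacks use hundreds of millions of entries
# and GPUs computing billions of MD5 operations per second.
WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine", "football"]


def crack_unsalted_md5(leaked, wordlist):
    """Dictionary attack: one MD5 per candidate cracks every user at once,
    because without a salt identical passwords hash to identical values."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# Hardened form: random per-user salt plus a deliberately slow, iterated hash.
PBKDF2_ITERATIONS = 100_000   # assumption for the example; tune upward in production


def hash_password(password):
    """Returns (salt, digest); store both, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    cracked = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    # Same password for two users, salted: the stored digests differ, so the
    # attacker can neither crack them together nor reuse a precomputed table,
    # and every guess now costs PBKDF2_ITERATIONS hash operations per user.
    salt_a, dig_a = hash_password("sunshine")
    salt_b, dig_b = hash_password("sunshine")
    return {
        "cracked": cracked,
        "salted_digests_differ": dig_a != dig_b,
        "verify_ok": verify_password("sunshine", salt_a, dig_a),
        "verify_wrong": verify_password("sunshine!", salt_a, dig_a),
    }
```

PBKDF2 is used here because it ships in the Python standard library; where available, a memory-hard function such as Argon2id, scrypt or bcrypt is the better choice, since it also blunts GPU and ASIC cracking. Note that user3's strong password survives even the MD5 scheme in this small run; the weakness of fast hashing is that it punishes the common case of ordinary passwords.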

The risk factors within the organization related to information security are:

  • Vandalism by employees who are dissatisfied with another employee or with the organization as a whole, for personal or professional reasons. Employees with a grudge against the organization can deliberately cause or assist data theft (Jouini, Rabai and Aissa 2014).
  • End users may prefer other companies because of Yahoo's previous history of data breaches.

There are multiple reasons why this model is suitable for Yahoo. Firstly, it is an international (ISO) standard, so its credibility is not in question. Secondly, it is built on industry standardization, which allows third-party applications to integrate with Yahoo's security programs (Omar 2017). Using this approach, security issues can be troubleshot more easily, since the functions of the different OSI layers are clearly separated from each other (Huang et al. 2017).

Conclusion:

It can be concluded from the above report that, even though Yahoo has concerns about its data security, there are mitigation techniques that can be implemented to arrive at an improved information security system. The organizational hierarchy of the security personnel can be revised, and an ISO-standardized security model such as the OSI security architecture can be used to ensure improved security and smoother business operations. If properly implemented, these changes can raise the security level of the organization considerably. In the earlier report the different threats and risks were identified, and in this report the techniques for designing an appropriate security program for the organization have been set out. The risk analysis shows that risks such as employee vandalism should also be prevented, which can be addressed by paying attention to the level of employee satisfaction within the organization. Other information security techniques such as audit trails can also be introduced, through which managers can track who accessed which information, at what time and from which system. Provided all the threat mitigation techniques are properly implemented, Yahoo will be able to achieve a high level of information security, which in turn will help improve customer satisfaction for the company.

References:

Bora, G., Bora, S., Singh, S. and Arsalan, S.M., 2014. OSI reference model: An overview. International Journal of Computer Trends and Technology (IJCTT), 7(4), pp.214-218.


Chou, T.S., 2013. Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), p.79.

Colesky, M., Futcher, L. and Van Niekerk, J., 2013, September. Design patterns for secure software development: demonstrating security through the MVC pattern. In 15th Annual Conference on WWW Applications, Cape Town (pp. 10-13).

Dadelo, S., Krylovas, A., Kosareva, N., Zavadskas, E.K. and Dadeliene, R., 2014. Algorithm of maximizing the set of common solutions for several MCDM problems and its application for security personnel scheduling. International Journal of Computers Communications & Control, 9(2), pp.151-159.

Daya, B., 2013. Network security: History, importance, and future. University of Florida Department of Electrical and Computer Engineering, 4.

Duffield, M., 2014. Global governance and the new wars: the merging of development and security. Zed Books Ltd.

Flores, W.R., Antonsen, E. and Ekstedt, M., 2014. Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security, 43, pp.90-110.

Ford, J.K. ed., 2014. Improving training effectiveness in work organizations. Psychology Press.

Harkins, M., 2013. Managing risk and information security: protect to enable. Apress.

Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J. and Rao, H.R., 2014. Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service. Information systems journal, 24(1), pp.61-84.

Horalek, J., Matyska, J. and Sobeslav, V., 2013, November. Communication protocols in substation automation and IEC 61850 based proposal. In Computational Intelligence and Informatics (CINTI), 2013 IEEE 14th International Symposium on (pp. 321-326). IEEE.

Huang, P.L., Lee, B.C., Wang, C.S. and Sun, C.T., 2017. Relative Importance of the Factors under the ISO-10015 Quality Management Guidelines that Influence the Service Quality of Certification Bodies. Journal of Economics and Management, 13(1), pp.105-137.

Jouini, M., Rabai, L.B.A. and Aissa, A.B., 2014. Classification of security threats in information systems. Procedia Computer Science, 32, pp.489-496.

Kang, R., Dabbish, L., Fruchter, N. and Kiesler, S., 2015, July. “My data just goes everywhere:” user mental models of the internet and implications for privacy and security. In Symposium on Usable Privacy and Security (SOUPS) (pp. 39-52). Berkeley, CA: USENIX Association.

Kumar, S. and Lin, E.C., Yahoo! Inc, 2013. Management of network login identities.

Murashkin, A., Antkiewicz, M., Rayside, D. and Czarnecki, K., 2013, August. Visualization and exploration of optimal variants in product line engineering. In Proceedings of the 17th International Software Product Line Conference (pp. 111-115). ACM.

Muslukhov, I., Boshmaf, Y., Kuo, C., Lester, J. and Beznosov, K., 2013, August. Know your enemy: the risk of unauthorized access in smartphones by insiders. In Proceedings of the 15th international conference on Human-computer interaction with mobile devices and services (pp. 271-280). ACM.

Omar, H.O., 2017. Transformational Leadership in Quality Management.

Pathan, A.S.K. ed., 2016. Security of self-organizing networks: MANET, WSN, WMN, VANET. CRC press.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.

Shameli-Sendi, A., Aghababaei-Barzegar, R. and Cheriet, M., 2016. Taxonomy of information security risk assessment (ISRA). Computers & security, 57, pp.14-30.

Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.

Zeki, A.M., Elnour, E.E., Ibrahim, A.A., Haruna, C. and Abdulkareem, S., 2013, November. Automatic interactive security monitoring system. In International Conference on Research and Innovation in Information Systems (ICRIIS) (pp. 215-220).