- All Best Essays, Term Papers and Book Report

Information Security Technology Effectiveness in Current Organization

Essay by   •  February 6, 2013  •  Research Paper  •  1,344 Words (6 Pages)  •  1,470 Views

Essay Preview: Information Security Technology Effectiveness in Current Organization

Report this essay
Page 1 of 6

Information security Technology Effectiveness in Current Organization

Information security effectiveness and efficiency depends on how the organization design security policy, security plan, and how well it implements. In this paper, I will evaluate the effectiveness of security technologies and methodologies in my current organization and also will determine uncertainty, risk of each type of threat and possible additional control needed to make the security more robust and effective.

Effectiveness of the security technologies and methodology

My current company is very mature in terms of security control, technology and methodology. It understands that security is an ongoing process and to make sure security is effective and get the full benefit, it always needs monitoring, review and verification. Company arrange internal security audit every six months and external audit once in a year and based on that outcome, company upgrades technology, methodology or modify policy as and when required. "The final key element of an information security program is ongoing testing and evaluation to ensure that systems are in compliance with policies, and that policies and controls are both appropriate and effective" (GAO Report, 2004). Senior executives of the company take full initiative at personal level to make sure security technology and methodology are up to the standard and can help the organization to comply with all the required government and industry specific regulatory reporting.


There is nothing 100% secure, so uncertainty is always there. The Monte-Carlo model is a good tool to capture uncertainty in information security modeling parameters like frequency of intrusion, damage, vulnerabilities, etc., and it can predict the impact of the uncertainty on the projected result. In my current company following are the list of uncertainties.

* People - Internal threat - intentional or unintentional mostly because of employee negligence - 10 % uncertain.

* Process - Wrong information upload and delete or manipulation some critical process document - 50 % uncertain.

* Software - Virus or malware attack, unauthorized access and hacking - 20 % uncertain

* Hardware - Natural disaster, terrorist attack, electrical spark, sabotage - 10 % uncertain.

* Database - Unauthorized access, sabotage - 10 % uncertain.

These all uncertainty numbers can vary from year to year and with more historical data these numbers will be more accurate.

Risk for each threat

Each threat has it own risk value based on the asset it impacts. The valuation process is based on the value company will lose in case the information asset is damaged or modified (asset value) multiplied by annual rate of occurrences (ARO) multiplied by (1- control effectiveness) multiplied by (1+ uncertainty).

In my current company following are the risk values for different assets.

Asset Name Asset Value ($) Threat Description Controls in Place ARO Uncertainty Risk Value ($)

People - Unix System Administrator 80,000 Internal threat - intentional or unintentional mostly because of negligence. Very High (.9) Low (.05) .1

( 90 % certain) 80,000 X .05 X (1-.9) X (1+.1) = 440

Process - Application support run book 50,000 Wrong information upload and delete or manipulation some critical information Low (.5) Very Low (.001) .5

( 50 % certain) 50,000 X .001 X (1-.5)X(1+.5) = 37.5

Software - In-house developed - Loan Approval recording and controlling system 200,000 Software threats related to in-house are primarily security and virus issues. Like spyware, viruses, or other malicious software. And data delete or leakage during transmissions because of application hacking. High(.8) Medium

(.1) .2

( 80 % certain) 200,000X.1X (1-.8) X (1+.2) = 4800

Hardware - 49,000 Threat to hardware relates to accidental/natural disaster or deliberate damage, war outbreak, earthquake, fire outbreak, flooding, windstorm, electrical spark, internal/external sabotage, theft, equipment break down Very High(.9) Medium

(.1) .1

( 90 % certain) 49,000 X.1 X (1-.9) X (1+.1) = 539

Database - Oracle 11g database 150,000 Database Communication Protocol and Platform Vulnerabilities.

Denial of Service, un authorized access to data from both internal and external front.

Very High(.9) Medium

(.1) .1

( 90 % certain) 150,000 X .1 X (1-.9) X (1+.1) =


Additional controls

To prevent security threats technological controls may



Download as:   txt (9 Kb)   pdf (113.7 Kb)   docx (12.7 Kb)  
Continue for 5 more pages »
Only available on