Term paper on Exercises on Information Security Management

1. Why is the C.I.A. triangle significant? Is it widely referenced?

The significance of the C.I.A. triangle cannot be overstated, as its elements are the basic notions of information security. These components are confidentiality, integrity and availability of information. Confidentiality, first of all, means that information is prevented from being disclosed to unauthorized individuals, institutions or systems; in other words, access to private data is limited. It is especially important to maintain the privacy of individuals, as their private lives should not be a public affair. Integrity, secondly, stands for the trustworthiness of the data; it includes preventing undetectable modification of information. It is an issue of consistency too. Finally, availability of information guarantees access to the data when such access is legitimate and necessary. Naturally, everything depends on the kind of information. All three are significant in terms of computer security and information assurance as well.

The C.I.A. triangle is usually considered every time the information technology team deals with new software or installs a server. It is significant in analyzing data transport methods and in designing databases. What is more, each PC user becomes a member of this team too. Therefore, knowledge, understanding and evaluation of these core information security goals is crucial for every user.

Still, at the moment these famous core principles are widely argued over, as the triad does not include other important elements like non-repudiation, legality or accountability. That is why the classic triangle is gradually moving to the sidelines and is usually combined with other models, as has been done by Donn Parker, who proposed the six atomic elements of information model. In this model confidentiality, integrity and availability have been complemented with possession, authenticity and utility.

2. Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organization?

Strategic planning is an extremely important issue of organizational development, especially when we talk about a large organization with many departments and huge material and intellectual resource bases. Usually strategic management is carried out by general managers who act on behalf of the owners and are responsible for the effective use of resources. The goals of strategic management are as a rule developed in special projects and programs, but there are still different approaches to how strategies are chosen. Top-down strategic planning is the most widespread model. According to this model, the chief executive officers, often supported by strategic planning teams, decide themselves which way the organization should follow and what general direction should be taken. Another model is bottom-up strategic planning; in contrast to the first approach, here the ideas are proposed by the employees. Those ideas are discussed and reviewed, and then the best proposals become the basis for further action.

The benefits of both models are widely disputed, and it is now often said that forceful impositions do the company no good, as they often meet resistance and skepticism from the staff. The advocates of the bottom-up model insist that no idea can succeed if people don't like it, and, on the contrary, when they like it they will do their utmost to make it succeed, even if it is not ideal. Top-down planning is often called unworkable and regarded as a paper tiger, but still, in a big diverse corporation only professionals can really cope with the mountain of information involved, including the time limitations and budget resources.

3. What criteria should be used when considering whether or not to involve law enforcement agencies during an incident?

In today's rapidly changing conditions each company should care much about information security, which is an ongoing process and requires much diligence and knowledge to protect information. All information systems are to be protected from unauthorized access, use, disclosure, destruction, alteration, or disruption of information. However, even when all the measures are taken, no one is absolutely insured against information security incidents. Sometimes the incidents are so serious that it is almost impossible to do without law enforcement agencies, or the so-called "cyber police". Their first and foremost mission is to protect the assets of organizations and to ensure the continuing operation of information systems and whole networks. In fact, today these agencies have a lot of work, and it seems quite unreasonable to involve them when it is possible to cope without their assistance.

Besides, there are some more arguments against their involvement. The matter is, you have no guarantee that you will receive really competent and effective service, while you will be opening access to confidential information to outsiders. What is more, this procedure involves serious losses of time and financial resources, so it is important to weigh what will cost more. In any case it is important to have a computer security professional on the staff, because this is the person the cyber police will want to consult. Without such a professional it will certainly be hard to cope with the consequences of a case. Before assistance arrives, it is necessary to determine the evidence of the crime, and possibly some non-criminal causes; the indications of any aberrations and abnormal activities, to be studied for their nature and causes; and any motives or intentions behind the crime.



Author: essay