ITM 438 MOD 4 Case (docx)
School: Trident University International
Course: 438
Subject: Information Systems
Date: Jan 9, 2024
Pages: 6
Uploaded by adrianaamore14
Information Security Systems
Adriana M. Moreno
ITM 438 – Information Security Management and Assurance
Trident University International
Steve Gralewski
November 6, 2023
Information security is more important today than ever before. Technology changes and grows more sophisticated every day, and it often seems that the more convenient life becomes through technology, the more exposed our information becomes. Information security, or INFOSEC, is an integral part of every business or organization. It protects not only digital information, such as data stored in the cloud, but also written or physically stored information, including proprietary information and even ideas. Businesses and organizations need to keep secure not only their own information but also the information of their customers. News of a data breach at a company that has been hacked arrives almost monthly, if not more often. Such a breach compromises the integrity and reputation of the company and puts its customers at risk of fraud, identity theft, and much more. INFOSEC practices make it possible for businesses and organizations to keep data in the hands of those who need to access it and to prevent unauthorized deletion or modification of that data. All of this means that INFOSEC must adapt as quickly as new technology dictates.
Three Components of INFOSEC
Three components or pillars guide INFOSEC within a business or organization; together they are known as the CIA triad (Chai, 2023). The pillars are confidentiality, integrity, and availability. The first is confidentiality, more specifically data confidentiality: data within an organization is accessible only to those who need it, whether a user or an employee who needs the information to do their job (DOT Security, 2023). The next pillar is integrity, which means that data is not altered or deleted without authorization. To protect this pillar, a company builds controls into its infrastructure, backs up its data, and creates contingency plans for a data breach, which is far more likely to occur these days (DOT Security, 2023). The final pillar is availability, or data availability: the ability of authorized users to access information when they need it. After a data breach or an attack, for example, the employees who need the information may not have it as soon as they need it, which can delay the productivity or even reduce the profits of the company or organization (DOT Security, 2023).

Differences in Laws and Ethics
In general, our society is guided by both laws and ethics; they are the bedrock on which modern civilized life is built. Laws are defined as "rules that mandate or prohibit certain behavior in society" (University of Arkansas Grantham, n.d.). Every state, country, tribe, or governing body has laws; they all differ, but all aim to maintain some order among people in daily life. Laws are derived from ethics, "which define socially acceptable behaviors" (University of Arkansas Grantham, n.d.). It is not socially acceptable to steal, for example, so there are laws against theft, and the act is prosecutable, with a severity that depends on where the act is carried out. The key difference is that laws carry the weight of the government or governing entity behind them (University of Arkansas Grantham, n.d.). Ethics do not carry this weight; they are instead grounded in the cultural norms of the area or region (University of Arkansas Grantham, n.d.). Laws and ethics matter to INFOSEC because businesses and organizations today run effectively and successfully by adhering to them. If a company were found to be collecting its users' data without their knowledge, it would be open to litigation, since the right to privacy is treated as an ethical principle as well as, to a certain degree, a legal one. Beyond litigation, the company's reputation could be destroyed, because users would no longer trust it not to collect their data without their knowledge. Any INFOSEC professional should know this so that they can make sure they themselves are working within legal and ethical bounds, and so that they can report to the company if it is working outside those lines in any capacity.

Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act (SOX) was signed into federal law on July 30, 2002. It was created in response to several large accounting scandals of the early 2000s, such as Enron, one of the largest of the time. That scandal came to light when a whistleblower working at Enron found that the company was hiding its debts and losses through creative accounting techniques, concealing the truth from investors and the public (Cornell Law School, 2021).
Two sections of SOX pertain directly to INFOSEC without actually mentioning it: Section 302 and Section 404. Section 302 states that "the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) must personally certify that financial reports are accurate and complete," so the holders of these two positions are now personally liable for any reported information found to be inaccurate or incomplete (Stults, 2004). Section 404 states that "a corporation must assess the effectiveness of its internal controls and report this assessment annually to the SEC" (Stults, 2004). These requirements relate so heavily to INFOSEC because the financial reporting systems depend on technology to run properly and to stay in compliance with SOX and the SEC. The information behind those reports, which today is most likely stored on servers but may still exist as physical paperwork, could be compromised if it is not stored or protected properly, and protecting it is exactly INFOSEC's job.
References
Chai, W. (2023, February 10). What is the CIA triad? Definition, explanation, examples. TechTarget, WhatIs.com. https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA

Cornell Law School. (2021, April). Sarbanes-Oxley Act. Legal Information Institute. https://www.law.cornell.edu/wex/sarbanes-oxley_act

DOT Security. (2023, October 24). What are the 3 components of information security? https://dotsecurity.com/insights/blog-what-are-the-components-information-security

Stults, G. (2004, July 25). An overview of Sarbanes-Oxley for the information security professional. SANS Institute. https://www.sans.org/white-papers/1426/

University of Arkansas Grantham. (n.d.). Legal, ethical, and professional issues in information security. grantham.edu. https://content.grantham.edu/at/IS211/ch03.pdf