An organization is an entity of people with a collective goal or purpose to be achieved over a targeted period of time. Organizations take various forms, such as partnerships, sole proprietorships, businesses, or hybrid organizations. In that respect, a hybrid organization is one that operates in both the public and private sectors at the same time.
It incorporates voluntary associations, non-governmental organizations, and other types (Pieterse, Caniels, & Homan, p. 818). What is common among all these types of organizations is that they need to safeguard every piece of information from unauthorized personnel. This practice of securing data, whether physical or electronic, from individuals who are not eligible to access it is what is popularly termed Information Security, or InfoSec for short. To that extent, InfoSec proves critical in developing the confidence that the management of business functions gives stakeholders in the integrity of the data and processes that the firm carries out or operates. This paper will focus on matters of information security based on a fictional company.
Working as a consultant in a certain non-governmental organization based in the state of Illinois, there appears to be a need to safeguard the intellectual property and data in this organization. Sandburg Youth Sports Association (SYSA) is the name of the organization where I work as the Information and Communication Technology consultant. My role consists of functions pertaining to ascertaining that the technological systems operate smoothly and remain functional. Moreover, I am meant to facilitate improvements and enhancements of process functions to ensure the success of the business operations. The company SYSA was founded in the year 1996 by one Mr. Timmy Christopher. I chose this specific entity because, as a sportsman with a deep interest in technology, it quenches my passion. At the same time, SYSA gives me the opportunity to give back to the community with the skills I acquire through what I learn there.
Description of the Organization
Sandburg Youth Sports Association (SYSA) is one of the few non-governmental sports organizations in the United States whose central aim is to use sports and technology to narrow the socioeconomic gap in the community while also promoting the use of technology as a weapon of change in society. This organization serves mostly the youth in the state of Illinois but is not limited to this state alone; it is also open to the rest of the members of the surrounding public and the United States as a whole. To that extent, SYSA is an organization dedicated to the development of the community through the championing of sports activities. In that esteem, SYSA is an organization that empowers members of the community towards the achievement of their goals and aspirations. It is a sure way of ensuring that community members are mobilized effectively to enhance the management of sports talent. For that reason, I am proud to be associated with SYSA, especially since I am tasked with the responsibility of handling its technical functions.
The organization consists mostly of volunteers who offer their time and services in return for the knowledge and skills they acquire from experts based at the firm. However, some sections of the organization consist of fully employed personnel who play the most significant part in running the organization. In total, there are an estimated 20 highly qualified employees and another 30 volunteers, including myself, who are dedicated to ensuring that the operations of the business are successful. Together, these individuals work alongside each other to facilitate the success of the initiatives put forward by the firm's objectives. The company ensures that staff members work cohesively to meet the objectives of the organization effectively. In my capacity, I ensure that the technical systems are well maintained so that they remain effective and that all technical processes are operational.
Structure of the Organization
SYSA is run by highly self-motivated individuals and operates on a matrix management method whereby each department consists of two or three bosses who are well-trained experts and are assisted by other volunteers whose work is to ensure that everything runs in order as per the objectives of the organization (Galvin, p. 5). The SYSA headquarters, located in Illinois, is supported by ten other zones in the same state. Inside the gated headquarters, there are offices which facilitate the running of the organization at large. Other structures include a fee-based gym service, which is open not only to the staff but also to members of the community, and a fully stocked and functional library.
The main task handled by the Executive Director of this organization is to oversee all the day-to-day programs and offer directives whenever called upon to. Second to the Executive Director is the Human Resource Manager, whose responsibility is to maintain and enhance human resource programs, policies, and practices. The other departments, i.e. the Library and the Gym, are managed by two overall managers who have volunteers under them to assist in their work.
Regulatory requirements. In its aim of providing opportunities to the youth through sports and technology, SYSA is fully aware of the regulatory compliance requirements it is supposed to adopt in its structure. The services and daily activities carried out within the SYSA headquarters are ISO certified and meet the International Standards. In the United States of America, any reported case of breaking the laws and regulations of the organization attracts a criminal or civil penalty.
Risks. As stated above, the SYSA organization deals with various data, mostly in the gym, the library and the other 10 zones involved. This data may be financial, such as money payable in the gym or library fines, statistical data in the library, or even zonal information dating from the time the SYSA organization came into existence. With all this in mind, there is a need to protect and safeguard the physical and electronic information held by the organization. Some of the potential risks facing the organization's information may come through manipulation of the zone data in one's own selfish interest. One may also try to hack into the gym department's system and edit the financial statements in one's favor or even clear debts illegally. Hence, there is a need to put measures in place to avoid and prevent any potential loss to the organization.
Threats to Information Security may appear in many forms. The most common threats of all are cybercrime and software attacks. Sabotage and information extortion are similar avenues of information insecurity. A few examples of software attacks are viruses, Trojan horses and phishing attacks, among others. With technology advancing in every dimension every passing day, it is common to hear of organizations' systems being hacked and money laundering happening now and then. This requires every organization to step up to the task in order to combat these petty crimes, which cost organizations millions of shillings. These threats need to be mitigated by setting up countermeasures and safeguards so as to eliminate and block them.
Policies on the Deliverables
In normal practice, every organization is mandated with the task of providing reasonable policies which go a long way in ensuring that rules and regulations are followed to the letter, and any discrepancies in the stated laws are punishable. As the consultant of SYSA, I saw it appropriate to come up with a number of policies, according to law, whose aim is to ensure that the objectives of the organization are protected and any unexpected incidents are tackled. The other influence on policy making is the ideology of the company, where the values and beliefs of the organization are held in high esteem. It is hoped that any action contrary to the following stated policies is punishable according to law.
Website Privacy Policy. This is a simple document that discloses how visitors' information will be used on the SYSA website. Members who access the gym services will be required to open a portal account which they will use to register their membership. All payments will be made through this site, and members will be informed that the SYSA systems are fully encrypted. This is aimed at instilling confidence in our website visitors and letting them know that any information provided for either the gym or library services is secured and that the organization will be responsible for any eventualities.
Breach Notification Policy. In the case of any breach of zonal information, clients' financial information or interference with records in the library, SYSA will investigate and notify the individuals affected by any information security breaches. The system of the organization will be updated to the extent that any tampering with the system can be detected and an amicable solution generated before any major damage happens. The Executive Director must be notified with immediate effect of any breach through the appropriate channels so that action can be taken. This Breach Notification Policy is aimed at ensuring that stored Protected Personal Data (PPD) is not lost, stolen or in any way compromised. In the unforeseen event that the PPD is interfered with, the policy recommends immediate disclosure until the issue is resolved. Moreover, major breach incidents, such as those involving Personal Identity Information (PII), are treated exclusively and may attract heavier penalties. The state government will also be notified of such a breach, especially when the financial information of the members is in question. Since prevention is better than cure, I would install compliance software on all the systems in the organization. When this software is implemented, it will help the organization manage its compliance data in a more simplified and efficient way (Johnson, p. 311).
Incident Response Policy. In the event that the security of SYSA has been compromised or breached, the following Incident Response Policy will be put into effect. After reporting the breach incident to the state government, an immediate investigation will be carried out on the customers potentially affected. The main aim is to manage the situation in a way that ensures the damage is limited while at the same time minimizing the recovery time and any costs whatsoever. Computers affected and infected with unwanted malware should be scanned, and all customers put on notice of the issue. Any security incident will be handled with immense care based on the severity of the damage.
Disaster Recovery Policy. There may be lapses in the security systems of SYSA. In the case of system infrastructure failure, an initial risk assessment will be performed to evaluate any possible vulnerabilities. The company personnel in charge of the ICT department will set up facilities to ensure backup storage of data. I would also open cloud storage of data on the internet so that, in the event of system failure, there is always a backup mechanism available. The organization will be entirely responsible for any losses of financial and other belongings of customers and will work hand in hand with the insurance companies to compensate the affected victims. Outsourcing will also be considered as a viable option in the management of threats that affect the software on the organization's systems. The organization will do everything possible to minimize the recovery time so that the operations of the firm return to normality as soon as possible. This policy, which follows a repeating lifecycle, is intended to provide a systematic plan to manage, implement, maintain and recover any lost resources and data.
Information Security Policy. In a bid to come up with an InfoSec policy, I would create one which protects confidential information about the clients' details to avoid any possible harm. The organization is not in a position on its own to secure all information belonging to clients; therefore, SYSA will work together with the customers and ensure they are familiar with current relevant policies and state regulations. SYSA will make sure to provide a very secure database system and a comfortable work environment for the employed staff, volunteers, and all other authorized personnel. For SYSA to deliver quality services to its customers, it will make sure all users understand what is required of them in protecting the confidentiality, integrity, and availability of the information they provide to the organization. SYSA will also respond to feedback as soon as possible and continually improve on possible areas of system lapses.
Risk assessment is a crucial part of an Information Security policy, as it seeks to research the vulnerable parts of an organization where information may be handled inappropriately. The process of risk management includes identifying the assets in the organization and estimating their value, evaluating the potential impact that each threat will have on the assets and data of the organization, and finally accepting the remaining risk and putting up control measures to control and mitigate the risks.