Cistern Security Systems Risk Management

Executive Summary

Due to the expanding market and improvements in technology, Cistern Security Systems (CSS) has been forced to hire more staff, most of whom are drawn from the local population. It has since emerged that the new staff are inexperienced with the latest security-system technologies. This weakness was discovered two months ago when the company won a contract to install CCTV surveillance cameras. The staff could not complete the task, the company had to hire staff from other firms, the project was delayed, and CSS paid a hefty fine as stipulated in the agreement.

The report aims to analyze the potential risk posed by inexperienced personnel to the performance of Cistern Security Systems. The main factors that contributed to the situation were difficulty attracting international experts, limited local expertise and poor planning. A system model was built to describe the main factors that led to the risk situation. The mitigation measures proposed by CSS are proactive forecasting, local recruitment workshops, training centres and competitive pay packages. The team used the following tools to test the efficacy of the proposals: the power field plot, the severity and occurrence matrix, the system approach and Hood's schools of thought. The residual uncertainty of the risk is level 2 (alternative futures). The firm also used Porter's concept of strategic fit to analyze the feasibility of the mitigation measures.

Overview of the Risk Situation

Cistern Security Systems (CSS), one of the leading providers of security solutions, has undergone major expansion in the last seven years. This has included expanding into overseas markets, adopting modern security platforms, and venturing into other security services such as internet data security and tracking of goods in transit. During this period of rapid expansion the company has strived to hire the most qualified staff for its technical and sales teams, whether from the local Saudi market or expatriates, to meet growing demand (Brown 1995).

CSS has continually recruited new staff in the knowledge that the success of any organization depends largely on its people. However, the company operates on a shoestring budget and has not been able to attract the most qualified staff, while some of its most qualified personnel have been lured away by better offers from other firms. Consequently, the firm has had to hire less qualified staff with no prior experience and train them on the job.

However, the services that CSS has recently ventured into require a thorough grasp of security operations, which demands both knowledge and experience. This has created a crisis in the company, since only a small percentage of the staff can perform their roles satisfactorily. At times temporary staff have been hired to assist with operations; in other instances CSS has had to subcontract contracts that it won.

This paper analyzes the talent-shortage risk, which significantly impairs the performance and success of the organization, especially in projects that require expertise, experience and precision. Security operations are complex and sensitive, and any flaw could cost the company millions of dollars in contract fines, lost contracts and legal fees. The company's image would also be tarnished, and once that happens, regaining public confidence is a daunting task that could take years.

Several factors have led to the shortage of experienced and qualified staff for installing CCTV surveillance cameras and other security solutions, as outlined below:

  • In the early 2000s, demand for personnel in security firms was low because few security firms operated in Saudi Arabia at the time, so many young experts sought employment in other sectors. This was compounded by the fact that security personnel were paid poorly compared to sectors such as oil drilling; above all, many people looked down on security jobs as low-class (McCahill 2002).
  • During the late 1990s and early 2000s, global demand for individuals highly qualified in security systems increased, driven by growing fear of crime in developed nations, especially in Europe. These opportunities attracted qualified personnel from Saudi Arabia, as the pay packages were better, and depleted the country of qualified and experienced individuals.
  • Frequent political upheavals and threats of terrorism have discouraged expatriates from taking up job opportunities in Saudi Arabia.
  • Poor forecasting and planning by the labour office. Had CSS known that personnel were in short supply and that demand would increase in the late 2000s and 2011, it would have started recruiting security experts several years earlier, giving young employees enough time to develop their skills. Such early preparation would have prevented the shortage of experienced staff (Tse 2005).
  • The final cause of the shortage of qualified and experienced staff at Cistern Security Systems is its small operating budget. The organization faces competition for qualified staff from more established firms such as STESA, Allcom, Abr Aman AFSTS and IBD-Tech, all of which pay better than CSS and poach its highly experienced staff (Norris & Armstrong 1999).

Characteristics of the Risk Situation

The workforce risk is analyzed with regard to two major characteristics: frequency of occurrence and severity of loss.

As CSS expands, it faces competition for security-system experts from other firms, which has forced it to hire less qualified and inexperienced staff and train them on the job. Staff inexperience will therefore be most pronounced in the first few months. However, because some security-system operations, such as CCTV installation, are intricate, new employees may encounter difficulties for much longer. The frequency of the workforce risk is therefore considered high (Carrera 2008).

Secondly, the complexity of some security systems means that staff must have a working knowledge of them; without it, mistakes are more common and financial losses rise. Mistakes arising from staff inexperience may also delay completion of a contract, resulting in fines and in the cost of hiring temporary staff to work on contracts (Tsoukala 2007), which further drives up financial losses. The severity of loss is therefore considered high as well.

Figure 1: Severity of Loss vs. Frequency of Occurrence matrix.

From the matrix in Fig. 1 it is evident that both severity of loss and frequency of occurrence are high, so an organization should normally strive to avoid the risk. In a situation like our company's, however, the risk should be eliminated and sufficient measures introduced to prevent its recurrence, thereby reducing financial losses.

Figure 2: Bubble Chart for Risk Prioritization.

Figure 2 illustrates how the workforce risk grows over time. The inexperience of the personnel combined with the complexity of some security operations requires urgent attention and action to reduce financial losses (Honess & Charman 1992).

The System Model

It is imperative to take a holistic view of the risk situation and assess the factors that caused it. A system model shows all the major factors that led to the risk situation and the relationships between them, as illustrated below:

Figure 3: Workforce Risk (system model).

The system model shown in Fig. 3 illustrates the factors that caused CSS to hire inexperienced personnel. It can be seen that most of the problems stem from organizational inefficiencies (Lyon 2001). The concept of a power field helps us understand the environment in which the organization operates.

Figure 4: The power field plot.

The power field plot identifies the most effective mitigation measures CSS can apply to the factors under its influence. The organization cannot reverse the fact that most experienced staff are close to retirement age, or that people refuse to work in Saudi Arabia because of security concerns. These factors have forced CSS to opt for a younger, less experienced workforce that has instead turned out to be a liability (Balzacq 2006).

Proposed Mitigation Measures

The risk mitigation measures considered in this paper aim to avoid or prevent employee-related risks from recurring. Since CSS has already hired the inexperienced employees and Saudi labour law prohibits dismissing them, the company's remaining option is to enrol these employees in intensive training programs to improve their expertise.

Figure 5: New system model showing mitigation measures.

Mitigation of the organizational issues

Proactive Forecasting and Planning: CSS needs to forecast its future operations accurately. The forecasts should centre on expected growth and relate it to the number of staff required.

Mitigation of the local talent factor

  • Recruitment Workshops: CSS can visit local universities and technical colleges to encourage young people to specialize in security systems, and offer fresh graduates attractive packages to draw them into the organization.
  • Training Centres: the organization should build a hands-on training centre where inexperienced personnel receive practical training that shortens their learning curve in an environment where mistakes are not costly. It should also provide inexperienced personnel with detailed operating procedures and guidelines to eliminate the risk of mistakes and improvisation (Cazemier 2000).

Unintended Effects and Secondary Mitigation Measures

Implementing these mitigation measures reduces the risks arising from workforce limitations. However, new, unplanned effects may arise from them, as shown below:

Figure 6: Unintended Effects & Secondary Mitigations.

As the figure shows, the preliminary set of mitigation measures brings a new set of problems, including:

  • Operating costs of the recruitment exercise: since the exercise will be run jointly with local universities and technical colleges, these costs will be substantially reduced.
  • Costs of running the training centres: staff will pay part of the cost of their training, and to prevent poaching by other firms, retrained staff will sign a five-year contract with the company.
  • Higher wages for temporary staff: they will be employed while the rest of the staff are in training; although they will cost the company a substantial amount, the long-term benefits of the training program will exceed the cost.

Effectiveness & Sustainability of the Risk Mitigation Measures

Several theories for reducing workplace risk have been proposed. Each requires assessment before implementation, because implementation costs can exceed the expected benefits (Ericson & Haggerty 1997). Since operations at CSS require specialized skills, and any mistake can prove costly to the company economically and in terms of image, it must proactively ensure that staff have the right expertise.

The design doctrine can be used to illustrate the advantages of having the right skills at all employment levels. The organization must ensure that the workforce is trained on the latest security-system technologies (van Bon 2004). Before training commences, however, CSS should consider the effects that may arise and estimate their magnitude so that they can be minimized.

The organization's residual uncertainty level must be determined so that its future performance can be evaluated. Residual uncertainty is the uncertainty that remains after the best possible analysis has been performed (Courtney, Kirkland & Viguerie 1997). The company's growth prospects can be evaluated so that future resource requirements can be estimated, which can help avert a repeat of the debacle witnessed at CSS. Future growth will be affected by factors such as economic performance and competitors' strategies; consequently the residual uncertainty is level 2, alternative futures.

The key factors that will determine the success of the mitigation measures are:

  • The organization's ability to analyze the security-systems market efficiently and accurately in order to plan for the required personnel.
  • The commitment of the inexperienced personnel to learning and improvement, because no training activity will succeed unless employees are willing to develop and learn from their mistakes.
  • The willingness of the hired consultants to be active in both training and job operations.

To sustain a competitive advantage over its competitors, the organization needs to achieve strategic positioning and fit (Porter 1996). Positioning establishes what activities the company performs, how it performs them, and how these activities relate to each other. CSS should adopt needs-based positioning, serving its customers by supplying all components of the security systems it sells. For example, when installing CCTV, it should be able to supply the cameras, hard drives, display screens and back-up devices (Fyfe & Bannister 1996).

To be sustainable, the risk mitigation measures should reduce the initial uncertainty of the risk situation. They should reinforce each other to minimize the risk, so Porter's third-order fit, optimization of effort, is the most suitable here; the model is shown below:

Figure 7: Integrated System Diagram.

The figure illustrates how the initial set of mitigation measures and the secondary measures will reduce the risks related to inexperienced personnel.

Conclusion

Risks can be classified by their frequency of occurrence and the severity of loss. This case study shows how to evaluate a risk situation in an organization: tracing it from its sources through mitigation measures and secondary mitigation measures to an analysis of their efficacy. Several models were used that enabled CSS to address the workforce risk; however, not all organizations can employ these models to solve risk situations. The system approach depends greatly on the perception of the analyst and is thus subjective. The analysis introduced several tools for assessing the effectiveness of the proposed mitigation measures.

References

Balzacq, T. (2006), Security versus Freedom, Aldershot: Ashgate.

van Bon, J. (2004). IT Service Management: An Introduction Based on ITIL. Amsterdam: Van Haren Publishing.

Brown, B. (1995). CCTV in Town Centres: Three Case Studies. Police Research Group, Crime Detection and Prevention Series, Paper No.68, London: Home Office Police Department.

Carrera, S. (2008). Security and our Freedom, Aldershot: Ashgate.

Cazemier, J. (2000). Security Management, Stationery Office. London: Sage.

Courtney, H. Kirkland, J. and Viguerie, P. (1997). Strategy Under Uncertainty. Harvard Business Review, Nov-Dec 67-79.

Ericson, R. & Haggerty, K. (1997). Policing the Risk Society. Oxford: Oxford University Press.

Fyfe, R. & Bannister, J. (1996). City watching: closed circuit television in public spaces. Area 28(1): 37-46.

Honess, T. & Charman, E. (1992). Closed Circuit Television in Public Places: Its Acceptability and Perceived Effectiveness. Home Office Police Research Group, Crime Prevention Unit Series, Paper No. 35, London: Home Office.

Lyon, D. (2001). Surveillance Society, Buckingham: Open University Press.

McCahill, M. (2002). The Surveillance Web: The Rise of Visual Surveillance in an English City. Cullompton: Willan Press.

Norris, C. & Armstrong, G. (1999). The Maximum Surveillance Society: The Rise of CCTV. Oxford: Berg.

Porter, M. (1996). What is Strategy? Harvard Business Review, Nov-Dec 61-78.

Tse, D. (2005). Security in Modern Business: security assessment model for information security Practices. Hong Kong: University of Hong Kong.

Tsoukala, A. (2007). Terror, Insecurity and Liberty, London: Routledge.

Information Security Management System: ISO 27001

In light of recent data breaches and the rising number of cyberattacks, information security has become especially significant. By leaving gaps in its information security management (ISM) approach, a company not only jeopardizes its own success but also endangers every member of staff working for it. Exposure of people's personal data to third parties is inadmissible; it is therefore crucial that a proper tool for assessing the efficacy of the ISM approach is introduced into the company's framework.

Although the current ISM strategy has delivered quite positive results for the enterprise in question, it may have several shortcomings against the current ISO 27001 standard, particularly in terms of executing control over the provision of information security. Therefore, a tool allowing consistent supervision of this area should be introduced into the framework, with a preliminary test (Hsu & Marinucci, 2012).

According to the standard, controlling the data management processes in a company is crucial to the security of its members. Since the tools for controlling the data flows within a company are very numerous, the standard leaves it to managers to select the appropriate ones. Their supervision, however, is imperative:

The selection of controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options and the general risk management approach applied to the organization, and should also be subject to all relevant national and international legislation and regulations. Control selection also depends on the manner in which controls interact to provide defence in depth. (ISO/IEC TR 27008:2011 Information technology — Security techniques — Guidelines for auditors on information security controls, 2014)

The above measure is doubtless essential. Without an appropriate control tool, the outcome of an information transfer may be detrimental to the organization and harmful to its members. The requirement in question can therefore be deemed essential to the overall success of the organization and the security of its members.

In order to assess the company's ISMS, one will have to adopt an elaborate system of audits that allows a detailed analysis of the current system status and locates possible weaknesses in its framework. More precisely, regular inspections that check whether employees follow the existing information security requirements should be viewed as the primary instrument for assessing current information security performance (Williams, 2013).

Apart from the tool above, however, self-regulation needs to be considered. Staff members must realize the importance of the measures undertaken by the company. Consequently, employees should be able to take responsibility and make important decisions on their own, thereby assuming their professional responsibilities. As a result, a rapid increase in cyber awareness can be expected, as employees will accept the existing security standards more readily and follow them diligently.

One must admit that it would be naïve to expect an immediate improvement in the information management process. Although the above framework provides a set of firm rules that prevent staff from being exposed to cyberattack, it may still fail as long as some employees are unaware of the basic principles of information security. Nevertheless, applying the model is expected to have a gradual positive influence on security in the company. In particular, the framework is expected to help staff recognize the need to follow the existing rules and to apply them more consistently (Fitzgerald, 2011).

Indeed, scrutiny of the current information management environment in the organization shows that employees display a disturbing lack of concern about how data is used and passed on. Once company members recognize the necessity of securing information, fewer threats will be posed to the enterprise and its employees. The ISO 27001 principles regarding data security control therefore need to be followed closely. By complying with the principal guidelines of ISO 27001, the organization will create the prerequisites for its staff to develop responsibility in carrying out their workplace tasks (ISO/IEC 27001 – Information security management, 2014).

In other words, promoting the above framework as the foundation of the company's information security will also promote the concept of corporate social responsibility (CSR) among staff. By definition, CSR serves as a means of guiding employee behaviour so that they do not break the company's primary rules, including those related to information security. Specifically, employees will develop an intrinsic understanding of the significance of information security, so fewer instances of exposure to cyberattack will emerge in the future. Successful promotion of this approach will create the conditions for reducing the incident rate further, although no programme reduces the threat to zero.

Reference List

Fitzgerald, T. (2011). Information security governance Simplified: From the boardroom to the keyboard. New York, NY: CRC Press.

Hsu, D.F., & Marinucci, D. (2012). Advances in cyber security: Technology, operations, and experiences. New York, NY: Fordham University Press.

ISO/IEC 27001 – Information security management. (2014). Web.

ISO/IEC TR 27008:2011 Information technology — Security techniques — Guidelines for auditors on information security controls. (2014). Web.

Williams, B. L. (2013). Information security policy development for compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA standard, PCI DSS V2.0, and AUP V5.0. New York, NY: CRC Press.

Information Security Management: Legal Regulations

Introduction

Rapid technological advancement and globalization have brought new challenges to organizational information security management. The level of data collection and sharing across various media has increased drastically. Moreover, new technologies allow public and private enterprises and institutions to process personal information at a larger scale than ever in pursuit of their own goals. These trends carry major risks of confidential data breaches, which can violate a natural person's right to the protection of personal data. Multiple national and international regulations and standards have been created to address this problem. All organizations are expected to abide by laws, enacted at both state and federal level, requiring them to ensure a sufficient degree of data protection, and to follow the recommendations set out in international management guidelines and standards. Considering this, the present paper aims to evaluate the significance of the regulatory aspect of organizational information protection and to identify the extent to which it may facilitate or hinder the work of security managers. To attain these objectives, state, national and international regulations and standards, as well as recent literature, are reviewed.

Levels of Information Security Management

Data security measures can be divided into three major levels: legal, organizational and technological. Laws and regulations form the basis of data protection: they ensure compliance with state standards in the field of information protection and include such elements as copyright, decrees, patents and job descriptions. A well-built security system that takes into account all relevant laws and policies does not violate user rights or data processing standards. Thus, the effect of the legal component of data protection on organizational-level procedures should not be underestimated. National laws and standards directly affect the formulation of rules for processing confidential information, staff recruitment, handling of documentation and data carriers, design of access control protocols, etc. within a company. In turn, these organizational information protection practices are realized at the technological level of security management through software, cryptographic protocols and so on.

U.S. Laws on Protection of Personal Data

Many companies nowadays handle the personal information of their customers and employees. Personal data can be defined as any information directly or indirectly relating to a data subject, i.e., the identifiable person the information is about, who has shared it with a company or another party (the data controller). Organizations are obliged to follow certain rules on secure data processing to minimize possible harm to the individual's identity, financial status and so on. However, at present there is no comprehensive federal law regulating personal data processing in the United States. Most of the active national laws, such as the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act, the Financial Services Modernization Act (Gramm-Leach-Bliley Act), and others, apply to certain types of data and sectors, e.g., medical and financial data, personal data in telemarketing, and so on.

Based on the observations above, the application of national laws and standards to an organization's data storage and processing depends to a distinct extent on the type of information the organization uses, its sector, etc. In some cases security managers and personnel in general must abide by stricter, specialized rules. For instance, in governmental organizations a small number of employees may deal with classified data related to national security, e.g., information on counter-terrorism measures.

Safeguarding of classified information is guided by Executive Order 12958 (since superseded by Executive Order 13526 of 2009), which sets out specific procedures an organization should follow, including determination of authorized personnel, the establishment of uniform protocols for preventing unauthorized access, updates to automatic distribution mechanisms, and sanctions imposed where inadequate security measures are identified (U.S. National Archives and Records Administration 2016). Overall, the order guides an organization in arranging data protection so as to avoid harming relevant stakeholders through inappropriate handling of information; for classified government information the stakeholder group may include the nation as a whole. At the other extreme, explicitly open organizations that store and process only publicly available mass information may face few security risks. In the majority of contexts, however, illegal access is associated with multiple risks.

At the same time, some state laws address data security with greater scrutiny than the federal ones. Some are reactive: for instance, California Civil Code §1798.82 requires owners of computerized personal data to disclose any breach of security to the individuals whose personal information was acquired by an unauthorized person (Jolly 2017). A limited number of active state regulations are prescriptive and preventive, e.g., the Massachusetts regulation 201 CMR 17.00, a comprehensive rule setting out a detailed list of administrative procedures and technical safeguards aimed at avoiding security breaches (Jolly 2017). Compared with reactive, fragmented and industry-specific regulations, such comprehensive preventive rules assist security managers much more in developing an organization's information protection architecture and in describing its information security program, because they guide managers through these processes.

Security Threats and Regulatory Capacity to Tackle Them

In general, data privacy laws require organizations with access to personal data not to disclose it to third parties without the consent of the data subject. This means that any operator of personal data must ensure a sufficient level of security and confidentiality. To apply the best data protection measures, security managers should not only assess threats to information security but also evaluate the possible damage in advance. This recommendation is included in international standards for data protection such as ISO/IEC 27002:2013. The organization must identify what to protect, what types of threats (internal or external) it faces, and which methods are most effective in mitigating them.

First, to ensure the security and confidentiality of information, it is necessary to determine what types of media are used to process it and what level of access (open or restricted) each has. Data carriers include print media, electronic and web-based sources, corporate telecommunications equipment, documents, software and so on. Different data carriers are associated with different threats to the confidentiality and integrity of personal and organizational information. Second, security managers should distinguish types of confidential data: technical information (e.g., usernames and passwords) and subject information (the actual information vulnerable to security threats). Protecting technical information can be especially challenging as data synchronization grows and employees request access to data on multiple devices (Mallery 2013). Mallery (2013) also notes that the trend of storing and sharing data online, in cloud-based and similar commercial services, raises additional privacy and confidentiality issues, because the company gives a third party, the service provider, access to an almost unlimited amount of data.

It is worth noting that even when information is stored on a computer or intended for computer use, threats to its confidentiality may be non-technical. One such threat, which is often difficult to defend against, is abuse of authority. For instance, in many systems a privileged user (e.g., a system administrator) can read any unencrypted file, access any user's mail, and so on. Service engineers likewise usually get unrestricted access to the equipment and are able to bypass software protection mechanisms.

It is possible to say that the U.S. federal and state breach notification laws do not significantly help companies mitigate the mentioned information security risks, as they primarily aim to alleviate the adverse consequences of breaches after the fact. The major problem is that the active U.S. preventive and reactive regulations may not apply to all industries and states. Moreover, as stated by Guffin (2012), the lack of comprehensive and unified regulation of information security issues often results in a situation where different (and often conflicting) federal and state regulations apply to the same legal incidents. Such overlaps may significantly complicate organizational compliance with the law.

At the same time, it is implied that noncompliance with legal regulations and laws on data protection entails threats to information security, which, in turn, can lead to multiple adverse consequences for both data subjects and data controllers including the imposition of various punitive actions and sanctions. Along with this, security managers in organizations can refer to national and international standards and guidelines, such as “Start with Security: A Guide for Business” by the Federal Trade Commission, as well as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standards. The given documents usually comprise a list of best security practices, both administrative and technical. However, compliance with them does not exempt companies from legal obligations.

Although it is not mandatory for enterprises to follow the standards, referring to them may provide multiple benefits. First of all, standards and managerial specifications are developed based on accumulated experience and knowledge, primarily related to the procedural and program-technical levels of information security. Such documents list approved, high-quality solutions and methodologies formulated by the most qualified specialists. Secondly, compared to laws, standards such as ISO/IEC 27002:2013 aim to reconcile different points of view, including the perspectives of both data controllers and data subjects. Thus, standards may provide security managers with information about effective mechanisms for productive and beneficial interaction among all involved parties.

As already mentioned above, the availability of a comprehensive law on information protection across multiple industries and organizations can largely facilitate the establishment of corporate information security systems. The General Data Protection Regulation enacted in the European Union in 2016 is a clear example of such unified legislation. Not only does this law aim to ensure the protection of natural persons’ rights with regard to the processing of personal data by data controllers, but it also provides a detailed list of procedures that the latter must implement to maintain a consistent level of protection of data subjects’ freedoms and rights, and sets the criteria for demonstrating compliance with the law. For instance, the law states that “the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default,” including the measures of “minimizing the processing of personal data,…transparency about the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features,” etc. (European Commission 2016, p. L119/15). However, the regulation provides a generalized orientation to follow, which gives organizations a chance to choose an appropriate method of security protection based on their overall strategic goals and objectives.

The way available laws and regulations are implemented at the administrative level in an organization is key to information security. Nevertheless, the discussed state, national, and international regulations do not dictate precisely which practices to use. Thus, security managers can take a creative and innovative approach to performing organizational security management activities and to the development and planning of architecture and solutions. The only requirement is to ensure that the applied information protection practices do not contradict relevant laws and meet quality and efficiency requirements.

According to Holtfreter and Harrington (2016), data breaches due to external factors, including theft, hacking, or loss by individuals unrelated to the organization, prevail nowadays and account for nearly 70 percent of all data breach cases. However, employees’ actions and misconduct have greater significance in this regard and are associated with far more important implications for organizations than the actions performed by third parties. The internal factors behind data breaches include improper protection of data, theft or hacking by employees with a high or low probability of fraudulent intent, and unintentional loss of data (Holtfreter & Harrington 2016). To address the problem of both internal and external unauthorized use of confidential data, security managers must apply a set of organizational, regulatory, and technical measures to increase security and minimize threats to confidential information.

One can find detailed recommendations regarding organizational security solutions in international standards. The ISO and the IEC (2017) suggest starting with the allocation of responsibilities and the imposition of access restrictions, followed by the development of policies regarding the use of mobile devices and teleworking practices, covering such measures as cryptographic techniques, requirements for physical protection, malware protection, etc. The ISO and the IEC (2017) also recommend implementing such human resource practices as screening before recruitment, confirmation of qualifications, and so on. Overall, it is implied that employees’ understanding of their assigned duties and responsibilities regarding data security is the key to effective data protection. Thus, the organization must ensure that a person authorized to access confidential information is competent enough. Moreover, it is essential to eliminate possible conflicting areas of responsibility in order to reduce the risks of intentional and unintentional misuse. In addition, Chander, Jain, and Shankar (2013) note that ethical norms and rules adopted by the company can contribute to better information security protection. Such norms may not be as obligatory as the legal regulations. However, the failure to promote compliance with them can lead to inappropriate and harmful employee behaviors.

In general, comprehensive data protection acts and standards, such as the General Data Protection Regulation and ISO/IEC 27002:2013, outline managerial rules reflecting such principles as system complexity, reliability, and continuity. They emphasize the importance of considering all possible threats to various stakeholders and of selecting appropriate methods and interrelated processes, both technical and non-technical, to be included in a comprehensive information protection system. The regulations also make it clear that a high standard for data security management should be applied equally to all areas of data protection. Lastly, these regulations require security systems to remain effective continuously, which means that managers should keep up with technological advancements, update the security system regularly, and promptly inform the personnel about changes that have occurred. The consideration of the given principles, legal norms, and standards can help security managers increase the efficiency of information security strategies in their organizations.

Conclusion

Overall, information security implies the implementation of legal, administrative, and technical measures aimed at ensuring the protection of sensitive information from unauthorized access, modification, deletion, dissemination, etc.; maintaining the confidentiality of sensitive data; and realizing the rights of subjects and responsible controllers to access those data. The conducted analysis of state, national, and international laws on information security across industries reveals that, to a varying degree, they address such issues as the prevention of personal data misuse; the timely detection of unauthorized access incidents, as well as the mitigation of their adverse consequences; the determination of sanctions for data breaches; and continual control over the information security system and its functioning.

The analysis also revealed that in the United States there is currently no comprehensive and unified federal law aimed at protecting the rights of natural persons to the safe processing of personal data and at regulating organizational efforts in data protection across industries and sectors. Most of the legal regulations related to data security specialize in particular areas, such as federal information system security, healthcare, finance, commerce, and telecommunications. At the same time, several state laws address the problem to a different extent, focusing mainly on breach notification requirements. It can be suggested that the development of a comprehensive document comprising both preventive and reactive provisions may provide a substantial basis for the establishment of sound information security systems in organizations of different types and would allow the elimination of possible controversies due to overlaps in federal and state laws.

As for security protection standards, they are usually associated with greater practical utility compared to laws because they summarize high-quality, credible recommendations formulated by experts in the field of security management. In most cases, the utilization of standards and guidelines in practice is not obligatory, yet it can help security managers develop more efficient data protection strategies and architectures and, in this way, may allow organizational interests to be protected better. Security managers may also utilize professional recommendations and guidelines to develop a unique information protection framework that would support the fulfillment of specific corporate goals and would suit the overall strategic orientation of the company in a more effective way. Thus, it is valid to conclude that standards, as well as legal regulations, largely support the work of security management teams.

Reference List

  1. Chander, M, Jain, SK & Shankar, R 2013, ‘Modeling of information security management parameters in Indian organizations using ISM and MICMAC approach’, Journal of Modelling in Management, vol. 8, no. 2, pp. 171-189.
  2. European Commission 2016, . Web.
  3. Guffin, PJ 2012, . Web.
  4. Holtfreter, R & Harrington, A 2016, , Fraud Magazine. Web.
  5. International Organization for Standardization & International Electrotechnical Commission 2017, Information technology − security techniques − code of practice for information security controls. Web.
  6. Jolly, I 2017, . Web.
  7. Mallery, J 2013, ‘Building a secure organization’, in JR Vacca (ed), Computer and information security handbook, Syngress, Amsterdam, Netherlands, pp. 3-24.
  8. U.S. National Archives and Records Administration 2016, . Web.

Information Security Management Standard: BS7799 Framework

Structure of BS7799 Framework

BS 7799 is an Information Security Management Standard, the creation of which started in the 1990s.

The first part of BS 7799 (which has been adopted as ISO/IEC 17799) is named the “Code of Practice for Information Security Management” and consists of 10 headings that include 127 security controls, which are further detailed (Gamma Secure Systems, 2001). The implementation of each control is not necessary for every firm, but their number ensures the possibility of customizing the guidelines for a particular business. The second part of BS 7799, which appeared in 1998, is called the “Specification for Information Security Management Systems” and is meant for the assessment and registration of firms (BSI, 2002, para. 6).

Following 1998, the standard continued to develop. The new BS7799-3 is a framework that is consistent with ISO 27001 (BS7799 and ISO 17799 Awareness, n.d., para. 3). The latter standard has been characterized as an “internationally recognized best practice framework for an information security management system” (BSI, 2015, para. 2). Therefore, while still carrying the name of the standard created in the past century, BS7799 is adapting to the changing environment.

The BS7799 framework is aimed at improving the security of information through several controls (Trinity Security Services, 2004, para. 4). The ten primary control areas include “security policy, security organization, asset control and classification, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance” (Trinity Security Services, 2004, para. 5; Gamma Secure Systems, 2001, para. 4-8; Theobald, 2005, p. 6). To sum up, BS 7799 is aimed at providing security for all the assets of an organization in compliance with a specifically created security policy and through specifically created systems and procedures. The protection is directed against external and internal threats (see personnel and environmental security) and is required to enable uninterrupted business operations. Finally, BS 7799 is concerned with regulatory and legal compliance. As a result, BS 7799 provides a framework for defining, managing, and minimizing a wide scope of the external and internal risks that typically threaten information, with the intent of covering all possible threats (BSI, 2002, para. 6-7).

Figure 1. The structure of BS7799, based on Theobald (2005).

Consistent with its aims, the key elements of BS 7799 include information policy, standards, procedures, and records (see Fig. 1). The first three elements are customised; the last one is of particular importance for the process of reviewing the effectiveness of a system. Such review is a crucial part of the BS7799 implementation methodology (Theobald, 2005, p. 9).

Implementation Methodology

The second part of BS7799 defines the methodology for the implementation of the framework. The methodology can be boiled down to a four-step guideline characterised by the Plan, Do, Review, Act (PDRA) framework. Every step is supposed to direct people, use systems, and define the processes that ensure the consistency of the company’s actions (Trinity Security Services, 2004, para. 3-4).

Figure 2. The methodology of BS7799 implementation (Trinity Security Services, 2004).

The idea of PDRA was not created exclusively for BS7799, but it is used to implement the standard (see Fig. 2). As can be seen from the figure, the key aims of the first stage of the methodology include defining the policy and objectives and selecting the standards, which are two key elements of the BS7799 system (see Fig. 1). Procedures, the third element, are also planned during the first stage and implemented during the second one. As for the records, the fourth element of BS7799, they are used during the Review stage of the implementation process. The Act stage includes the actions aimed at correcting the procedures or objectives in line with the information gathered about the effectiveness of the current ones (Trinity Security Services, 2004, para. 3-8; Theobald, 2005, p. 7). This stage serves to “encircle” the methodology, ensuring that it is repeated and remains adaptive.

Advantages and Disadvantages

According to BSI (2002) and BSI (2015), the primary advantages of BS 7799 include:

  • A consistent security policy: the first element of BS 7799.
  • Adaptiveness: reviewing the performance of the security system is embedded in the implementation framework (see Fig. 2).
  • Increased security and protection through the identification of risks and the placement of appropriate controls.
  • Customization possibilities.
  • Security education.
  • The use of internationally recognized standards results in improved credibility: customers realize that their information is safe.
  • Cost savings: fewer threats mean fewer breakdowns and attacks, so less money is spent on fixing problems.
  • Compliance with new regulations and the law.

Possible disadvantages include the following points.

  • Possibly outdated: while it is being revised, the standard is still based on the framework developed in the 1990s.
  • Customization difficulties.
  • Practical problems that are difficult to predict in theory (Qi, Qingling, Wei & Jine, 2012, p. 355).

The two final disadvantages can be explained by the fact that BS 7799 is a framework that is expected to be general. The number of controls in the first part suggests that the framework anticipates most difficulties. The rest of the problems are expected to be solved by local risk management.

References

BS7799 and ISO 17799 Awareness. (n.d.). Web.

BSI. (2002). Information security. Web.

BSI. (2015). Web.

Gamma Secure Systems. (2001). BS7799 How it Works? Web.

Theobald, J. (2005). Web.

Trinity Security Services. (2004). Is BS7799 For You? Web.

Department of Homeland Security Management Department and Technological Support Center

Executive Summary

The Department of Homeland Security is the third largest department in the American government. Therefore, it requires specialized management in order to enhance its performance and ensure the fulfillment of its basic role of maintaining the internal security of the American population at all times. In addition, the department has various other subdivisions, which makes synchronizing their functions toward the achievement of a main goal difficult.

As a means to remedy the situation, this paper proposes the establishment of a separate department, viz. the management department and the construction of a center where the department’s team can apply the use of technology and labor to ease the management of all the sub departments at once. The aim is to create better service delivery, ease some tedious tasks such as prioritizing, and create savings on resources.

Problem identification

The Department of Homeland Security is a cabinet department that the United States government established in November 2002 in response to terrorism. On September 11, 2001, terrorists from the infamous terrorist group Al Qaeda hijacked planes and crashed them into the twin towers of the World Trade Center and into the Pentagon in Washington (Department of Homeland Security, 2013).

Since then, the government of the United States has been on high alert, using the Department of Homeland Security to protect its civilian population and secure its borders within and in the areas surrounding the United States. Although the formation of the department has led to a decline in terrorist activities within and outside the United States, the department faces various challenges, one of the major ones being the management and oversight of the department.

Although the American government established the department as a single unit, it has since been subdivided into several different units, each performing a different role from the others in the accomplishment of a common goal. In addition, the different departments employ thousands of people in the fulfillment of their duties, thus making management difficult, although not impossible, for the cabinet, the branch of the government that formed the outfit.

In order to understand the problem and its intricacies, it is helpful to understand a government in the form of a business organization in terms of its need to generate income through the utilization of capital expenditure in the form of finances and people. Every business organization strives to make as much profit as possible while reducing its expenses with regard to the amount of money it spends on supplies, payment of recurrent bills, and salaries and wages.

In the same way, governments generate income through taxes, levies, and business transactions with multinational corporations and other governments. Proper management is an integral part of the business aspect of any government, as it ensures that the government gets enough income to provide its citizens and residents with quality services, infrastructure, security, and various other social amenities (Collins, 2001).

It also ensures that the government has the ability to participate in international trade for purposes of obtaining goods and services that it cannot provide for its citizens and residents within its borders. The management process also ensures that governmental departments receive proper funding and employees perform their tasks according to required standards regardless of the number of departments in existence.

The department of homeland security, as a branch of the government, goes through most of the same management problems by having to synchronize its various sub departments while ensuring the accomplishment of its main purpose, viz. national security. A management program is thus necessary for proper maintenance of its objectives and performance of its functions with regard to the purpose for its formation. This paper proposes the establishment of the management program and explains its significance, functions, and execution.

Objectives

One of the objectives of this analysis and consequent proposal for a management department is to provide an avenue through which the department of homeland security can centrally monitor the activities of its sub departments and their employees. This aspect is important especially in the analysis of strengths and weaknesses of each sub department and subsequent proper allocation of duties.

The formation of the management department also ensures that the department does not lose its supervisory power by allowing employee autonomy. Although it is crucial to allow employees to maintain their autonomy, the same principle presents a risk to the department in the form of leakage of vital information and fraudulent interactions between employees and outsiders (Buckingham & Coffman, 1999).

Thirdly, the formation of the department would allow employees a simpler procedure to air their issues. Although law enforcement officers form a majority of employees at the department of homeland security and thus work under specific legal regulations, it also consists of employees with expertise in other fields such as technicians and researchers.

It is important for all the players in each of the subdivisions to have an avenue through which they can express their concerns, especially if they need more help that goes beyond the jurisdiction of their respective departments.

Another objective is for the department to have the ability to filter, supply, and accurately circulate information to the various subdivisions of the main department. The importance of this aspect lies in the need for a government department to prioritize issues based on their importance and impact.

This move would enable the department to monitor activities in its various sub departments from a central location and determine issues that require immediate attention. For instance, it would be easier to form connections concerning threats by the same perpetrators that affect different departments.

For instance, it would be easier to establish the link between an attack that requires the attention of the United States Coast Guard and one that concerns the Immigration and Customs Enforcement department, and to form a single unit of personnel from the two departments using the same resources. As opposed to dealing with the matter departmentally and using separate resources for the same goal, the former option would allow the sharing of information between the two departments and save resources for both.

Operating the activities of the department’s subdivisions centrally would foster teamwork among the different sub departments. The Department of Homeland Security’s sub departments include the Federal Emergency Management Department, the U.S. Immigration and Customs Enforcement, the U.S. Coast Guard, the Secret Service, and the Transportation Security Administration.

The sub departments currently operate as autonomous entities, thus enabling the application of more focus when dealing with issues and more discretion in their operations (Covey, Roger & Merill, 1994).

Although the application of discretion and autonomy is important depending on the nature of the issues and reduces burdens on other sub departments, teamwork would give the various units within the departments more access to information, which would create new perspectives on various issues and make problem solving easier. Teamwork makes it easier for the entire department to accomplish its purpose, viz. the maintenance of security within and around the country’s borders, in contrast to specialized units working separately.

Significance

Solving the management challenge is important to the department as it forms part of the main reasons for the success or failure of the department in the fulfillment of its functions. Establishment of a central management department would ease the process of providing the cabinet, which is the overall supervisory body, with reliable feedback on the needs and progress of the entire homeland security body.

It would also boost accountability, as leaders of the various subdivisions of the department would have to account for their various decisions and better analyze situations before making any decisions.

Secondly, the proposed management department would reduce cases of missed opportunities and wrong assessment of situations through the interconnection of information from various divisions to form links that depict the true picture of the situation. This aspect would largely enable the divisions to make calculated and objective decisions, thus improving the overall security situation in the country.

For instance, if the September 11, 2001 attacks had occurred after the formation of the Department of Homeland Security, factoring in the function of the proposed management department, it would have been possible for the department to detect a link between anomalies in Washington and New York. Such detection would have reduced the impact the attack had on the security of the nation and maybe prevented the attack altogether.

The management center would also play a huge role in the improvement of security through the availability of information. An analysis of previous covert government operations in past years indicates that lack of adequate information has dire consequences on the outcome of security operations important for national security.

A good example of such a case is the Bay of Pigs operation by the United States against Cuba for the protection of the nation from imminent threat in 1961 (Erwin, 2013). The operation failed due to lack of sufficient information regarding the fact that Fidel Castro himself was in charge of a defense operation against it.

The management center would also greatly improve service delivery by the various divisions to Americans. The goal of the entire department of homeland security is to provide security to American citizens and residents.

Therefore, by ensuring that the relevant divisions accomplish their duties to Americans, the management department would ensure that homeland security fulfils its duties to the country. The task is different from the function of the Federal Emergency Management Department, as the management department of homeland security would have countrywide reach and work to prevent the occurrence of avoidable federal emergencies.

Another significant advantage that the creation and implementation of the management department would have for homeland security is that it would significantly improve the oversight role of the cabinet over the main department and its sub departments while maintaining the cabinet’s need to avoid unnecessary supervision.

In essence, the management department would take over part of the cabinet’s supervisory role and report to the cabinet where necessary. The importance of this move to the cabinet is that it allows the cabinet to take a step back, observe the operations of the entire homeland security department, and form policies for the remediation of any outstanding shortcomings in the department.

Additionally, the cabinet would also have more time to attend to crucial matters such as finances and policymaking. Without proper policy on issues of finances, operations at the department of homeland security and others in its category would suffer inadequate funding, crippling their performance.

Methods

One of the main methods that the management department would apply in the achievement of its purpose would be the use of technology as the main tool for communication, which is a crucial component of its operation. The invention of mobile phone communication and the Internet has enhanced communication through easing access to information and distribution of the same.

The Internet has also borne the development of social media, which has enabled people to traverse international boundaries without having to cross national borders. One of the main advantages of the Internet and social media is the creation of connections between individuals in different places, which has enabled the creation and development of relationships.

Secondly, the Internet has enabled access to information on significant events around the world as they happen, thus improving the response time to the same whenever necessary.

Thirdly, people no longer rely on books as the only source of information as they can get the same directly from the source, established authors, and those with similar potential. However, as with every other technological discovery, the Internet also has its disadvantages with the main one being the possible access to private information.

Cases of cybercrime, such as the hacking of Internet accounts and the infringement of international intellectual property rights, have been on the rise in recent years. The advantages of technology, and the Internet in particular, often outweigh the disadvantages, and it is possible for the management department to utilize such advantages. For instance, in recent years, the United States government has applied the use of hacking to intercept and monitor information flowing inside and outside its borders for security purposes.

In 2012, the Department of Homeland Security reported on its website that there were 691 arrests, 432 indictments, and 334 prosecutions related to intellectual property rights infringements in that year (Department of Homeland Security, 2013). It also noted that the Internet has contributed greatly to the growth of incidents of small packages of counterfeit goods shipped to the country through private mail and express carriers.

According to a similar report by the Global Intellectual Property Center (2013), the department has increased surveillance of the sources of these packages and the websites involved, leading to the taking down of 697 websites by the Immigration and Customs Enforcement department. According to the same report, the United States Customs and Border Patrol reported seizures made in 2012 amounting to 22,848 (Global Intellectual Property Center, 2013).

Although the statistics are impressive, combining the efforts of both agencies would yield better results, not necessarily by increasing seizures, but mostly by preventing the development of such illegal activity. It would be the management department’s duty to coordinate combined operations by both agencies and other similar ones, resulting in a reduction in the resources applied, for the benefit of the agencies and the overall Department of Homeland Security.

Although the individual divisions would retain the ability and mandate to recruit their employees of choice, the management department would play a supervisory role concerning the duties available to the employees at any given time.

The main advantage this would have is that it would ease the need for each individual division to sort through and prioritize issues, thus making it easier to distribute tasks among their employees. The prioritization of issues by the management department would also serve to improve the quality of work each individual division handles.

Personnel, equipment and facilities

The establishment and functional operation of the management department would require the recruitment and specialized training of personnel competent in the evaluation of situations and prioritization of issues in order to make the project a success. This assertion means that the department of homeland security would have to carefully select individuals based on academic qualification and skill set. In considering the skill set of each individual, the management can go about the evaluation in two ways.

First, it can select individuals with expert skills in specific areas such as research and analysis, or it can choose individuals with numerous skills, a combination that would enable them to operate different tasks in the department. The advantage of specialized employees is that they possess extensive knowledge of specific issues that could prove valuable.

However, they usually lack flexibility, which would force the department to conduct an extensive training program before employment. As a result, the operation of the department would take a considerably longer period to actualize. On the other hand, if the management chose to employ individuals with two or more skills for each of its numerous stations, it would need fewer employees, which can prove advantageous, especially in instances where resources are limited.

The only disadvantage with this strategy is that the management department would have to expect mistakes or cope with lower performance in the beginning and improvement as the project takes effect. The use of multi-skilled employees also fosters innovative ideas that would be of great use to the management department especially in complex and emergency action situations.

The department of homeland security would also have to establish a center from which the department can operate, and afford the team the best quality technology available to ensure that the team’s performance remains at its best. The security function of the department of homeland security relies more heavily on prevention than on defense, and thus hi-tech equipment is crucial to the achievement of the management department’s goals.

The department would need equipment that enables the detection of threats, compiles information regarding the various divisions, analyzes that information, and enables the team of experts to make strategic decisions based on it. High-speed computers and reliable Internet and satellite connections would be part of the essential equipment necessary for the project.

Budget

The budget for the project would largely depend on the financial position of the department of homeland security and the order of priority it applies in the division of its funds. The current budgetary allocation for the entire department is approximately sixty-one billion dollars, which is available for division among eight sub-departments (Department of Homeland Security, 2013).

The Homeland Security Management Department would be the ninth sub-department in the list. As a new project, its budgetary allocation would depend on the current overall position and the funds available for new projects, as it is important to recognize that the rest of the sub-departments would still be operational.

Evaluation

The establishment of the department would ease the operation of the entire homeland security department. Therefore, it is a necessity for the improvement of the department’s performance and service delivery. Its benefits outweigh the expenses that would usually constitute its disadvantage, and it is thus practical and achievable.

Reference List

Buckingham, M., & Coffman, C. (1999). First, Break All the Rules: What the World’s Greatest Managers Do Differently. New York, NY: Simon and Schuster.

Collins, J. (2001). Good to great: Why some companies make the leap and others don’t. London, UK: Random House Business Publishing.

Covey, S., Roger, A., & Merill, R. (1994). First Things First. New York, NY: Free Press.

Department of Homeland Security. (2013). Homeland security and defense structure. Retrieved from www.HomeLandSecurityResearch.com

Erwin, C. (2009). Covert Action: legislation background and possible policy questions. New York, NY: Congressional Research Service.

Global Intellectual Property Centre. (2013). United States Chamber of Commerce. Retrieved 7 Sept. 2013, from www.coc.gov/gipc/

Information Security Management

Introduction

Information is critical to the functioning of every organization. It defines its operations and activities. The concept of security management is thus elusive and focuses on organizational security. Organizations have remained active in terms of acquisition of information management systems.

These systems are meant to aid organizations in securing their information. This paper discusses the concept of information security based on the case.

The paper looks into the practice of information management and security taking into account the ethical and legal matters which surround information security and management.

At the initial stages of operation, most information is saved within an organization. This is backed by the argument that there are fewer transactions at this period. As firms expand their operations to include many external players, the concept of preserving and securing information becomes elusive.

The issue of information security management in Stratified Custom Manufacturing began to be addressed when the company entered and successfully implemented an initial public offering. This denoted that the firm was officially entering the public trading environment, hence exposing itself to competitors.

Most current organizations have information management departments which help in preserving and controlling the flow of information within and without the organization.

Companies embracing the use of information and communication technology in discharging organizational functions are often prone to security risks. Information security is thus a great concern for these companies.

Information security is critical in safeguarding company data. Information security entails the safeguarding of company information from the external environment as well as technological faults or threats.

A substantial number of legal and ethical issues touch the implementation of information security by companies (Whitman & Mattord, 2011).

According to Information Systems Audit and Control Association (2010), information security is a detailed management issue that calls for managerial attention. Stratified Custom Manufacturing established a broader information management security department.

The security team of the company is focused on several aspects of information security. This is reflected in the top security management team positions. The company has other security managers under the control of the senior security manager.

These include a manager in charge of administrative security, a technical security manager and a security and compliance manager, among others.

In addition to this, the company has a broad policy framework for information management. This forms the ground on which the department draws its guidance on information security management.

Policies in security management in organizations seek to guide and set limits on the level of information sharing in an organization. Information belonging to organizations is secured and limited to viewing only by accredited entities.

Policies on information security stipulate the way information is shared within and outside the organization.

A violation regarding the access and use of company information is easily identified, so the necessary steps will be taken to deal with it. Those identified as breaching the information security rules are punished in different ways.

One of the means used to punish information security offenders is by denying them privileges to access and use the information belonging to the organization. This takes place in different ways, for example, by barring such people from accessing information devices.

The other way of punishment is deactivating the individual’s access credentials so that they can no longer retrieve or view company information.

In some cases, information security offenders are prosecuted and forced to pay fines or compensation for the damage caused to the company (Whitman & Mattord, 2011). In most cases, assessment of the risk caused is done before the users are punished.

Information security management is complicated by the growing patterns and trends of management that encourage the sharing of information between different organizations.

With the prevailing trends and use of information technology, it is difficult to secure organizational information. Legislation on information security management also varies, making it difficult for organizations to formulate policies on information security (Straub, 2008).

Ethical issues also touch the managerial practice of security management. The main issue in information security management is the level to which organizations conceal their information. Companies are encouraged to share information and access more external sources (Whitman & Mattord, 2011).

The information helps organizations in improving strategic management practices. They get to know the tactics of management that are used by other organizations performing well in the market. Competition between organizations is open.

They are encouraged to practice positive competition as they work on improving the service delivery to their customers. Therefore, the open release and sharing of information is one of the methods of open competition.

The other point on ethics and information security is that firms are required to improve their relations with employees. Building healthy relationships and a motivating work environment enhances information security in organizations. This step has proved to be more effective than other methods (Whitman & Mattord, 2012).

Conclusion

The responsibility for information security has become an organizational matter more than a concern of legislative bodies. Organizations need to actively participate in and work on improving their systems by making them less prone to information leakage.

The model of information security management taken by Stratified Custom Manufacturing is a desired step in ensuring that the company information is secure.

References

Information Systems Audit and Control Association. (2010). Certified Information Security Manager review manual 2011. Rolling Meadows, IL: ISACA.

Straub, D. W. (2008). Information security: Policy, processes and practices. Armonk, NY: Sharpe.

Whitman, M. E., & Mattord, H. J. (2011). Readings and cases in information security: Law and ethics. Boston, MA: Course Technology, Cengage Learning.

Whitman, M. E., & Mattord, H. J. (2012). Principles of information security. Boston, MA: Course Technology.

Cenartech Company Security Management

Security management is a key factor in the success of any firm in the present world. Different firms expose their staff to a lot of information, which ends up in the hands of untrusted people, hence posing significant security threats. Moreover, the world is going through dynamism in the management of security. Security breaches can lead to an organization collapsing if security management is not effective.

Therefore, in order to cope with the insecurity, most of the senior personnel are required to devise relevant tactics and hold security awareness campaigns to alert their employees about appropriate security decisions.

The employees should be taught about the factors that can impair legitimate security management for their organizations. The aim of this paper is to examine Cenartech Security Case, which revolves around the security management.

When firms recruit dishonest employees into the system, they may breach security and fail to follow the right procedures for relevant security management. The CEO of Cenartech should recommend other ways of solving the problem, such as training the employees about proper security measures for their organization.

All employees should be made to understand the security policies, as well as their responsibilities. The employees should be motivated to be security conscious when disseminating any information, in order to maintain high standards of confidentiality (Whitty, 2011).

In Brian’s case, he negligently left a VPN installer disc lying on the desk, which eventually was accessed by the wrong person. Lack of awareness about proper security decisions in his organization led him to many tribulations, which he could have avoided if he had observed confidentiality of the information (Jeanne & Roberts, 2003).

The idea of employees sharing passwords was also not effective because vital information could leak to the outside, hence creating a chance for criminals to access the system (Mattord, 2011). Instead of using passwords, Brian could have implemented a biometric method as an alternative way to log in to the accounts. This method would ensure that only a uniquely identified person accesses information.

Brian could have used an alternative method in order to minimize the security threat to information; however, this method is not perfect either, because it has a few identifiable limitations. One of the limitations is that the people holding the accounts in the organization have to be physically present to allow access to information (Whitty, 2011).

Given a chance as the CEO of this firm, I would transform it for a better tomorrow. After learning that the problems experienced in the Cenartech firm are mainly due to poor management practices, which resulted from negligence and lack of cooperation among the departments, I would establish various measures.

Firstly, in order to mitigate the risks, I would ensure that security is not the concern of a single department, but of the organization as a whole. All the players in the organization should work as a team to ensure their resources are secure.

If the human resources department manager had taken into consideration what Brian was reporting, the issue of the person trying passwords on other computers could have been resolved at the first report. However, the problem was not resolved even after firing the person who was involved.

The issue only seemed to be resolved when Brian had a one-on-one meeting with the CEO, who recommended that the IT and HR departments work hand in hand.

Secondly, I would offer training to the employees about security awareness and provide them with the measures that can protect the organization’s information assets. Everyone should be responsible for the security of the information in order to enhance the smooth running of the company. Additionally, I would implement policies such as imposing heavy penalties on anyone violating the information security rules.

In addition, I would recommend that all computer users, especially those in the IT department, be equipped with the skills required to counteract information fraud, and be made to comply with the company’s policies (Hinson, 2003).

The IT department where Brian is working has twelve personnel, but they do not have many IT skills. Brian improvised a manual to assist them in maintaining security in the system. Moreover, it was unprofessional for Brian to be employed in the department, since they depended on consultants to manage their complicated networks.

The last thing is to ensure managers keep information related to their areas, and analyze it for inferences. The impact of good information is seen when we compare the characters of Brian and Jim. Brian kept much more information on IT than his boss did, to the extent that it puzzled the human resources manager. It was by following his records that Brian got wind of what the engineers were doing at lunchtime.

Jim was somewhat careless in dismissing Brian’s reports, since the report shows that Jim never took Brian’s information seriously, to the extent of failing to inform him when they caught the person who was trying to gain unauthorized access to the system.

In conclusion, the security of information in an organization should be maintained to avoid violation of company values. It is clear that breaches of security management occur mainly through the negligence of the organizations’ employees.

This results from lack of proper training, security awareness, and personal responsibilities. Therefore, the employees should be well trained about security decisions, and be made security practitioners through proper guidance and supervision.

References

Hinson, G. (2003). The true value of information security awareness. Web.

Jeanne, K., & Roberts, K. (2003). Correct! Prevent! Improve! : Driving Improvement Through Problem Solving and Corrective and Preventive Action. Milwaukee: ASQ Quality Press.

Mattord, W. (2011). Readings and Cases in Information Security: Law & Ethics. New York: Cengage Learning.

Whitty, G. (2011). Information security management policy. Web.

Richmond Amtrak Station’s Security Risk Management

Introduction

Amtrak’s Main Street Station was a railway station which was opened to serve the Chesapeake and Ohio. The roads were under the design of Wilson and Richard. The road caused a war between the Spanish and the Americans in 1898. The war caused economic hardship, which delayed road construction. The passengers of Seaboard Air Line were then shifted to a station on Broad Street. The Chesapeake and Ohio maintained its customers and offices at the Main Street terminal up to the time when Amtrak owned the service. There was a flood that caused destruction on the station’s first floor. The flood was an outcome of the James River overflowing, which was caused by Hurricane Agnes. It forced Amtrak to stop its services to passengers on the 15th of October 1975. In 1983, the development corporation SWA re-opened it as a shopping mall after it had remained closed for some years (Great American stations, 2013; Stanton, 2003).

During the negotiating period, a fire broke out on the 7th of October 1983, damaging the upper floors and the building’s roof. The damage was repaired, and the building was officially opened in 1985, although it ran for only a short period of time. A nightclub was also brought into the building, though it did not last. Health offices were then opened in the building.

An act was passed in 1991 which allowed the preservation of existing buildings before constructing new ones. This became an opportunity for Victoria Badger to revive the station, which was a gateway to different modes of transport. It was later purchased by the state of Virginia, and thereafter it was taken over by Harry Weese Associates of Washington (HWA). Gensler bought the building after Harry Weese Associates’ founder died. Gensler then renovated the building, which included life safety facilities, security, network wiring, and elevators. The outside of the building was also renovated. The renovations had a positive impact because they boosted Amtrak services. The renovations were also done for safety purposes (Plant, 2004).

Identification and assessment

There is a need to strengthen Amtrak’s main business systems so as to overcome future challenges that might be caused by a lack of financial stability. Amtrak lacked strategic plans providing clear corporate goals. Some departments in Amtrak made purchases independently and failed to stick to the procedures set out in procurement policies.

Amtrak has insufficient data on its expenditures on goods and services, and this is a great barrier to its knowledge of its buying power and to the reduction of costs. Amtrak has poor management of its food and beverage contracts. This has contributed to financial loss. Amtrak has not been subject to the various mechanisms that form the basis for results accountability (Plant, 2004).

Threat identification and assessment

On the 5th of October 2013, there was a train terror attack which was planned by hundreds of people. On the 1st of August 2013, a camera caught train drivers sleeping and reading books while on duty.

On the 19th of November 2013, an Amtrak train was hijacked in Philadelphia. On the 23rd of April, there were reports of terror attack plots on a train traveling from Canada to America.

Hazard identification and assessment

A hazard is a situation with the potential to harm people’s health and safety. Fog is a natural hazard which might cause a serious crash due to lack of visibility. Heavy rains also cause accidents by causing heavy floods.

Hazardous material spills from trains might cause a mass casualty incident. People in the affected areas might inhale poisonous gas, which might deteriorate their health and even cause death. High speed also leads to mass death. This is on the increase due to traffic jams (Verton, 2004).

Vulnerability identification and assessment

Vulnerability assessment is the identification of threats from hazards to a population. The definition and classification of system resources is the identification of strengths in an organization in order to assess vulnerability. Assigning importance levels to resources is also a crucial way of assessing vulnerability.

The person who discovers a security hole needs to disclose it as soon as he or she identifies it. Developing strategies to address first the possible risks that seem most serious is an important step in vulnerability assessment.

Risk assessment

It can be defined as the identification of hazards, the analysis and evaluation of the hazards, and the determination of the required ways to overcome the hazard (Sanchez, 2004). Fig. 1 below is an example of how risk is assessed.

Fig. 1 / Tab. 1: Risk Assessment Matrix.

The level of hazard consists of a number and a letter. The number:

  1. indicates event severity of death, loss of the system, or permanent damage.
  2. indicates severe injury, major damage to systems, or permanent severe damage.
  3. indicates an injury that needs treatment, sickness, damage to systems, and environmental damage that is immitigable.
  4. indicates minor injury and minimal damage to the environment.

The letter represents the frequency of occurrence: (A) means the damage occurs frequently, (B) means that the risk occurs several times, (C) means the risk is likely to occur sometime in the life of the system, (D) means the risk is unlikely to occur, or may occur in future, and (E) means the occurrence might never happen. According to the table, each cell is related to a category of risk. Categories of risk are vital to the team managing the risk in order to differentiate possible serious hazard threats that may cause death and property loss from minor possible risks (Biesecker, 2008).

Cost benefit analysis and counter measures selection

Fig. 2 / Tab. 2: Consequences.

Figure 2 above indicates the need to secure mass transit due to numerous terrorist attacks. A security system should be responsible for assessing risks. It should also assess individual risk elements and their consequences.

It can do this by devising programs that screen passengers and baggage. It can also expand its effort by acquiring technological information and sharing it with other industries.

Recommendations and conclusion

Security bodies and departments have to ensure that their limited resources are utilized well to secure passenger rail systems. They should also conduct risk assessments that involve all elements of risk so as to enhance their risk strategies by incorporating performance measures (Stanton, 2003).

Mass transport and rail systems are crucial components of the nation. They provide millions of passenger trips weekly. Commuters usually depend on these systems, so security in the transport sector must be enhanced. There is a need for increased security due to previous terrorist attacks on transport. Various entities should play a role in assisting the funding and securing of mass transit.

References

Biesecker, C. (2008). Amtrak Introduces Mobile Security Teams, Random Luggage Inspection. Defense Daily, 237(33), 4. Web.

Great American stations. (2013). Web.

Plant, J. (2004). Terrorism and the Railroads: Redefining Security in the Wake of 9/11. Review of Policy Research, 21(3), 293-305. Web.

Sanchez, H. (2004). House Transportation Chief Pushes $1.1B for Rail Security. Bond Buyer, 348(31), 909. Web.

Stanton, J. (2003). Think Tank Calls For Renewed Commitment To Amtrak. Congress Daily, p.1. Web.

Verton, D. (2004). Amtrak Lags in Implementing Security Technologies. Computerworld, 38(12), 1-51. Web.

Cistern Security Systems’ Risk Management

Executive Summary

Due to the expanding market and improvements in technology, Cistern Security Systems (CSS) has been forced to hire more staff, most of whom are drawn from the local population. It has also been found that the new staff are inexperienced in matters relating to the latest technologies in security systems. This anomaly was discovered two months ago when we won a contract to fix CCTV surveillance cameras. The staff could not complete the task and the company had to hire staff from other firms; besides, the project was delayed and CSS had to pay a hefty fine as per the agreement.

The report aims to analyze the potential risk posed by inexperienced personnel on the performance of Cistern Security Systems. The main factors that contributed to such a scenario were difficulties to attract international experts, limited local knowledge and poor planning. A risk situation was modelled to describe the main factors that led to the risk situation. The proposed mitigation measures that CSS came up with included proactive forecasting, local recruitment workshops, training centres, and competitive pay packages. The team used the following tools to test the efficacy of the proposals: power field, severity and occurrence matrix, system approach and Hood Schools of Thoughts. The uncertainty level of the risk is level 2. The firm also used Porter’s FIT theory to analyze the feasibility of the mitigation measures.

Overview of the Risk Situation

Cistern Security Systems (CSS), one of the leading providers of security solutions, has undergone major expansion in the last seven years; this has included expanding operations into overseas markets, adopting modern security platforms, and venturing into other security services such as internet data security and tracking of goods in transit. During this period of rapid expansion, the company has strived to hire the most qualified staff in its technical and sales teams, whether from the local Saudi market or expatriates, to meet the growing job demands (Brown 1995).

CSS has continually recruited new staff with the realization that the success of any organization depends largely on its staff. However, the company has been operating on a shoestring budget and has not been able to attract the most qualified staff while some of the most qualified personnel have been lured by better deals from other firms. Consequently, the firm has had to hire less qualified staff with no prior experience and retrain them through field experiences.

However, the nature of the services that CSS has recently ventured into requires a thorough understanding of security operations, which demands both knowledge and experience. This situation has created a crisis in the company, since only a small percentage of the staff can perform their roles satisfactorily. At times, temporary staff have been hired to assist in operations, and in other instances CSS has had to sublet contracts that it won.

This paper will analyze the staff “short of talent” risk that has a huge drawback on the performance and success of the organization, especially in undertaking projects that require expertise, experience and precision. Security operations are quite complex and sensitive and any flaw could cost the company millions of dollars in the form of contract fines, loss of contract and legal fees. Besides, the image of the company will be tarnished and once this happens, winning public confidence would be a daunting task that could take years.

Several reasons have led to a shortage of experienced and qualified staff in installing CCTV surveillance cameras and other security solutions as outlined below:

  • In the early 2000s, the demand for personnel in security firms was low due to the small number of security firms that were operating in Saudi Arabia at the time; this caused several young experts to seek employment in other sectors. This was coupled with the fact that security personnel were paid poorly as compared to other sectors such as oil drilling; above all, many people despised security jobs as they were considered ‘low-class’ (McCahill 2002).
  • During the late-1990s and early 2000s, there was an increase in global demand for individuals who were highly qualified in security systems. This increase in demand was caused by an increase in general crime fears among people in developed nations, especially Europe. These opportunities attracted qualified personnel from Saudi Arabia as the pay-packages were better. This depleted the country of qualified and experienced individuals.
  • Frequent political upheavals and threats of terrorism have discouraged expatriates from taking up job opportunities in Saudi Arabia.
  • Poor forecasting & planning by the Labor Office. Had CSS known that there was a shortage of personnel and that their demand would increase in the late 2000s and early 2011, the firm would have started recruiting and hiring the security experts several years back to give young employees enough time to develop their skills. These early preparations would have prevented a shortage of experienced staff (Tse 2005).
  • The final cause of the shortage of qualified and experienced staff in Cistern Security Systems stems from the small operating budget. The organization continues to face competition for qualified staff from more established firms such as STESA, Allcom, Abr Aman AFSTS, and IBD-Tech. All of these companies pay better than CSS and attract highly experienced staff away from the company (Norris & Armstrong 1999).

Characteristics of the Risk Situation

The workforce risk shall be analyzed in regards to two major characteristics, i.e. frequency of occurrence and severity of the loss.

As CSS is expanding, it is facing competition for security system experts from other firms; this has forced it to hire less qualified and inexperienced staff and retrain them through on-field experience. This implies that staff inexperience will be most pronounced in the first few months. However, due to the intricate nature of some security system operations, such as CCTV installation, fresh employees may encounter several difficulties for a longer time. Thus, the frequency of workforce risk is considered high (Carrera 2008).

Secondly, the complex nature of some security systems means that staff must have a working knowledge of these systems. Therefore, mistakes are more common and this increases financial losses. Besides, any mistakes arising from the inexperience of staff may cause delays in the completion of a contract, resulting in fines, and hiring temporary staff to work on contracts (Tsoukala 2007). This further drives up financial losses. Therefore, the severity of the loss is considered high as well.

Figure 1: Severity of Loss vs. Frequency of Occurrence matrix.

The matrix in Fig. 1 shows that both the severity of loss and the frequency of occurrence are high, so an organization should strive to avoid the risk. In a situation such as the one in our company, however, the risk should be eliminated and sufficient measures introduced to prevent its recurrence, thereby reducing financial losses.

Figure 2: Bubble Chart for Risk Prioritization.

Figure 2 illustrates the growth dimension of the workforce risk over time. The inexperience of the personnel combined with the complexity of some security operations requires urgent attention and actions to reduce financial losses (Honess & Charman 1992).

The System Model

It is imperative that a holistic view of the risk situation is taken and the factors that caused it are assessed. A system model shows all the major factors that led to the risk situation and illustrates the relationships between them, as shown below:

Figure 3: Workforce Risk system model.

The system model shown in Fig. 3 illustrates the factors that caused CSS to hire inexperienced personnel and the factors that led to this anomaly. It can be seen that most of the problems arose from organizational inefficiencies (Lyon 2001). The concept of a power field helps us to understand the environment in which the organization operates.

Figure 4: The power field plot.

The power field plot identifies the factors that are under the influence of CSS and on which its mitigation measures can be most effective. The organization cannot reverse the fact that most experienced staff are close to retirement age, or that people are refusing to work in Saudi Arabia because of security concerns. These factors have forced CSS to opt for a younger, less experienced workforce that has instead turned out to be a liability (Balzacq 2006).

Proposed Mitigation Measures

The risk mitigation measures considered in this paper aim to avoid or prevent employee-based risks from occurring in the future. Since CSS has already hired inexperienced employees, it cannot dismiss them, because this is prohibited by Saudi labour law. This leaves the company with the option of enrolling these employees in intensive training programs to improve their expertise.

Figure 5: New system model showing mitigation measures.

Mitigation of the organizational issues

Proactive Forecasting and Planning: CSS needs to forecast its future operations accurately. The forecasts need to centre on the expected growth and relate it to the number of staff required.

Mitigation of the local talent factor

  • Recruitment Workshops: CSS can visit local universities and technical colleges to encourage young people to specialize in security systems, and offer fresh graduates attractive packages to entice them to join the organization.
  • Training Centres: The organization should build a real-time training centre where inexperienced personnel can get hands-on training that shortens their learning curve, in an environment where training mistakes are not costly. The organization should also provide its inexperienced personnel with detailed operating procedures and guidelines to eliminate the risk of mistakes and improvisation (Cazemier 2000).

Unintended Effects and Secondary Mitigation Measures

Implementing these mitigation measures reduces the risks arising from the limitations of the workforce. However, new unplanned effects may arise from the measures themselves, as shown below:

Figure 6: Unintended Effects & Secondary Mitigations.

As the figure above shows, the preliminary set of mitigation measures has brought in a new set of problems, which include:

  • Operating costs of the recruitment exercise. Since the exercise will be carried out in conjunction with local universities and technical colleges, the expenses will be substantially reduced.
  • Costs of running the training centres: the staff will pay part of the cost of their training, and to prevent ‘poaching’ by other firms, the retrained staff will sign a five-year contract with the company.
  • Higher wages paid to temporary staff: temporary staff will be employed while the rest of the staff are in training. Although they will cost the company a substantial amount, the long-term benefits of the training program will exceed the costs.

Effectiveness & Sustainability of the Risk Mitigation Measures

Several theories for reducing workplace risks have been postulated. However, each requires assessment before it is implemented, because the implementation costs can exceed the expected benefits (Ericson & Haggerty 1997). Since operations at CSS require specialized skills, and any mistake can prove costly to the company both economically and in terms of reputation, it must proactively ensure that staff have the right expertise.

The design doctrine can be used to illustrate the advantages of having the right skills at all employment levels. The organization must ensure that the workforce is trained on the latest technologies in security systems (Bon van 2004). However, before the training commences, CSS should consider the effects that may arise and estimate their magnitude so that they can be minimized.

The residual uncertainty level of the organization must be determined so that its future performance can be evaluated. Residual uncertainty is defined as the uncertainty that remains after the best possible assessment of the company has been performed (Courtney, Kirkland & Viguerie 1997). The company’s growth prospects can be evaluated so that future resource requirements can be estimated; this can help avert the debacle witnessed at CSS. The organization’s future growth will be affected by factors such as economic performance and competitors’ strategies. Consequently, the residual uncertainty level is level 2, “alternative futures”.

The key factors that will determine the success of the mitigation measures are:

  • The organization’s ability to analyze the security systems market efficiently and accurately in order to plan for the required personnel.
  • The commitment of the inexperienced personnel to learning and improvement, because none of the training activities will succeed unless the employees are willing to develop and to learn from their mistakes.
  • The hired consultants’ willingness to be active in both training and job operations.

For the organization to sustain a competitive advantage over its competitors, it needs to achieve strategic positioning and fit among its activities (Porter 1996). Positioning establishes what activities the company performs, how it performs them, and how these activities relate to each other. CSS should take a needs-based positioning to serve its customers, in which it can supply all components of the security systems it sells. For example, when installing CCTV, it should be able to supply the cameras, hard drives, display screens, and back-up devices (Fyfe & Bannister 1996).

To be sustainable, the risk mitigation measures should reduce the initial uncertainty of the risk situation. The measures should reinforce each other to minimize the risk, so the third-order fit, “optimization of effort”, is the most suitable here. The model is shown below:

Figure 7: Integrated System Diagram.

The figure above illustrates how the initial set of mitigation measures and the secondary measures will together reduce the risks related to inexperienced personnel.

Conclusion

Risks can be classified by their frequency of occurrence and the severity of the loss. This case study shows how to evaluate risk situations in organizations: the exercise involved tracing the risk situation to its sources, identifying mitigation measures and secondary mitigation measures, and finally analyzing the efficacy of those measures. Several models were used during the case study that enabled CSS to resolve the workforce risk situation; however, not all organizations can employ these models to solve their risk situations. The system approach depends heavily on the perception of the analyst and is therefore subjective. The analysis introduced several tools for analyzing the effectiveness of the proposed mitigation measures.

References

Balzacq, T. (2006). Security versus Freedom. Aldershot: Ashgate.

Bon van, J. (2004). IT-Service Management: Introduction to Basic Operations of ITIL. Amsterdam: Van Haren Publishing.

Brown, B. (1995). CCTV in Town Centres: Three Case Studies. Police Research Group, Crime Detection and Prevention Series, Paper No. 68. London: Home Office Police Department.

Carrera, S. (2008). Security and our Freedom. Aldershot: Ashgate.

Cazemier, J. (2000). Security Management, Stationery Office. London: Sage.

Courtney, H., Kirkland, J. & Viguerie, P. (1997). Strategy Under Uncertainty. Harvard Business Review, Nov-Dec, 67-79.

Ericson, R. & Haggerty, K. (1997). Policing the Risk Society. Oxford: Oxford University Press.

Fyfe, R. & Bannister, J. (1996). City Watching: Closed Circuit Television in Public Spaces. Area 28(1): 37-46.

Honess, T. & Charman, E. (1992). Closed Circuit Television in Public Places: Its Acceptability and Perceived Effectiveness. Home Office Police Research Group, Crime Prevention Unit Series, Paper No. 35. London: Home Office.

Lyon, D. (2001). Surveillance Society. Buckingham: Open University Press.

McCahill, M. (2002). The Surveillance Web: The Rise of Visual Surveillance in an English City. Cullompton: Willan Press.

Norris, C. & Armstrong, G. (1999). The Maximum Surveillance Society: The Rise of CCTV. Oxford: Berg.

Porter, M. (1996). What is Strategy? Harvard Business Review, Nov-Dec, 61-78.

Tse, D. (2005). Security in Modern Business: Security Assessment Model for Information Security Practices. Hong Kong: University of Hong Kong.

Tsoukala, A. (2007). Terror, Insecurity and Liberty. London: Routledge.

Homeland Security’s Risk Management Approaches

Introduction

The realm of U.S. Homeland Security (HS) is very intricate, which means that the handling of available resources and information must be arranged rationally to ensure the attainment of key goals and objectives (Bullock, Haddow, & Coppola, 2017). The task of risk management (RM), which incorporates the assessment and prevention of internal and external threats to the nation’s well-being, therefore requires the ability to combine both traditional and innovative approaches (U.S. Department of Homeland Security, 2010). This challenge has become especially difficult lately because of the creation of cyberspace and the emergence of numerous cyber threats (Bullock et al., 2017). Updating the RM approaches used by HS is therefore a timely and fitting choice, given the increased risk to U.S. citizens’ data. The adoption of traditional RM techniques, in turn, leads to the efficient management of physical threats such as the possibility of a terrorist attack (White, 2016).

The intention to make the most efficient use possible of the available assets, including its human resources, has made HS rather productive in its RM process. Nevertheless, HS needs improved strategies for meeting its capacities and fulfilling its potential. The effort to push the envelope in RM is justified by the fact that cyberattacks have become increasingly intense and persistent over the past few years (Clark & Hakim, 2016). A framework that allows HS to identify sufficient resources will make it possible to maintain state security at the required high level.

RM Strategies Used by HS: Key Patterns

The present-day RM approaches utilized by HS can be described as rather traditional and, therefore, in need of change. For example, the focus on research and development can be regarded as one of the essential advantages of the existing framework (Clark & Hakim, 2016). However, the present-day system could be significantly improved by redesigning the approach toward resource allocation and focusing on the study of threats that the contemporary virtual realm contains (White, 2016).

The inclusion of resilience strategies helps mitigate unexpected and undiscovered risks. However, the current resilience approach lacks coherence, since HS does not use its resources to their maximum capacity because of flaws in its RM framework. For instance, the lack of HR-based elements can be deemed one of the key oversights in creating a strong and well-structured strategy for RM.

Benefits of Current RM Strategies: An Assessment

To its credit, HS has recently updated its RM framework in light of the latest risk factors to which the state has been exposed over the past few years. For example, interdisciplinary cooperation has been enforced extensively in the HS organizational environment (Clark & Hakim, 2016). These endeavors at creating an integrated approach and introducing the principle of resilience into the operations of HS have been quite successful so far. HS has selected several criteria for identifying specific factors as high or low risks, thus improving its framework for handling security threats (White, 2016). These criteria include “leadership commitment, a corrective action plan, and a framework to monitor progress” (Scott, 2014, p. 3).

The rationale behind the choice made by HS is evident. The emphasis on leadership is justified by the need to actively encourage change within the corporate environment and to overcome the reluctance that is very likely to appear among HS staff members. The adoption of a leadership strategy based on the principles of the transformative style will enhance enthusiasm among HS employees (Clark & Hakim, 2016). Similarly, the action plan and the model for supervising employees and institutionalizing change are crucial components of success, since they encourage employees to act and entitle them to a set of unique roles and responsibilities. As a result, employees remain motivated and are willing to deliver the best results possible.

However, there are certain flaws in the current approach toward RM. For example, the lack of focus on the connection between HR management and IT security concerns needs to be listed among the key problems. HR theories will augment the current RM approach by providing a more sensible approach toward allocating corporate resources, including staff. Thus, further changes must be made to the RM of HS.

Possible Improvements: Enhancing Security

Apart from incorporating HR principles into the existing RM approach, one should also develop the tools that will help monitor and control changes in the HS RM process. The use of grant funding should also be explored as a possible initiative for reinforcing security levels within the HS context. For instance, grants could fund research in the domain of cybersecurity and into the means of reducing exposure to risks by establishing tighter control over the data transferred via social networks. Also, creating educational programs that instruct people in the realm of social networks and blogospheres about keeping security levels high and reducing the threat of personal data exposure must be regarded as a priority. While a range of present-day HS grants is focused on creating software that will contribute to a rapid boost in cybersecurity levels, the human factor is rarely considered and studied (Bullock et al., 2017). This gap must be filled by creating grant options and opportunities for in-depth research.

Conclusion: Importance of RM for HS in the Cyber environment

Because of the lack of success in creating an efficient resource management strategy, HS has become vulnerable to external threats, particularly in the cyber environment. To its credit, HS realizes the importance of keeping pace with technological development and thus advances its strategies for handling the threat of cyberattacks. However, its current approach toward resource management could use a massive improvement. A reconsideration of how roles and responsibilities are assigned to staff members will entail a change in the speed and efficacy of data management processes. Consequently, gradual improvement can be expected.

The current capacity shortfalls observed in the HS environment are also linked to its IT strategy, which means that the approach toward data management will have to be connected to the HRM strategies utilized in its organizational environment. There is therefore an urgent need to integrate HRM concepts into the current RM strategy. The resulting rearrangement of roles and responsibilities will contribute to a more rational use of corporate resources and, thus, to more timely responses to internal and external threats.

The capabilities-based planning approach should be regarded as an important addition to the current RM framework of HS. By helping HS to focus on the issues associated with human resources, this strategy is bound to help HS develop a coherent mechanism for keeping its cybersecurity levels high. As a result, the personal data of U.S. residents will be kept intact.

References

Bullock, J. A., Haddow, G. E., & Coppola, G. P. (2017). Homeland security: The essentials (2nd ed.). Cambridge, MA: Butterworth-Heinemann.

Clark, R. M., & Hakim, S. (2016). Cyber-physical security: Protecting critical infrastructure at the state and local level. New York, NY: Springer.

Scott, G. A. (2014). Roundtable on reauthorizing the Department of Homeland Security. Washington, DC: U.S. Government Accountability Office.

U.S. Department of Homeland Security. (2010). Quadrennial homeland security review report: A strategic framework for a secure homeland. Washington, DC: Government Printing Office.

White, J. R. (2016). Terrorism and homeland security. Boston, MA: Cengage Learning.