INFORMATION SECURITY MANAGEMENT

Executive Summary

This report examines why information security matters to an organization, using an Australian-based Multinational Payment Card Company as the case study. The company has benefited considerably from its information system, but the same system exposes it to threats and risk factors, which the report analyzes under four headings: theft of private data and confidential information, information loss and fraud, technical flaws in the information system, and environmental disaster and calamity. The proposed structure for information security comprises the formation of security policies, threat identification, threat analysis, and analysis of security measures. Security policies, applied through the Deming (Plan-Do-Check-Act) cycle, are central to securing the information system at Multinational Payment Card Company.

Table of Contents

Introduction
1. Overview of the scenario
2. Information threats and risk factors at Multinational Payment Card Company
2.1 External threats to the information system of Multinational Payment Card Company
2.2 Internal threats to the information system of Multinational Payment Card Company
3. Structure for information security and risk assessment at Payment Card Company
3.1 Security policies for Multinational Payment Card Company
3.2 Deming cycle for information security in Multinational Payment Card Company
3.3 Risk assessment for information system of Multinational Payment Card Company
4. Advantages of Information security system
Recommendations
Conclusion
References

Introduction

Information systems allow organizations to run faster operations and processes. The processing, storage, management, and security of information are crucial for any organization (Peltier 2013). Implementing an information security system supports faster system integration and secure operations in the organization.
However, the same technological development has brought many security risks to the information system. Hacking tools and techniques can be used to extract information from a company's database, so information security controls must be deployed to deal with these threats and risk factors. This report critically evaluates the impact of risks and information security threats on an organization. The selected case study is an Australian-based Multinational Payment Card Company. The report analyzes the security issues raised by the information threats and their impact on the company's operations, evaluates the development of strong and secure security systems and strategies, and finally sets out the advantages of a secured information system together with suggestions for improving the security options.

1. Overview of the scenario

The Australian-based Multinational Payment Card Company is a card payment services provider with its main centre in the suburbs of Brisbane and call centres in Singapore and Suva. The call centres look after the clients and provide them with payment services. To do so, the company must transfer client details to the respective call centres, which then hold the client information together with contact information and payment details. However, call centre management allows its employees to work from home over network connections, which gives those employees access to data about the payment card company's clients from home. Access to the data over home networks can result in information leakage and data theft.
The information is exposed both while stored on the network and while being transmitted, which makes it prone to theft and modification. This situation conflicts with the global security policies that the payment card company follows. A strong security policy and supporting strategies are required to deal with threats to information transferred over the company's network.

2. Information threats and risk factors at Multinational Payment Card Company

Information threats and risk factors arise from both external and internal causes (Fernandes 2014). Multinational Payment Card Company must transmit its clients' information over a communication medium, and that medium can be infiltrated and used to modify the company's data and information. The following points classify the risks and threats to the company's information transfer process.

2.1 External threats to the information system of Multinational Payment Card Company

External threats to the information system are those induced and initiated from outside the organization (Fernandes 2014). Because information transmission and storage at Multinational Payment Card Company involve outsourced call centres, there is a substantial probability of data being hacked and misused. Infiltration by any external party and leakage of data to external users are counted among the external risk factors and threats to the company's information system. Some of the external threats that can affect information processing and data transfer at the company are explained below:

Theft of private data and confidential information: Information is transmitted from, and stored in, a single information system database at Multinational Payment Card Company.
The main storage is located at the company's head office in the suburbs of Brisbane. Technological advances make it possible to transfer the data on a global scale (Alsalamah et al. 2016), but the same advances make the data liable to interception and hacking. The transferred data includes client contact details and payment options; theft of such data would severely harm the company's business and reputation.

Information loss and fraud: There is a strong possibility that wrong data and information are supplied during transmission. Network transmission is not 100% secure, and a transfer may end in loss of data (Kasmi and Esteves 2015). Network disturbance or noise can corrupt the flow of data at Multinational Payment Card Company. Separately, the information store may be exploited and important information modified for personal gain. A cyber criminal can use hacking techniques to make the information system malfunction, producing incorrect data evaluation and wrong data feeds. The two cases need different checks: a plain checksum detects accidental corruption from noise, but only an authenticated integrity check (a keyed MAC or a digital signature) detects deliberate modification, since an attacker who can alter the data can recompute an unkeyed checksum.

2.2 Internal threats to the information system of Multinational Payment Card Company

Internal threats to the information system of Multinational Payment Card Company are the factors present within the structure of the information system and the organization itself. The report treats the internal factors as more prominent than the external risk factors and threats to the company's information system. They include technical flaws and environmental disaster (McGough et al. 2015).
These threats and risk factors are explained below:

Technical flaws of the information system: The most significant risk to the stored information comes from technical flaws (Cerroni et al. 2014), which arise from flaws in the design of the information system. A lack of strict security options and a poor security structure lead to infiltration of the information system; weak security strategies and system faults produce errors in the information system (Porzsolt et al. 2013). Cyber criminals can exploit these flaws to infiltrate the organization's data.

Environmental disaster and calamity: Besides human-made threats and errors, the information system faces natural and environmental risk factors (Lee and Evans 2014). Hazards such as fire, storms, and other disturbances affect the normal processing of information security and compliance. They can destroy physical storage and the tangible equipment required for communication, hindering the flow of data transmission and information storage.

Figure 1: Classification of the risks and threats of the information system (Source: Porzsolt et al. 2013, p. 1179)

3. Structure for information security and risk assessment at Payment Card Company

Information security and risk assessment support the development of security policies and compliance for Multinational Payment Card Company. The company's business requirements involve transferring client data and information to the external call centres in Singapore and Suva.
The information security elements explained under the following sub-headings would help form the most suitable structure for the company's information system.

3.1 Security policies for Multinational Payment Card Company

Security policies for the information system form the framework of security management in the company (Whitman and Mattord 2013). The framework identifies the threats and risk factors to the information system, and risk assessment provides the benefit of handling and managing those threats.

Threat identification: Information security management is used to find and identify the threats present in the information system. Identifying a threat helps in understanding the threat, its nature, and its impact. According to Stahl, Doherty and Shaw (2012), this is the first step in developing security policies for information security risks.

Analysis of threats: This step analyzes the threats and the issues related to them. There are various threats related to information system implementation (Whitman and Mattord 2013). This phase analyzes the threats to information system security and the flaws they exploit, in order to find the appropriate solution.

Security measures analysis: In this phase, appropriate measures for securing the information system are developed, once the analysis of the threats, their impact, and their flaws is complete. The information system must comply with the solutions developed for the threats. Multinational Payment Card Company follows the global security guidelines for information security risk and compliance.
However, it can employ additional security measures alongside its existing security policies to make sure that information is transmitted securely.

3.2 Deming cycle for information security in Multinational Payment Card Company

The Deming cycle is a process for forming security strategies through four standard operations (Dudin et al. 2015). It can be applied to the security of the information system at Multinational Payment Card Company to form better security options. The four operations are Plan, Do, Check, and Act. According to Borys, Milosz and Plechawska-Wojcik (2012), the order is cyclic: once the Check phase has been completed (and any error or flaw found) and the corresponding action taken, the cycle returns to Plan. These cyclic operations can be used to implement the security options in the company's information system.

Plan: The first phase of the Deming cycle involves planning the implementation of security options in the company's information system. It includes making an appropriate plan for handling the security threats, incorporating an analysis of the issues and flaws in the security system and their impact.

Do: The second phase involves implementing the plan for the security of the information system. The strategies made in the planning phase are put into effect to form a secured structure of operations in the company's information system.

Check: In this phase the implemented plan is checked for any malfunction. It is similar to the feedback step of a project management plan, as it reviews what has been done in implementing the security system.
The review of the operations is used to evaluate the security strategies.

Act: The final phase of the Deming cycle implements corrective actions for the security of the information system. The required changes to the implemented security options form the final structure of the security system, and the cycle then returns to Plan.

Figure 2: Deming Cycle (Plan-Do-Check-Act Cycle) (Source: Dudin et al. 2015, p. 245)

The Deming cycle can be used to implement IDS/IPS protection and other advanced protection for the information system of Multinational Payment Card Company. The operation of IDS/IPS and the advanced security processes are explained below:

Implementation of IPS and IDS technology: The information security system can be strengthened by deploying an IDS and an IPS in the network (Modi et al. 2013). Data is transferred from the company's main office in Brisbane to the call centres in Singapore and Suva over a communication link, and there is a possibility of network hacking and infiltration. An IDS monitors the network traffic (usually from a copy of the traffic, out of band) and detects and notifies on any unwanted entry into the system. An IPS sits inline in the traffic path and prevents the entry of unwanted or unauthorized elements into the network. The two work as a pair: the IDS signals the IPS to act when it detects unauthorized entry (Kenkre, Pai and Colaco 2015), and the IPS drops or blocks the offending traffic before it can make any modification to the system. Because a badly tuned IPS rule blocks legitimate payment traffic just as readily as an attack, new blocking rules should first be run in alert-only mode and validated against normal traffic in the Check phase before they are enforced.

Figure 3: IDS and IPS in network (Source: Kenkre, Pai and Colaco 2015, p. 409)

Advanced security processes: Advanced security processes improve the efficiency of operations at Multinational Payment Card Company.
Applications such as antimalware programs, cryptographic software, Citrix remote-desktop systems, and computer-aided dispatch can be used within the organization's information security system (Von Solms and Van Niekerk 2013). Such advanced security options help deal with data theft, information loss, and hacking; a remote-desktop system, for instance, lets home-based agents view client records on a server in the data centre without the data being copied to their home machines. Focusing on the vulnerabilities helps find the appropriate solutions for the organization.

3.3 Risk assessment for information system of Multinational Payment Card Company

Risk assessment is used to establish the minimum effect of the risk factors (Mahalakshmi and Sundararajan 2013) and to minimize risk issues in the information system of Multinational Payment Card Company. It can be carried out within the System Development Life Cycle (SDLC), which provides the phases for identifying risks, developing plans to resolve them, and implementing the system (McMurtrey 2013). The SDLC phases are initiation, acquisition, implementation, and operation.

Phase            Operation of the phase
Initiation       The risk assessment process is initiated; this phase corresponds to risk identification in the risk management process.
Acquisition      Appropriate solutions for the identified risks are designed and developed.
Implementation   The developed solution is implemented in the information system of Multinational Payment Card Company.
Operation        The risk to the company's management information system is assessed on an ongoing basis.

Table 1: Risk assessment using the SDLC at Multinational Payment Card Company (Source: Chemuturi 2013, p. 172)
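The IDS/IPS behaviour described in section 3.2 (detect and alert, then block), as an added illustration that is not part of the original report and not code from any product named above. It is a minimal detection loop run over a constructed access log: the log format, the two rules, the thresholds, the addresses and the agent names are all assumptions made for the example.

```python
"""Added example (not from the original report): a minimal IDS/IPS loop of the
kind section 3.2 describes, run over constructed access-log lines.  Log format,
thresholds, addresses and agent names are assumptions made for illustration.

Assumed format: <unix-seconds> <source-ip> <agent> <LOGIN_FAIL|LOGIN_OK|FETCH> [record]
Rule 1, brute force: FAILED_LOGIN_THRESHOLD failed logins from one address
  within WINDOW seconds -> IDS alert, and the IPS drops that address from then on.
Rule 2, bulk export: one agent fetching BULK_RECORD_THRESHOLD distinct client
  records within WINDOW seconds -> IDS alert only; an inline block could cut off
  a legitimate agent, so a human reviews it (the Check phase of the cycle).
"""
import re
from collections import defaultdict, deque

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) "
    r"(?P<action>LOGIN_FAIL|LOGIN_OK|FETCH)(?: (?P<obj>\S+))?$"
)
FAILED_LOGIN_THRESHOLD = 5   # failures per source address within WINDOW
BULK_RECORD_THRESHOLD = 20   # distinct records per agent within WINDOW
WINDOW = 60                  # seconds


class Sensor:
    """IDS part: self.alerts.  IPS part: self.blocked and the DROP decisions."""

    def __init__(self):
        self.failed = defaultdict(deque)   # source -> timestamps of failed logins
        self.fetched = defaultdict(deque)  # agent -> (timestamp, record id)
        self.blocked = set()               # IPS block list of source addresses
        self.alerts = []                   # (rule, subject), each raised once
        self.decisions = []                # "PASS" or "DROP" per log line

    def _alert(self, rule, subject):
        if (rule, subject) not in self.alerts:
            self.alerts.append((rule, subject))

    def _decide(self, decision):
        self.decisions.append(decision)
        return decision

    def process(self, line):
        m = LOG_RE.match(line)
        if not m:
            # Unparseable input is itself suspicious (evasion or tampering).
            self._alert("MALFORMED", line)
            return self._decide("PASS")
        ts, src, user = int(m["ts"]), m["src"], m["user"]
        if src in self.blocked:
            return self._decide("DROP")            # IPS: address already blocked
        if m["action"] == "LOGIN_FAIL":
            q = self.failed[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:        # slide the time window
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD:
                self._alert("BRUTE_FORCE", src)    # IDS detects ...
                self.blocked.add(src)              # ... and the IPS blocks
                return self._decide("DROP")
        elif m["action"] == "LOGIN_OK":
            self.failed.pop(src, None)             # reset the counter on success
        elif m["action"] == "FETCH":
            q = self.fetched[user]
            q.append((ts, m["obj"]))
            while q and ts - q[0][0] > WINDOW:
                q.popleft()
            if len({rec for _, rec in q}) >= BULK_RECORD_THRESHOLD:
                self._alert("BULK_EXPORT", user)   # detect, do not block
        return self._decide("PASS")


# Constructed sample log (not real traffic): a brute-force attempt from
# 203.0.113.9, a home-based agent pulling 25 client records in 25 seconds,
# a normal agent, and one line the parser cannot read.
SAMPLE_LOG = (
    [f"{100 + 5 * i} 203.0.113.9 agent42 LOGIN_FAIL" for i in range(6)]
    + ["130 203.0.113.9 agent42 LOGIN_OK"]
    + [f"{200 + i} 198.51.100.7 agent17 FETCH client/{i:04d}" for i in range(25)]
    + [f"{300 + 10 * i} 192.0.2.14 agent03 FETCH client/{900 + i:04d}" for i in range(3)]
    + ["this line is not a log record"]
)


def analyse(lines):
    """Feed every line to one sensor and return the sensor for inspection."""
    sensor = Sensor()
    for line in lines:
        sensor.process(line)
    return sensor


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    for rule, subject in s.alerts:
        print("ALERT", rule, subject)
    print("blocked:", sorted(s.blocked))
    print("dropped", s.decisions.count("DROP"), "of", len(s.decisions), "records")
```

The point of the two rules is the asymmetry: a brute-force source can be blocked automatically, because dropping its traffic costs nothing, whereas blocking an agent on a bulk-read heuristic would interrupt payment operations, so that rule only alerts and leaves the decision to review. A login from an address that is not blocked is never interfered with, which is the false-positive check to run before enforcing any rule.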
4. Advantages of Information security system

Implementing an information security system helps ensure that the information stored in the information system of Multinational Payment Card Company stays private and confidential. The advantages of implementing it at the company are:

Protection of sensitive data: The information security system keeps the client data and information transferred to the call centres secure from external infiltration (Tran, Le Ngoc Thanh and Phuong 2013). Protecting the data from misuse and tampering keeps the integrated operations confidential and private.

Alignment with global security policies: The information security system helps the company comply with the global security policies that govern its operations.

Control of costs: Manual transfer of information and data costs more money (Motawa and Almarshad 2013). The information security system helps control the expense of managing security and of keeping track of records and information.

Recommendations

Some recommendations for implementing the information security system at Multinational Payment Card Company are given below.

Use of system development: System development supports risk assessment in the company's information system. It includes risk identification, control analysis, impact evaluation, risk determination, and recommendations for controls.
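The steps named in the recommendation above (risk identification, control analysis, impact evaluation, risk determination, control recommendations), carried through for the threats the report identifies and then ranked with a likelihood-by-impact priority matrix of the kind the next recommendation describes. This is an added example, not part of the original report: the likelihood and impact scores, the control-effectiveness figures, the band thresholds and the recommendation texts are assumptions chosen for illustration.

```python
"""Added example (not from the original report): the risk-assessment steps of
the recommendation (identification, control analysis, impact evaluation, risk
determination, control recommendations) for the report's own threats, ranked
with a likelihood x impact priority matrix.  All scores, control-effectiveness
figures and band thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    # control analysis input: existing control -> assumed effectiveness 0..1
    existing_controls: dict = field(default_factory=dict)


def inherent_score(t):
    """Risk with no controls considered: the raw cell of the priority matrix."""
    return t.likelihood * t.impact


def residual_score(t):
    """Risk after control analysis.

    Each control is assumed to reduce the likelihood of the threat succeeding
    by its effectiveness, and the reductions compound.  Impact is left as it
    is: a detective control does not lessen the damage once client card data
    has actually been stolen.
    """
    factor = 1.0
    for effectiveness in t.existing_controls.values():
        factor *= 1.0 - effectiveness
    return round(t.likelihood * factor * t.impact, 1)


def band(score):
    """Risk determination: map a matrix score to a priority band."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


CONTROL_RECOMMENDATION = {
    "HIGH": "treat before continuing operation; re-check in the next PDCA cycle",
    "MEDIUM": "treat within the current cycle and monitor",
    "LOW": "accept, record, and review at the next assessment",
}


def assess(threats):
    """Return one row per threat, highest residual risk first."""
    rows = []
    for t in threats:
        residual = residual_score(t)
        rows.append({
            "threat": t.name,
            "inherent": inherent_score(t),
            "residual": residual,
            "band": band(residual),
            "recommendation": CONTROL_RECOMMENDATION[band(residual)],
        })
    rows.sort(key=lambda r: (-r["residual"], r["threat"]))
    return rows


# Risk identification: the four threats from section 2 plus the home-network
# access exposure from the scenario in section 1.  Scores are assumed.
THREATS = [
    Threat("Theft of client data in transit to the call centres", 4, 5,
           {"encrypted transfer link": 0.6}),
    Threat("Information loss or fraudulent modification", 3, 4,
           {"transfer checksums": 0.3}),
    Threat("Technical flaws in the information system", 3, 4),
    Threat("Environmental disaster at the Brisbane data centre", 1, 5,
           {"off-site backups": 0.5}),
    Threat("Client data accessed from agents' home networks", 4, 4),
]


if __name__ == "__main__":
    for row in assess(THREATS):
        print(f"{row['band']:<6} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>4}  {row['threat']}")
        print(f"       -> {row['recommendation']}")
```

With these assumed scores the ranking changes once existing controls are analysed: theft of data in transit has the highest inherent score but drops to MEDIUM behind the uncontrolled technical-flaw and home-network risks, which is the reason the recommendation places control analysis before risk determination rather than ranking on likelihood and impact alone.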
Figure 4: Recommended System Development for Multinational Payment Card Company

Employment of a risk prioritization matrix: Risk prioritization helps in implementing optimal solutions for the operations of Multinational Payment Card Company. The risk priority matrix classifies each risk (for example by likelihood and impact) and helps form effective solutions to the risks and threats in order of priority.

Figure 5: Risk priority matrix table

Conclusion

This report has analyzed the various risks and information security flaws in an information system. Multinational Payment Card Company has benefited considerably from the implementation of its information system. The information threats and risk factors to the company's information transfer process analyzed in the report are theft of private data and confidential information, information loss and fraud, technical flaws in the information system, and environmental disaster and calamity. The structure for information security and risk assessment at the company consists of developing security policies and compliance. The security policies for the information system provide the benefit of threat handling and management, and comprise threat identification, analysis of threats, and security measures analysis. The report has shown that the Deming cycle is important for the security of the information system at Multinational Payment Card Company and leads to better security options for the information system.

References

Alsalamah, S., Alsalamah, H., Gray, A.W. and Hilton, J., 2016. Information security threats in patient-centred healthcare. In M-Health Innovations for Patient-Centered Care, p. 298.

Balaban, I., Mu, E. and Divjak, B., 2013. Development of an electronic portfolio system success model: An information systems approach. Computers & Education, 60(1), pp. 396-411.

Borys, M., Milosz, M. and Plechawska-Wojcik, M., 2012. Using Deming cycle for strengthening cooperation between industry and university in IT engineering education program. In Interactive Collaborative Learning (ICL), 2012 15th International Conference on, pp. 1-4. IEEE.

Cerroni, S., Notaro, S., Raffaelli, R. and Shaw, W.D., 2014. Subjective risks, scientific information, and food choices: A test of scenario adjustment in hypothetical choice experiments (March 7, 2014).

Chan, H.C., Online News Link LLC, 2013. Information distribution and processing system. U.S. Patent 8,457,545.

Chemuturi, M., 2013. Requirements management through SDLC. In Requirements Engineering and Management for Software Development Projects, pp. 169-175. Springer, New York.

Dudin, M.N., Frolova, E., Gryzunova, N.V. and Shuvalova, E.B., 2015. The Deming Cycle (PDCA) concept as an efficient tool for continuous quality improvement in the agribusiness. Asian Social Science, 11(1), pp. 239-246.

Fernandes, L.M., 2014. Emerging security risks and threats to accounting information systems in the rapid changing environment: Implications to management and accountants. ZENITH International Journal of Multidisciplinary Research, 4(6), pp. 64-72.

Kasmi, C. and Esteves, J.L., 2015. IEMI threats for information security: Remote command injection on modern smartphones. IEEE Transactions on Electromagnetic Compatibility, 57(6), pp. 1752-1755.

Kenkre, P.S., Pai, A. and Colaco, L., 2015. Real time intrusion detection and prevention system. In Proceedings of the 3rd International Conference on Frontiers of Intelligent Computing: Theory and Applications (FICTA) 2014, pp. 405-411. Springer International Publishing.

Lee, L. and Evans, A., 2014. Mining for digital gold: bitcoin could create financial gains, but it also may raise IT and business risks. Internal Auditor, 71(3), pp. 23-25.

Mahalakshmi, M. and Sundararajan, M., 2013. Traditional SDLC vs Scrum methodology: A comparative study. International Journal of Emerging Technology and Advanced Engineering, 3(6), pp. 192-196.

McGough, A.S., Wall, D., Brennan, J., Theodoropoulos, G., Ruck-Keene, E., Arief, B., Gamble, C., Fitzgerald, J., van Moorsel, A. and Alwis, S., 2015. Insider threats: Identifying anomalous human behaviour in heterogeneous systems using beneficial intelligent software (Ben-ware). In Proceedings of the 7th ACM CCS International Workshop on Managing Insider Security Threats, pp. 1-12. ACM.

McMurtrey, M., 2013. A case study of the application of the systems development life cycle (SDLC) in 21st century health care: Something old, something new? Journal of the Southern Association for Information Systems, 1(1).

Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A. and Rajarajan, M., 2013. A survey of intrusion detection techniques in cloud. Journal of Network and Computer Applications, 36(1), pp. 42-57.

Motawa, I. and Almarshad, A., 2013. A knowledge-based BIM system for building maintenance. Automation in Construction, 29, pp. 173-182.

Partsch, H.A., 2012. Specification and Transformation of Programs: A Formal Approach to Software Development. Springer Science & Business Media.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.

Porzsolt, F., Thomaz, T.G., Constâncio, T.I., Silva-Junior, A.G.D. and Nobrega, A.C.L.D., 2013. The risks of information in health care: do we need a new decision aid? Clinics, 68(9), pp. 1177-1179.

Stahl, B.C., Doherty, N.F. and Shaw, M., 2012. Information security policies in the UK healthcare sector: a critical evaluation. Information Systems Journal, 22(1), pp. 77-94.

Tran, S.T., Le Ngoc Thanh, N.Q.B. and Phuong, D.B., 2013. Introduction to information technology. In Proceedings of the 9th International CDIO Conference.

Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp. 97-102.

Whitman, M.E. and Mattord, H.J., 2013. Management of Information Security. Nelson Education.

Wintrich, T., Hammer, J., Naber, D.I.D. and Raff, D.I.M., 2015. Next steps in Bosch Diesel System Development to improve performance, noise and fuel consumption. Internationaler Motorenkongress 2015: Mit Nutzfahrzeugmotoren-Spezial, p. 167.