Information Security and Risk Management in IT (Term Paper)

Total Length: 1322 words (4 double-spaced pages)

Total Sources: 6


SECURITY

Information Security and Risk Management in IT

This essay presents and discusses both an assessment of information security and risk management in IT systems and a comparative discussion of important academic theories related to security and risk. In the first section, An assessment, a conceptual framework is developed, including reference to important terminology and concepts as well as an outline of legislation and authorized usage examples. In the second section, Comparative discussion, the academic theories are briefly compared.

Conceptual framework

To begin any work of this nature, it is important to clarify important terminology and concepts. First, an information technology (IT) system is also known as an application landscape, or any organism that allows for the integration of information and communication technology with data, algorithmic processes, and real people (Beynon-Davies, P., 2009 (1)(2)). Every organization consists of some type of IT system in which this integration of processes, activities, information, and technology provides a landscape for decision-making, operations, management, leadership, and any (or all) other organizational functions (Beynon-Davies (1)(2)). IT systems can be

The next important concept to define is that of information security. This concept is about protecting information from the unauthorized access to it for any/all of the following purposes: viewing, disclosing, modifying, exploiting, copying, critiquing, or destroying (or any other unauthorized (mis)use). The people whose information exists within these systems and who interact with these systems count on the confidentiality of the data and the integrity of the processes. The people who create and manage these systems (for whatever purpose) count on effective and efficient functioning and protocols for security and risk management.

The same can also be said for risk management. Risk management is a process for maintaining information security and protocols for it in the case that threats do arise. In fact, the risk management process is one of identifying any opportunity for a threat to arise, assessing the nature and (possible) outcomes of such threats, and prioritizing the focal points for when and where threats may arise. In other words, risk management is about identifying, assessing, and prioritizing risks as well as organizing and implementing protocols for minimizing, monitoring, controlling, and addressing the potential impact of such risks should they arise (Hubbard, D., 2009).

The tasks of information security and risk management within IT systems are important issues that all organizations have to deal with to some degree. The complexity of these issues varies depending on the purposes of the system, the size of the organization, and, of course, the nature of the organization, the number of systems it runs, and the sensitivity of the data its systems contain. Another important point is to acknowledge the overarching protocols that are established by legislation regarding information security and risk management.

Some examples of information security legislation and government protocols are listed and described as follows:

1. HIPAA (Health Insurance Portability and Accountability Act): Signed into law in 1996 and since updated appropriately. This Act seeks to make information more secure from any access/usage outside of strict health care boundaries.

2. U.S. PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act: Signed into law in 2001, it is intended to minimize the restrictions on any law enforcement agencies and essentially make information less secure when these agencies justify access for evidence or intelligence gathering processes or threat assessments related to domestic or global terrorism.

3. Sarbanes-Oxley (Public Company Accounting Reform and Investor Protection OR Corporate and Auditing Accountability and Responsibility Act OR SOX) Act: Signed into law in 2002 to establish and enhance the standards on public accounting firms, public company boards, and management firms in response to a series of serious corporate responsibility and accountability scandals that affected national securities markets. This Act seeks to make information more secure and management requirements more stringent (SEC, 2011).

4. GLBA (Gramm-Leach-Bliley Act or Financial Services Modernization Act): Signed into law in 1999, to….....
