The federal government has enacted several laws aimed at improving protections related to identity theft. Many states have also taken legislative action regarding identity theft protections. Businesses are faced with the challenges of understanding and following federal and state laws in order to ensure customer and employee information is protected.
Finance plays a crucial role in the development and operation of an effective and efficient information security (IS) program. On one hand, the role of finance in security relates to expenditures and business priorities.
Many companies have begun extending employee monitoring to include off-hours or off duty activities. Mujtaba, Griffin, and Oskal (2004) attribute reduction in employee privacy rights, including employer monitoring off-hours, to recent terrorist attacks such as the Columbine shootings and the events of 9/11 (p. 35). Companies pursuing a risk management strategy that includes off duty monitoring of employees must proceed cautiously to avoid legal action from employees for privacy violations.
Both identity theft and medical identity theft have significant negative impacts for the victims. Since the victim’s identity has been stolen, the process of establishing that the victim did not actually complete the financial transactions is lengthy and difficult.
In the 2007 article, “Strategic risk management: Creating and protecting value,” Beasley describes Enterprise Risk Management (ERM) as, “an emerging business practice […] that emphasizes a top-down, holistic approach to effective risk management for the entire enterprise” (p. 26). As Beasley explains, ERM is distinguished from traditional risk management because ERM “strategically [considers] the interactive effects of various risk events with the goal of balancing an enterprise’s portfolio of risks to be within the stakeholder’s appetite for risk” (p. 26); whereas, traditional risk management is a “silo […] approach, where risks are often managed in isolation, with minimal oversight [of affects to the enterprise as a whole]” (p. 26). Beasley describes an ERM framework known as, “The Return Driven Strategy Framework,” and describes how the framework could have helped in several real cases where risks became issues.
Intrusion detection systems (IDS) seek to identify malicious network traffic. Intrusion prevention systems (IPS) advance IDS technology with the ability to dynamically adjust network and systems configurations to block malicious traffic as it is detected. As Gonzalez, Paxson, and Weaver (2007) state, “stateful, in-depth, inline traffic analysis for intrusion detection and prevention is growing increasingly more difficult as the data rates of modern networks rise.” In order to better understand the technical challenges and associated innovations associated with IDS and IPS, the author proposes to conduct a review of the literature on the subject of next-generation intrusion prevention systems.
Secure information systems design theory is an area of information security that continues to need additional research. Models such as Siponen et al. provide a theoretical framework for SIS design that organizations and security practitioners can implement and utilize. However, further research and development is needed to continue to meet modern threats.
Many organizations are implementing biometric access controls to help ensure security policies are effective. By incorporating a biometric into authentication and identity verification procedures, an extra measure of precaution is taken that improves the certainty that the person is who they say they are. Biometrics utilize physical, behavioral, a combination of both physical and behavioral characteristics to identify a person (Zorkadis and Donos, 2004). Of the many biometrics available for use, fingerprinting is one of the oldest and most widely used.
When using company assets, employees generally do not have a reasonable expectation of privacy. As shown by the case of Smyth v. Pillsbury, even in cases where a private e-mail account interfaces with a monitored business e-mail system, the employee should not have an expectation of privacy.
Aerospace and defense contractors that work with the US Department of Defense are required to comply with one or more regulations governing security and the handling of classified information. The National Industrial Security Program (NISP) provides compliance requirements for private industry handling classified information on behalf of the US government. Specifically, the NISP publishes the National Industrial Security Program Operating Manual (NISPOM). NISPOM Chapter 8 provides certification and accreditation requirements for facilities processing or handling classified information. Similarly, the Director of Central Intelligence Directive 6/3 (DCID 6/3) defines the certification and accreditation processes for information technology projects that require Top Secret (TS) or Secure Compartmentalized Information (SCI) clearances.
Send me an e-mail message.
Call me at (520)762-4962
Connect via Skype:
Schedule a meeting:
@itbrian on:
