Proposing questions to assess your organization’s security technology

Answer

ACCESSING ORGANIZATIONAL IT SECURITY

                Regulatory compliance is a factor which is ever-increasing and impacting how firms conduct their business. Information technology firms face a challenge when it comes to establishing a policy based on the new requirements as they struggle to establish concrete controls that can be effectively deployed within the firm. Information security is a critical asset that the firm’s management should consider protecting to uphold legal considerations.[1] This paper documents the questions which the senior managers within a firm can be asks to understand the level of firm’s exposure to risks related with legal compliance. The questions are focused on establishing if the firm is adequately prepared to handle the best practices needed for the legal and non-legal compliance.

Are the critical IT systems within the organization able to observe data confidentiality?

                This is an important question as it seeks to determine if the confidentiality of the data held within the system can be managed. Evidently, cases involving confidentiality breach is one of the common cases reported by the media which suggest non-compliance to the required measures aimed at protecting sensitive customer information.[2] With this question, the senior management will be required to explore other set of sub questions as outlined below.

Can third party users access the information available on the system without proper authorization?

What actions are undertaken to ensure that only authorized people will have an access to sensitive data?

What are some of the back-up plans that the firm is prepared to initiate in the events where they learn of a potential confidentiality breach to prevent the loss of sensitive data?

How is the firm prepared to handle integrity issues?

                With information systems, unauthorized users can have access to the system and hence make alterations to its source. Firms ought to be prepared to show a legal and regulatory compliance to avoid instances of potential integrity breach and concerns. Additional questions to be explored under this area are outlined below.

How can you verify that the information source is genuine and has not alterations whatsoever before trusting the content?

What measures do you have in place to keep off attackers from the system to prevent any form of malicious activities related with the breach of data integrity?

How often do you schedule checks and auditing procedures to ensure that the data integrity is maintained at the required minimum and that the content of information on the system is legit?

Is information always available to the authorized users?

                Information availability is an important element of computer systems suggesting a legal and regulatory compliance.[3] Therefore, this is one of the important areas which should be examined to prevent potential litigations in the event of a breach. Some of the potential questions to be explored in this case are outlined below.

What measures do you have in place to prevent instances of denial of service attacks?

Natural disasters may be beyond your control. However, how do you plan to promote the availability of data and information to all authorized users in the events of a natural disaster or unexpected human actions?

Do you engage in constant system updates?

What measures do you have in place to ensure the normal use of the systems and data availability in the events of system failures?

[1] Jim, Breithaupt and Merkow, Mark. Information Security Principles of Success. Pearson, 2014

[2] Ibid.

[3] Jim, Breithaupt and Merkow, Mark. Information Security Principles of Success. Pearson, 2014