The new technologies allow a company to compete efficiently and to obtain the available information where and when it is needed, so they have become an essential tool to offer products and services with higher quality.
This information aims to understand how Information Services operates and manage cybersecurity. As well as is focused on the understanding of the Cyber Essential Plus certificate that the UK provides to organisations that comply with the security controls enunciated by this certificate.
Security Management must, therefore, ensure that the information is correct and complete, is always available to the business and is used only by those who are authorised to do. UK government has implemented a scheme that helps on the Information Systems of the organisations. The name is Cyber Essentials which validates that the company has in place the necessary procedures, for example, to minimise the threat of an attack on the computer infrastructure in the organisation and on the computers or devices used by employees and users. As well as to regularly evaluates and updates IT security to eliminate the risk of any disruption to the organisations’ activities
Security Management needs to set up a reasonable and characterized security arrangement to control every different procedure. Additionally, builds up a Security Plan that incorporates the fitting degrees of security both in the services provided to customers and in the service agreements marked with inward and outer providers. Moreover, actualize the Security Plan, screen and assess consistence with the arrangement, proactively screen security levels by breaking down patterns, new dangers and vulnerabilities and lead intermittent security reviews. (Limited, A, 2019)
So based on this information, there are some opportunities and challenges that Napier University is facing on Information Services and Security.
Implementation of Security Measures
Firstly, it is the responsibility of the Security Management to coordinate the implementation of the protocols and security measures established in the Security Policy and Plan. These employees should be in charge of:
- Define policies and procedures
- Implement
- Monitor
Also, it is important for companies to:
- Allocate the important assets.
- Generate the important reference documentation.
- Collaborate with the Service Center and Incident Management in the dealing with and goals of security-related episodes.
- Install and keep up the important equipment and programming devices to guarantee security.
- Assist with Change Management and Delivery and Deployment Management to guarantee that no new vulnerabilities are brought into creation frameworks or test conditions.
- Propose RFCs to Change Management that assure security levels.
- Collaborate with Service Continuity Management to guarantee that the honesty and classification of information are not traded off in case of a calamity.
- Establish data get to arrangements and conventions.
- Monitor systems and system administrations to distinguish interruptions andassaults.
In this context, a global vision of the infrastructure, applications and services included in the organisation is required, as well as intelligent and efficient data crossing in real-time to identify patterns that may indicate that a security incident is taking place and allows companies to respond quickly to such alerts.Furthermore, to guarantee the security of an organisation, it is fundamental to identify and manage security incidents in real-time, in order to prevent attacks, information leaks, fraud and to comply with the requirements of international security regulations such as ISO 27001.
It is not possible to improve what is not known, so it is essential to evaluate compliance with security measures, their results and compliance with the policies from the Electronic Information Security Policy. Although it is not essential, it is recommended that these evaluations be complemented by external or internal security audits carried out by personnel independent of Security Management. These evaluations/audits should assess the performance of the process and propose improvements that will be reflected in RFCs to be evaluated by Change Management. (Limited, A, 2019)
Independently of these periodic evaluations, specific reports should be generated each time a severe security-related incident occurs. Again, if Security Management deems it appropriate, these reports will be accompanied by the corresponding RFCs.
Internal Audit stats the general framework within which to frame all the sub- processes associated with Security Management. The complexity and intricate interrelationships have a clear overall policy setting out such aspects as objectives,responsibilities and resources. In this Internal Audit guideline, the audit must have a member of the Security Team (Data Controller or Data Protection Officer) and a coordinator to following the guidance of the policies.
Any Information Services (Technical Services) manager acting as a Duty Manager can authorize emergency action to be taken when necessary to implement this policy. Long- term intervention requires a DPO and at least a Board Director.
The challenge that most companies are facing up is related to out of date policies and procedures; An opportunity is to revise all these policies and put into practice new procedures. The Institute of Internal Auditors recommends providing dynamic leadership for the global internal audit profession. The exercises on the side of this crucial pushing and advancing the worth that inward review experts add to their associations, giving exhaustive expert, instructive and advancement openings, norms and other reasonable expert direction, and accreditation programs, look into, scatter and advance information with respect to inside review and its fitting job in charge, hazard the board and administration to specialists and partners and teach professionals and other significant crowds about prescribed procedures in interior evaluating. (Institute Internal Audit, nd)
Right Security Management isn’t the duty (restrictive) of “security specialists” who are ignorant of different business forms. In the event that users (students or staff ) fall into the enticement of building up security as a need in itself, we will restrict the business openings offered by the progression of data between the various operators included and the opening of new systems and correspondence channels (Limited, A, 2019). It is additionally fundamental for Security Management to stay up with the latest with new dangers and vulnerabilities against infections, spyware, forswearing of administration.
As well if a new policy is put in place, this could minimize any service interruptions caused by viruses or computer attacks. As well information is accessed when needed, and confidentiality of data and the privacy of clients and users are preserved. Also, improves client and user perception and confidence in the quality of service. (Limited, A, 2019)
The main difficulties in implementing Security Management can be that the staff does not receive adequate training for the application of security protocols because Cyber Essentials Plus does not need specific training but companies should provide training to staff members in order to achieve those Cyber Essentials goals (for example-how to detect Phishing emails) But again, Cyber Essentials is focused in the implementation of the necessary changes to achieve those goals stated in the Cyber Essentials UK website.
In an organisation like an university that is providing education to a vast range of people and also staff members who are also users of the ICT it is essential to fulfilling with all the certifications like Cyber Essential Plus to make sure that the organization is almost 100% secure. Furthermore, this university should try to provide training sessions relate to Cyber Security to make sure that all users (students and staff members) have the know-how on understanding a possible failure of the security system. Nowadays, the phishing/spam attack shows the lack of security system.
In order to be strong in the increasingly competitive educational system market, universities have a proper customer service and without providing adequate support to the services offered, this universities could fail to provide an excellent service and do not create value from it. A good example is how a Help Desk that could provide with surveys to users to learn how is the service provided.