paper on Information systems-I JUST NEED SOURCES EXPLAINED 4 ATTACHED

Description

This assignment will give you an opportunity to analyze the strength of your sources and to practice citing two of your sources in the documentation style you have chosen for your paper. Remember, your final paper must include a minimum of 7 sources with at least 4 sources coming from peer-reviewed journals taken from the APUS library database.

Source Evaluations: After completing this week's required readings, select 2 of the sources you will use in your paper and compose a minimum one page evaluation of each source. Ensure that 1 of those sources is from a peer-reviewed journal at the APUS Library. Be sure to include your documentation style in your heading. After formatting the source information according to your documentation style, use the headings below to create your evaluation.

How the teacher wants this assignment:
First Source (including proper citation)

From Peer-reviewed Journal at APUS Library?

Credible Author: Explain how/why the author should be considered an expert on your chosen topic.
Reliable Publisher: Who is the publisher? What is the publisher's reputation? Has this source been published by a scholarly or peer-reviewed press? Is this source available in trusted archives, such as subscription databases? If this is from a website, how stable is that website?
Accuracy: Does the information seem to be accurate? Does the information correspond with or contradict information found in sources known to be reliable? Has the information been peer-reviewed? Is there a reference list available so you can verify the information? Are there any factual errors, statistical flaws, or faulty conclusions?
Current Information: Is the material up to date? If it is from a website, when was it last updated?
Objectivity (Bias): Are all sides of the issue/topic treated fairly? Do you detect any bias? (For instance, is the author connected to any institution or foundation that might be paying him, which could suggest bias?)


Second Source (including proper citation)


From Peer-reviewed Journal at APUS Library?

Credible Author: Explain how/why the author should be considered an expert on your chosen topic.
Reliable Publisher: Who is the publisher? What is the publisher's reputation? Has this source been published by a scholarly or peer-reviewed press? Is this source available in trusted archives, such as subscription databases? If this is from a website, how stable is that website?
Accuracy: Does the information seem to be accurate? Does the information correspond with or contradict information found in sources known to be reliable? Has the information been peer-reviewed? Is there a reference list available so you can verify the information? Are there any factual errors, statistical flaws, or faulty conclusions?
Current Information: Is the material up to date? If it is from a website, when was it last updated?
Objectivity (Bias): Are all sides of the issue/topic treated fairly? Do you detect any bias? (For instance, is the author connected to any institution or foundation that might be paying him, which could suggest bias?)


Peer reviewed sources from APUS Library:

Okenyi, P. O., & Owens, T. J. (2007). On the Anatomy of Human Hacking. Information Systems Security, 16(6), 302-314. doi:10.1080/10658980701747237

Human hacking is a nontechnical kind of intrusion that relies heavily on human manipulation. Its impact is continuously giving serious concern in the Information technology arena which has often been undermined due to the ease with which this technique is widely used to infiltrate networks through unsuspecting individuals that are undeniably considered the "weakest link" in the security circle. Security awareness that brings about behavioral change, reduces employees' vulnerability, and protects against threats exploiting employees' vulnerability having a positive impact overall on risks related to information assets. Strategies for developing and implementing a successful information security awareness program are presented in this article, which also provides an introduction to the subject of human hacking while discussing the various counter-measures available to minimize the likelihood of such occurrences and their financial, reputation, psychological, and legal ramifications. [ABSTRACT FROM AUTHOR]

Attached sources:

Grimes, H. J. (2007). Security Sickness in the Health Networks. Information Systems Security, 16(6), 355-356. doi:10.1080/10658980701752864

Malin, A. (2007). Designing Networks that Enforce Information Security Policies. Information Systems Security, 16(1), 47-53. doi:10.1080/10658980601051490

Research Spotlights. (2018). Information Systems Research, 29(1), iii-vi.



As for the last 3 sources, you can choose any that talk about the information in the thesis (attached as well).

Unformatted Attachment Preview

Information Systems Security, 16:47–53, 2007
Copyright © Taylor & Francis Group, LLC
ISSN: 1065-898X print/1934-869X online
DOI: 10.1080/10658980601051490

Designing Networks that Enforce Information Security Policies

Alex Malin, CISSP
Los Alamos National Laboratory, Los Alamos, NM, USA
Address correspondence to Alex Malin, CISSP. E-mail: amalin@lanl.gov

One boy is eating peanut butter off a spoon. Another boy is munching on a bar of chocolate. One of them trips and slips. “Hey, you put peanut butter in my chocolate.” “Well you put chocolate in my peanut butter.” They’re both angry until they taste the combination. Both boys smile as they eat. Americans of a certain TV generation will remember the commercial for a candy bar that combines chocolate with peanut butter. The notion that a child who doesn’t like chocolate will touch peanut butter, or vice versa, is universal.

In the world of networking there has been a similar phenomenon. Once upon a time and not long ago, network infrastructure managers generally were adamant that network devices should not do security. Routers should route and switches should switch. Routers shouldn’t be firewalls and shouldn’t mirror traffic for intrusion detection. Switches shouldn’t VLAN or generate flow records. While there have always been exceptions and grey areas, there were many who believed that chocolate and peanut butter should never touch.

Convergence of Network Infrastructure and Network Security Devices

When vendors first shipped network infrastructure gear that was loaded with security features, customers were understandably skeptical. There were performance issues: memory and CPU were costly and precious. For many, the added complexity of configuring and maintaining security features wasn’t worth the cost. Resistance was also philosophical and sometimes territorial.
While the debate between lovers of chocolate and lovers of peanut butter may be eternal, there is no question that attitudes in the network operations center are changing. After witnessing mobile malicious code bringing a network to its knees, network managers understand in a tangible way that they have a stake in making security work. Information security managers are increasingly being heard when they articulate the ethos that security is a business enabler.

Meanwhile, the integration of security features into network infrastructure devices has matured considerably. Network switches and routers subdivide networks and may be configured to restrict traffic between zones to enforce security policies. They create and enforce VLANs and provide stateful firewalls for single ports or groups of ports. Network infrastructure devices prioritize traffic to meet availability requirements for critical systems and enhance the security of services such as VOIP. They sniff traffic and may be configured to generate flow records used to identify indicators of malicious activity and to characterize traffic for network forensics investigations. Network devices may participate in complex identity management schemas, detecting when users or systems connect to the network and then segregating or quarantining systems or users to strictly enforce security policy criteria.

Vendors are more reliably delivering security features at an acceptable cost. Network infrastructure devices will be increasingly capable of enforcing information security policies and demonstrating compliance. A new generation of network engineers is better equipped to configure and maintain a complex system of security in myriad networking devices. New software simplifies the task of configuration management.
When business managers ask network and information security managers the relatively simple question (can you prevent a worm from infecting us again?), the answer is probably still a bit too complex and may depend on technology that is still some years from full maturity. But the answer clearly includes the integration of security capabilities into network infrastructure components.

Opportunity for Information Security Managers

As more security managers become involved in the selection of network infrastructure components, there is a greater opportunity to forge an alliance with network and business managers and to participate meaningfully in network design. This raises the question: how may this increasing influence be leveraged to meet the broader objectives of an information security program? The intent of this article is to offer information security managers an approach to secure network design that is aligned with an information assurance program’s objectives and is readily communicated to management colleagues. This article advocates making security policy enforcement a central element in network design. It defines a set of principles and provides examples for segmenting computer systems into security policy zones, leveraging the capabilities of network components to enforce security policies more effectively.

Networks That Enforce Information Security Objectives

The central idea of the architecture proposed here is that computer networks should be split into distinct network zones. These zones should be organized with the primary objective of articulating and enforcing appropriate security policies. In this context, security policies include all information security objectives that may be addressed through technical mechanisms. In the typical flat computer network, where every client workstation can reach every other workstation and server, there is an implicit assumption that a common security policy applies to all computer systems.
The reality is that not all computer systems and computer users warrant this implied trust. Can every system that connects with the network be trusted with the same level of confidence? Can every computer system be securely configured and maintained with equal facility? Does every computer system have an identical requirement for system availability? Are the integrity and confidentiality requirements of all data identical? Do all computer users need equal access to all systems and all data processed and stored on the network? A network segmented into security policy zones makes these various levels of trust explicit. It also facilitates identifying the variations in risk related to different classes of computer systems and mitigating these risks through technical measures.

Dr. Peter Stephenson, a writer, consultant and researcher, describes the theoretical foundations for this concept in several articles referenced at the end of this work. He defines a security policy zone as a network segment for which the same security policy may be defined for all computer systems within that zone. Stephenson’s central idea is to identify computer systems that share a common security policy and place these systems into distinct network zones. To accomplish this, systems are evaluated by their criticality, the type of information they process and store, various requirements for secure system configuration and maintenance, and the relative trustworthiness of users who access these computer systems or the information they store. All systems in a security policy zone share a common policy and relative priority for many aspects of technical information assurance. An architecture based on security policy requirements facilitates a clear assessment of risk for each zone and the application and enforcement of protection mechanisms that are appropriate for each class of computer assets.
The segregation of systems into security policy zones leverages the capabilities of networking devices to enforce policies more effectively. By clarifying the various requirements for confidentiality, integrity, and availability for each network zone, we may more easily map information security goals to tangible objectives. Mitigation efforts are more easily identified and prioritized. And since most technical measures may be audited, it also greatly simplifies the task of defining metrics that demonstrate continuous improvement in meeting these goals.

Network Zones and System Availability

Not every network manager will readily agree that networks should be segmented. A flat network simplifies the task of routing and switching packets between source and destination. A network infrastructure device that restricts traffic to meet security objectives in effect slows down the delivery of packets, raises questions about the reliability of the network, and complicates the task of troubleshooting network problems. The information security manager should acknowledge the tradeoffs between the benefits of splitting networks into discrete zones and the added costs and complexity associated with schemes that segment the network. It is natural for the network manager to ask, “What is in it for me?” The best way to demonstrate the value of security policy zones to the network manager is likely in the area of system availability. Two instances where these benefits are easily articulated are in the creation of high-availability network segments and the prevention and mitigation of worms. These will each be examined in some detail. Assuring the availability of network-critical systems and services may easily justify the costs associated with filtering internal network traffic.
The creation of a high-availability network zone simplifies the task of devising policies that protect these systems, leverages the capabilities of network devices to apply technical measures that mitigate threats to system availability, and facilitates defining metrics that demonstrate success.

One example of a high-availability zone may be termed the utility zone, consisting of communications infrastructure (telephone, computing), physical plant infrastructure (electricity, heating, cooling), and the safety and security infrastructure (ambulance, fire, police, 911, security badging systems). These and other systems essential to an organization’s operations may be isolated from other network elements, providing stronger assurance that the computer systems that are critical to the delivery of utility systems and services are protected appropriately and that related communications are appropriately prioritized. Most network routers and switches can be configured to prioritize packet delivery for communications to or from specified network segments or VLANs. The creation of a utilities network zone is the critical first step toward prioritizing these communications. The utilities zone may be further subdivided to create zones that reflect an organization’s priorities and values. For example, systems that are essential for life and safety may be given highest priority for TCP/IP communications.

Another likely high-availability zone would consist of the systems on which all other network services depend. In most network environments this would include DNS, authentication, and directory systems. A network design based on the concept of security policy zones isolates systems so that like protection strategies may more easily be identified and applied. Firewall filters set at the router or switch provide a technical means of enforcing these policies along the principle of least privilege. Ingress filters can allow only DNS-related traffic to the DNS servers, for example.
Egress filters may be applied to prevent and detect attacks on these critical servers. The high-availability zone also provides a means to protect critical servers and services when a new threat emerges. In many network environments, operational requirements may dictate the patching schedule for high-availability systems. In some organizations, there is a reluctance to scan these systems for vulnerabilities. This may yield a diminished degree of assurance for the systems that are most important to an organization. When firewall filters enforce the principle of least privilege, exposure to new threats at the network layer is reduced. In environments where high-availability systems cannot be patched immediately, ingress/egress filters may also be reconfigured quickly to apply a workaround that mitigates a new threat.

Defense Against Worms

Segmentation of the network can also add significantly to a multi-layered defense against worms. A network separated into security policy zones combats the spread of mobile malicious code in several important ways. By isolating classes of systems most likely to become infected with malicious code, and by establishing choke points in the network between these higher-risk segments and the rest of the network, we have an opportunity to prevent the spread of an infection to the remainder of the network. The architecture proposed here provides a mechanism to identify and isolate systems (e.g., laptops and remote access) that put other systems at risk. In a network architecture that defines both high-availability zones and high-risk zones, classes of systems that have high-availability requirements may be protected from less trustworthy zones. This raises the likelihood that high-availability requirements will be realized when worms breach perimeter defenses.
By leveraging firewall capabilities in network infrastructure devices, we may prevent the spread of mobile malicious code at relatively little cost. Many worms exploit weaknesses in services that listen on easily identified ports, including 135, 137, 139, and 445. In many network environments, a firewall filter placed between high-availability and high-risk zones may be configured to block this traffic. In environments where some traffic on these higher risk ports is necessary, ingress and egress filters may be configured to explicitly allow this traffic to a limited set of sources and destinations while blocking this port traffic to and from all other hosts. This adds a layer of protection to high availability systems and reduces the risk that a worm infection will lead to a network-wide denial of service.

Commercial intrusion prevention appliances that detect and block attack code provide a strong layer of defense between high-risk zones and the remainder of the network. If the intrusion prevention vendor puts sufficient resources into signature development and maintenance, these devices can offer a significant defense against the entry of worms into the network and against the spread of worms that have breached gateway defenses. As the convergence of network infrastructure and network security devices continues to mature, we may expect intrusion prevention capabilities to be bundled into many network infrastructure devices.

The segmentation of the network into security policy zones creates choke points that are ideal locations for deploying intrusion detection systems. The capabilities of network infrastructure devices may be combined with intrusion detection systems to detect and prevent the spread of malicious code and limit the likelihood that a denial of service results from a worm infection.
For example, if a computer in a security policy zone that consists of laptop computers attempts to connect to 1,000 other systems on port 445 in under a minute, it is fairly likely that it has been infected. Many routers and switches are capable of generating flow statistics that can be used to characterize malicious traffic. When combined with software processes that identify infections, an infected computer may be automatically blocked at the switch or put into quarantine for remediation.

Controlling Access to the LAN

Computers that connect from remote locations raise questions with regard to confidence and trust. These systems may reside on networks that are not as well protected as the enterprise network. The host computers may not be as securely configured or as well maintained as computer systems directly under the control of one’s own organization. There are few technical mechanisms to assure that remotely connected host computers are in compliance with an organization’s security policies. In a flat network, where any workstation can reach every other workstation and server, it is significantly more difficult to apply technical measures that address variations in assurance and trust. A network segmented into security policy zones permits the architect to address variance in risk posed by different channels of network access. Access from locations that are less inherently trustworthy may be grouped into distinct security policy zones. This may include VPN, dialup, and partner or subsidiary connections. Wireless networking is another example of network access that may be inherently less trustworthy. By isolating network connections such as wireless or VPN into separate segments or VLANs, it becomes easier to apply security policies to these connections that are commensurate to their level of trust. It is also easier to change this policy quickly in response to future threats.
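The two mechanisms the article describes at a zone chokepoint, least-privilege ingress/egress filters between security policy zones and flow-record analysis that flags a laptop-zone host sweeping port 445, as an added example (not code from Malin's article). The zone CIDRs, the ALLOW rule set, the 1,000-host threshold, and the flow records are constructed assumptions.

```python
"""Zone policy enforcement and flow-based worm detection at a chokepoint.

Added example, not code from the article. Models (1) least-privilege
inter-zone filters and (2) flagging a host that contacts many systems on
port 445 within a minute, from router/switch flow records. All addressing,
rules and flows below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map (assumed addressing, not from the paper).
ZONES = {
    "utility":  ip_network("10.1.0.0/24"),   # high-availability: DNS, auth, 911
    "servers":  ip_network("10.2.0.0/24"),
    "sysadmin": ip_network("10.3.0.0/24"),
    "laptops":  ip_network("10.20.0.0/16"),  # high-risk: mobile systems
}

# Ports the article lists as commonly exploited by worms.
WORM_PORTS = {135, 137, 139, 445}

# Least-privilege inter-zone rules: (src_zone, dst_zone, dst_port).
# Anything not listed is denied. A port of None means any port.
ALLOW = {
    ("laptops", "utility", 53),     # ingress filter: only DNS reaches DNS servers
    ("servers", "utility", 53),
    ("sysadmin", "servers", None),  # only the admin zone may reach servers
    ("laptops", "servers", 443),
}

def zone_of(ip):
    """Map an address to its security policy zone ('unknown' if none)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def is_allowed(src_ip, dst_ip, dst_port):
    """Chokepoint decision: default deny between zones, explicit worm-port
    block out of the high-risk zone, intra-zone traffic not filtered."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    if dst_port in WORM_PORTS and src == "laptops":
        return False
    return (src, dst, dst_port) in ALLOW or (src, dst, None) in ALLOW

@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int

def detect_scanners(flows, port=445, threshold=1000, window=60.0):
    """Return sources that reach >= threshold distinct hosts on `port`
    within any `window`-second span (sliding window per source)."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport == port:
            by_src[f.src].append(f)
    flagged = set()
    for src, fl in by_src.items():
        counts = defaultdict(int)  # dst -> flows currently inside the window
        left = 0
        for f in fl:
            counts[f.dst] += 1
            while f.ts - fl[left].ts > window:   # evict flows older than window
                old = fl[left].dst
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold:
                flagged.add(src)
                break
    return flagged

def build_sample_flows():
    """Constructed flow records: one infected laptop sweeping port 445 across
    1,000 distinct hosts in 50 seconds, plus a few benign flows."""
    flows = []
    infected = "10.20.5.7"
    for i in range(1000):
        dst = str(ip_address("10.30.0.0") + i)   # distinct destination per flow
        flows.append(Flow(ts=i * 0.05, src=infected, dst=dst, dport=445))
    flows += [
        Flow(ts=1.0, src="10.20.9.9", dst="10.1.0.10", dport=53),
        Flow(ts=2.0, src="10.20.9.9", dst="10.2.0.5", dport=445),
        Flow(ts=3.0, src="10.3.0.2", dst="10.2.0.5", dport=22),
    ]
    return flows

if __name__ == "__main__":
    for src in detect_scanners(build_sample_flows()):
        print(f"quarantine {src} (zone {zone_of(src)}): port-445 sweep")
```

A host returned by detect_scanners is the one the article would block at the switch or move to a quarantine VLAN; is_allowed shows why the same sweep is dropped at the chokepoint even before detection fires.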
Once a network has been segmented into security policy zones, the communications between zones may be studied to identify network traffic that is necessary and legitimate. Ingress and egress filters may then be applied to permit this traffic and block all other traffic, based on the principle of least privilege. The security policy zone architecture facilitates the application of technical measures to mitigate risk posed by variations in assurance and trust. Traffic may be filtered based on the principle of least privilege. Intrusion detection and intrusion prevention devices may be placed at chokepoints between security policy zones to protect information confidentiality, integrity, and availability. A network segmented into security policy zones allows the architect to identify classes of systems that are inherently less trustworthy, place these systems in distinct network zones, restrict traffic between zones, and monitor and audit traffic to enforce and demonstrate compliance.

Protecting Information Confidentiality and Integrity

Many organizations have policies that identify higher protection requirements for specified classes of information. In many environments, law or regulation requires this. Multinational organizations must comply with an array of local laws and regulations. Security policy zones present a significant opportunity to protect data confidentiality and integrity and to demonstrate compliance with these requirements. Computers that process and store sensitive information may be placed in distinct security policy zones. This facilitates the deployment of protections commensurate with the value of the data protected and allows for more finely tuned prioritization of host security measures. Logical access to these segments may be restricted to computer users who have authorized access to these classes of information.
For example, all users should generally have ready access to web-based information on benefits or human resources policies, but access to confidential human resources information may be restricted appropriately. An analysis of this sort lends itself to the easy identification of potential violations in security policy. By placing like information systems into discrete zones, traffic flows between zones may more easily be filtered and restricted to comply with an organization’s security requirements.

Implementation of VLANs is a common approach to the creation of information protection zones. Many organizations approach the problem of identifying information protection zones by creating departmental VLANs. For example, all desktop computers and information servers belonging to the accounting department may sit on a common VLAN. Filters are set so that most other user VLANs cannot route to the accounting department’s VLAN. This presents a network layer barrier to prevent accidental or deliberate disclosure or alteration of sensitive information. In environments where confidentiality of data in transit must be assured, network devices such as routers may be configured to provide point-to-point encryption. The confidentiality of information that is passed over wireless networks may be assured by encrypting traffic between wireless clients and wireless access points.

Server Zones and System Administrator Zones

In many organizations, there are important differences in the requirements that govern the protection of host computers and servers. Separating servers into a distinct security policy zone facilitates the clarification of policy appropriate to this zone and strengthens an organization’s ability to enforce policy through network infrastructure devices. How quickly do server patches need to be applied as compared with workstations?
How often do servers need to be scanned for vulnerabilities as compared with workstations? Are there more exceptions to the common policy based on operational requirements? Are there different flavors of operating systems? Are there different requirements for server availability? The complexity of managing servers adds to the challenge of configuring and maintaining hardened systems throughout the enterprise. Separating servers into a distinct zone (or zones) facilitates the establishment of measures to protect these systems appropriately.

Placing the desktop computer systems used by system administrators in a distinct security policy zone addresses several risk factors related to system administration. System administrators have a unique level of access to business-critical systems and information. The establishment of a system administrator zone facilitates auditing the actions taken by those with authorized system administrator access. It also provides a network layer of defense that reduces the likelihood that an unauthorized user can accidentally or maliciously gain root access to servers, limiting exposure in a situation where an adversary gains or abuses access to the LAN. Once server and system administration zones have been established, access to the server zone may be restricted to the network zone or VLAN used by system administrators. Access to the system administrator zone may likewise be restricted to reduce the likelihood that an unauthorized user may gain logical access to a system administrator’s workstation. The chokepoints in the network created by the establishment of these zones are ideally located to detect attempted or successful attacks directed against these important segments. They may also be used to audit system administration actions, offering a layer of deterrence against abuse. They also enhance our capacity to demonstrate compliance and continuous improvement through metrics.
Host Security

This article has described an architecture based on security policy zones. It has described how network infrastructure devices may add additional layers of defense, enforcing inter-zone routing policies at zone borders and preventing and detecting the propagation of malicious activity. The last section of this article describes how an architecture based on security policy zones may serve to strengthen host security. Host security represents the final layer of defense against attack. The redistribution of hosts into security policy zones may improve host security in three important areas: requirements for each zone are more clearly defined; policies directly address the unique needs of each zone; and efforts to harden, scan, and patch systems are more readily prioritized.

In many organizations, the advent of mobile malicious code has exposed weaknesses in system hardening and patching. Worms exploit weaknesses in system configuration, often targeting default settings that expose systems to vulnerabilities. Worms typically attack systems that have known vulnerabilities for which security patches are available but have not been installed. Newly built systems are particularly at risk. Few organizations can achieve 100 percent compliance with policies that govern system configuration and security patching. It is an open question whether the current model for distributing critical security patches will ever attain 100 percent saturation. In an environment where consistent hardening and patching may not be attainable, better prioritization is needed to provide a higher degree of assurance that more critical systems get the attention they need. The security policy zone architecture directly addresses the need to identify the security policy requirements for various classes of computer systems. In many computing environments, institutional security policies that describe hardening requirements are more generalized and cannot address unique needs.
Systems are scanned on a schedule that cannot address diverse needs. With the segmentation of systems into security policy zones, the requirements and scheduling for hardening, scanning, and patching systems may more appropriately reflect the risk to each zone and each zone’s purposes and unique needs.

References

Stephenson, P. (2004). The Application of Formal Methods to Root Cause Analysis of Digital Incidents. International Journal of Digital Evidence, 3:1.
Stephenson, P. (2003). Modeling of Post-Incident Root Cause Analysis. International Journal of Digital Evidence, 2:2.
Stephenson, P. (2001). S-TRAIS: A Method for Security Requirements Engineering Using a Standards-Based Network Security Reference Model. http://www.sreis.org/old/2001/papers/sreis018.pdf.

Biography

Alex Malin, CISSP, is an intrusion detection system architect and incident response manager for Los Alamos National Laboratory. His interests include assuring information confidentiality through technical controls and integrating security into network design.


Information Systems Security, 16:355–356, 2007
Copyright © Taylor & Francis Group, LLC
ISSN: 1065-898X print/1934-869X online
DOI: 10.1080/10658980701752864

Security Sickness in the Health Networks

Harold J. “Rockie” Grimes
Indianapolis, IN, USA

Introduction

When people ignore warnings of health problems and do not take care of themselves they can become very sick; so it is with the networks in hospitals that support patients. When people responsible for the health network ignore security warnings and do not take care of security, the network becomes “sick” from viruses, worms, and other maladies. Working network security for a medical organization can be a rewarding job to one who desires to contribute to the health and welfare of his fellow man.
We understand that a patient’s welfare, and even the possibility of his or her very life, is dependent upon advanced medical devices residing on hospital networks. Such devices include heart and premature infant monitoring, and devices that triangulate to pinpoint accuracy the concentration of X-rays for the destruction of cancer cells. There are also devices that give doctors the ability to review MRIs and X-rays in their offices or in operating rooms. We must not forget to include the latest ability of getting up-to-date medical procedures and information from the Internet. The medical equipment field has grown in leaps and bounds into the network arena and so has the use of the Internet. The introduction of these medical miracle devices and the dependence upon the Internet has increased the security threat to networks and the possibility of violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements.

Modern medical devices are miracle workers to the personnel who serve the patient and the bane to security of the network. More and more modern devices are based on Microsoft Windows operating systems (OS), whereas older medical devices were based on a proprietary OS that provided some security by its obscurity. Many vendors who provide these systems seem to go for the quick buck and not worry about security threats. They then try to hide behind the misunderstood Food and Drug Administration (FDA) requirement, which implies that system changes after FDA approval require recertification. Vendors claim this requirement includes patching the OS. They continue to make this claim even after the FDA addressed this in 2005 when it basically stated that security patches could be implemented without prior approval of the manufacturer if network security is at risk. (The FDA issued a guidance document titled Guidance for Industry—Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software; see http://www.fda.gov/cdrh/comp/guidance/1553.html.)

Address correspondence to Harold J. “Rockie” Grimes. E-mail: rockie0655@hotmail.com

So what is the cure to this security sickness in health networks? There is no quick fix or magic pill to cure this disease. What is required is a fat pungent pill of educational training and maybe some political tap dancing. The education and political tap dancing are directed toward the individuals who hold the purse strings for purchasing medical equipment. We must approach them with a smoothing salve of political correctness and feed them the fat pungent pill of security awareness education. We need them to be aware of the security issues that endanger the very health of the patients we are here to serve. Teach them the right questions to ask the vendors who try to woo them with snake oil widgets that will cure all ails. We also need to stitch up the gap in their procedures that do not require security reviews and approvals before monies are spent.

There is no fast cure for this sickness. There do exist some Band-Aids that cover up this festering sore in security. Blue Lane Technologies’ product, Sentrigo’s Hedgehog Enterprise package, and IBM’s Internet Security Systems Virtual Patch Technology are only three of many of those dressings that provide protection while waiting for the cure. So, our mission is threefold to help our patients, the health networks:

1. Get the temporary patch solution funded and installed.
2. Feed the fat pungent pill of security education and enlightenment to those who control the purchasing of medical equipment.
3. Patch up the security gap in policy that does not require security reviews and approvals prior to monies being spent.

If we can accomplish all this then the prognosis is good: only minor irritants with an occasional hiccup or two.
Information Systems Security, 16:246–256, 2007
Copyright © Taylor & Francis Group, LLC
ISSN: 1065-898X print/1934-869X online
DOI: 10.1080/10658980701744861

Information Security Policy Development and Implementation

Avinash W. Kadam
MIEL e-Security Pvt. Ltd., Education Services, Mumbai, India

ABSTRACT

Development of the information security policy is a critical activity. The credibility of the entire information security program of an organization depends upon a well-drafted information security policy. Most of the stakeholders do not have the time or inclination to wade through a lengthy policy document. This article tries to formulate an approach to information security policy development that will make the policy document capture the essentials of information security as applicable to a business. The document will also convey the urgency and importance of implementing the policy, not only in letter but also in spirit.

Address correspondence to Avinash W. Kadam, MIEL e-Security Pvt. Ltd., Education Services, C-611/612/Floral Deck Plaza, Mumbai 400014, India. E-mail: awkadam@vsnl.net

Introduction

Rudyard Kipling probably had no idea that his Six Honest Serving Men would be employed by modern-day computer scientists, engineers, and architects for diverse applications. John A. Zachman used them for defining Enterprise Architecture (http://www.zifa.com), whereas John Sherwood used them for defining Enterprise Security Architecture (http://www.sabsa.org). These faithful servants serve anyone seeking a deeper understanding of any complex subject. They are the six simple questions starting with: what, why, how, who, where, and when. If you persist in getting the answers to these six questions, a seemingly impossible task such as developing an information security policy that is relevant to the business, covers major risks, and is practical to implement can actually be done with confidence.

Let us look at the policies which are developed for other business functions. We will look only at two examples, the financial policy and the human resources policy, and ask our six honest men to find out if these policies indeed do what they are expected to do. We will simultaneously map the possible answers to these questions onto the information security policy.

What do these policies contain? The financial policy provides the overall direction the organization should take for having a sound financial basis, which leads to successful business operations. The human resources policy provides the basis for attracting the right talent and retaining them, by employing the right people for the right job at the right remuneration. Does the organization’s information security policy identify the information which is critical for the business? Does it provide the direction to perform the business functions in a safe and secure manner?

Why are these policies defined? The financial policy contains the accumulated financial wisdom on what is appropriate for the business. It provides for the consistency of financial decisions. The human resources policy is based on the sound values of human dignity and fair treatment. This provides an anchor for the right way to deal with people. Does the organization’s information security policy provide a clear insight into the information security issues while dealing with the business processes?

How are these policies used? The financial policy is always referred to while making business decisions. The human resources policy is consulted while taking complex decisions affecting the careers of employees. Is the organization’s information security policy referred to when a decision about the right approach to information usage is to be taken?

Who uses these policies? The senior management constantly refers to both the financial policy and the human resources policy to evaluate any decision to be taken by them. Does senior management refer to the organization’s information security policy to confirm whether their decisions conform with such a policy?

Where are these policies used? The financial policy is used for taking all the financial decisions of the company. The universal applicability of the policy ensures consistency of all the actions. Similarly, the human resources policy is the guiding light for all decisions pertaining to people, irrespective of whether the decisions are taken at the corporate level or at a remote branch location. Is the organization’s information security policy followed universally within the organization, and do all the information security decisions demonstrate consistency?

When are these policies used? The financial and human resources policies are used almost constantly. The organization stops functioning if it ignores these policies. Can we say the same about the organization’s information security policy? Is it used each time information access is granted or revoked?

HOW TO SELL INFORMATION SECURITY POLICY TO THE ORGANIZATION

After reviewing the answers to the six questions, we realize that we have a lot of work to do before the information security policy is considered as important for the organization as the financial or human resources policy. The usual skeptical question will be: if we have survived quite well without an information security policy so far, why do we need it now? We will have to do much internal convincing or selling before converting the organization to believing in the importance of the information security policy and implementing it in a wholehearted manner. We have always needed a financial policy to run a successful business. I am sure that we had sound financial policy even in the days of businesses based on barter. The human resources policy became essential in the industrial age because labor unions demanded fair treatment for the workers.
It has taken centuries of effort for both financial policy and human resources policy to become well accepted and considered essential for sound business. Comparatively, the information age is very young. Although we started using information as a major resource during the past few decades, the major thrust to the information age came from the commercial exploitation of the Internet, which started hardly a decade ago. This is probably one of the reasons for the casual approach we witness while dealing with information security.

Where do we begin our efforts? The answer is, of course, at the very top. But do you think that we will get the top management’s attention and interest if we do not talk the same language that they speak and show the same concerns about the business as they have? How do we get the mind space of the CEO, CFO, and other C-suite occupants? Let us ask our six honest serving men.

What are top management’s concerns? How do we grow the business, make it efficient and effective, and beat the competition? Do we, as information security experts, have some information security concerns which could affect the business? Can we recommend some information security approaches which will help grow the business, make it more efficient and effective, and beat the competition?

Why is top management indifferent about information security policy? Of course business pressures, competition, pressure on margins, and anxieties about the success or failure of new initiatives are some factors, but the most important factor is the fear of the unknown. Most of the senior management is not conversant with the IT field at present, though the awareness is increasing. They will get interested only if the application of the information security policy shows appreciable positive gains. So, it is the primary task of the information security experts to demonstrate the gains through the application of the information security policy. Do we have something to offer to reduce the pressure? Can we contribute our might toward the new initiatives by some measures of information security?

How do we conduct the business in an ever-changing scenario? How do we keep the leading edge? Can the information security policy identify ways to cope with the changing scenario and keep the business at the leading edge?

Who are the people top management can trust to handle the complexities of the new information age? Can information security experts identify new ways of handling the information resources in a reliable manner and safeguard the company’s intellectual property?

Where will top management look for successful approaches to handling new-age initiatives? Can the information security policy provide the direction?

When does one spot information as a valuable resource and create a differentiating factor? Can the information security policy provide that differentiation between a successful organization and others?

You may frame many different questions using the same six words. Your focus should be to find:

⦁ What value the information has for the business
⦁ Why information security makes business sense
⦁ How you can help make the information secure for the business
⦁ Who is responsible for making the information secure
⦁ Where you deploy your resources to make the information secure
⦁ When you know if the security measures are indeed successful

Finding answers to these questions will definitely improve top management’s perception of information security.

BUSINESS IMPACT ANALYSIS

The concept of business impact analysis (BIA) may look out of place here. We usually talk about BIA when we discuss business continuity and disaster recovery plans.
In my opinion, BIA should make its appearance right at the beginning, when we conduct the interview with the top management for formulating the information security policy. The depth, coverage, and details of the BIA will gradually increase as we do more detailed business impact analysis. BIA is the best tool to understand the importance of information security for the organization, and also to make the top management realize how much they depend on information security for a successful business.

How do you conduct a BIA where the top management is involved? First, identify what the critical business processes for the organization are. A critical business process usually has the following features:

⦁ It is one of the star performers for the business.
⦁ It is associated with the brand value.
⦁ Its failure could severely impact the organization.
⦁ Any delays for this business process are unacceptable.
⦁ Major investments have been made in perfecting the business process.
⦁ Major technical investments have been made in making the process efficient.

Based on the answers to these questions, you may classify the business processes as critical, important, and routine. Even a single affirmative answer may provide adequate reason to name the business process as critical. It does not mean that you should ignore the routine processes. It only means that the routine processes can be delayed or deferred without having a major impact on business. One example of a routine process could be payroll processing. If this is delayed, employees can still be paid, but if the just-in-time delivery of goods is not done just in time, you may have a serious impact on business.

Now that we have identified critical business processes, we take the help of our six honest serving men. Can we formulate questions to do a BIA with the help of what, why, how, who, where, and when? Let us attempt some of these questions.

Table 1. Business impact analysis for business process ‘A’

Confidentiality
What? What is the critical information for this process which should be confidential?
Why? Why should this information be confidential?
How? How will the business be affected if the information does not remain confidential?
Who? Who is responsible for the confidentiality of this information?
Where? Where do you store this information to ensure its confidentiality?
When? When does the confidentiality of this information become critical?

Integrity
What? What is the critical information for this process which should always be accurate and reliable?
Why? Why should this information be accurate and reliable?
How? How will the business be affected if the information is unreliable?
Who? Who is responsible for the integrity of this information?
Where? Where do you store this information to ensure its integrity?
When? When does the integrity of this information become critical?

Availability
What? What is the critical information for this process which should always be available?
Why? Why should this information always be available?
How? How will the business be affected if the information is not available when needed?
Who? Who is responsible for ensuring the availability of this information?
Where? Where do you store this information to ensure its availability?
When? When does the availability of this information become critical?

Your objective is to understand the impact of information security on the business, favorable or otherwise. The top management is in the best position to articulate their perception by answering questions like the following:

⦁ What is the critical information for running the business process?
⦁ Why is it critical?
⦁ How can you run the business if this information is not available to you when you need it?
⦁ Can you run the business if the information is not correct or if it is stolen?
⦁ Who is responsible for guarding the information?
⦁ Where is it located?
⦁ When does the information become critical for your business?
When you pose these questions, you can keep some examples ready to explain the concept. You can also give examples of some actual information security incidents and the impact these had on (hopefully other people’s) business. Do you need a quantitative assessment of the business impact of loss of confidentiality, integrity, or availability at this stage? Probably not, but noting down the responses is important. You may get these responses quantified during subsequent interviews with the middle management and the operational staff. This will help you develop the answers into a fully quantified statement when the risk mitigation measures are decided and their costs have to be justified.

We can design a matrix around our six questions and the three pillars of security, namely confidentiality, integrity, and availability (see Table 1). These interviews will reveal the business impact resulting from loss of confidentiality, integrity, or availability of information as perceived by the senior management. Capturing their concerns will help us in formulating the top level information security policy, which will be understood and accepted by them.

Top Level Information Security Policy

How does the BIA help us in formulating the top level information security policy? Actually, we have just found out all the reasons why there should be a top level information security policy. The answers that we got from asking the six questions for the three attributes for all the critical business processes can be summarized in the top level information security policy. We may even write the policy as if we are writing answers to the six questions. The top-level information security policy may look something like this.

“(What?) The organization recognizes information as one of the key resources which helps in running a very successful business, delivering various goods and services (we may be more specific here) to our customers, and meeting the expectations of the stakeholders.

(Why?) We are very proud of the efficiency and effectiveness we have achieved by our fine-tuned business processes (can be more specific). These business processes critically depend on our information systems (can be more specific). Any damage to any information that we possess can adversely impact our business. We strive to maintain all the information with utmost confidentiality and integrity, and make sure that it is available whenever and wherever it is required to be accessed by legitimate users.

(How?) We are aware that we constantly face threats to our information systems. These threats could disrupt our business processes and cause severe losses (can be more specific). It is our intention to deploy all possible resources to ensure that we are able to thwart any such threats and maintain the customers’ and stakeholders’ confidence in us by having appropriate technical, procedural, and administrative measures in place. We have defined these measures against specific threats and risks in our detailed information security policies.

(Who?) The information security measures will be implemented by our information security team, headed by an information security officer, who directly reports to an information security forum (ISF), which is chaired by the CEO. The members of the ISF will be business unit heads and other responsible persons.

(Where?) The information security measures will be deployed throughout the organization, and all the business processes (can be more specific) will be under the purview of this policy. Any breach of this policy will lead to appropriate disciplinary action.

(When?) Information security is a major concern for the organization. We will have incident management teams working 24×7 to promptly resolve any incidents. We will ensure that all the persons working for the organization are appropriately trained so that they can be vigilant whenever they are using the information. We will also educate our customers so that they can promptly notify us if they notice any information security incidents and need our help (e.g., receiving a suspicious email).”

The top level information security policy should be signed by the CEO to carry the message effectively. The above draft gives us a starting point to create an ideal information security policy that reflects the top level concerns of the organization. It will be specific to the organization and will reflect all the efforts spent in conducting a BIA. The BIA will provide enough material to list the real concerns about any compromise of information and how it could affect the organization. An information security policy thus designed will be owned by the top management, as their contributions in identifying the various critical things that may impact the business will be clearly mentioned. They will also understand that their involvement is the key success factor. All the concerns that were identified during the BIA will be subsequently followed through during the formulation of the detailed information security policies.

THREAT IDENTIFICATION

We now have a top level information security policy for the organization. This is an excellent document to get the top level commitment and clearly state the intentions of the organization regarding information security. But it is still a statement of intention and not enough to develop implementable policies. For this, we need to first identify all the threats to the information. The threats we will identify will not be just a general perception of threats. These will now be more specific, as we know what the really critical business processes are. The BIA has given us a good insight into this aspect of the business. We also know which aspects of information security, that is, confidentiality, integrity, or availability, are critical for the particular business processes.
So, we should be able to narrow down our list to the more realistic threats that can pose danger to the critical information assets. We can also create plausible threat scenarios. By now we have a good idea about these from the BIA sessions that we had with the top management. We can also take the help of our six honest serving men and make a table which will remind us not to forget any of the contributing threat factors. Please notice that there could be different types of threats which affect the three pillars of information security. A threat which compromises confidentiality may not cause loss of integrity or cause unavailability. We need to identify each of these separately, as shown in Table 2.

Table 2. Identification of threats for business process ‘A’

Threats to Confidentiality
What? What are the threats to confidentiality of critical information supporting this business process?
Why? Why do these threats exist?
How? How can these threats actually act?
Who? Who will carry out the threat actions?
Where? Where can the attack happen?
When? When can the attack happen?

Threats to Integrity
What? What are the threats to integrity of critical information supporting this business process?
Why? Why do these threats exist?
How? How can these threats actually act?
Who? Who will carry out the threat actions?
Where? Where can the attack happen?
When? When can the attack happen?

Threats to Availability
What? What are the threats to availability of critical information supporting this business process?
Why? Why do these threats exist?
How? How can these threats actually act?
Who? Who will carry out the threat actions?
Where? Where can the attack happen?
When? When can the attack happen?

Table 3. Identification of vulnerabilities for business process ‘A’

Vulnerabilities corresponding to the threats to Confidentiality
What? What are the vulnerabilities corresponding to the threats to confidentiality?
Why? Why do these vulnerabilities exist?
How? How can these vulnerabilities be exploited?
Who? Who will exploit these vulnerabilities?
Where? Where may this happen?
When? When may this happen?

Vulnerabilities corresponding to the threats to Integrity
What? What are the vulnerabilities corresponding to the threats to integrity?
Why? Why do these vulnerabilities exist?
How? How can these vulnerabilities be exploited?
Who? Who will exploit these vulnerabilities?
Where? Where may this happen?
When? When may this happen?

Vulnerabilities corresponding to the threats to Availability
What? What are the vulnerabilities corresponding to the threats to availability?
Why? Why do these vulnerabilities exist?
How? How can these vulnerabilities be exploited?
Who? Who will exploit these vulnerabilities?
Where? Where may this happen?
When? When may this happen?

The questions for threat identification can be asked of the middle management as well as the operational staff. These persons will be facing such threats in their normal day-to-day operations. Their answers will give us a greater insight into the threat perception. This in turn will help us in focusing our efforts on creating detailed information security policies which address these specific threats. The answers that we are seeking from our six faithful serving men are:

⦁ What are the realistic threats to information for our business processes?
⦁ What are the natural threats?
⦁ What are the manmade threats?
⦁ Why do these threats exist?
⦁ Is there a strong motivational factor for the manmade threats?
⦁ Are there strong environmental factors which cause the natural threats?
⦁ How may the threats materialize?
⦁ Who are the major suspects?
⦁ Where will we be hit?
⦁ When are we most prone to these threats?

Once again, remember to ask these questions for each type of information security requirement: confidentiality, integrity, and availability.
VULNERABILITY ASSESSMENT—OR HOW WELL THE ORGANIZATION IS PREPARED AGAINST THESE THREATS

This will be the next logical step in our journey to develop the information security policy. Even without a formal policy, an organization will usually have a few security measures in place. We will try to discover what these are and assess their adequacy. Once again we take the help of our six honest serving men and start probing the middle and operational management into revealing the various practices in place. Some of these practices may even be documented by means of staff notices or departmental circulars. We should collect all of these and study them before conducting the interviews. This will help us understand the current state of information security implementation in the organization.

Notice the complex phrase “vulnerability corresponding to the threats.” It means we want to discover if there are any specific vulnerabilities that can be exploited by specific threats to confidentiality/integrity/availability (see Table 3).

The answers that we are seeking to our six questions will be:

What are the weaknesses in your defense system which may cause leakage of confidential information, unauthorized modification of information, or unavailability of critical information?
Why are these weaknesses there? Has no one noticed these before, or have they been left open in the hope that no threat will ever exploit this vulnerability?
How will a threat take advantage of these vulnerabilities? If you were the enemy, who knows about these vulnerabilities, how would you use the knowledge to cause maximum damage?
Who will most benefit from the knowledge of these vulnerabilities? Will someone be strongly motivated to cause harm to your business?
Where will the attack take place? What is the most vulnerable spot?
When will the attack take place? When is your organization most susceptible?

While seeking answers to these questions, we will realize that each individual question seeks to discover the vulnerability of the basic component which will be the weakest link in the system. Thus, the vulnerabilities of a business process can be narrowed down to the individual components that constitute an information system. The components of an information system are listed below (the first two letters of each component name are used as the column abbreviations In, So, Ha, Pe, Se, and Da in Tables 4 and 5):

Information (or the data) − Data, databases, data warehouses
Software − Application programs, DBMS, operating system
Hardware − Servers, desktops, networking devices
People − Management, users, contract workers
Services − Internet, HVAC, power
Documents − Agreements, contracts, legal papers

Thus we can trace the vulnerabilities of the information system to the vulnerability of an individual component. We can use Table 4 to identify and document whether any of the information system components is vulnerable to any of the threats identified during our study.

Table 4. Vulnerability of individual components of information systems ‘A’ supporting a critical business system

        Confidentiality          Integrity                Availability
        In So Ha Pe Se Da        In So Ha Pe Se Da        In So Ha Pe Se Da
What?
Why?
How?
Who?
Where?
When?

Identifying Action Plans

We need a number of detailed information security policies to address the multitude of vulnerabilities of the information system components which could be exploited by threats and compromise the confidentiality, integrity, or availability of our critical business systems. We need to formulate individual policy statements which address each of these vulnerabilities and the way to control them. We can use Table 5 to pair the threats and vulnerabilities and link them to the information system components under attack. Remember, one threat can exploit multiple vulnerabilities of multiple components.
The next step will be to define the action statements against each threat and vulnerability combination for each of the affected information system components, so that we can reduce the possibility of the threat exploiting the vulnerability of the component and compromising security.

Table 5. Threat—vulnerability pairs and the action statement to address the risks

Threat | Vulnerability | Confidentiality (In So Ha Pe Se Da) | Integrity (In So Ha Pe Se Da) | Availability (In So Ha Pe Se Da) | Action | Policy statement reference

The action statements could consist of a variety of actions. These could include deploying various technical solutions such as firewalls, IDS, or antivirus software, defining some physical measures such as barriers, or certain administrative (e.g., separation of duty) or punitive (e.g., disciplinary action) measures. Each of these becomes an action statement.

Writing Information Security Policies

We now call upon our six honest serving men. The answers to who, what, and why will be included in policies. How, where, and when will be answered by the procedures. The final list of information security policies may be large, as each policy will be written with a specific what in mind. The what is answered by the selection of a control objective. The control objective is defined as a “statement of the desired result or purpose to be achieved by implementing control procedures in a particular process” (COBIT 4.1, IT Governance Institute, http://www.itgi.org). Further, the control is defined as a “means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature” (ISO/IEC 17799, 2005, http://www.iso.org).

Who will achieve the control objectives by implementing appropriate control procedures? We need to define specific roles and responsibilities. The responsible persons should clearly know why the control objective needs to be achieved. The why gives the main motivation factor behind the information security policy. It may be a legal requirement or a contractual obligation; it may be required because the organization believes it is the best practice to follow. Whatever the reason, it should be stated clearly.

We would start the process of writing the information security policies by first selecting appropriate control objectives that need to be achieved. These can be selected from a standard such as ISO 27001, a framework such as ISO 17799 or COBIT, a compliance requirement such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Basel II, or a law such as the European Union Data Protection Act. The selection will depend on the requirements of the organization. The next step will be to write appropriate policies that meet the requirements of the control objectives. This will be followed by writing the detailed procedures. The policies will cover the administrative, technical, management, and legal requirements.

While writing the policy, we should ensure that the action statements fall at the right places in the policies. For example, if we have identified the threat of information theft and the vulnerability is the weak implementation of passwords, affecting the confidentiality of the information, then the action plans will be:

⦁ Administrative
  − Provide appropriate training.
⦁ Technical
  − Enforce strong password selection through appropriate parameters.
⦁ Management
  − Ensure that the password policy is approved by management.
  − Ensure user acceptance by asking users to sign an appropriate form.
⦁ Legal (or compliance) requirements
  − Define disciplinary action.

Yet another threat could be information theft, unauthorized modification, and non-availability due to weak network security.
Then the action plans will be: Administrative − Background check of employees and contractors working in network administration. ⦁ Technical − Access control lists, firewall, server hardening, IDS and so on. ⦁ Management − Periodic review of security incidences ⦁ Legal requirements − Appropriate non disclosure agreements with the networking staff and contract workers ⦁ How Many Policies? You can classify policies in various groups: For defined target group − Everyone in the organization − System managers, administrators − Management ⦁ For specific topics − Information classification − Physical and environmental security − Operations management − Data communication − Network security − Back-up − Access control − Password − Incident management − Business continuity ⦁ Department specific topics − Application development − Compliance ⦁ You may be required to define additional policies for particular topics. For example, the topic of access control could spawn many polices like operating system access control, database access control, remote access control, and so on. Dividing policies into target groups will help you to train the people only for the specific policies. Kadam Writing Procedures and Guidelines Remember, the how, where, and when will be answered by procedures. We need to write answers to these questions. Procedure is a step-by-step method of “how to do it.” It may be a simple thing such as selecting a password or a complex procedure for defining access control rules on the firewall. The “how” should document the entire procedure in as simple a manner as possible. If appropriate, you may use flow charts or decision tables or any other method to convey the message. The “where” will describe the location or the workstation or the right place where the procedure will be performed. For example, a fire evacuation test procedure will be performed in the office or the data center. 
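The paper's Table 5 and the two worked threat–vulnerability examples above amount to a risk register: for every pair, which CIA attribute of which component is at stake, which administrative, technical, management and legal action statements address it, and which policy statement each action lands in. The following Python is an added example, not code from the paper: it models that register and checks it for the gaps a reviewer would look for (a pair that compromises nothing, a missing action category, an action statement never placed in a policy). The component names, policy identifiers such as PWD-01 and NET-02, and the sample entries are constructed for the example, modelled on the password and network cases in the text.

```python
"""Threat-vulnerability register consistency checks (added example, not from the paper)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CIA = ("confidentiality", "integrity", "availability")
ACTION_TYPES = ("administrative", "technical", "management", "legal")


@dataclass
class Action:
    kind: str             # one of ACTION_TYPES
    statement: str        # the action statement itself
    policy_ref: str = ""  # policy statement the action is placed in; "" = not placed yet


@dataclass
class RiskEntry:
    threat: str
    vulnerability: str
    # CIA attribute -> components whose attribute this pair compromises (Table 5 cells)
    affected: Dict[str, Set[str]]
    actions: List[Action] = field(default_factory=list)

    def key(self) -> Tuple[str, str]:
        return (self.threat, self.vulnerability)


def entry_gaps(entry: RiskEntry) -> List[str]:
    """Return human-readable problems found in one threat-vulnerability pair."""
    problems: List[str] = []
    if not any(entry.affected.get(attr) for attr in CIA):
        problems.append("no affected component marked for any CIA attribute")
    for attr in entry.affected:
        if attr not in CIA:
            problems.append(f"unknown attribute {attr!r}")
    kinds_present = {a.kind for a in entry.actions}
    for kind in ACTION_TYPES:  # the paper expects all four categories per pair
        if kind not in kinds_present:
            problems.append(f"no {kind} action statement")
    for a in entry.actions:
        if a.kind not in ACTION_TYPES:
            problems.append(f"unknown action type {a.kind!r}")
        if not a.policy_ref:
            problems.append(f"{a.kind} action {a.statement!r} has no policy reference")
    return problems


def register_gaps(register: List[RiskEntry]) -> Dict[Tuple[str, str], List[str]]:
    """Map each pair that has problems to its problem list; complete pairs are omitted."""
    gaps: Dict[Tuple[str, str], List[str]] = {}
    for entry in register:
        problems = entry_gaps(entry)
        if problems:
            gaps[entry.key()] = problems
    return gaps


def policy_index(register: List[RiskEntry]) -> Dict[str, List[Tuple[str, str]]]:
    """Invert the register: which threat-vulnerability pairs does each policy statement address?"""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for entry in register:
        for a in entry.actions:
            if a.policy_ref:
                pairs = index.setdefault(a.policy_ref, [])
                if entry.key() not in pairs:
                    pairs.append(entry.key())
    return index


def sample_register() -> List[RiskEntry]:
    """Constructed data modelled on the paper's two examples; policy ids are invented."""
    password = RiskEntry(
        threat="information theft",
        vulnerability="weak password implementation",
        affected={"confidentiality": {"information"}},
        actions=[
            Action("administrative", "Provide appropriate training", "PWD-01"),
            Action("technical", "Enforce strong password selection through parameters", "PWD-02"),
            Action("management", "Password policy approved by management", "PWD-03"),
            Action("management", "Users sign acceptance form", "PWD-03"),
            Action("legal", "Define disciplinary action", "PWD-04"),
        ],
    )
    network = RiskEntry(
        threat="information theft, unauthorized modification, non-availability",
        vulnerability="weak network security",
        affected={attr: {"information", "services"} for attr in CIA},
        actions=[
            Action("administrative", "Background check of network staff and contractors", "NET-01"),
            Action("technical", "ACLs, firewall, server hardening, IDS", "NET-02"),
            Action("management", "Periodic review of security incidents", "NET-03"),
            # NDA action written but not yet placed in any policy: the check flags it
            Action("legal", "Non-disclosure agreements with networking staff"),
        ],
    )
    return [password, network]


if __name__ == "__main__":
    for pair, problems in register_gaps(sample_register()).items():
        print(pair, problems)
```

Run stand-alone, the script reports only the network pair, whose non-disclosure action has no policy reference; the password pair is complete. `policy_index` gives the reverse view the paper asks for when it says action statements must "fall at the right places in the policies": for each policy statement, the pairs it is supposed to cover.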
The answer to “when” for the same fire evacuation test may be: the last Friday of every month, between 3.00 and 4.00 p.m. A clearly written procedure will be a great help when implementing any policy. You may also include additional guidelines to supplement the procedures. For example, a guideline on how to select a complex password that is also easy to remember will be greatly appreciated.

IMPLEMENTATION

You have completed all the back-office work. You made your six honest serving men slog day and night. Now is the time to deliver the great meal that you have cooked. Implementation is the hardest part. Acceptance by the organization depends on many factors. You will have to constantly battle with the conflicting demands of security versus ease of use. Implementation cannot be done just by issuing a fiat. Human ingenuity will always find ways of circumventing things that are viewed as obstacles. You have to take the entire organization into confidence.

Implementation at the Top

Where do you begin your efforts? The answer is, as usual, at the very top. Top management has to give its whole-hearted approval to all the policies you have developed. These policies will have proposed many changes. These changes will be of different types. Some will be mere procedural changes, but some may require a totally new approach. Some changes will be technical in nature, others will be administrative. Changes will affect everyone in some way or another. By proposing the information security policy, we are trying to introduce discipline in handling information for the organization. Discipline brings in restrictions, and restrictions are usually resented, at least in the beginning. A new information security policy may also require additional investment in people, processes, and technology. You will have to prepare budgets and also do a cost/benefit analysis to justify the expenditure.

So, you will have to prepare a full report on the new information security policy and present it to the top management forum. The report should include a complete project plan giving details of the activities required to implement the various policies. These activities will include procurement and implementation of new equipment or techniques such as firewall, IDS, single sign-on, and so forth. It will also include training plans for the entire organization. It will specify how the implementation activities are to be monitored and reported and answer the most important question that top management loves to ask: what is the return on security investment (ROSI)? How do you prepare and present the report? Ask our six honest serving men to help. Explain to top management, through your report and presentation, the answers to the six questions we are so familiar with: what, why, how, who, where, and when:

What are the information security risks that were identified? What is the total investment in security? What is the ROSI?
Why are these risks so critical? Why is the business impact due to these risks not acceptable?
How will information security policies help mitigate these risks? How much money will be spent in procuring the security products and techniques and implementing them? How much time and money will be spent on training all the persons in the organization?
Who will be responsible for the successful implementation of these policies? Have we assigned responsibility for each policy?
Where is the implementation planned? Will the implementation happen at all locations or only at selected locations?
When is the implementation planned? Will it be a big-bang approach or a phase-wise approach?

You will have to be very well prepared to defend your proposal. An especially tricky part will be the response to the questions regarding ROSI. You will have to convince top management that avoiding a security incident is much cheaper than paying for the losses that a security incident may cause. The return will be the savings from the potential future losses. Once you have got the approval, you have won half the battle. The next step will be to prepare a training program especially for the top management. You will have to clearly explain their ongoing role in information security for the organization. They will have to lead the organization by setting a good example. If the boss participates in a fire evacuation drill, no one will pretend to be too busy and avoid such exercises. If senior management regularly changes their passwords and learns how to encrypt the data on their laptops, no one will complain about the extra work involved in securing the information. Top management will have to “walk the talk” and demonstrate complete adherence to the information security policy that they have endorsed.

Implementation at the Operations Level

This is where you will train the actual implementation team. The system administrators, network administrators, and various other operations staff will be made familiar with the new information security policy. They will already be familiar with the approach. They will be specifically trained on their areas of responsibility so that they have an in-depth knowledge of the technology used and the new procedures to be followed. We will seek the help of our six faithful servants to make sure that we do not miss anything of importance. We provide answers to the following questions during the implementation at this level:

What are the new requirements of the information security policy in individual areas of operation? What are the new products and procedures being implemented?
Why were these products and procedures selected?
How do these products and procedures work? How do we configure and customize them? How do we test them? How do we maintain them? How do we troubleshoot them?
Who will be responsible for each product and procedure?
Where will the products and procedures be implemented?
When will the products and procedures be operational?

We will have to design the technical training programs for the specific security products and procedures selected for the implementation. The operations persons will have to become very well versed in handling the new security measures. They will also need to be trained on the various reporting and escalation procedures. The incident management and response team will require specialized training. The business continuity and disaster recovery team will also need specialized training. All these training programs will have to be completed before the actual implementation. Operations staff should be made responsible for implementing the security controls. This will build their confidence, expertise, and sense of ownership.

Implementation for Everyone

This can only be done by a major drive to educate everyone. The right message should reach the right people. The training programs have to be designed keeping in mind the actual groups being addressed. The trainer has to talk the language of the audience. The same training that goes well with system administrators will be received with stony silence or yawns by the general users. Only the relevant policies and procedures should be covered for each group. You may have to customize the training programs. The application programming group may require different training programs compared to the helpdesk staff. The training programs should be designed to provide convincing answers to our six questions.

1. What is the objective of the information security?
2. Why is it necessary to follow the information security policy of the company? Will something really go wrong if we do not follow the policy? Can you give us some examples?
3. How do we work with all these security controls around us?
4. Who is responsible for the information security? Am I really responsible for every piece of information that I access?
5. Where are the security controls? Are they implemented in my area of operation? Are they implemented on e-mail servers, web servers, desktops? Are there physical security controls? Where are they located?
6. When are these security controls going to be made operational?

You may devise various ways of delivering the training. It could be classroom training, Web-based e-learning, or video-based training. There should be some amount of interactivity in any type of training. The audience should be made to participate in answering our famous six questions pertaining to the training topics designed for them. If they get involved in answering these questions, they will start appreciating the reason for the policy, the necessity of implementing the procedures and, more importantly, their own role in guarding the information assets of the organization. You have properly developed the information security policy when the end users can answer the six questions. You have correctly implemented it when they feel responsible for their role.

BIOGRAPHY

Avinash Kadam is the Chief Knowledge Resource at MIEL e-Security, a company in the domain of Information Security Consulting, Training, Implementation and Audit. He has worked in the I.T. industry for more than 35 years, of which the past 10 years were totally focused on Information Security. He has handled major information security consulting projects for large organizations.

Sade Montgomery
Coll 300
6-24-18

Information Systems

Information systems are essential as they are involved in multiple applications that make our lives better, complementing the technology that runs our day-to-day lives, with various algorithms in continuous development to aid in the working of the information systems.

Research questions asked while formulating the thesis

There was consideration of various research questions during thesis creation. What is Information Systems and how does it help the running of an institution? What are the advantages of an elaborate information management system? What are the consequences of having a redundant information system? How can the users increase the reliability and effectiveness of the information management system?

The purpose of writing the paper

The paper is informative as it allows the user to understand the workings of an information system. After reading the article, the reader should know the importance of having a well-structured information system, and understand the misgivings of a weak information system. The paper also persuades the reader to always opt for a well-organized information system to store their data.

Author’s knowledge on the topic

An information system is the interaction of computer hardware and software, coupled with data and people, to attain a given goal (Galliers and Leidner, 22). They allow the safe and efficient sorting of data. An information system consists of two parties, the administrators and the users. The administrators are mostly involved with updating user information and have access to the whole system. The users have clearance only for the sub-sections that affect them. An efficient information system is therefore well organized, has a great user interface, has maximum data security, and allows the easy manipulation of data by the administrators. As the paper’s author, I believe in an efficient and well-managed data management system, and this will form the basis of my arguments across the paper. A well-formatted information system is of great importance to all the involved parties.

Readers’ knowledge on the topic

The paper’s readers are my classmates, and we, therefore, share the same necessary information about the information systems. The readers understand the basic terminology involved in this topic, and hence it will be easy to put my thoughts across on the matter. Since the audience is technically acquainted, the paper will focus on more intricate workings of an information system. Since the audience has an inner understanding of information systems, they understand the importance of having an efficient data management system. However, they need to be persuaded by the paper to avoid taking shortcuts as they create data management information systems.

Readers’ point of view to understand the topic

The readers need an exposition on the effects of a poor information process. The paper will, therefore, have a case study and will show how difficult it is to carry out activities such as data mining to expressly predict future trends of the data. By getting the downsides of an imperfect system, the readers will always opt for well-structured information systems.

Research points

Since information systems is a broad topic, the paper has to focus on just a few of its applications. My research will, therefore, focus on the algorithms that will promote a well-structured user information system. I will also research how data can be effectively inputted into the system and the manipulation of the data for results such as graphs and pie charts if and when required. The research will also monitor the recent market trends in data management systems and will add this information to the paper to encourage the readers to adopt them.

Work Cited

Galliers, Robert D., and Dorothy E. Leidner, eds. Strategic information management: challenges and strategies in managing information systems. Routledge, 2014.

Explanation & Answer

hello, kindly find the attached completed work. Thank You.

Running head: INFORMATION SECURITY


Information Security
Name
Institution
Professor
Course
Date

First Source

Source: Okenyi, P. O., & Owens, T. J. (2007). On the Anatomy of Human Hacking. Information
Systems Security, 16(6), 302-314. doi:10.1080/10658980701747237
Documentation style: APA
Authors: Okenyi, P. O., and Owens, T. J.
Thomas J. Owens is a doctor at Brunel University London in the College of Engineering, Design, and Physical Sciences. From February 2014 until March 2018, Tom was an Executive Vice President of Real Estate at Cinemark Holdings Inc. Mr. Owens is also a co-owner at Thomas J Owens and Margaret E Richards Trust. Since 1996, Mr. Owens has served in executive positions in various companies and organizations dealing with information technology and other technological development aspects. Lastly, Owens is currently conducting research fixated on Security and Network Security of Wireless Communications, a course he also teaches in London. Okenyi P.O. is also a doctor who has worked with SWH IT security, HSBC Technologies, Inc. Before his entry to HSBC, Okenyi worked at Credit Suisse Asset Management New York (CSAM NY) and as a part of the IT Risk team in Credit Suisse First Boston New York (CSFB). Dr. Peter Okenyi additionally has worked as a senior security consultant for eFortresses, which is located in Atlanta, Ga. eFortresses is a firm...

