VirtualSpaceTours.com is an Australia-based company operating in the area of virtual space tourism. The company sells and organises virtual tours to the Moon, Mars and other planets over the Internet. The company's strategic mission is to pioneer virtual space tourism and mixed-reality research for future mixed-reality tourism. Over the next 10 years, the company will focus on two strategic objectives:
In your new position, you have realised that the company does not have any effective information security controls in place. You have therefore started to develop an information security strategic plan for the company and have drafted its structure as follows:
Background of the current information security environment in Australia
The company VirtualSpaceTours.com is based in Australia and is engaged in the business of selling and organising virtual tours over the Internet. Internet and other information technology principles and techniques are therefore the chief components of the company's business. In addition, information technology practices support the company in a range of business operations, from international trade, finance and marketing to corporate social responsibility management and overall strategic planning.
However, according to the recent Global State of Information Security Survey (GSISS) conducted by PwC, cybercrime and information security threats are consistently hindering the national and economic prosperity of Australia. This report therefore aims to describe the various facets of information security practice in Australia and to implement best practices in the organisation.
The report begins with a description of the background of the current information security environment in Australia, in terms of trends, threats and issues. It then sets out the responsibilities of the CISO, the Information Security Executive Manager and the Information Security Technical Council. The report concludes by defining the strategic objectives for the information security of the company and proposing key initiatives for fulfilling those objectives.
Cybercrime is a major threat to a country's economic and financial wellbeing, and Australia is no exception (Australian Cyber Security Centre, 2018). These crimes are popular among criminals because of the potential to earn large and instant profits, and because the risk of the criminals being identified and their activities being stopped is low. One popular means of extorting funds from a wide range of victims is ransomware. The widespread success of financially motivated criminal threats exposes organisations like VirtualSpaceTours.com, whose work centres on virtual reality and whose data is stored in the cloud. The company is currently a new player in the field of virtual reality technology. It offers tough competition not only in the Australian market but all over the world because of its unique technology that organises virtual tours to the Moon, Mars and other planets. The company has earned itself a strong base of 1 million customers around the globe and is growing at an unprecedented pace.
The mission of the company's information security office is to make information security considerations an integral part of the job, habits and conduct of the employees of VirtualSpaceTours.com, thus embedding information security principles in the day-to-day operations of the enterprise. Developing and implementing a successful information security programme within the organisation requires mutual understanding and coordination between top management and employees. It also requires shaping the overall culture, strategies, policies, employee practices and processes of the entity within the Australian legal and technological framework laid down by the Australian Cyber Security Centre (ACSC), in addition to the Notifiable Data Breaches scheme administered by the Office of the Australian Information Commissioner (OAIC) under Part IIIC of the Privacy Act 1988 (Privacy Act) (OAIC, 2018). Alongside laying down the procedure for implementing the information security principles, the mission is therefore also to prescribe the framework for measuring and updating those principles from time to time.
Roles and responsibilities of the CISO, Information Security Executive Manager, and Information Security Technical Council
The first step in implementing the information security principles for the enterprise is assembling the team. The composition of the team is crucial to ensuring that the principles reach every level of the organisation, that the technological infrastructure is kept up to date, that all employees are engaged, that legal and regulatory requirements are complied with, and that the information security programme has overall legitimacy and longevity.
A CISO must have expertise in information security, good security governance, people and overall progress management (World Economic Forum, 2017). A CISO's crucial role includes functions such as communicating with the working group, aligning the information technology and security goals of the enterprise, participating in drafting the information security principles and strategy, and representing security at the executive level (Australian Government, 2018). In addition, he or she must provide comprehensive insight to the senior management of VirtualSpaceTours.com about security developments, risks and the potential courses of action that can be taken.
The roles and responsibilities of the Information Security Technical Council are to contribute its expertise in information security practices and to ensure that up-to-date technical measures are adopted by the entity. The role also includes assessing technological risk, managing that risk, offering guidance to senior management and aiding decision-making overall. The council must equip itself and the senior management of the entity with knowledge of the national legislation of Australia and of the other international laws applicable to the business of organising and selling virtual tours. In addition, the council is required to draft the contracts with outside parties and employees and to monitor employee behaviour in accordance with the legal framework (Ben-Asher and Gonzalez, 2015).
The role of the Information Security Executive Manager is to bridge the gap between the employees and management. This includes practices such as awareness raising, training and communication. The role also includes developing an effective communication channel at the various levels of the entity and ensuring that security messages are used effectively.
Strategic objectives of VirtualSpaceTours.com
The strategic objectives of the company VirtualSpaceTours.com are listed as follows:
Assessment and development of the information security resources, policies and objectives: The information security strategy is the long-term plan and must be supported at the highest level of the entity; a policy document defines the roles, responsibilities and hierarchies for implementation. Defining the strategy prepares existing employees for the upcoming challenges and roles in a clear manner, and enables new employees to understand, recognise and comply with the company policies (Densham, 2015). These must also be updated from time to time as the business scenario changes. In addition, the existing infrastructure, hardware and software must be assessed.
Involving managers at the various levels: The leaders of the entity must lead from the front and are responsible for the overall decisions and financial planning. The necessary budget must be set and the financial resources procured for acquiring new infrastructure (Fielder et al., 2016). Middle-level managers must formulate the individual departmental targets and the reporting system, and make employees aware of the vision of the company. They must act as the communication channel with employees and with the other departments, welcome feedback from employees and provide overall support.
Conducting training and awareness programmes: Another strategic objective is to impart the necessary training and awareness to specific target groups. This means training the relevant audience in the use of the hardware and software; that audience includes the individuals, departments or teams that consistently face cyber security challenges, data breaches and information hacks. It applies specifically to the finance department and to those dealing with information about patents, copyrights, trademarks, customers, employees, suppliers and the like (Gupta, Agrawal and Yamaguchi, 2016).
Ensuring compliance with policies and procedures: The next objective is to oversee that the policies laid down above are complied with and that negligent staff face disciplinary action. Continuous feedback must also be encouraged for risk reviews and for the occurrence of security incidents (Johnson et al., 2016).
Reporting cyber threats internally and externally: The last strategic objective is to make the reporting of cyber attacks and threats as easy as possible, through a proper communication channel. Employees would be allowed to correct mistakes and negligence, but would also be penalised for damages and losses. Reporting would be allowed through the organisational structure, help lines and service desks. Devising automated and technological means of addressing incidents immediately is a further, incidental objective (Knowles et al., 2015).
Updating the framework and the plan: The information security plan must be regularly updated in light of new challenges, practices and developments in the computer and network industry (Liu et al., 2015). Regular updates are crucial for the effective implementation of the information security plan.
Key initiatives for effective information security implementation
The key initiatives that can be undertaken by the organisation are described as follows:
Lead from top to bottom: The most important initiative is for managers to take the initiative at each level of the enterprise. The leaders must communicate the significance of information security and the importance of each employee's contribution towards it.
Understanding the business of the entity and risk assessment: It is critical to gain knowledge of the existing culture, practices and beliefs of the company so that the security programme can be aligned with them (Luiijf and te Paske, 2015). It is necessary to quantify the risk so that it can be mitigated. On assessment, it can be said that because the entity works in a core information technology industry, it is highly vulnerable to activities such as spoofing, data breaches and related crimes.
Definition of the main goals, target audience, accountability and success metrics: The next initiative is a clear definition of the goals and the cyber resilience structure of the entity. The target threats and audience must be identified and evaluated in light of the current capacity of the entity (Safa, Von Solms and Futcher, 2016). The threats can be further identified from the report of the Australian Cyber Security Centre (ACSC) that outlines the range of cyber adversaries targeting Australian networks and entities. The entity can also seek advice from the ACSC on how to defend itself online.
Activity selection and implementation: The entity must next select the suitable activities from the range of defences available. These can include the use of firewalls, authorisation of activities, passwords, online security software and more. The next initiative is to implement them in the organisational practices.
Reviewing results and reporting crimes: The next initiative is to review the performance of the previous initiatives on a timely basis (Sen and Borle, 2015). In addition, crimes and breaches must be duly reported to agencies such as the Australian Crime Commission, the Australian Federal Police, Computer Emergency Response Team (CERT) Australia and the Australian Signals Directorate. The reports must describe the nature of the attacks and their impact on the entity. In addition, the Notifiable Data Breaches scheme also encourages the reporting of data breaches by organisations.
The discussion in the previous parts leads to the conclusion that cyber security and data protection are among the chief concerns of the entity, especially as it operates in an industry whose major elements are networking, cloud computing and the use of various computer hardware and software. As reports state, Australia is one of the prime targets of information security crime, and VirtualSpaceTours.com must therefore keenly develop and improve its existing governance frameworks. Further, the entity must adopt key initiatives to enhance its organisational practices and guide the behaviour of its employees and members. These key initiatives include defining roles and duties, using the infrastructure efficiently, reviewing practices, and reporting crimes to the agencies and regulators of Australia. The governance and initiatives described above are important to guard the organisation against unauthorised breaches and intrusions that could undermine the goodwill and identity of the entity.
Australian Cyber Security Centre. (2018) Information security. [online] Available from: https://www.acsc.gov.au/infosec/index.htm [Accessed on 26/09/2018].
Australian Government. (2018) Australia’s Cyber Security Culture. [online] Available from: https://cybersecuritystrategy.homeaffairs.gov.au/sites/all/themes/cybersecurity/img/PMC-Cyber-Strategy.pdf [Accessed on 26/09/2018].
Ben-Asher, N. and Gonzalez, C. (2015) Effects of cyber security knowledge on attack detection. Computers in Human Behavior, 48, pp. 51-61.
Densham, B. (2015) Three cyber-security strategies to mitigate the impact of a data breach. Network Security, 2015(1), pp. 5-8.
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C. and Smeraldi, F. (2016) Decision support approaches for cyber security investment. Decision Support Systems, 86, pp.13-23.
Gupta, B., Agrawal, D. P. and Yamaguchi, S. (eds.) (2016) Handbook of research on modern cryptographic solutions for computer and cyber security. United States: IGI Global.
Johnson, C., Badger, L., Waltermire, D., Snyder, J. and Skorupka, C. (2016) Guide to cyber threat information sharing. NIST Special Publication 800-150.
Knowles, W., Prince, D., Hutchison, D., Disso, J. F. P. and Jones, K. (2015) A survey of cyber security management in industrial control systems. International Journal of Critical Infrastructure Protection, 9, pp. 52-80.
Liu, Y., Sarabi, A., Zhang, J., Naghizadeh, P., Karir, M., Bailey, M. and Liu, M. (2015) Cloudy with a chance of breach: Forecasting cyber security incidents. In: Proceedings of the USENIX Security Symposium, pp. 1009-1024.
Luiijf, H. A. M. and te Paske, B. J. (2015) Cyber security of industrial control systems. TNO.
Office of the Australian Information Commissioner. (2018) Notifiable Data Breaches scheme. [online] Available from: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme [Accessed on 26/09/2018].
Safa, N. S., Von Solms, R. and Futcher, L. (2016) Human aspects of information security in organisations. Computer Fraud & Security, 2016(2), pp. 15-18.
Sen, R. and Borle, S. (2015) Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32(2), pp. 314-341.
World Economic Forum. (2017) Advancing Cyber Resilience Principles and Tools for Boards. [online] Available from: https://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf [Accessed on 26/09/2018].