Describe Software Engineering and Management.
The critical success factors (CSFs) for information security should follow a risk-based approach that focuses on protecting an organization’s most critical assets.
Information Security Policy Enforcement and Adoption: An information security policy is important for identifying the vital information assets of the organization and thereby accurately categorizing the reasonable, acceptable and unacceptable employee behaviors needed to ensure adequate information security (Turner, 2014). Moreover, the organization should ensure that the policy it adopts fits its organizational culture.
Staff Awareness and Training: This success factor involves providing adequate and accurate training and education to the employees of the organization (Kerzner, 2013). In addition, it is important that managers, executives and staff at all levels of the organization are appropriately aware of the significance of security measures.
IT Competencies: It is mandatory to have highly skilled security experts to control the fundamental aspects of information security (Taylor, Fritsch & Liederbach, 2014). Therefore, the company needs to invest adequately in hiring IT security experts who are able to deal confidently with any type of data threat.
Example: Flayton Electronics had adopted the primary security measures for protecting against possible attacks. However, one of the Critical Success Factors (CSFs) is organizational awareness and organizational support, which was significantly lacking in the present case of the data breach at Flayton. The most important thing is to relate the CSFs to the core functions of organizational management, including planning and organizing payment transactions as well as properly coordinating, directing and controlling (Klimoski, 2016). Apart from that, the company needed to focus more on regular auditing, monitoring of security measures, carrying out periodic checks and business process evaluations.
2. Project Benefits, Organizational Readiness, and Risk Culture
Project Benefits: Flayton Electronics was conducting multiple projects and thereby achieving significant growth in its electronics business in a comparatively short span of time. The CEO of the company took rapid and large steps to improve and enhance the business, especially after his father retired. The company adopted an aggressive strategy for growing its business capabilities (Von Solms & Van Niekerk, 2013). The CEO was soon able to expand the business into a much larger organization than when it started out. Therefore, the company was gaining significant benefits from the 32 Flayton stores established across six different states. Growing and expanding the business enabled it to carry at least three or four high-priority technical projects in different phases of implementation at any given moment.
Organizational Readiness: In terms of organizational readiness, Flayton Electronics was not adequately prepared for the data breach. Its IT competency was not sufficient to handle the security breach efficiently. Planning for and protecting organizational data was mainly the responsibility of technical staff (Whitman & Mattord, 2013). However, the organization needs to focus more on engaging high-level officials, such as a vice president or director, for information protection. For instance, by building organizational readiness, the company could efficiently address the coordination and redistribution of investment that would be specifically important (Teller, Kock & Gemunden, 2014). In short, by investing in organizational readiness, Flayton could have dealt with the data breach in a more effective and efficient way.
Risk Culture: The risk culture of an organization is defined by the behavior of individual employees within the organization, which in turn defines the collective capability of that company to identify the potential risks it may encounter in future.
The risk culture of Flayton was nothing extraordinary. In fact, the company significantly lacked a strong and appropriate risk management culture and approach (Maarop et al., 2015). There was a lack of self-audit checks, and PCI compliance was very rarely scanned. Therefore, the overall risk culture of Flayton Electronics can be considered poor.
3. Project Risk Recommendations
Enhance Risk Intelligence: Flayton should consider enhancing its risk intelligence and promoting risk transparency at every level of the organization (Tu, 2016). In addition, the management should be competent enough to communicate the strategic goals in proper alignment with the risk strategies.
Monitor and Review Risks: Flayton should focus on running separate processes for continual improvement of its risk management implementation, based upon a regulatory framework (Peltier, 2013).
Implement a Risk Treatment Strategy: The company should adopt a suitable and efficient risk treatment and mitigation plan that ensures compliance monitoring and evaluation of risk consequences (Teller, Kock & Gemunden, 2014). It should incorporate performing regulatory impact assessments, imposing penalties for non-compliance, and setting clear objectives for the regulatory framework.
4. Initial Categories of Risk (RBS Level 1 and 2)
The initial categories of risk in the Flayton Electronics case study include the following:
Lack of Cyber Security Policy: The company needs to clearly identify the security standards for its business. Not prioritizing the security policy can cause potential harm to the business (Kerzner, 2013). Absence of security governance is a significant reason for failing to detect unauthorized activity.
Confusing Compliance with Cyber Security: The company may confuse adopting a cyber security policy with ensuring compliance (Taylor, Fritsch & Liederbach, 2014). Protecting the organization against hacker attacks is not the same thing as ensuring compliance with security rules.
Careless and Uninformed Employees: A careless worker who is habituated only to his or her daily work routine cannot always be expected to be aware of situations that involve potential risks and may endanger the organization in future (Whitman & Mattord, 2013). Employees should be properly trained and educated in the best practices of security protection.
Lack of PCI Compliance: Flayton’s PCI compliance was only 75%. In order to ensure appropriate PCI compliance, it is necessary to carry out regular scanning of all the databases and metadata in the system to check for any credit card numbers (Kerzner, 2013).
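As an added illustration of the database scanning recommended above (this is example code written for this page, not part of the case study or the essay), the following Python scanner finds candidate card numbers in exported rows, keeps only those that pass the Luhn check so that invoice or order numbers are not reported as card data, and records each hit masked to its last four digits so the scan report itself does not become a new store of card numbers. The sample rows and all function names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample export rows (not real customer or case-study data):
# two rows contain a full card number, one contains a look-alike reference.
SAMPLE_ROWS = [
    "order_id=1001;customer=alice;note=paid by card 4111-1111-1111-1111",
    "order_id=1002;customer=bob;note=ref 4111111111111112 is an invoice no.",
    "order_id=1003;customer=carol;card=5500 0000 0000 0004;amount=19.99",
    "order_id=1004;customer=dave;note=no card data here",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for a well-formed PAN, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in the report (PCI-style masking)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_rows(rows: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid card number, with the row index and masked PAN."""
    findings: List[Dict[str, object]] = []
    for idx, row in enumerate(rows):
        for m in CANDIDATE.finditer(row):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({"row": idx, "masked_pan": mask(digits)})
    return findings


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"row {f['row']}: card number found, {f['masked_pan']}")
```

In a real scan the rows would be streamed from each database and file share in scope, and any finding would be routed to the PCI remediation process rather than kept in the scanner's output.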
Kerzner, H. R. (2013). Project management: a systems approach to planning, scheduling, and controlling. John Wiley & Sons.
Klimoski, R. (2016). Critical Success Factors for Cybersecurity Leaders: Not Just Technical Competence. People and Strategy, 39(1), 14.
Maarop, N., Mustapha, N. M., Yusoff, R., Ibrahim, R., & Zainuddin, N. M. M. (2015). Understanding Success Factors of an Information Security Management System Plan Phase Self-Implementation. World Academy of Science, Engineering and Technology, International Journal of Social, Behavioral, Educational, Economic, Business and Industrial Engineering, 9(3), 884-889.
Peltier, T. R. (2013). Information security fundamentals. CRC Press.
Taylor, R. W., Fritsch, E. J., & Liederbach, J. (2014). Digital crime and digital terrorism. Prentice Hall Press.
Teller, J., Kock, A., & Gemunden, H. G. (2014). Risk management in project portfolios is more than managing project risks: a contingency perspective on risk management. Project Management Journal, 45(4), 67-80.
Tu, Z. (2016). Information Security Management: A Critical Success Factors Analysis (Doctoral dissertation).
Turner, J. R. (2014). The handbook of project-based management (Vol. 92). McGraw-Hill.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.
Whitman, M., & Mattord, H. (2013). Management of information security. Nelson Education.