The increased use of digital devices like notebook computers, tablets, and smartphones has exposed individuals and organizations to information security risks. Technological development has made it possible for criminals to hack into the network systems of organizations and steal critical information. Thus, institutions need to use diverse security control families to guarantee the safety of their information. Control families should not impede organizational productivity or affect employee performance adversely.
The case study involved Seymour Power Inc., an international firm that deals with designing and building power generating plants. Mike, a senior consultant in the firm, became a victim of information theft after traveling to China to finalize a business deal with Chitze Limited (Lawrence, Olson, & Douma, 2015). Mike had limited knowledge of technology and hence was unaware of the possible security breaches that could arise. After arriving in China, he became a target of multiple security attacks, which happened without his knowledge. At the Beijing airport, the Chinese government infected his laptop with malware that stole usernames and passwords (Lawrence et al., 2015). The hotel that Mike booked had installed spyware in the Wi-Fi system, which stole the password of his email account (Lawrence et al., 2015). It also copied information about Seymour Power Inc.’s Virtual Private Network (VPN) configuration and username. However, it was hard for hotel management to view the information that Mike accessed after logging into the VPN. The breaches damaged Mike’s laptop, making it hard for him to use it during the trip.
Information Security Control Families
Technological growth is contributing to new developments in the aviation industry. Hence, there is a need to have effective information security controls to warrant the safety of pilots, passengers, and airline companies. Some control families that are at the disposal of airline businesses include access control, configuration management, and identification and authentication.
Access Control (AC)
Airline companies have adopted blockchain technology to ease the storage and retrieval of client information and to support data security. Access control enables firms to protect their data by making sure that only approved persons have access to information. The different departments within an airline company require varied data. Access control ensures that employees in one department do not view information that is not related to their job specifications (Nieles, Dempsey, & Pillitteri, 2017). Moreover, it assists in controlling the level of access granted to different employees. It helps airline businesses to prevent unauthorized utilization or manipulation of data.
Configuration Management (CM)
Configuration management is different from access control in that the former focuses on ascertaining and preserving the integrity of information systems. Configuration management does not restrict the use of information systems, unlike access control. The introduction of beacon technology has enabled employees working in airline companies to offer customized services to travelers (Hannigan, Hamilton, & Mudambi, 2015). Workers share information with clients based on their needs. Configuration management is invaluable since it helps airline companies to scan their systems to ensure that they are not compromised. This control technique “allows the entire system to be reviewed to ensure that a change made on one system does not have adverse effects on another” (Nieles et al., 2017, p. 61). It enables an airline company to audit its system to guarantee that activities like the connection to the Internet do not compromise security.
Identification and Authentication (IA)
Identification and authentication control works almost the same as access control. Nevertheless, for IA, a user must provide information such as a username or password to confirm their identity (Nieles et al., 2017). Many airline companies use the Internet of Things (IoT), which enables crews to monitor and troubleshoot airplanes for possible engine or system failure (Hannigan et al., 2015). A compromise of such technology may have devastating impacts on crews and passengers. Companies use IA to prevent unauthorized persons from accessing the airplane system. Moreover, it assigns different access privileges to crews to ensure that malicious employees do not interfere with the functions of the aircraft.
Information security threats may have low, moderate, or high impacts on an organization’s system. Thus, it is imperative that a company tailors its controls to the impacts of anticipated risks. Organizations choose baseline controls depending on numerous assumptions (Sharma & Navdeti, 2014). They include the postulation that not all information is sharable. At times, such general assumptions do not meet the specifications and the environment of the information system. Thus, there is a need for tailoring controls. This security technique helps to address risks that emanate from internal users and advanced persistent threats (APT) (Sharma & Navdeti, 2014). In other words, tailoring controls helps to address unforeseen threats.
Controls for Different Forms of Data
Cases of people losing electronic devices are common across the globe. Some gadgets contain critical and classified information that may have devastating impacts if it is accessed by malicious persons. Thus, it is essential to protect one’s data whether physical, in transit, or at rest. A physical asset refers to data stored in Universal Serial Bus (USB) drives, external drives, DVDs, and smartphones (Sharma & Navdeti, 2014). One of the controls that protect a physical asset is encryption. Encryption software like BitLocker helps to ensure that unauthorized persons do not have access to information stored in USB drives (Sharma & Navdeti, 2014). The software may also be helpful in safeguarding a company’s tablets and smartphones.
Data at rest refers to information kept in media like databases and hard drives. One of the controls used to protect data at rest is the trusted platform module (TPM) chip. Sharma and Navdeti (2014) state that TPM is “a slow cryptographic hardware processor which can be used to provide a greater level of security than software encryption” (p. 2128). Organizations can use self-encrypting hard drives (SEDs) to protect data at rest. Data in transit refers to information that is being moved from one site to another via a network (Sharma & Navdeti, 2014). Such information is vulnerable to sniffing and eavesdropping. Data in transit may be protected through a VPN. Privacy Enhanced Mail (PEM) control is used to protect emails.
Confidentiality, Integrity, and Availability (CIA) Security Goals
The goal of confidentiality is to ensure that unauthorized individuals do not have access to data. Information is power; hence, there is a need to protect it. Implementing file permissions and encryption can help to guarantee confidentiality. The objective of integrity is to make sure that unauthorized individuals do not modify information. It helps to preserve the value of data. The goal of availability is to guarantee that authorized persons have access to information at the right time. The use of backups helps to make sure that information is readily available.
Preserving the integrity of an organization’s information is paramount to its success. Airline companies can use access control, configuration management, and identification and authentication to prevent unauthorized access to information. Tailoring controls helps to address unforeseen internal and external risks. In addition, encryption assists in protecting data in transit, at rest, and in physical stores. Information control methods are meant to preserve the confidentiality, integrity, and availability of data.
Hannigan, T. J., Hamilton, R. D., & Mudambi, R. (2015). Competition and competitiveness in the US airline industry. Competitiveness Review, 25(2), 134-155.
Lawrence, C., Olson, G., & Douma, B. (2015). Information security in a world of global connectivity: A case study. Information Systems Education Journal (ISEDJ), 13(2), 14-20.
Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An introduction to information security. Web.
Sharma, P. P., & Navdeti, C. P. (2014). Securing big data Hadoop: A review of security issues, threats and solutions. International Journal of Computer Science and Information Technologies, 5(2), 2126-2131.