Security and risk management is an important aspect of running any organization. Risk refers to the possibility of suffering harm or loss. However, it is impossible to uphold high security standards and counter every threat that arises from time to time. Organizations should therefore carry out periodic risk analysis to identify possible exposures. The risks should then be managed down to acceptable levels. Management of a security program is a framework that ensures risks are understood and managed appropriately (Allen & Julia, 2001). According to Andrew, once a security management program is implemented, immediate follow-up is usually carried out to ensure that it is running effectively. Given the risk profile of a small organization in the United Arab Emirates of three people buying and selling a product, the process of identifying and assessing risks in the organization and integrating it with the organization's culture is a key aspect of security program management (Allen & Julia, 2001). Therefore, building a secure organization requires the implementation of a sustainable information security model. Managers should take responsibility for shaping ethics within their organizations and create a climate that will ensure the success of their companies. As a result, they need to maintain high compliance with regulatory laws as well as meet the expected standards. However, this is not a simple task and should be treated as a challenge to be addressed for the greater good of the organization. The standards that the organization must meet should be referenced when building and updating the organization's security policies (Allen & Julia, 2001).
In addition, to meet the challenges of compliance, organizations must make comprehensive compliance part of their regular culture rather than relying on the annual audit that is commonly used in many organizations. Furthermore, the security management process requires proper risk analysis before a corresponding management program and set of rules are put in place (Borodzicz, 2005). The rules apply to a specific organization and comprise a well-reasoned set of security protocols and practices that are widely accepted across certain categories of organizations. The courts regard these rules as the standard against which the actions of organizations are measured. The rules also outline the diligence required for protecting the integrity, privacy and confidentiality of information that is within the care of a given organization (Borodzicz, 2005).
Implementing a sustainable information security model to build a secure organization also requires improvements in funding. Constraints such as tight budgets, lack of incentives, inadequate resources, disagreements over different approaches to addressing information security, and an increasing number of responsibilities are likely to be encountered (Calder & Watkins, 2010). To address these challenges, organizations undergo external and internal audits that produce audit findings. An audit finding then presents points that need enforcement, which in turn leads to a comprehensive information security program that will meet the challenges. Organizations should therefore overcome the challenge of shrinking budgets, improve their security focus, provide a common approach and increase their number of staff (Calder & Watkins, 2010).
The benefits of having a sustainable information security model include the provision of a structured approach through which security programs are gradually implemented (Allen & Julia, 2001). It gives an organization room to improve the structure of its security governance. In addition, program implementation will be based on the reality on the ground. Communication within the organization is also improved. Last but not least, every audit cycle will strengthen the organization's security program. The available approaches will provide a clear comparison between past and recent information security progress.
An organization with a sustainable and secure information security model has a better image than those having difficulties with their information security models. Furthermore, it enjoys a greater reputation in the public domain than insecure ones. Such an organization will rank highly in terms of priorities when organizations are compared among themselves. In conclusion, organizations with poor security management will not be aware of pressing security risks (Allen & Julia, 2001). They will have a false sense of security and accept unknown levels of risk by default. Apart from that, such organizations will not be in a position to tell whether the resources diverted to building a secure information security model have been used effectively or not.
- Allen & Julia. (2001). The CERT guide to system and network security practices. Reading, MA: Addison-Wesley.
- Borodzicz, E. (2005). Risk, crisis and security management. West Sussex, England: J. Wiley & Sons.
- Calder, A., & Watkins, S. (2010). Information security risk management for ISO27001/ISO27002. Cambridgeshire: IT Governance Pub.