Information Systems Security for Monsha’at
1.0 INTRODUCTION
The report is about information systems security for Monsha’at. Monsha’at is based in Saudi Arabia and specializes in aiding SMEs (small and medium-sized enterprises). The report outlines the information systems security challenge that Monsha’at experiences and proposes a solution for it. The target for this proposal is the management of Monsha’at. The management has the resources and capacity to make security changes within the firm and monitor progress.
Accordingly, the report is organized in various sections. The first section is the introduction, which outlines the company profile. The business problem follows this section, and then the proposed solutions. An assessment of the impacts of the proposed solution follows in section four. The fifth section is a roadmap for the implementation of the plan. The conclusion and recommendation conclude this report.
1.1 The Company Profile
Monsha’at specializes in the SME sector. Founded in 2016, Monsha’at is a General Authority for Small and Medium Business Enterprises (“About Monsha’at,” n.d). Accordingly, the business supports, sponsors, and develops the SME sector to heighten its productivity and attain global standards in terms of practice. Again, the firm aims to build a culture and spirit of entrepreneurship and innovation among SMEs. Monsha’at hopes that these SMEs will contribute to 35% of Saudi’s GDP by 2030 (“About Monsha’at,” n.d). Other than financial support, the organization gives administrative and technical assistance to the businesses. Monsha’at also partners with the financial sector and helps activate the banks to lend funds and be more involved in establishing programs that support SMEs. Notably, the organization also has elaborate service centres, which address regulatory and electronic services to private and private entities. Monsha’at is driven by SME growth.
1.2 Vision and Mission
Accordingly, the mission of the company is: Develop and support SMEs to enable them to prosper by driving cooperation forward with our strategic partners in the public, private and non-profit sectors, both locally and internationally (“About Monsha’at,” n.d).
The vision states: To make the SME sector an essential engine for economic growth in Saudi Arabia and an enabler in achieving Vision 2030 and beyond.
1.3 Business Strategy and Strategic Goals
Monsha’at has a strategic Vision 2030 goal in the SME sector. The SMEs should drive economic growth, increase GDP to 35%, and compete favourably with the G20 countries (“About Monsha’at,” n.d). Monsha’at aims to make Saudi Arabia’s SMEs globally competitive.
Equally, the organization has a business strategy to attain the goal. Monsha’at supports innovation, enables growth, develops capacity, facilitates various business processes, and creates job opportunities for Saudis through better regulation, smooth financing, and partnership with international companies (“About Monsha’at,” n.d). According to Monsha’at’s service category (n.d.), Monsha’at has four supporting pillars, which include: promoting entrepreneurship, capacity development, increasing growth, facilitating businesses, and opening up funding horizons.
2.0 BUSINESS PROBLEM
2.1 Statement of the Business Problem
Information systems security is an issue for Monsha’at. The organization stores a lot of data from various sources. The sources include the SMEs, government and private agencies, and Monsha’at’s internal operations. With so much valuable data, it is imperative to put sound security measures in place so that the information does not fall into unauthorized hands or get stolen (Popescul & Cuza, 2018). Equally important is to safeguard the data from loss in case of calamities, such as fire or natural risks. The existing security measures also need to be updated to meet the regulatory and industry standards, as well as present security threats. As the demand for data increases, challenging existing security measures, it is of paramount importance that Monsha’at guarantees its information will not be used or accessed without consent.
Failure to improve the system’s security has repercussions for the firm. For one, the reputation of Monsha’at would be at risk, which would destroy corporate relations. Further, loss of data can inhibit decision-making and is costly to retrieve (Popescul & Cuza, 2018). Monsha’at will also be vulnerable to hacking, which will result in information theft. Again, the employees can share Monsha’at’s data with the wrong people or organization, whether intentionally or accidentally. Hence, security is mandatory to safeguard data and ensure the smooth running of the organization.
2.2. Analysis of the Business Problem
Various factors contribute to the security challenge:
Employees: Employees are a potential risk and the weakest link in the security chain. Unscrupulous workers can access and use the information to their own benefit. At the same time, the laborers can unintentionally share private content (Alotaibi, Furnell, & Clarke, 2016). Other factors like lack of motivation to adhere to rules, fatigue, and emotional state threaten data security. When the employees lack knowledge of systems security, they may be unable to identify security threats and endanger company data.
Passwords: Although passwords exist, most of them are weak. It is possible to predict some passwords. Furthermore, workers can easily share passwords, making them ineffective.
Internet Service Provider (ISP) and the procedures: The institution has unrestricted access to the internet, and any device can access the internet as long as it has the password. In itself, the password is easy to obtain as every worker has it. The bring your own device (BYOD) incentive also means that workers can access Monsha’at’s data on their computers. With personal devices, it is easy for anyone to acquire the firm’s contents (Popescul & Cuza, 2016). Not all the portable computers are secure, and they can be used with USB sticks to create a malware access point into Monsha’at’s network.
Policies: The company’s security policies are unknown to some workers, despite a public copy. Additionally, these policies need to be updated to address present security issues and include legal and ethical considerations.
3.0 PROPOSED SOLUTION
3.1 Assumptions
Various assumptions guide the solutions:
- All the employees are computer literate
- The workers operate a device, whether personal or organizational, within Monsha’at.
- The workers have at least basic knowledge of systems safety.
- The workers are competent enough to apply the security systems if trained.
3.2 Proposed Solution
Multi-Layered Protection
Multi-layered protection entails using various protection mechanisms simultaneously to guarantee security. Crossler, Belanger, and Ormond (2019) state that applying various security behaviors at the same time is effective in mitigating threats, as opposed to only one alternative. Monsha’at should have a firewall, scan computers for spyware, regularly update software, use anti-virus, and manage the passwords. Utilizing these security options concurrently will safeguard data from internal and external threats. For instance, the management can keep track of any unauthorized logins or failed attempts. With a firewall, only authorized internet users will access Monsha’at’s internet. The password, which should be changed regularly, will limit access to information. The firm can also observe data traffic and clean out any potential viruses. Regular software updates will ensure the efficient running of the software and prevent exploitation by hackers. A multi-layered system safeguards the system from various threats.
3.2 Alternatives
Monsha’at should create strict security policies. Policies aid in creating a security culture within the firm (Sadaf & Dhanapal, 2018). Through this culture, the employees can minimize malicious use of information systems and devices. Accordingly, Monsha’at should have an elaborate policy that focuses on access, reporting, ethics, and consequences. The workers should know what is expected of them when using computers, such as being monitored by the management. Equally, employees should know the consequences of sharing organizational information intentionally or unintentionally. The disciplinary actions should include legal recourse if the worker is found guilty. For example, if an investigation reveals that worker Y leaked data, he or she should face a jail term or compensate Monsha’at. Monsha’at should also list out values that guide the application of the policy to enhance ethics and compliance. Tough policies ensure data safety.
Employee training on systems security is also critical. Yerby and Floyd (2018) state that training on security awareness is vital in lowering the threats to information systems. The workers should be regularly trained on security issues to keep them abreast of the latest measures. For instance, if Monsha’at introduces a new security feature, the employees should learn its use. Training also reduces errors, which are a leading threat to system security (Heussinger & Kranz, 2017). Educating workers on policies is crucial so that no one can claim ignorance if caught in the wrong. Besides, training helps employees know how they can mitigate security threats and the appropriate reporting channel. Training equips workers with the capabilities to manage security issues.
A secure internet also promotes systems security. Alhassan and Quaye (2017) posit that securing the internet is useful in identifying network threats to an organization and promotes accountability. Hence, Monsha’at should begin by restricting internet to internal devices. In this case, people can only access Monsha’at’s internet when they are within the building. There will also be a firewall to secure the internet from unauthorized access. At the same time, computer use should be regulated by IP address. To illustrate, information and transactions can only be done by devices within the organization. A secure internet limits hacking and access to company data.
3.3 Financial Consideration
Having multilayer protection is not very expensive. The costs are associated with purchasing software, which can cost a total of SAR 3000. Annual renewal and maintenance can cost SAR 20,000 on an upper scale. Setting up passwords is not an additional cost as this can be done internally.
Comparatively, setting up policies is fairly cheap. The organization can have internal consultations with the managers from all the departments. The policies can then be posted on the firm’s website and internally on notice boards. The main cost would include printing paper, ink, and adhesives, which would be less than SAR 500.
Employee training is expensive. Training involves trainer fees, learning materials, and refreshments. Given that it should be done regularly, the costs can escalate depending on the frequency of the meetings. The total costs can exceed SAR 30,000.
A secure internet is affordable. Setting up the password and firewall can be done by the IT department.
3.4 Risk Consideration
Multi-layered protection is very low risk. This is because once the software and programs are installed, it is easy to monitor the system. Further, the disruption from daily routine will not be frequent, except when updates occur (Crossler et al., 2019). The updates also do not take long. The multi-layers track online activities, and it will be easy to find any discrepancies.
In contrast, policies are high risk. Even if the workers are aware of the laws and consequences of breaking them, there is no guarantee that data will be secure if no other protection efforts are made (Sadaf & Dhanapal, 2018). Although useful, policies must be accompanied by other security measures.
Training has medium risks. The workers can take proactive measures to prevent unauthorized access to information, as in the case of malware. Being proficient in security systems and various software also prevents accidents or incidents where security is breached. It also promotes accountability. However, other factors, such as emotions, peer pressure, and work environment, can influence adherence to the skills taught (Yerby & Floyd, 2018). Moreover, if the security features remain the same, workers can use their knowledge to access data.
Secure internet has a medium risk. Restricting use to devices within the organization and limiting internet access can diminish external threats (Alhassan & Quaye, 2017). Nonetheless, the management must be aware of any new threats to the system.
4.0 EXPECTED BENEFITS AND BUSINESS IMPACTS
Financial Benefits: The cost of implementing the multilayer system is as follows:
The cost of purchase and maintenance: 3,000 + 20,000 = 23,000
The expected benefit is approximated to be: 200,000
Hence, the analysis includes: total benefits divided by costs (“Cost-Benefit Analysis,” n.d.):
200,000 / 23,000 = 8.69, which is then multiplied by 100: 8.69 * 100 = 89.6%
The benefits are 89.6% more than the cost of the multilayer approach.
Quantifiable Benefits: The first benefit is the reduction of irregular system activities by over 80%. This reduction illustrates the effectiveness of the multilayer system. Secondly, there should be 100% use of passwords within the firm. Unauthorized access to information should reduce by 80% as well. There should be a transformation in how the system operates. The management and employees realize the benefit.
Measurable Benefits: The employees should effectively manage the information from the SMEs and other stakeholders. The beneficiary of this measure is the management.
Observable Benefits: The employees and management will outline their observable benefits. The management, for instance, should feel secure that the system is safe from any threat. In addition, the management should easily monitor the system and identify very few or no security threats to the system. By comparison, the workers should also be at ease that their information is safe from external and internal threats. Furthermore, the laborers should be confident in the security system. The workers should also feel motivated to work using computer tools and software to complete their work. The measure for this benefit is the opinion of the management and the staff, both of whom gain differently.
5.0 ROADMAP (SCHEDULE AND MILESTONE)
The project is to be completed in nine weeks:
No. | Task Name
1 | Initial meeting
2 | Document current systems
3 | Complete system analysis
4 | Design passwords
5 | Create a firewall
6 | Obtain anti-spy software
7 | Obtain anti-virus software
8 | Integrate change into system
9 | Undertake initial test
10 | Identify issues
11 | Rectify issues
Implementation
[Gantt chart: tasks scheduled across weeks 1 to 9, with a key marking milestones]
6.0 RECOMMENDATIONS AND CONCLUSION
Improving the information systems security is essential to Monsha’at. The organization accesses information from different sources, such as the SMEs, government, and private agencies. Hence, a secure system ascertains that the details do not fall into unauthorized hands and are not lost or stolen. Correspondingly, having a multilayer system protects data from theft and unwanted access, and keeps the system’s operation from being affected. The multilayer idea is also low risk and inexpensive. Once the necessary measures are taken, the management can easily monitor various activities on the system.
The future will be positive for Monsha’at should it adopt the multilayer security system. For one, it will not be easy to access the system without consent, even for employees. Moreover, monitoring access leads to accountability from the workers. This is because of non-repudiation, in that a worker cannot deny having accessed the system. Multilayer is also better than single solutions because it addresses many security issues at once.
About Monsha’at. (n.d.). Monsha’at. Retrieved from https://www.monshaat.gov.sa/en/about
Popescul, D. & Cuza, A. (2018). Information security awareness in contemporary organizations – challenges and solutions. Security and Future, 3 (1). Retrieved from https://stumejournals.com/journals/confsec/2018/3/pdf
Alotaibi, M., Furnell, S., & Clarke, N. (2016). Information security policies: a review of challenges and influencing factors. 11th International Conference for Internet Technology and Secured Transactions (ICITST). Retrieved from https://www.researchgate.net/publication/313804253_Information_security_policies_A_review_of_challenges_and_influencing_factors
Sadaf, H., & Dhanapal, D.D. (2018). Information security policies’ compliance: a perspective for higher education institutions. Journal of Computer Information Systems. Retrieved from https://www.researchgate.net/publication/328654098_Review_paper_on_Information_security_policy_compliance
Yerby, J., & Floyd, K. (2018). Faculty and staff information security awareness and behavior. Journal of the Colloquium for Information System Security Education (CISSE), 6 (1). Retrieved from https://www.researchgate.net/publication/330855273_Faculty_and_Staff_Information_Security_Awareness_and_Behavior
Alhassan, M. & Quaye, A.A. (2017). Information Security in an Organization. International Journal of Computer, 24 (1). Retrieved from https://www.researchgate.net/publication/314086143_Information_Security_in_an_Organization
Crossler, R., Belanger, F., & Ormond, D. (2017). The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats. Information System Frontiers, 21 (1).
Cost-Benefit Analysis. (n.d.). Mindtools. Retrieved from https://www.mindtools.com/pages/article/newTED_08.htm
Heussinger, F., & Kranz, J. (2017). Antecedents of employees’ information security awareness – review, synthesis, and directions for future research. Association for Information Systems AIS Electronic Library (AISeL). Retrieved from https://pdfs.semanticscholar.org/7922/e2a9ec8b59a2fe56e6dcf9a33de3dbf9080c.pdf
Our Services. (n.d.). Monsha’at. Retrieved from https://www.monshaat.gov.sa/en/about