Management and Administration for Information Security
Every organization has a mission, goals and objectives to accomplish. In the digital era, many organizations rely on information technology systems to process the information needed to realize their missions. Risk management plays an important role in safeguarding an organization's crucial information assets, and hence its mission, from the risks that come with adopting information technology. The primary intention of the risk management process is to protect the organization as a whole and its ability to carry out its mission, not merely its information technology assets. This paper therefore deals with the administration and management of information security.
Most significantly, the aim of risk management is to help the organization achieve its mission by securing the information technology systems that process, store and transmit crucial information, and by enabling business management to make well-informed, risk-based decisions that justify the cost of adopting IT systems. Risk management also supports the accreditation (or authorization) of information technology systems, since the records and documentation produced during the risk management process serve as evidence for that decision. Consider, for example, an anonymous hacker who breaks into a server and deletes crucial and classified information. The lost information may include financial statements, cash flow statements, fiscal budgets and other records without which the organization cannot function properly. Potential and existing investors may lose trust and confidence in the organization when such records are lost. The organization as a whole is destabilized: records concerning suppliers and debtors are gone, which means unforeseen loss of revenue, and when payroll records are lost, employees are demoralized by delays in payment (Whitman & Mattord, 2012).
Equally damaging, when a fire destroys IT assets such as computers, most activities halt, since both governmental and private organizations rely on information systems to function smoothly. For example, if the computers of a National Guard depot are destroyed by fire, important information is lost. The impact of such an incident is tremendous: valuation of stored materials can no longer be carried out, and the sources (suppliers) of materials cannot be established because no record survives to prove them. Similarly, when a tornado strikes a private power company, its infrastructure may be almost totally destroyed. The infrastructure at risk includes, but is not restricted to, power-generating and power-transmitting equipment as well as information technology infrastructure. Such an incident forces the private power company to shut down its main operations until repair and re-installation of the infrastructure are complete; the tornado risk is a huge blow to the company (Whitman & Mattord, 2012).
Moreover, when corporate information technology employees strike, leaving the organization with only its core employees for an indefinite period, most organizational activities halt because most of them rely heavily on IT support. Without IT support, productivity drops as efficiency falls in the absence of working information management systems; the organization consequently reports decreased profits, since its other employees can do little without the support of the IT staff. Additionally, unauthorized access to information on a governmental or corporate server carries immense risk, since the information can be used against the organization for personal gain. It is therefore necessary for both governmental and private organizations to secure their information systems in order to accomplish their goals, objectives and missions (Whitman & Mattord, 2012).
Risk assessment and management is a distinct business-management function that focuses on helping business stakeholders understand risks so that an effective and efficient decision-making process can be applied to manage and contain them. This function needs to be employed at every design and planning stage and in the subsequent operational deployment stages, together with ongoing review and monitoring of risks, to ensure that information security risk is managed. It is therefore important for organizations to evaluate the management of costs and benefits during the development and implementation of an information system (Robert & Dorothy, 2014).
The costs and benefits of an information management system should always be balanced through the adoption of an appropriate governance model. Many changes during information technology system development may require a new justification approach. Although many organizations prepare elaborate budgets and time schedules, most IT systems exceed both their cost and time estimates. There is therefore a need for a business-management function such as risk management to carry out the cost-benefit analysis of an IT system and of information security management. Thus, the activities that determine whether the information security function adds value, and whether cost-benefit management is sufficiently organized, need to be evaluated (Robert & Dorothy, 2014).
Before electronic records management (ERM) is implemented, the organization should ensure that the ERM effort is integrated with other organizational initiatives, that project management is sound, that resourcing is sufficient, that the team composition is suitable, and that the benefits of the implementation are identified early. The implementation methodology then proceeds in a number of steps. The first step is a preliminary investigation: a group of experts is assigned to determine the feasibility of implementing electronic records management. The second step is an analysis of the business activities to be covered by the implementation, so that activities that are not cost-effective are excluded (Franks, 2013).
The third step is the identification of records requirements in line with the ISO requirements; these should comply with global best practice for electronic records management implementation, such as ISO/TR 15489-2. The fourth step is the identification of strategies oriented towards satisfying the identified requirements, so that electronic records management is implemented effectively. Designing the electronic records system is the next step, aimed at arriving at a design that is both easy to implement and cost-effective. Once the optimum design is chosen, the records system is actually implemented. This step is followed by a post-implementation review, in which the whole process is monitored and evaluated to detect and fix any errors (Franks, 2013).
Due diligence requires organizations to establish and implement an effective system of policies, procedures and controls to detect and prevent violations of laws and policies. The duty of due care or due diligence is the legal requirement that business management should not create an unreasonable risk of harm through careless action. Business management must therefore exercise due diligence and due care when acting on behalf of the organization, and must perform responsibilities such as protecting the organization's information system in good faith and in a non-negligent way. This includes providing employees with a safe working environment so as to avoid frequent strikes and labor turnover (Vallabhaneni & Association of Professionals in Business Management, 2008).
Most organizations have rethought how they can minimize the risk of adopting information systems. They have realized that information security is a distinct function from the business unit responsible for information systems. It is therefore the responsibility of business management to secure the operation and use of the organization's information assets. In addition, organizations should carry out the implementation of electronic records management effectively while remaining conscious of the time and costs involved.
Franks, P. C. (2013). Records & information management.
Robert, D., & Dorothy, E. (2014). Strategic information management: Challenges and strategies in managing information systems. Nottingham: Routledge.
Vallabhaneni, S. R., & Association of Professionals in Business Management. (2008). Corporate management, governance, and ethics best practices. Hoboken, N.J.: Wiley.
Whitman, M., & Mattord, H. (2012). Management of information security. Boston: Cengage Learning.