Application: Employee Reactions to Security Changes

Employees are often the greatest security threat to an organization. It may be a disgruntled employee who felt he or she was poorly treated or a model employee who simply didn't follow company policy for keeping his or her computer secure.

The case study about coordination between the IT and HR Departments from your textbook in this unit's Learning Resources covers this type of security threat. This case involves a mid-size company with a sophisticated information infrastructure. The director of IT is new, and the head of human resources has been with the organization for some time. As the new IT director begins implementing additional security measures, a security breach occurs.

For this Assignment, you will analyze the above case study from this unit's reading and consider employee behavior, preparation for and prevention of security breaches, and appropriate communication with employees after attacks.

Submit a 2- to 4-page analysis in APA format of the case study. In your analysis, answer the following:

• What about employee awareness and/or mindset may have led to the breach?
• What steps might management have taken to prepare for or prevent this breach?
• Based on your understanding about the attacker and the work environment, how might the company ward off future attacks?
• What information might the company communicate to its employees about the attack?

Readings

• Whitman, M., & Mattord, H. (2012).High-assurance computing: Topics & case studies. Boston, MA: Course Technology/Cengage Learning.
  • Chapter 1, "Introduction to Management of Information Security" (pp. 1-36)Everyone has a role to play when it comes to security. In this chapter you will assess the importance of a manager's function in securing a business's assets.  You will explore the CNSS security model and the differences between security management and general management.
  • Case 1, "Coordination Between an Information Technology Department and a Human Resources Department" (pp. 375-382)This case explores a security breach allegedly initiated by an employee at the Cenartech Security engineering company.  You will consider the evidence provided and begin your analysis on what could have been done to educate the staff and potentially prevent the attack
• Ayyagari, R., & Tyks, J. (2012). Disaster at a university: A case study in information security.Journal of Information Technology Education: Innovations in Practice, 11. Retrieved fromhttp://www.jite.org/documents/Vol11/JITEv11IIPp085-096Ayyagari1035.pdf
• Committee on National Security Systems (CNSS). (n.d.). Retrieved November 25, 2012, fromhttp://www.cnss.gov/The official website of the Committee on National Security Systems.  The CNSS is responsible for providing a forum for discussing policy issues and for setting national information assurance policies and directives.
• National Security Agency: Central Security Service. (2009). TEMPEST certification program. Retrieved fromhttp://www.nsa.gov/applications/ia/tempest/index.cfmThe official website for the TEMPEST Certification Program. This website outlines the details of the program.
• NSTISS. (1994).National training standard for information systems security (INFOSEC) professionals. Retrieved fromhttp://www.cnss.gov/Assets/pdf/nstissi_4011.pdfThis document describes the key terms for Information Systems Security (INFOSEC) for professionals in the disciplines of telecommunication and automated information systems (AIS) security.
• Ponemon Institute. (2012, March 7). Employee behavior blamed for most security breaches. Retrieved fromhttp://www.techjournal.org/2012/03/employee-behavior-blamed-for-most-security-breaches/