Introduction
Operations security is an extremely important aspect of an organization's information security program (Fisher, 2011) and plays a major role at every stage of the information processing cycle. It pertains to the activities that take place while keeping computer networks, computer systems, applications, and computing environments up and running in a secure and protected manner, ensuring that people, applications, equipment, and the overall environment are properly and adequately secured (Harris, 2013). Operations security is the centre of all other information system security (Henrya, 2011). Therefore, a high level of confidentiality and integrity should prevail throughout the data processing cycle: when data resides on database systems or on network devices, when it is transmitted across the network, and when it reaches the designated person.
Organizations, irrespective of type and size, public or private, commercial or non-profit, collect, process, store and transmit information electronically. These activities are carried out through information systems, specifically computer hardware, software applications, processes and procedures, communication networks, and people. Information traversing information systems is subject to deliberate and accidental threats, since information systems have inherent vulnerabilities (ISO/IEC 27002:2013, 2013). Thus, organizations need to perform day-to-day operational security activities to keep information systems safe.
Accordingly, organizations are making efforts to protect critical and sensitive data in every state of information (storage, processing, and transmission). The computer crime and security survey conducted by the Computer Security Institute (2011) found that, for 64% of the organizations surveyed, the information security program had improved owing to regulatory compliance efforts. Compliance with legal requirements, such as Sarbanes-Oxley (SOX) for financial reporting and governance, has impacted IT (information technology) security systems, practices and internal controls (Brown & Nasuti, 2005). The Health Insurance Portability and Accountability Act (HIPAA) also required healthcare organizations to “safeguard the confidentiality, integrity, and availability of electronic protected health information” (Hoffman & Podgurski, 2007, p. 7). Another regulation that influenced information security programs was the Federal Information Security Management Act (FISMA), which required all U.S. federal agencies and the international banking industry to develop, document, and implement a program that provides information security for the systems that support their operations and assets (Pabrai, 2006).
Developing countries are not left out in enacting laws and regulations to protect information resources. The recent Data Protection Act 843 of Ghana aims at protecting the privacy of the individual and personal data by regulating the processing of personal information and the process of obtaining, holding, using or disclosing personal information (Data Protection Act, 2012). The Act ensures protection of the privacy of the individual and personal data. Moreover, the Electronic Transactions Act 772 of Ghana (Electronic Transactions Act 772, 2008) focuses on developing “a safe, secure and effective environment for the consumer, business and the government to conduct and use electronic transactions” (p. 6). Despite these regulatory compliance efforts, a recent survey finds a decline in fundamental security practices (PWC, 2015). Sub-Saharan Africa is increasingly becoming notable for cyber fraud. A recent report ranks Ghana second in Africa (after Nigeria) and seventh in the world with respect to internet-related crimes (Joy Online, 2013). A similar report also indicates that about 82 cyber crimes occur in Ghana every month, that is, on average about 1000 crimes a year (Joy Online, 2013).