A proactive approach is required in dealing with vulnerability and security issues, which are imperative in information technology. The Plan-Do-Check-Act (PDCA) model is one such approach; it employs the basic principles of the Information Technology Infrastructure Library (ITIL). It focuses primarily on continuous improvement, the adoption of strategic objectives, the review of existing systems and the making of necessary adjustments. Due to the dynamic nature of system development, frequent maintenance and upgrades are always required. The Plan-Do-Check-Act approach in security can improve a system by putting appropriate security policies into effect (Eloff, 2005). Planning, implementing, reviewing and acting give a better understanding of the current situation. Given that PDCA aims to enhance system security, this paper seeks to analyze how the PDCA model can be implemented in information technology.
In the PDCA approach, security services can be critically scrutinized to ensure efficiency and objectivity. Over the years, the growing activity of professional hackers has increasingly compromised organizations’ private information. Incidents of wide-scale hacking have gradually increased, resulting in security problems. Proactive measures should be applied within a working model when developing a security strategy and making decisions to deal with this emerging problem (Humphreys, 2008). Effective planning of organizational system security entails the development of strategic objectives. Each planning process must have specific, time-bound goals and objectives. Planning helps in understanding the security situation better by collecting relevant information before projecting probable solutions. The duties and responsibilities of all stakeholders must be defined at this phase.
The system security planning process should be based on continual improvements.
New standards should be set to keep abreast of changes in the environment, acting as a new baseline for further improvements. The objectives of the process mainly include the development of the security policy, security risk assessment, security strategy and security measures. Some of the approaches to achieving these objectives include increasing user accountability, training and development of staff, environmental risk management and the establishment of effective business continuity models (Saint-Germain, 2005). The organization then deploys these objectives and strategies while scrutinizing their effectiveness. In this phase, organizations analyze the sources of security threats, which are both external and internal. This is essential in understanding organizational vulnerability and in planning adjustments.
The search for risk sources is mainly guided by the objectives developed at the planning phase. Research on the environmental factors posing threats and vulnerabilities can be a successful way of dealing with external attacks. Approaches like real-time protection and peer consultation should be adopted to deal with these kinds of threats. Further, the continuity of any business system depends on how well the organization is prepared for disaster and post-disaster recovery. An effective approach to this problem entails investment in the recovery infrastructure during the organization’s regular information system operations (Susanto, 2011).
Implementation of a security management policy at any organization is beset by many challenges. Best practices developed during planning are executed at this phase. Cost is one of the major constraints on implementing complex solutions to security problems. Adopting an impact assessment approach in this phase is essential in determining the priorities for implementation. Since the policies adopted differ from the previous structures, they aim at bringing about change and improving security management.
Implementation of the plan to achieve user accountability involves a series of proactive measures. Logging user activity, with users’ consent, will provide relevant information for computer forensics in the event of an attack. In addition to the established user database and authorizations, the system used to authenticate a user should be dynamic. Static authentication credentials present a vulnerability, since passwords and login details, once obtained, can be reused to compromise the system’s integrity in the future (Eloff, 2005).
Staff training and development can be utilized as an opportunity to improve system security. Many threats posed to information systems result from human vulnerabilities. Incompetence and outdated skills lead to unforeseen threats. Since computing is a dynamic field, all staff are required to be equipped with the latest information and skills. Training IT security experts in system security and capacity building will enhance their ability to deal with threats.
Environmental risk assessment and business continuity planning are among the proactive steps toward system security. Physical destruction of information systems must be addressed through the establishment of alternative ways to back up information. Allocating adequate funds for the construction of “hotspots” and “cold spots” in case of emergency will ensure business continuity. In other words, operations will continue as usual despite the emergence of a risk within the organization. Further, other risks presented by the environment can be addressed through adequate research. Organizations should always be aware of trends in information systems security. In addition, a specialized unit should be established to research and anticipate potential threats in the market. This will enhance prevention and preparedness in case of an attack (Humphreys, 2008).
The check stage in information security management involves analyzing and assessing the current state against previously set standards. This analysis helps determine whether the adopted measures are effective in achieving the goals. Standards suggested during the implementation phase are critically analyzed to ascertain that they assist in attaining the desired goals (Saint-Germain, 2005). Acceptable performance is determined in line with best practices.
During this phase, measures like conducting vulnerability assessments and reviewing their results can be used to understand the scope of vulnerability. This can be done through the analysis of staff accountability in the use of information systems. Further, the impact of the training that staff have received must be evaluated, which is evident in the new best practices they adopt (Humphreys, 2008). In particular, this can be seen in measures like the effective use of antivirus software and firewalls, network administration, and information storage and movement.
Risk management audits can be adopted in this phase to develop a profile of the environment and the risk levels of potential threats. A risk audit will present facts on the internal and external environment. This information will provide evidence of how effective the research and data mining have been in coping with security threats. A better understanding of the environment means more effective research and hence a smaller number of unknown threats. Known threats are easier to manage than unfamiliar attacks. This information should be regularly collected, analyzed and reported in order to ensure continuous improvement of the system.
Daily monitoring of system logs, firewall logs and any other indicators of intrusion will enhance organizational preparedness. Business continuity planning should be checked to determine how prepared the organization is. The infrastructure established to cope with security threats should also be evaluated. This may include managing the inventory invested in preparation for a disaster, as well as comparing the cost of the risk with the organization’s investment in disaster planning. The ability to cope with the potential risk should exceed the imminent threat (Susanto, 2011).

The act phase focuses on maintaining the newly adopted security state while providing for the integration of changes and improvements. Decisions in the act phase should be based on the security policy, the set objectives, plans and strategies, and the results of the assessments undertaken in the check phase. The process starts with an analysis of the actions implemented in the previous phases. Essential elements to consider include determining which measures are inefficient or need improvement.
Considering that the organization’s employees are now conversant with the new security measures, the ineffective ones can be readily identified. The competency of the trained staff should be compared against the improvements in system security. Sustained improvement indicates that better expertise is available among the staff, while the contrary requires adjustments, which include improving staff training and development (Humphreys, 2008).
The risk and vulnerability profile of the information system established in the check phase should be used in the act phase to improve the system. The research and collection of relevant information can be assessed in line with the system implementation. Poorly collected information undermines the environmental risk evaluation process.
Staff accountability should be reviewed based on the effectiveness and ease of use of the new security measures. Compliance and accurate execution of the policies imply better security management, while the contrary is undesirable. Developing new strategies to motivate and encourage the adoption of new security measures can be used to resolve this impasse (Humphreys, 2008).
Business continuity planning can be evaluated based on the findings of the check phase. This includes ascertaining the extent to which the new baseline has enhanced disaster management. The strategy of establishing alternative workstations can be reviewed in comparison with the system’s resilience. More resilient post-disaster systems should be funded and established as part of the infrastructure. Moreover, ineffective recovery plans must be redesigned using the information from the check phase.