
Running Head: SAMSUNG STRATEGIC INFORMATION SECURITY 1

Samsung strategic information security

Name:

Student number:

Course:

Institution:

Instructor:

Date:

ABSTRACT

Samsung is an electronics and smart appliances technology enterprise that conducts its operations across the world. The following research paper focuses on Samsung's customer information security solution. Information security is the protection of a company's private information from use, access, obliteration or inspection by unauthorized personnel. Lack of proper protection can lead to malicious manipulation of information, leading to business failure as a result of miscommunication between the interdependent information users. An enterprise information security policy (EISP) ensures that the various users have the information they need while protecting confidential information from unauthorized access (Bateson, 2010). The paper also provides substantial background information on Samsung's security elements and offers guidelines on how to raise the standards of the enterprise information security policy.

Introduction

In the twenty-first century, technological advancement has enhanced the way enterprises carry out their day-to-day business activities. Samsung, as one of the leading players in offering technological appliances and services, has played a vital role in this advancement. To achieve this level of success, all the stakeholders ought to have a close business relationship and consult on ways to achieve better results. With operations all over the world, the risk of the enterprise's private information being susceptible to tampering is high, because of the broad scope of both the internal and external environments in which the business operations take place. This security risk has to be mitigated for Samsung to maintain a competitive edge in the market. Competition comes with industry players trying to win a bigger clientele base (Kim, 2010), which may prompt Samsung to safeguard confidential information from competitors who may try to access it. To ensure the enterprise retains trust and aspires for growth, strategic decisions need to be made to avoid information leaks (Parsons, 2002). Vital information for customers as well as for employees should be readily available. To achieve this, an EISP must be incorporated in Samsung's operating structure.

Company profile

Samsung is a multinational conglomerate based in Samsung Town, South Korea. Under the Samsung brand, it has affiliated businesses, making it the largest business corporation in South Korea. Lee Byung-chul started the corporation as a trading company in 1938. The group specialized in areas including food processing, securities, insurance, and textiles. Today Samsung is in construction, shipbuilding, and electronics. Electronics, consisting mainly of semiconductors and mobile phones, is the primary source of income. Samsung influences the media, politics and economic development.

Samsung affiliate companies include Samsung Engineering, Samsung Electronics, and Samsung C&T. There are fifty-nine unlisted and nineteen listed Samsung affiliate companies on the Korea stock exchange.

Information security systems

There are three main types of information security that organizations like Samsung should emphasize: physical, communications and network security. Samsung has allocated a substantial amount of resources to these three areas, as follows.

Physical security is the protection of human resources, hardware, programs and data from potential loss or from an event that may cause damage (Hoboken, 2007). Damage may result from fire, natural disaster, theft or terrorism. Installation of surveillance and an alarm system in the company helps to mitigate the above risks. Security lights, intrusion detectors, surveillance cameras and heat sensors also perform this function.

Sensor shelving and movement detection are part of a physical security system that uses light and movement to detect burglary. When the sensors detect the movement of an intruder, the LED light triggers an activity which sends signals that alert security. Visual intelligence software used together with the shelving system has also enhanced monitoring from a central point (Peltier, 2005). Security personnel in a surveillance room can concentrate on many outlets at the same time, hence saving time and resources while enhancing efficiency.


Contingency plan

It is imperative for Samsung to respond to emergencies and unfavorable conditions resulting from the internal and external environments. A contingency plan enables the organization to prepare in advance for ways to handle an emergency (Probst, 2010). Contingency plans can also be viewed as strategies that are implemented when the anticipated event does not happen. A contingency plan requires the active participation of the employees. The following key processes should be followed to ensure the continued existence of the business.

• Develop the contingency planning policy statement. Doing so aids in the identification of the benefits and risks. The leadership of the company is in a better position to handle uncertainties if there is preparation.

• Conduct the business impact analysis (BIA). The analysis helps the management in deciding when a contingent action should be taken once a risk has been identified; for example, if there is a power shortage at Samsung, a power generator should be used as an alternative.

• Identify preventive controls. The controls should be set in a way that Samsung's core activities run as usual. In case a particular production machine is faulty, there should be a technical team with mechanical skills to restore the machine to operation. This team should be separate from the routine machine operators.

• Create contingency strategies. The strategic plan should be economical. During adverse events, costs of operations are expected to escalate; thus managers should prepare for possible outcomes that deviate from those expected.

• Develop an information system contingency plan. This step requires the enterprise to estimate how the contingency plan will contribute to mitigating the associated situation.

• Ensure plan testing, training, and exercises. Available lead time allows the organization to develop an advanced action plan. This step should include different measures, since specific early warning signals may not necessarily result in the right decision making.

• Ensure plan maintenance. A developed contingency program should be communicated to the intended recipients in the concerned operation sector (Kim, 2010). Communication and rehearsal of contingency steps should be exercised and necessary improvements made.

Communication security is whereby telecommunication takes place without interruption while avoiding unauthorized interception of information transferred between the clients. Samsung has secure servers that store the data that has been uploaded to the corporation's servers. Only highly skilled personnel who have gone through a rigorous recruitment process access the servers. This is to ensure that there is no unauthorized access which may lead to alteration or misuse of confidential information. Encryption of information ensures minimal chances of stray access. To identify the device from which the communication emanates, Samsung uses cookies. These cookies create a means to facilitate the collection of data on how the website is being used, and the web experience is also optimized.

Network security involves taking preventive software and physical measures aimed at protecting the given networking infrastructure from alteration, unauthorized access, misuse, improper disclosure or destruction (Kim, 2010). Network security works by combining multiple layers of defenses in the network and at the edge. Each layer of network security implements policies and controls.

This creates a secure environment for Samsung programs to run the hardware and for network users. The network administrator controls access to data, granting it only to users with assigned identifications and passwords. Samsung users who need to access this information are required to create accounts that capture the biodata necessary for creating an identity.

Samsung's customer Information Security Solution consists of two groups of features that provide different types of security:

• SecuThru™ Lite, a server-less authentication and pull-printing solution with card authentication, access, and security-based print release functionality that holds print jobs until the authentication process is complete.

• Additional embedded functions that meet IEEE Std 2600.1 (P2600) requirements (Samsung.com).

Information security model

The CIA triad (CISO 2015) is one of the security models adopted by Samsung. Ideally, it is designed to enhance information security within Samsung. The main principles under which it functions are integrity, confidentiality, and availability.

The integrity principle involves having accurate data whose trustworthiness and consistency remain stable over the period of use (Rabasa, 2010). Reliability is compromised by alteration. An erroneous change by an authorized user can be a source of risk. This should be mitigated by ensuring there are user access controls to reduce cases of data tampering. Backups should be put in place to ensure lost data can be restored in the event of a situation like a server crash. A service provider should ensure the clients' information does not leak to an unintended user.

Confidentiality in information security is getting information to the required entity while ensuring no unauthorized access. Depending on the level of risk associated with given data, the standard of strictness varies. Highly confidential data requires a higher investment in security. Unauthorized access may lead to an increased cost of regaining trust, to the point where it can result in loss of business.

One of the data confidentiality techniques involves having employees trained on handling risk-prone data. With sensitized personnel handling risk-prone data, the probability of mishandling is reduced. Trainees should also have knowledge of how to deal with unfavorable events. A secure password to access information is a key factor in best-practice procedure. Strong passwords include the use of unique names and a combination of letters and numbers (Ballad, 2012).

There are two known ways of ensuring online transaction confidentiality. The first is the use of data encryption and an account number. There is a set procedure that involves the use of passwords and IDs. Confidentiality methods like tokens, key fobs, and biometrics are also used. Samsung encourages its customers to ensure personal information and passwords are kept within reach of only the authorized user. Mobile phones, for example, ought to have passwords known only to their owners.

The availability principle holds that information retrieval should be timely and available whenever required. Samsung routinely conducts hardware maintenance. Faulty machines are also repaired, and new ones brought in to replace completely worn-out ones. Installation of proxy servers helps to prevent intruders' unauthorized activities such as hacking or denial-of-service attacks (Rashvand, 2010).

Samsung, with mobile phones as a major source of enterprise income, adopts a mobile security model. Having forged a partnership with Booz Allen Hamilton, it is provided with a comprehensive mobile risk assessment. Mobile security models have seven fundamentals.

Business Management and Governance: This domain concerns policy and is focused on the organization's goals and the comprehensive business strategy that runs the company. The domain seeks to discover the threats that organizations face and relate them to business requirements, such as what devices the organization uses, the sources of the devices, and decisions on trusted sources and locations. Using this information, the organization has a better grip on handling business risk, establishing the most suitable mobile policies and refining capital investment towards efficient and secure application of mobile tools and services.

Legal Policies and Regulatory Requirements: The next area of focus is legal policies and regulatory requirements, to warrant conformity and the correct administrative practices, guidelines and standards for the field in which the organization operates. It pays attention to the established regulations for dealing with prerequisites that are particular to the field of operation or geographical location, including mobile-specific regulations, data management, privacy, and employee work-hours specifications.

Mobile Applications: The fourth domain centers on mobility applications, including apps for tablets. This is a critical component, since two in five enterprises are affected by dangerous mobile apps from rogue marketplaces. It is critical to know how apps are developed for specific devices and to understand the threat model that applies to each. This understanding must underpin how apps are developed and managed in order to ensure their integrity. Deciding whether to build one's own app store or use someone else's matters, as does how to assess the security of the applications one develops, as well as the ones used from third parties, and how they connect to back-end systems and services. While this ties back to infrastructure, the focus here is on data movement and application integrity.


Data protection is a core factor of mobile security models (Probst, 2010). This domain aids in understanding the life cycle management of data in the mobile environment: the protection of data and the validation of its integrity, especially when in transit; the performance of access control checks and the use of tools such as data loss prevention (DLP) to detect malicious activity; and the destruction of data at the end of its useful life or when it is no longer needed or required. This domain enables a user to understand what data is being moved on and off devices, what mechanisms are being used to protect data at rest or in transit, and who or what has access to the data. It requires confirmation that data is managed as intended as well as validation that data is destroyed in line with specific regulations and requirements. Data destruction is one area in which many companies perform poorly (Rabasa, 2010). In industries such as financial services, healthcare and government agencies, there is a life cycle associated with data. The cycle mandates that data must be destroyed after a certain amount of time or when it is no longer needed, reducing the opportunity for abuse. The Data Protection domain will help one understand the risks to data and what actions should be taken to protect it, hence meeting one's requirements and needs.

Mobility End Points: Understanding the abilities of mobile devices and tying these capabilities back to the business-based security requirements is key to success. This domain helps users understand what devices are appropriate for which purposes within the business. The use cases require device-level encryption at rest and in transit, and access controls suitable to meet one's needs. One requires a life cycle management policy that ensures devices are configured correctly when initially deployed and throughout their life cycle (Chang, 2011). Also required is a decommissioning process that takes into account the need to remove evidence of the applications and data that may have been stored on the device.


Risk and Threat Management: Finally, the mobile security assessment considers risk and threat management, looking at incident management and threat response for mobility environments. One must identify how this fits with the overall risk management program and legacy infrastructure. There is a lot involved, including vulnerability assessments, paper exercises, and pen testing, all of which are mainly focused on legacy infrastructure, not mobility. A mobile threat program should be in place, or one should be leveraged from a partner (Parsons, 2002). A device loss prevention strategy should also be in place. One should find out whether one can locate and erase data or even brick a device, and what the threat requirements are.

By undertaking such an extensive security assessment, the organization will have peace of mind that users can embrace mobility. This gives them the improved productivity and flexibility that they require, in a secure manner that reflects the particular business requirements.

Conclusion

In conclusion, Samsung, like many businesses today, faces information security challenges. This is because the running of a business is largely dependent on information systems that are under the threat of unauthorized information access. If information is tampered with, there is a risk that the business may fail. Due to the broad nature of Samsung's business environment, there have been continuous improvements to its information security. This helps to ensure that Samsung's systems are updated and monitored constantly.


References

Andress, J. (2011). The basics of information security. Waltham, MA: Syngress.

Ballad, B., Ballad, T., & Banks, E. (2011). Access control, authentication, and public key infrastructure. Sudbury, MA: Jones & Bartlett Learning.

Chang, K., & Wang, C. (2010). Information systems resources and information security. Information Systems Frontiers, 13(4), pp. 579-593.

Dhillon, G. (2007). Principles of information systems security. Hoboken, NJ: John Wiley & Sons.

eSecurityPlanet.com (2015). Woolworths Mistakenly Leaks $1 Million in Gift Cards. [online] Available at: http://www.esecurityplanet.com/network-security/woolworths-mistakenly-leaks-1-million-in-gift-cards.html [Accessed 27 Aug. 2015].

Kim, D., & Solomon, M. (2012). Fundamentals of information systems security. Sudbury, MA: Jones & Bartlett Learning.

Original Security Bank (London, E.). (2000). Plan of the Original Security Bank, established in Norfolk Street, Strand: London. London: Printed by J. Bateson.

Pachova, N. I., Nakayama, M., & Jansky, L. (2008). International water security: Domestic threats and opportunities. Tokyo; New York: United Nations University Press.

Parsons, T. N., & Lingard, J. R. (2002). Lingard's bank security documents. London: LexisNexis Butterworths.

Peltier, T., Peltier, J., & Blackley, J. (2005). Information security fundamentals. Boca Raton, FL: Auerbach Publications, pp. 12-20.

Probst, C. W. (2010). Insider threats in cyber security. New York: Springer.

Rabasa, A. (2010). Money in the bank: Lessons learned from past counterinsurgency (COIN) operations. Santa Monica: Rand Corp.

Rashvand, H., Salah, K., Calero, J., & Harn, L. (2010). Distributed security for multi-agent systems: Review and applications. IET Inf. Secur., 4(4), p. 188.
