Introduction
ISO/IEC 17799:2005, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The standard gives general guidance on the commonly accepted goals of information security management and describes best-practice controls in each of the areas it covers. By its own scope statement it is a code of practice rather than a certifiable specification (certification is carried out against the companion standard ISO/IEC 27001), yet it makes a significant contribution to the management of information security; it was later renumbered ISO/IEC 27002. This paper reviews the control areas of ISO/IEC 17799:2005 and the guidance each offers for addressing the problems of an organization's current security state.
Security policy
The security policy clause aims to provide management direction and support for information security in accordance with the business requirements and the relevant laws and regulations. It is the responsibility of management to lay out policy guidelines that align with the business objectives, to demonstrate support for information security, and to commit to maintaining the information security policy of the organization (Doherty & Fulford, 2005). The information security policy should be approved by management and should offer implementation guidance. It outlines the policies, principles, standards, and compliance requirements that are significant to the organization. Every user within the organization should be able to understand the information security policy, so it must be relevant, accessible, and easy to grasp and apply (ISO/IEC 17799:2005).
Organization of information security
The information that circulates within an organization arises from both the internal and the external environment. Information security within the organization should be managed through a management framework that oversees and controls the relevant processes. Management is required to approve the information security policy, assign security roles, and coordinate the implementation of security across the organization. Management plays a crucial role in supporting security by giving clear direction, showing commitment, and responding promptly to security concerns. Information security also requires proper coordination among the heads of the different sections of the organization, each with defined roles and responsibilities. There ought to be a clear allocation of information security responsibilities so that every party has a role to play in protecting the information used within the organization (Siponen & Willison, 2009). Another important aspect of organizing information security is the use of confidentiality agreements that reflect the organization's need to protect its information.
The management of information security and its implementation require regular independent review to confirm that they still meet the needs of the organization and reflect changes in the threat environment. The results of the review should align with the direction for information security set out in the information security policy document. Another key issue in the organization of information security is maintaining the security of information and information processing facilities that are accessed by external parties. Access to the information processing facilities by external parties, and the information they communicate or process, should be controlled. A risk assessment is necessary whenever external parties require access to the information facilities of the organization; it determines the security implications and the controls required. Any risks identified should be mitigated through appropriate controls before access to the information processing facilities is granted.
Asset management
Every organization has particular assets of concern that require proper control and maintenance to ensure the security of the information used. Organizational assets require appropriate protection and proper accounting. The owners of the assets should be identified and made responsible for maintaining the appropriate controls; an owner may delegate the day-to-day operation of specific controls but remains accountable for them. The assets require an inventory that tracks their ownership, movement, and maintenance within the organization. The inventory lists all the assets together with the information necessary for recovery from a likely disaster. Other details to record include the type, format, location, backup information, licensing, and business value of each asset. The major types of assets include information, software, physical, service, human resource, and intangible assets. Information assets entail databases and data files, system documentation, user manuals, training materials, contracts and agreements, and audit trails, among others. Software assets include application and system software as well as system development tools. Physical and service assets include computer equipment, communication facilities, computing and communication services, and general utilities (International Organization for Standardization and International Electrotechnical Commission, 2005).
All information and assets associated with information processing facilities should have a designated owner who is responsible for their appropriate classification and for defining and periodically reviewing the access restrictions that apply to them, in line with the access control policy. Ownership may be allocated to a business process, a defined set of activities, an application, or a set of data. Information is an essential asset of the organization and should be classified according to its value, sensitivity, and the level of protection it needs when handled. Highly sensitive information should receive an additional level of protection.
Human resources security
The security of human resources is becoming a critical issue because of the increasing number of compromises of data and information. It is paramount to ensure that employees, contractors, and third-party users understand their responsibilities and are accountable for their actions, so as to reduce the risk of theft, fraud, and misuse of the information processing facilities. Security responsibilities should be set out before employment, as part of the terms and conditions of employment, and agreed to by the candidate. It is also necessary to screen all staff, both internal and external and regardless of seniority, to a level commensurate with the sensitivity of the information they will access. Users of information, whether employees or third-party users, should sign an agreement that binds them to their security roles and responsibilities. The security of human resources should be a major consideration before, during, and after employment (Luo, Brody, Seazzu & Burd, 2011). Employees ought to receive training and awareness on the security procedures and the proper use of the information processing facilities so as to minimize security risks. Termination of employment should be accompanied by proper management of the exit, including the return of all equipment and the removal of all access rights.
Physical and environmental security
The physical environment that hosts the organization's premises should be protected against unauthorized physical access, damage, and interference with the premises and the information. Sensitive information and the related processing facilities ought to be housed in secure areas with defined security perimeters. These areas should have appropriate security barriers and entry controls, and should be protected against unauthorized access, damage, and interference. The risks associated with unauthorized access to particular areas should be analyzed and mitigated appropriately. Areas that contain information and information processing facilities should be protected by security perimeters such as walls, manned reception desks, or card-controlled entry gates (British Standards Institution, 2005).
Maintaining the security of equipment helps to prevent the loss, damage, theft, and compromise of assets that would interrupt the main operations of an organization. Equipment ought to be protected against physical and environmental threats. It is necessary to protect both on-site and off-site equipment to limit the risk of unauthorized access to information and to guard against damage and loss. Special controls may be needed to protect against physical threats and to safeguard the supporting utilities, such as power supply and cabling, on which the equipment depends (International Organization for Standardization and International Electrotechnical Commission, 2005).
Communications and operations management
Communications and operations management is a critical aspect in determining the level of security within an organization. Operating procedures should ensure the correct and secure operation of the information processing facilities. The organization requires defined responsibilities and procedures for the management and operation of the information processing facilities; these should be documented, maintained, and made available to the users who need them. Another consideration is third-party service delivery management, which requires an appropriate level of information security and service delivery in line with the third-party service delivery agreements. It is the responsibility of the organization to check the implementation of the delivery agreements and to monitor compliance with them (ISO/IEC 17799:2005).
The organization ought to have mechanisms in place to minimize the risk of system failures through planning and preparation. Capacity planning ensures that the resources deliver the required system performance. Another consideration is that the operational requirements of new systems should be established, documented, and tested before acceptance and use. Acceptance should require that the agreed security controls are in place, so that a new system does not expose the organization unnecessarily.
The integrity of software and information are important considerations in information security. Software and information ought to be free from malicious code. Precautions are necessary to prevent and detect malicious code and unauthorized mobile code. Software and information processing facilities are subject to malicious code such as viruses, network worms, Trojan horses, and logic bombs, of which users should be made aware. Hence, it is necessary to have controls that prevent, detect, and eradicate malicious code (DiMase, Collier, Heffner & Linkov, 2015).
Backups are necessary to maintain the integrity and availability of information and the related processing facilities. Backup is an information security measure that requires routine procedures to implement the agreed backup policy and strategy, including regular testing of the backup copies to confirm that they can actually be restored. The management of network security is a crucial aspect of ensuring information security, since it protects the information in the networks and the supporting infrastructure. The important considerations in network security management are the data flows, legal implications, monitoring, and data protection. Sensitive information that passes over public networks should be protected, for example by encryption (Waldron, 2008).
The way media are handled is a determining factor in information security. Appropriate media handling prevents the unauthorized disclosure, modification, removal, or destruction of assets, and interruption of business activities. Media should be controlled and physically protected by appropriate operating procedures that protect documents, computer media, and input and output data and system documentation from unauthorized access; media that are no longer required should be disposed of securely.
The exchange of information should adhere to the policies in place as well as the relevant legislation. Thus, it is necessary to have procedures and standards that protect information and physical media in transit and maintain the security of the information and software being exchanged.
Access control
Access to information, information processing facilities, and business processes should be restricted according to business and security requirements. The access control rules should align with the policies on information dissemination and authorization. Only authorized users should have access to information systems, and formal procedures should be in place to control the allocation and revocation of access rights. Authorized users are responsible for preventing unauthorized access to, and compromise of, the information and the associated processing facilities. Users should be aware of their obligation to adhere to the access controls, particularly in the selection and use of passwords and in not leaving equipment unattended. Another aspect is the prevention of unauthorized access to network services, since such access can compromise the security of the network. Access to operating systems should likewise be restricted to authorized persons. Mobile computing and teleworking expose the organization's critical information to additional risks, hence the need to control their use (International Organization for Standardization, 2005).
Information systems acquisition, development, and maintenance
The acquisition, development, and maintenance of information systems require adherence to the prescribed security controls. Information systems require a high level of security, and identifying the security requirements at the design stage, so that the implementation supports the business process, is important. There should be correct processing in applications to prevent errors, loss, and unauthorized misuse of information. Additional controls may be applied to systems that handle sensitive or valuable information. These controls include validation of the input data, checks on the internal processing, and validation of the output data. Access to system files and program source code ought to be restricted to avoid exposure of sensitive data (ISO/IEC 17799:2005).
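As an added illustration that is not part of this paper or of the standard's text, the following Python sketch shows what the input validation, internal processing control and output validation described above can look like inside an application: every field of an incoming record is checked against an explicit format, range and allow-list, and the accepted output is reconciled against the record count and total declared for the batch. The record layout, the field limits, the account-identifier format and the sample batch are all assumptions made for this example.

```python
"""Added illustration, not code from the paper or the standard: application-level
validation of input data and reconciliation of output against control totals,
as the clause on correct processing in applications asks for. The record
layout, field limits and the sample batch below are all assumed."""
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional, Tuple

ACCOUNT_RE = re.compile(r"[A-Z]{2}[0-9]{8}")   # assumed account-id format
MAX_AMOUNT = Decimal("10000.00")              # assumed per-record ceiling
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}   # allow-list, not a deny-list


@dataclass(frozen=True)
class Payment:
    account: str
    amount: Decimal
    currency: str


def validate_record(raw: Dict[str, str]) -> Tuple[Optional[Payment], List[str]]:
    """Input validation: check format, range and allow-list membership of
    every field, collecting all errors rather than stopping at the first."""
    errors: List[str] = []
    account = str(raw.get("account", "")).strip()
    if not ACCOUNT_RE.fullmatch(account):
        errors.append("account: bad format")
    amount: Optional[Decimal] = None
    try:
        amount = Decimal(str(raw.get("amount", "")))
    except InvalidOperation:
        errors.append("amount: not a number")
    else:
        # Reject NaN/infinity, non-positive values, values above the ceiling
        # and amounts with more than two decimal places.
        if (not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT
                or amount != amount.quantize(Decimal("0.01"))):
            errors.append("amount: out of range or bad precision")
    currency = str(raw.get("currency", "")).strip().upper()
    if currency not in ALLOWED_CURRENCIES:
        errors.append("currency: not allowed")
    if errors:
        return None, errors
    return Payment(account, amount, currency), []


def process_batch(records: List[Dict[str, str]], declared_count: int,
                  declared_total: Decimal) -> Dict[str, object]:
    """Control of internal processing and output validation: validate every
    record, then reconcile the accepted set against the count and total the
    sender declared for the batch. Rejected records are reported, never
    silently dropped, so any discrepancy is visible to the operator."""
    accepted: List[Payment] = []
    rejected: List[Tuple[int, List[str]]] = []
    for index, raw in enumerate(records):
        payment, errors = validate_record(raw)
        if payment is None:
            rejected.append((index, errors))
        else:
            accepted.append(payment)
    actual_total = sum((p.amount for p in accepted), Decimal("0"))
    reconciled = len(accepted) == declared_count and actual_total == declared_total
    return {"accepted": accepted, "rejected": rejected,
            "total": actual_total, "reconciled": reconciled}


# Constructed sample batch: two well-formed records and two that must be rejected.
SAMPLE_BATCH = [
    {"account": "GB12345678", "amount": "250.00", "currency": "USD"},
    {"account": "FR11112222", "amount": "10.5", "currency": "eur"},
    {"account": "DE87654321", "amount": "-5", "currency": "GBP"},
    {"account": "XX1", "amount": "abc", "currency": "JPY"},
]


def run_example(declared_count: int = 2,
                declared_total: str = "260.50") -> Dict[str, object]:
    """Run the sample batch against the declared control totals."""
    return process_batch(SAMPLE_BATCH, declared_count, Decimal(declared_total))


if __name__ == "__main__":
    result = run_example()
    print("accepted:", len(result["accepted"]), "rejected:", result["rejected"])
    print("total:", result["total"], "reconciled:", result["reconciled"])
```

The allow-list for currencies and the anchored pattern for the account identifier are deliberate: a deny-list of known-bad values would let any unexpected input through, whereas an allow-list rejects everything not explicitly permitted. Using Decimal rather than float keeps the control-total comparison exact, which is what makes the reconciliation meaningful.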
Information security incident management
The organization requires a formal method of reporting information security events and weaknesses so that timely corrective action can be taken. All users should be aware of the procedure in place for reporting events and weaknesses that may affect the security of the organization. There should be a consistent and effective approach to the management of information security incidents, and the organization should have procedures in place to handle reported information security events and weaknesses effectively, including the collection of evidence and learning from incidents (Siponen & Willison, 2009).
Business continuity management
Several information security aspects of business continuity management are necessary to counteract interruptions to business activities. They also help to protect critical business processes from the effects of major failures. A business continuity management process helps to lower the impact on the organization and to recover from losses in the event of security breaches or disasters. Business continuity management includes controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely availability of information for the essential business processes (Herbane, 2010).
Compliance
The need to comply with legal requirements aims to avoid breaches of any law, regulatory or contractual obligation, or security requirement. Information systems are subject to statutory, regulatory, and contractual security requirements. It is also necessary to comply with the organizational security policies and standards, as well as with the technical compliance requirements. There ought to be audits of compliance with the appropriate security standards and the documented security controls. Other considerations are the information systems audit controls that safeguard operational systems and audit tools during audits (ISO/IEC 17799:2005).
Conclusion
The need for adequate information security measures cannot be overstated in the present world, given the increase in security threats. Security breaches occur quite often, even in organizations that have reliable measures against such occurrences. The sophisticated methods used by those behind the breaches make it necessary to have policies and guidelines, such as those in ISO/IEC 17799:2005, on how to improve the security status.
References
British Standards Institution. (2005). Information technology: Security techniques. Code of practice for information security management. London: British Standards Institution.
DiMase, D., Collier, Z. A., Heffner, K., & Linkov, I. (2015). Systems engineering framework for cyber-physical security and resilience. Environment Systems and Decisions, 35(2), 291-300.
Doherty, N. F., & Fulford, H. F. (2005). Do information security policies reduce the incidence of security breaches: An exploratory analysis. Information Resources Management Journal, 18(4), 21-39.
Herbane, B. (2010). The evolution of business continuity management: A historical review of practices and drivers. Business History, 52(6), 978-1002.
International Organization for Standardization & International Electrotechnical Commission. (2005). Information technology: Security techniques. Code of practice for information security management. Geneva: ISO/IEC.
International Organization for Standardization. (2005). International standard: Information technology. Security techniques. Code of practice for information security management. Geneva: International Organization for Standardization.
ISO/IEC 17799 (2005). Information technology: Code of practice for information security management [LITD 17: Information Systems Security and Biometrics].
Luo, X., Brody, R., Seazzu, A., & Burd, S. (2011). Social engineering: The neglected human factor for information security management. Information Resources Management Journal, 24(3), 1-8.
Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267-270.
Waldron, M. (2008). Developing an information management strategy. Business Information Review, 25(2), 101-104.
Sherry Roberts is the author of this paper.