Tuesday, November 20, 2018

Solutions to the Problems of our current Security State


Introduction
ISO/IEC 17799:2005, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, establishes the guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The standard outlines general guidance on the commonly accepted goals of information security management and collects best-practice controls for the areas of information security management it covers. Its scope statement notes that it is not available for public use as an ISO standard, but it makes a significant contribution to the management of information security. This paper seeks to address the problems of the current security state by presenting the solutions offered by the ISO/IEC 17799:2005 guidelines.
Security policy
The security policy targets information management and seeks to provide direction and support for information security in accordance with the requirements of the organization and the relevant laws and regulations. It is the mandate of the management team to lay out elaborate policy guidelines that align with the business objectives. The policy should also demonstrate support for information security and a commitment to maintaining an information security policy for the target organization (Doherty & Fulford, 2005). The information security policy should be approved by management and should also offer implementation guidelines. It outlines the policies, principles, standards, and compliance requirements that are significant to the organization. All users within the organization should have insight into the information security policy, so it must be relevant, accessible, and easy to grasp and apply (ISO/IEC 17799:2005).
Organization of information security
The information that circulates within the organization arises from both the internal and the external environment. It is important to manage information security within the organization through a management framework that oversees and controls the processes. The management team needs to approve the information security policy, delegate certain duties, and coordinate the implementation of the security policies across the organization. The management team has a crucial role in supporting security within the organization by giving clear directives, being committed, and offering timely responses to security concerns. Information security requires proper coordination by the heads of the different sections within the organization, each with defined roles and responsibilities. There ought to be a defined allocation of information security responsibilities so that all parties have a role to play in enhancing the security of the information used within the organization (Siponen & Willison, 2009). Another important aspect of organizing information security is confidentiality agreements that reflect the need for all parties to protect information.
The management of information security and its implementation requires regular reviews to ascertain that it meets the needs of the organization and matches the global security status. The results of the review should align with the direction of information security as outlined in the information security policy document. Another key issue in the organization of information security is maintaining the security of the information and processing facilities that are accessed by external parties. There ought to be control over external parties' access to the information processing facilities as well as their communication of information. A risk assessment is necessary whenever external parties require access to the organization's information facilities; it helps to determine the security implications as well as the required controls. Any risks identified should be mitigated through the appropriate controls before granting access to the information processing facilities.
Asset management
Every organization has particular assets of concern that require proper control and maintenance to ensure the security of the information used. Organizational assets require appropriate protection and proper accounting. The custodians of the assets should be identified, and responsibility for maintaining their controls should be assigned to specific people. Some assets are better maintained by their owner according to the control guidelines. The assets require an inventory that tracks their movement and maintenance within the organization. The inventory lists all the assets and the information necessary for recovery from a likely disaster. Other details to consider include the type, format, location, backup information, licensing, and value to the business. The major types of assets include information, software, physical, services, human resources, and intangible assets. Information assets include databases and data files, system documentation, user manuals, training materials, contracts and agreements, and audit trails, among others. Software assets include application and system software as well as system development tools. Physical and service assets include computer equipment, communication facilities, computing and communication services, and general utilities (International Organization for Standardization and International Electrotechnical Commission, 2005).
All assets and information related to information processing facilities should have a designated owner who is responsible for appropriate classification and takes the access control policies into consideration. The owner may be a business process, a defined set of activities, an application, or a set of data. Information is an essential asset of the organization and should be classified by need, priority, and the level of protection required when handling it. Highly sensitive information should have an additional level of protection.
Human resources security
The management of human resources is becoming a critical issue due to the increased compromise of data and information security. It is paramount to ensure that employees and other external parties understand their responsibilities and are accountable for their actions, to reduce the risk of theft, fraud, and misuse of the information processing facilities. There ought to be a comprehensive overview of the security responsibilities before employment, as part of the terms and conditions of employment, for the employee to comply with. It is also necessary to have thorough screening of all staff, both internal and external, regardless of their position, to ascertain the security of the human resources. Users of information, whether employees or third-party users, should sign an agreement that binds them to their security roles and responsibilities. The security of human resources should be a major consideration before, during, and after employment (Luo, Brody, Seazzu & Burd, 2011). Employees ought to receive training and awareness of the security procedures and the proper use of the information processing facilities to minimize security risks. Termination of employment should be accompanied by proper management of the exit, with the return of all equipment and the removal of all access rights.
Physical and environmental security
The physical environment that hosts the organization's premises should have protection against unauthorized physical access, damage, and interference with the premises and information. Sensitive information and the related processing facilities ought to be in secure areas with defined security perimeters. These areas should have the appropriate security barriers and entry controls as well as protection against unauthorized access, damage, and interference. The risks associated with unauthorized access to certain areas should be analyzed and mitigated appropriately. Areas that contain information and information processing facilities should have security perimeters such as walls, staffed reception desks, or card-controlled entry gates (British Standards Institution, 2005).
Maintaining equipment security helps to prevent loss, damage, theft, and compromise of assets that would interrupt the main operations of an organization. Equipment ought to have protection against physical and environmental threats. It is necessary to protect both on-site and off-site equipment to limit the risk of unauthorized access to information and to ensure protection against damage and loss. Special controls may be needed to protect against physical threats and to safeguard the facilities that support the equipment (International Organization for Standardization and International Electrotechnical Commission, 2005).
Communications and operations management
Communications and operations management is a critical aspect in determining the level of security within an organization. For operational procedures, there ought to be correct and secure operation of the information processing facilities. The organization needs defined responsibilities and procedures for the management and operation of the information processing facilities, which should be properly documented, maintained, and available to the users who need them. Another consideration is third-party service delivery management, which requires an appropriate level of information security and service delivery in line with the third-party service delivery agreements. It is the mandate of the organization to check the implementation of delivery agreements and to monitor compliance with them (ISO/IEC 17799:2005).
The organization ought to have mechanisms in place to minimize the risk of system failures through planning and preparation. Planning ensures that the resources deliver the required system performance. Another consideration is the operational requirements of new systems, which should be developed, documented, and tested before acceptance and use. Acceptance should require that the agreed security controls are in place to avoid exposure.
The integrity of software and information is an important consideration in information security. Software and information ought to be free from malicious code. Precautions are necessary to prevent and detect malicious code and unauthorized mobile code. Software and information processing facilities are subject to malicious code such as viruses, network worms, and logic bombs, of which users should be aware. Hence, it is necessary to have controls that prevent, detect, and eradicate malicious code (DiMase, Collier, Heffner & Linkov, 2015).
Backups are necessary to maintain the integrity and availability of information and the related processing facilities. Backup is an information security measure that requires routine procedures to implement the backup policy and strategy. The management of network security is a crucial aspect of ensuring information security, since it helps to protect the information in the networks and in the supporting infrastructure. The important considerations in network security management are data flow, legal implications, monitoring, and data protection. Sensitive information should not pass over public networks (Waldron, 2008).
The mode of media handling is a determining factor in information security. Appropriate media handling prevents unauthorized disclosure, modification, removal, or destruction of assets, and the interruption of business activities. Media should be controlled and physically protected by employing appropriate operating procedures to protect documents, computer devices, and input and output system documentation from unauthorized access.
The exchange of information should adhere to the policies in place as well as the relevant legislation. Thus, it is necessary to have procedures and standards to protect information and physical media and to maintain the security of the information and software in use.
Access control
Access to information, information processing facilities, and business processes should be restricted according to the business and security requirements. The access control guidelines should align with the policies on information dissemination and authorization. Only authorized users may have access to information systems, and formal procedures should be in place to control access rights. Authorized users have a responsibility to prevent unauthorized access to, and compromise of, the information and the associated processing facilities. Users should be aware of their obligation to adhere to the access controls, especially in the use of passwords. Another aspect is the prevention of unauthorized access to network services, since such access can compromise the security of the network services. Access to operating systems should also be controlled and limited to authorized persons. Mobile computing and teleworking increasingly threaten the security of the organization's critical information, so their use must be controlled (International Organization for Standardization, 2005).
Information systems acquisition, development, and maintenance
The acquisition, development, and maintenance of information systems require adherence to the prescribed security controls. Information systems require a high level of security, and designing and implementing them to support the business process is important for meeting the security requirements. There should be correct processing in applications to prevent errors, loss, and unauthorized misuse of information. Additional controls may apply to systems that handle sensitive and valuable information. The controls also include validation procedures for the input data, internal processing, and output data. Access to system files and program source code ought to be restricted from public access to avoid exposure of sensitive data (ISO/IEC 17799:2005).
Information security incident management
The organization needs a formal method of reporting information security events and weaknesses so that timely corrective action can be taken. All users should be aware of the procedure in place to report events and weaknesses that may affect the security of the organization. There should be a consistent and effective approach to the management of information security incidents. The organization should have procedures in place to handle information security events and weaknesses effectively once they are reported (Siponen & Willison, 2009).
Business continuity management
Several information security aspects of business continuity management are necessary to counteract interruptions to business activities. They also help to protect critical business processes from the effects of failure. A business continuity management process helps to lower the impact on the organization and to recover from losses in the event of security breaches. Business continuity management includes controls to reduce risks, lower the consequences of undesirable events, and ensure the availability of information for the business processes (Herbane, 2010).
Compliance
Compliance with legal requirements seeks to avoid breaches of the law and regulations as well as of the security requirements. Information systems are subject to certain statutory, regulatory, and contractual security requirements. It is also necessary to comply with the security policies and standards, as well as the technical requirements. There ought to be an audit of compliance with the appropriate security standards and the documented security controls. Other considerations are information systems audits, which should safeguard the operational systems and audit tools (ISO/IEC 17799:2005).
Conclusion
The need for adequate information security measures cannot be overstated in the present world, given the increased security threats. Security breaches occur quite often, even in organizations that have reliable measures against such occurrences. The complex mode of operation of the people behind the breaches makes it necessary to have policies and guidelines on how to improve the security status.
  
References
British Standards Institution. (2005). Information technology -- Security techniques: Code of practice for information security management. London: British Standards Institution.
DiMase, D., Collier, Z. A., Heffner, K., & Linkov, I. (2015). Systems engineering framework for cyber-physical security and resilience. Environment Systems and Decisions, 35(2), 291-300.
Doherty, N. F., & Fulford, H. F. (2005). Do information security policies reduce the incidence of security breaches: An exploratory analysis. Information Resources Management Journal, 18(4), 21-39.
Herbane, B. (2010). The evolution of business continuity management: A historical review of practices and drivers. Business History, 52(6), 978-1002.
International Organization for Standardization & International Electrotechnical Commission. (2005). Information technology: Security techniques: Code of practice for information security. Geneva: ISO/IEC.
International Organization for Standardization. (2005). International standard: Information technology - Security techniques - Code of practice for information security management. Geneva: International Organization for Standardization.
ISO/IEC 17799 (2005). Information technology: Code of practice for information security management [LITD 17: Information Systems Security and Biometrics].
Luo, X., Brody, R., Seazzu, A., & Burd, S. (2011). Social engineering: The neglected human factor for information security management. Information Resources Management Journal, 24(3), 1-8.
Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267-270.
Waldron, M. (2008). Developing an information management strategy. Business Information Review, 25(2), 101-104.

Sherry Roberts is the author of this paper.
