
Information Technology Security Policy Framework, Essay Example

Pages: 3

Words: 878

Essay

With an implementation or organizational change there must be a push by leadership in not only facilitating the change but also driving the change. The project to implement the security plan should be driven from a proven and structured framework that would enhance the credibility of the project, establish the boundaries of the project, and establish the best practices to ensure an environment of success. Many security frameworks exist, including structures to build and implement the requirements based on NIST (SP 800-53), the ISO/IEC 27000 series, and COBIT. For the security framework to meet the growing organizational demands and enhanced security requirements, the best fit would be determined by which framework meets those expectations. For example, the NIST (SP 800-53) is incorporated in all the U.S. federal information systems and provides guidance on entities regulated by federal policy and regulations. The ISO/IEC 27000 series is more generalized and inherently more flexible in its application and framework adherence. This structure is focused on the best practices for information security management, risk management, control implementation and information security system design (SANS Institute, 2003). The objective for the implementation of the new information technology security policy is to cover all of the technological requirements surrounding security of the data, infrastructure, networks, communication methods, systems, software and people but also to instill a policy that incorporates a level of accountability throughout the organization.

The ISO/IEC 27000 series of standards is used to establish a model for establishing and operating an information management system (Cabinet Office, 2008). This series incorporates multiple standards as a collection that addresses key areas within the Information Security environment to ensure an effective and efficient policy is implemented. The framework outlines the main milestones of the policy including establishing an information system, overview of the security system as a whole, definitions of key terms and attributes, accountability requirements, certifications and guides on implementing the system. The series includes multiple standards or a family of standards that address differing areas needed to create an effective and efficient management system.

The design of the security framework is based upon those requirements and best practices pulled from the ISO/IEC 27000 series of standards. The flexibility of the series allows for the framework to be put in place but also facilitates the needs of the business prior to operationalizing the policy. In order to define an IT security policy framework it is important to understand what a policy is supposed to do. The policy has a few primary objectives to accomplish. The first and foremost is to drive the procedures and processes to operate the business in an environment protected by security measures. In order to drive this behavior there will be measurable and definitive milestones that will occur to ensure adherence. Adherence includes the documentation of the requirements, accommodating audit stipulations, documenting and passing milestone tollgates, as well as the continual periodic review based upon the needs of the business. The core functionality of the policy is to establish the principles by which the business’s security efforts are guided. The core principles are outlined by the SANS Institute and include identification and compliance, asset management, asset protection, acceptable use, vulnerability management, threat assessment, continuity, physical security and awareness (SANS, 2005). Each of these areas will have its own section and will be fully explained as it pertains to the organization’s security needs. In regard to implementation there are seven other focal points that incorporate the domains of security: access controls; security operations; monitoring and analysis; risk, response and recovery; cryptography; networks and communication; and malicious code and activity (Kizza, 2010). Each of these areas incurs its own set of needs and requirements.

The importance of a security management system lies within its own effectiveness. An effective security management policy will provide the groundwork for the mitigation of potential threats to the company’s data and information. While protection of information is vital, this corporation is dealing with multiple layers of data governance that must be protected not only for the customer but also due to outside rules and regulations enforced by federal, state and other outside entities (Kizza, 2010). The effectiveness is influenced by the level of correlation between the company’s policy and the regulating entities outside of the organization. It is critical to align the internal policies and procedures with the external forces of government, federal and state, or other governing bodies such as international, administrations or other areas. This alignment of the company’s policies to U.S. laws and regulations ensures compliance and confidence in the company’s security measures.

Implementing the project will require best practices not only with IT Security but also best practices in project management to ensure the project is implemented on budget, meeting scope and within schedule. The challenges faced such as adherence to the policy, accountability of the policy and future maintenance will be driven by leadership to ensure the right resources are allocated to run the project; promote accountable behavior; and provide sustainment actions to ensure adherence and meet future security requirements.

References

Cabinet Office. (2008). HMG security policy framework. Retrieved: http://webarchive.nationalarchives.gov.uk/+/http://www.cabinetoffice.gov.uk/media/111428/spf.pdf

Kizza, J. (2010). Computer network security. New York, NY: Springer Science Business Media.

SANS Institute. (2003). Applying the OSI seven layer network model to information security. Retrieved: http://www.sans.org/reading_room/whitepapers/protocols/applying-osi-layer-network-model-information-security_1309

SANS Institute. (2005). Building a security policy framework for a large, multi-national company. Retrieved: http://www.sans.org/reading_room/whitepapers/awareness/building-security-policy-framework-large-multi-national-company_1564
