
Information Technology Security Policy Framework, Reaction Paper Example

Pages: 6

Words: 1648

Reaction Paper

Abstract

Information security management has become extremely prevalent as more and more of individuals' information and vital data is stored, transferred and used in information technology systems.  With the ease of access to and use of personal information there is also a rise in the need for laws and regulations governing the use, access and security of that data.  Alongside the laws and regulations there are also specific techniques and best practices that can be implemented at each level of access to mitigate the risk of a security breach and provide control over the integrity of the information.  Each area of information security has specific focal points for ensuring data security and includes risk mitigation as a keystone of data integrity.

Information Technology Security Policy

Despite the increase in network and data center security with the most up-to-date and technologically advanced security modules, there is still the potential for a security breach posing a threat to the network.  Criminals and other people with malicious cyber intent are continually exploring and creating new ways of bypassing or superseding security software in order to gain access to classified material such as banking information, personal data, competitors' intellectual property or other information that may provide a potential advantage or gain to the criminal.  The potential loss of data integrity or corruption of personal medical information is a direct violation of HIPAA and requires a significantly higher level of security and awareness to ensure protection.  Information security requires a high level of rigor in safeguarding the information and ensuring it is used appropriately and serves its intended purpose.  To keep these key areas in focus there are rules, policies, regulations and laws that support an environment able to adequately safeguard private information.  Specific rules and regulations govern specific subject areas such as patient information, employee data, demographics, credit card data, social security numbers, financial information, research and development, intellectual property and disclosure options, to name a few (Cappelli, 2012).  Data is a powerful tool and protecting that information is the responsibility of many parties.  From the individual making the transaction to the corporation that is utilizing that data to better serve its customers, each level must follow the regulations and comply with the laws governing information security.  Attackers gain this information by taking advantage of potential weaknesses in the security systems through physical or opportunistic methods.
These losses could result in the loss of business-critical information or loss of a competitive advantage, both of which could negatively impact the company as a whole. Accordingly, information or data is vital for organizations, and they need to protect their data from competitors, hackers, cyber criminals and many more (Calder, 2008). This paper will highlight the implementation of the proposal for an ISO 27001 compliant information security management system (ISMS) for the pharmacy in order to implement a standard that ensures the confidentiality, availability, and integrity of data.  The focus is on mitigation by prevention, detection, correction or acceptance of the physical and logical vulnerabilities associated with networks and data.

Change and Implementation

With an implementation or organizational change there must be a push by leadership in not only facilitating the change but also driving it.  The project to implement the security plan should be driven from a proven and structured framework that enhances the credibility of the project, establishes its boundaries and establishes the best practices needed for an environment of success.  Many security frameworks exist, including structures to build and implement the requirements based on NIST (SP 800-53), the ISO/IEC 27000 series, and COBIT.  For the security framework to meet the growing organizational demands and enhanced security requirements, the best fit is the framework that meets those expectations.  For example, NIST (SP 800-53) is incorporated in all U.S. federal information systems and provides guidance to entities regulated by federal policy and regulations.  The ISO/IEC 27000 series is more generalized and inherently more flexible in its application and framework adherence.  This structure is focused on best practices for information security management, risk management, control implementation and information security system design (SANS Institute, 2003).  The objective of the implementation of the new information technology security policy is to cover all of the technological requirements surrounding security of the data, infrastructure, networks, communication methods, systems, software and people, but also to instill a policy that incorporates a level of accountability throughout the organization.

The ISO/IEC 27000 series of standards is used to establish a model for establishing and operating an information management system (CabinetOffice, 2008).  This series incorporates multiple standards as a collection that addresses key areas within the information security environment to ensure an effective and efficient policy is implemented.  The framework outlines the main milestones of the policy, including establishing an information system, an overview of the security system as a whole, definitions of key terms and attributes, accountability requirements, certifications and guides on implementing the system.  The series includes multiple standards, a family of standards, that address the differing areas needed to create an effective and efficient management system.

The design of the security framework is based upon the requirements and best practices drawn from the ISO/IEC 27000 series of standards.  The flexibility of the series allows the framework to be put in place while also accommodating the needs of the business prior to operationalizing the policy.  In order to define an IT security policy framework it is important to understand what a policy is supposed to do.  The policy has a few primary objectives to accomplish.  The first and foremost is to drive the procedures and processes that operate the business in an environment protected by security measures.  In order to drive this behavior there will be measurable and definitive milestones to ensure adherence.  Adherence includes documenting the requirements, accommodating audit stipulations, documenting and passing milestone tollgates, and continual periodic review based upon the needs of the business.  The core function of the policy is to establish the principles by which the business's security efforts are guided. The core principles are outlined by the SANS Institute and include identification and compliance, asset management, asset protection, acceptable use, vulnerability management, threat assessment, continuity, physical security and awareness (SANS, 2005).  Each of these areas will have its own section and will be fully explained as it pertains to the organization's security needs.  With regard to implementation there are seven other focal points that incorporate the domains of security, including access controls, security operations, monitoring and analysis, risk, response and recovery, cryptography, networks and communication, and malicious code and activity (Kizza, 2010).  Each of these areas carries its own set of needs and requirements.

Importance of Effectiveness

The importance of a security management system lies in its effectiveness.  An effective security management policy will provide the groundwork for the mitigation of potential threats to the company's data and information.  While protection of information is vital, this corporation is dealing with multiple layers of data governance that must be protected not only for the customer but also because of outside rules and regulations enforced by federal, state and other outside entities (Kizza, 2010).  The effectiveness is influenced by the level of correlation between the company's policy and the regulating entities outside the organization.  It is critical to align the internal policies and procedures with the external forces of government, federal and state, or other governing bodies such as international bodies or administrations.  This alignment of the company's policies with U.S. laws and regulations ensures compliance and confidence in the company's security measures.

Implementing the project will require best practices not only in IT security but also in project management to ensure the project is delivered on budget, within scope and on schedule.  The challenges faced, such as adherence to the policy, accountability for the policy and future maintenance, will be driven by leadership to ensure the right resources are allocated to run the project, promote accountable behavior, and provide sustainment actions to ensure adherence and meet future security requirements.

Security Policy Requirements

In order to create and maintain a security policy, the first step is to ensure that it is in line with current business requirements and processes. That said, the policy must also be structured so that it can be enforced, with appropriate repercussions for violating it. This establishes the framework on which the policy sits and ensures that what is generated can actually be used for its intended purpose. This security policy will be developed from the requirements gathered from the multiple business units, and in essence gathering and utilizing those requirements creates a bond between the end users, leadership and the project team. The role of the policy is to influence people's actions as well as to guide them so that certain goals and objectives are attained.  The influence is derived from management's support as well as end-user buy-in during the creation of the requirements.  The business requirements are processed and formed into what we can utilize as a security policy.  The security policy can be derived from the business requirements, but it will also need to work in conjunction with the business operations as a whole.  Security of data, segregation of duties, role-based access control, data maintenance and availability, risk mitigation and contingency operations are all vital to the business and thus vital to the security policy.

References

CabinetOffice. (2008). HMG security policy framework. Retrieved: http://webarchive.nationalarchives.gov.uk/+/http://www.cabinetoffice.gov.uk/media/111428/spf.pdf

Cappelli, P. (2012). How to get a job? Beat the machines. Time: Business & Money. Retrieved: http://business.time.com/2012/06/11/how-to-get-a-job-beat-the-machines/

Kizza, J. (2010). Computer network security. New York, NY: Springer Science Business Media.

SANS Institute. (2003). Applying the OSI seven layer network model to information security. Retrieved: http://www.sans.org/reading_room/whitepapers/protocols/applying-osi-layer-network-model-information-security_1309

SANS Institute. (2005). Building a security policy framework for a large, multi-national company. Retrieved: http://www.sans.org/reading_room/whitepapers/awareness/building-security-policy-framework-large-multi-national-company_1564
