
IT Security Policy, Research Paper Example

Pages: 4

Words: 1082

Research Paper

Security frameworks are essential in helping to protect a company from outside IT intrusion. As the security consultant for a medium-sized insurance company, mapping out the right security framework for the business is essential to protecting the interests of the business, its clients, and their private information.

There are several security frameworks to choose from, and one fits this company particularly well: ISO/IEC 27002 (Code of Practice for Information Security Management), developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27002 is a popular framework because of its flexibility in working with companies of any size or location. This standard provides organizations with best-practice recommendations on information security management. The standard directs its recommendations to management and security personnel responsible for information security management systems. (Kim & Solomon, Pg 349)

Just like its predecessor ISO 27001, ISO/IEC 27002 follows approachable objectives and outlines the recommended security controls within each section. They include: security policy, risk assessment, asset management, human resources, physical and environmental security, operations, access control, information systems development, information security incident management, business continuity, and compliance. (ISO, 2008) This section writes out a framework for the insurance company using the ISO/IEC 27002 standard.

Purpose

To construct and control the IT system in order to improve the quality of work and protect employees and clients from unauthorized access to information, and to ensure that these protections are applied in a manner consistent with the company and its workflow. This policy focuses on risk assessment, identification, and management. The main goals of this policy are to minimize business damage, ensure business continuity, and maximize return on investment through a secure information technology security framework.

Scope

The scope of this policy is to implement the ISO/IEC 27002 standard, which creates an effective framework for overall security management within the information security management system. This policy covers all employees, consultants, agents, security staff, technical hardware systems, and others working on the premises of this Company.

Roles & Responsibilities

The following standard, ISO 27002, is used. In the framework, we adopt the following definitions as a set of standards focused on Information Systems Management (ISM). The head of information management has responsibility for data quality and for guiding data control. Data security administrators are in charge of granting access rights and assessing threats to the information assurance (IA) program. The responsibility for managing risk assessment and security is left to the Information Security department. All employees are responsible for reporting any security breaches or incidents under this policy to the head of the IT security department.

Authority

This policy is supported by the head of the HR, the president of the company, and its Board of Executives.

Objectives

The objectives of this policy operate on a need-to-restrict basis and include the following outlined principles: risk assessment, security policy, human resources, physical security, and access control.

Standard

This policy complies with the ISO 27001 practice standard for information security management. It is designed as a single reference point for identifying the range of controls needed.

Implementation: Human Resources

All employees are subject to pre-employment screening, which includes a background check and drug tests. All personnel will sign a confidentiality agreement. Human Resources will inform management and other departments of employee hiring and firing.

Security Policy

All employees and personnel will be required to wear visible, company-issued identification at all times while in the company. The security system that maintains access control will be adequately secured.

Physical and Environmental security

Access to outside premises and information support infrastructure will be monitored to prevent and detect unauthorized access to these areas. The access list of the door access system will be reviewed by the Security Department on a timely basis and then reviewed by head management. Photography or video recording will not be allowed inside restricted areas without prior permission.

Access Control

Access cards will grant access for a specified period, not exceeding the approved time, and will be issued to individual personnel. Visitors in areas other than those designated for them should be assisted by an employee. The visitor's purpose of visit must be logged in the visitor's register.
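The physical access controls above (time-limited cards, an access list reviewed by the Security Department, escorted visitors outside designated areas, and a purpose recorded for every visit) can be checked mechanically against an export of the door system and the visitor register. The script below is an added example written for this page, not part of the paper or of any product; the record layout, the designated-area list, the maximum card validity and all sample rows are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy parameters (not stated numerically in the paper).
DESIGNATED_AREAS = {"lobby", "reception"}   # visitors may be here unescorted
MAX_CARD_DAYS = 200                         # longest validity window allowed


@dataclass(frozen=True)
class AccessCard:
    card_id: str
    holder: str
    valid_from: date
    valid_to: date
    active: bool        # True if the door system still accepts the card


@dataclass(frozen=True)
class VisitorEntry:
    visitor: str
    escort: str         # employee assisting the visitor, "" if none recorded
    purpose: str        # purpose of visit as written in the register
    area: str           # area the visitor was admitted to


# Constructed sample export of the door access list (not real data).
CARDS = [
    AccessCard("C-1001", "a.smith", date(2024, 1, 1), date(2024, 12, 31), True),
    AccessCard("C-1002", "contractor-7", date(2024, 3, 1), date(2024, 3, 31), True),
    AccessCard("C-1003", "j.doe", date(2024, 1, 1), date(2024, 6, 30), False),
]

# Constructed sample rows from the visitor register (not real data).
VISITS = [
    VisitorEntry("vendor-a", "a.smith", "printer maintenance", "server room"),
    VisitorEntry("vendor-b", "", "", "server room"),
    VisitorEntry("auditor", "j.doe", "compliance audit", "lobby"),
    VisitorEntry("courier", "", "parcel delivery", "lobby"),
]


def expired_but_active(cards, today):
    """Card IDs whose validity period has ended but which the door system still accepts."""
    return sorted(c.card_id for c in cards if c.active and c.valid_to < today)


def over_long_validity(cards, max_days=MAX_CARD_DAYS):
    """Card IDs issued for longer than the policy's maximum window."""
    return sorted(c.card_id for c in cards
                  if (c.valid_to - c.valid_from).days > max_days)


def visitor_register_gaps(visits):
    """Register rows that violate the visitor rules.

    A purpose is always required; an escort is required only when the
    visitor was admitted to an area outside DESIGNATED_AREAS.
    """
    gaps = []
    for v in visits:
        missing = []
        if not v.purpose.strip():
            missing.append("purpose")
        if v.area not in DESIGNATED_AREAS and not v.escort.strip():
            missing.append("escort")
        if missing:
            gaps.append((v.visitor, tuple(missing)))
    return gaps


def review_report(cards, visits, today):
    """Bundle the findings the Security Department would pass to management."""
    return {
        "expired_active": expired_but_active(cards, today),
        "over_long": over_long_validity(cards),
        "register_gaps": visitor_register_gaps(visits),
    }


if __name__ == "__main__":
    for finding, rows in review_report(CARDS, VISITS, date(2024, 7, 1)).items():
        print(f"{finding}: {rows}")
```

Run on the constructed data as of 1 July 2024, the review flags the contractor card that expired in March but is still enabled, the employee card issued for a full year, and the server-room visit that was recorded with neither an escort nor a purpose; the courier in the lobby is not flagged because the lobby is a designated area.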

Compliance is a serious issue with policies. It is necessary, both under the law and for the company, that employees comply with the policy. The ISO 27002 standard is broken down into several controls that adhere to the plethora of government regulations and compliance requirements. By following them, the risk of the company and its employees violating those regulations is decreased. By implementing the standard correctly, the policy framework is set up to evaluate risks and controls and to keep the company and all of its assets in compliance.

In the user domain, there are several risks, including user awareness, security violations, and personal devices that connect to the system. (Johnson, 2008) The workstation domain, much like the user domain, is vulnerable to personal devices connecting to the infrastructure, which can cause severe security risks. Unauthorized access to workstations and software leaves workstations open to viruses and intrusion. LAN domain policy must address unauthorized access to the LAN, its systems, applications, and data. The LAN-to-WAN domain is serious because this is where the company's infrastructure accesses the internet; when connecting the system, the challenges include intrusion, access to the domain, and probing of the domain. The WAN domain connects to other networks, but the challenge facing the business is that it is open and easily accessible to everyone, and vulnerable to eavesdropping from outside sources. The remote access domain connects users through remote access; much like the user and workstation domains, personal devices such as cellphones and tablets leave the system open to intrusion, hackers, and unauthorized access. The last domain is the system/application domain, which faces challenges from access to data centers and files through cloud computing or intrusion into server operating systems. All these challenges should be addressed in the policy and outlined with a plan to solve them.

ISO 27001 defines methods and practices for implementing information security in organizations, with detailed steps on how these are implemented. They aim to provide reliable and secure communication and data exchange in organizations. It also stresses a risk-based approach to accomplishing its objectives. This standard dives deep into ways to implement its sub-objectives, which puts managers who are looking for clarification on implementation at an advantage. However, it fails to achieve the goal of integrating into a larger system.

References

Kim, David & Michael G. Solomon. (2010). Fundamentals of Information Systems Security. Retrieved from http://my.safaribooksonline.com/book/certification/securityplus/9780763790257/in

Introduction to ISO 27002. (2008). The ISO 27000 Directory. Retrieved from http://www.27000.org/iso-27002.htm

Johnson, Robert & Mark Merkow. (2010). Security Policies and Implementation Issues. Jones & Bartlett Learning.
