Question

ANALYSIS

Direction: Answer the following question carefully

Guideline:

The students can solve the assignment as a group if they like. Your answer must include the following:

- Your answer must be coved and discussed for each section.

- Also, you must support the answer with an appropriate example in detail: i.e how to implement the example in this section.

- You can answer the question by group: each group consists of 2 students, one of the students must be a leader for the group, and the leader will present the idea after answer the solution.

Q1 Imagine the scenario showing that you are the head of control department in your company required to prepare a strategic plan for the company to achieve the ISO/17799, Analysis the sections of ISO/IEC 17799, support your answer with appropriate example,

Your answer includes the explanation and example for each section.

Sections

Explanation

(How to implement the example for each section)

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

Application:

Q1. Marking scheme:1 mark for each of the complete explanation, and 1 mark for each of the complete reflected example.

Answer 1

Based on the assignment, ISO/IEC 17799 establishes the guidelines and general principles for initiating, maintaining, implementing, and improving information security management in an organization or the business. The objectives or the goals outlined to provide general guidance on the commonly grounded accepted goals of the Information Security Management System (ISMS). The ISO/ IEC comprises the information security standards that published jointly by the team of International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

As an employee, who is the head of the control department in the company and required to prepare a core strategic plan for the company’s information security to achieve the ISO/17799 and here we analyze the sections for the detailed brief about the security standardization of information’s. The ISO 17799 provides the practical guidelines and policies for developing organizational security controls system and effective security management practices for the business.

The ISO/IEC 17799 includes the best practices of control objectives, security cores, and controls in the following areas of information security management, and the purpose is to identify by a risk assessment (key structure of the ISO 17799):

(a) Security policy: The establishment of security policy is well packed with policies related to security of information and how it connected to the broader ISMS and it will provide interested parties the right confidence they need to trust what sits behind the security policy. Example: The top management of company ABC advocate the security policy for the information protection and building trust within the stakeholders to associate with the company.

(b) Asset management: This aspect involves the aspect or requirement of a management system towards the asset management of the business. This provides a core framework to establish the policies, processes, objectives, and governance and facilitates the asset management of an organization's achievement of its strategic goals. Example: The Company XYZ ensure to prepare the policies based on the asset management and ensure to track the information related to the assets in efficient ways. The Company has to meet all the standards for keeping the norms in place.

(c) Organization of information security: This model helps to establish a management framework to initiate, collaborate, and control the implementation and operations of information security within the purview of the organization. Example: Company ABC is handling the websites of the projects and it is mandatory to ensure the security of the information. In the time being, the Company has to consider the importance of information security to protect it from threats.

(d) Human resources security: The human resource is a crucial part of the organization and it operates the employee recruitment, hiring, compensation, and other financial records of the company. The section manages the data threats and gain the confidence of the human resources. Example: The Company HR Manager, ABCD ensures to register the files, records, and details regarding the employees under the policy of ISO to secure the information.

(e) Physical and environmental security: The programs that define the measures or controls that in-directly protect the organization's data from loss of connectivity and further availability of computer processing in information management caused by theft, flood, fire, intentional destruction, mechanical equipment failure, unintentional damage, and power failures. Example: The head controller of the company have to consider the security arrangements to secure and regain the information during the time of distress or calamity in nature. The manager of the organization has to ensure the data are secured and reserved for further utilizations.

(f) Access control: It is crucial to determine the Access Control Policy (ACP), user access management, and application control within the purview of information security management. This security technique which completely regulates who, where, or what can view, access, or use the information resources in a computing environment. Example: The IT executive in the department cannot access the Management Information System (MIS) of the company due to a lack of access to the particular network.

(g) Communications and operations management: In the scenario, the Information technology systems have the process of large quantities of universal data. These information systems – include computers, mobile devices, networking equipment, storage media, and other related IT components – must be managed well so as to protect information. Example: The head of the IT has to assign the respective person to manage the communication networks and operations management to ensure the best security in the system.

(h) Information systems acquisition, development, and maintenance: It is crucial to attain development models, acquisition of systems, the development of core structures, and the timely maintenance of the system for the better management of the information. This is to ensure that the security mechanism is an integral part of the information systems. Example: The department has to consider the security mechanisms in a better way if any lack of management arises in the long run of the operations. This failure of employees will affect the overall security in systems acquisition, development, and maintenance.

(i) Business continuity management: To counteract the interruptions to every business activity and to protect the critical business processes from the impacts of major failures of information systems and to ensure their timely resumption. Example: In the organization, information security is directly connected with the business continuity management, the team of employees has to track and monitor the security of the information because of the sensitive nature of information management.

(j) Compliance: This is to avoid the breaches of any law, regulatory, statutory, or contractual obligations of the information management and of any kind of security requirements. Example: The department under the IT has to consider and monitor the legal aspects of the breach or contractual obligations of the information security in the real world collaborations.

Conclusion

The above sections are very crucial and important in the security aspects of information security management. Each organization is very unique in culture and operation, therefore each business will face different threats, issues, and vulnerabilities. It is very important to understand the controls that mentioned in the standard algorithms are not as organized or well prioritized according to any specific criteria. Each control has equal importance, validity, and considered at the information systems and business project requirements specification and every design stage. Failure to meet this will result in less cost-effective measures, a threat to the security management of information, or even failure in achieving adequate security for the organization.