Establishing an effective Information Technology Security Policy Framework is critical to the development of a comprehensive security program. Many security frameworks are commonly referenced by organizations when developing their security programs. Review the security frameworks provided by NIST (SP 800-53), the ISO / IEC 27000 series, and COBIT. Assume that you have been hired as a consultant by a medium-sized insurance organization and asked to draft an IT Security Policy Framework. You may make any assumptions needed to complete this assignment.

Write a three to five (3-5) page paper in which you:

1. Select a security framework, describe the framework selected, and design an IT Security Policy Framework for the organization.
2. Describe the importance of, and a method for, establishing compliance of IT security controls with U.S. laws and regulations, and how organizations can align their policies and controls with the applicable regulations.
3. Analyze the business challenges within each of the seven (7) domains in developing an effective IT Security Policy Framework.
4. Describe the implementation issues and challenges of your IT Security Policy Framework and provide recommendations for overcoming them.
Information Security Framework (ISF)
When Chris opened that file, a breach occurred on Best Stocks' network targeting the firm's information base. The file contained a specialized worm or virus programmed to steal the passwords of users logged on to the network at the same time it was released.
Best Stocks could have protected itself from these issues if it had implemented some form of information security based on a certified information security framework (ISF).
Information security frameworks are collections of standardized policies, procedures and guides meant to direct a firm or other organization that adopts them on how to protect its hardware, software, data, information, network, computing devices, users and clients from potential security breaches arising through use of the firm's resources or services.
There are three main reasons for using information security frameworks:
Several frameworks are available that help address key information security concerns, including the popular ones listed below:
An example of a security policy driven by the ISF mentioned above is made up of sections or domains which address the company's operational processes or infrastructure, as follows:
Security Policy Scope: This defines the coverage of the security policy document and the roles and responsibilities that drive it across the organization.
Organizational Security: This addresses the organization's security needs covering its staff, customers or clients, suppliers and other vendors handling key processes on its behalf.
Risk Assessment and Treatment: This helps identify potential risks and the responses that reduce their effect on the organization.
Asset Classification: The value of an asset determines how sophisticated its protection should be. To implement this, the company's assets, irrespective of size or use, are classified and protected accordingly.
Human Resources Security: This deals with the processes involved in staff engagement, onboarding and termination.
Physical and Environmental Security: This covers protection of the firm's buildings and physical entry points, as well as protection against environmental dangers that could have an impact on the building itself.
Communications and Operations Management: This section addresses the organization's communication and operational channels, protecting each channel on a need-to-know and need-to-access basis.
System Access Controls: This addresses the requirements and standards for granting and maintaining staff access to systems, applications, and networks.