The purpose of this paper is to explore the major standards and legislation in information security. A description of their fundamentals is presented, together with a reflection on whether they are achieving their intended purpose. The study then discusses the implementation process for two of these standards and the challenges an organization faces in implementing them. Finally, an account is presented of how regulations regarding information security should be formulated and the factors that need to be taken into consideration when formulating information security regulations and policies.
Major legislation and standards in information security
ISO/IEC 27002
ISO/IEC 27002:2005 is a globally adopted information security standard that originated from BS 7799-1, which was initially devised by the BSI, the British Standards Institution. ISO/IEC 27002:2005 is a code of practice for information security management; its purpose is to serve as a practical guideline and common basis for developing organizational security standards and effective security management practices. The standard contains best-practice recommendations and guidelines for eleven major domains of information security: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) was established by the leading payment card brands, as members of the PCI Security Standards Council, for the purpose of enhancing the security of payment account data. PCI DSS comprises twelve main requirements that cover software design, network architecture, procedures, policies, security management, and other significant protective measures. The requirements are grouped into six broad areas: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy (Siponen, 2006).
COBIT
COBIT, the Control Objectives for Information and Related Technology, is an open and trusted framework that is increasingly employed by companies all over the world. Arguably, COBIT is the most suitable control framework for helping an organization ensure alignment between its use of information technology and its corporate objectives, since it emphasizes the business requirements that each control objective satisfies. COBIT organizes good practice across a domain and process framework and presents activities in a logical and manageable structure. The good practices of COBIT represent the consensus of professionals and experts. They are strongly focused on control rather than on execution or implementation. Such practices help optimize IT-enabled investments, ensure service delivery, and provide a measure against which to judge when things go wrong.
ITIL
ITIL - The Information Technology Infrastructure Library is an assortment of the finest ...