Solutions to the Problems of our Current Security State

By



TABLE OF CONTENTS

INTRODUCTION1

SECURITY POLICY1

Risk Assessment and Management2

Information Security in Relation with Users of Organization's Services3

ORGANIZATIONAL SECURITY3

ASSET MANAGEMENT5

HUMAN RESOURCES SECURITY5

PHYSICAL AND ENVIRONMENTAL SECURITY6

Areas of Security6

COMMUNICATIONS AND OPERATIONS MANAGEMENT7

Operational Procedures and Areas of Responsibility7

Services of Third Party7

System Acceptance and Planning8

Protection against Malicious Code8

Backup8

Administration of Network8

ACCESS CONTROL9

Requirements of Business9

User administration9

Access Authorization/control9

INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE10

Requirements of Security for Information Systems10

Cryptographic Controls10

System File's Security10

INFORMATION SECURITY INCIDENT MANAGEMENT11

Responsibility for reporting11

BUSINESS CONTINUITY MANAGEMENT11

Planning of Continuity11

COMPLIANCE12

Compliance with Official Requirements12

REFERENCES13

Solutions to the Problems of our Current Security State

Introduction

This paper will discuss the current state of compliance and information security in organizations along with the political and cultural challenges associated with the information security management in organizations. The reality an individual face in an organization is that sensitive electronic information exists everywhere-particularly on laptops and other mobile storage devices. When this information is stolen, lost or otherwise make a mess of intangible and tangible costs for an organization. This is important to identify and understand the solutions to the problems of our current security state.

Security policy

Security policy includes the support and commitment for information security. In organizations, policy for organization security must be a main subject. As the advent of networks and electronic communications, non-profit, government, public, or private organizations must have firm practices of information security, in order to maintain a higher level of stability for information systems and business processes. Continuity of business includes securing information systems from common software and hardware instances and, mainly ensuring that those are protected from outside and inside hazard. The board of directors is mainly responsible for making security policy for an organization (McAdams, 2004).

Risk Assessment and Management

An approach of an organization towards security must be based on assessment of risk

Organization must continuously evaluate the risk and assess the need of security measures. These security measures must be assessed based on the role of an organization, for the establishment of research in relation to practical feasibility, cost and efficiency

An overall assessment of information systems risks must be performed on annual basis.

Assessment of risk should prioritize, quantify and identify the risks according to relevant method for identifiable risks

Risk assessments must be performed when implementing changes affecting information security. Identified methods of risk assessment must be used, like ISO/IEC 27005.

It is the responsibility of CSO to ensure that the processes of risk assessments are coordinated in accordance with the information security policy (Cavusoglu, 2004)

The owners of the system must be responsible for guaranteeing that risk assessment in the particular region of responsibility is executed in accordance with the information security policy.

Information Security in Relation with Users of Organization's Services

In a good practice of security policy, security responsibilities and roles of contractors and employees are defined

A background monitoring is performed of all appointees at different positions, according to relevant regulations and laws

An agreement of confidentiality must be signed by contractors, employees or other who can gain access to internal and/or sensitive information(Kankanhalli, 2003)

Regulation of IT must be ...