Solutions to the Problems of our Current Security State
By
TABLE OF CONTENTS
INTRODUCTION
SECURITY POLICY
Risk Assessment and Management
Information Security in Relation with Users of Organization's Services
ORGANIZATIONAL SECURITY
ASSET MANAGEMENT
HUMAN RESOURCES SECURITY
PHYSICAL AND ENVIRONMENTAL SECURITY
Areas of Security
COMMUNICATIONS AND OPERATIONS MANAGEMENT
Operational Procedures and Areas of Responsibility
Services of Third Party
System Acceptance and Planning
Protection against Malicious Code
Backup
Administration of Network
ACCESS CONTROL
Requirements of Business
User administration
Access Authorization/control
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
Requirements of Security for Information Systems
Cryptographic Controls
System File's Security
INFORMATION SECURITY INCIDENT MANAGEMENT
Responsibility for reporting
BUSINESS CONTINUITY MANAGEMENT
Planning of Continuity
COMPLIANCE
Compliance with Official Requirements
REFERENCES
Introduction
This paper will discuss the current state of compliance and information security in organizations, along with the political and cultural challenges associated with information security management in organizations. The reality an individual faces in an organization is that sensitive electronic information exists everywhere, particularly on laptops and other mobile storage devices. When this information is stolen, lost or otherwise compromised, it creates tangible and intangible costs for the organization. It is therefore important to identify and understand the solutions to the problems of our current security state.
Security policy
Security policy includes the support and commitment for information security. In organizations, security policy must be a central concern. With the advent of networks and electronic communications, non-profit, government, public and private organizations must have firm information security practices in order to maintain a high level of stability for information systems and business processes. Business continuity includes securing information systems against common software and hardware incidents and, above all, ensuring that they are protected from outside and inside hazards. The board of directors is mainly responsible for making security policy for an organization (McAdams, 2004).
Risk Assessment and Management
An organization's approach to security must be based on risk assessment.
The organization must continuously evaluate risk and assess the need for security measures. These measures must be assessed in light of the organization's role, establishing their practical feasibility, cost and efficiency.
An overall assessment of information systems risks must be performed on an annual basis.
Risk assessment should identify, quantify and prioritize risks using a method appropriate to the identifiable risks.
Risk assessments must be performed when implementing changes that affect information security. Recognized risk assessment methods must be used, such as ISO/IEC 27005.
It is the responsibility of the CSO to ensure that risk assessment processes are coordinated in accordance with the information security policy (Cavusoglu, 2004).
System owners are responsible for ensuring that risk assessment within their particular area of responsibility is executed in accordance with the information security policy.
Information Security in Relation with Users of Organization's Services
In good security policy practice, the security roles and responsibilities of employees and contractors are defined.
Background screening is performed for all appointees to different positions, in accordance with relevant laws and regulations.
A confidentiality agreement must be signed by employees, contractors or others who can gain access to internal and/or sensitive information (Kankanhalli, 2003).