Information Security Standard for an Organization
Introduction
Technological advancement has its own advantages and drawbacks. Apart from speeding up information processing and sharing, it brings with it vulnerabilities in information technology that organizations need to address. Information held in systems is at risk of attack from external actors, which can result in significant losses of critical information. Legislatures have enacted laws to standardize the security approach and to eliminate imminent vulnerabilities. The National Institute of Standards and Technology (NIST) released the Special Publication 800 series to guide organizations in implementing security in their own systems. However, not all organizations fully comply with the security standards set out in the NIST publications, and organizations adopt different approaches to information security. These differences will be explored by identifying at least two technical standards, describing each, and determining the impact of each standard on the organization.
Adopted Technical Standards
The discussion will focus on two organizations that implement two different types of technical standard. Certicom is a subsidiary of Research in Motion (RIM), the maker of BlackBerry handsets. The company specializes in creating hardware and software solutions for RIM and other affiliates, including the development of core communication platforms for the National Security Agency (NSA). The company's information security standards are based on the FIPS 140-2 guidelines applied to its cryptographic module (certicom.com, n.d.). Encryption is a security mechanism integrated into the information system to protect critical data from being read directly by a human. When data is encrypted it is transformed into ciphertext, which only the corresponding decryption software can interpret (csrc.nist.gov, 2013). LogLogic, on the other hand, a company specializing in security management and compliance reporting, implements a different type of information security standard, based on the ISO/IEC 27002:2005 requirements. LogLogic collects and analyzes event and activity data within a network to point out potential policy breaches and non-adherence. Essentially, LogLogic monitors the information system and searches for evidence of violations of the best practices outlined for security policy, asset management, access control, system maintenance and development, and business continuity management.
Standard Overview, Requirements and Issues
ISO/IEC 27002:2005 and FIPS 140-2 are two different information security standards that organizations implement to serve specific purposes. FIPS 140-2 requirements vary by security level, from 1 to 4; each level adds security requirements on top of the previous one, from the lowest to the highest. In Certicom's case, the encryption requirement is only at Level 1, which requires at least one NIST-approved algorithm or security function. No specific physical security mechanism is required to implement a Level 1 cryptographic module; however, despite the simplicity of the level's requirements, Certicom still incurred 30% algorithm flaws, which violate the FIPS 140-2 standard, along with 48% failed cryptographic functions (certicom.com, n.d.). ISO/IEC 27002:2005, on the other hand, is a set of policies against which an organization's current information security infrastructure is evaluated.
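The two passages above describe encryption as a transformation that only the matching decryption software can reverse, and FIPS 140-2 Level 1 as requiring at least one NIST-approved algorithm. The following is an added example, written for this page and not code from Certicom, RIM or the cited sources, of what that looks like in practice: it uses AES-256-GCM from the Go standard library (AES is specified in FIPS 197 and GCM in NIST SP 800-38D, both on the approved list) to seal and open a record, checks that the plaintext does not appear in the output, and shows that a single flipped bit is rejected rather than decrypted to garbage. The key, record and header are constructed demo values. Using an approved algorithm is only one Level 1 requirement; validation of the whole module under the Cryptographic Module Validation Program is what FIPS 140-2 certification actually attests to, which this snippet does not and cannot demonstrate.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext under a 32-byte key with AES-256-GCM, a NIST-approved
// algorithm (AES per FIPS 197, GCM per SP 800-38D). A fresh random 96-bit nonce
// is drawn per call and prepended to the output so that Open can find it.
// aad is authenticated but not encrypted (for example a record header).
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext||tag to the nonce slice passed as dst,
	// so the result is nonce || ciphertext || 16-byte tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or aad makes
// the authentication check fail, so tampered data is rejected, not decrypted.
func Open(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Tampered reports whether Open rejects sealed after one bit at byte i is
// flipped; used to show the output is authenticated, not merely obscured.
func Tampered(key, sealed, aad []byte, i int) bool {
	mod := append([]byte(nil), sealed...)
	mod[i] ^= 0x01
	_, err := Open(key, mod, aad)
	return err != nil
}

func main() {
	// Constructed demo key. A real module draws keys from an approved RNG or
	// KDF and keeps them inside its cryptographic boundary; never hard-code them.
	key := bytes.Repeat([]byte{0x42}, 32)
	plaintext := []byte("customer record 1234: balance 9,850.00") // constructed
	aad := []byte("record-v1")                                   // constructed header

	sealed, err := Seal(key, plaintext, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (%d bytes): %x\n", len(sealed), sealed)
	fmt.Println("plaintext visible in output:", bytes.Contains(sealed, plaintext))

	recovered, err := Open(key, sealed, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", recovered)
	fmt.Println("flipped tag bit rejected:", Tampered(key, sealed, aad, len(sealed)-1))
}
```

The sealed output is 12 bytes of nonce plus the plaintext length plus a 16-byte tag; the wrong key, a different header, or any single-bit change anywhere in the sealed bytes causes Open to return an error instead of data.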
For LogLogic, it is important to maintain adherence to the ISO/IEC 27002:2005 policies because its business concept is based on compliance with the standard. ISO/IEC 27002:2005 requires the organization to maintain the information security controls stipulated in Annex A while establishing and improving its ISMS suite (LogLogic, 2011). It is rare for an organization such as LogLogic to obtain ISO/IEC 27002:2005 certification because of the strict compliance measures, which must also be reflected in the organization's reporting and auditing. The rarity of certification approval marks the difference between ISO/IEC 27002:2005 and FIPS 140-2: no bank in the United States is ISO/IEC 27002:2005 certified, and even Google took years to get certified, while FIPS 140-2 is implemented in the majority of businesses and organizations that conduct secured transactions.
The issues arising in the use of the two standards depend on how effectively the organization complies with the rules of each standard. For instance, Certicom had compliance issues because the algorithms in its cryptographic module failed the test; therefore, instead of obtaining Level 4 certification, the organization only obtained Level 1 certification. By comparison, the ISO/IEC 27002:2005 standard requires 100% compliance, or no certificate is issued at all. The problem with Certicom's FIPS 140-2 compliance is that the security blanket structured around the encryption program was still shown to be susceptible to cracking, unlike the ISO/IEC 27002:2005 standard, which looks at every aspect of information security, from the physical to the virtual infrastructure, all of which must be in unison.
Impact to the Organization
Complying with the ISO/IEC 27002:2005 and FIPS 140-2 standards demonstrates that the organization is serious about protecting its valuable information and assets. LogLogic was able to improve its business and information security infrastructure. Furthermore, LogLogic strengthened the value of its core products and services, including its reputation as a compliant organization, simply by maintaining and applying the security measures recommended in the ISO/IEC 27002:2005 standard. Certicom, on the other hand, is continuously working to develop its current cryptographic module and algorithms in order to obtain a higher certification level.
References
Certicom.com (n.d.). FIPS. Retrieved September 15, 2013, from http://www.certicom.com/index.php/fips
Csrc.nist.gov (2013, August 13). Computer Security Division - Computer Security Resource Center. Retrieved September 15, 2013, from http://csrc.nist.gov/groups/STM/cmvp/standards.html
LogLogic (2011). ISO/IEC 27002 Compliance Suite Guidebook. Support Manual for Compliance Suite Software Release 3.2. Retrieved from https://docs.tibco.com/pub/loglogic_compliancesuite_iso_edition/3.2.0_march_2011/Compliance%20Suite%20Guide%20Book.pdf