ISO/IEC 27000 SERIES
This is a set of standards that are employed to implement an Information Security Management System (ISMS). It comprises policies, procedures and concepts governing the interaction of people and computer devices.
The ISO/IEC 27000 series is still under development, as work continues toward completing ISO/IEC 27000 through ISO/IEC 27010. Once complete, the series will cover the fundamental requirements of an ISMS applicable to any organization regardless of its size, objectives or structure. Implementing ISO/IEC 27001 to manage the security of an organization has immense benefits. ISO 27001 certification is a public statement of an organization's ability to safeguard the information in its systems. It ensures that information security policies and controls are implemented and continually evolved to adapt to the organization's changing risk exposure.
ISO/IEC 27001 defines the requirements of an ISMS, while ISO/IEC 27002 establishes the implementation guidelines and principles. An ISMS is audited against ISO/IEC 27001 for compliance before certification. A number of third-party providers offer certification as well as support for improved implementation throughout the certification period.
COBIT
COBIT, on the other hand, is an established business framework used to govern and manage enterprise information technology resources. COBIT incorporates the latest concepts in enterprise governance and management techniques. It also provides a set of globally accepted principles, practices, analytical tools and models for establishing trust in, and the value of, information systems. The first version, COBIT 1, was established in 1996 to address auditing processes. It has since evolved to encompass control, management, IT governance and the management of enterprise information technology. Currently COBIT 5 is under development to address not only the governance of IT but all aspects of the business for medium and large corporations. In this digital age, information is equally important to global, multinational, national and local organizations, charities, and small to medium enterprises.
Compliance with COBIT increases benefit realization through effective and innovative use of IT resources. The process orientation of COBIT divides the process model into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation.
NIST 800-53
NIST develops the guidelines and standards that set out the minimum requirements for providing information security in an agency. It also stipulates the responsibilities assigned to the Computer Security Division and sets the minimum standards envisaged in Title 44, section 3532 (b)(2). Section 1(a) defines the criteria and standards for categorizing information systems, and the information contained in or collected by them, for federal agencies, contractors and private entities, together with the associated categories, guidelines and standards.
NIST Special Publication 800-53 provides guidelines that organizations apply during system audits to discover security and system needs. The guidelines are formalized and documented to facilitate the implementation of audit and accountability policies.
The Act stipulates effective methods for account management, access enforcement, information flow control, separation of duties and least privilege. For example, NIST 800-53 is used to manage factors such as session controls, automatic marking, management of publicly accessible content, user-based collaboration and access control. The information security access control policy given below is an example.
To ensure compliance with existing US laws and regulations, NIST has outlined nine steps that organizations must follow. These include classification of information, determination of baseline controls, risk assessment and evaluation of control procedures, and documentation of controls, among others.
IT ACCESS CONTROL POLICY
4.4 Network Access control
4.4.1 Network Use Policy
The university will provide connection to the network for the purpose of research and learning. Network access should be used for academic purposes alone. Students will be granted access to permitted networks, while other networks will only be accessed after specific authorization has been granted (Gildas Avoine, 2007).
4.4.2 Authentication for External Connections
All remote users will be authenticated before accessing information resources such as financial transactions and examinations. The Chief Security Officer will be responsible for providing this service.
4.4.3 Remote Diagnostic Port Protection
Modems attached to systems are protected from unauthorized use by disconnecting diagnostic ports that are not in use. Third-party users must be authenticated before accessing devices through remote ports.
4.4.4 Network Segregation
A risk assessment based on the cost and impact of routing and gateway technology is performed before granting third parties the controls necessary to access networks.
New networks that are being developed and tested are segregated from the rest of the University's internal network by firewalls, to contain the effects of malfunctioning software.
Confidential information should be segregated and hosted on separate servers.
4.4.5 Wireless Network Policy
Wireless networks at the University should be restricted to lock out intruders and third parties.
Computers connected via wireless technology should be restricted to the University library and lecture halls.
4.6 Mobile Computing
The university will institute policies that control the use of laptop computers, PDAs and mobile phones on its network.
Security assessment will be carried out based on the following (Gollmann, 2011):
- Introduction of malicious programs on the network
- Use of cryptographic techniques
- Network connection and its use in public places
- Multimedia access
- Access control
Implementation of the above security policy may be hindered by a lack of awareness and poor management. Access control privileges are critical to the security of information in an organization; information should be kept confidential, available and of the highest integrity. To overcome such issues, organizations can align with relevant standards to define and govern access rights. Industry best practices ensure that only authorized persons access only what their roles require. Likewise, the storage of passwords and account information must be clearly stipulated according to defined standards as well as existing federal and state laws.