IT Security Frameworks allow organizations to align their policies, standards, and procedures to govern an IT infrastructure. For a medium-sized insurance organization, the best choice of IT Security Framework is the ISO 27000 series, as it is the most broadly applicable. The ISO 27000 series was designed by the International Standards Organization and provides a broad information security framework applicable to many different types of organizations (Granneman, 2015). The series itself is divided into sub-categories based on content, and involves a certification process in order to benefit from the best practice it contains (Kuligowski, 2009). The ISO 27000 Security Framework was specifically designed for information security matters, which benefits the medium-sized insurance organization we are consulting for. It specifies requirements for the establishment, implementation, monitoring and review, and an overall management and control framework for managing information security risks (ISO, 2016). For an insurance organization, a key guideline for implementation is ISO/IEC 27015: Information Security Management guidelines for financial services (Kuligowski, 2009). By utilizing the ISO 27000 family of standards, the company’s information will be kept secure, and the organization will gain better security of financial information, intellectual property, employee details, and other information entrusted to it by its customers.
IT Security Policy
The insurance organization will be committed to safeguarding the confidentiality and integrity of all physical and electronic information assets it has access to. The overall goals will be to: ensure compliance with current laws and regulations, maintain requirements for confidentiality, protect against information theft, motivate employees to maintain responsibility for information, ensure the protection of personal data, and comply with the ISO 27000 standards for information security (Hostland, Enstad, Eilertsen, & Boe, 2010). To maintain information security throughout the organization, the security policy will focus on confidentiality, integrity, and availability. Every user of the company’s information systems will have to comply with this policy, and violation will result in loss of access to secure information.
The owner of the security policy will be the owner of the organization itself, and he will designate his own Chief Security Officer (CSO) to be responsible for security-related documentation. A system owner will be designated to work with the IT department on the day-to-day running of the security infrastructure, including granting particular users access to information. Further, system administrators will administer the systems themselves and protect the information they hold (Hostland, Enstad, Eilertsen, & Boe, 2010).
To protect the security of information at the company, an information security policy will be enacted to ensure that users know how to keep information secure. To classify zones of access for different types of information, we will divide it into three categories: sensitive (unauthorized access can cause damage), internal (inappropriate for unauthorized access), and open (unauthorized access is acceptable) (Hostland, Enstad, Eilertsen, & Boe, 2010). Sensitive information will be kept in security zones that require specific password protection or key cards to access, and will only be available at certain times. Internal information will be kept in areas that authorized individuals can access with company-known passwords and key cards during normal office hours. Finally, open information will be kept in areas with no access restriction during ordinary office hours. System owners and administrators will be able to designate an employee’s access to these areas, and to the types of information they contain, via the company network. Employees who are given access, passwords, and key cards for specific areas are required to keep them to themselves, and to report if they suspect their credentials have been shared. No employee may grant others access to restricted areas. Further, employees should always lock their computers and rotate their passwords monthly, to ensure that there is no unauthorized access. Throughout the day, system administrators should monitor network access to ensure that unauthorized individuals are not accessing the network. If any breach of security is detected by system administrators, or if any sensitive or internal information is shared by a user with an unauthorized individual, they have the responsibility to report the breach to the system owners.
It is important that the organization complies with U.S. laws and regulations so that all information presented and signed off can be confirmed as true and unaltered. If laws and regulations are not complied with, the organization cannot become a member of such things as the stock market (Quality IT Solutions, 2016). To align with these standards, the organization must enforce employee compliance with its IT Security Policy Framework.
Business Challenges within the Seven Domains of IT Infrastructure
The seven domains commonly found in an IT infrastructure are the user, workstation, LAN, WAN, LAN-to-WAN, system and application, and remote access domains (Vincent, 2014). The User Domain covers all of the users that have access to the other six domains. Business challenges within this domain include the ability of users to access, share, destroy, and potentially alter important data. The Workstation Domain is the computer where individual users do their tasks; the challenges of this domain include the potential for software vulnerabilities or hardware failures that lead to the sharing or loss of data. The LAN Domain contains all of the workstations, hubs, switches, and routers, and faces the challenge of keeping out attacks that could pass through it to hit the entire network. The WAN Domain consists of the internet and semi-private lines. This can be a challenge in the case of major network outages or DoS and DDoS attacks on the network. The LAN-to-WAN Domain is the boundary between the trusted and untrusted zones, and is commonly filtered with a firewall. This boundary faces the challenges of keeping out attacks attempting to access the internal network, as well as managing the open ports of the firewall. The System and Application Domain consists of user-accessed servers such as email; this domain faces the challenge of being contained within a primary data center which could be attacked or corrupted. Finally, the Remote Access Domain allows mobile users to access the network remotely via VPN. This is challenging because the communication is difficult to secure, and the tunnel can be attacked and accessed (Vincent, 2014).
Implementation Issues and Challenges
Keeping the organization in compliance with industry and federal rules can be difficult due to the vast amount of technology widely available today. One of the largest challenges is ensuring the compliance of employees, and not allowing them to fall prey to threats such as phishing. To overcome this, it is important to fully educate employees on the information policy and on the methods that people may use to gain access to important information. Another implementation challenge lies in mobile devices and laptops. Accessing networks outside of the office and sharing data from these devices can be a security issue. To protect these devices, IT departments should enable remote wipe, should configure them so that only approved applications can be installed and used, and should ensure that information stored on and transferred from them is encrypted.
To develop an effective IT Security Policy, we must define high-level security goals that reduce operational risk, protect the organization against legal action for possible violations, and can be understood by all employees in their various roles within the organization. A security policy extends beyond the technical infrastructure, as the last line of defense in protecting information from outside attacks is the employees. Accordingly, employees should be educated about protecting the organization’s assets, and the policy drafted should be easy for employees to understand and become familiar with.
References
Granneman, J. (2015, July 23). IT security frameworks and standards: Choosing the right one.
Hostland, K., Enstad, P. A., Eilertsen, O., & Boe, G. (2010, October). Information Security Policy Best Practice.
ISO. (2016). ISO/IEC 27001 – Information security management.
Kuligowski, C. (2009). Comparison of IT Security Standards.
Quality IT Solutions. (2016). The Importance of Information Security Compliance.
The ISO 27000 Directory. (2013). An Introduction to ISO 27001, ISO 27002….ISO 27008.
Vincent, S. (2014). Business Challenges Within the Seven Domains of IT Responsibility. Retrieved from ITS 305 – Security Policies and Auditing.