Free ISO 27002 Essay Sample
ISO 27002 essentially refers to a number of information security controls that illustrates the "best practices in information security" (ISO 27000 Directory, 2010). Derived from the 17799 standard, ISO 27002 is required to be selected while executing a security strategy. The genesis of 17799 standards can be traced from the 'code of ethics' that were published by the DTI in UK, a document which was later published as BS7799-1. It was from this document that we got ISO17799. The resultant document from ISO17799 publication was republished as ISO17799 subsequently updated in 2005(ISO 27000 Directory, 2010). What we have today as ISO27002 was realized in 2007 after these processes characterized by publication and republication that I have just enumerated.
Normally, ISO 27002 controls which are essentially a reflection of 17799 have been structured into sections in the ISO 27002 volume. The twelve sections comprise of; risk management and treatment, security policies, organization, asset management, Human resource, Communications and operations, Physical & environmental, access control, BCM, compliance, IS incident management, and information systems development, acquisition, and maintenance(ISO 27000 Directory, 2010). In this paper I will only be discussing two of these sections namely; security policies and access control.
The importance of the IT infrastructure and information to any organization can not be gainsaid. This is essentially the main reason why organizations the world-over finds it necessary to devise and implement proper security policies that they wish to apply in protecting their IT infrastructure and information. Any single security policy requires not only to be complete but also up-to-date and consistent with the organization's needs (Wallace, & Webber, 2006). They (security policies) should also mitigate the entire range of risks that an organization might be facing while still determining the most effective and efficient controls. In order that organization can secure their information organizations are advised to adopt the so-called ISO 27002 information technology - Code of Practice for Information Security Management'.
The reason for this is because these codes offers fantastic framework for the creation and execution of a corporate programme for protecting and preserving information asset (Wallace, & Webber, 2006). Security policies essentially establish standards and guiding principle for accessing the firm's information and application systems. An important aspect of an information security policy is that it assists the communication of security processes to users thereby making them comparably more aware of probable security threats and related risks (Wallace, & Webber, 2006). The moment the information security policy has been created it requires not only to be established in the organization but equally important, to be enforced, otherwise it will not make any sense developing these guiding principles and then failing to make use (enforcing) of them in the organization.
It is mandatory that each of the security policies that have been developed by an organization not only be complete but also up-to-date and representative of the needs of the organization (Solms, & Solms, 2009). The security policies ought to mitigate the risks that the organization faces and their respective controls. After developing and putting in place the set of security policies to guide in protecting its IT infrastructures and information, an organization require to communicate them to the entire staff in order to ensure that all members making up the staff body have an in-depth understanding of these security policies and what is required of them as far as they are concerned.
Factors to consider when implementing security policies:
There are a number of factors that an organization ought to consider when implementing the security policies that it has developed. First, the organization ought to understand that the transmission of a virus does not only affect the system of the recipient but also has the potential of damaging the organization's reputation in a major way (Whitman, & Mattord, 2009). Secondly, sending email through the internet and other insecure public lines can greatly compromise the integrity and the confidentially of the information that is being transmitted, something that can be likened with a post card which basically can be accessed by virtually everybody (Whitman, & Mattord, 2009). Thirdly, confidential files might be conveyed through the internet by attaching them in emails thereby violating confidentiality and possibly leading to losses. Fourthly, relying upon messages from the email is normally not advisable simply because from a legal perspective such messages are normally not authenticated (Whitman, & Mattord, 2009).
Personal email message sent by an individual to another either within or out of the organization through it system, might ends up being construed as coming from the organization and thereby resulting in serious information security concerns (Kelley, et al, 2009). Correspondence that has been sent from a mail box of an individual within the organization could probably be considered personal, thereby preventing the organization from reviewing or inspecting them. Lastly, transmitting a copy or two of a file to a fellow workmate or colleague on your network, not only brings about unnecessary duplicates but also compromises the reliability of the original file or document (Kelley, et al, 2009).
Security policies just like any other set of policies in any other setting require to be applied in a certain way for them to achieve the required results. In the case of information security policies there is a way they are supposed to be applied in the workings of the organization for them to protect it from inadvertent or intentional violation of information security. It is in this regard that an organization need to craft the so-called Acceptable Use Policy, which is better and more effective if it is prepared by a consortium of several stakeholders within the organization, top among them being; the IT department, security staff, and the legal department(Calder, & Watkins, 2010).
This acceptable use policy should address a number of issues. First, it should try as much as possible to limit the vicarious liability for anything illegal, through either omission or commission, on the organization (Calder, & Watkins, 2010). This vicarious liability might emanate from libel, violation of confidentiality, or any illegal content. The Acceptable Use Policy ought to state clearly that any breach of any law or even contract is forbidden. The policy also needs to touch on issues of offensive material so that it can cushion the organization from any litigation that might emanate from racial or sexual harassment (Calder, & Watkins, 2010). The Acceptable Use Policy also ought to address issues to do with confidential information and the distribution of intellectual property (Calder, & Watkins, 2010).
For an Acceptable Use Policy to be good it requires to incorporate a number of elements. First, it should prohibit any watching pornography whatsoever. This is because internet can be used to download pornography instead of using it in the right manner (Calder, 2009). The effect of this habit might be devastating to the organization in terms of time wasted, distraction from the core duties and responsibilities, and the likely court cases of sexual harassment that might be induced by continued watching of pornography. Second, employees need to be advised on how to protect their privacy consistently, either through deleting personal email always or through other means (Calder, 2009).
There is always a tendency to leave personal email undeleted which is one of the surest ways of compromising individual privacy in an organization. The next element has to do with the restriction that an organization requires to place on the storage of emails. The organization is also required to implement archiving of all email messages that are considered important to an organization (Calder, 2009). Organizations also need to place a rule requiring personal message to only be opened when dealing with a particular complain that is likely to be settled or addressed in one way or the other with that opening of a rather closed and personal message (Calder, 2009).
The acceptable use policy should clearly put across a strict restriction on any personal use of the organization facilities. And because this automatically restricts any use of organizations facilities to strictly business use, it is important that it state clearly all the use that qualifies in this category (Calder, 2009). It should also go ahead to state the punishment that is likely to be meted out on anybody caught contravening this rule. The Acceptable Use Policy should also state the limit of organization in monitoring personal internet communication or email. This is especially important because there are some employees who might contest this action terming it as intrusion of privacy. Lastly, employees should be accorded a chance to give explanation on their actions. This is important because it enables an employee to feel that justice has been done even in cases where he or she has been found to be in the wrong.
Just like I mentioned enforcement is as important as the existence of the so-called Acceptable Use Policy. Because there is always a possibility of employees failing to follow certain elements that I have enumerated, the management of the organization requires to crack the whip whenever such a violation occurs. In such incidents the management requires to be guided by this Acceptable Use Policy in punishing or even in extreme cases, dismissing employees who might have gone against this clearly-stated Acceptable Use Policy. In order to be sure that the security policy has the capacity to be relied on in the circumstance that I have enumerated the security policy ought to be consistent with a number of policies that I have enumerated below.
Requirements of the security policy:
First, the security ought to be in writing (NetVision, 2011). The essence of the policy being in writing emanates from the fact that being in written form it can be referenced at any time. Communication of the security policy to the whole range of the staff in any organization is another important requirement of the security policy (NetVision, 2011). The absence of proper communication in any organization normally opens the floodgates of violation of security policies after they have been formulated. Another important measure that should be undertake in order to reduce conflict with employees as far as adhering to security policies are concerned is to set out in advance the permissible uses of the internet and the email (NetVision, 2011). This way there will never be an excuse from any employee to the effect that he or she was never informed of the permissibility or lack of it.
Acceptable online behavior is another thing that requires to be set-out from the out-set in order to check any untoward behavior in course of accessing the internet. For instance, the management might prohibit any access to pornography from the organization's internet. Privacy rules ought also to be defined from the out-set which just like acceptable online behavior preempts any untoward behavior that is likely to occur (OWASP, 2009). It is also extremely valuable to provide a statement of the monitoring that the organization intends to be undertaking (OWASP, 2009). This is important because anytime any employee is caught engaging in any untoward or unethical behavior he or she will not claim not to have been aware of the existence of monitoring.
In the same breath the organization requires to stipulate clearly the probable disciplinary action(s) that are likely to befall a person who is caught contravening these acceptance use policies. As we have observed all information security policies ought to conform to the ISO 27002 standards, simply because this standard offers best practice recommendations that can be used in the management of information security. Let's look at several policies that are based on this standard (ISO 27002) which can be used to develop a security policy for any organization, or the so-called security policy template.
Information Security Policy - 5.1:
Information security policy - 5.1 is essentially a security policy of high level which has been supplemented by extra security policy documents that offer exhaustive policies and guidelines involving specific security controls (Ruskwig, 2011).
Email Acceptable Use - 7.1.3
The main reason why an organization provides access to email to its staff members is basically to enable them communicate effectively and efficiently amongst themselves, other organizations, or even other partner organizations, in course of their day to day duties and responsibilities (Ruskwig, 2011). In this regard that this policy has been developed and especially to guarantee effective and efficient time use, while preventing any illegal improper email use.
Internet Acceptable Use - 7.1.3
The provision of internet to the staff of any organization is informed by the need to assist them in course of their day to day duties. Through internet the staff members can be able to access the wide range of information that is available in the web, they can also communicate with other people both within and out of the organization (Ruskwig, 2011). It is in this regard that this policy has been developed and put in place in order to guarantee effective use of time, and to prevent and illegal and improper use of the internet.
Secure Extranet Acceptable Usage - 7.1.3
A secure extranet basically refer to a Wide-Area Network (WAN) that is secure and which guarantees secure communication between organizations that might be linked to the WAN (Ruskwig, 2011). Staff might be allowed to have access to the secure WAN (extranet) in order to assist them in their assignment. In this case they might be allowed access to organization's email facility. However, members of staff have to be made to not only read but also understand the Acceptable Usage Policy.
Working In a Foreign Country - 7.1.3
This policy looks at the staff use of equipment of the organization in a foreign nation together with access to the organization's information while in that foreign nation (Ruskwig, 2011). The sensitivity of the threat of the organization information or data being intercepted or stolen in a foreign country can be gainsaid. This is the reason why this policy ought to not only apply to all staff members but also be observed strictly.
Information Backups - 10.5.1
This policy essentially describes the strategy that an organization can use to backup its information and also its software application systems (Ruskwig, 2011).
Infrastructure Hardening - 12.6.1
Hardening basically refers to the process of protecting the system through minimizing its surface of susceptibility (Ruskwig, 2011). Naturally, the more function a certain system performs, the larger its surface of susceptibility. The best way to reduce the possibility of an attack is by removing any software, services or user accounts that are not only unrelated but also needed by the planned system functions (Ruskwig, 2011). The possibility of attack can also be reduced further by obfuscation, which simply involves making it harder for the potential attacker to recognize the system that is being attacked.
Technical vulnerability and patch management - 12.6.1
The major objective of this policy is to keep all those components that makes-up the organization's information technology infrastructure up-to-date with the most recent updates and patches (Ruskwig, 2011). This policy basically illustrates the procedures that need to be adopted for vulnerability and patch management.
Reporting Information Security Incidents - 13.1.1
This policy defines the right procedure of reporting an incident of information security.