Information Security Management Standards - Report Example

System Security Plan

Introduction
In a world where there are more security threats to information, there is an increased need for investment in and implementation of security controls in an organization. Having appropriate security controls in place can be of great benefit to the assets and operations of an organization (NIST, n.d.). There are three types of security controls, namely operational security controls, management security controls and technical countermeasures or safeguards. All three work together in an organization's information system to ensure that the availability, integrity and confidentiality of the system, together with all the information stored in or passed through it, remain intact (Alghananeem, 2014). My organization seeks to boost the security of its information system against hackers and other potential threats from both within and outside the organization. My organization is a telecommunication company providing mobile and data services. The amount of personal information that passes through our systems every day is enormous. Many distributed systems spread across the many departments in our company depend on the mobile phone network in many ways. This forces the organization to refresh its information security systems every so often to ensure that the system is not compromised (Humphreys, 2008). This paper shall discuss the system that my organization has settled upon, highlighting all its features and how this new security plan will ensure that the organization does not lose data or have it distorted through an invasion or crashing of the system.

1. SYSTEM IDENTIFICATION/SCOPE OF ASSESSMENT

1.1 System Name/Title/Unique Identifier
The security system that our organization decides to implement should be able to support the amount of data passed through it every day, while at the same time protecting all the information in it from access by unauthorized persons. To that effect, the organization funded research into the most appropriate information security system, with all the desirable security features. In order to assess the level of vulnerability of the system, the organization selected the most suitable system. The selected system is RA-5. RA-5 belongs to the Risk Assessment family and falls under the Management class (Tiller, 2006).

1.2 Security Categorization
In recognition of the fact that the security categorization plays a major role in guiding the comprehensiveness and frequency of vulnerability scans, we categorized the security system as high priority (Kim & Solomon, 2012).

1.2.1 Information System Type
The type of information system is a management information system. This is because the information within the organization that is essential to the management's important decisions, and its storage, will be analyzed and examined to ensure that its safety from access by unauthorized individuals is guaranteed. All the data in the possession of the company will be safely filed after the assessment (Humphreys, 2008).

1.2.2 Scope of Assessment
The information security system assessment that the company has adopted will assess all areas within the organization's systems that are considered to be points of vulnerability. The assessment will cover the physical aspects and the systems run by computer software, to ensure that all the vulnerable areas are identified and the appropriate security measures can be implemented (Saeed & Pejasi, 2005).

2. MANAGEMENT CONTROL
Management control is one of the three security control classes. Management control is about the steps that the management can take to ensure that the information system of the organization remains secure.
Management control requires managers and other stakeholders in their respective positions to instill in the organization policies that will regulate the use of the information security system, with the aim of limiting instances of misuse. Further, in industries with higher chances of attack, the management needs to pass and implement measures to protect the system from external attacks. For our organization, there are several steps that the management undertook, as shall be discussed later in this paper.

2.1 Selected Control
The management security control that was appropriate for the organization was Risk Assessment. Risk assessment allows the organization to perform tests so that it can detect the areas that are most vulnerable to attack or collapse. In that case, research on the system and an audit have to be performed. It is through the audit that the management will know the requirements of the system, in particular the areas that need to be replaced and those that need further support (Tiller, 2006).

2.1.1 Family Control #1
The first family control is scanning for vulnerabilities. Scanning for vulnerabilities initiates the process aimed at ensuring the security of the information security system (Humphreys, 2008). The importance of scanning the system for vulnerabilities lies in the fact that it identifies the weaknesses in the system before any other security steps have been taken. Vulnerability scans can be done regularly on a schedule or at random. The management decides when to undertake scans of the entire system. In the event that vulnerabilities are detected, they are reported. At this point, the management may decide to employ techniques and tools that can scan for vulnerabilities (NIST, n.d.). The techniques and tools that are used will detect flaws in the software and improper configurations, and enumerate platforms. Further, they will measure the impact that the vulnerability has on the system, aside from formatting the system and constructing transparent test procedures and checklists (Kim & Solomon, 2012). The techniques and tools employed then analyze the reports and results from the assessment of security controls. They will then remediate the vulnerabilities that the analysis determines to be legitimate, based on the risk assessment of the organization. The information obtained from the entire process of scanning for vulnerabilities and assessing security controls is then communicated to the relevant personnel in the company, to assist in the elimination of similar vulnerabilities in all the other information systems run by the organization (Alghananeem, 2014). The vulnerability scans need to be comprehensive and occur frequently. The analysis of vulnerabilities in applications and custom software may need additional and specialized approaches and techniques. Tools such as source code reviews, web-based application scanners and source code analyzers will be essential. Scanning for vulnerabilities involves searching for certain protocols, ports and services that devices or users should not access, and for information flow mechanisms that are either operating incorrectly or improperly configured (NIST, n.d.). The organization may consider employing tools that express vulnerabilities in the CVE naming convention, along with those that use OVAL to examine the system for any vulnerabilities that may exist. Other sources of information on vulnerabilities in an organization's information security system are the NVD and the CWE. The organization can also use assessments of security controls, such as red team exercises, as a source of information on potential vulnerabilities (Saeed & Pejasi, 2005).

2.1.2 Implementation Status
This control has been implemented by the organization. All the areas of vulnerability have been identified; therefore the organization will need to act on the recommendations arising from the scan. The organization's management ensured that the scan for vulnerabilities took place as per the regulations of the organization after detecting weaknesses in the information security system.

2.1.3 Control Implementation
The organization, after the detection of the areas of vulnerability, decided to employ tools that would scan for vulnerabilities in the information security system of the organization. These tools had the capability to regularly update and inform the relevant personnel on the list of the vulnerabilities found in the information systems that have undergone a scan. The organization then updates the data on that list in its database. The procedures that the organization employed to scan for vulnerabilities were those proven to scan deep into the system and across all the information systems that the organization runs (Chew, 2008). After that, the organization made an effort to discern the information in the information security system that unauthorized parties could discover. The organization then employed tactics that assist in the security of the information security system, such as privileged access authorization. Privileged access authorization involves limiting access to some documents in the system to selected employees in the organization; limiting access to a few individuals reduces the chances of misuse of the system or access by malicious people from within or outside the organization (NIST, n.d.). This made the selected vulnerability scanning activities more thorough. The organization also used automated mechanisms to compare the results of vulnerability scans against previous scans. This was important in the determination and assessment of trends in the vulnerabilities in the information security system (Kim & Solomon, 2012).
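The three mechanical parts of this control, checking that reported identifiers follow the CVE naming convention so they can be matched against NVD or OVAL content, flagging ports and services a host should not expose, and comparing one scan run against the previous one to see which findings are new, fixed or persisting, can be shown in a short script. This is an added example and is not part of the original report or of any tooling the organization used; the two scan runs, the host names, the CVE identifiers (placeholders with the year 2099) and the permitted-ports baseline are all constructed for the illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# CVE naming convention used by NVD: "CVE-", a four-digit year, "-", four or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    """One line of a vulnerability scan report (constructed schema, not a real scanner's)."""
    host: str
    port: int
    service: str
    cve: str       # "" for a configuration finding that carries no CVE id
    severity: str  # assumed scanner scale: "high", "medium" or "low"

    @property
    def key(self) -> tuple:
        """Identity used to match the same finding across scan runs."""
        return (self.host, self.port, self.cve)


# Constructed sample data: a previous run and the current run on two hypothetical hosts.
# The CVE ids are placeholders (year 2099), not real entries.
PREVIOUS_SCAN = [
    Finding("bill-db-01", 1433, "mssql", "CVE-2099-0001", "high"),
    Finding("bill-db-01", 3389, "rdp", "", "medium"),
    Finding("web-01", 443, "https", "CVE-2099-0002", "medium"),
]
CURRENT_SCAN = [
    Finding("bill-db-01", 1433, "mssql", "CVE-2099-0001", "high"),  # still open
    Finding("web-01", 443, "https", "CVE-2099-0003", "high"),       # newly reported
    Finding("web-01", 23, "telnet", "", "high"),                    # service outside the baseline
    Finding("web-01", 80, "http", "cve-2099-3", "low"),             # id not in CVE format
]

# Assumed policy baseline: the ports each host is permitted to expose.
ALLOWED_PORTS = {
    "bill-db-01": {1433},
    "web-01": {80, 443},
}


def malformed_cve_ids(findings) -> list[str]:
    """Ids that break the CVE naming convention and so cannot be matched against NVD or OVAL content."""
    return [f.cve for f in findings if f.cve and not CVE_ID.match(f.cve)]


def unexpected_exposures(findings, allowed) -> list[tuple[str, int, str]]:
    """Ports/services a host exposes that the baseline does not permit."""
    exposures = {
        (f.host, f.port, f.service)
        for f in findings
        if f.port not in allowed.get(f.host, set())
    }
    return sorted(exposures)


def scan_trend(previous, current) -> dict[str, list[tuple]]:
    """Compare two runs: findings that are new, that were fixed, and that persist."""
    prev_keys = {f.key for f in previous}
    cur_keys = {f.key for f in current}
    return {
        "new": sorted(cur_keys - prev_keys),
        "fixed": sorted(prev_keys - cur_keys),
        "persisting": sorted(cur_keys & prev_keys),
    }


def severity_counts(findings) -> dict[str, int]:
    """Open findings per severity, the figure a trend report would carry to the responsible staff."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    trend = scan_trend(PREVIOUS_SCAN, CURRENT_SCAN)
    for label in ("new", "fixed", "persisting"):
        print(f"{label}: {trend[label]}")
    print("unexpected exposures:", unexpected_exposures(CURRENT_SCAN, ALLOWED_PORTS))
    print("malformed CVE ids:", malformed_cve_ids(CURRENT_SCAN))
    print("open findings by severity:", severity_counts(CURRENT_SCAN))
```

Matching findings on (host, port, CVE id) rather than on the scanner's own row numbers is what makes the trend stable across runs; a finding whose identifier is malformed is reported separately because it would otherwise count as "new" on every run and never be reconciled with the vulnerability databases.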
2.2.1 Family Control #2
The second family control selected by the organization was Risk Assessment Update. These are measures taken by the organization to get notifications of significant changes in the system. Further, the management gets regular updates on the facilities that accommodate the system and any other conditions that may have an effect on the system.

2.2.2 Implementation Status
The implementation of the controls has increased knowledge of the areas in the information security system that are vulnerable to attacks (Mouratidis & Giorgini, 2007). Further, the organization was able to determine the information stored in the information security system that hackers and other malicious individuals may seek to access. The organization was also able to implement measures to further protect the information security system, such as privileged access authorization to restrict access to some valuable information to a selected few individuals within the organization. The organization was also able to detect unauthorized software in its information security systems. The organization then set up an independent penetration team to analyze the vulnerabilities in the information security system, to perform penetration testing based on that analysis, and to determine the likelihood of the information security systems being exploited (Saeed & Pejasi, 2005).

2.2.3 Implementation of Control
The organization has introduced the use of software to protect the parts of the hardware that support the system, to reduce the chances of the security system collapsing under attack. This is considered a preventive measure. In addition, the organization has acquired anti-spyware software and customized antivirus software to enforce the security of the information system. The antivirus and anti-spyware are set to update themselves automatically.

3. TECHNICAL CONTROL
The technical control involves the technical aspects of ensuring that the information security system remains secure. The details of the technical control procedures adopted are discussed in this section.

3.1 Selected Control
The organization selected Communications and System Protection procedures and policy because it was the most appropriate technical control for the company.

3.1.1 Family Control #1
The first family control adopted by the organization was the development and dissemination of policies concerning the security of the organization's information security system. The organization set out to discuss and come up with a formal, documented policy to guarantee the security of the information system. The policy that the organization designed addresses the roles, scope, commitment of the management, compliance, purpose, responsibilities and the coordination among the entities of the organization in support of the security of the information security system (Bowen, Hash & Wilson, 2006). In addition, the policy adopted by the organization concerning information security was intended to formalize and document the various procedures that the organization settled on, to assist in the full adoption and implementation of the communications and system protection policy and the associated controls regarding systems and communications protection (NIST, n.d.).

3.1.2 Implementation Status
The intention of this control was to produce the procedures and policy that the organization needed in order to implement the selected control enhancements and security controls in the communications and system protection family. The procedures and policy employed by the company were in accordance with Executive Orders, policies, standards, federal laws, directives, guidance and regulations concerning the security of the information system.
The procedures and policies that existed in the organization were supplemented by additional specific procedures and policies in order to further ensure the security of the system. The organization developed the communications and systems protection procedures for implementation across the entire security program and, in some instances, for a specific information system (Saeed & Pejasi, 2005).

3.1.3 Implementation of Control
The organization came up with articulated measures to improve the security levels so that cases of vulnerabilities in the information security system can be kept to a minimum. It is imperative to note that the vulnerabilities noted within the information system prompted the organization to take additional measures to secure the system (Chew, 2008). The policies that the organization adopted and implemented decreased the chances of a breach of the information security system by both employees of the organization and unauthorized persons from outside the organization. The management of the organization believes that the policies developed for the security of the entire information system of the organization will serve the purpose for which they were passed.

3.2.1 Family Control #2
The second family control was the reviewing and updating of the policies that the organization had put in place for the security of the information system. As the audit revealed, the procedures and policies that the organization had formulated had not done enough to ensure that the information security system remains secure. This deduction was reached after the assessment of the vulnerabilities in the information system. The organization faced the need to develop better policies to further improve the measures it desired to take to ensure the security of the information security system, since some of the old policies in place were outdated and as such could not guarantee the security of the information security system (Mouratidis & Giorgini, 2007).

3.2.2 Implementation Status
The organization passed and enacted all the procedures and policies proposed for the improvement of the security levels. Since the enactment of the procedures and policies, the system has been able to detect any malfunction of the system and any intrusion activity, and to communicate this information to the relevant individuals. Upon receipt of such information, the designated employees have been able to act in time to prevent access to the system by unauthorized individuals from both within the organization and outside (Alghananeem, 2014).

3.2.3 Implementation of Control
After the implementation of the policies, the information security system was secure. The policies continue to guide the usage of the information security systems, prescribing strict rules over the sharing of confidential data on the information network. Further, the organization employed other measures to improve the security of the information system. These measures include the restriction of access to confidential information on the system to a few selected individuals. These individuals are entrusted with the security and operations of the information system (Saeed & Pejasi, 2005).

4. OPERATIONAL CONTROL
Operational controls consist of the auxiliary measures that the organization can implement so that the security of the information system is a matter of concern to all the employees within the organization. These controls are embedded in the operations of the organization, such that almost every action undertaken by any employee of the organization is directed towards ensuring the system's security (Tiller, 2006).

4.1 Selected Control
The operational control that the organization found necessary to implement was Training and Awareness. This control was preferable to the organization because it was in line with the policy of inclusivity in the achievement of the organization's goals (NIST, n.d.).
All employees of the organization may need to use the information system at some point in their engagement with the organization. Therefore, it was prudent for the organization to train some of its employees on the best practices that will ensure that the system remains safe.

4.1.1 Family Control #1
The first control was the development and dissemination of policies regarding the creation of awareness among the employees and their training on the security of the information system. The organization decided to form guidelines for the training of the employees to ensure that all employees conformed to the security measures that the organization wanted to implement as they undertook their duties at the organization (Bowen, Hash & Wilson, 2006). The management viewed the creation of awareness as an important activity because the employees needed to understand the situation the information security system was in, as well as each of their contributions towards the security of the system. Further, the employees in the organization were to be trained on the way the information security system operates and the measures that every employee was required to take to protect the system. In that regard, the organization developed a training schedule for all employees who use the information system at all levels of management (Mouratidis & Giorgini, 2007).

4.1.2 Implementation Status
The policies guiding the creation of awareness and training for the organization's employees are currently being implemented. Some of the employees have already received training on information security while others await their training, which will occur as scheduled.

4.1.3 Implementation of Control
The training of employees on the security measures necessary for the protection of the information security system was fully adopted and is currently under implementation. Even so, the system is already more secure, with more employees using the information system with more care.

4.2.1 Family Control #2
The documentation of the procedures that will ensure that employees are trained as a matter of policy was the second family control. Since the organization would reassess the information security systems repeatedly, the employees would need training on the newly adopted security measures (Chew, 2008). In that regard, the management saw the need to create policies guiding the creation of awareness and training for employees who use the information system.

4.2.2 Implementation Status
The creation of policies is under implementation. It serves as the guiding policy for the training of employees in the organization (Tiller, 2006).

4.2.3 Implementation of Control
Employees are receiving training and are being made aware of the new measures that the organization is taking concerning the security of the information security system. The result of the training is evident from the manner in which the information security system is being used. The system is more secure and reliable.

5. CONCLUSIONS/RECOMMENDATIONS

5.1 Results of Assessment
The organization noted weaknesses in the information security system. These vulnerabilities arose both from within the organization and from outside sources.

5.2 Recommendations
The organization should restrict access to data stored in the information security system to only a few relevant individuals (Mouratidis & Giorgini, 2007). This will help in avoiding instances where the organization loses vital information either through negligence or through theft. The organization should have the employees in charge of information security coordinate security activities such as resetting passwords to the system and updating the software used to secure the system. The organization should also invest in web-based security tools operating as a network within the organization.
Web-based security tools that the organization chooses to employ should guarantee timely notifications of threats to the system, to enable quick response and mitigation of the effects of an attack (NIST, n.d.). These tools should also undergo regular monitoring and testing to ensure that they operate optimally and continue to guarantee the security of the system. In addition, the organization should review its information security systems regularly to ensure the timely detection and removal of harmful or weak software before it exposes the system to unauthorized access (Bowen, Hash & Wilson, 2006). The organization should invest in anti-spyware and antivirus software that update automatically, so that even when the relevant employees fail to perform the updates, whether on purpose or by accident, the system can remain secure. The organization needs to train its employees on basic security measures such as the encryption of sensitive information about employees, especially when such information is transmitted through the system. This training will serve to prevent instances where unauthorized individuals readily interpret data when they gain access to it. Employees also need constant reminders to use strong passwords to protect their accounts and the entire system. Another recommendation is the application of audit or oversight procedures to ensure timely detection of information theft or unauthorized information disclosure. These procedures include keeping activity logs on the network and using an updated system that detects intrusions and alerts the relevant authorities to attacks. Others are monitoring information transfers in and out of the network while checking for compromises, and inserting a dummy account into every list of customers and monitoring that account for unauthorized transactions.

References
Alghananeem, K. M., Altaee, M. A., & Jida, B. K. (2014). The Impact of the Goals of Information Security Standards to Ensure Information Security. Journal of Management Research, 6(2), 74.
Bowen, P., Hash, J., & Wilson, M. (2006). Information security handbook: A guide for managers. Gaithersburg, MD: U.S. Dept. of Commerce, Technology Administration, National Institute of Standards and Technology.
Chew, E. (2008). Performance measurement guide for information security (Rev. 1 ed.). Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.
Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255.
Kim, D., & Solomon, M. (2012). Fundamentals of information systems security. Sudbury, Mass.: Jones & Bartlett Learning.
Managing information security risk: Organization, mission, and information system view. (2011). Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.
Mouratidis, H., & Giorgini, P. (2007). Security Attack Testing (SAT): Testing the security of information systems at design time. Information Systems, 32(8), 1166-1183.
Recommended Security Controls for Federal Information Systems and Organizations. (n.d.). Clayton. Retrieved September 20, 2014, from http://www.clayton.edu/Portals/604/InfoSec/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Saeed, K., & Pejasi, J. (2005). Information processing and security systems. New York: Springer.
Security and Privacy Controls for Federal Information Systems and Organizations - Special Publication 800-53 Revision 4. (n.d.). NIST. Retrieved September 20, 2014, from http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
Tiller, J. (2006). Virtual Security: The New Security Tool? Information Systems Security, 15(3), 2-4.