Standard and its Impact on Information and Communication Technology - Research Paper Example

ISO 27001 Standard and its Impact on Information and Communication Technology Author Name School of Computer Science, Engineering and Mathematics - style "Affiliation" Flinders University of South Australia PO Box 2100, Adelaide 5001, South Australia John.Roddick@flinders.edu.au - style "Email Address" Abstract The need to determine information security performance is generated due to some economic, regulatory and organizational reasons. In this scenario, various available policies, rules and guidelines check performance and quality measurement generally, and information security performance measurement primarily, as a basic requirement. In addition, a large number of standards exist today in order to allow the organizations to set up their security priorities and apply measures accordingly. Additionally, there are many organizations that define these standards and guidelines. Some of these standards organizations include International Standard Organization (ISO), Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NITS). This paper presents a detailed discussion on ISO 27001 standard that is developed by ISO. The basic objective of this research is to present a detailed analysis of this standard and how this standard is being used by the companies in order to ensure the security and safety of their significant assets. Keywords: ISO, NIST, Standard, FIPS, Security, Privacy. 1 Introduction With the emergence of the new technologies and systems, there has been seen a lot of progress and developments in the Information Communication Technologies and Engineering practice. There is no doubt about the positive effects of technological developments on world’s economy as well as society. But there are a lot of undesirable and adverse effects, such as misused personal information and intellectual property, considerable monetary damages, and possible coercions to precarious structure, community security, and nationwide safety (Burd, 2006). which are sighted now a days. The information is the basic asset of businesses and in ethical terms, it can be called as the intellectual property, which must not be used without taking any authorization from the author of that information. There have been seen security breaches and misuse of private information related cases seen in Australia (Tow, et al., 2010), such as the case of Vodafone Hutchison Australia where the customer’s private information was misused (OAIC, 2013). Such incidents has exploded the strict requirements for the information security to contest the risks and uncertainties involved, as the information is essence of any business (Tarte, 2003). Employment of the Information Security or putting the information security goal into practice is not a stress-free job, it prerequisites apposite management and governance to ensure the effective security system in any organization. With respect to it, there must be a well-defined policy and standard application which should be pursued for improving the security controls (Berger, 2010). Dhillon and Backhouse (2000) have contended that in contemporary setting of society and workplaces, where the dispersed control system and excessive information sharing, the systems and technologies are more susceptible to the outer environmental alterations and dynamics (Dhillon & Backhouse, 2000). This needs to build a standard for security of information, which resulted in ISO 27001. The purpose of this report is to discuss the aims and structure of ISO 27001 as well as the impact of this policy or standards on ICT and Engineering Practice. It has two sections, where in the first section, the ISO 27001 standards ix thoroughly explained, and in the second section, the impact of these standards are discussed with respect to the ICT and Engineering practice.. 2 ISO 27001 ISO 27001 belongs to the family of ISO 27000, a part of the ISO standards. ISO 27000 provides set of rules and regulations, and guidelines to apply these rules in any organization, which make sure that the information technology is properly managed in the organization. Among these, the ISO 27001 is primarily based on the information security management system. It is grounded on the British Standards 7799. It is impersonal to the technology and any retailer or wholesaler, and an information management standard, which provides an appropriate way of governance in three portions and recommends the elements present in any successful or well-organized information security management system (ISMS). More than the guidance, it offers some important requirements which are needed to be fulfilled in order to get the certification or clearing the audit. So it explains what actually is demanded from the organization to ensure the information security, or with regard to the effective information management system (Calder, 2013). 2.1 Aims of ISO 27001 ISO 27001 standards has following aims and objectives (ISO 27001, 2005): 1. It is aimed to declare and distinct all the particulars to institute, execute, function, monitor, appraise, maintain, and enhance the ISMS documentation right in accordance with the organizations’ specific risks and threats it is facing. 2. It has also the objective of postulating the essentials for application of ‘security controls’ which is also tailored to the requirements of that specific organization. 3. The purpose of the ISMS applied in the organization is to guarantee that satisfactory and balanced security controls are chosen in order to safeguard the most critical capital of organization, which is “information”. 4. It certified that the organizational information is fully secured by fulfilling all the particulars declared in the document, thus aimed to provide guarantee to the stakeholders. 5. It is made for all kinds of organizations in spite of regarding their scope, nature, structure, and kind. 2.2 The Structure of ISO 27001 ISO 27001 has used the process approach which must be applied for the purpose of development, execution, and monitoring of the information security management system. This process approach is well-known as “P-D-C-A model”. This model is the abbreviation of plan, do, check and act, which is applied to the information security management system procedures. This process has four steps which are explained below in context of the information security management system (Calder, 2013). 2.2.1 Plan It is the planning phase for the information security management system, where the whole system is established. In this phase, the first step is to create the security policy according to the organizations’ strategic objectives. Then the objectives, processes and practices with respect to the information security management system are established. All of the planning is done in consideration with the risk management and enhancement of the information security in order to deliver the best outcomes which are right according to the international objectives and practices of the organization. 2.2.2 Do It is the execution phase in the information security management system processes. In this phase, the whole system is implemented in the organization according to the information security management system policy defined in the first phase. All controls (technical, procedural, human) are also applied in addition to the ISMS processes. 2.2.3 Check It is the monitoring and appraisal phase, where the executed policy is checked and appraised. The performance of the executed system is evaluated on the basis of information security management system’s defined policy and also assessing that the aims and objectives are met or not. In addition to this, the performance report along with the applied experience is presented to the management for the purpose of measuring the performance and review. 2.2.4 Act In this phase the system is maintained and enhanced. After a careful review of the execution phase, the information security management system is augmented by taking remedial actions and precautionary steps. Then all the risks and uncertainties are reviewed and the possible solutions are applied, and along with that the policy is updated with inclusion of new information. In this way, the information management system is updated on the continuous basis and the continuous improvement is attained. In this way, the process approach or PDCA model ensures the continuous improvement in the information security management system. The ISO 27001 is based on the four clauses from 4th to 8th clause, where the PDCA model is applied. The structure of ISO 27001 started by the general introduction, aims and objectives, as well as the explanation of the scope and application of the information security management system. In this, it is explained that the ISMS system can be applied for any organization and then normative references and basic definitions are provided in second and third clause. Following are the four clauses on which the ISO is based (ISO 27001, 2005): In the first clause, the PDCA model is required to be applied on the ISMS. The plan for the information security is established, executed, monitored and improved on the continuous basis. For establishment of the ISMS, the scope and limitations, policy according to the organizational characteristics and nature, and the risk evaluation technique have to be defined as set by the clause. The possible threats and uncertainties are to be identified according to the organizational nature, which it possibly face. The whole risk management plan is developed and then sanctioned by the management. The overall plan and implementation documents has to be evaluated and approved by the management. All the documents required for the purpose of controlling the reviews and records are defined by the clause and they are needed to be maintained. Fifth clause has the requirement of management commitment for application and evaluation of the information security management system. It is essential for the management to be involved in the establishment, implementation, monitoring and review of the ISMS, in order to ensure their commitment to the project. They must ensure the policy is in line with the organizational strategic objectives and also the appropriate communication is to be established for better implementation. Management has to provide proper resources and training budget must also be allocated as the training and development of the security personnel. Sixth clause involves the internal audit is to be accompanied to make it sure that all the requirements and essentials are met by the information security management system applied to the organisation. It is to review that the ISMS system is executed and controlled effectively or not. All the roles and responsibilities are defined and also evaluated. Seventh clause involves the management review the whole documents from start to end and compare the planned performance with the actual performance. In this clause, the management review input and output are defined and explained. At the end, the identified flaws are considered and any corrective steps are taken to combat them. Along with that the clause has also defined some precautionary measures. In this way the continuous improvement is ensured (ISO 27001, 2005). 3 Impact of this standard in ICT and Engineering The adoption of ISO 27001 has its impacts over the information communication technologies and engineering practice. There are two chief motives for which the ISO 27001 is useful and being critical to adopt. Firstly, there has been emergence of the security issues in the recent years, such as hackers hacking the accounts and collecting sensitive information, and any other misuse of the information. Secondly, there has been increase in the requirements of the regulatory frameworks for the purpose of the safety and security of information (Calder, 2013). With such security breaches, the information security policy is being demanded everywhere, such as a healthcare system also required a security policy for hospitals as argued by Wiant (2006), and it has a positive impact on the information communication technologies and engineering, as it allows a secure platform to share the information (Wiant, 2006). In addition to this, another study conducted on the law firms also resulted in the importance of security management system in the organization, as they contain a lot of sensitive information about the clients, property papers, and trading secrets (Heikkila, 2009). The ISO has provided with a beneficial framework of the information security, where the information security ISO adoption highly impacts on the ICT technologies. As the Dutta et al (2010) has argued that it ensures the network readiness, which can be defined as the extent of a country or whole nation in terms of taking benefits from the ICT technologies and the engineering practices. This entails that the information security is important for the whole nation, as the nation can get benefits from the ICT technologies if it poses no threats. Thus, the adoption of ISO 27001 can ensure the information security and the more benefits achieved from the ICT technologies (Dutta, et al., 2010; VanWessel & Vries, 2013). Moreover, the importance of cyber security is also realized for the whole country, for that purpose, the Australia has mush focused on the cyber security for national and social security. In Australia, there has been made integrated solutions for the security of the information along with the policies and proper governance (Ahmad, 2013). Therefore, these standards are important for ensuring the benefits from the ICT and Engineering. 4 How to enforce these standards? The legislation and standard of ‘good practice’ for information security is the leading influence on information security. Additionally, it ensures information security by following a company’s viewpoint, as well as offers a realistic establishment for evaluating corporate data and information systems’ security. In order to effectively implement security management standards and techniques we first need to see the nature of security issues and dangers which an organization is currently facing. In this scenario we need to assess some important security issues those need to be managed and handled through simple security solution. For the management and neutralization of serious security and privacy management aspects we need to build and implement an effective business management policy that could effectively oversee security and privacy related aspect. In this scenario, the basic aim of information security management and standard enforcement is to react against the needs of global security management associations. Another aim is to focus on developing some useful strategies for better handling and managing the security related areas. These are also aimed to imitate the majority of modern thoughts in information management and security based policy application. 5 Role of organizations Information security legislations and standards are developed by corporations’ IT managers and security administrators. In this scenario the basic aim of these people is to develop such policy that could enhance the corporate working and operational performance. Moreover, for the development of such legislations and standards for business information, data security and policy enforcement business IT manager is aimed at improving the overall system privacy and assuring the better utilization of corporate information resources. 6 Conclusion The report has presented the overview of the ISO 27001 standards which are aimed to provide the information security management system to ensure the security and safety of the most important asset of the organization that is information. The aims and structure of ISO 27001 has been comprehensively studies. The report has also provided the impact of these standards over the ICT technologies and engineering practice, where it is suggested that with adoption of the security standards, the benefits from the ICT technologies and engineering practices can be achieved far than not adopting the ISO. 7 References Ahmad, A., 2013. Cyber Security- An Australian Perspective on strategy and governance, s.l.: s.n. Berger, D., 2010. Introduction to the Management of Information security. In: D. Garza, ed. Management of Information Security. 3rd ed. Boston: Course Technology, pp. 1-36. Burd, S. A., 2006. The Impact of Information Security in Academic Institutions on Public Safety and Security: Assessing the Impact and Developing Solutions for Policy and Practice, New York: U.S. Department of Justice. Calder, A., 2013. Information Security & ISO 27001, London: IT Governance Ltd. Dhillon, G. & Backhouse, J., 2000. Information System Security Management in the New Millennium. Communications of the ACM, 43(7), pp. 125-128. Dutta, S., Mia, I., Geiger, T. & Herrera, E. T., 2010. How Networked Is the World? Insights from the Networked Readiness Index 2009–2010, s.l.: The Global Information Technology Report. Heikkila, F. M., 2009. An analysis of the impact of information security policies on computer security breach incidents in law firms, s.l.: The ACM Digital Library. ISO 27001, 2005. Information technology — Security techniques — Information security management systems — Requirements, Geneva: ISO copyright office. OAIC, 2013. Guide to information security, Canberra: The Office of the Australian Information Commissioner. Tarte, J., 2003. The Need for Information Security in Today’s Economy, Bangalore: SANS Institute. Tow, W. N.-F. H., Dell, P. & Venable, J., 2010. Understanding information disclosure behaviour in Australian Facebook users. Journal of Information Technology , 25(1), pp. 126-136. VanWessel, R. M. & Vries, H. J. d., 2013. Business Impacts of International Standards for Information Security Management. Lessons from Case Companies. Journal of ICT Standardization, 1(1), p. 25–40. Wiant, T. L., 2006. Information security policy's impact on reporting security incidents. Computers & Security, 24(6), p. 448–459. Read More