
Information Security Management System at the National Mineral Company - Case Study Example


Scope

The ISO/IEC 27000 provides specific guidelines for the establishment, implementation, maintenance and improvement of an organization's information security management. ISO/IEC 27000 also provides guidelines for handling risks associated with an organization's information. The generic nature of ISO/IEC 27000 makes it applicable to all types of organization.

Normative References

This entire document or parts of it are normatively referenced and are essential for application. The citation of the following document, and any future amendment to it, applies: ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Terms and Definitions

For the application of this document, the stipulations and clarity provided in the ISO/IEC 27000 apply.

Context of the Organization

1. Vision

The National Mineral Company stands as the recognized storehouse of all information related to mineral resources. Building on this advantage, the company aims to deliver quality services to the mining industry, including its various investors, stakeholders and the public. The National Mineral Company also aims to increase electronic access to all information and to give high status to employees' interests and development.

2. Mission

The National Mineral Company has a mission to establish stewardship of all the minerals in the United Kingdom. The goal is to be attained by expanding development opportunities through exploration, documentation and extraction. In addition, the National Mineral Company seeks to support increasing investment in the mining industry.

3. The National Mineral Company

Mining is an important economic activity in many parts of the world, including the United Kingdom. The mining industry is often a very complicated venture characterized by exploitation and dominance. Small ventures may find it challenging to engage in the mineral business and earn a reasonable profit.
Connections, regulation of activities, and instrumental policies and laws are needed to provide an equal footing for all ventures in the mineral business. The National Mineral Company is one of the top companies based in the United Kingdom. The company acts as the custodian of the entire mineral and mining industry in the United Kingdom. The custodian duties involve authority over and control of mineral resources within the boundaries of the United Kingdom. The National Mineral Company provides direct employment to an estimated 20,000 people who live within the various districts that practice mining. The duties of the company are mainly co-ordination and regulation.

Specific objectives of the organization

Specific objectives provide the operational grounds of the National Mineral Company. The objectives are an important baseline for understanding the range of information that the National Mineral Company requires.

The company ensures compliance and consistency by all mine operators, guided by the mining legislation. By the year 2017, the company aims to achieve new heights by approving codes of practice and guidelines. Currently, 50% of miners in the U.K. comply with the legislation that governs the mining sector, the environment and other related laws. The National Mineral Company aims to continuously support the industry in technical matters by the year 2016. Working relations and occupational welfare are another area of interest for the company. The National Mineral Company aims to improve working relations across its various duties and mandates by the year 2015. The National Mineral Company targets the establishment of fair, transparent and relevant laws that promote investment, control mineral operations and prevent environmental contamination by the year 2017.
The final prospect of the National Mineral Company is to develop standard operating procedures that guide the various operations in the technical division and ensure conformity with the Company Act 1979, the Mining Act 1989 and the Mining Regulation. The standard operating procedures are to be attained by the year 2017.

Inventory of National Mineral Company's assets

The National Mineral Company has a range of information assets that can be classified into two major categories: tangible assets and intangible assets. All the information assets are located in the headquarters of the company, and each has its confidentiality, integrity and availability categorized as high, medium or low. Thirty-nine information assets can be identified in the company, providing services in various departments that include management (LM), human resources (HR), information technology (IT) and finance (FN).

The assets that belong to the LM department include the mineral property management system, the customer records database and the LM file share. All of these are intangible assets. The one tangible information asset owned by LM is the LM desktop computer.

The human resources department owns three intangible assets: the employee record database, the HR file share and the human resource management system. The department also owns tangible assets that include the HR desktop computer and company contracts.

Intangible assets within the information technology department include the IT file share, intranet web content, the Windows operating system, the antivirus security center application, the cartography application, the Windows office suite application, the Microsoft SQL application, the Active Directory database and the e-mail system.
The tangible assets within the IT department include the APP server, file servers, DC servers, database servers, the backup server and tape unit, the e-mail server, the web server, IT laptops, wireless routers, endpoint threat protection, core switches, network cabling and the data center room.

The finance department also has tangible and intangible assets. Intangible assets owned by the finance department include the payroll database, the FN file share and the payroll system. The tangible assets owned by the finance department include the FN desktop computer and the cash register.

The National Mineral Company also has an additional asset owned by the board, namely the building.

Scope of the Organization's Information Security Policy

The National Mineral Company in the United Kingdom has a well-established security policy that is consistent with the current ISO certification of ISO27001:2013 (International Financial Data Services. pp 6). The company intends to develop security standards that are applicable to the Information Security Management System (ISMS). The information security policy of the National Mineral Company aims to improve the confidentiality, integrity and availability of all mineral industry information held by the company.

The security policy scope includes 14 domains numbered from A5 to A18. The domains include information on security policy, organizing of the security policy, information on assets and human resources management, information on physical and environmental security, communication, access control of information, and acquisition of information and maintenance. Other areas include incidents that require information security management, business progress management and compliance information. Each of these domains includes control objectives that state the goals and complementary controls that provide the means by which the goals can be achieved.
In addition, all associates of the company's information security are mandated to maintain information security on the desktops, servers and networks. Any weakness in information security must be accounted for and addressed promptly and effectively.

Several principles govern the scope of the security policies adopted by the National Mineral Company (Perkins pp 6). The information security principles require classification of information into various levels of confidentiality, availability and integrity. The classification should adhere to the various regulations and requirements for the operation of the National Mineral Company. The company's staff should include information personnel who enable the classification of information.

Information security is also governed by a principle that demands information be available to all who are authorized to access it, unless altered by the company's management. Unauthorized personnel and other people should, however, have no access to secured information. For instance, sensitive information relevant to top management in critical decision-making processes has security restrictions. Junior staff not tasked with managerial roles have no access to such information.

All processing of the company's information has to follow standard processes that consider the various classifications established internally. Any breach of the policy's demands or recommendations is to be reported quickly to the relevant authority. Such quick action ensures that the relevant authority within the organization finds a solution to emergent issues.

Methods and techniques of inquiry

The National Mineral Company is destined to operate over a wide area within the boundaries of the United Kingdom. The wide area of operation implies that the company will handle large volumes of data and information. The methods of inquiry involved research that established the necessity of a well-established ISMS.
The research included expert advice from companies that have effectively adopted the ISMS and that have an equally wide operational area and comparable inventories. A literature review also provided useful information on the procedures for developing and implementing information security.

Justification

The International Organization for Standardization and International Electrotechnical Commission (pp v) recommends that organizations or companies establish information security standards in line with BS ISO/IEC 27001:2013. According to Hostland, Enstand and Eilertsen (pp 6), security goals are necessary before any step is taken. Most information security goals are common and consistent across all organizations and serve the best interests of an organization (John pp 3). The scope of the information security system is also consistent with that of Terroza. Information is the lifeblood of any organization and thus has to be secure. Various companies have adopted the ISMS and successfully benefited from the security measures provided by the system. The company is intended to serve as the custodian of all the mineral information in the United Kingdom and thus requires sufficient computer systems and software.

Implementation Success and Obstacles

The National Mineral Company has a competent team that will enable the implementation of the ISMS. All of the company's employees are computer literate and can comfortably adopt the system, with minimal technical hiccups expected due to personnel ignorance. The company also has an established training program aimed at developing the technical capacity of the personnel. The policy is likely to serve the best interests of the various departments in terms of availability, confidentiality and accessibility. The company's employees tend to show curiosity whenever a new technology is put in place. This curiosity can be an important fuel for the success of the implementation.
The National Mineral Company holds a large amount of data, which requires a security system to manage all the data of the organization.

Despite the signs of implementation success, the organization will face three major obstacles: the organizational will to implement; the technical and administrative capacity to implement and maintain a policy; and the state of the current systems, whether manual or digital. If the top management fails to adopt the policy proposal, there will be no implementation. In addition, the administration must have the financial capacity to approve implementation of the plan. The current system can also prove to be a major obstacle by denying ample room for the new policy. The current complexities of the information security system will dictate whether or not to implement a new one. The top management may have some hesitation over adoption of the new system.

Effectiveness of the process and improvements

According to OECD (pp 59), all the data and information in the National Mineral Company will be available, accessible and safe. The finance department will have enough hardware and software resources to ensure that financial data is well stored and secured. Financial information security will ensure accessibility of information to the relevant authorities. The human resources department will equally have adequate resources to ensure that personnel data and information is well managed and controlled. Management generally will have control of, and easy access to, the National Mineral Company's assets and resources. The management functions benefit largely from information security in decision making and in protecting the best interests of the organization. All the proposed policies are in line with the International Standard Organization recommendations (ISO27001:2013).

There are changes that can improve the performance of the ISMS.
Most of the improvements can be obtained from the regular upgrades and recommendations produced by the International Organization for Standardization (Raggd pp 492). In addition, the PDCA model can provide an important tool for improvement of the ISMS. The PDCA model refers to the phases that the company can follow to improve information security: the Plan phase, the Do phase, the Check phase and the Act phase (Arnason and Willet pp 99).

Works Cited

Arnason, Thor Sigurjon and D Keith Willet. How to Achieve 27001 Certification: An Example of Applied Compliance Management. CRC Press, 2007.

Hostland, Kenneth, et al. "Information Security Policy: Best Practice Document." 2010. GEANT. Retrieved on December 8th, 2015 from http://services.geant.net/cbp/Knowledge_Base/Security/Documents/gn3-na3-t4-ufs126.pdf.

International Financial Data Services. "Information Security Management System Information Security Policy." 2014. P079A - ISMS Security Policy. Retrieved on December 8th, 2015 from http://www.ifdsgroup.com/images/pdfs/ISMS_2014.pdf.

International Organization for Standardization and International Electrotechnical Commission. Information Technology, Security Techniques, Information Security Management Systems and Requirements. Geneva: BSI Standards Limited, 2013.

John, Peter. "Information Security Policy." 2014. POL_ITS_001: Information Security Policy. Retrieved on December 8th, 2015 from https://www.uwl.ac.uk/sites/default/files/Departments/About-us/Web/PDF/policies/Information_Security_Policy_9Jan2015.pdf.

OECD. OECD Reviews of Risk Management Policies: Norway 2006 Information Security. OECD Publishing, 2010.

Perkins, Jethro. "Policy: Information Security Policy." 2013. LSE Governance. Retrieved on December 8th, 2015 from http://www.lse.ac.uk/intranet/LSEServices/policies/pdfs/school/infSecPol.pdf.

Raggd, G Bel. Information Security Management: Concept and Practice. CRC Press, 2010.

Terroza, Klyde Arhnel. "Information Security Management System (ISMS) Overview." 12th May 2015. The Institute of International Audition. Retrieved on December 8th, 2015 from https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20(ISMS)%20Overview.pdf.