Summary (Information Security Management ) - Essay Example

Comparison of ISO/IEC 27001 and NIST Document Outline ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management. It does not mandate specific information security controls but stops at the level of the management system. In contrast, NIST provides guidance on design and implementation of new security systems; use it as a supplement to gain a deeper understanding in the background and terminology. ISO/IEC 27001 requires that management should systematically examine the organization's information security risks, threats, vulnerabilities and impacts.

To address those risks that are supposed to be unacceptable ISO/IEC 27001 suggests modeling and application of rational and comprehensive suite of information security controls. Comparatively, NSIT lays out on security management by identifying 17 controls organized into three categories: The Management Control section addresses security topics that can be characterized as managerial. The Operational Control section addresses security controls focusing on steps that are, broadly speaking, implemented and executed by people (as opposed to systems).

The Technical Control section implicates on security controls that the computer system executes. Main advantage of NSIT document is network-based IDSs, which are usually passive devices that do not interfere with the normal operation of a network, are very secure against attack and even made invisible to many attackers. A major weakness here is, Network-based IDSs may have difficulty processing all packets in a large or busy network therefore, may fail to recognize an attack launched during periods of high traffic.

The scope of NSIT is limited as it lacks, especially in the area of time defined as “heavy traffic”. In switches that do provide monitoring ports, often the single port cannot mirror all traffic traversing the switch and Network-based IDSs cannot analyze encrypted information. 2. Best Security Practices at the Microsoft IT’s Information Security (InfoSec) and Yahoo! Infosec at Microsoft implies assessing environment to determine specific network security needs, focusing on establishing a process to identify and analyze security risks on an ongoing basis, the risk of starting projects that are not solving biggest security problems.

Secondly, it emphasizes on network protection revision of firewall installation, to ensure that the precise rules and processes to implement and maintain them are still valid .Thirdly, to protect servers and client, Infosec checks to make sure that up-to-date antivirus software on all of the servers and clients are deployed. It suggests that users should always have a backup and recovery strategy in place to restore services and data in an acceptable period of time. Lastly, environment should be monitored by establishing a proactive strategy that audits network to identify configuration of the systems.

They should meet organizational standards and best security practices. Regular revision of client and server logs to track common attack patterns is also very important. Microsoft implicates threart analysis and modeling, thereafter, eradication of threats using security tools. The steps taken at Yahoo! 1 to protect unauthorized access of the information are different from that at InfoSec.Though no data transmission is guaranteed to be 100% secure, Yahoo suggests using Secure Socket Layer (SSL).

This is a kind of encryption, where an icon resembling a padlock is displayed on the bottom of most browsers window during SSL transactions involving financial services. At the time of making payments using credit cards and other forms, customer has to follow certain verification steps like entering credit card number. The information provided is encrypted securely at servers and is shown only as asterisks.Maintaineance of reasonable physical, electronic and procedural safeguards accorded with federal regulations is another secure storage step. Yahoo! prefers working with vendors and partners to maintain sound security .

The employees who come in direct contact with customers to provide products and services related information are abstained from accessing personal information section. Last but not the least Yahoo conducts company-wide education and training programme to constantly educate employees about information security management. To enhance personal safety Yahoo! recommends customers to be vigilant in choosing passwords with maximum strength, updating antiviruses,spywares while, interacting online with strangers.

Reference 1. Yahoo! Inc. (March 28, 2002). Yahoo! Privacy Policy. Retrieved from http://privacy.yahoo.com/privacy/us/security/details.html