Although manpower plays an important role in the overall security scenario, it is difficult in today's world to imagine a circumstance in which manpower-aided infrastructure is not deemed necessary for any successful security effort (Chen and Mariam Zahedi 2016). Technology cannot fully replace manpower; since both have their fundamental flaws as well as strengths, it is vital to have a proper mix of technology and manpower. This chapter attempts to portray the technology available, both general technology and that which is specialized for a particular industry. Although certain technical inputs are important, the choice of advanced equipment depends on the understanding of the hazard, the form of product being generated and the importance of the commodity being created. Much also depends on the management's propensity to invest in protection, particularly as one visualizes that there is no return on investment in security and returns cannot be quantified. The equipment listed here covers a wide range of products, and the need for it emerges from the type of product or industry that one retains and its criticality (Cheng et al. 2013).

Types of Information Security Policies

Management needs to define three kinds of information security policies to create a complete information security policy (Swanson and Guttman 1996).

I. Enterprise information security policy (EISP)

An enterprise information security policy lays out the strategic direction, reach and language for the security initiative of the company, and assigns responsibility for various information management fields. The EISP offers guidance for the information security program's creation, deployment and management prerequisites.

II. Issue-specific security policies (ISSP)

Issue-specific policies give detailed instructions and clarification on the use of a tool, such as a procedure or equipment used by the company, to all members of the organization. The ISSP of each organization will address specific technology-based systems, which often need to be modified.

III. System-specific security policies (SysSP)

System-specific security policies do not follow the style of the policy types above. They are often designed to act as specifications or protocols that can be used to install or manage processes, such as configuring and running a network firewall. System-specific security policies can be classified into two groups:

  • Management guidance SysSP: A management guidance SysSP is developed for management and provides advice on the deployment and integration of technologies, as well as a summary of the reasonable behavior that persons in the enterprise are expected to follow in order to promote information security (Choudhury and Sabherwal 2003).
  • Technical specifications SysSP: The management guidance is formulated in collaboration with the manager and the system administrator; the system administrator may then need to develop a different kind of policy to implement it (Chu et al. 2015). For example, if the ISSP calls for user passwords to be updated on a quarterly basis, system administrators might put a technical control inside a particular system to enforce this policy.

Development of Information Security Policy

The implementation of information security policies consists of a two-part project: the policy is designed and implemented in the first phase, and the compliance mechanisms are generated in the second part in order to ensure that the policy is consistently used within the organization. Projects for policy development should be well prepared and supported, properly organized, and completed on time and within budget (Chu et al. 2018). The Security Systems Design Life Cycle (SecSDLC) can be used to direct the policy development programs.

Exploration stage: The policy development team should seek senior management (CIO) support in this process.

  • If the project gets senior management sponsorship, it has a better chance of success.
  • The more the top management participates, the quicker it will be to execute.
  • Represent the project policy objectives well.
  • Involve the same persons who will be impacted by the proposed policies.
  • The committee should be made up of the legal department, human resources department and end-user members.
  • Obtain a project manager capable of leading the project from start to finish.

Analyzing stage: The following tasks should be included in this phase:

  • Undertaking a fresh or recent risk assessment or IT audit documenting the organization's current information security needs.
  • Selection of the main information resources and existing policies.

Design stage: This step should include a strategy for how to execute the policy and how to validate delivery. Organization leaders shall read and approve the policies.

Implementation stage: The policy development team drafts the policies during this process. The team will ensure that the policies are enforceable as written documents, and that they are published, understood and accepted by those to whom they apply.

Maintenance stage: In this process, the policy development team manages and updates policy if needed to ensure that it stays successful. The program should be linked to a framework through which problems associated with it can be freely recorded. It should be checked regularly, too.

Approaches to the Implementation of Information Security Policy

There are two ways to achieve the application of an information security policy: the top-down strategy and the bottom-up approach (Chua et al. 2012).

The bottom-up strategy is implemented by executives and technicians. In this strategy the system administrators try to enhance their own applications. Systems and network engineers provide extensive expertise that can greatly improve the security of information in the enterprise.

They know the risks that can endanger their processes, and they know what measures and strategies are required to secure their technologies. This strategy is rarely successful, however, because it lacks the organized preparation that top management provides, such as coordination between departments and the creation of an appropriate budget.

There is structured coordination in the top-down strategy, which starts from top management, and a dedicated leader that provides funding and recommends the mechanism for execution. Top management has adequate money, provides guidance and creates strategies, protocols and processes.

Policies, Standards and Practices

Policies are a set of rules that set out acceptable and unacceptable conduct within an organization (Cram et al. 2016b). Policies guide how use of the technology is to be allowed. The information security policy consists of high-level statements relating to information security throughout the company and should be produced by senior management. The policy outlines the roles and responsibilities of personnel and the types of information that need protection. It should not state exactly which software or hardware is to be used; that kind of information belongs in other documents called standards, procedures, guidelines and practices.

Standards are detailed statements about what needs to be done to comply with the policies. Standards endorse and promote the implementation of the security policy and help ensure the organization's compliance. They usually describe the security controls involved in introducing a particular technology, hardware or application.

  • Practices, procedures and protocols define how the policy directives will be followed by workers.
  • Guidelines are the recommended measures for meeting the standards. According to Cram et al. (Cram et al. 2016a), guidelines should be seen as best practices which are highly recommended. For example, a standard may specify ten-character passwords, and a supporting guideline could add that making sure the password expires after 30 days is also best practice.
  • Procedures are step-by-step instructions for carrying out policies, standards and guidelines. For example, a procedure can specify how to install Windows securely by providing the detailed steps to be taken to protect the operating system, so that the policy, standard and guidelines involved are followed.
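The technical control mentioned above (a system administrator enforcing the password standard and the ISSP rotation rule inside a system) can be made concrete as a configuration check. The following is an added example, not code from the chapter: it parses a constructed `/etc/login.defs`-style snippet, compares it against the written standard (ten-character minimum, 30-day expiry), and reports the settings that drift from it, with the weak snippet shown beside its corrected form.

```python
# Added example: policy-as-code check that a host's password aging settings
# match the written standard. The login.defs snippets below are constructed
# samples, not taken from a real host. PASS_MIN_LEN is honoured only where
# PAM does not override it; it is used here purely to illustrate the check.
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordStandard:
    min_length: int = 10      # standard: passwords must be at least ten characters
    max_age_days: int = 30    # guideline: expire passwords after 30 days


# Constructed weak configuration: no expiry, five-character minimum.
WEAK_LOGIN_DEFS = """
# password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# The same snippet corrected to satisfy the standard.
HARDENED_LOGIN_DEFS = """
PASS_MAX_DAYS   30
PASS_MIN_DAYS   1
PASS_MIN_LEN    10
PASS_WARN_AGE   7
"""


def parse_login_defs(text):
    """Parse KEY VALUE lines into a dict, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_drift(text, std=PasswordStandard()):
    """Return {setting: (actual, required)} for every setting that breaks the standard."""
    cfg = parse_login_defs(text)
    drift = {}
    max_days = int(cfg.get("PASS_MAX_DAYS", 99999))  # absent key means no expiry
    if max_days > std.max_age_days:
        drift["PASS_MAX_DAYS"] = (max_days, std.max_age_days)
    min_len = int(cfg.get("PASS_MIN_LEN", 0))  # absent key means no minimum
    if min_len < std.min_length:
        drift["PASS_MIN_LEN"] = (min_len, std.min_length)
    return drift


if __name__ == "__main__":
    print(check_drift(WEAK_LOGIN_DEFS))       # both settings reported
    print(check_drift(HARDENED_LOGIN_DEFS))   # empty dict: compliant
```

An empty result means the host matches the standard; anything else is the evidence a policy audit would record.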

Governance of Information Security

According to Cronan and Douglas (Cronan and Douglas 2006), information security governance is characterized as a series of actions on how information security can be handled at the management level. Information security, which includes maintaining the confidentiality, integrity and availability of corporate data, helps to reduce the numerous threats that may be detrimental to business information by implementing appropriate security measures. There are various security standards and protocols that need to be addressed in order for organizations to adopt an appropriate set of controls to handle information security effectively. Such security requirements and recommendations come from both internal and external channels within an enterprise.

In order to properly handle information security, it is important to address all internal and external security requirements, and to prevent the possible effects of any weakness in information security. Such security requirements include IT system specifications, civil, administrative and contractual requirements, as well as information protection, privacy and quality requirements as understood by the company. Together with guidelines on agreed security standards, such as BS 7799 and other best practices, these requirements provide the foundation for an effective approach to information security (Crossler and Belanger 2009; Crossler et al. 2013, 2014).

With respect to formal criteria and protocols, information security policies and best practices are important since they have helped to promote the ideals of global information protection and to help develop partnerships between organizations and their stakeholders. BS 7799 is an example of such a norm that provides guidance on how organizations should manage information security, by providing information security advice focused on ten broad categories of security control. The norm is seen as a starting point for organizations to focus on an effective strategy for information security. Governments around the world have decided to create various regulatory and procedural standards with a view to inspiring, promoting and strengthening efforts to secure private records. There are different kinds of legal requirements which should be fulfilled by organizations. These include different specific fields and also country-specific laws and statutes (Culnan and Williams 2009).

With respect to internal specifications, IT architecture concerns relevant to information security help to define the criteria for protecting the critical infrastructure that makes up the information support. Company information issues related to information security help identify the criteria essential to safeguarding the confidentiality, integrity and availability of critical company information. Such issues are resolved through a risk assessment that aims to recognize and evaluate the various risks. Next, a risk management procedure is carried out, in which appropriate security measures are identified and enforced with the goal of minimizing these possible risks (Cuppens et al. 2013).

There are two essential aspects of information security governance that help to achieve a successful corporate governance approach for resolving the business information risk. First, there is the side of governance that requires executive and board leadership. They are required to set the course and policy for information security, overseeing their organization's information security activities. Through coordinating the information security activities of an organization, the CEO and the board will adopt a corporate information security strategy that reflects their dedication to information security and promotes the organizational purpose, goals and strategies for information security. When monitoring the information security activities of a company, executive management and the board must have periodic reports from the various administrators in the organization so that they can closely analyze and evaluate their procedures and practices, review them against rules or laws, and strengthen them if appropriate. Second, there is the operational aspect that concerns how an organization's security policy will be handled and executed. This is how the various department heads and other administrators are dedicated to enforcing the organizational information security strategy with the aid of traditional codes of practice. An example of such a code of practice is BS 7799, which includes appropriate security safeguards that can protect the confidentiality, integrity and availability of company information and advice, and incorporate information security into the day-to-day operations and functions of the organization (D'Arcy and Devaraj 2012).

ISO 27001 certification gives the existing information security system extra assurance, without altering the structure of the information security processes. ISO 27001 treats confidentiality, integrity and availability as fundamental principles in its specifications. The implementation of ISO 27001 requirements can be of great help to organizations; it can promote the development of a robust structure that provides the organization and its information assets with protection. The ISO 27001 standard can help in the assessment, implementation and maintenance of an information security management system (D'Arcy and Greene 2014).

In fact, a new standard costs a lot of time to introduce. Yet obtaining ISO 27001 certification for organizations would help to reduce the money spent on IT security operations, as well as helping to improve compliance procedures, while minimizing or even eliminating reliance on third-party providers. Therefore, if its members recognize the need for a cybersecurity control system, companies will maximize the benefits.

It can also be very useful for organizations to seek ISO 27001 certification because it can help top management improve the way information security is handled within the organization. The framework includes criteria for the processes and procedures to be implemented by the administration to ensure effective management of the information security system.
