Policy 3

profileJohn_matt
replies_needed.docx

Please don’t give me a two to three sentence replies. It has to look bulky. At least 8 to 10 sentences. Thank you

Reply needed 1

When a person goes to buy a suit they look for a specific name brand. There are a variety of name brands on the market and each one of them cost a certain amount of money. Most people associate name brand with quality. The same can be said about holding a certification such as ISO 27001 which is the best-known standard for an information security management system (ISMS) (ISO, 2013). An ISMS is a set of policies and procedures for systematically managing an organization's sensitive data to minimize risk as well as ensure business continuity by pro-actively limiting the impact of a security breach (Rouse, 2011). This briefing is designed to give you an over of the ISO 27001 standard and its requirements along with the benefits of being certified.

Benefits of being ISO 27001 Certified

ISO 27001 is a certification that is recognized globally and is required in some countries. By attaining the certification Red Clay Renovation will stand out amongst its competitors as an organization that goes above and beyond what is required to protect its client’s data. It is also financially prudent to protect Red Clay Renovations data and to meet the legal requirements of nations in which we seek to do business (Itgovernance, 2013). What that means is that Red Clay Renovations will now be able to do business in other countries and increase its profit margins.

What is ISO 27001?

ISO 27001 is a standard that was created by the International Organization for Standardization to help organizations protect their assets and establish a robust ISMS. An ISMS is a combination of policies and procedures that are created based on the organization, its employees and the assets that are being protected. One of the procedures that ISO 27001 recommends is conducting a risk assessment to identify threats and vulnerabilities at an individual asset level and, from there, analyzing and assessing risk (Itgovernance, 2013). ISO 27001 also has a list of best practices that can be used to protect assets.

Standard requirements

ISO 27001 has a number of requirements that must be met before an organization can become certified. One of the main requirement is to write an ISMS policy which is the highest-level document in your ISMS (Kosutic, 2013). Other requirements include asset management, communications and operations management, access control, information security incident management and compliance (Varonis, 2016). Once all the requirements have been met an organizations ISMS must be audited by an organization approved by the appropriate body associated with the EA and IAF and the auditing organization cannot be your consultant – their whole involvement in your ISMS must be limited to their audit (Itgovernance, 2013).

Summery

ISO 27001 is a standard that was created by the International Organization for Standardization to help organizations create an ISMS and protect their assets. The benefits of attaining the ISO 27001 certification are profit increase, the ability to conduct business on other continents and customer recognition for increasing protection to their information. The standard contains a list of requirements that must be met including conducting a risk assessment.  ISO 27001 is a certification that is worth attaining because it will draw the attention of customers worldwide just like the name of a good suit.

 

 

International Organization for Standardization. (2013). ISO/IEC 27001 - Information security management. Retrieved from ISO: http://www.iso.org/iso/iso27001

Itgovernance. (2013, February). Information security. Retrieved from Itgovernance: http://www.itgovernance.co.uk/files/Infosec_101v1.1.pdf

Kosutic, D. (2013). ISO 27001/ISO 22301 Knowledge base . Retrieved from Advisera.: http://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

Rouse, M. (2011, January ). Information security management system (ISMS). Retrieved from Techtarget.: http://whatis.techtarget.com/definition/information-security-management-system-ISMS

Varonis. (2016). Understanding ISO 27001 IT Requirements. Retrieved from varonis: https://www.varonis.com/learn/iso17701-it-requirements/

Reply needed 2

Introduction:

     To be consistent with the current technology-centric society, it becomes paramount for companies to adopt an Information Security Program that follows an organizational standard. “A standard is a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose” (ISO, n.d., para. 1). With the advancement of cybersecurity threats, we must also implement counter defenses to those threats so that our systems remain protected. This is the prime reason organizations require an information security program that is ISO/IEC 27001 compliant. The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) is an official standard that provides best practice recommendations for information security systems, which is why basing the program off the standard is important (IT Governance, 2016a, para. 1). The purpose of this briefing paper is to highlight the significance of Information Security Programs to corporate officials, state the ways in which the company can benefit from the system, and what policies should be in place to support the program.

Analysis:

     An information security program is defined as an established plan which provides security for the company’s information assets (Applied Trust, n.d., p. 1). Not only does it provide ways to manage/mitigate organizational risks, but it also helps senior management keep their security practices current (Applied Trust, n.d., p. 1). As the responsibility for the overall security and stability of the organization’s information assets falls on senior management and the corporate board, it is vital for them to understand the requirements of a proper information security program (Behm, 2003, p. 7). A comprehensive information security program requires a “designated security officer, risk assessment, policies/procedures, organizational security awareness, regulatory standards compliance, and an audit compliance plan” (Applied Trust, n.d.). A designated security officer is required so that they can take accountability of the execution of the information security program (Applied Trust, n.d., p. 2). Risk assessment is a crucial aspect of any information security program as it helps organizations minimize risk by prioritizing them and choosing appropriate countermeasures based on the severity of the risk (Applied Trust, n.d., p. 2). Policies and procedures pertain to risk assessment as the countermeasures for the risks identified within the assessment are actually implemented into policies and procedures so that there is an official standard for following them (Applied Trust, n.d., p. 3). As the old saying goes, humans are the weakest link in security (Applied Trust, n.d., p. 3). Therefore, organizational security awareness is imperative for a successful information security program so that employees do not fall prey to social engineering attacks and end up revealing company sensitive information (Applied Trust, n.d., p. 3). Complying with regulatory standards such as the “Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Federal Information Security Management Act (FISMA), Sarbanes-Oxley, and Gramm-Leach-Bliley” (Applied Trust, n.d., p. 3) is also an important aspect for a security program. The last requirement for any successful information security program is an audit compliance plan (Applied Trust, n.d., p. 3). This plan will monitor the security of the company’s information assets and verify that it is in full compliance with the information security program (Applied Trust, n.d., p. 3).

     Red Clay Renovations can benefit from implementing an information security program that is ISO/IEC compliant in numerous ways. First and foremost, the program helps protect the company’s information assets, and helps the organization attract new investors and maintain the satisfaction of the company’s existing clients (IT Governance, 2016b, para. 3/4). Secondly, the costs associated with data breaches are reduced since the program follows organizational standards which outline best practice recommendations to maintain the security of the assets (IT Governance, 2016b, para. 5). Furthermore, the company’s reputation is increased as Red Clay Renovations would be known for their upheld posture within the cybersecurity world; this would not only keep the customer base happy, but it will also help convince the company’s employees that they are part of the right firm (IT Governance, 2016b, para. 6/7). Lastly, the company would “comply with business legal, contractual/regulatory requirements and satisfy audit requirements” (IT Governance, 2016b, para. 8/9).

     A policy is a form of documentation that defines the goals of the organization and why they are necessary for the overall success of the company (Dorrian, 2016, p. 1). Hence, they are another significant aspect for a prosperous information security program. The ISO/IEC 27001 standard requires the implementation of policies so that they can serve as a backbone for the information security program. In other words, ISO/IEC 27001 provides organizations security policy templates that they can customize for their company and thus can have an all-inclusive list of security policies (Durbin, 2016, p. 5). For example, the standard states that policies must “provide management direction, designate roles/responsibilities for employees, establish precautions with wireless devices, highlight the significance of security awareness training, and identify the disciplinary process for employees that have violated company conditions, etc. ” (Durbin, 2016). To conclude, the ISO/IEC 27001 standard requires the implementation of policies to support the information security program so that it can enforce stability in administrative processes and procedures (Dorrian, 2016, p. 1)

Summary:

     To summarize, as it is the responsibility of senior management to secure the company’s information assets, it is vital for them to understand what constitutes a successful information security program (Behm, 2003, p. 7). A comprehensive information security program must designate an individual to take accountability of the overall operation, it must prioritize and assess risks, identify mitigation strategies for risks within policies, conduct security awareness training for its employees, follow the ISO/IEC 27001 standard, and monitor the overall operation of the program so that there is no gap in security (Applied Trust, n.d.). Hence, Red Clay Renovations should adopt an ISO/IEC 27001 compliant Information Security Program.

 

 

References

Applied Trust. (n.d.). Every company needs to have a security program. Retrieved from https://www.appliedtrust.com/sites/default/files/assets/resources/every-company-needs-a-security-program.pdf

Behm, R. L. (2003, December 6). The many facets of an information security program. Retrieved from https://www.sans.org/reading-room/whitepapers/awareness/facets-information-security-program-1343

Dorrian, J. (2016). Developing internal policies and guidance documents in CSIA 413. Document posted in University of Maryland University College CSIA 413 6381 online classroom, archived at: http://campus.umuc.edu

Durbin, K. (2016). ISO 27001. Retrieved from https://ecfirst.com/pdf/ISO_27001_Solutions.pdf

ISO. (n.d.). Standards. Retrieved from http://www.iso.org/iso/home/standards.htm

IT Governance. (2016a). ISO 27001 and information security. Retrieved from http://www.itgovernance.co.uk/iso27001.aspx?utm_source=green-paper&utm_medium=infosec-iso27001&utm_campaign=infosec-iso27001-green-paper

IT Governance. (2016b). ISO 27001 benefits. Retrieved from http://www.itgovernance.co.uk/iso27001-benefits.aspx

U.S. Department of Health & Human Services. (n.d.). Business associates. Retrieved from http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

U.S. Department of Health & Human Services. (n.d.). The security rule. Retrieved from http://www.hhs.gov/hipaa/for-professionals/security/index.html

REPLY 3 Needed

Introduction

   Red Clay Renovations currently handles and stores an immense amount of intellectual property and customer’s

personal data. Many of the jobs that the company under takes require personal information to be collected and

stored. This information is classified as Personal Health Information and Personal Identifiable Data. Red Clay uses

the IS0 27001 standard however it has not been fully implemented within the company. It is pivotal to implement

security standards within all levels of the company.

What is ISO 27001

   In the world of information security standards and structure are very important. The company’s current Information

Security approach is inadequate. Utilizing the full guidance of ISO 27001 will improve our approach and mitigate risk.

ISO 27001 is a set of guidelines for an organization to improve their Information Security Management System

(ISO/ISC, 2013). These guidelines can be tailored to fit the needs of Red Clays security approach.

Why is ISO 27001 Necessary?

   The need for Information System security controls have never been more prevalent then today. A high end hotel in

Nashville recently revealed that its point of sale terminal had been comprised for the last three years (Kirk, 2016).

Red Clays Current Information Security posture could expose us to the same risk. However, if the proper standards

are implemented risk can be mitigated.   There are multiple moving parts to a successful information security

program. Alan Calder an expert in the ISO standards field stated that successful technology alone cannot ensure

information security (2013). The requirements outlined in ISO 27001 will assist in developing an effective information

security program.

ISO 27001 Requirements

   There are several requirements to be fully certified ISO 27001compliant. These requirements include a solid

information security policy, employee competence, security risk assessments, evidence assessments and

management involvement (ISO/ISC, 2013). These requirements are designed to allow companies the ability to tailor

their policies to meet there needs. Our needs would cover our local and remote sites as well as any subsidizers.

Summary

   Red Clays current information security posture is in need of revision. This revision should include measures found

in the ISO 20071 standards. These measures must be integrated into every policy and information security training.

A solid Information Security program will reduce risk by putting standard procedures in place.

 

References

Calder, A. (2013). Information Security & ISO 27001. Retrieved September 6, 2016, from http://www.itgovernance.co.uk/files/Infosec_101v1.1.pdf

ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. (2013). Retrieved September 6, 2016, from http://www.iso27001security.com/html/27001.html

Kirk, J. (2016, September 5). Nashville Hotel Suffered POS Breach for Three Years. Retrieved September 6, 2016, from http://www.databreachtoday.com/news

Follow-up replies needed 4

John,

 

Your break down of ISMS in your opening paragraph is well defined and easy to understand. I think advising the board that ISMS will enable continuity of the organization will make them pay more attention to your briefing. The end of your introduction confuses me because I am not sure who this briefing is for. I think you were supposed to write this briefing for the senior leadership and corporate board for the case study company. I don’t think that you needed to include a breakdown of Red Clay Renovations senior leadership and corporate board because this briefing is for them. Your closing paragraph is good but I would have like to learn more about ISO/IEC 27001 in the body of the briefing. I would have like to see more of the benefits of adopting the standard in the body of the paper.  

Follow-up replies needed 5

John, I think you did a good job in your discussion. Your introduction was well thought-out and addressed the purpose of your post, which is a requirement listed in the rubric. However, I did notice a few concepts within your discussion that I think can be improved. Initially, I noticed that you mentioned the specific officers and directors that constitute senior management and the corporate board. However, you did not explicitly state why an information security program is necessary for them to implement. For example, I think it would have been beneficial if you mentioned the fact that it is the obligation of senior management to secure Red Clay Renovations’ information assets (Behm, 2003, p. 7). Specifically, you could have mentioned the fact that “a comprehensive program begins with a senior management official promulgating an organizational information security policy that establishes the purpose and scope of the program and defines different organization roles and responsibilities by position” (Behm, 2003, p. 7).

     Additionally, I did not see a specific conclusion within your discussion as this is one of the requirements of a briefing paper (Dorrian, 2016a, p. 2). I was a bit confused as to whether or not the last paragraph was your attempted summary. I think it would have been clearer if you included a separate section and titled it “conclusion” or “summary.” I also think you should have reiterated senior management’s position as it relates to ensuring an ISO/IEC 27001 compliant information security program within the conclusion. The last aspect of your discussion that I think needed improvement was your references section as you only included one authoritative source, when we were required to cite three, per the assignment instructions (Dorrian, 2016b, para. 5). In summary, I think you did a good job as you met most of the requirements of the discussion but I would improve it by incorporating the previously mentioned ideas within your post.

 

 

References

Behm, R. L. (2003, December 6). The many facets of an information security program. Retrieved from  https://www.sans.org/reading-room/whitepapers/awareness/facets-information-security-program-1343

Dorrian, J. (2016a). Expanded explanation for discussion question responses in CSIA 413. Document posted in University of Maryland University College CSIA 413 6381 online classroom, archived at:  http://campus.umuc.edu

Dorrian, J. (2016b). Who needs an information security program in CSIA 413?  Document posted in University of Maryland University College CSIA 413 6381 online classroom, archived at:  https://campus.umuc.edu/