Premium Essay

On the Development of Comprehensive Information Security Policies for Organizations

In: Computers and Technology

Submitted By DrKimChee
Words 565
Pages 3
The article selected for review is titled “On the Development of Comprehensive Information Security Policies for Organizations.” The article is from the International Journal of Academic Research; the authors are Fahad T. Bin Muhaya, Fazl-e-Hadi, and Abid Ali Minhas. The article offers guidelines on the development of information security policies for organizations based on a proposed framework.
The introduction of the article emphasizes the importance of protecting information: “Information security failures have gradually damage many progressing organizations; ruining its repute, reducing customer trust and ultimately lose its market share.” I believe this is a very strong introductory statement. The introduction of the article also implies that a new form of terroristic attack may come from breaching organizations and accessing sensitive information. The authors further suggest that information security comprises three elements, which are human, organizational, and technological vulnerabilities. The article’s objective is clearly stated: to serve as a tool for developing or improving information security.
The development approach, when viewing an organizational structure, is defined in the article as threats versus defense. The article identifies security policy issues at the environment, application, cryptography, network, and physical layers. This is a simple definition, but I feel that viewing a problem in its most basic form is the first step to developing a resolution. The authors’ issues in threats versus defense at the environmental layer are awareness, readiness, training, and attitude. The threat under awareness is information loss due to lack of knowledge and privilege misuse, with a defense of conducting awareness programs so that staff understand the threat of information loss.
