Security Policy Framework in IT


The ISO/IEC 27000-series is a collection of security standards issued jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides a framework and guidelines for managing information security through the use of various security controls aimed at lowering information security risks (Evans, 2016). It has one of the broadest scopes, covering much more than privacy, cyber security, and confidentiality. The framework encourages all companies to assess their information risks and implement controls and procedures to mitigate them. Because information risk and security change constantly, the framework encourages continuous feedback and amendment of policies so that changes can be made to deal effectively with threats and vulnerabilities. For an insurance company, the ISO/IEC 27000-series is important since it focuses on how the information is being managed rather than what information is being managed (Evans, 2016).

Importance of Establishing Compliance of IT Security Controls with U.S. Laws and Regulations

Control frameworks that are compliant with government laws each contribute to business success in their own way. COBIT provides a good way to meet business goals while at the same time ensuring better performance of the business, better use of IT resources, and that the goals of the organization are explicitly stated (Peltier, 2016).

ISO27001 is a framework that is important in establishing an ISMS. This is important in assessing risks, implementing controls and ensuring that documentation is updated (Shao, Chen, Mao, Ott, & Qian, 2016).

NIST 800-53 is important for businesses since it gives them detailed controls that have enhancements tailor-made specifically for assessing controls.

Method of establishing compliance of IT security controls with U.S. laws and regulations


Once a control framework has been implemented, it is critical for the company to seek both internal and external auditors in order to audit the framework. During the audit process, gaps are uncovered, and if they are mitigated, the program will ultimately be more complete. When doing the audit, the auditors must be careful to address reasonable risks, because organizations do not normally execute all controls at all times (Harkins, 2016). It would be important for the organization to have mitigating controls that detect anomalies and control them before they become major problems. Audits that test the security framework can take many forms, such as interviewing, testing samples and reviewing the policy and procedures. It would also be important to conduct a penetration test. Each audit should be taken seriously in order to determine the effectiveness of the framework. Existing controls can be modified if need be (Harkins, 2016).

How Organizations Can Align Their Policies and Controls with the Applicable Regulations.

An organization can use either a parallel or an integrated approach. A parallel approach assigns the function of alignment with regulations solely to the IT department, while an integrated approach views IT security as part and parcel of the organization (Peltier, 2016). When treated as important, information security becomes an aspect that influences other elements of the business. The company should devote some of its resources to information security and treat it like other elements of the business. Information security should be viewed as protecting the company from harm and helping it achieve its objectives. Management support and information security policies would enable the company to adhere to applicable regulations (Peltier, 2016).

Business Challenges Within the Seven Domains in Developing an Effective IT Security Policy Framework.

User Domain

Users can destroy data in the system, whether intentionally or not. Users can also insert infected drives into work computers, affecting the whole system (AlHogail, 2015).

Work Station Domain

This is the place where work takes place: the computer of an individual user. Hackers can find a vulnerability in the workstation domain that allows them to connect remotely and steal data. Workstation software can have vulnerabilities that allow installation of malicious software on the computer. Failure of the workstation's hard drive could also result in the loss of an enormous amount of data.

LAN Domain

It is a trusted route that connects all computers. Worms and viruses can spread through LAN, infecting all computers leading to data loss.

WAN Domain

It can allow anonymous installation of software that can affect the system. The service provider can have a service outage at any time, limiting access.

LAN/WAN Domain

They are normally filtered by firewalls. A hacker can penetrate the network and have access to files. Unnecessarily open ports can permit unwanted access through the internet (AlHogail, 2015).

System, Application and Storage Domain

This domain is made up of user-accessed servers that support email and databases. Attacks can cripple the email server and destroy data.

Remote Access Domain

A remote mobile user can access the network through a VPN or a remote connection. A remote connection from the office can be unsecured. VPN tunneling can be hacked (AlHogail, 2015).

IT Security Policy Framework Implementation Issues and Challenges

Security standards and regulations play an important part in helping organizations manage and measure security. They do this by providing guidelines and procedures that enable the company to develop a good IT security framework. However, there are challenges with the standards that make them difficult to implement, especially in small and medium-sized insurance companies (Webber & Smith, 2014).

Evaluation of the framework using Common Criteria is very expensive but does not increase the level of security. When using the method, much time and many resources are consumed preparing evaluation evidence and other documents.

ISO 27001 relies upon risk analysis and is thus not convenient for insurance companies, since it depends on asset values (Evans, 2016). However, risk analysis can use other resources in order to meet the security requirements of companies. Other things, such as company reputation, could be used as an asset that needs protection, thus putting the clients at risk.

Conclusion and Recommendation

Insurance organizations need to keep the challenges in mind and adopt a plan that takes them into consideration when implementing the security framework. The organization should have in-depth knowledge of the standards, enabling it to design frameworks that address and mitigate any security issues in the organization. Long-range plans that would mitigate risks are also important (Webber & Smith, 2014).


IT security control frameworks and standards give direction for developing a successful information technology security framework (Peltier, 2016). Before the framework is implemented, it would be important to have a continuous review of operating procedures and implementation of control strategies that would make the framework effective and enable it to be implemented easily. It would be important to do an audit of the company in order to ensure that the framework is implemented easily. Doing an audit would bring the major challenges to light, so that a solution can be devised before the framework is implemented.


AlHogail, A. (2015). Design and validation of information security culture framework. Computers in Human Behavior, 49, 567-575.

Evans, L. (2016). Protecting Information Assets Using ISO/IEC Security Standards. Information Management, 50(6), 28.

Harkins, M. W. (2016). Introduction. In Managing Risk and Information Security (pp. 1-16). Apress.

Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.

Webber, M., & Smith, M. (2014). Foreign policy in a transformed world. Routledge.

May 17, 2023

