System Security Plan
Selecting and Ensuring Compliance with Security Frameworks
Identifying Critical Information Assets
Risk Assessment and Management
Review of Security Controls
Physical and Environmental Protection
Production, Input, and Output Controls
Data Integrity and Validation Controls
Selecting and Ensuring Compliance with Security Frameworks
Introduction
When examining the most common threats faced by organizations, virtually all of them fall into one of three categories: IT, human error or behaviour, and third-party access or relationships. Human error is one of the most frequent enablers of cybersecurity breaches because it creates weak spots that cybercriminals can easily exploit. Companies can repel the vast majority of the identified cybersecurity threats and risks by building a robust digital safety culture and raising awareness within the organization.
One way to achieve this is by implementing a cybersecurity framework such as ISO 27001. ISO 27001 is a globally accepted security framework and is rapidly growing into a management standard across all business sectors. One reason for its growth is that the basic requirements of its certification process are regarded as best practices for any information security management system (Dhillon, 2018). ISO 27001 is also recommended because it enables staff to manage the organization's entire security program in one place, consistently and cost-effectively.
However, successful implementation of the security framework requires several resources and technologies. In any implementation process, the most crucial element an organization should always involve is its internal employees. Employees and business stakeholders are key to the success of any business project. Once they are involved, enough time should be set aside to create an awareness program and to ensure that all stakeholders understand the basics of the framework's requirements and guidelines.
Identifying Critical Information Assets
Organizations operating in the public sector are among the most important suppliers of goods and services to the world. Their activities include education, civil protection, transportation, and the creation of employment opportunities. If these activities are threatened, lack quality, or are unreliable, the result can be several problems for the community at large (Artiukh, 2018). The strategic alignment maturity model designed by Luftman is commonly used to provide organizations with the most fitting tools and procedures for gaining insight into the relationship between IT and the business, thereby enhancing activity delivery. The fundamentals of the model are shown in the image below.
Certification Process
The strategic alignment maturity model is commonly used as a survey to assess where the organization stands with regard to its maturity and its preparation for certification. Once maturity is understood, the gathered information can provide the organization with a roadmap for identifying prospects that promote a harmonious relationship between IT and the business. The model consists of five significant levels; an organization must meet the requirements of each level before proceeding to the next while preparing for the ISO certification process.
With information security breaches on the rise and becoming the new normal, corporate security teams are compelled to take dedicated and drastic measures aimed at reducing the risk and consequences of a damaging security breach. With ISO 27001:2013, this is achieved by following the steps defined in the certification process, which are as follows:
- Preparation
- Establishing scope, context, and objectives
- Establishing a management framework
- Conducting a risk assessment
- Mitigating risks by implementing controls
- Monitoring, measuring, and reviewing
- Conducting an internal audit
Control of Management
The protection of an organization's critical infrastructure is one of the most crucial aspects on which management and security teams should place greater focus. This can be achieved by including a strategic plan, which is important because it gives an organization a sense of direction, measurable and foreseeable goals, and business outlines (Wang, 2016). Strategic planning as a security improvement tool offers guidelines for fundamental day-to-day operations and decision making. Furthermore, it can aid the organization in changing security approaches, regulations, and policies as it moves forward, as well as in evaluating progress.
Strategic Planning
The very first phase of strategic planning is establishing and defining the organization's goals and mission statement, which in this case mainly involves establishing a flexible and favourable working environment designed to secure the organization's critical information assets. As the internet grows, so do both the number of recorded security breaches and the sophistication of malicious attackers. As a result, several security policies have been developed over time to help organizations curb these threats, some of which are highly recommended and most often considered security best practices.
Risk Assessment and Management
Risk management is critical in developing the set of policies and standards used to secure the information systems within DHMS, such as workstations and networks. Risk management will also provide a disciplined and structured process capable of integrating best practices in risk assessment and information security as part of the system development life cycle.
Review of Security Controls
As a best practice in risk assessment and management, it is advised to review the security controls already in place to protect the business information infrastructure. The first and major policy in place is the Access Control Policy (ACP). This is one of the most crucial policies and is required by a vast number, if not all, of cybersecurity frameworks, such as the popular ISO security framework. An access control policy is mainly used to outline and define the level of data and information access to be assigned to each employee, which depends largely on the employee's role and position within the organization (Gajmal, 2018). Some of the standards defined in an access control policy include computer access, network access controls, and user access.
The information security policy is another that should already be implemented. Its main role is to provide a set of guidelines and procedures to all employees and users of the organization's information, within the organization or its network, all of whom are required to comply with the set guidelines and rules to ensure the security of the organization's information. The information security policy goes hand in hand with the change management policy, which provides a formal process for any changes to the organization's security operations, IT infrastructure, and software development process.
Another important, must-have policy is the incident response policy. Every organization in almost any business sector is susceptible to several threats and risks. However secure an organization's IT and network infrastructure may be, it is recommended that management introduce an incident response policy in case an incident occurs. The policy gives both the organization and its employees guidelines on how to manage the incident, as well as remedies aimed at reducing its impact on business operations.
Operational Controls
Personnel Security
When it comes to protecting our businesses, as well as the occupants of their buildings, one of the recommended actions is the implementation of access control. Access control can be understood as the general practice of authorizing users into a system and guaranteeing that users are who they claim to be and hold the appropriate access rights. At a much higher level, it is understood as the selective restriction of access to specific data and information.
However, access control is more than just the authorization of user access; it is also a security protocol that helps ensure adequate protection of data from several types of intruders. Several different models of access control system exist from which businesses must choose for their facility; some outperform others. Access control systems come in three substantial variants: DAC, RBAC, and MAC.
Physical and Environmental Protection
In controlling the environmental and physical protection status of the organization, there is a need to put in place a security control strategy that measures and validates the personnel or stakeholders authorized to enter the business premises. Hence Mandatory Access Control (MAC) comes into play. MAC is usually implemented in organizations that require an elevated emphasis on the classification and confidentiality of data and its physical environment.
With Mandatory Access Control, only the system custodians, personnel, and owners have complete management of the access controls, although owners are not permitted to decide who should have access. With MAC, all end users are classified and given labels that are used to grant them mandatory access through a series of security protocols established under security guidelines.
Production, Input and Output Controls
RBAC is often the most sought-after type of access control system. Over time, it has become one of the most highly coveted models in industry. In RBAC-based systems, access rights are granted and allocated by the system administrator and are strictly based on the user's position or role within the organization, with most of a user's privileges bounded by the limitations defined in the job description. This model makes the process much easier because, rather than assigning each end user individual access, the system administrator only has to focus on job titles when assigning access.
Many technologies have been developed to support the various types and models of access control. In some cases, multiple technologies may be required to work together to achieve the desired or necessary level of access control. Having covered the concept of access control and its various models, there are various technologies that system administrators can adopt to control user access both physically and logically, such as firewall systems including pfSense, which provides Snort configurations for such purposes.
Data Integrity and Validation Controls
In ensuring the security and integrity of the business's data, the most recommended access control to implement as a validation control is discretionary access control (DAC). As a model of access control, DAC places the responsibility for deciding and granting user access on the business owner, whether physically, in a specific location, or digitally. Compared to the other types, DAC is often the least restrictive, mainly because it in essence allows business owners comprehensive control over any or all systems or objects they own, as well as the already installed and configured programs associated with those systems.
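The following Python sketch is an added illustration, not part of the original plan, contrasting the decision logic of the three models described in the MAC, RBAC and DAC sections above: MAC labels assigned centrally that the owner cannot override, RBAC permissions derived only from roles, and DAC access lists maintained by the object's owner. The sensitivity levels, roles, user names and permissions are constructed for the example.

```python
from dataclasses import dataclass, field

# MAC: clearance and classification labels are set centrally (constructed lattice,
# an assumption for this example); the owner of an object cannot change who may read it.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_can_read(subject_clearance: str, object_label: str) -> bool:
    """Simple no-read-up rule: the subject's clearance must dominate the object's label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]

# RBAC: the administrator maps job roles to permissions and users to roles (constructed).
ROLE_PERMS = {
    "hr_clerk":   {"payroll:read"},
    "hr_manager": {"payroll:read", "payroll:write"},
    "engineer":   {"repo:read", "repo:write"},
}
USER_ROLES = {"alice": {"hr_manager"}, "bob": {"engineer"}, "carol": {"hr_clerk"}}

def rbac_allowed(user: str, permission: str) -> bool:
    """Access is decided purely from the user's roles, never per individual user."""
    return any(permission in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# DAC: each object has an owner who maintains its own access list.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # grantee -> set of permitted operations

    def grant(self, actor: str, grantee: str, ops: set) -> None:
        """Only the owner may extend the ACL; anyone else is refused."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(grantee, set()).update(ops)

    def allowed(self, user: str, op: str) -> bool:
        return user == self.owner or op in self.acl.get(user, set())

if __name__ == "__main__":
    report = DacObject(owner="alice")
    report.grant("alice", "bob", {"read"})
    print("MAC secret clearance reads internal:", mac_can_read("secret", "internal"))  # True
    print("RBAC carol payroll:write:", rbac_allowed("carol", "payroll:write"))          # False
    print("DAC bob reads alice's report:", report.allowed("bob", "read"))                # True
```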
Technical Controls
The digital world has, over time, become a rather scary and dangerous place, one that a vast number of people have grown to fear and one against which few businesses feel adequately protected. Every day, new cases of data breaches, cyber-attacks, new threats, adversarial groups, zero-day attacks, and a barrage of new technologies that claim to solve these problems are reported, with some of these new technologies acting as logical extensions to the security platforms already in place.
However, the fundamental problem observed with the efficacy of these new and updated technologies is that they are designed on the assumption that the organization has, or intends to implement them on top of, a solid programmatic foundation, which is not always the case for most organizations (Gabillon, 2020). An organization's strategic plan should be developed with this in mind before the initial implementation of any new technology, ensuring that the recommended policies, procedures, and frameworks are in place first. Examples of such critical policies that organizations should have implemented include:
i. Acceptable Use Policy
When building a security strategy or an information assurance plan, the very first step an organization should undertake is to understand and identify the critical assets and infrastructure that need protection. The AUP instructs personnel on the best practices and constraints they should adhere to while using the organization's IT assets to access the corporate network. It is often regarded as an onboarding policy for new employees, which they are required to sign before being granted any access.
ii. Remote Access Policy
This policy outlines and defines the most acceptable and recommended strategies applicable to all personnel who require remote access to the organization's information infrastructure and internal networks. It is recommended as an essential requirement for any organization with a distributed network infrastructure, especially one that extends into less secure networks such as unmanaged home networks and local coffee houses.
References
Dhillon, G., Torkzadeh, G., & Chang, J. (2018, June). Strategic planning for IS security: Designing objectives. In International Conference on Design Science Research in Information Systems and Technology (pp. 285-299). Springer, Cham.
Artiukh, R. V., Kosenko, V. V., Malyeyeva, O. V., & Lysenko, E. V. (2018). Managing the risks of information and communication network in the context of planning the security of critical infrastructure systems.
Hsu, C., Wang, T., & Lu, A. (2016, January). The Impact of ISO 27001 certification on firm performance. In 2016 49th Hawaii International Conference on System Sciences (HICSS) (pp. 4842-4848). IEEE.
Gajmal, Y., & Thooyamani, K. P. (2018, December). A Survey on Access Controls in Cloud Computing. In 2018 4th International Conference on Computing Communication and Automation (ICCCA) (pp. 1-4). IEEE.
Gabillon, A., Gallier, R., & Bruno, E. (2020). Access Controls for IoT Networks. SN Computer Science, 1(1), 24.