Coming into a project as the person hired solely to develop and implement a tactical, operational and strategic security framework can be daunting. In this instance a medium-sized insurance company has hired a consultant to develop an IT Security Policy Framework. The framework will cover not only the technology used to mitigate security threats but also the initial assessment, policy development, awareness and accountability of the program. The goals of the policy implementation will follow the project lifecycle: developing the initial framework, defining the goals and objectives of the policy, instituting periodic reviews to ensure continual improvement and measurement, developing documentation and manuals, and raising awareness of the policy to ensure compliance, adoption and integration into the company's culture.
Any implementation or cultural change requires committed leadership to drive it, as well as a framework that both embodies best practice and has a proven track record of delivering security. Several security frameworks are available to reference and build from, including NIST SP 800-53, the ISO/IEC 27000 series and COBIT. As the consultant for the medium-sized insurance company, it is best to select the framework that most closely fits the needs of the business. NIST SP 800-53 is the control catalogue mandated for U.S. federal information systems and is also used by entities regulated by federal agencies. The ISO/IEC 27000 series provides a broader and more flexible framework based on best practices for information security management, risk management, control implementation and information security system design (SANS Institute 2003). The goal of implementing a new policy for this organization is to cover more than technology and data integrity: it must also build a culture of security, with the means to uphold the policy and enforce accountability laterally and vertically throughout the corporation.
The ISO/IEC 27000 series of standards establishes a model for setting up and operating an information security management system, or ISMS (CabinetOffice 2008). The series is a family of standards, each addressing a different area needed to create an effective and efficient management system, and all of them need to be incorporated into the insurance company's new policy. The purpose of the standard is not to prescribe exactly how to establish an ISMS but to provide an overview of information security management, define key terms, set out the requirements for certification, give guidance for implementing the system and standardize implementation according to the type of security policy being adopted.
To define an IT security policy framework it is important to understand what a policy is supposed to do. This policy will give the insurance company a course of action that influences and directs the actions of employees regarding information technology security. It will drive the procedures, or actions, that must be taken to operate the business. It will also define quantifiable objectives, metrics for accountability and an exception process for cases where a documented deviation from the process is needed. The goal is a policy that is understandable, clear and concise and that provides the framework on which procedures can be built. The policy will consist of several parts: purpose, scope, impact, actions and accountability measures. It will also incorporate the following core security areas: identification and compliance, asset management, asset protection, acceptable use, vulnerability management, threat assessment, continuity, physical security and awareness (SANS Institute 2005). Each area will be addressed within the policy, and procedures will be developed from the high-level policy.
An effective security management policy provides the groundwork for mitigating potential threats to the company's data and information. While protecting information is vital in any business, this corporation deals with multiple layers of data governance: customer data must be protected not only for the customer's sake but also because of rules and regulations enforced by federal, state and other outside entities (Kizza 2010). This increases the pressure to implement a policy that is standardized and accepted as adequate by governing bodies, which is accomplished through validation and certification of the implemented information technology security systems. Aligning the company's policies with U.S. laws and regulations will establish compliance and a level of confidence in the company's security measures.
This alignment and policy generation brings challenges within each domain of the IT Security Policy Framework. Asset identification can be cumbersome when every asset already in the inventory must be addressed retroactively; this requires a physical view of what the company owns and could take many work hours to complete. Going forward, the policy would require all newly purchased assets to be barcoded so they can be tracked and monitored. This leads into the management of those assets. Management of the security assets will be based on role-based access control and segregation of duties, so that no one person has total control over the security of the systems. Protection of these assets will follow best-practice procedures defined for every asset that holds data requiring protection. Acceptable use will be addressed to ensure that users of the systems do not inadvertently or maliciously create a security risk. A list of vulnerable assets and their risks will be outlined, along with procedures to mitigate those risks. Threat assessment will follow suit with business continuity: all threats will be monitored and documented in the same fashion across the business units, and business continuity planning will ensure standardization of the information technology security systems. Physical security of the systems will be the responsibility of everyone assigned to the departments that use the information. This coincides with building a culture of information security, which will be addressed in the security awareness initiative. Increased awareness of IT security and top-down promotion of the new policy will give the program a greater likelihood of success.
CabinetOffice. (2008). HMG security policy framework. Retrieved from http://webarchive.nationalarchives.gov.uk/+/http://www.cabinetoffice.gov.uk/media/111428/spf.pdf
Kizza, J. (2010). Computer network security. New York, NY: Springer Science+Business Media.
SANS Institute. (2003). Applying the OSI seven layer network model to information security. Retrieved from http://www.sans.org/reading_room/whitepapers/protocols/applying-osi-layer-network-model-information-security_1309
SANS Institute. (2005). Building a security policy framework for a large, multi-national company. Retrieved from http://www.sans.org/reading_room/whitepapers/awareness/building-security-policy-framework-large-multi-national-company_1564