What Are the Guidelines for Effective Information Security Management?
Physical security
Developing an appropriate security policy is a must for securing the network. The following are some of the key sections that need to be addressed when drafting an effective security policy [1], and that ACME should incorporate into its security policy.
This section defines how all the network-related hardware and infrastructure is protected. ACME does not have a proper plan for the physical security of the network, so having policies for physical security is one of the most important requirements for overall network security [2]. Hence this serves as one of the key sections of the network security policy.
This is another important section of the security policy. It defines how information is collected and processed. ACME's primary data centre hosts the framework that runs the enterprise application and also holds the company's email data, so data security is important. The section also covers how data is communicated and through which network [2], how data should be accessed, and who the authorised users of the data are. Hence this section is also an important one for the security policy.
This section defines how data should be backed up. It is also very important, as without proper backup data cannot be secured effectively for the long term. The section thus defines procedures and strategies for backing up data properly.
This section defines how data is made available to users who access it from outside the organization's premises. ACME has two multi-tenant data centres, which are kept isolated. Hence it is necessary to protect the data centres from remote access. The policy for this section defines the roles and responsibilities of the network administrator and guides the administrator on how to grant remote access to the network and the data [4]. It also clearly specifies what to do and what not to do while administering the network, so that the security of the network is not compromised and a proper standard is maintained.
This section defines how the network should grant access to ACME's users. It is also an important one for formulating an effective network security policy, as keeping the network out of the reach of anyone who is not an authenticated user is an important step in securing the network [3]. Hence an effective security policy for this section is important for network security.
Data Security
This section defines the way data should be encrypted. It also sets the standard for the tools and techniques required to implement the encryption. Encryption is particularly important for the security of data communicated through the network [5]. Hence an effective policy is important for this section as well.
A strong policy is needed to authenticate network access.
Overview:
The policy is about the implementation of strong and secure passwords for the security of the network.
Scope:
To increase the level of authentication for accessing the network
Policy:
Users of the network should have a proper username and password for accessing the network. The username and the password have to be strong and secure. RFC 2350 Expectations for Computer Security Incident Response specifies that a username and password are necessary for protecting information from outsiders. This information is highly sensitive if viewed from the network security point of view.
Enforcement:
The username and password have to be kept secret and should not be shared outside. Anyone intending to share them, or caught doing so, will be subject to legal action.
Overview:
The policy will help to properly deploy the firewall and increase the security of the network. One of ACME's requirements is a policy that keeps general staff from accessing data between two divisions where this should not be permitted.
Scope:
To have a proper policy for the firewall implementation and to comply with the standards. The company's access to the internet comes through the firewall. Hence a proper standard is required for creating the firewall protection policy.
Policy:
Deploying a firewall is also an effective technique for keeping outsiders out of the network. Hence a firewall has to be implemented in the network design. The firewall will monitor each and every activity that involves network access. The firewall should be designed so that it protects the network from outsiders by implementing a strong security layer which is not easy to break. However, if the firewall is not kept up to date it might not be as effective [7].
According to the ISO 27001 standard, in order to remove bugs, the firewall has to be updated with the latest security patches. Additionally, the license for the firewall has to be bought from a reputed and trusted vendor to ensure and strengthen security.
Data backup
2.2 Policy for the data backup:
Data backup is an important as well as critical task, as it affects the security of the data as well as the network. The policies for data backup are defined in this context.
Overview:
The policy will create an effective way to ensure the security of the data as part of network security. The proper standard and implementation procedure, along with the enforcement of the policy, are discussed as well.
Scope:
To have proper measures for protecting the data and to increase data security.
Policy:
When discussing data security, and especially data backup in this context, the first and most important step is to create a local backup. Hence a proper plan and procedure have to be ensured for providing local backup of the data. The data backup has to be done according to the Standards Board of Information Systems Audit and Control Association (ISACA), which recommends local data backup as one of the important steps for securing information. The IT team has to be properly trained so that the job is carried out to a professional standard and the data is backed up effectively [4].
Enforcement:
The status of the data backup has to be evaluated at regular intervals to ensure data availability and integrity.
Overview:
The policy outlines how to select proper cloud providers and how to implement a cloud service as an alternative way of ensuring information security. Cloud storage not only gives an extra option for data backup, it also provides a versatile means to store and access the data.
Scope:
To have increased data security. The cloud provider manages the data backup, so there is no need for the organization to manage it. Hence it is an effective solution.
Policy:
According to the National Information Security Standards Technical Committee, before choosing the cloud provider, it should be verified whether the provider is a trusted one [8]. Additionally, an initial assessment of the provider has to be performed, covering points like the provider's market presence, the security standards and policies applied, and customer response.
The cloud provider should be chosen only after the assessment is performed, and based on its results.
| Network devices | Security guidelines |
| --- | --- |
| Network hub | A hub cannot be protected in the way a switch can, because a network hub is always active and sends traffic. To secure the hub, or more precisely part of its traffic, a VPN might be an option when the traffic carries data to an unknown network. |
| Network switches | Dynamic routing should be used instead of static routing, as it offers better access to and control over the switch when it is connected to the network and sends and receives data from different access points in the network. |
| Modem | The modem comes with a wireless security key. The key must be activated before the modem is connected to the network. The drivers for the modem should be downloaded from trusted websites for security. |
| Router | · The router and modem should not be used interchangeably · The administrative credentials should be changed · WPA2 wireless encryption should be activated as per the security manuals and documentation provided in the description. The encryption is important for security. |
References:
[1] L. Navarro, "Information Security Risks and Managed Security Service", Information Security Technical Report, vol. 6, no. 3, pp. 28-36, 2017.
[2] G. Kovacich, "Information Warfare and the Information Systems Security Professional", Information Systems Security, vol. 6, no. 2, pp. 45-55, 2017.
[3] J. Chenoweth, "Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management", Journal of Information Privacy and Security, vol. 1, no. 1, pp. 43-44, 2017.
[4] J. Woulds, "Information privacy and security — A regulator's priorities", Information Security Technical Report, vol. 2, no. 1, pp. 7-42, 2016.
[5] G. Stewart, "A safety approach to information security communications", Information Security Technical Report, vol. 14, no. 4, pp. 197-201, 2015.
[6] J. Broderick, "Information Security Risk Management — When Should It be Managed?", Information Security Technical Report, vol. 6, no. 3, pp. 12-18, 2017.
[7] A. Jones, "How do you make information security user friendly?", Information Security Technical Report, vol. 14, no. 4, pp. 213-216, 2017.
[8] M. Zelkowitz, Information security. Amsterdam: Elsevier Academic Press, 2017.
My Assignment Help. (2019). Guidelines For Effective Information Security Management Essay.. Retrieved from https://myassignmenthelp.com/free-samples/guidelines-effective-information-management.