EvolveNet is an Australian organization that collaborates with multiple companies and provides VoIP services in the country. As an ICT service provider, its information assets comprise several key information systems and the related data indexes, the details of its users and their call records, its internal and web servers, and the company's VoIP website. Other hardware resources, such as workstations, the VPN concentrator, networking equipment and DMZ firewalls, are also used in the organization's business processes.
To carry out its routine operations and provide uninterrupted service to its customers, the organization must protect the resources listed above. It is therefore important to develop and maintain an information security structure in the organization to protect these assets (Baskerville, Spagnoletti & Kim, 2014, p.145).
To secure the organization's information technology assets and the customer information stored in its database, it is suggested that EvolveNet adopt the ISO 27001 security standard.
Business problem and threat scenario
The main problem interrupting EvolveNet's business is the lack of security for its stored data and its IT assets. The most severe threats are to the integrity, confidentiality and availability of data. The confidentiality of information stored and transmitted by users through the organization's IT systems is at risk (Alreemy et al., 2016, p.909). This threat can affect EvolveNet severely because of weak security policies and the security loopholes present in the framework.
The availability and integrity of the users' data are also at stake. Gaps in the security framework, such as unprotected sharing of information inside or outside the organization, can adversely affect the integrity of the information and of the information systems. Other threats include password breaches, unauthenticated access to the system and IP spoofing.
Scope of the security charter
Given the security framework selected for the organization, the following scope was decided in the context of its security requirements.
The data which is to be incorporated into the data security policy and framework
This policy applies to all data created or received in the course of the organization's business, in all formats and collected at any time. It applies to data held or transmitted on paper and in electronic formats, or communicated verbally in discussion or via workstations by the organization's employees.
The people influenced by the Policy Framework
The policy framework applies to all users of the organization's or its customers' data. Users include all employees and executives of the organization, all contractors, suppliers, external analysts and guests who may have access to specific organizational data.
The area in which the Policy Framework applies
The policy framework applies to all locations from which organizational data is accessed, including its use for business or testing purposes.
As EvolveNet operates internationally, through its premises in different regions and through arrangements with partners in different locations, the rollout of the policy framework and of the Information Security Group must cover these dispersed premises and international activities, and must pay due regard to any compliance policies that apply (Tot, Grubor & Marta, 2015, p.149).
Business benefits from the framework
Fewer audits leading to reduced cost: adopting and implementing a globally accepted security standard such as ISO 27001 certification reduces the requirement for information security audits and consequently the related audit costs.
Avoiding the adverse impacts of data breaches: use of a well-accepted data framework can help the organization avoid penalties for non-compliance with the relevant regulations (Alreemy et al., 2016, p.908).
Better accountability and improved structure: as EvolveNet's business is growing rapidly, the framework will help determine responsibility and accountability for each segment of the information security framework and for any incident that happens in that segment.
Functional business requirement for the data security framework and procedures
Multiple loopholes have been discovered in the framework EvolveNet presently uses to protect its information assets, and the new framework must cover them. Some of them are:
- Log data truncation: the present framework did not protect EvolveNet's log data from truncation.
- No log of privileged functions is available to the organization.
- Gaps in data security policies and procedures, for example infrequent surveys and reviews of the stored data and access levels, insufficient examination and a lack of checking of the security status.
- Gaps related to EvolveNet staff, for example non-compliance with clear desk and clear screen policies, along with unattended systems (Tot, Grubor & Marta, 2015, p.157).
- Installation of rogue or untrusted software is not restricted by the organization.
- Test data used by the testing group was not protected properly.
- Staff use unprotected email to share sensitive business data.
- The training program used for new employees is inefficient.
- The key management process was not being followed in the organization.
- Absence of from a portion of the web servers
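The first two gaps above, log data that can be truncated and privileged functions that leave no log, are ones a practitioner would want to detect rather than merely list. The following is an added example, not code from the original report or from EvolveNet: a Python script that keeps a hash-chained audit log, verifies it against an out-of-band record count so that both truncation and edited records are detected, and cross-checks a separately sourced list of privileged actions against the log. The record fields, the set of privileged actions and the sample records are all constructed for illustration.

```python
"""Tamper-evident audit log check (added example, not part of the original report).

Each audit record carries a SHA-256 hash chained to the previous record, so a
verifier can detect an altered or removed record. Because a chain that is
simply cut at the end still verifies on its own, the verifier also compares
the record count against a value kept out of band (e.g. on a separate log
host), which is what makes truncation visible. A second check flags
privileged actions known from another source that have no audit entry.
"""
import copy
import hashlib
import json

# Constructed policy: privileged actions that must always be logged.
PRIVILEGED_ACTIONS = {"create_user", "grant_admin", "export_cdr", "change_firewall_rule"}

GENESIS = "0" * 64  # hash "before" the first record


def _record_hash(prev_hash: str, record: dict) -> str:
    """Hash the previous hash together with the canonical JSON of the record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_record(chain: list, record: dict) -> dict:
    """Append a record, binding it to the current chain head; returns the stored entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "hash": _record_hash(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, expected_length: int) -> list:
    """Return a list of findings; an empty list means the log is intact.

    expected_length is the record count held out of band. Without it a chain
    truncated at the tail would still hash correctly and pass unnoticed.
    """
    findings = []
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != _record_hash(prev_hash, entry["record"]):
            findings.append(f"record {i} altered or chain broken")
        prev_hash = entry["hash"]
    if len(chain) < expected_length:
        findings.append(f"log truncated: {len(chain)} of {expected_length} records present")
    return findings


def unlogged_privileged_actions(performed: list, chain: list) -> list:
    """Return privileged actions (e.g. from change tickets) that have no matching audit entry."""
    logged = {(e["record"]["actor"], e["record"]["action"], e["record"]["target"]) for e in chain}
    return [a for a in performed
            if a["action"] in PRIVILEGED_ACTIONS
            and (a["actor"], a["action"], a["target"]) not in logged]


def build_sample_chain() -> list:
    """Constructed sample: four audit records as a log host would receive them."""
    chain = []
    for rec in [
        {"ts": "2017-03-01T09:00:00Z", "actor": "alice", "action": "login", "target": "vpn"},
        {"ts": "2017-03-01T09:05:00Z", "actor": "alice", "action": "grant_admin", "target": "bob"},
        {"ts": "2017-03-01T09:10:00Z", "actor": "bob", "action": "change_firewall_rule", "target": "dmz-fw1"},
        {"ts": "2017-03-01T09:20:00Z", "actor": "bob", "action": "logout", "target": "vpn"},
    ]:
        append_record(chain, rec)
    return chain


def run_checks() -> dict:
    """Run the verifier over an intact, a truncated and a tampered copy of the sample log."""
    chain = build_sample_chain()
    intact = verify_chain(chain, expected_length=4)
    truncated = verify_chain(chain[:2], expected_length=4)
    tampered = copy.deepcopy(chain)
    tampered[1]["record"]["target"] = "carol"  # someone rewrites who received admin rights
    tampered_findings = verify_chain(tampered, expected_length=4)
    # Constructed list of privileged actions known from another source (e.g. change tickets).
    performed = [
        {"actor": "alice", "action": "grant_admin", "target": "bob"},
        {"actor": "carol", "action": "export_cdr", "target": "cdr-2017-02"},
    ]
    missing = unlogged_privileged_actions(performed, chain)
    return {"intact": intact, "truncated": truncated, "tampered": tampered_findings, "missing": missing}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result or 'no findings'}")
```

The hash chain only proves that the log on disk matches itself; the out-of-band count (or, equivalently, the last hash shipped to a separate collector) is what turns a tail truncation into a finding, which is why the two gaps listed above belong together.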
Key success indicators
There are six main success indicators or components that make a data security framework successful. First, the people in the organization are a basic element in the success of the implemented security framework (Baskerville, Spagnoletti & Kim, 2014, p.141). Top-level management should identify and allocate the different tasks and responsibilities; this also helps the organization find out who is responsible for an incident and to whom it must be reported. General practices and procedures vary in how they are composed and operated within the organization (Tu & Yuan, 2014). In some, though not all, practices a significant part of the organization and its decision-making is delegated to practice managers, enabling the employees of the different sections to focus on what they are good at.
A set of well-defined procedures should be defined and aligned with the business processes and with the responsibility structure set by top-level management; again, by its very nature this will differ across practices for various evident reasons within the organization.
It is also important to implement policies that specify clearly and unambiguously every aspect of data security that requires monitoring. Policies should be adopted for areas such as information backup, encryption, remote data recovery and intrusion detection.
As discussed in the previous sections, the present rules and procedures are not sufficient to meet industry benchmarks, nor do they give practices usable and reasonable feedback on how deficiencies can be remedied, because the data protection policies and measures are inefficient.
Controls form the basis of any information security framework. Here controls include defining accountabilities, responsibilities and reviews. Accountability in this context is defined by law, in terms of who the legal custodians of data in a practice or in its procedures are. A practice needs to determine the extent to which what actually happens in the practice complies with the law (Tot, Grubor & Marta, 2015, p.159). This is the starting point for defining controls. For instance, while a specialist may not be expected to perform a daily backup of the data, a specialist may be designated as accountable for ensuring that it is done regularly according to process and for checking, in some suitable way, that it is being done.
A fitting way, for example, is for the practice administrator to actually carry out the check and report at a monthly meeting to the employee who is accountable. Responsibilities are the duties and tasks assigned to and carried out by all stakeholders in the practice, from specialists to receptionists. Clearly, responsibilities must be aligned with accountabilities and checked routinely. Finally, reviews are one vital kind of check that gives feedback on what is actually happening rather than on what should be happening.
For a practice to remain fully compliant, regular training and refresher training will form an important part of its activities (Tu & Yuan, 2014). In conclusion, the main objective of the information security framework cannot be accomplished without concentrating on the continuous change and improvement of the framework (Alreemy et al., 2016, p.911). In many ways the element of continuous improvement is the most vital part of the implemented framework, because the system must allow for change. Here, the various failures and data breaches help to find the loopholes in the framework within a controlled environment, and thus to improve the framework so that the different threats do not recur.
ISO 27001 is to be implemented as the security framework for EvolveNet so that the organization can protect its IT assets and the customer information in its databases. The resources required for this implementation are the information security policy in use in the organization, the risk assessment process for the information assets, information about the existing risk treatment process, and the detailed security objectives of the organization (Tot, Grubor & Marta, 2015, p.162). In addition, evidence of the competence of the employees or representatives implementing the information security process is required, together with the documents on operational planning and the controls that mitigate the risks to the information system (Tu & Yuan, 2014). Finally, the results of the risk assessments for the information technology assets and evidence of monitoring of the information security procedures are also required to implement the new security framework in compliance with the ISO 27001 standard.
Like other organizations, EvolveNet faces a worldwide revolution in information management that directly affects its information management practices (Baskerville, Spagnoletti & Kim, 2014, p.147). There is a growing need to concentrate on the overall value of the data that is secured and delivered, in terms of the services the organization enables. Until now, the focus of data security has been on protecting the IT systems that process and store the vast majority of the data, rather than on the data itself. This approach is too narrow to achieve the level of integration, process assurance and overall security that the organization now requires (Tot, Grubor & Marta, 2015, p.165).
As the employee strength of the organization is not provided, the following is the estimated budget for an average organization with 70 employees implementing the ISO 27001 framework for information security and for the organization's IT assets.
Precertification phase one will cost the organization $20,000. This phase includes activities such as scope definition for the framework to be implemented and assessment of the risks that can severely affect the IT assets and the customer database (Baskerville, Spagnoletti & Kim, 2014, p.145), as well as the gap assessment and the risk treatment plan.
Precertification phase two requires $18,000 to complete activities such as gap closure, registrar selection, the internal ISMS audit, development of the related artifacts, risk occurrence and incident response, and on-site certification audit support by professionals (Tu & Yuan, 2014).
In the next phase the organization must undergo a certification audit by professionals, which requires $10,000. In total, the certification will cost $48,000.
Two possible products and technical solutions
To implement ISO 27001 and protect the data assets, the first product that can be considered is Microsoft Azure. Using Azure to integrate the organization's data and applications in the cloud lets the organization choose and implement additional encryption techniques using a wide range of approaches. The organization controls the encryption methods used to encrypt the data and the related keys. Azure's built-in TLS cryptography enables the organization to encrypt communications within and between organizations, as well as from Azure to the organization's on-premises datacentres. It also encrypts communication from Azure to users and administrators.
Another option is Amazon AWS cloud services. The platform protects the organization's (EvolveNet's) data by first detecting an incident in the organization's databases; specialized teams then address the incident and restore the information system to a previously secured state. In the last step, AWS conducts a deep root-cause analysis of the incident so that it does not happen again.
Estimated delivery timeframe
Implementing the security framework for the organization will take 18 months. The main steps in developing the information security framework are outlined below.
Beyond management commitment, the successful implementation of data security within an organization depends on several factors, notably:
- An information security policy, objectives and activities that reflect business objectives.
- Recognition that data security is a business issue, not an information technology issue.
- An approach and framework for implementing, maintaining, monitoring and improving data security that is consistent with the organization's culture and includes stakeholders (Alreemy et al., 2016, p.915).
- A realistic assessment of the security risks.
- Provision of resources for data security management.
- The existence and use of an organizational security architecture.
- Effective promotion of data security to all managers, staff and other parties to achieve awareness.
- Appropriate awareness training and education for all staff.
- Establishing an effective data security incident management process.
- Processes to measure the security framework, assess its performance and feed the results into the improvement process.
Indicators of a successful information security structure include:
- The board or equivalent requires and receives regular reports about data security performance and incidents.
- Information security is a standing item on the agenda of risk management committees up to executive level.
- Information security risk levels are set at executive level and reflect the organization's risk appetite.
- Business unit managers are responsible for the security of the data supporting their operations.
- The inherent data risks in critical business processes are understood and recorded.
- Individuals are held accountable for any security breaches in which they are involved, whether deliberate or accidental (Alreemy et al., 2016, p.915).
- Regular review of data security products and services to ensure they are cost-effective.
The security risks and threats EvolveNet faces can only be addressed once an information security framework is in place and equipped with specific controls that top-level management can use to direct employees' use of data, so as to secure the business and its customer data. Such a framework can enable EvolveNet to plan for human behaviour in its data security activities and to develop an acceptable level of data security culture within the organization. In other words, an information security management structure is needed that retains the technical and procedural controls of the past but also takes human behaviour into account. Such a structure can be used to develop an adequate level of data security culture in order to limit the security risks and threats to the organization's data resources.
Alreemy, Z., Chang, V., Walters, R., & Wills, G. (2016). Critical success factors (CSFs) for information technology governance (ITG). International Journal of Information Management, 36(6), 907-916.
Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), 138-151.
Beckers, K., Heisel, M., Solhaug, B., & Stølen, K. (2014). ISMS-CORAS: A structured method for establishing an ISO 27001 compliant information security management system. In Engineering Secure Future Internet Services and Systems (pp. 315-344). Springer International Publishing.
Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(02), 92.
Hai, H. L., & Wang, K. M. (2014). The critical success factors assessment of ISO 27001 certification in computer organization by test-retest reliability. African Journal of Business Management, 8(17), 1.
Maarop, N., Mustapha, N. M., Yusoff, R., Ibrahim, R., & Zainuddin, N. M. M. (2015). Understanding Success Factors of an Information Security Management System Plan Phase Self-Implementation. World Academy of Science, Engineering and Technology, International Journal of Social, Behavioral, Educational, Economic, Business and Industrial Engineering, 9(3), 884-889.
Stoll, M. (2014). An Information Security Model for Implementing the New ISO 27001. Handb. Res. Emerg. Dev. Data Priv, 216.
Tisdale, S. M. (2016). Architecting a cybersecurity management framework. Issues in Information Systems, 17(4).
Tot, L., Grubor, G., & Marta, T. (2015). Introducing the Information Security Management System in Cloud Computing Environment. Acta Polytechnica Hungarica, 12(3), 147-166.
Tu, Z., & Yuan, Y. (2014). Critical success factors analysis on effective information security management: A literature review.