Thursday, April 30, 2015

Security Compliance Standard

In my future career as an Information Security Manager, I aspire to work in the field of Information Security Management. My responsibilities will include coordinating and executing security policies and controls, as well as assessing vulnerabilities within the company. I will also be responsible for data and network security, security systems management, and the investigation of security violations. One of the frameworks that relates most closely to these responsibilities is the international standard ISO/IEC 27001.

What is ISO/IEC 27001?
ISO/IEC 27001 is the best-known standard in the ISO/IEC 27000 family; it specifies the requirements for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems, and it is built around a risk management process. It can help small, medium and large businesses in any sector to keep their information assets secure.

How is it useful?

More and more organizations today are embracing online opportunities to promote their business and establish their position in the marketplace, using mobile devices and apps, not to mention social networking sites. In doing so, these companies greatly increase the number and sophistication of the threats targeted at them. Today's companies have no choice but to protect themselves by implementing the ISO/IEC 27001 standard.
ISO/IEC 27001 provides a management framework for assessing and treating risks, whether cyber-oriented or otherwise, that can damage business, governments, and even the fabric of a country's national infrastructure.

How will it impact my role?
As an Information Security Manager, my chief responsibility will be establishing, implementing and continually improving the information security management system (ISMS) and acting as an interface between top management and the operational business areas. Knowledge of the key elements of the ISO/IEC 27001 standard will help me to correctly interpret and implement security measures in a practice-oriented manner. Compliance with ISO/IEC 27001 will help me carry out the following tasks:

Technical:
· Approve appropriate methods for the protection of mobile devices, computer networks and other communication channels
· Propose authentication methods, password policy, encryption methods, etc.
· Define the required security features of Internet services
· Define principles for the secure development of information systems
· Review logs of user activities in order to recognize suspicious behavior

Communication:
· Define which types of communication channels are acceptable and which are not
· Prepare communication equipment to be used in case of an emergency / disaster

Human resources management:
· Perform background verification checks on job candidates
· Prepare the training and awareness plan for information security
· Perform continuous activities related to awareness raising
· Perform induction training on security topics for new employees
· Propose disciplinary actions against employees who have caused a security breach

Relationship with top management:
· Communicate the benefits of information security
· Propose information security objectives and security improvements/corrective actions
· Report on the results of security measurements
· Propose the budget and other resources required for protecting information
· Notify top management about the main risks
· Advise top executives on all security matters

Risk management:
· Teach employees how to perform risk assessment
· Propose the selection of safeguards
· Propose the deadlines for implementing safeguards

Asset management:
· Maintain an inventory of all important information assets
· Delete records that are no longer needed
· Dispose of media and equipment no longer in use in a secure way

Incident management:
· Receive information about security incidents
· Coordinate the response to security incidents
· Prepare evidence for legal action following an incident
· Analyze incidents in order to prevent their recurrence

Business continuity:
· Coordinate the business impact analysis process and the creation of response plans
· Coordinate exercising and testing
· Perform post-incident reviews of the recovery plans

Conclusion
For me to be an effective Information Security Manager, it is imperative that I know what constitutes a security compliance standard and how to implement it in an organization. ISO/IEC 27001 is one such comprehensive security standard that will help both me and my company to maintain the confidentiality, integrity and availability of all our information and assets, as well as protect against potential cyber-attacks.
