Building an Information Assurance Plan with ISO 27002

This proposal has been assembled to address the absence of an Information Assurance (IA) program at the Heavy Metal Engineering (HME) Corporation. The proposal will lay out an IA plan for HME that includes an overview of IA requirements and discusses the fundamentals of the IA approach. The proposal includes an approach to implementing the recommended framework and a risk mitigation strategy for the business. Methods for incident response in the case of an unwanted intrusion will be covered. The last part of the proposal will cover the HME disaster recovery plan for the worldwide organization.

Information Assurance Standards & Framework

HME is an international organization, so the accredited information assurance framework chosen for HME is one created by the International Organization for Standardization (ISO). The ISO has produced the ISO 27001 series of Information Security Management Systems (ISMS) standards. Like all other ISO standards, this published standard does not prescribe what is specifically necessary but outlines the areas where security-related standards are necessary, as Moeller (2010) points out. The ISO 27002 standard discusses information security guidelines and assists in implementing a course of action for the management of information security and risk management, as described by Peltier (2013). The 27002 document, as Layton (2016) points out, has quickly become a best practice standard and point of reference for measuring information security around the world and is therefore proposed for use by HME. The 27001 document contains a brief description of the controls for the organization; these will be reviewed with HME to identify which are relevant, and a plan to implement them will be prepared.

The first step in rolling out the ISO 27002 standard is that HME will identify its own information security needs and requirements, as Moeller (2010) describes. Doing this requires performing an information security risk assessment. The risk assessment will focus on the identification of significant security threats and vulnerabilities, in addition to assessing how likely it is that each will cause a security incident. This process will assist HME in pinpointing the enterprise's unique information security needs and requirements. The ISO 27002 framework includes four essential elements directly related to establishing information security at organizations, as described by Peltier (2013). First, the organization's management will need to support the information security and risk management plan and team. Second, a methodology or framework will need to be rolled out, maintained, monitored and improved to fit in with the culture of the organization. The third factor is to be sure management approves a budget to support the implementation plan. The fourth and last factor, as Peltier (2013) points out, is to implement and use a system to measure information security management performance.

There are six indirectly related success factors outlined in the ISO 27002 document for organizing the information security and risk management area, as described by Peltier (2013). The first is that business objectives and the security policy, its purpose and its activities need to be in sync. The second is that risk management and assessment, along with security requirements, must be well understood. The third is that employees, managers and any other organizations and parties must be aware of the information security initiatives. The fourth is that managers and staff, along with other agencies, must receive the information security policies, standards and guidance from the security team. The fifth is the successful communication of security awareness to employees via seminars, training or a private speaking engagement by a security expert. The sixth and final success factor, as Peltier (2013) describes it, is having an efficient and effective way to handle the process of security incident management within the organization.

Risk Management Strategy

The HME risk management process will be made up of several point-in-time assessments of risk that will be re-evaluated as risks evolve. The process starts with HME profiling its resources (assets) and rating them on a sensitivity scale, as Wheeler (2014) discusses. The goal is to identify the critical resources that need to be protected. Once these are identified, the next steps are to identify the threats and vulnerabilities of these critical resources, rate the risk exposure, determine appropriate mitigation strategies, implement controls, evaluate the effectiveness of those controls, and finally monitor changes over time.

Incident Response

Incident response (IR) and incident management (IM) are similar when a disaster of any type occurs, as described by Peltier (2013). IR and IM concepts are documented and developed in advance and then used no matter what type of disaster has happened. The disaster could be a computer security breach, a physical security attack or a natural disaster such as an earthquake. There are many processes for handling incident response. Peltier (2013) describes the typical incident response process as preparation, detection, incident analysis, incident containment, eradication, recovery and post-incident activity. An HME IR team will be identified and trained for incident response and management, and the recommended IR and IM methodology will be delivered as part of the engagement with HME.

Disaster Recovery

Another part of the proposal is to deliver a disaster recovery plan for HME. Disaster recovery focuses on the direct impact of an event, as Snedaker (2014) points out. The event might be that a business needs to recover from server patching or an outage, a cybersecurity break-in, or an earthquake; all of these events fall into this classification. The disaster recovery model typically includes many distinct steps during the planning stages. The process of disaster recovery consists of stopping the effect of a catastrophe as fast as possible and focusing on the immediate result, as Snedaker (2014) points out. Disaster recovery could consist of shutting down a computer server that has been broken into, assessing how a flood or earthquake affects computer systems or networks, and determining the steps needed to recover from the disaster. The primary goal is to assist HME in getting a disaster recovery plan in place.

Summary

In summary, the proposal will include the HME strategy paper and IA plan, which includes an overview of IA requirements and discusses the fundamentals of the IA approach at HME. The proposal includes a recommended method for implementing the information assurance framework and an information risk mitigation strategy for HME. A recommended method for incident response in the case of an unwanted intrusion will be incorporated in the strategy document delivered to HME. The last part of the strategy document will outline the HME disaster recovery plan for the worldwide organization. Once the strategy is delivered, HME will be able to receive significant third-party funding for an international joint venture because it will have an Information Assurance plan to keep all data assets secure.

References

Layton, T. P. (2016). Information security design, implementation, measurement, and compliance. Auerbach Publications.

Moeller, R. R. (2010). IT audit, control, and security. John Wiley & Sons.

Peltier, T. R. (2013). Information security fundamentals, second edition. CRC Press.

Snedaker, S. (2014). Business continuity and disaster recovery planning for IT professionals, 2nd edition. Syngress.

Wheeler, E. (2014). Security risk management: Building an information security risk management program from the ground up. Syngress.