Kudler Fine Foods IT Security Report and Presentation Security Considerations
CMGT/400
According to Whitman and Mattord (2010), the ISO 27000 series is one of the most widely referenced security models. Referencing ISO/IEC 27002 (17799:2005), the major process steps include: risk assessment and treatment, security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development, and maintenance, information security incident management, business continuity management, and compliance.
(Table fragment; the column headers and the beginning of the first row are cut off in the source.)
| … | … determine the severity of … | … commitment and sets out the organizational approach to managing information security. | … | … the security. |
| Review of Informational Security Policy | Whether the Information Security Policy is reviewed at planned intervals, or if significant changes occur to ensure its continuing suitability, adequacy and effectiveness. | The security policy should be reviewed as business practices, hardware, software, and the way in which information is shared … | Without the review of security policies they will most likely become outdated and lose usefulness. | Each policy should be reviewed periodically to ensure its effectiveness. Each policy owner will be responsible for the review … |
| … | Whether the … | … | … | … |
During SDLC phase one, the initiation phase, “the need for a system is expressed and the purpose of the system is documented” (NIST, 2008). Some of the expected outcomes from this phase would be a project plan and schedule; system performance specifications outlining the operational requirements, system design documents, and a document that defines roles and responsibilities. The corresponding RMF step, security categorization, establishes the foundation for security standardization among information systems and provides a vital step towards integrating security into the information system (NIST, 2008). During this step, the type(s) of information processed by the information system are identified and the information system is categorized to determine the level of protection requirements to put in place. Some of the expected outputs of this step include a security project plan and schedule, documented system boundary, the system categorization, and the security roles and responsibilities. These two process steps are very similar except the focus of RMF is on information security related functions. In some cases, SDLC produces the expected outputs that RMF requires, and the security professionals only require a copy of the documentation for their records. For example, the system design document often depicts the system boundary. The reason this step is so critical is that it
1.1 Security Categorization: Using either FIPS 199 or CNSS 1253, categorize the information system. The completed categorization should be included in the security plan.
1. The scope of the RFP states that the State wants a review of its entire system security
Management defines information security policies to describe how the organization wants to protect its information assets. After policies are outlined, standards are defined to set the mandatory rules that will be used to implement the policies. Some policies can have multiple guidelines, which are recommendations as to how the policies can be implemented. Finally, information security management, administrators, and engineers create procedures from the standards and guidelines that follow the policies.
After the information system is installed, the IS security controls must be monitored and assessed on a continuous basis. Continuous monitoring ensures the security controls in place are effective. In this step, there are five tasks. The first task requires managers to determine the security impact based on the threat environment. The second task is conducting assessments on certain security controls as outlined in their Continuous Monitoring Strategy. The third task is correcting discrepancies found in the assessment. The fourth task requires updating the Security Authorization package based on the previous results. The fifth task requires the appropriate officials to make a risk determination and acceptance by reviewing the reported security
12. Why is a methodology important in the implementation of information security? How does a methodology improve the process?
To guide and assist organizations with implementing the security program that is appropriate for their needs, certain industry accepted standards have been designed and made available to the market. NIST is popular predominantly in the USA – a recent survey found that 82 percent of 150 IT and security professionals in the federal government said their agencies are either fully or partially implementing the
The Information Technology (IT) Security Certification and Accreditation (C&A) process evaluates the implementation of an IT system or site against its security requirements. The process produces evidence used by a designated manager as part of the basis for making an informed decision about operating that IT system or site. The NSTISSI No. 4009 National Information Systems Security (INFOSEC) Glossary (September 2000) defines certification as a “comprehensive evaluation of the technical and non-technical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements”, and accreditation as a “formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards” (SANS Institute, 2007, p. 1).
In today’s complex IT systems, because of the abundance of threats and deliberate attempts to attack networks and IT assets, it is crucial to have a streamlined process that incorporates security as an integral part of the development process rather than adding security measures after the development cycle has finished. The System Development Lifecycle (SDLC) is a hypothetical method created for the design and step-by-step implementation of general information systems in business organizations using six different phases. The Security System Development Lifecycle (SecSDLC) uses the same six phases to implement the security project, except that its intent and scope are specific to the particular threats identified and designing
The newest standards are ISO 26000, which standardizes social responsibility, and ISO/IEC 27001, which is a developed management system to standardize information security (ISO, n.d.). The most well-known and best-selling standard of the ISO governing body is ISO 9000, which was developed in 1987 (ISO, n.d.). ISO 9000 is for quality management standards. Quality management includes standards that help the organization identify processes that can be developed and employ constant performance improvement. ISO 9000 has been utilized by many national and international companies to constantly improve performance and processes, but ISO 9000 usually involves a manufacturing company.
Good information security governance translates into a set of policies, processes, and responsibilities tied to the structures and people in the organization. It makes it possible to clearly establish the decision-making process and the guidelines for the management and use of IT, all in a way that is aligned with the organization's vision, mission and strategic goals. It also ensures the alignment of IT plans with business plans, so that the anticipated benefits are actually realized, and it allows the organization to recognize all risks (and opportunities) to the business by deciding on the appropriate plans to mitigate, accept or avoid them. Performance measurement runs throughout this process: monitoring strategy implementation, use of resources and delivery of services.
ISO 9004-1 addresses internal procedures such as organizational goals, management responsibilities, training, and servicing. As in the ISO 9001 series, this series also contains twenty clauses. This is also the standard that causes the most misunderstandings. It is important that companies completing the certification process understand the relationship of this standard to the other ISO 9000 family standards. Clauses within the ISO 9004-1 standard provide the foundation for completing certain ISO 9001 requirements.
ISO/IEC 27001 is the most popular standard in the ISO/IEC 27000 series. As per its credentials, ISO 27001 is meant to offer a model for implementing, establishing, monitoring, improving, maintaining, reviewing, and operating an ISMS. ISO 27001 is technology-neutral and utilizes a list of risk-based approaches (Disterer, 2013; ISO, 2014). Its specifications describe a six-part process of planning:
In this section, include open or closed IT audit findings, risk-derived findings, and internal assessments as of the time of approval of the security plan.