Information security management standards

Reference no: EM131937558

Please paraphrase the below

Information Security Management Standards, Best Practice and the Insider Threat

Information security management is the subject of many best practice guides, sector-specific regulation, legislation and international standards. The vast majority of these approaches focus on regulation and, in doing so, address a number of prime insider threats including fraud and theft. There is an emphasis on setting the appropriate security culture from the top of the organisation, and indeed the informal field observations confirmed senior management attitude as a significant factor in increasing or decreasing insider risk. There are risk methodologies that profile attackers and their motivations, but interestingly these methodologies are not included in many of the mainstream information security management standards and best practice guides. This section considers the ISO 27000 family of security management standards and the specific guidance available for managing the insider risk.

General Security Management Standards

There are a number of standards which are used to design and implement information security management controls and processes. The majority of these standards are control-focused and concentrate on responses to particular types of information security risk. The family of standards which underpins information security management is the ISO 27000 family. The two main standards are ISO 27001, which presents the ISMS, and ISO 27002, which presents the control set used by the ISMS to respond to the organisation's risk context [22, 23]. The control set breaks down into eleven areas (the clauses A.5 to A.15 of ISO 27001:2005 Annex A), each of which is characterised in terms of the dimension of information security that it relates to. There are various controls that can be used to respond to the risk from insiders [21]. Table 1 presents the control classifications defined in Annex A of ISO 27001:2005.

As Humphreys discusses, all ISO 27002 control areas have relevance for responding to the insider threat [21]. Broadly speaking, three distinct categories of controls can be identified: controls used to distinguish insiders from outsiders, controls used to identify unexpected insider behaviour, and controls used to influence the development of an organisation's security culture. The majority of the controls in this final category can be found in the set of controls termed "Human Resources Security", which are guidelines to be followed upon recruitment and prior to, during or after employment. These include, amongst others, personnel screening, disciplinary processes, awareness programmes, and incident reporting and response. In this category, emphasis is also placed on security policy, awareness programmes and security education. Access control and authentication methods, both physical and logical, are the main control groups used to differentiate between insiders and outsiders (e.g., segregation of duties, controls for privileged users or for specific technologies such as mobile devices). This differentiation is also partly carried out using controls that relate to asset management and to information classification, labelling and handling.

The event monitoring, compliance and information security incident management categories are the main control groups for determining unexpected insider behaviour. Finally, the standards include controls for continuity management to minimise the impact of the insider threat. Business continuity and resilience planning is an important response for risks which are either difficult to analyse, complicated to respond to, or where the risks are unknown. Insider risks can often be categorised in this way, and therefore a business continuity framework and controls that provide resilience offer a way of reducing the impact of an attack from an insider and reduce the need to define insiderness.
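To make the two detective and preventive control groups above concrete, the following is an added Python example (not code from the paper, the standards, or this page). It models a small role table with a segregation-of-duties rule, the access-control side that distinguishes ordinary users from privileged ones, and then scans a constructed audit log for the kinds of "unexpected insider behaviour" that event monitoring is meant to surface: actions outside the actor's role, off-hours access, an unknown principal, a create-and-approve pair by one person, and bulk reads. The roles, permissions, log format, business hours and thresholds are all assumptions made for the illustration.

```python
from datetime import datetime

# Assumed role model: permissions follow job function (ISO 27002 access control).
# "manager" is a deliberately privileged role that may both create and approve,
# which is exactly why a separate segregation-of-duties check is needed.
ROLE_PERMISSIONS = {
    "clerk":    {"invoice.create", "invoice.read"},
    "approver": {"invoice.read", "invoice.approve"},
    "manager":  {"invoice.create", "invoice.read", "invoice.approve"},
    "admin":    {"user.create", "user.delete", "invoice.read"},
}
USER_ROLES = {"alice": "clerk", "bob": "approver", "carol": "admin",
              "dave": "clerk", "erin": "manager"}

# Assumed segregation-of-duties rule: no single person may both create and
# approve the same invoice, whatever their role permits.
SOD_CONFLICTS = {("invoice.create", "invoice.approve")}

BUSINESS_HOURS = (8, 18)   # assumption: 08:00 to 18:00 counts as normal
BULK_READ_THRESHOLD = 20   # assumption: more distinct objects read per day is suspicious

# Constructed sample audit log: "<ISO timestamp> <user> <action> <object> <outcome>".
SAMPLE_LOG = """\
2020-03-02T09:15:00 alice invoice.create INV-1001 ok
2020-03-02T09:20:00 bob invoice.approve INV-1001 ok
2020-03-02T09:30:00 alice invoice.approve INV-1001 denied
2020-03-02T10:00:00 dave invoice.create INV-1002 ok
2020-03-02T23:40:00 dave invoice.read INV-1002 ok
2020-03-02T11:00:00 eve user.delete alice denied
2020-03-02T12:00:00 erin invoice.create INV-1003 ok
2020-03-02T12:05:00 erin invoice.approve INV-1003 ok
""" + "\n".join(f"2020-03-02T14:{i:02d}:00 carol invoice.read INV-{2000 + i} ok"
                for i in range(25)) + "\n"


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "obj": obj, "outcome": outcome})
    return events


def find_insider_alerts(events):
    """Return (alert_type, user, detail) tuples for behaviour outside the role model."""
    alerts = []
    actions_per_user_obj = {}   # (user, object) -> set of successful actions
    reads_per_user_day = {}     # (user, date) -> set of objects read successfully
    for e in events:
        role = USER_ROLES.get(e["user"])
        if role is None:
            # Principal not in the role table: an outsider, or an unmanaged account.
            alerts.append(("unknown_principal", e["user"], e["obj"]))
            continue
        if e["action"] not in ROLE_PERMISSIONS[role]:
            # Attempted (even if denied) action outside the job function.
            alerts.append(("outside_role", e["user"], e["action"]))
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            alerts.append(("off_hours", e["user"], e["action"]))
        if e["outcome"] == "ok":
            actions_per_user_obj.setdefault((e["user"], e["obj"]), set()).add(e["action"])
            if e["action"].endswith(".read"):
                reads_per_user_day.setdefault((e["user"], e["ts"].date()), set()).add(e["obj"])
    # Segregation of duties is checked on successful actions per object, so it
    # catches privileged users whose role legitimately allows both halves.
    for (user, obj), acts in actions_per_user_obj.items():
        for first, second in SOD_CONFLICTS:
            if first in acts and second in acts:
                alerts.append(("sod_violation", user, obj))
    for (user, day), objs in reads_per_user_day.items():
        if len(objs) > BULK_READ_THRESHOLD:
            alerts.append(("bulk_read", user, f"{len(objs)} objects on {day}"))
    return alerts


if __name__ == "__main__":
    for alert in find_insider_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running the script prints five alerts: alice's denied approval attempt (outside her clerk role), dave's 23:40 read (off hours), the unknown principal eve, erin creating and approving INV-1003 herself (a segregation-of-duties violation that the role table alone would never flag), and carol's 25 invoice reads in one afternoon (bulk read). In practice the role table and thresholds would come from the organisation's access-control and classification policy rather than being hard-coded.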

Guidelines Focused on the Management of the Insider Threat

Similar guidelines to the ones found in ISO 27002 are also included in the 16 techniques suggested by CERT's guide for insider threat prevention and detection, as derived from examining 150 cases of insider incidents that were detected and reported [8]. The controls are not general but are specifically designed for insider threat prevention and detection. These include access control, logging and audit, personnel measures equivalent to those of ISO 27002, physical and environmental controls, controls for software development, change management, policies, awareness and training programmes, backup and recovery, and incident response. The 16 proposed practices, their relevance to ISO 27002,
