ISO 27001:2005 is an international policy of best practice developed and published by the International Organization for Standardization (ISO) (Murphy, 2015; Sio-iong, Hoi-shou, & Hideki, 2015; Tarantino, 2008). It is used to establish, maintain and promote security programs for organizations. An Information Security Management System (ISMS), in turn, is a set of integrated processes that oversees the management of an organization's security programs, policies and procedures (Terroza, 2015; Humphreys, 2007; Humphreys T., 2005). This essay applies the ISO 27001:2005 framework to Effat University Jeddah in order to develop an ISMS for the institution that helps it achieve its objectives.
Current State of Security in the University's IT Infrastructure
In an organization, an ISMS addresses staff behavior and processes (Calder, 2011; Cohen, 2012), as well as data maintenance, data security and technology. ISO 27001 is considered the primary specification for developing an ISMS in an organization (Krutz & Fry, 2009; Nahari & Krutz, 2011). Implementing an ISMS at Effat University Jeddah will therefore help the institution attain its objectives. The technical design and the current security infrastructure of Effat University Jeddah are reasonably well designed and documented. Nevertheless, the university lacks a formal written ISMS for its internet gateway: the system administrators maintain and operate the gateway on an ad hoc basis, and there are no written plans or policies governing its operation. Consequently, the IT infrastructure has been unable to fully meet its security goals in supporting the university's business successfully and effectively.
Effat University Jeddah's ISMS
Requirement | Status | Interpretation | Compliance status
(Status is recorded as Specified / In draft / Done; compliance status as Compliant / Non-compliant.)

Requirement: ISMS Scope
Status: Specified / In draft / Done
Interpretation: In the university, the ISMS will have five primary roles. It will protect the university's intellectual property rights, financial interests, university records and student records, among other valuable data, as well as its competitive edge. It will also protect the University's IT infrastructure and network, together with its application programs, operations, and services. The ISMS will safeguard the interests and privacy of all employees, students, staff, and stakeholders, and help retain their trust in the University's IT infrastructure. It will aid the University in complying with the law and in defending itself against legal action. Ultimately, the ISMS will help the university maintain its reputation.
Compliance status: Compliant / Non-compliant

Information Security Policy

Requirement: User Access Control and Authorization
Status: Specified / In draft / Done
Interpretation:
- Access to official university information shall be restricted to authorized users with a legitimate reason for accessing it.
- The database service team for the university servers shall maintain a list of the restricted applications that university stakeholders may use.
- In the event of a security bypass in an application on the university's database, an alert message will be sent by email to the designated database support team.
Compliance status: Compliant / Non-compliant

Requirement: Reporting Access Violations
Status: Specified / In draft / Done
Interpretation:
- The IT operations team at the university will maintain a system for issuing reports on successful and unsuccessful logon attempts in response to official requests.
- The IT operations team will manage the process of detecting and reacting to systematic attacks on the university server systems that it supports.
Compliance status: Compliant / Non-compliant

Requirement: Resource Access Logs
Status: Specified / In draft / Done
Interpretation: The IT operations team shall be responsible for managing three primary logs in the areas supported by their operating systems, and shall retain them for at least 90 days for every server they support:
- System access logs: successful and unsuccessful logon attempts will be recorded.
- Activity logs: all functions executed by the university's system administrators will be recorded.
- Operating system access logs: all invalid attempts to access operating system resources will be recorded.
Compliance status: Compliant / Non-compliant

Requirement: Confidentiality Classification
Status: Specified / In draft / Done
Interpretation:
- Classification confidential: shall apply to users' digital records containing sensitive information passed between university officials, staff, and agencies. Each person authorized to access confidential information will be issued an access login username and password, which must be kept safe and never shared with an unauthorized person.
- Classification restricted: shall be used to mark the university's sensitive information relating to financial and contractual records. It shall also cover information whose disclosure could:
  - adversely compromise the integrity and confidentiality provisions made for stakeholders;
  - make it difficult to safeguard and maintain the effectiveness of the university's operations;
  - cause substantial financial loss to the institution, or facilitate an unjust gain or disadvantage for some stakeholders of the university;
  - breach the proper undertaking and maintenance of confidentiality of information issued to third parties or essential stakeholders of the institution;
  - disadvantage the university in commercial or policy negotiations;
  - undermine the overall management and operations of the university.
Compliance status: Compliant / Non-compliant

Requirement: Data Support Operations
Status: Specified / In draft / Done
Interpretation: The university IT systems that host confidential personal information, especially data collected from students and staff, shall be protected in accordance with the university's standards of best practice. For these systems to be fully operational, they must run:
- a firewall;
- an encryption system;
- appropriate patches;
- an up-to-date anti-malware protection system.
Compliance status: Compliant / Non-compliant

Requirement: Secure Data Backup
Status: Specified / In draft / Done
Interpretation: All backups of the university's data will be placed under encryption protection, in line with the IT sector's data security best practices. External drive backups will also be stored in a secure physical location with multiple layers of authorization required to access them. Backups containing critical university data must be stored in one of the following:
- a safe room;
- a computer center;
- an approved off-campus media storage facility.
Compliance status: Compliant / Non-compliant

Requirement: Data Transfer Mechanisms
Status: Specified / In draft / Done
Interpretation:
- University data will be transferred only via the university's secure transfer mechanisms.
- Any data moved from the university to another location on a portable device, such as a mass storage device or a laptop, must be encrypted, and the encryption must be in line with IT industry best practices and applicable policies and regulations.
Compliance status: Compliant / Non-compliant

Requirement: Information Security Awareness Drill
Status: Specified / In draft / Done
Interpretation:
- Data protection awareness training shall be part of the induction process for university staff.
- A recurring security awareness program shall be implemented and maintained to continually refresh staff awareness of data protection.
Compliance status: Compliant / Non-compliant

Requirement: Responsibility for Data Security
Status: Specified / In draft / Done
Interpretation: Ultimate responsibility for safeguarding the university's data rests with the chairman of the IT department. Nevertheless, all staff working at the university must:
- comply with all outlined security procedures, including maintaining data confidentiality and integrity;
- take responsibility for the operational security of the IT systems they use in their work;
- comply with the university's currently enforced security requirements, promote the confidentiality, integrity and availability of all university information they use, and ensure that it is of the highest standard.
Compliance status: Compliant / Non-compliant
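As an added example (not from the essay or the university's own tooling), a small Python check for the Resource Access Logs and Reporting Access Violations requirements above: per server it verifies that all three log categories are present and that the retained history spans the 90-day minimum, and it produces the per-user successful/unsuccessful logon report the IT operations team must issue on request. The record format, server names and user names are constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Log categories named by the Resource Access Logs requirement and its minimum retention.
REQUIRED_LOGS = {"system_access", "activity", "os_access"}
RETENTION_DAYS = 90

# Constructed sample records (format invented for this example):
# "timestamp|server|log_type|user|event"
SAMPLE_LOGS = """\
2024-01-01T08:00:00|srv-db01|system_access|alice|logon_success
2024-01-02T09:15:00|srv-db01|system_access|mallory|logon_failure
2024-02-20T10:00:00|srv-db01|activity|root|useradd bob
2024-03-30T11:00:00|srv-db01|os_access|bob|denied:/etc/shadow
2024-04-01T08:00:00|srv-web01|system_access|alice|logon_success
2024-04-05T08:00:00|srv-web01|activity|root|service restart
"""

def parse(text):
    """Split the pipe-delimited records into dicts with a parsed timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, server, log_type, user, event = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "server": server,
                        "log_type": log_type, "user": user, "event": event})
    return records

def check_retention(records, now_iso):
    """Per server: missing required log types, and whether history spans RETENTION_DAYS."""
    now = datetime.fromisoformat(now_iso)
    by_server = defaultdict(list)
    for r in records:
        by_server[r["server"]].append(r)
    findings = {}
    for server, recs in by_server.items():
        present = {r["log_type"] for r in recs}
        oldest = min(r["ts"] for r in recs)  # retention holds if the oldest record is old enough
        findings[server] = {
            "missing_logs": sorted(REQUIRED_LOGS - present),
            "retention_ok": now - oldest >= timedelta(days=RETENTION_DAYS),
        }
    return findings

def logon_report(records):
    """Logon outcomes per user from system access logs only (the on-request report)."""
    report = defaultdict(Counter)
    for r in records:
        if r["log_type"] == "system_access":
            report[r["user"]][r["event"]] += 1
    return {user: dict(counts) for user, counts in report.items()}
```

On the sample data, srv-db01 passes both checks while srv-web01 is flagged for a missing operating system access log and for history shorter than 90 days.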
Conclusion
In conclusion, the current security infrastructure of Effat University Jeddah is reasonably well designed and documented, but it lacks a formal written ISMS for the institution's internet gateway. The adopted ISMS is compliant with ISO 27001:2005, an international policy of best practice developed and published by the International Organization for Standardization (ISO). The university's newly adopted ISMS policy covers user access control and authorization, reporting of access violations, and resource access logs. It also covers confidentiality classification, data support operations, secure data backup, data transfer mechanisms, the information security awareness drill, and responsibility for data security.
References
Calder, A. (2011). Implementing Information Security based on ISO 27001/ISO 27002. Hogeweg: Van Haren.
Cohen, E. B. (2012). Issues in Informing Science & Information Technology, Volume 9 (2012). Santa Rosa: Informing Science.
Humphreys, E. (2007). Implementing the ISO/IEC 27001 Information Security Management System Standard. London: Artech House.
Humphreys, T. (2005). Are You Ready for an ISMS Audit Based on ISO/IEC 27001? London: BSI British Standards Institution.
Krutz, R. L., & Fry, A. J. (2009). The CSSLP Prep Guide: Mastering the Certified Secure Software Lifecycle Professional. New York: John Wiley & Sons.
Murphy, G. (2015). SSCP (ISC)2 Systems Security Certified Practitioner Official Study Guide. New York: John Wiley & Sons.
Nahari, H., & Krutz, R. L. (2011). Web Commerce Security: Design and Development. New York: John Wiley & Sons.
Sio-iong, A., Hoi-shou, C. A., & Hideki, K. (2015). Iaeng Transactions In Engineering Sciences: Special Issue For The International Association Of Engineers Conferences 2014. Singapore: World Scientific.
Tarantino, A. (2008). Governance, Risk, and Compliance Handbook: Technology, Finance, Environmental, and International Guidance and Best Practices. New York: John Wiley & Sons.
Terroza, A. K. (2015). Information Security Management System (ISMS) Overview. The Institute of Internal Auditors, 1-30. Retrieved from https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20(ISMS)%20Overview.pdf.