Implementing and Evaluating ISO 27001:2013 Framework in a Corporate

The ISO 27001:2005 is an international policy of best practice that was developed and published by the International Organization for Standardization (ISO) (Murphy, 2015; Sio-iong, Hoi-shou, & Hideki, 2015; Tarantino, 2008). Additionally, the practice is employed in establishing, maintaining as well as promoting security programs for organizations. On the other hand, the Information Security Management System (ISMS) is considered to be a set of integrated processes that oversee the management of various security programs policies as well as procedures (Terroza, 2015; Humphreys, 2007; Humphreys T., 2005). This essay is an implementation of the ISO 27001:2005 framework in the Effat University Jeddah in order to develop an ISMS system for the institution for it to achieve its objectives.

Current State of Security in the Universitys IT infrastructure

In an organization, ISMS addresses the staffs behavior as well as processes (Calder, 2011; (Cohen, 2012). Additionally, it also addresses the data maintenance and security as well as technology. Also, the ISO 27001 is considered the primary specification for developing an ISMS in an organization (Krutz & Fry, 2009; Nahari & Krutz, 2011). In this case, the implementation of the ISMS for the Effat University Jeddah will aid the institution in attaining its objectives. Additionally, the technical design, as well as the current security infrastructure for the Effat University Jeddah, is reasonably well designed as well as documented. Nevertheless, the university lacks a formal written ISMS for their internet gateway in the institution. Additionally, the system administrators maintain as well as operate the universitys internet gateway on an ad hoc basis. Also, there are no written plans as well as policies that govern the operations of the internet gateway. Subsequently, the IT infrastructure has been unable to sufficiently fulfill its security goals in running the universitys business successfully as well as effectively.

Effat University Jeddahs ISMS system

Requirement Status Interpretation Compliance Status

ISMS Scope Specified

In draft

Done In the university, the ISMS system will have five primary roles. These will include protecting the universitys intellectual property rights, financial interests, university records and students records among other useful data and completive edge. It will also protect the Universitys IT infrastructure and network as well as its application program, operations, and services. Also, the ISMS system will safeguard the interests and privacy of all employees, students, staff, and stakeholders and also aid in retaining their trust with Universitys IT infrastructure. Also, the ISMS will aid the University in its compliance with the law as well as in defending itself against legal actions. Ultimately, the ISMS system will aid the university in maintaining its reputation. Compliant

Non-compliant

Information Security Policy

User Access Control and Authorization

Specified

In draft

Done

Access to official university information shall be restricted to all other persons except authorized users with a legitimate reason for accessing such information.

The database service team at the university servers shall maintain a list of the restricted applications that may be used by any university stakeholder.

In the event of a security bypass in an application on the universitys database, an alert message will be sent through email to the designated database support team. Compliant

Non-compliant

Reporting Access Violations

Specified

In draft

Done

The IT operations teams at the university will maintain a system of issuing reports pertaining successful as well as unsuccessful log on attempts in case of official requests.

The IT operations team will manage the process of detecting as well as reacting to various systematic attacks on the universitys server systems, which they support.

Compliant

Non-compliant

Resource Access Logs

Specified

In draft

Done

The IT operations team in the university shall be responsible for managing three primary logs in areas supported by their operating systems. Additionally, the management will be for at least 90 days for every server that they support.

System access logs: successful, as well as unsuccessful log attempts, will be noted.

Activity logs: all functions executed by the universitys system administrators will be noted.

Operating system access logs: all invalid attempts to access different operating system resources will be noted. Compliant

Non-compliant

Confidentiality Classification

Specified

In draft

Done

Classification confidential: shall be put in place for users digital records containing sensitive information between passed between different university officials, staff, and agencies. Moreover, each person that will be authorized to access confidential information will be offered an access login username and password, which is expected to be retained safely without sharing with an authorized person.

Classification restricted: it shall be employed to mark the universitys sensitive information related to financial as well as contractual records. Also, it shall cover information in which its disclosure can result to:

Adversely compromise the integrity and confidentiality provisions of the stakeholder.

Create difficultness in safeguarding and maintaining the effectiveness of the universitys operations.

Cause a substantial financial loss for the institution or facilitate an unjust gain or disadvantage to some stakeholders of the university.

Breach the proper undertaking and maintenance of confidentiality of information issued that third parties or essential stakeholders of the institution.

Disadvantage the university in either commercial or policy dialogues

The undermining of all the overall management of the university as well as its operations.

Compliant

Non-compliant

Data Support Operations

Specified

In draft

Done

The university IT systems that host confidential personal information, especially data collected from students and staff, shall be protected in accordance with the universitys standards of best practice. Additionally, for the systems to be fully operational, they must operate:

A firewall

An encryption system

An appropriate patch

An updated anti-malware protection system.

Compliant

Non-compliant

Secure Data Backup

Specified

In draft

Done

All backups of the universitys data will be placed under an encryption protection and in line with the IT sectors data security protections best practices. External drive backups will also be stored in a secure physical location with multiple layers of authorization requirements to access them. Also, data backup containing imperative university data must be stored in the following areas:

A safe room

A computer center

An approved off-campus media storage facility. Compliant

Non-compliant

Data Transfer Mechanisms

Specified

In draft

Done

University data will be transferred only via secure universitys transfer mechanisms.

Any data being moved from the university to a different location using a portable device like a mass storage device or a laptop must be encrypted. Additionally, the encryption must be in line with the IT industrys best practices as well as applicable policies and regulations.

Compliant

Non-compliant

Information Security Awareness Drill Specified

In draft

Done

The data protection awareness training at the university shall be implemented in the university staffs induction process.

A recurrent security awareness program shall be implemented and also maintained to refresh the staffs self-awareness pertaining data protection constantly. Compliant

Non-compliant

Responsibility for Data Security Specified

In draft

Done

The ultimate responsibility for safeguarding the universitys data rests on the chairman of the IT department. Nevertheless, all staff functioning in the university must:

Must comply with all the outlined security procedures, including the maintenance of data confidentiality as well as integrity.

Every staff member shall be tasked with the responsibility of operational security of the various IT systems they employ in their work.

Every IT systems user must comply with the outlined security requirements of the university that are currently enforced. Also, they shall be required to promote confidentiality, integrity as well as the availability of all the university information they use and also ensure that it is of the highest standard. Compliant

Non-compliant

Conclusion

In conclusion, the current security infrastructure for the Effat University Jeddah is reasonably well designed as well as documented, but it lacks a formal written ISMS for their internet gateway in the institution. Additionally, the adopted ISMS is compliant with the ISO 27001:2005 certification, which is an international policy of best practice that was developed and published by the International Organization for Standardization (ISO). Ultimately, the universitys new adopted ISMS policy covers user access control and authorization, reporting access violations, and resource access logs. Additionally, the ISMS for the university also focuses on confidentiality classification, data support operations, secure data backup, data transfer mechanisms, information security awareness drill, as well as the responsibility for data security.

References

Calder, A. (2011). Implementing Information Security based on ISO 27001/ISO 27002. Hogeweg: Van Haren.

Cohen, E. B. (2012). Issues in Informing Science & Information Technology, Volume 9 (2012). Santa Rosa: Informing Science.

Humphreys, E. (2007). Implementing the ISO/IEC 27001 Information Security Management System Standard. London: Artech House.

Humphreys, T. (2005). Are You Ready for an ISMS Audit Based on ISO/IEC 27001? London: BSI British Standards Institution.

Krutz, R. L., & Fry, A. J. (2009). The CSSLP Prep Guide: Mastering the Certified Secure Software Lifecycle Professional. New York: John Wiley & Sons.

Murphy, G. (2015). SSCP (ISC)2 Systems Security Certified Practitioner Official Study Guide. New York: John Wiley & Sons.

Nahari, H., & Krutz, R. L. (2011). Web Commerce Security: Design and Development. New York: John Wiley & Sons.

Sio-iong, A., Hoi-shou, C. A., & Hideki, K. (2015). Iaeng Transactions In Engineering Sciences: Special Issue For The International Association Of Engineers Conferences 2014. Singapore: World Scientific.

Tarantino, A. (2008). Governance, Risk, and Compliance Handbook: Technology, Finance, Environmental, and International Guidance and Best Practices. New York: John Wiley & Sons.

Terroza, A. K. (2015). Information Security Management System (ISMS) Overview. The Institute of Internal Auditors, 1-30. Retrieved from https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20(ISMS)%20Overview.pdf.