Information Technology Security Policy Framework


Question 1

A security policy framework in information technology refers to the principles and tactics put in place as a tool for protecting individuals and their assets. These assets include information and infrastructure. The laws governing these outlines originate from relevant authorities within the government and apply to all hardware, software, and networks. There are different types of security frameworks. One such structure is the HITRUST CSF. This security component is common in health facilities as a way of protecting crucial information from malicious individuals (Shoniregun, Dube, and Mtenzi, 2010).

This framework is compliant with internationally accepted standards such as ISO and COBIT. Additionally, it is appropriate for organizations of all types and sizes. It bases its operations on the factors that induce insecurity in the health centers by considering the principles governing the sector. This reduces security-related ambiguity in the industry, especially with regard to sensitive information. Through the incorporation of alternative controls in its system, this security framework improves information safety in case of some glitches in the main structure.

While implementing this type of framework, the involved parties ought to consider certain factors. To start with, they need to consider the intricacies in the firm’s information scheme. It is also essential to analyze the controls in the company’s security program. While designing this framework for an organization, the first step involves classification of the assets and administrative procedures needed to accomplish the task. An analysis of the industry’s components according to the risks involved is also an integral step in the implementation process.

The next phase is the assessment of the organization’s information that needs securing. The security framework’s manual should guide the system’s designer in order to attain desirable outcomes. One should then interview relevant stakeholders before conducting several protection tests on the firm’s security structure. Identification of alternative controls is also vital in the assessment phase. The last step is the remediation process, which involves documentation of any observed risks, as well as tracking all relevant activities (Shoniregun, Dube, and Mtenzi, 2010). This stage will enhance the safety of the company’s information and thus acquire the needed success.

Question 2

It is crucial for all commercial organizations to comply with the country’s security standards. This is because, through these safety principles, companies are able to mitigate any forms of security risks. It also offers the firm a competitive lead since customers will be confident that their information is safe. Moreover, it reduces the company system’s maintenance cost. The unified method is the most suitable way of complying with the nation’s security laws. In this approach, the company identifies the principles that concur with its safety requirements and uses them to assess the susceptibilities in the system (Ferrari and Thuraisingham, 2006). The related department should then implement the lowest level of these safety measures in order to comply with the set regulations.

Commercial organizations can align their strategies and controls with the valid guidelines. This will ensure that the company follows the required procedures while still maintaining its doctrine. This is achievable through tailoring the rules to meet their security objectives. The business institution can also implement the minimum level of the regulation depending on its safety needs. This is possible through assessment of the business units’ scope and the risks involved. Use of alternative controls can also help in compliance with the set standards (Ferrari and Thuraisingham, 2006).

Question 3

There are seven domains in a security framework. Although these spheres of influence improve the system’s efficiency, several challenges make the process difficult. For example, in the user domain, the main challenge is the lack of sufficient knowledge in the workforce on the importance of adopting safety measures. The workstation field also faces glitches in terms of harmful software such as viruses and as such, the system is made susceptible. Moreover, in the LAN sphere of influence, a single unprotected machine can pose a great threat to the whole structure. This challenge is somewhat similar to that of the LAN-WAN domain, which involves trusted and unreliable zones in the same network hence threatening the security structure (FutureTech and Park, 2012).

In the remote access field, a company can risk the safety of its information because of malicious invasion through the internet. Likewise, the WAN sphere does not offer complete privacy since the lines chartered from private information technology firms are accessible by a number of other organizations. The application domain also faces difficulties related to specialization of information. For example, technicians may be the only people in a company who comprehend safety issues regarding e-mail servers. This challenge brings complexities to the security process (FutureTech and Park, 2012).

Question 4

One major implementation issue in the HITRUST CSF security framework is the variation of the involved risks (Quigley, 2005). According to the guidelines in this structure, the complexity of the company’s safety threats determines the approach that the technicians employ in the implementation process. This leads to several challenges within this framework. To start with, a high level of risk in the system may cause constant failures in the security scheme. In addition, the alternative controls used may threaten the safety of the company’s information because of unprotected interactions.

For this reason, the information technology department of a company ought to analyze various aspects before implementing the HITRUST CSF framework. This is in order to ensure compatibility of the security structure with the company’s safety requirements. Furthermore, the commercial organization needs to document all possible risks and formulate alternative controls for mitigation purposes (Quigley, 2005). Tracking of all online activities within the firm will help reduce security threats.



Ferrari, E., & Thuraisingham, B. M. (2006). Web and information security. Hershey PA: IRM Press.

FutureTech (Conference), & Park, J. J. (2012). Future information technology, application, and service: FutureTech 2012. Dordrecht: Springer.

Quigley, M. (2005). Information security and ethics: Social and organizational issues. Hershey PA: IRM Press.

Shoniregun, C. A., Dube, K., & Mtenzi, F. (2010). Electronic healthcare information security. New York: Springer.


