Kudler Fine Foods IT Security Report and Presentation Security Considerations
According to Whitman and Mattord (2010), The ISO 27000 series is one of the most widely referenced security models. Referencing ISO/IEC 27002 (17799:2005), the major process steps include: risk assessment and treatment, security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development, and maintenance, information security incident management, business continuity management, and compliance (Chapter 10, Security Management Models). 1. Risk assessment and treatment
2. Security policy: Focuses mainly on information security policy 3. Organization of information security: For both the internal organization and external parties 4. Asset management: Includes responsibility for assets and information classification 5. Human resources security: Ranges from controls prior to employment and during employment to termination or change of employment 6. Physical and environmental security: Includes secure areas and equipment security 7. Communications and operations management: Incorporates operational procedures and responsibilities, third-party service delivery management, systems palnning and acceptance, protection against malicious and mobile code, backup, network security management, media handling, exchange of information, electronic commerce services and monitoring 8. Access control: Focuses on business requirement for access control, user access management, user responsibilities, network access control, operating system access control, application and information access control, and mobile computing and teleworking 9. Information systems acquisition, development, and maintenance: Includes security requirements of information systems, correct processing in applications, cryptographic controls, security of system files, security in development and support processes, and technical vulnerability management 10. Information security incident management: Addresses reporting information security events and weaknesses and management of information security incidents and improvements 11. Business continuity management: Information security aspects of business continuity management 12. Compliance: Includes compliance with legal requirements, compliance with security policies and standards, and technical compliance and information systems audit considerations
The “SANS: SCORE” (2012) website provides a free audit checklist for organizations to verify if they comply with the ISO 27002. The following table represents the SANS audit checklist as it relates to Kudler Fine Food’s frequent buyer program.
|Security policy: Focuses mainly on information security policy | |Section |Audit Question |Security Considerations |Security concern if |Mitigation | | | | |removed | | |Information security policy|Whether there exists an Information |A security policy is |Without a security policy |Define what needs to be | |document |security policy, which is approved by the |necessary to guide all |in place the restriction |protected in order to | | |management, published and communicated as |access or to block |of information would be |develop a security policy. | | |appropriate to all employees. |access to information. |lost. Uncontrolled access|The importance of the...