Controls and control objectives for this specific case can be derived from Annex A (sections A.5 to A.15) of ISO/IEC 27001:2005.
First, let us look at a few characteristics of the measures currently in place at PharmUniverse.
1. Currently there are only minimal information security measures (such as firewalls) in place.
2. No one in top-level management understands information security in any depth, and hence they do not appreciate its importance. There is an impression that funding for information security might be withdrawn in the future.
3. Research is the division where information security is most critical: the case states that loss of this information would mean loss of competitive advantage.
4. One of the ways this has happened is through disgruntled employees leaving the research team to join competitors.
5. Only a superficial analysis has been done of the existing controls.
Now, since one of the highest-priority threats to contain is leakage of information through employees, it is important to implement the following controls from Clause 8 (Human Resources Security):
1. 8.1.3 (Terms and Conditions of Employment), which ensures that future employees agree to and sign the terms and conditions of employment, including their information security responsibilities, and comply with the code of conduct for employees.
2. 8.3 (Termination or Change of Employment), which regulates the manner in which employees leave the organization or change roles.
3. 8.3.1 (Termination Responsibilities), which covers obligations (for example confidentiality agreements) that can remain in force for a defined period after termination.
4. 8.3.2 (Return of Assets): if a departing employee holds knowledge that is important to ongoing operations, that knowledge must be documented and transferred to the organization.
5. 10.8 (Exchange of Information), which aims to maintain the security of information and software.