Posted: November 25th, 2022
Company Z provides telephony services to customers. These services include VoIP. You are hired to create a security assessment for company Z for an upcoming audit by the country's authoritative agents to certify company Z as compliant with ISO 17799, Standard for the Professional Practices for the Business Continuity Planner, and ISO 27001/27002. In this security assessment you are asked to conduct a complete
You may use web resources as references; however, make sure to include all your resources and cite from them with author, year of publication, and the corresponding page or paragraph numbers. MINIMUM 2700 WORDS, 13 SCHOLARLY APA REFERENCES. I HAVE ATTACHED A SAMPLE PAPER, DO NOT PLAGIARIZE! DUE 1/18/2020 AT 10AM EST
Running head: SECURITY ASSESSMENT FOR Z WIRELESS
Security Assessment for Z Wireless
Dr. Elliott Lynn
ISSC 641 – Telecommunications and Network Security
Z Wireless, as a leading telecommunications company, has always excelled at compliance with the different regulations, not only in the US but also around the world, wherever its customers are. As we get close to the next audit for compliance with ISO 17799, Standard for the Professional Practices for the Business Continuity Planner, Z Wireless will conduct a security assessment to verify, acknowledge and correct any discrepancies it may have that do not conform to the ISO 17799 regulations. The assessment will be divided into four main segments: network security threats, network security vulnerabilities, risk assessments, and countermeasures and mitigation.
Table of Contents
Organization of Information Security
Asset Management and Control
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Information Systems Acquisition, Development and Maintenance
Business Continuity Management
Security Assessment for Z Wireless
ISO 17799 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization (ISO, 2005, para. 1). Following the BS ISO IEC 17799 SANS Checklist, we can have a better understanding of the assessment we are going to receive during the audit and focus our efforts on complying with every single item. The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities (ISO/IEC 27035, 2016). The checklist is divided into several topics that we need to address with different teams assigned to each topic. The topics are: Security Policy, Organization of Information Security, Asset Management, Human Resources Security, Physical and Environmental Security, Communications and Operations Management, Access Control, Information Systems Acquisition, Development and Maintenance, Information Security Incident Management, Business Continuity Management and Compliance (Thiagarajan, 2006). All these segments can be divided across Z Wireless management (human resources, support services, customer support, finance, etc.) so that every expert in their area can comply with the needed regulation. Training will be provided by the Information Technology specialists, since they are going to be the leading team controlling the different divisions and managing the schedule. Completion of all the tasks and understanding of the regulations is essential to complete the assessment.
Security threats are evolving all the time. As technology grows, security threats have become more frequent and specific. The capabilities of wireless technologies and devices have made data accessible everywhere. Personal or not, the information stored on mobile wireless devices is as vulnerable as information saved locally on the user’s computer (The Barking Seal, 2008). Providing a safe service for customers should be the number one priority for service providers, and since today these devices are capable of so much, their security should always be guaranteed. Security policies addressing the vulnerabilities of Z Wireless, together with constant monitoring and review of those policies, will provide the extra element needed to give customers a safe service where they can exchange information without worrying about security threats. Educating employees and creating user guides will also be a great starting point for everyone at Z Wireless to comply with the needed regulations.
The organization of information is a very crucial element that will provide not only better organization of information but also better management and faster reactions. Z Wireless will create a security organizational flow that will provide an active and interactive way to manage the security measures. Responsibilities will be defined across the different areas of the organization, and contact lists describing the agency to contact in case of an emergency will be kept up to date so that the right party can be reached and the problem resolved. All security policies and assessments should be documented and organized for the auditor to access, giving a glimpse of how the business policies have evolved over the years and how they have addressed past vulnerabilities. Once it is clear that the security professional completely understands management’s opinions, it should be possible to introduce a security framework that is consistent with them. The framework will be the foundation of the organization’s Information Security Program, and thus will serve as a guide for creating an outline of the information security policy (Bayuk, 2009).
Enterprise informational assets are defined and the required level of control for each has been identified. Safeguards are in place, ensuring that all informational assets receive the appropriate level of protection (Jones, 2000). Providing wireless devices to thousands of users, scaling up to millions all over the globe, needs to be controlled and managed for it to be successful. Z Wireless provides devices to its users but also needs working antennas, computer systems and a network infrastructure to offer its customers a competitive service and stay level with or ahead of its competitors. Inventory and classification of information is crucial to comply with ISO 17799, and even more crucial for the business to know where everything is. Handling millions of devices might not be an easy task, but with a well-organized database and clear classifications for each type of device and information it can be made compliant with the different regulations. Organization is key, and proper classification will give not only the auditor but also the business itself proper access to the different organization methods the business uses.
The Human Resources area is a very crucial area that manages a great deal of personnel information. The role of an HR professional in upholding your company’s security policies begins during the staff recruitment process. Legally, you can conduct background checks on prospective hires as long as you gain the consent of those individuals. Pre-employment checks usually include criminal history investigations and credit reports. Financial services companies and other firms that handle cash and sensitive data often eliminate people with poor credit or past convictions from the applicant pool after reviewing background checks (John, 2016). The procedures and management of information in this area are very important for the mitigation of data leaks. It is very important to always take the areas and data flows into consideration.
Employees handling personal data in an organization need to receive appropriate awareness training and regular updates in an effort to safeguard the data entrusted to them. Appropriate roles and responsibilities assigned for each job description need to be defined and documented in alignment with the organization’s security policy. The institution’s data must be protected from unauthorized access, disclosure, modification, destruction or interference. The management of human resources security and privacy risks is necessary during all phases of employment association with the organization. Training to enhance awareness is intended to educate individuals to prevent data disclosure, recognize information security problems and incidents, and respond according to the needs of their work role (“dlwoodbe”, 2015). The responsibilities defined for the different employment phases (pre-employment, during employment and termination of employment) should be very clear and complete.
Since Z Wireless has different types of assets and multiple locations, physical security and prevention policies will vary depending on the asset and the environmental hazards of its location. Physical and environmental safeguards are often overlooked but are very important in protecting information. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, and portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes (Calero, 2016). The wireless devices that every user will carry should also have an insurance policy that does not rest on Z Wireless but is covered by the manufacturers. Every wireless device with connection capabilities should also have dedicated software capable of sending the location of the device if it is lost or stolen.
Communications encompasses the breadth of digital data flows both within an organization and between external entities across network infrastructures. These flows now include data, voice, video, and all of their associated signaling protocols. Securing these information flows as they traverse intranets, extranets, and the Internet requires effective network infrastructure management as well as controls, policies, and procedures. This section provides guidance in planning, developing, and implementing the most essential elements of a communications security strategy.
Operating procedures must be documented and readily available to the teams for which they have relevance. These procedures should cover methods that reduce the likelihood of introducing or enhancing risks due to accidental or ill-advised changes. Before authoring documentation, it is often very important to identify up-front who the intended audience is. For instance, documentation that is intended to have value for new hires (continuity) often requires a greater degree of detail than steps for staff who regularly perform operations tasks (Chapple, 2003).
Information systems security begins with incorporating security into the requirements process for any new application or system enhancement, whether that application is purchased from a vendor or internally developed (Bareja, 2011). Designing security requirements into systems is most effective at the early stages of system development. Similarly, security requirements are presented to the vendor during the requirements phase of a product or cloud service purchase. Formal testing should be done to determine whether the product meets the required security specifications prior to purchasing the product or moving the application to production. Regardless of the formal or informal lifecycle methodology employed, security can be incorporated into information systems acquisition, development and maintenance by implementing effective security practices in security requirements for information systems, in development and support processes, and in test data (“dlwoodbe”, 2015). The implementation of newer technology is essential for Z Wireless to continue in business. Today’s competitors are looking for ways to implement and develop new forms of communication, and it is up to Z Wireless to stay in the game to keep its customers. The maintenance of the different assets, and of the older technology on which the current technology is based and which it needs in order to keep working, is an essential part of the business that must comply with today’s regulations and continue performing as intended.
In today’s global communication system, where major network chains are geographically dispersed yet interconnected, organizations don’t even have to be in the same region of the world for their operations to be affected adversely by a catastrophic event (Proviti, n.d.). Business Continuity Plans are an integral part of all organized Information Security activities. The plans are a well-reasoned, step-by-step approach to determining the how, when, where, who, and what that will be needed should a disruption of normal operations occur. Recent history has demonstrated that plans are a necessity regardless of the size, location, or mission of an organization, and the plan must address the continuity of security and privacy under less than ideal circumstances (ISO, 2013).
Compliance has become one of the biggest challenges facing businesses today. Failing to have the right controls and culture in place could mean forking out millions in fines (SANS, 2010). Basically, the foremost goal of compliance is to make sure that companies fulfil their responsibilities and effectively manage the risk of doing harm to their reputations. Many businesses, however, question the need for compliance and its associated costs. But there is a catch: not bothering to have the right controls in place could result in hefty fines as well as reputational damage (ISO, 2013). Z Wireless will have to educate and train its employees on every regulation in order to comply with it. The development of internal policies will promote compliance with the regulation within the wireless community, but for this to happen the organization needs to give adequate support to the compliance management system.
The security assessment and compliance verification will not only provide Z Wireless with up-to-date compliance that ensures business continuity, but will also give its customers the confidence to continue using its services and bring in new customers from other telecommunication companies. The compliance management system should drive continuous improvement in the compliance program. When non-compliance occurs, the organization should take action to control and correct it, and/or manage the consequences. The ISO 17799 checklist is an essential tool that can help the business comply with the regulation. Information security threats continue to evolve and develop new ways to affect users. Continuous education of users and employees, as well as open communication with the development and management team, will create effective communication with everyone for the security and development of Z Wireless.
Bareja, D. (2011). 10 security incident management best practices. Retrieved December 18, 2016, from http://www.computerweekly.com/tip/10-security-incident-management-best-practices
Bayuk, J. (2009, June 16). How to write an information security policy. Retrieved December 25, 2016, from CSO, http://www.csoonline.com/article/2124114/strategic-planning-erm/how-to-write-an-information-security-policy.html
Calero. (2016). Assets. Retrieved December 18, 2016, from https://www.calero.com/clm/assets/
Chapple, M. (2003, August). Wireless networking security policy. Retrieved December 18, 2016, from http://searchsecurity.techtarget.com/tip/Wireless-networking-security-policy
“dlwoodbe”. (2015, October 2). Human resources security – 2014 information security guide – Internet2 Wiki. Retrieved December 18, 2016, from https://spaces.internet2.edu/display/2014infosecurityguide/Human+Resources+Security
ISO. (2005). ISO/IEC 17799:2005. Retrieved November 20, 2016, from http://www.iso.org/iso/catalogue_detail?csnumber=39612
ISO/IEC 27035 security incident management. (2016). Retrieved December 18, 2016, from http://www.iso27001security.com/html/27035.html
ISO. (2013). ISO IEC 27002 2013 information security in plain English. Retrieved December 18, 2016, from http://www.praxiom.com/iso-27002.htm
John, C. (2016). What role does HR play in enforcing a security policy? Small Business Chron. Retrieved from http://smallbusiness.chron.com/role-hr-play-enforcing-security-policy-39619.html
Jones, P. (2000, July). Organizational Information Security from Scratch – A Guarantee for Doing It Right. Retrieved December 18, 2016, from SANS, https://www.sans.org/reading-room/whitepapers/standards/organizational-information-security-scratch-guarantee-541
Proviti. (n.d.). Guide to Business Continuity Management. Retrieved December 25, 2016, from https://www.protiviti.com/sites/default/files/united_states/insights/guide-to-bcm-third-edition-protiviti
SANS. (2005, August). ISO 17799 Checklist. Retrieved December 18, 2016, from SANS, https://www.sans.org/score/checklists/iso-17799-2005
SANS. (2010, August 10). Practical Approaches to Organizational Information Security Management. Retrieved December 18, 2016, from https://www.sans.org/reading-room/whitepapers/leadership/practical-approaches-organizational-information-security-management-33568
SANS. (2014, June). Wireless Communication Policy. Retrieved December 18, 2016, from SANS, https://www.sans.org/security-resources/policies/network-security/pdf/wireless-communication-policy
The Barking Seal. (2008). Every company needs to have a security program. Retrieved December 18, 2016, from Applied Trust, https://www.appliedtrust.com/resources/security/every-company-needs-to-have-a-security-program
Thiagarajan, V. (2006, June 15). SCORE: Checklists & Step-by-Step Guides. Retrieved November 20, 2016, from http://www.sans.org/score/checklists/