IT Security Policy Framework
This IT Security Policy Framework will be used as a draft for the network system of a medium-sized insurance organization. The framework will broadly investigate five distinct risks: Financial Risk, Strategic Risks, Compliance Risks, Operational Risks, and other types of Risks.
The COSO (Committee of Sponsoring Organizations of the Treadway Commission) Framework will be used as the IT Security Policy Framework for the insurance organization. This framework starts an interspersed process of internal controls. It supports better ways of managing the organization by assessing the efficient use of internal controls. This framework includes five parts:
The main purposes for establishing compliance of IT security controls with U.S. laws and regulations are Operations, Reporting, and Compliance with group entities. The main reason for operations objectives is to ensure that jobs and goals are accomplished successfully. Reporting objectives involve the making of good reports. These reports may be internal or external, and financial or non-financial. Compliance objectives are groups regarding laws and regulations for their actions and activities. (Soske, S. E., 2013)
The control environment provides discipline, process, and structure. There are five policies related to the Control Environment: (Soske, S. E., 2013)
Risk Assessment examines the risks to the entity's objectives and determines how those risks will be handled. There are four policies relating to Risk Assessment: (Soske, S. E., 2013)
Monitoring activities are mostly separate evaluations and activity evaluations, and the mixture of the two is controlled by the different parts of the internal control. Two policies regarding Monitoring Activities are: (Soske, S. E., 2013)
Policies would be the high-level papers that strengthen our organization-level information security policy. Procedures would have more detail, but would not be operational process documents. Policies and procedures would be substantial requirements that must be met. The structure of policy information is given as:
The security frameworks provided by NIST (SP 800-53), the ISO/IEC 27000 series and COBIT provide the laws and regulations under which the security policies should be followed. By studying these regulations in connection with security policies, you can recognize how they can be avoided. (Johnson, 2011)
The seven domains managed in developing an effective IT Security Policy Framework are: User, Workstation, LAN, WAN, LAN-to-WAN, Remote Access, and System Application (Johnson, 2011). Each domain has unique functions for data quality and handling. The following individuals analyze the challenge with the security group to ensure data quality in business:
Implementing a governance framework can allow the organization to identify and mitigate risks in an orderly fashion. The IT Security Policy Framework provides the ability to estimate the risk as:
A well-defined governance and compliance framework gives a structured approach. To implement the policy control design methods, the framework should specify the mapping to significant laws and regulations, e.g. the Sarbanes-Oxley (SOX) Act.
After studying this analysis, I will face the organization's IT staff to evaluate my findings. After evaluation of the fields of the policies, the framework would be presented to senior officials. Once the senior officials and CIO have passed it or changes have been made, the policy will then be implemented.
Johnson, R., & Merkow, M. S. (2011). Security policies and implementation issues. Sudbury, MA: Jones & Bartlett Learning.
Soske, S. E., & Martens, F. J. (2013, May). COSO, Committee of Sponsoring Organization of the Treadway Commission, 2011, “Internal Control – Integrated Framework”, American Institute of Certified Public Accountants, Durham, NC. Retrieved January 29, 2016, from http://www.coso.org/documents/990025p_executive_summary_final_may20_e.pdf
VanCura, L. (2005, January 20). SANS Institute InfoSec Reading Room. Retrieved January 29, 2016, from https://www.sans.org/reading-room/whitepapers/awareness/building-security-policy-framework-large-multi-national-company-1564