Free Research Paper On IT Security Policy Framework


NIST Special Publication 800-53 provides guidelines that organizations apply when auditing their systems to discover security and system needs. The guidelines are formalized and documented to facilitate the implementation of audit and accountability policies. The AU (Audit and Accountability) control family stipulates the definition of auditable events, the content of audit records, audit storage capacity, the response to audit processing failures, and audit review, analysis and reporting. Other essential controls include monitoring for information disclosure, audit generation, non-repudiation, audit reduction and report generation, and session auditing. These measures facilitate the detection of system vulnerabilities in an organization and the subsequent development of control mechanisms and measures.
The implementation of NIST SP 800-53 will facilitate the development, dissemination and updating of formalized access policies and of the other procedures that cater for the management and coordination of the system. The publication stipulates effective methods for account management, access enforcement, control of information flow, separation of duties and least privilege. It also addresses other factors such as session controls, automatic marking, management of publicly accessible content, user-based collaboration and access control. The guidelines apply to both specific and general use, with clear implications for the system's security status, the quality of forensic audits and the effectiveness of controls (Ipswitch, 2012).
In addition, NIST SP 800-53 provides the much-needed agency-level risk evaluation, assessment and vulnerability scanning. These procedures ensure efficient management of security and proper mitigation of the threats that result from exposure. The controls provide the policies and procedures that guide the implementation of the highlighted security controls and enhancements in compliance with federal law (NIST, 2013).
ISO/IEC 27000 is a set of standards which, when put into use, specify the complete implementation of an Information Security Management System (ISMS). An ISMS is a combination of policies, procedures, and human and machine resources that together ensure adherence to the CIA triad (Confidentiality, Integrity and Availability) at an organization's physical, personnel and organizational layers.
The ISO/IEC 27000 series is still under development as work advances on the completion of ISO/IEC 27000 through ISO/IEC 27010. On completion it will cover the fundamental requirements of an ISMS applicable to any organization regardless of size, objective or structure. ISO/IEC 27001 defines the requirements of an ISMS, while ISO/IEC 27002 establishes the implementation guidelines and principles. An ISMS is audited against ISO/IEC 27001 before it is certified as compliant. A number of third-party providers offer certification and support for improved implementation throughout the certification period.
COBIT is a framework created by the Information Systems Audit and Control Association (ISACA) specifically for information technology management and governance. Its scope covers the technical, control and business risks of an organization. The COBIT framework provides a host of operational practices across its domains and process frameworks. Its business orientation aligns IT goals with business models and metrics, and provides a mechanism for measuring achievements and identifying responsibilities. Its process orientation segments the process model into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation. The domain sits at the highest level of this hierarchy and has been harmonized with other related IT standards and practices such as the ISO 27000 series and the NIST standards.


Some information is categorized as high risk because its exposure may cause harm or because the information is protected under the law. Great care is therefore required to protect such information from misuse. Names of persons, credit or security card numbers, and individual financial information are examples (Bacik, 2008). An enterprise security policy is mandated to protect such information.
Confidential information is characterized by its limited public availability and by the damage it can cause when it is lost or delivered to the wrong person. The damage may include financial losses, a tainted reputation, or a security threat to the members of the Insurance Company.
5.1 Storage

Confidential information should be stored on dedicated file servers rather than on local hard disks or portable drives.

5.2 Copying
The number of duplicates produced from confidential information should be kept to a minimum, and a record of their distribution should be kept (Vacca, 2006).
Confidential data should be deleted immediately when it is no longer in use. Hard copies should be destroyed without delay.
The physical security of such information should be prioritized wherever possible. All such information should be kept under lock and key, and only authorized holders of access rights should be able to retrieve it.
5.3 Disposal
The Insurance Company policy for the destruction and disposal of obsolete and damaged computers should be followed strictly. Information left on such equipment can cause a lot of damage if it leaks after repair or disposal.
5.4 Portable devices and media

Guidelines regulate the removal and use of portable devices in order to prevent misuse.

Users should seek permission from the information owners before removing confidential information or using it on portable devices. The Insurance Company should be satisfied that the removed information is necessary and will be used in the right manner. Confidential information should be encrypted when transferred via portable devices so as to minimize the damage if the device is lost.

The password or key used to encrypt the information must not be stored in the same location as the device.

5.5 Information exchange via email
5.6 Enforcement
Confidential information that is suspected to have been leaked or lost should be reported to the Insurance Company's Data Protection Management as soon as possible.

Failure to comply with the policy will lead to severe consequences (Birkland, 2010).

The different policies and acts are important because they control the formulation and use of various technologies, standards and procedures in the US. An organization faced with poor awareness and management of disaster recovery and business continuity (DRBC) plans, among other complications, can benefit from their implementation. The implementation of NIST SP 800-53 is the only viable solution for controlling and managing such inefficiencies. The publication will ensure the development of formal, well-documented steps for carrying out training and security awareness. The training needs will therefore be met continuously in the organization for the benefit of all users.
Protection of information is vital to the success of the company. However, challenges exist that may compromise the security of such information. Some of the impending challenges to the implementation of the IT security framework outlined above include lack of awareness and poor management of the existing policies among staff and information users. To overcome these challenges, a framework such as COBIT, covering the four domains of security policy implementation, outlines best practices that all users must adhere to. To protect confidential information, staff must be made aware of best practices for creating, keeping and managing passwords. Through the delivery and support domain, staff adjust to the environment and minimize threats by tuning controls, policies and procedures.


Bacik, S. (2008). Building an Effective Security Policy Architecture. CRC Press, Inc.
Birkland, T. A. (2010). An Introduction to the Policy Process: Theories, Concepts, and Models of Public Policy Making. M.E. Sharpe.
Fitzgerald, T. (2012). Information Security Governance Simplified: From the Boardroom to the Keyboard. CRC Press.