Category: MBA | Pages: 8 | Posted on: 2/24/2010
CS5105 - Information Security Assignment: Relationship of ICT policy and IT security policy
R. Ahilan

1. Why is it required to have an ICT policy prior to an IT security policy?

Answer Plan:
• ICT policy and its purpose
• IT security policy and its purpose
• Why an ICT policy is required prior to an IT security policy

ICT Policy and Its Purpose
A policy is a course of action adopted and pursued by a government, party, ruler, statesman, etc.; it is the realm of those in power. These days, organizations should realize that proper usage of IT not only ensures data confidentiality but can also offer competitive advantages. An ICT policy is a guide for how an organization uses ICTs to achieve overall development within the organization and in the delivery of its services. It assists in benchmarking each organization's activities, identifying the areas that need attention and where rectification needs to be carried out. ICT policy basically covers information, communication and technical issues. In the broad sense it covers three main areas: telecommunications (especially telephone communications), broadcasting (radio and TV) and the internet. It may be national, regional or international, and each level may have its own decision-making bodies, sometimes making different and even contradictory policies.
Some of the important purposes of an ICT policy are listed below. Source: [WWW1]: http://www.kantei.go.jp/foreign/it/security/2001/g2.html#3
• Increasing the benefits from information technology
• Helping people and organizations to adapt to new circumstances and providing tools and models to respond rationally to challenges posed by ICT
• Providing information and communication facilities, services and management at a reasonable or reduced cost
• Improving the quality of services and products
• Encouraging innovation in technology development, use of technology and general work flows
• Promoting information sharing, transparency and accountability and reducing bureaucracy within and between organizations, and towards the public at large
• Identifying priority areas for ICT development (areas that will have the greatest positive impact on programmes, services and customers)

IT Security Policy and Its Purpose
An IT security policy is documented to establish a shared sense of security among the organization's staff, so that information is handled according to defined rules rather than at the personal discretion of whoever happens to hold it. Some of the main purposes of an IT security policy are listed below:
• Protect people and information
• Set the rules for expected behaviour by users, system administrators, management, and security personnel
• Authorize security personnel to monitor, probe, and investigate
• Define and authorize the consequences of violation
• Define the company's consensus baseline stance on security
• Help minimize risk
• Help track compliance with regulations and legislation
Information security policies provide a framework for best practice that can be followed by all employees. They help to ensure that risk is minimized and that any security incidents are responded to effectively.

Why is an ICT Policy required prior to an IT Security Policy?
As discussed above, the ICT policy builds the disciplined foundation on which the IT security policy sits, by addressing the following ICT characteristics: accessibility, transparency, efficacy, efficiency, interoperability, confidentiality, integrity, availability, accountability, equity, roles and responsibilities, and the like. Furthermore, defining, stating and implementing an ICT policy gives the organization clear rules and regulations. This facilitates the proper usage of computers, email and the internet, reduces exposure to external threats and helps prevent internal security breaches. It also improves the transparency and efficiency of the organization's business. Enforcing the IT security policy after the ICT policy ensures that its prerequisites (defined roles and responsibilities, rules for acceptable use of computers, email and the internet) are already met, and delivers a better-quality experience. The IT security policy can also be considered a subset of the ICT policy.

2. In what way does the ICTA ICT policy help organizations to enable their services using information systems?

Answer Plan:
• Introduction to ICTA and its roles in policy making
• How the ICTA ICT policy helps organizations to enable their services using IS

Introduction to ICTA and Its Roles in Policy Making
The Information and Communication Technology Agency (ICTA) of Sri Lanka is the single apex body involved in ICT policy and direction for the nation. Wholly owned by the Government of Sri Lanka, ICTA is the implementing organization of the e-Sri Lanka Initiative [WWW2: http://www.icta.lk]. Its vision is: "To harness ICT as a lever for economic and social advancement by taking the dividends of ICT to every village, to every citizen, to every business & to re-engineer the way government thinks & works".
The roles of ICTA can be categorized as below:
• Development of ICT human resources
• Building the information infrastructure
• ICT investment and private sector development
• Creating an empowered knowledge-based society
• Re-engineering government to deliver citizen services

How does the ICTA ICT policy help organizations to enable their services using IS?
In Sri Lanka, information systems are regarded as a threat by the staff of many organizations because of the digital divide, the non-dissemination of ICT to their regions, and the like. Because ICTA is a government organization and its policy is backed by the government, implementation becomes easier and IS becomes more trustworthy. Since the policy is available in all three languages (Sinhala, Tamil and English), it raised awareness of the policy from the top to the bottom of the staff hierarchy. The ICTA ICT policy also enables organizations to work together more easily and electronically, with information being reusable from one agency to another.

ICTA is an autonomous agency, government owned but with a more flexible "private sector style" mode of operation. Attracting Sri Lankan professionals, including some from overseas, has helped ICTA to meet and successfully overcome major obstacles to progress which would have brought any other institution to a grinding halt. Barely two and a half years old, ICTA is already showing remarkable agility and ability to respond to the ever-changing environment, and has made extremely satisfactory progress to date. This underlines the importance of building local capacity to drive complex initiatives of this nature. ICTA manages to retain core staff and, when this is not possible, ensures that institutional learning mechanisms are in place to allow as smooth a transition as possible.
It has further enabled infrastructure development; cost savings in service delivery, purchasing, communication, etc.; electronic commerce and secure transactions; and the development of technological standards within organizations.

3. What are the shortcomings in the ICTA ICT policy?
• The ICT policy was built on a large number of assumptions, such as:
o certain required skills already being available in the local private sector
o the local private sector and NGOs gearing up to add capacity and skill sets
o organizations from across different sectors seeking partnerships with one another to address the diverse needs of complex projects
These assumptions proved false; hence the ICTA policy is not yet effective.
• The policy was built within the prevailing laws and regulations of the country, which limits it.
• Sufficient infrastructure has not been developed, so full implementation of the policy is a major problem.
• Digital divide in the country.
• Policies for data management systems have not been incorporated.
• The IT literacy rate of the country is low.
• It is not yet accepted at the national level.
• Low awareness among citizens.
• Political influences.
• Low commitment from government organizations.

4. What difficulties would organizations face in implementing ISO 27000 standards?

Answer Plan:
• Understanding of the ISO 27000 standard
• Difficulties in enforcing the standard

Understanding of the ISO 27000 Standard
(From the material: International Standard ISO/IEC 27000, last updated 2009/05/01)
ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security Management Systems (ISMS) standards, the "ISO/IEC 27000 series". ISO/IEC 27000 is a new international standard entitled "Information technology - Security techniques - Information security management systems - Overview and vocabulary". The standard is known informally, if incorrectly, as "ISO 27000".
The standard was developed by sub-committee 27 (SC27) of the first Joint Technical Committee (JTC1) of the International Organization for Standardization and the International Electrotechnical Commission. ISO/IEC 27000 provides:
• An overview of and introduction to the entire ISO/IEC 27000 family of Information Security Management Systems (ISMS) standards; and
• A glossary or vocabulary of fundamental terms and definitions used throughout the ISO/IEC 27000 family.
Information security, like many technical subjects, is evolving a complex web of terminology. Relatively few authors take the trouble to define precisely what they mean, an approach which is unacceptable in the standards arena as it potentially leads to confusion and devalues formal assessment and certification. As with ISO 9000 and ISO 14000, the base "000" standard is intended to address this.

Difficulties in Enforcing the Standard
• The series descends from the British Standard BS 7799 (ISO/IEC 27001 was derived from BS 7799-2), and some of its structure and terminology still reflect that origin, so organizations outside that tradition may find it less natural to adopt.
• Implementation needs the following prerequisites to be satisfied, which increases the burden on organizations:
o Awareness of the need for information security
o Assignment of responsibility for information security
o Incorporating management commitment and the interests of stakeholders
o Enhancing societal values
o Risk assessments determining appropriate controls to reach acceptable levels of risk
o Security incorporated as an essential element of information networks and systems
o Active prevention and detection of information security incidents
o Ensuring a comprehensive approach to information security management
o Continual reassessment of information security and making modifications as appropriate
• A high cost factor is involved in all of the following pre- and post-implementation activities:
o Purchase the standard
o Consider training
o Assemble a team and agree your strategy
o Review consultancy options
o Undertake a risk assessment
o Develop a policy document
o Develop supporting literature
o Choose a registrar
o Implement your Information Security Management System
o Gain registration
o Continual assessment
• Risks and overheads involved in implementing the standard for SMEs:
o Lack of alignment of the information security policy, objectives, and activities with the organizational objectives
o Lack of a professional approach and framework for designing, implementing, monitoring, maintaining, and improving information security consistent with the organizational culture
o Lack of visible support and commitment from all levels of management, especially top management
o Lack of understanding of information asset protection requirements achieved through the application of information security risk management
o Lack of information security awareness, training and education for employees
o Lack of communication to all employees and other relevant parties of their information security obligations set forth in the information security policies and standards, and of motivation to act accordingly
o Absence of an information security incident management process
o Absence of an effective business continuity management approach
o Absence of a measurement system used to evaluate performance in information security management and to feed back suggestions for improvement