IT SECURITY MANAGEMENT AUDIT

Group Assignment
Team Members:
Abdurrahman Noor-Ul-Haqq Gurib (Team Leader)
Prabha Devi Jeewooth
Varun Mohunah
Jean Terry Castel

Lecturer: Mrs Jennita Appanah

DCY1B
IT207
August 12, 2022

Class Assignment – IT Security Management Audit

Course Code – IT207

As we move further into the 21st century, the importance of ISO 27001's emphasis on
information protection is becoming increasingly clear to organizations. In this context, waiting
until it's too late can be disastrous for an organization's reputation in the market as a safe
vendor to do business with.

ISO 27001 is an internationally recognized framework that ensures the organization analyses
the gaps in its information security policies and makes changes that meet the best practices of
cybersecurity and awareness amongst staff. This process helps to identify the level of
compliance that your existing management system has in the context of information security
and allows you to mitigate potential threats to your organization before they impact your
bottom line.

We have to realize that management has a mindset and an obligation to improve the business's
figures and performance. What they need to see is the Return on Investment (ROI); so, if you are
trying to convince your management team that the ISO 27001 standard is needed, you
have to talk about investment, not expenditure.

To get your management's attention, you have to speak their language. Top management, such as
executives and general managers, wants to see everything in terms of profitability. Therefore, it
is important to emphasize how ISO 27001 can be profitable for the business.

Questions:

1. As an ISO 27001 implementer for the company, you need to come up with concrete
layman explanations to show the management why ISO 27001 is important for the
company. (5 marks)

ISO 27001 is a methodical way of managing sensitive corporate data and ensuring its
security. It encompasses the implementation of a risk management method as well as
people, procedures, and IT systems.

But why would businesses choose to undergo the ISO 27001 certification procedure?
First, it confirms that your cybersecurity program is sufficiently robust: the certification
process searches for areas of weakness so that cybersecurity works for the firm rather than
against it.
Second, adherence to ISO 27001 facilitates the two factors that are crucial for every
business: employee and customer trust. If you couldn't ensure the protection of their
personal information, who would opt to use your service or work for your business?

Last but not least, ISO 27001 accreditation is a terrific instrument for streamlining
internal operations, getting rid of outdated procedures, and guiding your company
toward continual progress.

2. Explain how being ISO 27001 certified will increase the profit of the company.
(5 marks)

Although ISO 27001 compliance is not required for any organization, businesses may
opt to attain and maintain it as proof that they have put in place the appropriate security
controls and procedures to safeguard their systems and the private data they own.

Achieving ISO 27001 compliance is crucial as a differentiator in the market and as a
foundation for compliance with other laws and regulations. The standard offers a strong
foundation on which to develop many of the security measures demanded by other
standards, making an organization that adheres to it more secure than one that does not.

1. It will protect your reputation from security threats

The most obvious reason to certify to ISO 27001 is that it will help you avoid security
threats. This includes both cyber criminals breaking into your organization and data
breaches caused by internal actors making mistakes.

ISO 27001’s framework ensures that you have the tools in place to strengthen your
organization across the three pillars of cyber security: people, processes, and
technology.

You can use the Standard to identify the relevant policies you need to document, the
technologies to protect you, and the staff training to avoid mistakes.

2. You'll avoid regulatory fines

ISO 27001 helps organizations to avoid the costly penalties associated with non-
compliance with data protection requirements such as the GDPR (General Data
Protection Regulation).

Indeed, the Standard’s framework has much in common with the GDPR, and
organizations can use its guidelines to achieve and maintain compliance.
But the GDPR isn’t the only framework that ISO 27001 can help you with. Its best-
practice approach to information security means it is a suitable starting point for any
number of regulations.

3. It will protect your reputation

By achieving ISO 27001 compliance, you can demonstrate to stakeholders that you take
information security seriously.

This will help you win new business and enhance your reputation with existing clients
and customers. Some organizations will only work with organizations that can
demonstrate that they have certified to ISO 27001.

Cyber attacks are on the increase across Europe and the rest of the world and can have
a massive impact on your organization and its reputation. An ISO 27001-certified ISMS
(information security management system) helps protect your organization and keeps
you out of the headlines.

4. It will improve your structure and focus

As organizations adapt and grow, it won’t take long before people lose sight of their
responsibilities regarding information security.

With ISO 27001, you can create a system that has enough flexibility to ensure that
everyone maintains their focus on information security tasks. Similarly, it requires
organizations to conduct annual risk assessments, which help you make changes where
necessary.

5. It reduces the need for frequent audits

ISO 27001 certification is globally accepted and demonstrates effective security,
reducing the need for repeat customer audits.

3. If this were a Software Development Company, which information security policies
would be required for proceeding with ISO 27001 certification? You need to list 5
such policies and justify each policy that you list with a proper
explanation. (5 marks)

1. Incident Response Policy

The incident response policy is part of an organization’s Business Continuity Plan. It
outlines an organization’s response to an information security incident. The incident
response policy should be documented separately from the Disaster Recovery Plan, as
it focuses on procedures following a breach of data or another security incident.

The policy should include information about the incident response team, personnel
responsible for testing the policy, the role of each team member, and actions, means,
and resources used to identify and recover compromised data. Phases of incident
response include:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Post-Incident

2. Security Awareness and Training Policy

Security awareness training should be administered to all workforce members, so they
can properly carry out their functions while appropriately safeguarding company
information. Employees must sign a confidentiality agreement and provide proof of
completion when they have finished the training. Management should design the
training to educate users on the security policy of the organization.

Goals for the security awareness and training policy should include education about the
security policy and help develop an understanding of how the policy protects the
business, employees, and customers. The policy must also identify the personnel who are
responsible for creating and maintaining the training. These personnel must learn to
recognize changes in technology that impact security and the organization.

For all users, the policy should include points on maintaining workstations, email and
internet access policies, and employee responsibility for computer security. Key parts
of security awareness training include identifying social engineering tactics, limiting
system downtime, and protecting critical business information.

3. Remote Access Policy

Remote access involves connecting to the company’s network from any host. The
remote access policy is designed to minimize potential exposure from damages that
may result from unauthorized use of resources. This policy should be directed to all
employees and should include provisions for sending or receiving emails and intranet
resources. The policy should also include requirements for VPN access and disk
encryption.

Requirements for remote access should be similar to requirements for onsite access.
The policy should also enforce strong passphrases, logging off when leaving a device
unattended, and refraining from connecting to other networks at the same time users
are connected to the internal one. It should also require users to ensure that they are
using the most up-to-date antimalware software and operating systems.

4. Network Security Policy

A complete network security policy ensures the confidentiality, integrity, and
availability of data on the company’s systems by following a specific procedure for
conducting information system and network activity reviews periodically. The policy
ensures that systems have appropriate hardware, software, or procedural auditing
mechanisms. Audit events include failed login attempts, information system start-up or
shutdown, and the use of privileged accounts. Other logging items include anomalies
in the firewalls, activity over routers and switches, and devices added or removed from
the network. The company should log details of the activity such as the date, time, and
origin of the activity.
The policy must state applicable actions taken during an auditable event and who is
responsible for what. For example, IT will fix a problem and then report it to the ISO.
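As an added illustration of the audit requirements described in this policy (example code written for this page, not part of the original assignment), the following Python snippet parses constructed audit-log lines, checks that each record carries the date, time and origin the policy demands, counts records per auditable event category, and surfaces repeated failed logins as a review finding for IT. The record format and event names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed record format (not a real product's log): date time origin EVENT details
LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
                     r"(?P<origin>\S+) (?P<event>[A-Z_]+) ?(?P<details>.*)$")

# Event types the policy names as auditable, mapped to a review category (assumed names).
AUDITABLE = {
    "LOGIN_FAILED": "failed login attempt",
    "SYSTEM_STARTUP": "system start-up/shutdown",
    "SYSTEM_SHUTDOWN": "system start-up/shutdown",
    "PRIVILEGED_USE": "privileged account use",
    "DEVICE_ADDED": "device added/removed",
}

def parse_line(line):
    """Return the record's fields, or None when date, time or origin cannot be read."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def review_log(lines):
    """Count records per policy category and list lines that cannot be audited."""
    counts, malformed = Counter(), []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            malformed.append(n)   # required fields absent: flag for IT to fix and report
            continue
        counts[AUDITABLE.get(rec["event"], "other")] += 1
    return {"counts": dict(counts), "malformed_lines": malformed}

def failed_login_bursts(lines, threshold=3):
    """Origins with at least `threshold` failed logins, a typical periodic-review finding."""
    per_origin = Counter(
        r["origin"] for r in map(parse_line, lines)
        if r and r["event"] == "LOGIN_FAILED"
    )
    return {o: c for o, c in per_origin.items() if c >= threshold}

# Constructed sample lines; the last one lacks the origin field the policy requires.
SAMPLE_LOG = [
    "2022-08-12 08:00:01 srv-01 SYSTEM_STARTUP kernel boot complete",
    "2022-08-12 08:05:10 10.0.0.7 LOGIN_FAILED user=admin",
    "2022-08-12 08:05:12 10.0.0.7 LOGIN_FAILED user=admin",
    "2022-08-12 08:05:15 10.0.0.7 LOGIN_FAILED user=admin",
    "2022-08-12 08:06:00 srv-01 PRIVILEGED_USE sudo by jdoe",
    "2022-08-12 08:10:00 LOGIN_FAILED user=root",
]
```

Running `review_log(SAMPLE_LOG)` reports three failed logins, one start-up and one privileged-account event, and flags line 6 as unauditable; `failed_login_bursts(SAMPLE_LOG)` singles out 10.0.0.7.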

5. Change Management Policy

The company’s change management policy ensures that changes to an information
system are managed, approved, and tracked. The organization must make sure that all
changes are made in a thoughtful way that minimizes the negative impact on services
and customers. The change management policy includes methods for planning,
evaluation, review, approval, communication, implementation, documentation, and
post-change review. Change management relies on accurate and timely documentation,
continuous oversight, and a formal and defined approval process. The change
management policy covers SDLC, hardware, software, database, and application
changes to system configurations including moves, adds, and deletes.