Answer the following questions:
1. As an executive of an organization, what would you implement to solve and enforce GRC (governance, risk management, and compliance), standards, security, and continuity issues?
2. Thinking of your organization, describe what needs to be built and how it should be enforced throughout the organization over time.
a. Note: If you are currently not working, use your last employer as your example.
b. If you have never worked, choose a company you are familiar with as the company for your assignment.
3. Please specifically list and describe what is needed for all this to occur in relation to the industry your organization is in.
Need 6-8 pages in APA format with introduction and conclusion. Use a company from Tech Industry – software engineer role where required. Need minimum of 5 peer-reviewed citations.
7
Mobile devices
Mobile devices and teleworking
Control objective A.6.2 of ISO27002 is to ensure information security when
mobile or when working remotely. The protection required should, of
course, be proportional to the risks identified (through a risk assessment).
Many of the issues related to both mobile working and teleworking have
been touched on elsewhere in this book. These include issues around infor-
mation classification (Chapter 9), equipment security (Chapter 16), virus
control (Chapter 18) and access control (Chapter 11). The two sub-clauses
deal, respectively, with mobile computing and teleworking.
Mobile computing
Control 6.2.1 of ISO27002 says the organization should have in place a
formal policy and appropriate controls to protect against the risks of work-
ing with mobile computing facilities, particularly in unprotected locations.
If the organization has a BYOD (??Bring Your Own Device??) policy, this is
where it would primarily occur within the ISMS.
Any organization that operates a mobile computer network ?? and a
Blackberry or smartphone network would count ?? should take specific steps
to protect itself. These controls may also be relevant in respect of staff
accessing organizational assets from their own private mobile devices. If it
also has teleworkers, this policy for mobile computers could be integrated
with that for the teleworkers. The first step is to design and adopt, within the
ISMS, a mobile computing policy, which must be accepted in writing by
those who wish to use mobile facilities before they are allowed to. The sensi-
ble organization will also ensure that users receive appropriate training
before they are issued with mobile computing equipment (notebooks, smart-
phones).
IT GOVERNANCE116
This policy should consolidate all the procedures discussed elsewhere in
this manual in respect of mobile computing and handheld usage. It should
set out clearly the requirements for physical protection, access controls,
cryptography, back-ups and malware protection. It should include clear
guidance on how to connect to the organizational network and how mobile
tools should be used in public places. ??Public places?? include meeting rooms
outside the organization??s own secure premises and wherever notebooks
and handhelds remain tempting targets for hackers and thieves, who can
have as much impact on the availability of data as a particularly virulent
virus. Guidance on where mobile devices may be used, and for what
purposes, should also be provided, with due consideration being given to
who may be able to see or hear what is being ??processed??.
The organization will need to develop an effective method of ensuring
that anti-malware protection is completely up to date on mobile computers
(which are also known as ??endpoints??, reflecting the reality that for many
4
Organizing information security
It is both practical and sensible to consider the organization??s information
security management structure at an early stage in the implementation
process. This does, in fact, need to be thought through at the same time as
the information security policy is being drawn up, as set out in Chapter 5.
An effective information security management structure also enables the
risk assessment (to be discussed in Chapter 6) to be carried out effectively.
The second control category in Annex A to the standard, in clause A.6.1,
is ??Internal organization??. Controls are selected to meet business, regulatory
or contractual requirements (the baseline security criteria), or in response to
the risk analysis (see Chapter 6); there is a business requirement to put an
information security management structure in place from the start of the
ISO27001 project. The control objective of control A.6.1 is to ??establish a
management framework to initiate and control the implementation and
operation of information security within the organization??.
This objective encourages the creation of the management information
security forum identified in earlier versions of the standard. More impor-
tantly, it no longer prescribes any specific management structure; the key
requirement is management??s active support for and commitment through-
out the organization to the ISMS project. Without this, neither certification
nor the project itself will be successful. Clause A.6.1.1 of ISO27002, says
that information security responsibilities should be defined and allocated
(which reflects also the requirement of ISO27001 clause 5.3) and explains,
what best practice expects in terms of the allocation of roles and responsi-
bilities. At the same time, the competence requirements of Clause 7.2 should
also be considered.
IT GOVERNANCE56
Internal organization
ISO27002 echoes the requirement that managers should actively support
security within the organization through ??clear direction, demonstrated
commitment, explicit assignment and acknowledgement of information
security responsibilities??. In practical terms, this means that managers should
set up a top-level forum or steering group to ensure that there is clear direc-
tion and visible management support for security initiatives within the
organization. It could be part of an existing management body, which might
be appropriate in a smaller organization where the members of the top
management team will also, broadly, be the members of an information
security forum. More usually, it will be a separate cross-functional body,
adequately resourced for its responsibility, reporting to a member of the top
management team and reflecting top management support and commit-
ment. In this book, we will usually refer to this management group as ??the
forum??. The effecti
We offer the bestcustom writing paper services. We have done this question before, we can also do it for you.
Why Choose Us
- 100% non-plagiarized Papers
- 24/7 /365 Service Available
- Affordable Prices
- Any Paper, Urgency, and Subject
- Will complete your papers in 6 hours
- On-time Delivery
- Money-back and Privacy guarantees
- Unlimited Amendments upon request
- Satisfaction guarantee
How it Works
- Click on the “Place Order” tab at the top menu or “Order Now” icon at the bottom and a new page will appear with an order form to be filled.
- Fill in your paper’s requirements in the "PAPER DETAILS" section.
- Fill in your paper’s academic level, deadline, and the required number of pages from the drop-down menus.
- Click “CREATE ACCOUNT & SIGN IN” to enter your registration details and get an account with us for record-keeping and then, click on “PROCEED TO CHECKOUT” at the bottom of the page.
- From there, the payment sections will show, follow the guided payment process and your order will be available for our writing team to work on it.
