As organizations grow and rely more on information systems as the primary means of conducting operations, keeping those systems and their information secure has become one of the biggest priorities. In order to ensure information security, the organization must take appropriate security measures to make sure that no information is put in the hands of unauthorized personnel. Having a comprehensive information security framework in place, along with sound standard operating procedures (SOPs) and policies and regulations, can help any organization keep its systems and information secure.
When developing a framework for any organization, you must choose what will be best for that organization. NIST (SP 800-53), ISO/IEC 27000, and COBIT are all frameworks that offer many different security programs; there is no wrong framework to choose, but choosing the one that works for your organization can be a tough decision for any manager to make. For the insurance organization I would choose to implement the ISO/IEC 27000 framework, so that we can concentrate on establishing and managing an IT security program. The ISO/IEC 27000 series covers information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develop and publish international standards. By using this framework we can provide all the necessary best practices that have been recommended for information security management, risks and controls, and security concerns that may occur. This framework can be implemented in an organization of any size, so even if the company expands, our framework will allow us to maintain all HIPAA guidelines and will allow the organization to grow as its security needs do. In designing the security policy for the organization I will use the main approaches to designing the framework. The managerial, operational and technical aspects of the organization are all important, and making sure that all the needs of the company are met will be the top priority, including business goals such as keeping business continuity, minimizing business damage, and of course still maximizing all monies as well as protecting all information.
With data you must always think of ways to help ensure that it is kept secure, gets to the correct recipient, and keeps its integrity. There are many different ways to make this happen: security policies set on the network by administrators, group policies that restrict what someone is allowed to do on the network, or input controls. Data input controls ensure the accuracy, completeness, and timeliness of data during its conversion from its original source into computer data, or its entry into a computer application. Input controls are very important at every step in implementing or designing a network project such as ours. Having controls and frameworks working together helps them be interchangeable; this means we stay within our HIPAA standards and the security controls that have been set, and we will be governed by them both. To help the organization stay aligned with policies and controls, we will apply compliance testing and ensure training and awareness testing for all users within the company.
There are seven domains within a security policy framework: user, workstation, LAN, LAN-to-WAN, WAN, System/Application, and the Remote Access Domain, and all have different security requirements. In trying to ensure that all domains of the framework are secure, there will be many challenges. Many people think that as long as you have one security item it covers everything, which is not true, so making sure that we touch all seven domains is essential. The user domain can be the toughest, because keeping up with all employees coming and going can be a challenge. There will be procedures in place to control the allocation of access rights to the information systems and services. The policy will capture the users coming into and the users leaving the organization; we will give high attention to user access controls and user rights, making sure that the correct user has the right access to information on the network. There is also a user responsibility that needs to be met. Users will be required to sign a user agreement and adhere to all AUPs that are set; this will clearly set out where security responsibilities lie and the consequences of not meeting them. The workstation domain can be another challenge: keeping up with inventories, making sure that they all stay within compliance, and dealing with unauthorized workstation access, viruses, and malicious code. To help reduce that challenge we will push patches over the network to help all workstations stay updated, and make sure all workstations are signed for by employees so that no workstations are easily unaccounted for; accountability will be key in this domain. The LAN challenge is making sure that users are not abusing the network, and dealing with unauthorized access to system applications and data, and with system vulnerabilities. To overcome this challenge we will implement group policies and input controls that set what and who has access to different data on the network. The LAN-to-WAN domain has its challenges also, such as probing and port scanning, and making sure all firewalls and routers are in compliance. We will ensure accountability is set on all network pieces, push all patches over the network to ensure they stay updated, and make sure all virus protection is up to date. The WAN has its own challenges; safeguarding the domain from malicious attacks is one of the biggest we will face. To help overcome that challenge we will keep the virus protection updated and ensure that all protocols are set for the proper situations. The System/Application domain faces many tests also, with corrupt or lost data, and with trying to keep unauthorized users out of server rooms and applications. This one will be alleviated by making sure that all of the other domain challenges are met, which will help here as well, by having a disaster recovery plan in place, and by setting and performing regular backups of our network. The last challenge, in the remote access domain, can be data leakage, brute force attacks, and unauthorized remote access to systems. Making sure that those group policies are set and the proper controls are on the network can help with some of the problems that we may face.
With the growing need for information security, the different security policy frameworks available help organizations implement and maintain a secure network. Also, having input controls included ensures that data is correct, complete and secure; the input control reviewer should determine the adequacy of both manual and automated controls over data input, to ensure that data is input accurately with optimum use of computerized validation and editing, and that error handling procedures facilitate the timely and accurate resubmission of all corrected data. Without proper security on the network, a severe network breach could occur, as could some of the types of breaches described above. It is always a best practice never to get complacent when it comes to technology; with its rapid growth, the need to keep information secure will be just as important.
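As an added example (not part of the original essay), here is a small Python input-control routine for an insurance claim intake batch that checks the three properties named above, completeness, accuracy and timeliness, and produces a resubmission list for the error-handling step. The field names, the member ID format, the processing date and the 90-day submission window are assumptions made for this illustration.

```python
from datetime import date, timedelta
import re
# Constructed rules: field names, member ID format, processing date and the
# 90-day submission window are all assumptions made for this illustration.
REQUIRED_FIELDS = ("claim_id", "member_id", "service_date", "amount")
MEMBER_ID_RE = re.compile(r"^M\d{8}$")  # assumed format: 'M' + 8 digits
SUBMISSION_WINDOW = timedelta(days=90)
TODAY = date(2014, 2, 1)  # constructed processing date for the batch

def validate_record(rec, today=TODAY):
    """Return a list of error strings; an empty list means the record is accepted."""
    errors = []
    for field in REQUIRED_FIELDS:  # completeness: required fields present
        if not str(rec.get(field, "")).strip():
            errors.append(f"{field}: missing")
    if errors:
        return errors  # accuracy checks are meaningless for absent fields
    if not MEMBER_ID_RE.match(rec["member_id"]):  # accuracy: ID format
        errors.append("member_id: bad format")
    try:  # accuracy: amount is numeric and positive
        if float(rec["amount"]) <= 0:
            errors.append("amount: must be positive")
    except ValueError:
        errors.append("amount: not a number")
    try:  # timeliness: valid date, not in the future, inside the window
        svc = date.fromisoformat(rec["service_date"])
        if svc > today:
            errors.append("service_date: in the future")
        elif today - svc > SUBMISSION_WINDOW:
            errors.append("service_date: outside submission window")
    except ValueError:
        errors.append("service_date: not a valid date")
    return errors

def process_batch(records, today=TODAY):
    """Split a batch into accepted records and a resubmission list (claim ID
    plus reasons), so rejected data can be corrected and re-entered."""
    accepted, resubmit = [], []
    for rec in records:
        errs = validate_record(rec, today)
        if errs:
            resubmit.append({"claim_id": rec.get("claim_id"), "errors": errs})
        else:
            accepted.append(rec)
    return accepted, resubmit

SAMPLE = [  # constructed sample intake batch, not real claim data
    {"claim_id": "C1", "member_id": "M12345678", "service_date": "2014-01-20", "amount": "120.50"},
    {"claim_id": "C2", "member_id": "12345678", "service_date": "2014-01-20", "amount": "-5"},
    {"claim_id": "C3", "member_id": "M12345678", "service_date": "", "amount": "10"},
    {"claim_id": "C4", "member_id": "M12345678", "service_date": "2013-09-01", "amount": "10"},
]
```

Running `process_batch(SAMPLE)` accepts only C1 and returns C2, C3 and C4 with the reasons each must be corrected before resubmission.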