
Security Management - Edited

The document discusses implementing secure systems in a business environment. It outlines several frameworks for fostering security systems, including ISO 27001, ISO 27002, and the NIST Cybersecurity Framework. It then discusses best practices for security such as investing in security measures, using external auditing, and providing training to employees. Finally, it outlines key processes for implementing secure systems, like creating an interdisciplinary security team, thoroughly inventorying assets, ensuring regulatory compliance, and evaluating threats, weaknesses, and risks.

Uploaded by Isaack Chirchir


Implementing “Secure Systems”


Introduction

Since a security breach may result in substantial losses of income, legal standing, and reputation, implementing stringent measures to prevent such occurrences is a major operational issue for modern businesses. A company's security environment is the ecosystem in which its operators, roles, systems, and networking applications coexist to provide the safest and most profitable workflow possible. While no security system can prevent every possible attack, steps may be taken to keep a particular workplace safe. To protect effectively against known attacks, it is essential to take a preventative stance and provide real-time, customizable monitoring that can identify and raise the alarm on any deviation from normal behaviour. As such, this paper studies the steps necessary to guarantee the deployment of secure systems in any given context, including all the plans, procedures, and protocols involved.

Frameworks To Foster Security Systems

ISO IEC 27001 and ISO 27002

ISO 27001 is a set of recommendations for the control and audit of information systems security (Kirvan, 2021). This methodology takes a risk-based approach, which requires organizations to implement standards for identifying security risks to their IT infrastructure. ISO 27001 is a risk management framework that suggests specific controls to implement in order to mitigate the identified risks. After identifying potential security threats, a company must decide which preventative measures to implement. Information security policies, organizational controls, and human resource security controls are only a few examples of effective controls for security management.

The ISO 27002 framework, on the other hand, comprises international standards that outline the controls a company should use to manage its information systems' security effectively. Most businesses use both it and ISO 27001 to show that they are serious about meeting the requirements of various laws and regulations. Asset inventory for managing IT assets, access controls for diverse business needs, and operational security controls are only some of the measures integrated within the ISO 27002 framework (Kirvan, 2021).

NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is designed to strengthen defenses against inside and outside attacks on a country's most vital assets. While governments are the primary adopters of this framework, private companies are increasingly using it to bolster their security. Data and information security may be improved by managing risks according to the framework's five core functions: identify, protect, detect, respond, and recover (Kirvan, 2021).

With thorough risk assessment and management procedures, the Identify function helps companies spot potential security threats across asset management, the business environment, and IT governance. The Protect function specifies safeguards for preserving data and IT infrastructure; this category includes access management, education and awareness campaigns, data encryption, information protection policies, and technology maintenance. The Detect function covers the means of spotting anomalies, of which security monitoring tools and network traffic analysis are only a few examples. The Respond function contains recommendations for preparing responses to security events, as well as mitigation methods, communication processes, and actions for bolstering security resilience. As the last step, the Recover function details how a business may bounce back from attacks.

Practices to be Followed

Investing in security measures is the first practice. Smaller companies may be hesitant to invest in a robust security system when weighing the benefits against the costs. Such investment generally entails taking standard precautions, such as using reliable anti-virus and anti-malware software, backing up important data to external devices, and performing routine system checks (Romeo, 2016). The financial and legal consequences of a breach may be avoided if the necessary investment is made sooner rather than later. It is essential to install reliable security software on all company-issued devices. The organization should take data security seriously, and alert workers should report any security concern to the IT department or the information security manager as soon as possible, since the organization may need to provide a patch or fix to address it.

The use of external auditing or verification procedures is the next best practice. This next bit of information may come as a shock: it is not uncommon for data breaches to originate inside an organization, which is why businesses should consider and restrict staff access to sensitive client data. Companies and their workers may be required to keep tabs on consultants or former employees with temporary access to the company's computer network. Remember to disable access for third parties after they complete their tasks (Romeo, 2016).

Last but not least, use training and education. The most successful businesses invest in staff education. Every worker must be familiar with the company's cybersecurity policy and the conduct expected of them and their colleagues; for starters, they should comply with it, and when in doubt they should ask about the policy. Knowing your way around a computer is also helpful. It is beneficial to understand the steps required to give IT access to your devices and certain fundamentals of computer hardware. Having such information at hand helps when contacting support, since they will need fast access to the necessary details to remedy the problem as quickly as possible. Before deciding on a cloud provider for off-site data storage and backup, check with your company's IT department, so that the service can be integrated with the business's existing security measures. As with any company policy, breaking this one might lead to termination.

Processes to Get the System into the Business Environment and Keep the Systems Secure

Creating an information security team is the first step. Getting the proper individuals on board is crucial before diving into the actual work, and the same may be said of how information security systems are designed. The first thing each company needs is a group of experts to analyze security systems. This comprises both the executive staff and the interdisciplinary security group. The process's purpose, objectives, and goals are established by the executive team, which is composed mainly of C-suite executives. It must fund the enterprise security program and the cross-functional security team that will implement it, and it must set the organization's risk thresholds. Asset management, threat analysis, vulnerability assessments, and risk management through policies, procedures, and controls are all part of the everyday security activities that fall within the purview of the interdisciplinary team (Dattatreya, 2008).

The next step is to thoroughly inventory the organization's resources. This step lays vital groundwork, since it is challenging to put in place policies designed to safeguard devices and people without first understanding what needs safeguarding. It requires vigilant management of all hardware devices connected to the network, ensuring that only authorized devices are given access and that any unmanaged devices are located and blocked. Assets are ranked by how valuable the information they contain is and by how much it would cost the business to recreate the asset from scratch (Marotta, 2020).

Deciding on standards and regulatory compliance is another process. Regulations are rules that everyone must follow; businesses must implement security principles and rules to avoid monetary penalties and legal conflicts with regulators and customers. Best practices may be found in standards such as ISO 27001 and the NIST framework. Here, the organization's top management decides which rules and guidelines are necessary for its success (Dattatreya, 2008).

This process also includes evaluating threats, vulnerabilities, and risks. Threats put information resources at risk (Marotta, 2020). It is therefore essential to compile a list of all relevant threats, classify them, and rank them in order of priority. Vulnerabilities are system weaknesses and flaws that might be exploited to compromise the system's security; it is crucial to compile a list of relevant vulnerabilities and prioritize them according to their potential effect on the company. Risks are situations that could lead to unfavorable outcomes for the business, and the existence of threats and vulnerabilities is their primary cause. By warding off potential threats, the business keeps risks at bay. Think about the standards you would hold yourself to.
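As an added example that is not part of this paper, the following Python script shows the asset inventory and risk evaluation steps above in working form: it reconciles a constructed list of authorized devices against devices observed on the network to find unmanaged ones, ranks assets by information value and rebuild cost, and orders a risk register by threat likelihood, vulnerability impact, and asset priority. All device names, addresses, and scores are constructed sample data, and the scoring formula is an assumption of this example, not one the paper or its cited sources prescribe.

```python
"""Asset inventory reconciliation and risk ranking (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    mac: str
    data_value: int    # 1-5: how valuable the information the asset holds is
    rebuild_cost: int  # 1-5: how much it would cost to recreate the asset


# Constructed inventory of authorized, managed devices.
INVENTORY = [
    Asset("file-server", "aa:bb:cc:00:00:01", 5, 4),
    Asset("hr-laptop", "aa:bb:cc:00:00:02", 4, 2),
    Asset("lobby-printer", "aa:bb:cc:00:00:03", 1, 1),
]

# Constructed set of MAC addresses seen on the network (e.g. from DHCP leases).
OBSERVED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:09"}

# Constructed findings: (asset, threat, likelihood 1-5, vulnerability, impact 1-5).
FINDINGS = [
    ("file-server", "ransomware", 4, "missing patches", 5),
    ("hr-laptop", "device theft", 2, "no disk encryption", 4),
    ("lobby-printer", "tampering", 3, "default credentials", 2),
]


def unmanaged_devices(inventory, observed):
    """Devices on the network with no inventory entry: to be located and blocked."""
    known = {asset.mac for asset in inventory}
    return sorted(observed - known)


def asset_priority(asset):
    """Rank an asset by information value plus cost to recreate it (assumed formula)."""
    return asset.data_value + asset.rebuild_cost


def risk_register(inventory, findings):
    """Score each risk as likelihood x impact x asset priority; highest risk first."""
    by_name = {asset.name: asset for asset in inventory}
    rows = []
    for name, threat, likelihood, weakness, impact in findings:
        score = likelihood * impact * asset_priority(by_name[name])
        rows.append({"asset": name, "threat": threat, "weakness": weakness, "score": score})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    print("unmanaged devices:", unmanaged_devices(INVENTORY, OBSERVED))
    for row in risk_register(INVENTORY, FINDINGS):
        print(row)
```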

Conclusion

Information security is an issue for the whole business, not just the information technology (IT) department. The criticality of the information and the business, together with the rising number of security problems and hazards, demands appropriate security management frameworks, methods, and procedures, because of the complexity of the system in which the data lives. A successful strategy for managing security is an organization-wide effort to address issues with the firm's security.



References

Dattatreya, Y. (2008, October 15). Building an enterprise security program in ten simple steps. CIO. https://www.cio.com/article/276130/risk-management-building-an-enterprise-security-program-in-ten-simple-steps.html

Kirvan, P. (2021, December 21). Top 10 IT security frameworks and standards explained. SearchSecurity; TechTarget. https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one

Marotta, L. (2020, April 7). 8 steps to successfully implement the CIS top 20 controls in your organization. Rapid7 Blog. https://www.rapid7.com/blog/post/2020/04/07/8-steps-to-successfully-implement-the-cis-top-20-controls-in-your-organization/

Romeo, C. (2016, March 1). 6 ways to develop a security culture in your organization. TechBeacon. https://techbeacon.com/security/6-ways-develop-security-culture-top-bottom