Assessment of information technology (IT) services and development of issue-specific security policies of a government agency using ISO/IEC 27001:2013 standard

Bibliographic Details
Main Author: Buenaventura, Justin J.
Format: text
Language: English
Published: Animo Repository 2023
Online Access: https://animorepository.dlsu.edu.ph/etdm_comtech/18
https://animorepository.dlsu.edu.ph/context/etdm_comtech/article/1022/viewcontent/Assessment_of_Information_Technology__IT__Services_and_Developmen_Redacted.pdf
Institution: De La Salle University
Description
Summary: The 21st century has seen data emerge as the new oil. The significance of information in making management decisions has increased, making it essential to ensure that it retains the fundamental features of confidentiality, integrity, and availability. Most organizations believe that information security is a technological issue that can be resolved through technology alone. However, it is a comprehensive process that requires risk management, and developing an information security policy is the primary step toward mitigating such risks. This study aims to help a government agency protect its IT services against cyber attacks by developing issue-specific security policies (ISSPs) and a compliance roadmap based on the ISO 27001:2013 standard. The study used the Capability Maturity Model Integration (CMMI) to conduct a gap analysis and a high-level risk assessment to identify the risks that are the basis of the policies developed. Data triangulation validated the conducted interviews, observations, and analysis of presented documents. The project developed twelve (12) ISSPs to mitigate the seven (7) high risks identified, and the policies' applicability, scope, purpose, penalties, effectiveness, coherence, and completeness were assessed through an expert review. The project concludes by providing the compliance roadmap of the agency to ISO 27001:2013 certification based on the standard's Plan-Do-Check-Act (PDCA) cycle. The author recommends completing policies for medium and low risks, implementing policies, and following the compliance roadmap for future work. It also recommends conducting a detailed risk assessment, creating an enterprise information security policy (EISP), and engaging with an accredited certification body for an external audit to achieve ISO 27001 certification.

Keywords: Information Security, ISO 27001:2013, Issue-specific security policies, gap analysis, high-level risk assessment, compliance roadmap