Rhino IT Solutions Security Framework
Essential steps are being taken across Rhino IT Solutions to identify, locate, and protect our most valuable information assets. Information security policies, such as the Institutional Data policy and the Disclosure or Exposure of Personal Information policy, are being implemented to support Rhino IT Solutions' teaching, research, and outreach missions while protecting the privacy of Rhino IT Solutions community members and clients. All of these efforts will soon be joined under the umbrella of the IT Security Framework.
What is the IT Security Framework?
The ISO Security Framework
The Elements of the IT Security Framework
IT Security Framework Terms
The IT Security Framework Training
What is a Security Framework?
An IT Security Framework is the foundation for an effective, enterprise-wide security program. Rhino IT Solutions has adopted the International Standards Organization's (ISO) Information Security Framework, documented as ISO 27001 and 27002.
The ISO Security Framework
The ISO framework covers the processes, policies and procedures used here at Rhino IT Solutions to protect and govern information security. The framework is a method of establishing, implementing, reviewing, maintaining and improving the security programs throughout the Rhino IT Solutions community.
The Elements of the Security Framework
The framework itself covers 11 elements (also called domains) that overlap and interact. These elements encompass various areas of policy and procedure with an emphasis on "best practice" and risk-based assessments. These domains are:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
IT Security Framework Terms
Certain words are commonly used when developing and discussing the IT Security Framework. For your convenience, their meanings, as they relate to this field, are outlined below.
asset: Anything that has value for an organization.
control: A means of managing risk; includes policies, procedures, guidelines, practices or organizational structures that can be administrative, technical, managerial or legal in nature. "Control" is synonymous with "safeguard" or "countermeasure".
guideline: A directive or description that clarifies what should be accomplished, and how, to achieve the objectives set forth in policy.
information security: The preservation of
confidentiality, integrity and availability of information.
policy: The overall intention and direction as
formally expressed by management.
risk: The combination of an event's probability and its consequences.
risk analysis: The systematic use of information to identify sources of risk and estimate the related risk.
risk assessment: The process of risk analysis and risk
evaluation.
risk evaluation: The comparative process in which estimated risk is rated and prioritized based upon its assumed organizational impact.
threat: A potential cause of an unwanted incident,
which may result in harm to a system or organization.
vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats.
The definitions above are adapted from ISO/IEC 27002:2005.