Thursday, 11 April 2019

Comparing recommended practices outlined in the NIST documents and drawbacks


Whitman, in his book Management of Information Security, defines a security best practice as "efforts that seek to provide a superior level of performance in the protection of information". The Federal Agency Security Practices (FASP) recommend a high-level procedure for audit trails to track user activity, as well as a Sample Generic Policy. NIST further recommends controls to protect against viruses (Data Integrity) and describes how incidents should be responded to, for instance using the Agency Computer Incident Response Guide or the Computer Virus Incident Response form.

As a real-life application of these Best Security Practices (BSP), an article on ZDNet by Ken Hess recommended a set of security best practices that fall in line with the NIST BSP. In the article he listed 10 security best practices, which include: data encryption, data certification, data auditing, a removable media policy, malware security, spam filtering, an endpoint security solution, security patch maintenance and user education. When compared to the NIST BSP, there are many similarities. The NIST Best Security Practices can be seen as a "rule of thumb" for an information security expert looking to set up a good security policy for his or her firm.

Five drawbacks to adopting the recommended practices for a typical business.
Some of the disadvantages of the FASPs include:
1. Data loss occasioned by frequent editing of data during the audit trail.
2. Most of the analysis and data on data security in the Data Integrity section of the FASPs are old and need updating, as new viruses keep appearing.
3. The FASP documents are too complex for a layman to understand.
4. Under Logical Access Control, unauthorized access can have devastating effects, as the systems can become subject to malicious activity.
5. There is potential for a conflict of interest occasioned by signing on a risk analyst to perform a risk assessment; and lastly, Security Awareness, Training and Education is less effective when the organization is less security aware.
References

NIST Web Archive (2015). FASP archive. Retrieved from http://csrc.nist.gov/groups/SMA/fasp/archive.html

