
Security policy frameworks

  • Post category: Policy

Introduction

Our organization prides itself on partnering with the Department of Defense to deliver policy framework solutions. The management and control of information security risks is an integral part of good corporate governance, and the DoD is no exception. Information security activities should be coordinated throughout the department to ensure consistent application of the security principles, axioms and policy statements. Effective IT security policies are the backbone of any enterprise security program, as they provide a framework and support mechanism for managing technologies, maintaining order and achieving organizational goals. They also help minimize threats, prevent security breaches and assist employees in managing risks effectively.

  #  | DoD Security Policy                                   | Business considerations
  ---|-------------------------------------------------------|--------------------------------------------------------------------------------
  1  | Organization of Information Security                  | Set up DoD IT security policies
  2  | Information Systems Acquisition, Dev and Maintenance  | Integration of physical and logical aspects of security
  3  | Information Security Incident Management              | Maintaining Confidentiality, Integrity and Availability of sensitive information

Setting up DoD IT security policies

Policies and procedures establish guidelines for behavior and business processes in accordance with the DoD’s strategic objectives. While typically developed in response to legal and regulatory requirements, their primary purpose should be to convey accumulated wisdom on how best to get things done in a low-risk, efficient and compliant way. Within the DoD, policy non-compliance arises from:

  • Poorly worded policies
  • Badly structured policies
  • Out-of-date policies
  • Inadequately communicated policies
  • Unenforced policies

External factors that affect policies are evolving all the time. For example, technological advances may lead to information security policies and procedures becoming obsolete. Additionally, changes in the law require operational policies to be frequently adjusted. Typically, most “policy” documents are lengthy, onerous, and largely unreadable. Many are written using complex jargon, and most contain extraneous content that would be better classed as procedures, standards, guidelines, and forms.

Integration of physical and logical aspects of security

Currently, security initiatives involve guarding buildings and equipment as well as protecting networks, dealing with privacy issues, and managing risk. Given the interrelated nature of these initiatives, it is important to bring about a convergence between physical and logical systems. For most organizations, physical access systems and logical access systems have operated as two independent structures run by completely separate departments. Logical access, which grants admission to the IT infrastructure such as the intranet/internet, mail servers, web servers, and database applications, was run by the IT department. The facilities department controlled physical access systems, which include the employee badging process, door access to the buildings, and life support systems. Therefore, our business considerations will focus on the convergence of logical and physical security, which brings significant benefits, specifically identifying areas where the two can interconnect to the greatest positive effect for the DoD.

Maintaining Confidentiality, Integrity and Availability of sensitive information

The CIA triad is a fundamental concept in security. Ensuring that all three facets of the CIA triad are protected is an important step in designing any secure system. A key component of protecting information confidentiality is encryption, which ensures that only the right people (those who know the key) can read the information. As with confidentiality, cryptography plays a major role in ensuring data integrity. A commonly used method to protect data integrity is to hash the data received and compare it with the hash of the original message. Information only has value if the right people can access it at the right times; denying access to information has become a very common attack.
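The integrity check the paragraph describes, worked through in code. This is an added example written for this page, not code from the original post; the message, the tampered copy and the key are constructed for the demonstration. It shows the plain hash-and-compare method, and then goes one step further than the paragraph: when the hash travels with the data rather than over a separate trusted channel, anyone who can alter the data can recompute the hash, so a keyed hash (HMAC) is used instead. Comparisons use a constant-time function so the check itself does not leak timing information.

```python
import hashlib
import hmac

# Constructed sample message and a tampered copy (not from the original post).
ORIGINAL_MESSAGE = b"Transfer authorization: account 1001, amount 250.00"
TAMPERED_MESSAGE = ORIGINAL_MESSAGE.replace(b"250.00", b"2500.00")


def sha256_digest(data: bytes) -> str:
    """Hash of a message, as a sender would publish it out-of-band."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok_by_hash(received: bytes, published_hash: str) -> bool:
    """The method from the paragraph: hash what arrived and compare it with the
    hash of the original. This only protects integrity when published_hash
    reached the verifier over a channel the data itself did not travel on."""
    return hmac.compare_digest(sha256_digest(received), published_hash)


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: a keyed hash. Without the key, a modified message
    cannot be given a matching tag, so the tag may travel with the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def integrity_ok_by_hmac(key: bytes, received: bytes, received_tag: str) -> bool:
    """Recompute the tag over the received bytes and compare in constant time."""
    return hmac.compare_digest(make_tag(key, received), received_tag)


def run_checks(key: bytes) -> dict:
    """Exercise both methods on the constructed messages and report results."""
    published_hash = sha256_digest(ORIGINAL_MESSAGE)
    tag = make_tag(key, ORIGINAL_MESSAGE)
    return {
        # Hash published separately: tampering is detected.
        "hash_accepts_original": integrity_ok_by_hash(ORIGINAL_MESSAGE, published_hash),
        "hash_rejects_tampered": not integrity_ok_by_hash(TAMPERED_MESSAGE, published_hash),
        # Hash travelling with the data: a recomputed hash passes, so the
        # unkeyed check gives no protection on that channel.
        "unkeyed_hash_in_band_passes": integrity_ok_by_hash(
            TAMPERED_MESSAGE, sha256_digest(TAMPERED_MESSAGE)
        ),
        # Keyed tag travelling with the data: tampering is still detected.
        "hmac_accepts_original": integrity_ok_by_hmac(key, ORIGINAL_MESSAGE, tag),
        "hmac_rejects_tampered": not integrity_ok_by_hmac(key, TAMPERED_MESSAGE, tag),
    }


if __name__ == "__main__":
    # Constructed shared secret for the demonstration; a real deployment would
    # provision this through the organization's key management process.
    demo_key = b"\x01" * 32
    for name, outcome in run_checks(demo_key).items():
        print(f"{name}: {outcome}")
```

The `unkeyed_hash_in_band_passes` result is the caveat a reviewer of a policy would want recorded: a requirement that "data is hashed and the hash compared" is only meaningful if the policy also states where the reference hash comes from, or mandates a keyed construction such as HMAC.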

Conclusion

Our organization is continuously innovating to provide next-generation information security services that can protect the DoD and its entire value chain, end-to-end. Our proven approaches to diagnosis and our roadmaps will help the DoD gain confidence in its plans to reduce risks and enhance digital trust. Our business-centric, enterprise-wide security strategies and operating models will help the DoD define a security program that covers governance, processes, technologies, and crisis management.