Adel J. Shtayyeh
IT-NIS
TABLE OF CONTENTS
01 Information Security Policies.
02 Organization of Information Security.
03 HR Security Management.
04 Asset Management.
05 Access Control.
06 Cryptography.
07 Physical and Environmental Security.
08 Operations Security.
09 Communications Security.
10 Information Systems Acquisition, Development and Maintenance.
11 Supplier Relationships.
12 Information Security Incident Management.
13 Business Continuity.
14 Compliance Management.
Information Security Policies
• An information security policy is a set of policies issued by an organization to ensure that all information technology users within the domain of the organization or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the network or within the organization's boundaries of authority.
• Focus on:
  ○ information security requirements;
  ○ laws and regulations;
  ○ the need to align policy with organization objectives.
Organization of Information Security
• Focus on establishing a management framework to initiate and control the implementation and operation of information security within the organization.
• Ensure the security of teleworking and the use of mobile devices.
HR Security Management
• Focus on integrating security into the employee lifecycle, agreements and training.
“In the article on Security Organization Management, we discussed the importance of assigning the responsibility of day-to-day information security tasks to a person (or ideally, to a team of people). But how do you know when you’ve found the right person for the job? An important first step is to document your information security job descriptions.”
In my experience, there are three (3) types of information security professionals:
• People-oriented
• Process-oriented
• Technology-oriented
Asset Management
• Identify organizational assets and define appropriate protection responsibilities.
• Ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
• Prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
Access Control
• Focus on managing authorized access and preventing unauthorized access to information systems.
• ISO 27002:2013 Section 9
• NIST:
  ○ SP 800-41: Guidelines on Firewalls and Firewall Policy
  ○ SP 800-46: Guide to Enterprise Telework and Remote Access Security
  ○ SP 800-77: Guide to IPsec VPNs
  ○ SP 800-113: Guide to SSL VPNs
  ○ SP 800-114: User’s Guide to Securing External Devices for Telework and Remote Access
  ○ SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)
Cryptography
• Focus on proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
• ISO 27002:2013 Section 10
• NIST:
  ○ SP 800-57: Recommendation for Key Management, Parts 1, 2 and 3
  ○ SP 800-64: Security Considerations in the System Development Life Cycle
  ○ SP 800-111: Guide to Storage Encryption Technologies for End User Devices
Physical and Environmental Security
• Focus on designing and maintaining a secure physical environment to prevent damage and unauthorized access.
• ISO 27002:2013 Section 11
• NIST: SP 800-12, SP 800-14, SP 800-88, SP 800-100
Operations Security
• Focus on data center operations, integrity of operations, vulnerability management, data loss and evidence-based logging.
• ISO 27002:2013 Section 12
• NIST:
  ○ SP 800-40: Creating a Patch and Vulnerability
  ○ SP 800-42/115: Guideline on Network Security Testing
  ○ SP 800-83: Guide to Malware Incident Prevention
  ○ SP 800-92: Guide to Computer Security Log Management
  ○ SP 800-100
Communications Security
• Focus on the protection of information in transit.
• It covers internal and external transmission as well as internet-based communication.
• ISO 27002:2013 Section 13
• NIST:
  ○ SP 800-45: Guidelines on Electronic Mail Security
  ○ SP 800-92, SP 800-14
Information Systems Acquisition, Development and Maintenance
• Ensure that information security is an integral part of information systems across the entire lifecycle.
• ISO 27002:2013 Section 14
• NIST:
  ○ SP 800-23: Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
Supplier Relationships
• Focus on service delivery and third-party security requirements.
• ISO 27002:2013 Section 15, added in 2013.
• There is a corresponding NIST Special Publication for it.
Information Security Incident Management
• Focus on a consistent and effective approach to the management of information security incidents, including detection, reporting, response, escalation and forensic practices.
• ISO 27002:2013 Section 16
• NIST:
  ○ SP 800-61: Computer Security Incident Handling Guide
  ○ SP 800-83
  ○ SP 800-86: Guide to Integrating Forensic Techniques
Business Continuity
• Information security continuity should be embedded in the organization’s business continuity management systems to ensure availability of information processing facilities.
• ISO 27002:2013 Section 17
• NIST:
  ○ SP 800-34: Contingency Planning Guide for Information Technology Systems
  ○ SP 800-84: Guide to Test, Training and Exercise Programs for Information Technology Plans and Capabilities
Compliance Management
• Focus on avoiding breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
• ISO 27002:2013
• NIST:
  ○ SP 800-60: Security Categories, Volumes 1 & 2
  ○ SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability
  ○ SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information
Security domains