Friday, September 20, 2019
DSDM and Information Security Management Standards ISO 27001
Abstract

This report presents two different topics related to information technology, specifically Dynamic Systems Dynamic Modelling and ISO 27001. The first part of this paper discusses the advantages and disadvantages, relevant case histories and potential issues of the two topics. This section also includes reflection on issues of socially responsible computing. The second part reflects on the relevance of the content of the assignment and unit, while the last part concludes the topics presented. Both of these systems have their own purposes, and implementing these standards and methods often provides benefits to the organizations involved. DSDM focuses on how software is developed, while ISO 27001 ensures that information security protection is in place within the organization. On the other hand, computer professionals, as well as organizations that focus on information technology, must also consider the disadvantages presented by these methods and standards before incorporating them within organizational processes.

1. Introduction

This report will present two different topics related to information technology, specifically Dynamic Systems Dynamic Modelling and ISO 27001. The first part of this paper will discuss the advantages and disadvantages, relevant case histories and potential issues of the two topics. This section will also include reflection on issues of socially responsible computing. The second part reflects on the relevance of the content of the assignment and unit, while the last part will conclude the topics presented.

2. DSDM

2.1 Advantages and disadvantages

The DSDM or Dynamic System Dynamic Modelling method serves as an effort to define an industry standard for IT systems development. This approach provides an iterative, product-centred procedure model that is employed to establish the target incrementally. This method is also a user-centred technique, mainly based on combining user input throughout the entire software development process (Lind 2001). However, DSDM was not created as a general-purpose technique, but rather as a specialized process for specific business applications in which most of the functionality of the system can be accessed through its user interface. In addition, the functions of the target system must be decomposable into several sub-functions, and the technique can only be applied when the groups of designated users are already identified and available to the development team (Lind 2001).

The advantages of DSDM are that it is more formal than usual prototyping techniques and that it is independent of specific tools and techniques. This method provides a technique-independent process and is adaptable to changing requirements. It also enforces strict time and budget adherence and considers stakeholders throughout the development process (University of Ottawa 2008). In addition, DSDM supports institutional learning, an aspect often disregarded by other approaches (Lind 2001).

One of the disadvantages of DSDM is that it is only appropriate for a particular class of applications and, because of its heavy reliance on user interaction, it needs a specific institutional framework for the software development process (Lind 2001). DSDM also involves progressive development of requirements, and its emphasis on RAD may result in a decline in code robustness. This method also needs full commitment to the process and considerable user involvement. DSDM also needs a development group skilled in both technical and business areas (University of Ottawa 2008).

2.2 Relevant case histories

During the early 1990s, a new phrase, 'Rapid Application Development', was introduced within the IT industry. RAD is designed differently from the Waterfall techniques for application development. Clearly, RAD emerged because of the frustrations of users and IT people alike with approaches that were considered unsuitable for a rapidly moving business environment. On the other hand, RAD developed as a movement in an unstructured manner, since the people involved did not create a generally accepted definition of a RAD process, and various vendors and consultants created their own interpretations and approaches (The History of DSDM Consortium). In 1993, momentum in the marketplace was increasing, with an expanding number of RAD tools and vendors repositioning their products to satisfy the growing demand from RAD customers. However, each customer had their own specific needs in terms of development process. These forecast requirements gave rise to the development of DSDM Version 1. The group has improved DSDM by releasing different versions (The History of DSDM Consortium).

DSDM has been providing solutions for companies that have been experiencing problems with software delivery. One good example is the Online Computer Library Centre (OCLC). When they employed DSDM, the operation of OCLC improved. Their teams tailored it to work better for the organization's needs and implemented additional tools and techniques (DSDM Case Study n.d.).

2.3 Reflection on issues of socially responsible computing

Even though IT developers are aware of the issues regarding disabilities, only a few of them have taken steps to support disadvantaged people. If an organization supports employees and customers who are disadvantaged, then, as service providers, the software developers should create programs that cater to their respective needs (Shneiderman 1992). They could also develop software intended for community communications and improve software intended to support entrepreneurs. Software development, whether for personal computers, mobile phones or any other relevant electronic devices, should also focus on satisfying the needs of minorities, the elderly and other disadvantaged communities (Shneiderman 1992).

2.4 Potential issues in the future (five years ahead)

Given the constant emergence of new IT programs and the changing needs of customers and organizations, five years ahead DSDM might either become an obsolete system or decrease in value for the organizations that use it. Other systems might emerge that are more effective than DSDM (Guidelines for Introducing DSDM to the Organization 1998). However, assuming that DSDM does not become obsolete because it adapts to the changing trends of its industry, the potential issue that a company will face is the training and education of its existing development team. Since DSDM would have to undergo the necessary changes, the organization would need to provide training and education to its development team (Guidelines for Introducing DSDM to the Organization 1998).

3. Information Security Management standards ISO 27001

3.1 Advantages and disadvantages

ISO/IEC 27001 applies to all forms of organizations, including government agencies, not-for-profit organizations and commercial firms. It presents requirements for implementing, developing, operating, monitoring, assessing, sustaining and enhancing a documented Information Security Management System, considering the organization's business risks. It presents standards for establishing security controls tailored to the needs of individual firms or their divisions. Certifying an ISMS can bring various benefits for firms (ISO/IEC 27001 Information Security 2010). ISO 27001 provides independent assurance of the organization's internal controls and satisfies business community and corporate governance standards. It is also effective for firms that handle information on behalf of other parties, such as IT outsourcing firms. It assures customers that their information is fully secured. ISO 27001 demonstrates that applicable policies and relevant rules are adhered to, and gives a competitive edge by satisfying contractual requirements and proving to the organization's customers that the security of their information is of the highest priority (ISO/IEC 27001 Information Security 2010). These standards independently assure that organizational risks are appropriately identified, evaluated and supervised, while formalizing information security procedures and documentation. Following these standards signifies that the organization is fully committed to assuring the security of information. Regular assessment encourages the organization to monitor its performance and improve further (ISO/IEC 27001 Information Security 2010).

One of the few disadvantages of ISO certification, however, is that the organization may focus too much on the certification and give less attention to other necessary aspects of the business, for example creating a good working environment that intrinsically motivates the people involved within the organization. Although improving systems leads to better services, organizations tend to focus on the subsequent audits and assessments but may ignore the 'human aspect' of the business, for example by not giving incentives to the people who did the job well, since the budget is concentrated on improving the systems to acquire the certification (Advantages and Disadvantages of ISO Certification 2010).

3.2 Relevant case histories

ISO 27001 served as the replacement for BS7799-2, which has been withdrawn. This standard for the ISMS matches ISO 17799 and is compatible with ISO 4000 and ISO 9001 (PC History n.d.). Different organizations have implemented ISO 27001 and reaped a significant number of benefits. One good example is the Cambridgeshire Fire and Rescue Service. After implementing guidelines and processes towards acquiring ISO 27001, the agency's security environment improved and it now has greater transparency. ISO 27001 also provided the agency with stronger rules and operational processes. The agency also serves as a role model for other organizations, whether for-profit or not-for-profit. It also ensures good corporate governance within the organization (ISO 27001 Case Study n.d.).

3.3 Reflection on issues of socially responsible computing

Some public agencies and non-governmental organizations, as well as investment analysts, function as critics and evaluators of organizations to ensure that minimum standards are implemented within the workplace and that workers are treated equally. While ISO 27001 ensures transparency within the organization, public agencies, NGOs and employees are increasingly assessing organizations' dedication to ensuring a fair and equitable working environment, and this trend signifies that every organization must not only adhere to ISO certification but also demonstrate social responsibility (SA 8000 Social Accountability 2010). An organization that implements socially responsible computing enhances its brand image and reputation and becomes more effective in attracting new customers. Social accountability also attracts ethical investment, demonstrates transparency to stakeholders and improves employee morale and effectiveness (SA 8000 Social Accountability 2010). Therefore, social accountability reinforces the benefits provided by ISO 27001.

3.4 Potential issues in the future (five years ahead)

Potential issues that the ISMS will clearly face are the never-ending evolution of worms, viruses, Trojan horses, spyware and malware. No one knows how these problems may evolve and become more serious, such that the security programs implemented might find it hard to prevent them from entering and damaging computer systems. Even though antivirus programs do a great job of protecting computers, new viruses that have not yet been recognized by antivirus programs can enter and damage computer programs, as the Melissa worm and the Love Bug did (Love Bug Virus 2007).

5. Reflection on the relevance of the content of the assignment and unit

The content provided, as well as the unit itself, can serve as guidance for researchers and students who are planning to develop potential security standards, software development methods or even software. As part of the information technology curriculum, professors require students to create theses or projects related to software or security standards. IT professionals also engage in similar endeavours. Developing software clearly requires a systematic structure, while establishing security standards must rely on existing standards, with modifications to satisfy the needs of clients and to adapt to the changing trends of security threats.

6. Conclusion

The DSDM or Dynamic System Dynamic Modelling method serves as an effort to define an industry standard for IT systems development. This approach provides an iterative, product-centred procedure model that is employed to establish the target incrementally. ISO/IEC 27001 applies to all forms of organizations, including government agencies, not-for-profit organizations and commercial firms. It presents requirements for implementing, developing, operating, monitoring, assessing, sustaining and enhancing a documented Information Security Management System, considering the organization's business risks. Both of these systems have their own purposes, and implementing these standards and methods often provides benefits to the organizations involved. While DSDM serves as a technique-independent process that is adaptable to changing requirements, ISO 27001 independently assures that organizational risks are appropriately identified, evaluated and supervised, while formalizing information security procedures and documentation. DSDM focuses on how software is developed, while ISO 27001 ensures that information security protection is in place within the organization. On the other hand, computer professionals, as well as organizations that focus on information technology, must also consider the disadvantages presented by these methods and standards before incorporating them within organizational processes. DSDM also involves progressive development of requirements, and its emphasis on RAD may result in a decline in code robustness. This method also needs full commitment to the process and considerable user involvement. DSDM also needs a development group skilled in both technical and business areas; otherwise the organization might need to hire additional staff to fill the gaps. Organizations that aim to acquire certification sometimes ignore other important aspects of the business, such as social responsibility and the 'human aspects' of the business.