Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies

The following three case studies review how to develop or implement a policy framework. You will look at cases from the private sector and the public sector.

Private Sector Case Study 1

The Cyprus Shipping Chamber wanted to address the security requirements of smart shipping. Having digital records, interconnected ships, and electronic data exchange increased the efficiency of shipping, but also increased risk.1

In order to facilitate addressing these new security challenges, the company employed a case study approach. It took a case study of a specific subset of the company and used that as a template to study security. This can be an effective way to examine security policies. The approach includes:

  • Framing specific organizational concerns so they could be examined effectively
  • Examining each organizational security concern using a scenario
  • Taking that information to facilitate development of security policies

Private Sector Case Study 2

During an internal review, American Imaging Management (AIM) decided it needed to improve its due diligence practices. AIM decided to expand its corporate security program. The company began by performing a risk assessment on its current security program.

The assessment used the ISO 27001 gap assessment methods. When complete, AIM delivered a recommended course of action. These activities were intended to address and remediate areas that were either under- or overcontrolled.

Using the Plan-Do-Check-Act cycle from the ISO standards, AIM’s activities included:

  • Defining more detailed roles and responsibilities
  • Identifying all relevant security requirements (legislative, regulatory, and contractual)
  • Defining all supporting policies, standards, and procedures
  • Defining and establishing a security awareness program
  • Expanding the organization’s vulnerability management program
  • Collaborating with the business continuity/disaster recovery (BC/DR) team to integrate security program objectives
  • Improving the incident response program
  • Implementing an internal security control audit program

By the end of the project, AIM was able to create a road map for building a security program that could be registered to the ISO 27001 standard.

Public Sector Case Study

To improve security in California’s IT infrastructure, the Office of the State Chief Information Officer (OCIO) issued a new policy that includes employee remote access security standards for working from home or off-site. The policy also requires that state agencies complete a compliance form.

The policy was issued to help state agencies develop secure remote access for employees and minimize security risks. The corresponding standard highlights important measures that IT agencies must adopt to certify their remote access programs. It includes controls related to the use of up-to-date operating system software and security software for every remote connection.

The standard also requires that all computing equipment connected to the state’s IT infrastructure network for remote access purposes be state-owned and securely configured. Remote access users can only connect through secure encrypted channels—virtual private networks—authorized by agency management. The security measures also apply to paper files and mobile devices like tablets and smart phones.

According to the information policy letter, agency heads must comply with the following:

  • Make sure authorized users permitted to use remote access are trained for their roles and responsibilities, security risks, and the requirements in the standard
  • Adopt and implement the requirements in the standard and certify their agency’s compliance
  • Annually complete and submit the Agency Telework and Remote Access Security Compliance Certification form to the Office of Information Security

California was among the first governments in the country to establish enterprise-wide policies for remote access, joining states such as Virginia and Arizona, and the federal government.
