Comparing DoD 5200.01 and ISO 27001 Standards
By: Randall Lewis
Information security standards are key to strengthening an organization and maintaining the Confidentiality, Integrity and Availability of a system. I will identify, compare and contrast the information security standards of my organization, the Defense Intelligence Agency, against those of the ISO (International Organization for Standards). I will start by identifying DoD 5200.01, which is the “DoD Information Security Program and Protection of Sensitive Compartmented Information” (DoD 5200.01, 2011).
The primary purpose of DoD 5200.01 policy 4-D is to make sure that “National security information shall be classified, safeguarded, and declassified in accordance with national level policy issuances.” Setting this up at the outset makes sure that the proper type and amount of information will be available to those with the proper security level to see it. Information will be declassified when it is determined that it no longer requires classification, except in certain situations that do not allow for it. The reasons are: the information violates the law, embarrasses a person, restrains competition, or is not in the interest of national security.
DoD 5200.01 goes on to specify that the volume of classified material will be kept to the minimum necessary. This ensures there is not an overflux of classified papers, which would make certain information gathering a challenge. Information will be released and safeguarded in accordance with DoD 5220.22.
The final part of this section states that safeguarding will be consistent with “applicable laws, partnerships with appropriate DoD, government, industry, professional, academic, and international organizations” (DoD 5200.01, 2011). This is done for the continual improvement of security and to make the program better.
As for the responsibilities of the Director of the Defense Intelligence Agency, Enclosure 2 of the Responsibilities section states that the Director will administer SCI security policies within the DoD. For example, some duties include inspecting and accrediting DoD contract facilities for all issues with SCI (Sensitive Compartmented Information). The Director will also share information within the DoD security services, and will monitor and maintain the SCI security awareness and educational programs within the DoD (DoD 5200.01, 2011).
I will now compare this policy with the ISO standard. Section 6.1.2 centers on Information Security Coordination. It compares with the coordination in the DoD policy in that the different groups are notified and coordinated with. It states that “Typically, information security coordination should involve the cooperation and collaboration of managers, users, administrators, application designers, auditors and security personnel, and specialist skills in areas such as insurance, legal issues, human resources, IT or risk management” (ISO 27001, 2011). The reporting section on the DIA Director states that “when appropriate, the director of the DIA will share information of mutual interest with the directors of the Defense Security Service and Defense Contract Management Agency” (DoD 5200.01, 2011). This shows a comparison in both sections: the coordination of information shall be shared and not kept with one group or organization. This policy is useful in the continuance of any organization in its growth.
DoD policy 4-A states that “National security information shall be classified, safeguarded, and declassified in accordance with national level policy issuances” (DoD 5200.01, 2011). This is a way to protect the information by classifying documents at levels so that only certain levels can access the information. The ISO document, in section 11.2 User Access Management, states under “Control” that “There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services” (ISO 27001, 2011). This is a comparison in that the information needs to have a classification level and one needs to be granted access to the information. Classified information has different levels, i.e., Secret and Top Secret, and these documents can only be viewed by a person with the correct security level and access level. This is important in the dissemination of the information and keeps it as secure as possible.
As far as reporting incidents and weaknesses in security, both policies have similar approaches. In the DoD policy under Responsibilities, the DIA Director will “issue reports detailing any deficiencies noted and corrective action required” (DoD 5200.01, 2011). This represents the responsibility of the Director/Management of the organization, and there is in effect a policy to report these weaknesses and fix them. The ISO standard has a similar provision with respect to management. Section 13.2.1 states that “Management responsibilities and procedures should be established to ensure a quick, effective, and orderly response to information security incidents,” along with guidelines for information security incident management procedures (ISO 27001, 2011). Like the DoD standard, this puts the burden of reporting and fixing a security weakness on the top or head of an organization. This responsibility makes sure that the incidents will be handled and only strengthens the organization that follows this standard.
In conclusion, the DoD policy and the ISO standard are similar in their classification of information and in their reporting and strengthening of weaknesses in the systems. These standards will only continually improve an organization's security standard.