Comparisons of Information Security Management Frameworks
Module 1 Case Assignment
ITM517: Information Security Overview for Managers and Policy Makers
Dr. Kiet Tuan Tran
October 20, 2012
Introduction
For businesses to keep pace with the latest technology and threats, and to remain in compliance with current and future regulations or policies, they need effective management of information security in their organization. Information Security Management Frameworks are based on existing accepted standards, guidelines, and collections of practices that should be implemented in an IT department. I will discuss some frameworks of information security management, their pros and cons, some major perspectives to consider in information security management, and the benefits of information security management frameworks.
Information Security Management Frameworks
NIST SP 800-137 and SP 800-39 introduce an organization-wide Information Security Continuous Monitoring (ISCM) and risk management framework. ISCM is a strategy that uses a three-tiered approach (organization level, mission/business level and information system level). ISCM helps maintain ongoing awareness of information security, ensures that organizational security practice reflects the organization's risk tolerance, and helps ensure that accurate, up-to-date information is available, through the use of automation, to enable timely risk management decisions. An ISCM strategy might not take all controls into account, thus presenting an incomplete picture of an organization's security status and risk. Automation may not cover every control; controls that cannot be automated still need to be monitored and assessed, and they still need to be considered in making the right risk/security decision. Another disadvantage is that risk scores may not be comprehensive because no information is available on certain risks. Also, automated
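The coverage gap described above (automation reporting only the controls it can see, so the risk score looks better than it is) can be made explicit in an ISCM posture summary. The following is an added example, not code from the paper or from NIST; control identifiers follow the SP 800-53 naming style, the tiers follow SP 800-39, and all statuses and weights are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the paper): a minimal ISCM posture summary that keeps
# controls the automation cannot see visible, instead of silently dropping them.

@dataclass
class Control:
    control_id: str          # illustrative SP 800-53 style identifier
    tier: str                # "organization", "mission" or "system" (SP 800-39 tiers)
    automated: bool          # True if an ISCM tool can collect its status
    status: Optional[str]    # "pass" / "fail"; None = no assessment result yet
    weight: int              # relative impact if the control is failing

def automated_only_score(controls):
    """Naive score: sums weights of failing controls that automation reported.
    Controls with no result contribute nothing, so the score understates risk."""
    return sum(c.weight for c in controls if c.automated and c.status == "fail")

def iscm_posture(controls):
    """Score with the gap made explicit: known risk, unassessed risk and coverage."""
    known_fail = sum(c.weight for c in controls if c.status == "fail")
    unassessed = [c for c in controls if c.status is None]
    assessed = len(controls) - len(unassessed)
    return {
        "known_risk": known_fail,
        "unassessed_risk": sum(c.weight for c in unassessed),   # risk we have no data on
        "coverage": round(assessed / len(controls), 2) if controls else 0.0,
        "unassessed": sorted(c.control_id for c in unassessed),  # needs manual assessment
    }

# Constructed sample: two controls fed by automation, three that need a person.
SAMPLE_CONTROLS = [
    Control("AC-2", "system", True, "pass", 3),          # account management
    Control("SI-2", "system", True, "fail", 5),          # flaw remediation
    Control("AT-2", "organization", False, None, 2),     # awareness training, not yet assessed
    Control("PE-3", "system", False, None, 4),           # physical access, not yet assessed
    Control("PS-3", "organization", False, "pass", 2),   # personnel screening, assessed by hand
]

if __name__ == "__main__":
    print("automated-only score:", automated_only_score(SAMPLE_CONTROLS))  # 5
    print("full posture:", iscm_posture(SAMPLE_CONTROLS))
```

The automated-only score of 5 hides 6 points of unassessed weight on controls that only a person can evaluate, which is exactly the incomplete picture the paragraph warns about.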
References:
NIST (2011). Managing Information Security Risk: Organization, Mission and Information System View. National Institute of Standards and Technology Special Publication 800-39.
NIST (2011). Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. National Institute of Standards and Technology Special Publication 800-39.
Johnson, L. A. (14 December 2010). Information Security Continuous Monitoring (Ongoing Monitoring in Support of Organizational Risk Management). http://csrc.nist.gov/groups/SMA/forum/documents/Forum-121410-Continuous-Monitoring-AJohnson.pdf
Business Software Alliance (BSA). Information Security Governance: Toward a Framework for Action.
ISACA. Defining Information Security Management Position Requirements. http://raw.rutgers.edu/docs/wcars/20wcars/ISACA/CONTECSI/Defining%20Info%20Sec%20Management.pdf