Comparisons of Information Security Management Frameworks
Today’s economy depends on the secure flow of information within and across organizations, which makes information security an issue of vital importance. A secure and trusted environment for stored and shared information greatly enhances consumer benefits, business performance and productivity, and national security. Conversely, an insecure environment creates the potential for serious damage to governments and corporations that could significantly undermine consumers and citizens. The stakes are particularly high for businesses engaged in critical activities, such as electrical power generation, banking and finance, or healthcare.
It can be very overwhelming for a business when faced with the challenges of running an information security program. How can security professionals organize and prioritize their efforts in order to build and maintain an information security program when there are so many areas to address (e.g., encryption, application security, and disaster recovery)? Then there is the complication of compliance with regulatory requirements such as HIPAA, PCI DSS and Sarbanes-Oxley, just to name a few.
An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment. These frameworks are basically a "blueprint" for building an information security program to manage risk and reduce vulnerabilities. Information security pros can utilize these frameworks to define and prioritize the tasks required to build security into an organization (Granneman, J.).
The Information Security Management Framework has been derived from a structured collection of independent guidelines, processes and practices, and primarily from the Information Security Management System standard (ISO 27001). It is part of the overall Information Technology Authority (ITA) standards framework that ensures the protection of information assets from unauthorized access to or modification of information. It protects against the denial of service to authorized users and the provision of service to unauthorized users. The framework reflects the practices of an initial community of high-performing organizations, so both business and government organizations can implement it with the practices they choose or are required to use for their market sector and country.
Project Benefits (ita.gov.om):
* Creates a secure and organized working environment
* Protects information and information assets
* Reduces internal and external security breaches
* Creates confidence among staff and clients when running business operations
* Integrates disaster recovery / business continuity
* Prevents an information security incident from occurring
* Detects an incident occurring and measures its effects
* Responds to an incident and minimizes business damage
* Embeds continuous improvement in information security processes
* Complies with rules, laws and regulations
Frameworks are often customized to solve specific information security problems, just like building blueprints are customized to meet their required specifications and use. There are frameworks that were developed for specific industries as well as different regulatory compliance goals. They also come in varying degrees of complexity and scale. However, you will find that there is a large amount of overlap in general security concepts as each one evolves (Granneman, J.).
Some of the most popular frameworks are (Granneman, J.):
* ISO 27000 Series
* NIST SP 800 Series
Control Objectives for Information and Related Technology (COBIT) is a framework for developing, implementing, monitoring and improving information technology (IT) governance and management practices. This framework started out reducing technical risks in organizations, but has evolved recently...
References:
Goetz, E. and Johnson, M. E. Embedding Information Security into the Organization. Retrieved from www.tuck.dartmouth.edu/cds-uploads/publications/pdf/SecurityOrg.pdf
Granneman, J. IT Security Frameworks and Standards: Choosing the Right One. Retrieved from http://searchsecurity.techtarget.com/tip/IT-security-frameworks-and-standards-Choosing-the-right-one
Information Security Governance: Toward a Framework for Action. Retrieved from https://www.cccure.org/Documents/Governance/governance.pdf
Information Security Management Framework. Retrieved from http://www.ita.gov.om/ITAPortal/Government/Government_Projects.aspx?NID=2