Preview

Comparisons of Information Security Management Frameworks

Satisfactory Essays
Open Document
Open Document
721 Words
Grammar
Grammar
Plagiarism
Plagiarism
Writing
Writing
Score
Score
Comparisons of Information Security Management Frameworks
Trident University
Comparisons of Information Security Management Frameworks
Module 1 Case Assignment

ITM517: Information Security Overview for Managers and Policy Makers
Dr. Kiet Tuan Tran
October 20, 2012

Introduction For businesses to keep pace with the latest technology, threats and to remain in compliance with current and future regulations or policies need to have effective management of information security in their organization. Information Security Management Frameworks are based on existing accepted standards, guidelines, and collections of practices that should be implemented in an IT department. I will discuss some frameworks of information security management, their pros and cons, some major perspectives to consider in information security management and the benefits of information security management frameworks.
Information Security Management Frameworks NIST SP 800-137 and 800-39 introduces an organization-wide Information Security Continuous Monitoring (ISCM) and Risk Management framework. ISCM is a strategy that uses a three-tiered approach (organization level, mission / business level and information system level). ISCM helps maintain ongoing awareness of information security and ensures that organizational security practice reflects the organization’s risk tolerance and helps ensure that accurate, up-to-date information is available to enable timely risk management decisions through the use of automation. ISCM strategy might not take into account all the controls thus presenting an incomplete picture of an organization's security status and risk. Automation may not take all controls into account that cannot be automated still need to be monitored and assessed. These controls that cannot be automated still need to be considered in making the right risk / security decision. Another disadvantage is that risk scores may not be comprehensive due to having no information on certain risks. Also, automated


References: NIST (2011), Managing Information Security Risk -- Organization, Mission and Information System View, National Institute of Standards and Technology Special Publication 800-39. NIST (2011), Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. National Institute of Standards and Technology Special Publication 800-39. Johnson, L. A. (14 December 2010) Information Security Continuous Monitoring (Ongoing Monitoring in Support of Organizational Risk Management. http://csrc.nist.gov/groups/SMA/forum/documents/Forum-121410-Continuous-Monitoring-AJohnson.pdf Business Software Alliance (BSA). Information Security Governance: Toward a Framework for Action. ISACA. Defining Information Security Management Position Requirements. http://raw.rutgers.edu/docs/wcars/20wcars/ISACA/CONTECSI/Defining%20Info%20Sec%20Management.pdf
Continue Reading
View Writing Issues

You May Also Find These Documents Helpful

  • Better Essays

    Kudler Fine Foods IT Security Report FINAL WEEK 5
    • 2101 Words
    • 8 Pages

    Kudler Fine Foods IT Security Report FINAL WEEK 5

    Whitman, M., & Mattord, H. (2004). Information Security Policy. In Management of information security(Fourth ed., p. 154). Boston, Mass.: Thomson Course…

    • 2101 Words
    • 8 Pages
    Better Essays
    Read More
  • Good Essays

    Nt1330 Unit 6 Paper
    • 853 Words
    • 4 Pages

    Nt1330 Unit 6 Paper

    and detailed work strategies, monitoring progress, and determining issues solutions. Finally, organizations should dedicate a team of security analysts directed by the expertise of a Chief information security office (CISO) that reports to the Chief information office (CIO) and provides detailed security information to management for assessment and further expansion opportunities to the security infrastructure. Thus, management and a team of dedicated security experts measure system goals, develop strategies towards a more secure organization environment that prevents risks of any magnitude by safeguarding every corner.…

    • 853 Words
    • 4 Pages
    Good Essays
    Read More
  • Powerful Essays

    IS3550 Final Project
    • 4998 Words
    • 19 Pages

    IS3550 Final Project

    The purpose of this paper is to develop an information security policy that defines the requirements to make our organization's computer network compliant with National Institute of Standards and Technology (NIST) Security Standards. NIST regulations and instructions were reviewed in order to develop the requirements that are stated in this policy. The source documents used can be found in the references section.…

    • 4998 Words
    • 19 Pages
    Powerful Essays
    Read More
  • Powerful Essays

    Riordan Security Issues
    • 1371 Words
    • 6 Pages

    Riordan Security Issues

    Whitman, M. E., & Mattord, H. (2004). Principles of Information Security. [University of Phoenix Custom Edition e-Text]. , : Course Technology. Retrieved September 15, 2009, from University of Phoenix, CMGT440.…

    • 1371 Words
    • 6 Pages
    Powerful Essays
    Read More
  • Powerful Essays

    Kudler Security Report
    • 8349 Words
    • 34 Pages

    Kudler Security Report

    References: Whitman, M., & Mattord, H. (2010). Management of Information Security (3rd ed.). Retrieved from https://ecampus.phoenix.edu/content/eBookLibrary2/content/eReader.aspx?…

    • 8349 Words
    • 34 Pages
    Powerful Essays
    Read More
  • Good Essays

    Inf/325 Week 3 Information Security Management
    • 801 Words
    • 4 Pages

    Inf/325 Week 3 Information Security Management

    Often Information Technology Directors overlook that information security is more of a people issue rather than a technology issue. We rely heavily on people’s awareness, ethics and behavior, and an understanding of what they want to achieve is essential to accomplish the goals of business. This includes the employees that deliver services and the customers that take advantage of them, as well as the senior executives that outline the budgets.…

    • 801 Words
    • 4 Pages
    Good Essays
    Read More
  • Powerful Essays

    Sr-Rm-013: Network, Data, and Web Security
    • 2582 Words
    • 11 Pages

    Sr-Rm-013: Network, Data, and Web Security

    Kim, D. & Solomon, M. G. (2012). Fundamentals of information systems security . Sudbury, MA: Jones & Bartlett Learning, LLC.…

    • 2582 Words
    • 11 Pages
    Powerful Essays
    Read More
  • Better Essays

    Cmgt 441 Homeland Security Research Paper
    • 1317 Words
    • 6 Pages

    Cmgt 441 Homeland Security Research Paper

    The review results were positive with a suggestion for an improvement. The team found that RedSeal product provides the intelligence necessary to improve defenses, maintain continuous compliance and mitigate real-world risks by identifying the available paths of access and exposed vulnerabilities present across a network (Stephenson, 2012). The RedSeal solution is either a hardware appliance or software product and is architected for a fast and efficient means of implementing the system (Stephenson, 2012). The design will provide the most secure, scalable, and dependable deployment possible (Stephenson, 2012). Continuous monitoring focuses on correlating IT, network, and vulnerability feeds (Stephenson, 2012). The system identifies risk associated with the business’s security effectiveness as opposed to policy and compliance driven tools (Stephenson, 2012). RedSeal provides a large library of supported vendor products, allowing security and vulnerability data to be quickly and easily imported into the system. The system automatically builds network maps and correlates the map data with configuration and vulnerability data, which creates a threat reference library. RedSeal finds and eliminates gaps in businesses security controls and prioritizes the impact of those gaps. RedSeal is not an assessment or audit tool, but it does correlate risk to various controls for compliance regulations, creating reports that show gaps in deployed configurations/controls (Stephenson, 2012). The team would have liked to have seen more integration with governance, risk, and compliance solutions (Stephenson, 2012). The product only provided a piece of the risk picture. The piece is important, and one that a number of assessment and audit driven tools do not deliver and could leverage (Stephenson,…

    • 1317 Words
    • 6 Pages
    Better Essays
    Read More
  • Satisfactory Essays

    NT2580
    • 526 Words
    • 5 Pages

    NT2580

    Common security countermeasures typically found in an IT infrastructure  Risk assessment approach to securing an IT infrastructure  Risk mitigation strategies to shrink the information security gap NT2580 Introduction to Information Security © ITT Educational Services, Inc. All rights reserved. Page 3 EXPLORE: CONCEPTS NT2580…

    • 526 Words
    • 5 Pages
    Satisfactory Essays
    Read More
  • Good Essays

    Iscm Strategic Plan
    • 1276 Words
    • 6 Pages

    Iscm Strategic Plan

    are often requested by organization officials such as the Risk Executive, CIO, CISO, and AO as well as by external Federal entities such as DHS and OMB, because they provide a holistic view of the security posture of the organization and measure the effectiveness of the program. The ISCM Program team will define metrics and security controls that align with their information security goals and identify improvements to the security posture of the systems. Metrics and controls should include security-related information from security status monitoring and security status assessments and support risk-based decision making. Moreover, the measurement and reporting schedule will need to be adjusted accordingly as the program matures and as additional requirements are identified. Current ECMO metrics as outlined in the table below will serve as a starting point. The ISCM integrated project team will continue to develop relevant and measurable metrics that support reporting through an executive level CDM dashboard. Additional information on security controls can be found in Appendix B. The dashboard will summarize security metrics and reporting while continuously providing trend analysis for the organization, and give management the ability to see the progress or regression of a given system within the cybersecurity continuous monitoring…

    • 1276 Words
    • 6 Pages
    Good Essays
    Read More
  • Good Essays

    Week 5 you decide
    • 928 Words
    • 4 Pages

    Week 5 you decide

    Security is an ever moving target that must be continually managed and refined to ensure appropriate confidentiality, integrity, and availability of services and systems that are critical to business, as well as the valuable data.…

    • 928 Words
    • 4 Pages
    Good Essays
    Read More
  • Better Essays

    WEEK TWO CMGT 400 INDIVIDUAL ASSIGNMENT
    • 1432 Words
    • 5 Pages

    WEEK TWO CMGT 400 INDIVIDUAL ASSIGNMENT

    Whitman, M. E., & Mattord, H. J. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology.…

    • 1432 Words
    • 5 Pages
    Better Essays
    Read More
  • Better Essays

    Cmgt400 Week 3
    • 1752 Words
    • 8 Pages

    Cmgt400 Week 3

    Whitman, M., & Mattord, H. (2010). Management of Information Security (third ed.). Pittsburgh, PA: Cengage Learning.…

    • 1752 Words
    • 8 Pages
    Better Essays
    Read More
  • Good Essays

    ISM3321 M4A1
    • 916 Words
    • 4 Pages

    ISM3321 M4A1

    1. How can a security framework assist in the design and implementation of a security infrastructure? What is information security governance? Who in the organization should plan for it?…

    • 916 Words
    • 4 Pages
    Good Essays
    Read More
  • Satisfactory Essays

    What Are the Most Important Tools and Technologies for Safeguarding Information Resources?
    • 261 Words
    • 2 Pages

    What Are the Most Important Tools and Technologies for Safeguarding Information Resources?

    Firms need to establish a good set of both general and application controls for their information systems. A risk assessment evaluates information assets, identifies control points and control weaknesses, and determines the most cost-effective set of controls. Firms must also develop a coherent corporate security policy and plans for continuing business operations in the event of disaster or disruption. The security policy includes polices for acceptable use and identity management. Comprehensive and systematic MIS auditing helps organizations determine the effectiveness of security and controls for their information systems.…

    • 261 Words
    • 2 Pages
    Satisfactory Essays
    Read More

Related Topics