In this paper I will discuss some of the benefits of having frameworks for information security management: what each information security framework is, with its pros and cons; which major perspectives to consider in information security management and in choosing a framework; and which organizational factors should be considered in that choice. I will also attempt to come up with a better framework for information security. Among the benefits of having frameworks for information security management are that they serve as common ground for integrating all types of information security functions, that they help answer the question of how to react to information security issues, and that they help identify the important components involved in establishing and maintaining information security initiatives, since our information faces more potential security breaches than ever before (Ma, Schmidt, & Pearson, 2009, p. 58). The information security frameworks are the following:
- Risk management and risk assessment frameworks
- Audit and assurance frameworks
- Legal and regulatory frameworks
The governance framework is very important because it gives us a road map for the application, evaluation and improvement of information security practices (Information Security Governance: Toward a Framework for Action). This framework includes legislation, regulations, corporate structure, corporate culture and the importance of information security to the organization. It also acts as a mechanism to deliver value, manage performance and mitigate risk. Another important fact about this framework is that it gives us a way to assign accountability for each decision and for performance. It ensures that policies, procedures, management and other related management techniques all work hand in hand to achieve the organization’s goals. There aren’t many documents that define the roles, tasks and responsibilities of the different senior members of an organization, yet, as in any other successful practice, the support of senior management is needed.
FISMA clarifies how that support has to be given. Some of the pros that governance frameworks bring to the table are as follows: they help align technology with business goals; they provide a framework for measuring and managing IS performance; they facilitate compliance with external legislation and regulations; and, last but not least, they help ensure that valuable technology solutions are delivered on time and on budget. The security standard framework consists of various guidelines, standards and regulations, of which FISMA, NIST 800-39 and HIPAA stand out to me. Each of these covers a wide range of needs that must be met in order to achieve a successful security framework. While FISMA is a broader regulation that covers many government-related issues, it still provides a good understanding of the division of responsibilities. NIST 800-39 delves into different risk management issues, which I will highlight as I continue this research.
Information security planning or strategy should be aligned with business objectives (Peltier, 2003, p. 22). According to NIST 800-39, risk management is a comprehensive process that requires organizations to frame risk (i.e., establish the context for risk-based decisions), assess risk, respond to risk once it is determined, and monitor risk on an ongoing basis. This framework is a fundamental requirement to which senior leaders and executives need to be committed. There are many organizational risks, e.g., program management risk, investment risk, legal liability risk and security risk. Information systems are also critical to organizations achieving their objectives and strategic goals (NIST 800-39, p. 2). Some of the pros of risk management frameworks are: a) reducing the risk to an acceptable level when it cannot be eliminated, so that the organization is still able to function safely; b) risk can be transferred through insurance policies that protect the company’s assets against theft or destruction. Audit and assurance frameworks involve assessing and comparing what is actually happening in an organization against what is supposed to be happening.
Auditors can also be called in to assess compliance with corporate security policies, standards, procedures and guidelines, sometimes as contractual commitments, either as a specific audit or in the course of a routine audit assignment. Legal and regulatory frameworks ensure that organizations abide by the requirements set out in the different regulations, such as FISMA, HIPAA and others. Failure to comply with the standards listed in these and other regulations can affect organizations in various ways, ranging from fines to jail time depending on the severity of the violation and the state in which it is committed. Some of the pros of this framework are that organizations will be more apt to follow what is required of them, all the while protecting not only customers’ sensitive information but also employees’ vital information. As for the cons of these frameworks: “A secure system is one that does what it’s supposed to” (Eugene Spafford). There is no way to ensure that all systems have the same state of security, because not all systems do the same things.
Therefore each individual organization or user must choose what type of security is important. In some cases security clashes with itself: controls that enhance confidentiality do not necessarily support integrity, and with all the time it takes to control integrity and confidentiality, and how complex each of them is, availability is impacted. It does not come as a surprise that it is impossible to create a universal checklist of items which, once implemented, will guarantee security. Security risks aren’t necessarily measurable, since the frequencies and impacts of future incidents depend on many different things that tend to be out of our control. If we don’t know what skills whoever is attempting to intrude into or hack our systems has, it would be difficult to fight them, let alone predict them. Contrary to what some might believe, according to BOA’s Smith, “senior management is not the biggest hindrance to better security. Rather, the middle management might represent one of the largest challenges because they impact the organization daily.”
Many organizations find it difficult to stay in compliance with different government laws and regulations like the Sarbanes-Oxley Act and HIPAA, in addition to the Payment Card Industry Data Security Standard. It does not help that there is a scarcity of security professionals who have the technical and engineering skills, know how to explain the risks, rewards and trade-offs, and can sell solutions within the organization. When choosing a framework for information security management we have to keep different factors in mind in order to have a successful framework. One of these factors is the goals of the organization: we have to establish the information security objectives, and these should be strategic, organizationally focused and set by executive-level management, since they have a better grasp of the overall business goals and limitations.
We also have to be aware that organizational goals, structure and information security management strategy have to change as environmental factors like technology, business and legislation frequently evolve. Another important factor is the culture of the organization, which needs to be the same for everyone involved, from the CISO to the administrative assistant. After all this extensive reading, my framework would have a continuous risk management and risk assessment framework, security controls that align perfectly with the goals of the business, and a security culture shared not only by the organization but by the entire workforce.
I would achieve this by implementing quarterly training on the importance of ISM and how it affects everyone involved. I believe that everyone should be kept informed as to what our IS goals are by showing them how we have failed or succeeded. In the event that we have failed, we can have the employees propose how we can do better. When we involve everyone affected, they will take it more seriously. There are different types of frameworks that make up the information security management framework. Together they address the needs of a functional ISM framework and detail the obligations of those in an organization, while providing the standards, guidelines, legislation and regulations they all have to abide by, and they show how the lack of a proper framework can affect those in the organization.
Ma, Q., Schmidt, M., & Pearson, J. (2009). An integrated framework for information security management. Review of Business.
Dempsey, K., Chawla, N., Johnston, R., Jones, A., Orebaugh, A., Scholl, M., Stine, K., & Johnson, A. (2001). Information security continuous monitoring for federal information systems and organizations (800-137). Gaithersburg, MD: U.S. Department of Commerce, National Institute of Standards and Technology.
Smith, D.
Johnson, M., & Goetz, E. (2007). Embedding information security into the organization. 17.
Eugene Spafford. (I’m sorry, but I lost the article from which I got his quote.)