To ensure security, it is important to build-in security in both the planning and the design phases and adapt a security architecture which makes sure that regular and security related tasks, are deployed correctly. Security requirements must be linked to the business goals. We identified four domains that affect security at an organization namely, organization governance, organizational culture, the architecture of the systems, and service management. In order to identify and explore the strength and weaknesses of particular organization’s security, a wide range model has been developed. This model is proposed as an information security maturity model (ISMM) and it is intended as a tool to evaluate the ability of organizations to meet the objectives of security.
This whitepaper discusses some common challenges and myths about data security when outsourcing engineering and looks at some industry best practices to address these concerns.
Five principles for improving your cyber securityWGroup
Corporate assets have been shifting from physical assets to virtual assets over the past 20 years. This trend has been accompanied by a corresponding increase in the vulnerability of intangible assets, leading to a greater general awareness of corporate cyber security risks. The alteration or destruction of a company’s data can result in harm to reputation, loss of public confidence, disruption to infrastructure, and legal sanctions. The security risk can adversely impact a company’s stock price and competitive position in the marketplace. In this document, WGroup cites 5 principles that will help improve a business's cyber security. The 5 principles are risk identification, risk management, legal implications, technical expertise, and expectations.
This whitepaper discusses some common challenges and myths about data security when outsourcing engineering and looks at some industry best practices to address these concerns.
Five principles for improving your cyber securityWGroup
Corporate assets have been shifting from physical assets to virtual assets over the past 20 years. This trend has been accompanied by a corresponding increase in the vulnerability of intangible assets, leading to a greater general awareness of corporate cyber security risks. The alteration or destruction of a company’s data can result in harm to reputation, loss of public confidence, disruption to infrastructure, and legal sanctions. The security risk can adversely impact a company’s stock price and competitive position in the marketplace. In this document, WGroup cites 5 principles that will help improve a business's cyber security. The 5 principles are risk identification, risk management, legal implications, technical expertise, and expectations.
CISSPills are short-lasting presentations covering topics to study in order to prepare CISSP exam. CISSPills is a digest of my notes and doesn't want to replace a studybook, it wants to be only just another companion for self-paced students.
Every issue covers different topics of CISSP's CCBK and the goal is addressing all the 10 domains which compose CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Security Governance
- Security Roles and Responsibilities
- Personnel Security
- Screening and Background checks
- Employment Agreements
- Employment Termination
- Security-Awareness Training
Information Security Governance: Government Considerations for the Cloud Comp...Booz Allen Hamilton
How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
Emerging Need of a Chief Information Security Officer (CISO)Maurice Dawson
This submission examines the emerging need of the Chief Information Security Officer (CISO) to include the associated roles and responsibilities. One of the key artificacts associated with the CISO shall be detailed such as the security plan.
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
Management of the IT infrastructure begins at its Foundation. Better Understand how that is defined, implemented and leveraged beyond traditional IT management solutions but in an accreative way.
CISSPills are short-lasting presentations covering topics to study in order to prepare CISSP exam. CISSPills is a digest of my notes and doesn't want to replace a studybook, it wants to be only just another companion for self-paced students.
Every issue covers different topics of CISSP's CCBK and the goal is addressing all the 10 domains which compose CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Enterprise Architectures
- Enterprise Security Architectures
- Capability Maturity Model Integration (CMMI)
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operation manager
Contact Kris at kris@360bsi.com to register.
CISSPills are short-lasting presentations covering topics to study in order to prepare CISSP exam. CISSPills is a digest of my notes and doesn't want to replace a studybook, it wants to be only just another companion for self-paced students.
Every issue covers different topics of CISSP's CCBK and the goal is addressing all the 10 domains which compose CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Security Management
- Risk Management
- Risk Assessment
- Risk Analysis
- Information Risk Management Policy
- Risk Assessment Methodologies
- Risk Analysis Approaches
- Steps of a Quantitative Risk Analysis
- Control Selection
- Total Risk vs Residual Risk
- Risk Handling
this research was conducted to find out the level of
information security in organization to give recommendations
improvements in information security management at the
organization. This research uses the ISO 27002 by involving the
entire clause that exists in ISO 27002 check-lists. Based on the
analysis results, 13 objective controls and 43 security controls
were scattered in 3 clauses of ISO 27002. From the analysis it
was concluded that the maturity level of information system
security governance was 2.51, which means the level of security
is still at level 2 planned and tracked is planned and tracked
actively) but is approaching level 3 well defined.
Information security means protecting information (data) and informa.pdfANSAPPARELS
Information security means protecting information (data) and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction.
Information Security management is a process of defining the security controls in order to
protect the information assets.
Security Program[edit]
The first action of a management program to implement information security is to have a
security program in place. Though some argue the first act would be to gain some real \"proof of
concept\" and \"explainable thru display on the monitor screen\" security knowledge. Start with
maybe understanding where OS passwords are stored within the code inside a file within a
directory. If you don\'t understand Operating Systems at the root directory level maybe you
should seek out advice from somebody who does before even beginning to implement security
program management and objectives.
Security Program Objectives
Security Management Responsibilities
Approaches to Build a Security Program
Since advancement is directly tied to how well you can convince others, who often fall outside of
your of job duties and department, as to your higher value to the company as stated by your own
effective written communication this leads to amazing resume writers and take no blame style of
email responses that seems to definitely lead to the eventual failure of company\'s standards and
actual knowledge. It is often covered up by relationships which form at the power levels within
any group of people and those who are considered so-called experts having no real idea what is
really involved under the hood of the reports/applications they use and no proof presented in
emails written when self declared claims of their expertise is made or blame is to be put on
another.
Security Controls[edit]
Security Controls can be classified into three categories
Administrative Controls which include
Technical or Logical Controls which include
Physical Controls which include
The Elements of Security[edit]
Vulnerability
Threat
Risk
Exposure
Countermeasure or Safeguard
The Relation Between the Security Elements
Core Information Security Principles[edit]
The three fundamental principles of security are availability, integrity, and confidentiality and
are commonly referred to as CIA or AIC triad which also form the main objective of any security
program.
The level of security required to accomplish these principles differs per company, because each
has its own unique combination of business and security goals and requirements.
All security controls, mechanisms, and safeguards are implemented to provide one or more of
these principles.
All risks, threats, and vulnerabilities are measured for their potential capability to compromise
one or all of the AIC principles
Confidentiality[edit]
Integrity[edit]
Availability[edit]
Information Security Management Governance[edit]
Security Governance[edit]
Governance is the set of responsibilities and practices exercised by the board and executi.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest
risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
CISSPills are short-lasting presentations covering topics to study in order to prepare CISSP exam. CISSPills is a digest of my notes and doesn't want to replace a studybook, it wants to be only just another companion for self-paced students.
Every issue covers different topics of CISSP's CCBK and the goal is addressing all the 10 domains which compose CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Security Governance
- Security Roles and Responsibilities
- Personnel Security
- Screening and Background checks
- Employment Agreements
- Employment Termination
- Security-Awareness Training
Information Security Governance: Government Considerations for the Cloud Comp...Booz Allen Hamilton
How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
Emerging Need of a Chief Information Security Officer (CISO)Maurice Dawson
This submission examines the emerging need of the Chief Information Security Officer (CISO) to include the associated roles and responsibilities. One of the key artificacts associated with the CISO shall be detailed such as the security plan.
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
Management of the IT infrastructure begins at its Foundation. Better Understand how that is defined, implemented and leveraged beyond traditional IT management solutions but in an accreative way.
CISSPills are short-lasting presentations covering topics to study in order to prepare CISSP exam. CISSPills is a digest of my notes and doesn't want to replace a studybook, it wants to be only just another companion for self-paced students.
Every issue covers different topics of CISSP's CCBK and the goal is addressing all the 10 domains which compose CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Enterprise Architectures
- Enterprise Security Architectures
- Capability Maturity Model Integration (CMMI)
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operation manager
Contact Kris at kris@360bsi.com to register.
CISSPills are short-lasting presentations covering topics to study in order to prepare CISSP exam. CISSPills is a digest of my notes and doesn't want to replace a studybook, it wants to be only just another companion for self-paced students.
Every issue covers different topics of CISSP's CCBK and the goal is addressing all the 10 domains which compose CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Security Management
- Risk Management
- Risk Assessment
- Risk Analysis
- Information Risk Management Policy
- Risk Assessment Methodologies
- Risk Analysis Approaches
- Steps of a Quantitative Risk Analysis
- Control Selection
- Total Risk vs Residual Risk
- Risk Handling
this research was conducted to find out the level of
information security in organization to give recommendations
improvements in information security management at the
organization. This research uses the ISO 27002 by involving the
entire clause that exists in ISO 27002 check-lists. Based on the
analysis results, 13 objective controls and 43 security controls
were scattered in 3 clauses of ISO 27002. From the analysis it
was concluded that the maturity level of information system
security governance was 2.51, which means the level of security
is still at level 2 planned and tracked is planned and tracked
actively) but is approaching level 3 well defined.
Information security means protecting information (data) and informa.pdfANSAPPARELS
Information security means protecting information (data) and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction.
Information Security management is a process of defining the security controls in order to
protect the information assets.
Security Program[edit]
The first action of a management program to implement information security is to have a
security program in place. Though some argue the first act would be to gain some real \"proof of
concept\" and \"explainable thru display on the monitor screen\" security knowledge. Start with
maybe understanding where OS passwords are stored within the code inside a file within a
directory. If you don\'t understand Operating Systems at the root directory level maybe you
should seek out advice from somebody who does before even beginning to implement security
program management and objectives.
Security Program Objectives
Security Management Responsibilities
Approaches to Build a Security Program
Since advancement is directly tied to how well you can convince others, who often fall outside of
your of job duties and department, as to your higher value to the company as stated by your own
effective written communication this leads to amazing resume writers and take no blame style of
email responses that seems to definitely lead to the eventual failure of company\'s standards and
actual knowledge. It is often covered up by relationships which form at the power levels within
any group of people and those who are considered so-called experts having no real idea what is
really involved under the hood of the reports/applications they use and no proof presented in
emails written when self declared claims of their expertise is made or blame is to be put on
another.
Security Controls[edit]
Security Controls can be classified into three categories
Administrative Controls which include
Technical or Logical Controls which include
Physical Controls which include
The Elements of Security[edit]
Vulnerability
Threat
Risk
Exposure
Countermeasure or Safeguard
The Relation Between the Security Elements
Core Information Security Principles[edit]
The three fundamental principles of security are availability, integrity, and confidentiality and
are commonly referred to as CIA or AIC triad which also form the main objective of any security
program.
The level of security required to accomplish these principles differs per company, because each
has its own unique combination of business and security goals and requirements.
All security controls, mechanisms, and safeguards are implemented to provide one or more of
these principles.
All risks, threats, and vulnerabilities are measured for their potential capability to compromise
one or all of the AIC principles
Confidentiality[edit]
Integrity[edit]
Availability[edit]
Information Security Management Governance[edit]
Security Governance[edit]
Governance is the set of responsibilities and practices exercised by the board and executi.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest
risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxMargenePurnell14
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
28
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡
P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity including, finance,
transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
including information technology risks. Several standards, best practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used
standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations
is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering
most aspects of our daily life. Businesses which
are heavily dependent on this technology use
information systems which were designed and
implemented with concentration on functionality,
costs reduction and ease of use. Information
security was not incorporated early enough into
systems and only recently has it started to get the
warranted attention. Accordingly, there is a need to
identify and manage these hidden weaknesses,
referred to as systems vulnerabilities, and to limit
their damaging impact on the information systems
integrity, confidentiality, and availability.
Vulnerabilities are exploited by attacks which are
becoming more targeted and sophisticated.
Attacking techniques and methods are virtually
countless and are evolving tremendously [1, 2].
In any enterprise, information security risks
must be identified, evaluated, analyzed, treated and
properly reported. Businesses that fail in
identifying the risks associated with the
technology they use, the people they employ, or
the environment where they operate usually
subject their business to unforeseen consequences
that might result in severe damage to the business
[3]. Therefore, it is critical to establish reliable
information security risk assessment and treatment
frameworks to guide organizations during the risk
management process.
Because risks cannot be complete.
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxbagotjesusa
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
28
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡
P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity including, finance,
transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks,
including information technology risks. Several standards, best practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used
standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations
is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering
most aspects of our daily life. Businesses which
are heavily dependent on this technology use
information systems which were designed and
implemented with concentration on functionality,
costs reduction and ease of use. Information
security was not incorporated early enough into
systems and only recently has it started to get the
warranted attention. Accordingly, there is a need to
identify and manage these hidden weaknesses,
referred to as systems vulnerabilities, and to limit
their damaging impact on the information systems
integrity, confidentiality, and availability.
Vulnerabilities are exploited by attacks which are
becoming more targeted and sophisticated.
Attacking techniques and methods are virtually
countless and are evolving tremendously [1, 2].
In any enterprise, information security risks
must be identified, evaluated, analyzed, treated and
properly reported. Businesses that fail in
identifying the risks associated with the
technology they use, the people they employ, or
the environment where they operate usually
subject their business to unforeseen consequences
that might result in severe damage to the business
[3]. Therefore, it is critical to establish reliable
information security risk assessment and treatment
frameworks to guide organizations during the risk
management process.
Because risks cannot be complete.
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Editor IJCATR
With the increasing use of computers in business information security has also become a key issue in organizations. Risk assessment in organizations is vital in order to identify threats and take appropriate measures. There are various risk assessment methodologies exist which organizations use for risk assessment depending the type and need of organizations. In this research OCTAVE methodology has been used following a comparative study of various methodologies due to its flexibility and simplicity. The methodology was implemented in a financial institution and results of its efficacy have been discussed.
CHAPTER
5
Security Policies, Standards, Procedures, and
Guidelines
The four components of security documentation are policies, standards,
procedures, and guidelines. Together, these form the complete definition of a
mature security program. The Capability Maturity Model (CMM), which measures
how robust and repeatable a business process is, is often applied to security
programs. The CMM relies heavily on documentation for defining repeatable,
optimized processes. As such, any security program considered mature by CMM
standards needs to have well-defined policies, procedures, standards, and
guidelines.
• Policy is a high-level statement of requirements. A security policy is the primary
way in which management’s expectations for security are provided to the
builders, installers, maintainers, and users of an organization’s information
systems.
• Standards specify how to configure devices, how to install and configure
software, and how to use computer systems and other organizational assets, to be
compliant with the intentions of the policy.
• Procedures specify the step-by-step instructions to perform various tasks in
accordance with policies and standards.
• Guidelines are advice about how to achieve the goals of the security policy, but
they are suggestions, not rules. They are an important communication tool to let
people know how to follow the policy’s guidance. They convey best practices for
using technology systems or behaving according to management’s preferences.
This chapter covers the basics of what you need to know about policies,
standards, procedures, and guidelines, and provides some examples to illustrate
the principles. Of these, security policies are the most important within the
context of a security program, because they form the basis for the decisions that
are made within the security program, and they give the security program its
“teeth.” As such, the majority of this chapter is devoted to security policies. There
are other books that cover policies in as much detail as you like. See the
References section for some recommendations. The end of this chapter provides
you with some guidance and examples for standards, procedures, and guidelines,
so you can see how they are made, and how they relate to policies.
Security Policies
A security policy is the essential foundation for an effective and comprehensive
security program. A good security policy should be a high-level, brief, formalized
statement of the security practices that management expects employees and
other stakeholders to follow. A security policy should be concise and easy to
understand so that everyone can follow the guidance set forth in it.
In its basic form, a security policy is a document that describes an
organization’s security requirements. A security policy specifies what should be
done, not how; nor does it specify technologies or specific solutions. The security
policy defines a specific set of ...
Security is an issue of generally recognized importance. Security starts with you, the user. It is well known that a formal security policy is a prerequisite of security. Having a policy and being able to enforce it is a totally different thing. This paper explains the three aspects of security that should be combined to create a well-rounded solution for securing organizations. This solution examines people, policy and enforcement as three dimensions in the world of security. This paper serves as 1) a conceptual framework for securing organization 2) the basis for formal policy-to-enforcement; 3) It raises awareness that the users should be informed of their roles and responsibilities in protecting the organization; and 4) evidence for writing policies that can be implemented and enforcement involves understanding the policies by the users
Discussion 1Recommend three countermeasures that could enhance.docxelinoraudley582231
Discussion 1
Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations.
1. Upon extensive review of existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of chains of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s successful ability to [achieve] its purpose (2007, p. 9).
2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17).
3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14).
Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why.
The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them, increased transparency and accountability which leads to an “improved transparency of IT costs, IT process, [and] IT portfolio (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases” which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability and companies avoid “unnecessary expenditures” (p. 7).
Discussion 2
Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response.
As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .
The development and deployment of an enterprise Security Policy that defines the what and how of enterprise security is now mandated by numerous regulatory and industry standards, such as HIPAA and PCI-DSS. The development of a Security Policy, however, generally takes specialized skills that most organizations do not have. As a result, the process either takes a significant amount of time, or a significant amount of money.
Info-Tech’s Security Policy Solution Set will help you:
•Understand what goes into a Security Policy and why.
•Determine which specific policies are required by your organization.
•Streamline the creation of a policy set via customizable standards-based templates.
•Implement policies in an order that makes sense.
•Understand policy enforcement.
Use this material to build the Policies you need to be protected and compliant without spending a penny.
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTIJNSA Journal
The philosophy of Enterprise Security Risk Management (ESRM) drives a risk-based approach to managing any security risks, physical or logical and holistically applies to every security process. There are globally established risk principles that are common among any developed risk management standard.
This model associates the relationship of risk principles to the practice of managing security risks. The ESRM processes, when successfully and consistently adapted to a security program, will define what a progressive security program looks like, drive strategic through initiatives, build the business
understanding of security’s role to develop a budgeting strategy, and initiate board-level, risk-based reporting. The management security leader's role in ESRM is to manage risks and unthinkable harm to enterprise assets and stockholder in partnership with the business leaders whose assets are exposed to those risks management. ESRM is part of educating business leaders on the realistic of impacts. These identified risks, presenting any potential strategies to mitigate those impacts, and enacting the option chosen by the business in line with acceptable levels of business risk tolerance. The present data should be used to showcase how our service helps identify, evaluate, and mitigate risks at face value that would be
detrimental to a company’s long-term prosperity. We need to show how using our security risk management will ultimately benefit the company's work by improving policies and procedures and reducing other expenses through the use of risk principles management.
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTIJNSA Journal
The philosophy of Enterprise Security Risk Management (ESRM) drives a risk-based approach to managing any security risks, physical or logical and holistically applies to every security process. There are globally established risk principles that are common among any developed risk management standard. This model associates the relationship of risk principles to the practice of managing security risks. The ESRM processes, when successfully and consistently adapted to a security program, will define what a progressive security program looks like, drive strategic through initiatives, build the business understanding of security’s role to develop a budgeting strategy, and initiate board-level, risk-based reporting. The management security leader's role in ESRM is to manage risks and unthinkable harm to enterprise assets and stockholder in partnership with the business leaders whose assets are exposed to those risks management. ESRM is part of educating business leaders on the realistic of impacts. These identified risks, presenting any potential strategies to mitigate those impacts, and enacting the option chosen by the business in line with acceptable levels of business risk tolerance. The present data should be used to showcase how our service helps identify, evaluate, and mitigate risks at face value that would be detrimental to a company’s long-term prosperity. We need to show how using our security risk management will ultimately benefit the company's work by improving policies and procedures and reducing other expenses through the use of risk principles management.
If you have problem of not knowing how to build a foundation for information security, if you are faced with questions such as where to start and how to start then this white paper may have the solutions and answers for you. In this paper you learn how to build the foundation step by step. It is written by the expert but in a simple language that is easy to understand. I have seen many papers that addressed this issue but none in the style of this paper.
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
Still need a prime on the CSF? Check out my article for the Access Business Team January 2017 Newsletter on how business can improve their cyber readiness with the NIST Cybersecurity Framework.
Similar to Information Security Maturity Model (20)
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
1. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 316
Information Security Maturity Model
Dr. Malik F. Saleh msaleh@pmu.edu.sa
Management Information Systems, Chair
Prince Mohammad Bin Fahd University
Al Khobar, 31952, Saudi Arabia
Abstract
To ensure security, it is important to build-in security in both the planning and the design phases and
adapt a security architecture which makes sure that regular and security related tasks, are deployed
correctly. Security requirements must be linked to the business goals. We identified four domains that
affect security at an organization namely, organization governance, organizational culture, the
architecture of the systems, and service management. In order to identify and explore the strength and
weaknesses of particular organization’s security, a wide range model has been developed. This model is
proposed as an information security maturity model (ISMM) and it is intended as a tool to evaluate the
ability of organizations to meet the objectives of security.
Keywords: Maturity Model, Security Maturity Model, Security Measure, Security self study.
1. INTRODUCTION
The traditional information security objectives are confidentiality, integrity, and availability. Achieving
these three objectives does not mean achieving security. Security is achieved by the prevention of
attacks against information systems and from achieving the organization’s mission despite attacks and
accidents. One problem with organizations’ security is that it is often viewed in isolation and organizations
do not link the security requirements to the business goals. The rationale for these organizational
problems is linked to the financial obligations that organizations face for unnecessary expenditure on
security and control. Some of the information security efforts may not achieve the intended business
benefit, resulting in lack of security and financial investments in systems that do not represent the core
systems of an organization. For example managers can justify the need for a system that manages the
resources at an organization. It is a relatively simple task to identify a system that adds value to an
organization but to justify a second system to protect the first one might result in cancelling the
investment of both systems. Any additional security investments are thought of as future projects that can
wait until the business prospective is improved. Then, organizations are faced with the challenging task of
recovering from an attack that disrupts the business process.
To ensure security, it is important to build-in security in both the planning and the design phases and
adapt a security architecture which makes sure that regular and security related tasks, are deployed
correctly [1]. Security requirements must be linked to the business goals through a process-oriented
approach. The process must take into consideration many of the factors that affect the goals of an
organization. We identified four domains that affect security at an organization. First, organization
governance is one factor that affects the security of an organization. Second, the organizational culture
affects the implementation of security changes in the organization. Third, the architecture of the systems
may represent challenges to the implementation of security requirements. Finally, service management is
viewed as a challenging process in the implementation.
2. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 317
FIGURE 1: Domains mapped to implementation standards
This research narrows the gap between theory and practice for information security management by
following the process of a security maturity model and by identifying the benefits of implementing a
standard for organization security needs. We stress the fact of using a domain based approach to
develop a model that can be widely used by organizations. This approach, if developed without an
understanding of the organizational culture, will impact the effectiveness of the implementation and the
human reaction to the use of new technologies. The organization culture often hinders the success of this
approach and the delivery of the intended benefits of the implemented security model or standard.
2. BACKGROUND AND RELATED WORK
The motivation for this paper was due to challenges of assessing the implementation of security at
organizations. In addition to implementation challenges, accomplishing best practices in the
implementation of security is needed and it was undertaking in this research in the form of a self study
that organizations would use to measure their information security practices.
Some attempt were undertaken to establish information security management maturity model. The ISM3
system was introduced to prevent and mitigate attacks, errors, and accidents that jeopardize security [2].
While this attempt recognized three levels of management responsibility, it did not provide best practices
for the implementation of security.
An information assurance model was introduced based on none risk assessment model. It is based on
diligence model where assurance is achieved by using threat and vulnerability reviews and
countermeasures based on tangible best practices. The model did benchmarking, risk assessment and
followed a diligence model [3]. This model introduces benchmarking but it did not provide best practices
for security.
A certification and accreditation model through the identification of operational risks and the determination
of conformance with established security standards and best practices was introduced by [4]. Its idea was
to effectively establish trustworthiness for security services. While an organization policy and defined
processes will introduced by [5] with appropriate accountability standards to facilitate compliance,
monitoring and enforcement of security guidelines.
2.1 Domain-Oriented Approach
Senior management at organizations must become more IT literate to effectively synergize business
strategy. In security, people, information, systems, and networks affect each others. These four domains
3. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 318
provide a vital link to all of the dynamic interconnections at an organization. Inside each domain, there are
processes that identify, measure, manage and control risk.
Connecting different domains together requires securing each domain and securing the interconnection
between the different parts. For the purposes of creating a widely used model that has good practices,
security is looked at as domains, were each particular category of security represents knowledge in the
organization. According to [6] there is no one-size-fits-all approach for maximizing the alignment of IT with
the business and all of its components. Much depends upon the nature of the business, its size, markets,
culture, and leadership style. Additional factors that help dictate the organization’s alignment components
and structure include the in-house IT capabilities and the dependence upon outsourcing.
2.1 Maturity Model
The concept of maturity models is increasingly being applied within the field of Information Systems as an
approach for organizational development or as means of organizational assessment [7-9]. Any systematic
framework for carrying out benchmarking and performance improvement can be considered as a model
and if it has continuous improvement processes it can be considered a maturity model. Maturity implies a
complete system. Generally, in the constituent literature maturity implies perfect or explicitly defined,
managed, measured, and controlled system [10]. It is also a progress in the demonstration of a specific
ability or in the accomplishment of a target from an initial to a desired end stage.
The Total Quality Management (TQM) maturity models is a structured system for meeting and exceeding
customer needs and expectations by creating organization-wide participation in the planning and
implementation of breakthrough and continuous improvement processes. It integrates with the business plan
of the organization and can positively influence customer satisfaction and market share growth [11]. This
structured system encompasses the entire organization and the goal is communicated on a regular bases
while practicing what is being breached [12]. Quality can take many forms but its perception is dependant on
the beholder. However, the emphasis is on things being done right the first time.
In order to identify and explore the strength and weaknesses of particular organization’s security, a wide
range model has been developed. The purpose is to identify a gap between the practice and theory which
then can be closed by following a process-oriented approach. We introduce a maturity model that provides a
starting point for security implementation, a common and shared vision of security, and a framework for
prioritizing actions. Moreover, this information security model has five compliance levels and four core
indicators to benchmark the implementation of security in organizations.
3. INFORMATION SECURITY MATURITY MODEL (ISMM)
This proposed information security maturity model (ISMM) is intended as a tool to evaluate the ability of
organizations to meet the objectives of security, namely, confidentiality, integrity, and availability while
preventing attacks and achieving the organization’s mission despite attacks and accidents. The proposed
model defines a process that manages, measures, and controls all aspect of security. It relies on four core
indicators for benchmarking and as an aid to understanding the security needs in the organization. These
indicators are goal-driven to achieve the security needs.
3.1 Levels of Compliance
It is hard for security practitioners and decision makers to know what level of protection they are getting from
their investments in security. It is even harder to estimate how well these investments can be expected to
protect their organizations in the future as security policies, regulations and the threat environment are
constantly changing [13]. An information system would transition between several distinct vulnerability states.
The first state is hardened and it occurs when all security-related corrections, usually patches, have been
installed. The second is vulnerable and it occurs when at least one security-related correction has not been
installed. The final state is compromised and it occurs when it has been successfully exploited [14]. Within
these states, metrics need to indicate how secure the organization is so that the window of exposure can be
minimized by the security operations teams in an organization by following a standard patching process to
eliminate vulnerability and any associated risks. The security team either deploys patches after vulnerability
was first disclosed or updates signatures that are associated with attacks.
4. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 319
The longer the window of exposure, the more the organization is exposed to attacks and exploits. The
magnitude of risks is minimized if organizations are conscious about their security needs. Therefore the
proposed ISMM considers five levels of compliance. Security is believed to improve as the organization
moves up these five levels:
FIGURE 2: Levels of Compliance
3.2 None Compliance
This state is characterized by none existence of policies and procedures to secure the business.
Management does not consider investing in security related systems necessary for the overall business
strategies. In addition, the organization does not assess the business impact of its vulnerabilities and it does
not understand the risks involved due to these vulnerabilities.
3.3 Initial Compliance
This state is the starting point for any organization. As long as an organization is conscious about the threats
that their information systems face then that organization is considered in the initial state of compliance. This
state is characterized by being chaotic, inconsistent, ad hoc, and in response to attacks and possibly because
of losing resources due to an attack. Organizations recognize the business risks due to vulnerabilities but
have no defined policies or procedures to protect the organization. In addition, the organization would have
little practical implementation in security systems. Most implemented control will be reactive and not planned.
The goals at the initial state are usually centered on the business activities of the organization and little
attention is focused on securing the organization. The goals will change in response to attacks by
implementing some kind of protection but it will not be continuous.
3.4 Basic Compliance
This state is the starting point for any organization that wants to protect its investment and ensure continuity.
Application and network security is implemented but changes are not centrally managed and ad hoc security
requests are common. In this state, organizations trust the interaction between the user and the systems.
Security awareness programs are being considered for key resources only. IT security procedures are
informally defined and some risk assessments taking place. In addition, responsibilities for IT security have
been assigned but enforcement is inconsistent. Some intrusion and detection testing can also be performed.
A fundamental process to most systems is the interaction between the system and the user. According to
[15], this interaction is the greatest risk. Organizations don’t classify their users as threats to their systems.
The user does not always cause a threat in isolation; rather, the actions of users are the starting point for
some attacks, and in some cases, the users themselves may launch the attacks. Weak passwords,
susceptibility to social engineering attacks, and failure to install security updates are some examples of why
the user is classified as the weak human factor and the user's interaction with the systems create threats [16].
5. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 320
The goals at this level are usually centered on the business activities of the organization and the protection of
core systems. Usually, an organization will consider the security of a system after the system’s
implementation. Two restrictions are faced at this stage: First, financial restriction and spending on systems
that don’t add value to the income of the business. Second, organizations classify their initial investments in
security as completed. Organization will have a perception that their systems are protected and they become
unaware of the threats and vulnerabilities.
3.5 Acceptable Compliance
This state is characterized by central management of all security related issues and policies. Users are
trusted but their interactions with the systems are viewed as vulnerability. No ad hoc changes and central
configuration models, from which all configurations are derived, are implemented. Security policies and
procedures are now in place together with adequate delivery mechanisms to aid awareness and compliance.
Access controls are mandatory and are closely monitored. Security measures are introduced on a
cost/benefit basis and ownership concept is in place.
There is a school of thought that maintains that it is not the users’ fault that they perform the easiest action;
rather, it is the designers fault to have made the most insecure operation the easiest operation [16]. Since the
actions of users are the starting point for some attacks, there is a need to inculcate a “culture of security” in
users. Many users have to remember multiple passwords. They use different passwords for different
applications and have frequent password changes, which reduces the users’ ability to remember passwords
and increases insecure work practices, such as writing passwords down [17]. For organizations to secure the
interactions with their systems, communication between the security team and the users must take place to
keep the users informed of possible threats. In addition, the users do not understand security issues, while
the security team lacks an understanding of users' perceptions, tasks, and needs. The result according to [16]
is that the security team typecast the users as threats that need to be controlled and managed, at worst, they
are the enemy within. Users, on the other hand, perceive many security mechanisms as an overhead that
gets in the way of their real work.
The goals at this state are usually centered on the business activities, the users, and monitoring security
threats and all related patches are tested and implemented. Usually, organizations at this state are conscious
about their security needs and they invest in systems that protect the organization.
3.6 Full Compliance
This state is characterized by having control over the security needs of the organization, monitoring the
systems, being aware of threats and benchmarking by comparing the organization itself to other similar
organizations and to international standards. In addition, a comprehensive security function has been
established that is both cost effective and efficient which delivers high quality implementation. This
comprehensive plan has formal policies and procedures in place to prevent, detect, and correct any security
related issues. Also, corporate governance is aligned with the security needs of an organization. Corporate
governance has policies for internal auditing which is independent and objective activity designed to add
value and improve the security of the organization. The result of any audit activity is published and actions
are implemented.
For organization to have full compliance security is managed by identifying the security concerns and security
incidents are tracked in a systematic way. The organization must have proper policies for security in a formal
sense and business plans would have items for security. The use of specific technologies throughout the
organization is in a uniform manner and the implementation came to existence out of a business plan.
Full compliance also considers the security architecture in an organization. While the business architecture
considers all external factors in an organization, the security architecture considers all users in the
implementation. Policies are created to meet the needs of the users but information in or out of the
organization is captured. A system for providing traceability through the organization is in place. Users are
also involved in architectural analysis and the organization offers training for the users in security related
issues.
6. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 321
As for management of security, policies in the full compliance state have preventive, detective and corrective
control. The organization must have a system for reporting security incidents and for tracking the status of
each incident. Installing anti-virus software and firewall is not enough to control the threats the organizations
face. Email filters and intrusion detection systems must also be used to prevent many types of incidents.
4. MEASUREMENTS
Metrics are often used to predict future behaviors, based on historical data and trends.[13] argue that Security
metrics are created and monitored as a way to get insights about the performance of these controls and to
identify failure points or anomalies. However, the metrics are collected across organizations and they are
operational metrics without the context of the overall security processes. On the other hand, measurement of
any complex, operational system is challenging and security risks introduce another dimension of complexity.
Risk management and the availability of different measurements and their properties will vary during the
overall system lifecycle. Any measurement framework needs to be able to adapt to both the changes in the
target of measurement and in the available measurement infrastructure. Security assurance measurements
often require aggregation of several metrics, because direct measurement of the relevant properties is not
often possible in practical complex systems and aggregation strategies can change from time to time,
depending on the environment and the many risk factors [18].
4.1 ISMM Metric and Core Indicator
The principle that is followed here is what you can’t measure, you can’t manage. Therefore four core
indicators are developed to manage and measure the compliance with this maturity model. Each indicator
has its own key performance indicators that show the overall compliance with the model. These four
indicators are domain specific rather than being process specific but they measure the aspect of
structure, the management, the practices and the overall performance of the of the organization in term
of its security.
The specific practices are intended as a guide for those responsible for the activities to draw their
attention to good practices and to assist them to evaluate the practices at their organization. For each
individual item, two responses are called for, but some items may not be applicable to the organization,
therefore it should be marked with NA and ignored. The second response if applicable should be
measured in term of assigning a five points rating scale to evaluate how well the practices are carried out.
Certain activities require combining ratings to develop a broader rating. An overall rating of all domains
would reflect the compliance with this maturity model according to table 1.
5. LIMITAION, IMPLICATION, AND RECOMMENDATION
The results of this paper clearly showed that there are metrics that can assess the implementation of
security at organization. However, the use of a qualitative method incorporates various disadvantages
and it is often criticized for being subjective and it lacks criteria to judge the trustworthiness and relevance
of the results.
Much more research needs to be undertaken to accomplish best practices in the implementation of
security by using a combination qualitative and quantitative research. Quantitative work will be
undertaken to demonstrate the effectiveness of the proposed model. A survey of will be distributed to
different organization and the result will be published in the near future.
6. CONCLUSION AND CONTRIBUTION
A systematic framework for carrying out benchmarking and performance improvement was developed.
This model of best practices can be considered a maturity model which implies a complete system with
continuous improvement. The objective of the proposed solution is to provide an organization with a way
to conduct a self study of its implementation of security. The result will be measured in terms of
compliance to the model. There are five compliance levels and each level consists of goals. An
organization that continuously measure and audit its security implementation will achieve the highest level
and it will achieve the objectives of security.
7. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 322
Full compliance to the model is characterized by having control over the security needs of the
organization, monitoring the systems, being aware of threats and benchmarking by comparing the
organization itself to other similar organizations and to international standards. Acceptable compliance is
characterized by central management of all security related issues and policies. Other levels exist to raise
a red flag for organizations that their security is weak and improvements are required.
The measurement indicators were domain specific rather than being process specific but they measure
the aspect of the structure, the management, the practices and the overall performance of the of the
organization in term of its security.
8. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 323
Management of Security
Security must be clearly and appropriately defined in the organization.
The scales ask you to indicate whether these practices are followed in your organization and to show how well
this is done.
Evaluations should be based on valid evidence.
Good practices
Is this
true?
Yes/No
How well is
this done?
(0-5 stars)
1.1 Appropriateness of Management Practices
1.1.1 Proper policies for security exist in a formal sense . . . . . . . . . . . . . . . . . . . . . . . .
1.1.2 Management considers it necessary to have policies for security at the
organization . . . . .
1.1.3 Management considers the organization security when making business plans. .
1.1.4 Management support and approval is vital to success of security implementation
1.1.5 The use of specific technologies throughout the organization is in a uniform
manner
Overall Assessment (Average)
Comment____________________________________________________________
____________________________________________________________________
Priorities for improvement
____________________________________________________________________
____________________________________________________________________
Each sub-question is assigned a zero or one point. The sum of all section is assigned
to the group
1.2 Types of Computer Systems Security used by the organization
1.2.1 Anti-virus software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (0 or 1)
1.2.2 Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . (0 or 1)
1.2.3 Passwords changed every 30, 60 days, etc. . . . . . . . . . . . . . . . . (0 or 1)
1.2.4 E-mail filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (0 or 1)
1.2.5 Intrusion detection system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (0 or 1)
Overall Assessment (Sum)
9. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 324
Comment____________________________________________________________
____________________________________________________________________
Priorities for improvement
____________________________________________________________________
____________________________________________________________________
1.3 Computer Security Concerns
1.3.1 What are the computer security concerns for your organization:
1.3.1.1 Computer viruses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (0 or 1)
1.3.1.2 Denial of service . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . .(0 or 1)
1.3.1.3 Theft of information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .(0 or 1)
1.3.1.4 Breach of computer systems . . . . . . . . . . . . . . . . . . . . . . . . . . (0 or 1)
1.3.1.5 Misuse of computers by users. . . . . . . . . . . . . . . . . . . . . . . . . .(0 or 1)
Overall Assessment (Sum)
Comment____________________________________________________________
____________________________________________________________________
Priorities for
improvement__________________________________________________________
____________________________________________________________________
1.4 Computer Security Incidents
1.4.1 Security incidents at your organization:
1.4.1.1 Computers in your organization were used to commit
fraud or embezzlement. . . . . . . . . . . . . . . . . (0 or 1)
1.4.1.2 Your organization detected viruses which infected
your computer systems. . . . . . . . . . . . . . . (0 or 1)
1.4.1.3 A number of employees lost or forgot their
passwords. . . . . . . . . . . . . . . . . . . . . . . . . . (0 or 1)
1.4.1.4 Your organization detected a noticeable interruption of its
Internet connection or e-mail service. . . . . .(0 or 1)
Overall Assessment ( 5 - Sum)
11. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 326
Service Management
Security must be clearly and appropriately defined in the organization.
The scales ask you to indicate whether these practices are followed in your organization and to show how well
this is done.
Each sub-question is assigned a zero or one point. The sum of all section is assigned to the group
Evaluations should be based on valid evidence.
Good practices of Management
Is this
true?
Yes/No
How well is
this done?
(0-5 stars)
2.1 Appropriateness of the Service Management
2.1.1 Does your organization classify Incidents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.1.2 Did you organization establish a Major Incident Response Team . . . . . . . . . . . . .
2.1.3 Does you organization implement a problem management system. . . . . . . . . . . .
2.1.4 Incidents Submitted via Automated Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . .
2.1.5 Does your organization maintain inventory of software and hardware equipment
2.1.6 Implemented changes must be approved by management. . . . . . . . . . . . . . . . . .
2.1.7Change management is coordinated between the different teams . . . . . . . . . . . .
2.1.8 Annual budget proposals are submitted with detailed security requirements. . . . .
2.1.9 Financial resources are available and sufficient for security related systems. . . .
2.1.10 If performance is considered less than satisfactory clear requirements are
established. . .
2.1.11 Employees are given appropriate and fair opportunities for development. . . . . .
2.1.12 Recruitment processes ensure qualifications and verifications of candidates. . .
2.1.13 Effective systems are in place to ensure security of the property. . . . . . . . . . . . .
2.1.14 Effective systems are in place to ensure the personal security of employees . . .
Overall Assessment (Average)
Comment____________________________________________________________
____________________________________________________________________
Priorities for improvement
____________________________________________________________________
____________________________________________________________________
14. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 329
Enterprise Architecture
Security must be clearly and appropriately defined in the organization.
The scales ask you to indicate whether these practices are followed in your organization and to show how well
this is done.
Evaluations should be based on valid evidence.
Good Practices of Management
Is this
true?
Yes/No
How well is
this done?
(0-5 stars)
4.1 Appropriateness of the Enterprise Architecture
3.1.1 Users are involved in architectural analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.2 Applications are upgraded to meet new architectural requirements . . . . . . . . . . .
3.1.3 The business capability (What the organization does) is known to all
stakeholders
3.1.4 The business architecture considers all external factors to an enterprise
(including its customers, suppliers, and regulators). . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.5 Information in or out of the organization is captured. . . . . . . . . . . . . . . . . . . . . . . .
3.1.6 Organization strategic goals that drive an organization forward are captured. . . .
3.1.7 Strategic goals are mapped to metrics that provide ongoing evaluation of how
successfully the organization in achieving its goals. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.8 A system for providing traceability through the organization is in place. . . . . . . . .
3.1.9 A set of strategic, core and support processes that transcend functional and
organizational boundaries as in place. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.10 The organization identifies and describes external entities such as customers,
suppliers, and external systems that interact with the business. . . . . . . . . . . . . . . . . . .
3.1.11 The organization describes which people, resources and controls are involved
in its processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.12 The organization identifies gaps between the current and target business
capabilities. . . .
3.1.13 Business Architecture is directly based on business strategy. . . . . . . . . . . . . . .
3.1.14 The business architecture derives the organizational structure. . . . . . . . . . . . . .
Overall Assessment (Average)
15. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 330
Comment___________________________________________________________________
___________________________________________________________________________
Priorities for improvement
____________________________________________________________________
____________________________________________________________________________
3.2 Security Architecture
3.2.1 Centralized User Provisioning and Single Sign-On is implemented. . . . . . . . . .
3.2.2 New security architecture emerges as a result of security assumptions and
designs being refreshed and updated to manage emerging threats . . . . . . . . . . . . . . .
3.2.3 Security is viewed as a service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.4 In a service oriented architecture, your organization implement none
centralized security
3.2.5 In a none service oriented architecture, your organization implement
centralized security
3.2.6 Security is built-in in both planning and design phases . . . . . . . . . . . . . . . . . . . .
3.2.7 The security architecture is capable of adapting new changes in technology,
policy, and strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.8 Security architecture implements policies, standards, and risk management
decisions . . .
3.2.9 Specialized security architecture is implemented for different security
assumptions . . . . .
3.2.10 Central authentication service is implemented . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.11 Different layers of security are implemented. . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.12 Physical security is implemented. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.13 Personal security is implemented (host based). . . . . . . . . . . . . . . . . . . . . . . . .
3.2.14 Network security is implemented. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.15 Information security is implemented. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.16 Application features are identified for security implementations. . . . . . . . . . . . .
16. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 331
3.2.17 Software protection, that includes memory protection and proof-carrying code,
is implemented. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.18 Database security ensures integrity, confidentiality, and availability. . . . . . . . .
3.2.19 System audits are done regularly. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.20 Job descriptions include level of security risk. . . . . . . . . . . . . . . . . . . . . . . . . .
Overall Assessment (Average)
Comment____________________________________________________________
____________________________________________________________________
____________________________________________________________________
____________________________________________________________________
Priorities for improvement
____________________________________________________________________
____________________________________________________________________
____________________________________________________________________
____________________________________________________________________
____________________________________________________________________
3.3 Continuous Improvement
3.3.1 Your organization continuously identifies gaps and addresses security issues. .
3.3.2 The organization implements an incident reporting systems and the security
team learns from incidents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.3.3 Employees are trained on Security and threat awareness. . . . . . . . . . . . . . . . . .
3.3.4 All levels of the organization understand the importance of security and
security is made into a priority. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.3.5 The security processes are documented and feedback is collected . . . . . . . . . . .
3.3.6 The organization measures the effectiveness of the security processes by
tracking the number of attacks and the number of threats . . . . . . . . . . . . . . . . . . . . . . .
21. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 336
7. REFERENCES
1. Amer, S.H. and J. John A. Hamilton, Understanding security architecture, in Proceedings of the
2008 Spring simulation multiconference. 2008, Society for Computer Simulation International:
Ottawa, Canada. p. 335-342.
2. Aceituno, V. Information Security Management Maturity Model 2007 [cited 2011 July 11];
Available from: www.ism3.com/page1.php.
3. Al-Hamdani, W.A., Non risk assessment information security assurance model, in 2009
Information Security Curriculum Development Conference. 2009, ACM: Kennesaw, Georgia. p.
84-90.
4. Lee, S.W., R.A. Gandhi, and G.-J. Ahn, Establishing trustworthiness in services of the critical
infrastructure through certification and accreditation. SIGSOFT Softw. Eng. Notes, 2005. 30(4): p.
1-7.
5. Walton, J.P., Developing an enterprise information security policy, in Proceedings of the 30th
annual ACM SIGUCCS conference on User services. 2002, ACM: Providence, Rhode Island,
USA. p. 153-156.
6. Williams, P.A. IT Alignment: Who Is in Charge. [cited 2011 May 21]; Available from:
http://www.isaca.org/Knowledge-Center/Research/Documents/IT-Alignment-Who-Is-in-
Charge.pdf.
7. Ahern, D., A. Clouse, and R. Turner, CMMI distilled: A practical introduction to integrated process
improvement. 2004, Boston, London: Addison-Wesley.
8. Chrissis, M.B., M. Konrad, and S. Shrum, CMMI: Guidelines for Process Integration and Product
Improvement. 2008, Upper Saddle River, NJ: Addison-Wesley.
9. Mettler, T. and P. Rohner. Situational Maturity Models as Instrumental Artifacts for Organizational
Design. in Proceedings of the 4th International Conference on Design Science Research in
Information Systems and Technology. 2009. Philadelphia, Pennsylvania: ACM.
10. Fraser, M.D. and V.K. Vaishnavi, A formal specifications maturity model. Commun. ACM, 1997.
40(12): p. 95-103.
11. V., P.P. Total Quality Management - A Strategic Initiative Gaining Global Compitative Advantage.
2010 May 21 [cited 2011; Available from:
http://www.indianmba.com/Faculty_Column/FC1174/fc1174.html.
12. TQM - Total Quality Management. 2003 [cited 2011 May 21]; Available from: http://www.six-
sigma-material.com/TQM.html.
13. Beres, Y., et al., Using security metrics coupled with predictive modeling and simulation to assess
security processes, in Proceedings of the 2009 3rd International Symposium on Empirical
Software Engineering and Measurement. 2009, IEEE Computer Society [download]. p. 564-573.
14. Arbaugh, W.A., W.L. Fithen, and J. McHugh, Windows of Vulnerability: A Case Study Analysis.
IEEE Computer, 2000. 33(12): p. 52 - 59
15. Schneier, B., Secrets and Lies: Digital Security in a Networked
World. 2000, New York: John Wiley & Sons, Inc.
22. Malik F. Saleh
International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (3) : 2011 337
16. Vidyaraman, S., M. Chandrasekaran, and S. Upadhyaya, Position: the user is the enemy, in
Proceedings of the 2007 Workshop on New Security Paradigms. 2008, ACM: New Hampshire. p.
75-80.
17. Brostoff, S. and M.A. Sasse, Safe and sound: a safety-critical approach to security, in
Proceedings of the 2001 workshop on New security paradigms. 2001, ACM: Cloudcroft, New
Mexico. p. 41-50.
18. Kanstrén, T., et al., Towards an abstraction layer for security assurance measurements: (invited
paper), in Proceedings of the Fourth European Conference on Software Architecture: Companion
Volume. 2010, ACM: Copenhagen, Denmark. p. 189-196.