This document discusses information security management systems (ISMS). It begins by defining ISMS as a collection of policies related to information technology risks and information security management. It notes that while many organizations have implemented ISMS frameworks focused on technology, information security also needs to be addressed at the organizational and strategic level. The document then provides an overview of common elements of ISMS, including risk assessment, policy development, and implementation. It discusses the impact of networks and the internet in driving increased focus on information security. In summary, the document outlines key concepts regarding ISMS and argues the need for holistic ISMS approaches in organizations.
Information Security Governance: Concepts, Security Management & Metrics (OxfordCambridge)
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ... (ijcsit)
Information security against hacking, altering, corrupting, and divulging data is vital and inevitable, and it requires effective management in every organization. Some of the upcoming challenges can be the study of available frameworks in Enterprise Information Security Architecture (EISA) as well as criteria extraction in this field. In this study a method has been adopted in order to extract and categorize important and effective criteria in the field of information security by studying the major dimensions of EISA, including standards, policies and procedures, organization infrastructure, user awareness and training, security baselines, risk assessment and compliance. Gartner's framework has been applied as a fundamental model to categorize the criteria. To assess the proposed model, a questionnaire was prepared and a group of EISA professionals completed it. Fuzzy TOPSIS was used to quantify the data and prioritize criteria. It could be concluded that the database and database security criteria, inner software security, electronic exchange security and supervising malicious software can be high priorities.
This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312
This Word document provides a template for an IT Security & Governance Policy and is easily customisable. Areas covered are: Security, Data Back-Up, Virus Protection, Internet & Email Usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning.
Information Security Governance: Government Considerations for the Cloud Comp... (Booz Allen Hamilton)
How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
International Journal of Engineering Research and Development (IJERD Editor)
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
The development and deployment of an enterprise Security Policy that defines the what and how of enterprise security is now mandated by numerous regulatory and industry standards, such as HIPAA and PCI-DSS. The development of a Security Policy, however, generally takes specialized skills that most organizations do not have. As a result, the process either takes a significant amount of time, or a significant amount of money.
Info-Tech’s Security Policy Solution Set will help you:
• Understand what goes into a Security Policy and why.
• Determine which specific policies are required by your organization.
• Streamline the creation of a policy set via customizable standards-based templates.
• Implement policies in an order that makes sense.
• Understand policy enforcement.
Use this material to build the Policies you need to be protected and compliant without spending a penny.
This publication covers two important aspects of information security governance: determining the security strategy approach and the strategy development process.
Electronic Healthcare Record Security and Management in Healthcare Organizations (ijtsrd)
This study aims at identifying the current countermeasures used in protecting the Electronic Healthcare Record and how employees share their knowledge about the existence of Electronic Healthcare Record security, as well as countermeasures used in mitigating the threats and data breaches in healthcare organizations. A case study of Aminu Kano Teaching Hospital, Nigeria was used and a qualitative research method was adopted, where purposive and stratified random sampling was used. This led to the construction of eleven relevant questions to four categories of staff. A conceptual framework was proposed to guide the study and the findings were evaluated using the proposed framework. The results revealed that there is a lack of knowledge sharing among employees, and some factors were found to be the resistance factors; these include educational background, behavior, low security awareness, personality differences and lack of management commitment. On the other hand, deterrent, preventive and organizational actions were partially practiced as countermeasures used to mitigate the threats and vulnerability of data breaches of Electronic Healthcare Records in Aminu Kano Teaching Hospital in Nigeria. Attahiru Saminu, CLN, "Electronic Healthcare Record Security and Management in Healthcare Organizations", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Special Issue | International Conference on Advanced Engineering and Information Technology, November 2018, URL: https://www.ijtsrd.com/papers/ijtsrd19124.pdf
Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/19124/electronic-healthcare-record-security-and-management-in-healthcare-organizations/attahiru-saminu-cln
Information Security - Back to Basics - Own Your Vulnerabilities (Jack Nichelson)
When a security program isn't as good as it should be it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program.
This Talk is for - Security Managers looking to better focus on the real vulnerabilities and more effectively communicate your progress
The Goals of this talk – Find the real problems, create a formal plan, build support for the plan, and report the progress
Fluorescence quenching of 5-methyl-2-phenylindole (MPI) by carbon tetrachlori... (IOSR Journals)
The fluorescence quenching of 5-methyl-2-phenylindole (MPI) by carbon tetrachloride by steady state in different solvents, and by transient method in benzene has been carried out at room temperature. The Stern–Volmer (SV) plot has been found to be non-linear with a positive deviation for all the solvents studied. In order to interpret these results we have invoked the ground state complex and sphere of action static quenching models. Using these models various rate parameters have been determined. The magnitudes of these parameters imply that sphere of action static quenching model agrees well with the experimental results. Hence the positive deviation in the SV plots is attributed to the static and dynamic quenching. Further, from the studies of temperature dependence of rate parameters and lifetime measurements, it could be explained that the positive deviation is due to the presence of a small static quenching component in the overall dynamic quenching. With the use of finite sink approximation model, it was possible to check whether these bimolecular reactions as diffusion limited and to estimate independently distance parameter R′ and mutual diffusion coefficient D. Finally an effort has been made to correlate the values of R′ and D with the values of the encounter distance R and the mutual diffusion coefficient D determined using the Edward's empirical relation and Stokes–Einstein relation.
IOSR Journal of Humanities and Social Science is an International Journal edited by International Organization of Scientific Research (IOSR).The Journal provides a common forum where all aspects of humanities and social sciences are presented. IOSR-JHSS publishes original papers, review papers, conceptual framework, analytical and simulation models, case studies, empirical research, technical notes etc.
A study of serum Cadmium and lead in Iraqi postmenopausal women with osteopor... (IOSR Journals)
Postmenopausal status is an independent risk factor for osteoporosis. Several studies have reported that heavy metals, including lead, mercury, cadmium, and arsenic, have harmful effects on bone. The aim of this study was to evaluate the effect of heavy metals, including Cadmium and Lead, on osteoporosis in postmenopausal Iraqi women. This prospective study included a total of 70 postmenopausal women divided as 40 patients with osteoporosis compared to 30 apparently healthy women as controls during 2011. Serum levels of Cadmium and Lead were measured using atomic absorption while serum Calcium, Phosphorus and Alkaline phosphatase were measured by spectrophotometry. The results showed that there was no significant difference between patients and controls regarding age, Body Mass Index, Calcium, Phosphorous, and Alkaline phosphatase. Serum levels of Cadmium and Lead were higher in patients compared to controls, p < 0.001 and p < 0.01 respectively. It is concluded that increased serum levels of cadmium and lead may be associated with higher risk of osteoporosis in postmenopausal women.
IOSR Journal of Mathematics (IOSR-JM) is an open access international journal that provides rapid publication (within a month) of articles in all areas of mathematics and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in mathematics. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publication.
Running Head SECURITY AWARENESS Security Awareness.docx (toltonkendal)
Running Head: SECURITY AWARENESS
Security Awareness 2
Final Project Security Awareness
Terri Y. Hudson
Southern New Hampshire University – IT 552
December 20, 2016
Agency-wide security awareness Program Proposal
Introduction
For the organization to comply with the current PCI DSS requirement 12.6, a security awareness program must be in place. The CISO of the organization has an immediate requirement to create an agency-wide security awareness program. As a means of implementing the security awareness program, the organization has conducted a security gap analysis, which is one of the components of a security awareness program, and which showed 10 security findings. As one of the means of conducting the program, I will submit an awareness program proposal.
Objective
This SOW (Statement of Work) is being done on behalf of the senior information officer. He has requested the creation of an agency-wide security awareness program by handing over the security gap analysis which was done prior to this process. Hence the major aim of this document is to set out a security awareness program which addresses ten major key security findings. The document will also include a risk assessment of the current security awareness practices and processes. By having this document, the organization will be able to have a well-organized maintenance plan. It is also important in establishing and maintaining an information-security awareness program (United States, 2000).
Background
The mission of the organization is to provide efficient IT services with the best security program in place with an aim of protecting organizations assets.
1. Technical infrastructure
The organization is engaged in a short-term effort aimed at modernizing its information-processing infrastructure. These efforts have incorporated software enhancements, installation of firewalls and high-end network systems for improved communication. The senior information officer is the one who is responsible to oversee the modernization effort. He has of late completed conducting a security awareness program and deployment of the organization's LAN (Local Area Network). The hardware being used is of CISCO products.
2. Computing Environment
The organization's desktop computers run Windows 2007/98 and 95. The servers are Pentium-based with over 1 GB RAM. The current NOS (Network Operating System) is Windows based.
3. Security Posture of the Organization
The organization has a basic network structure with only one router, which acts as a firewall. It has several workstations and switches to these workstations. In addition, the organization has installed Kaspersky's antivirus on their desktop machines with a motive of reducing external threats. The data server is highly secured with Kaspersky's antivirus. The organization physical sec ...
The Significance of IT Security Management & Risk Assessment (Bradley Susser)
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
HAL Id hal-01484681 https://hal.inria.fr/hal-01484681 Sub.docx (shericehewat)
HAL Id: hal-01484681
https://hal.inria.fr/hal-01484681
Submitted on 7 Mar 2017
HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
Distributed under a Creative Commons Attribution| 4.0 International License
Enterprise Information Systems Security: A Case Study
in the Banking Sector
Peggy Chaudhry, Sohail Chaudhry, Kevin Clark, Darryl Jones
To cite this version:
Peggy Chaudhry, Sohail Chaudhry, Kevin Clark, Darryl Jones. Enterprise Information Systems Security: A Case Study in the Banking Sector. Geert Poels. 6th Conference on Research and Practical Issues in Enterprise Information Systems (CONFENIS), Sep 2012, Ghent, Belgium. Springer, Lecture Notes in Business Information Processing, LNBIP-139, pp.206-214, 2013, Enterprise Information Systems of the Future. <10.1007/978-3-642-36611-6_18>. <hal-01484681>
https://hal.inria.fr/hal-01484681
http://creativecommons.org/licenses/by/4.0/
https://hal.archives-ouvertes.fr
Enterprise Information Systems Security: A Case Study in the Banking Sector
Peggy E. Chaudhry1, Sohail S. Chaudhry1, Kevin D. Clark1, and Darryl S. Jones2
1 Department of Management and Operations/International Business, Villanova School of Business, Villanova University, Villanova, PA 19085 USA
{peggy.chaudhry, sohail.chaudhry, kevin.d.clark}@villanova.edu
2 MBA Program, Villanova School of Business, Villanova University, Villanova, PA 19085
{djones21}@villanova.edu
Abstract. One important module of Enterprise Information System (EIS) is the development and implementation of the security component of EIS. Furthermore, this EIS Security structure needs to be monitored through the corporate governance of the firm. Based on a literature review and our previous work, we identified four key pillars of a model for EIS Security. These pillars are Security Policy (e.g., set rules for employee behavior), Security Awareness (e.g., continued education of employees), Access Control (e.g., access linked to employee job function), and Top Level Management Support (e.g., engrain information security into the company's culture). We explore the relevance of this model using a case study approach by way of interviewing top-level information systems managers in the banking sector. We validate the model through using key informant in-depth interviews and qualitative research methods.
Keywords: Enterprise information systems, security, conceptual model, banking sector, case st ...
IT security controls are a result of protecting information system resources against unauthorized attempts to access them. In an empirical view, this establishes a logical dichotomy between protecting the inside from the outside, not terribly different from what we do when we lock the doors of our homes at night. This inside/outside approach has matured greatly, and continues to do so in today's information systems environment. Traditionally, most of the observed research and its results have produced technical measures in the form of controls and best practices, which act as templates to "secure" information systems from those not authorized to access them. As a natural result, many guides primarily outline technical controls that prevent external access to internal information systems.
The landscape of information technology (IT) security controls has widened significantly over the past few decades, especially since the adoption of the public internet and the proliferation of internet service providers. Even today it is further fueled by the rise of connectedness via mobile means, whether smartphones or tablet devices, or publicly available wifi, available any time and nearly anywhere.
This shift has transitioned the philosophical approach from IT security to information security, information being the actual asset that is protected through IT security controls. With this understanding, we must further recognize, accept, and conclude that information has value, and that within competitive markets, within and between the same or different industries, unauthorized attempts to access information systems are no longer just external configuration issues. They are also internal behavioral issues, which drive not just technological implementations traditionally spawned by vendor configuration anomalies, but organizational structure, policies, vigilance, and training.
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEM (IAEME Publication)
Recently, information security incidents such as personal information leakage have been regarded as serious risk factors that directly affect corporate sales reduction and corporate image loss. In order to manage information security systematically, enterprises have been introducing information security systems more than ever before. This study aims to derive major items of the information security system mainly for corporate organizational management, with a focus on the technology-organization-environment (TOE) framework, and suggests a direction for system build-up and management. To this end, the Analytic Hierarchy Process (AHP) was conducted on 20 items derived from previous studies. A survey was conducted among 24 individuals, including 12 corporate internal administrators and 12 corporate external consultants. As a result, it turned out that environmental factors affected the information security system more significantly than technical and organizational factors. Notably, 'compliance with legal requirements,' 'protection of information subjects' rights,' and 'increase of the information security awareness' affected the operation of the information security system or related decision-making processes. This finding suggests that although technical and organizational management is also essential when it comes to corporate information security system operation, the system needs to respond swiftly to rapid market changes and legal and administrative changes concerning information security.
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx (MargenePurnell14)
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2, p. 28
Addressing Information Security Risks by Adopting Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡ P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity including finance, transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks, including information technology risks. Several standards, best practices, and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and implemented with concentration on functionality, cost reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as system vulnerabilities, and to limit their damaging impact on information systems' integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually countless and are evolving tremendously [1, 2].
In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail in identifying the risks associated with the technology they use, the people they employ, or the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process.
Because risks cannot be complete.
Information Security Management System: Emerging Issues and Prospect
IOSR Journal of Computer Engineering (IOSR-JCE)
e-ISSN: 2278-0661, p-ISSN: 2278-8727, Volume 12, Issue 3 (Jul. - Aug. 2013), PP 96-102
www.iosrjournals.org
Information Security Management System: Emerging Issues and Prospect
Amarachi A.A., Okolie S.O., Ajaegbu C.
Computer Science Dept, Babcock University, Nigeria
Abstract: An Information Security Management System (ISMS) can be defined as a collection of policies concerned with Information Technology (IT) related risks or Information Security Management (ISM). The majority of ISMS frameworks that have been implemented and adopted by organizations centre on the use of technology as a medium for securing information systems. However, information security needs to become an organisation-wide and strategic issue, taking it out of the IT domain and aligning it with the corporate governance approach. The aim of this paper is to highlight the available ISMS frameworks, the basic concept of ISMS, the impact of ISMS on computer networks and the internet, the chronological development of ISMS frameworks, and IT Security Management/IT Security Organization. These were accomplished through a review of the existing literature on ISMS frameworks. In essence, it was observed that there is a need for every organisation to have an information security management system that can adequately provide reasonable assurance and support for IT applications and business processes.
I. Introduction
A management system describes the processes, technologies and people used to direct and manage the activities of an organization. Each organization builds a unique system that supports the goals of that organization. The system will reflect different disciplines depending on the values and culture of the organization. So, we see systems defined with very different areas of focus such as health, safety, quality, enterprise management, environment, web content, personnel, risk and many other topics; and with different emphasis on security factors such as confidentiality, integrity, availability, or on topics such as privacy or product assurance.
An Information Security Management System (ISMS) is a documented system that provides security for information and data in an organization. Every organization is faced with the task of providing a comprehensive plan for information security. Caralli & Wilson (2004) opined that "modern organizations have a huge challenge on their hands as they must secure the organization in the face of increasing complexity, uncertainty, and interconnection brought about by an unprecedented reliance on technology vis-à-vis legislative policies on security".
Today's information systems are complex collections of technology (i.e., hardware, software, and firmware), processes, and people, working together to provide organizations with the capability to process, store, and transmit information in a timely manner to support various missions and business functions. Information needs to be available, accurate and up-to-date to enable an organization to make good business decisions. While various ISMS frameworks have been implemented and adopted by organizations, the focus has been more on the use of technology as a means of securing information systems. However, information security needs to become an organisation-wide and strategic issue, taking it out of the information technology (IT) domain and aligning it with the corporate governance approach. Furthermore, an algorithm-based ISMS model demonstrating ITGC concepts is proposed with a more human-centred approach, in order to achieve a more efficient guide to information security management.
Despite the fact that each organization builds a unique system, management systems have several common elements and are based around an improvement cycle. One frequently used cycle is the popular "Plan-Do-Check-Act" (PDCA) cycle that Deming lectured on in Japan (Deming, 1950). This cycle is used as a guide in planning what needs to be done and how best to go about it, establishing the controls needed, monitoring progress, and improving the system, taking preventive and corrective actions and pointing out areas for improvement. The analysis of management systems has shown that there are various common elements including policy, planning, implementation and operation, performance assessment, improvement, and management review.
This paper will present a near-exhaustive review of management systems for information security using resources provided by various researchers in the field of ISMS. It will also provide an introductory motivation, showing where security risks arise and how they can be managed in organizations.
Submitted date 20 June 2013 Accepted Date: 25 June 2013
II. Basic Concepts of ISMS
An Information Security Management System (ISMS) can be defined as a collection of policies concerned with Information Technology (IT) related risks or Information Security Management (ISM). The term arose primarily out of ISO 27001, the standard used to scrutinize the security framework and thereby ensure that a functional solution is created. The ISMS must extend to all systems and information in the organization. Without strong security controls, businesses risk financial loss, legal liability, and reputational harm. The insecurity of the Internet further exposes institutions to undetected, global, and virtually instantaneous attacks on internal systems and proprietary information (see Figure 1).
Figure 1: The Concept Of ISMS
Source: Carlson, T. (2008). Understanding Information Security Management Systems. New York: Auerbach Publications.
All employees, whether in private or public organizations, possess information. Most of this information exists in many forms, and different types of information have different values to an organization. Given the wide range of information threats organizations face, it is important to enforce an ISMS, which Brykczynski & Small (2003) described as "the life-cycle approach to implement, maintain, and improve the interrelated set of policies, controls, and procedures that ensure the security of an organization's information assets need to be in a manner appropriate for its strategic objectives".
With the ever-increasing number of people connecting to the Internet, security has become increasingly important. "The number of computers connected to the Internet is still increasing dramatically from roughly ninety-seven million in the year 2000 to more than one hundred and thirty-seven million in the year 2001" (Parenty, 2003). As much as web services offer many benefits, their new advancements also pose many new threats to ISMS. Security systems used by organizations presently include firewalls, virus protection programs, encryption, etc., while future systems will need new Extensible Markup Language (XML) standard formats like XML Encryption, XML Digital Signature and XML Key Management Systems to structure the security data. Although XML solves some problems, it has also created security questions that need to be answered. The chief objective of an ISMS is to implement the appropriate measurements in order to eliminate or minimize the impact that various security-related threats and vulnerabilities might have on an organization. By so doing, Information Security Management will enable implementing the desirable qualitative characteristics of the services (such as availability of services, and preservation of data confidentiality and integrity) offered by the organization.
Many steps are involved in building an ISMS. While performing each step, inputs from all stakeholders in the organization should be included and results discussed to reach an agreed-upon path. A security manual serves as the central repository for the ISMS. This manual, usually considered a confidential document, will be maintained by the Chief Security Officer. The various steps involved in building an ISMS are:
i. Step 1 - Risk Assessment: An organization-accepted security risk assessment should be done. The goal is to identify assets, threats, vulnerabilities and controls to mitigate risks. Some risks will be accepted, and management approval should be attained for these.
ii. Step 2 - Top-down approach: Security is a management issue and not just an IT issue. Hence it is critical that top management plays an important role in building an ISMS. Management should have the overall ownership of the ISMS. Management should encourage a culture within the enterprise to follow security principles.
iii. Step 3 - Functional roles: Once management's approval is attained, functional roles will have to be identified. Depending on the type and size of the enterprise, the roles can vary in type and number. A chief information security officer should be identified who solely owns the ISMS. Other functional roles could include data stewards, security awareness trainers, etc.
iv. Step 4 - Write the policy: The security policy is a document that states the organization's information security strategy at a high level. The language in the policy is derived from the risk assessment. Details should be avoided in a policy. In order to make the policy acceptable to all stakeholders, the manner in which the policy is expressed should be at a high level and align with the organization's business priorities and goals.
v. Step 5 - Write the standards: Standards are definite requirements that an organization should put forth for everybody to follow. The standards should support the security policy and be measurable. It is good practice to document what the penalties are when standards are not met.
vi. Step 6 - Write the guidelines and procedures: Guidelines are recommended ideas for an organization. They can also be termed 'nice to haves'. It should be noted that the effectiveness of an organization's security management will not be measured by the guidelines present. There are usually no penalties for not following the guidelines. However, there can be some incentives if the organization follows the guidelines. Procedures are step-by-step descriptions of how to meet the standards or guidelines so that the policy is supported. Procedures are usually targeted at the system-level people who actually implement the control.
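The risk assessment of Step 1 (identify assets, threats, vulnerabilities and controls; accept some risks with management approval) and the metrics of Figure 4 (confirm chosen controls are really implemented) can be captured in a small risk register. This is an added illustration, not code from the paper; the 1-5 likelihood and impact scale, the product scoring, the acceptance threshold and the sample entries are assumptions made for the example.

```python
"""Risk register for the ISMS risk assessment step (added example, not from the paper)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    reduces_likelihood: int = 0   # points taken off likelihood once in place
    reduces_impact: int = 0       # points taken off impact once in place
    implemented: bool = False     # the metric that shows the safeguard is real


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int               # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                   # assumed scale: 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)
    accepted_by: str = ""         # approving manager, recorded when risk is accepted

    def inherent_score(self) -> int:
        """Risk before any safeguard: likelihood x impact (assumed scoring)."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after safeguards. A control that exists only on paper does not
        count, which is why the register tracks the implemented flag."""
        likelihood, impact = self.likelihood, self.impact
        for control in self.controls:
            if control.implemented:
                likelihood -= control.reduces_likelihood
                impact -= control.reduces_impact
        return max(1, likelihood) * max(1, impact)


ACCEPT_THRESHOLD = 6  # assumed: residual scores at or below this may be accepted


def review_register(risks: List[Risk]) -> Dict[str, List[str]]:
    """Sort each entry into: must be treated further, accepted with approval on
    record, or low enough to accept but still awaiting management sign-off.
    Also lists planned controls that have not actually been implemented."""
    report: Dict[str, List[str]] = {
        "treat": [], "needs_approval": [], "accepted": [], "unimplemented_controls": []}
    for risk in risks:
        key = f"{risk.asset}/{risk.threat}"
        for control in risk.controls:
            if not control.implemented:
                report["unimplemented_controls"].append(f"{key}: {control.name}")
        score = risk.residual_score()
        if score > ACCEPT_THRESHOLD:
            report["treat"].append(key)
        elif risk.accepted_by:
            report["accepted"].append(key)
        else:
            report["needs_approval"].append(key)
    return report


def sample_register() -> List[Risk]:
    """Constructed sample entries for demonstration (not from the paper)."""
    return [
        Risk("customer database", "external intrusion", "unpatched DB server", 4, 5,
             controls=[Control("perimeter firewall", reduces_likelihood=2, implemented=True),
                       Control("monthly patching", reduces_likelihood=1, implemented=False)]),
        Risk("payroll spreadsheet", "accidental disclosure", "shared mailbox access", 3, 3,
             controls=[Control("access restriction", reduces_likelihood=2, implemented=True)],
             accepted_by="CISO"),
        Risk("public website", "defacement", "weak CMS password", 3, 2,
             controls=[Control("MFA for CMS admins", reduces_likelihood=2, implemented=True)]),
    ]


if __name__ == "__main__":
    for section, items in review_register(sample_register()).items():
        print(f"{section}: {items}")
```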
According to the National Institute of Standards and Technology (NIST) Computer Security Division (2010), "today's participants of ISMS include complex assemblages of technology (i.e., hardware, software, and firmware), processes, and people, working together to provide organizations with the capability to process, store, and transmit information in a timely manner to support various missions and business functions", as shown in Figure 2.
Figure 2: ISMS Participants
III. Review
Pattinson (2007) noted that "an information security management system (ISMS) focuses on managing information security within an organization, a subject that is of developing concern to many organizations as they deal with the challenges presented in the information society. These challenges include: evolving information security and privacy legislation, published guidelines (Organization for Economic Co-operation and Development (OECD), Cyber security), and natural threats (fire, flood, earthquake, tornados) or human threats (viruses, spam, privacy, hacking, industrial espionage)". In Information Security Management Systems (ISMS), the information protected goes beyond that residing in electronic formats on computers or networks, and includes paper-based information and extends to intellectual property.
Peltier (2005) provided key qualitative insights with a systems approach toward the humanistic side of information security. The research firmly presents two realms of information security: one lies in the humanistic communication of individuals and the other in information transactions over the computer (virtual). Peltier urges that an effective information security program cannot be implemented without the implementation of an employee awareness and training program that addresses the policy, procedures, and tools, so that each individual may understand and utilize them.
Pattinson (2007) has written a paper to thoroughly investigate the pith of ISMS. He notes: "by using an ISMS an organization can be sure that they are measuring and managing their information security processes in a structured manner and that they can control and hone their system to meet their business needs". If they draw from a standardized ISMS framework they can be sure that they are drawing from the experience of many others and that the system has been reviewed and reflects best practices. Such a framework is a tried and tested tool that helps management ensure that security resources are spent on the most effective areas for the business (Pattinson, 2007).
Carlson (2008) characterizes information security management systems as "coordinated activities to direct and control the preservation of confidentiality, integrity, and availability of information". He describes the concept of ISMS thus: "ISMS is an example of applying the management system conceptual model to the discipline of Information Security". Unique attributes of this instance of a management system include:
a. Risk management applied to information and based upon metrics of confidentiality, integrity, and availability.
b. Total Quality Management (TQM) applied to information security processes and based upon metrics of efficiency and effectiveness.
c. A monitoring and reporting model based upon abstraction layers that filter and aggregate operational details for management presentation.
d. A structured approach towards integrating people, process, and technology to furnish enterprise information security services.
e. An extensible framework from which to manage information security compliance.
ENISA (2010) notes that the chief target of Information Security Management is to implement the appropriate measurements in order to eliminate or minimize the impact that various security-related threats and vulnerabilities might have on an organization. In doing so, Information Security Management will enable implementing the desirable qualitative characteristics of the services offered by the organization (i.e. availability of services, preservation of data confidentiality and integrity, etc.). The framework of ISMS is illustrated in Figure 3.
The ENISA agency further explains that small businesses with limited information systems infrastructure, whose operations do not demand handling, storage and processing of personal or confidential data, usually face minor risks or risks with lower likelihood or impact. These organizations are more likely not to maintain an independent ISMS and usually deal with information security risks ad hoc or as part of a wider Risk Management process. Larger businesses and organizations such as banks and financial institutions, telecommunication operators, hospitals and health institutes, and public or governmental bodies have many reasons for addressing information security very seriously. Legal and regulatory requirements which aim at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks.
Figure 3: ISMS Framework
Source: European Network and Information Security Agency (ENISA). (2010). ISMS Framework.
A properly implemented ISMS can be effectively used by either small or large organizations, and can be tailored to support the protection of information in diverse organizations including data processing centers, software development, e-commerce, health care organizations, finance, manufacturing, service organizations, non-governmental organizations, colleges, and not-for-profit organizations.
Effective implementation of an ISMS framework ensures that a management team, committed to information security, provides appropriate resources to support the processes that the organization needs in order to achieve appropriate information security. It needs to be stressed that this commitment of senior management is of extreme importance to the success of this, and other, management systems.
Figure 4: The Risk Management Process
Source: Pattinson, F. (2007). Certifying Information Security Management Systems.
The ISMS inevitably includes processes related to the basic management of the system, training and awareness. It emphasizes a risk management process (see Figure 4) that guides the choice of safeguards and that, coupled with the metrics necessary to ensure that the chosen controls are implemented correctly, ensures that the system evolves to manage the changing business and security environment, and that the resulting management system is, and continues to be, effective.
IV. Impact of Networks and the Internet on ISMS
Before computers, information was kept mainly as paper records, accessible only by a few authorized individuals. As the use of computers and networks grew, more and more of this information began to be stored electronically. This allowed a large number of people access to information, enabling the improvement of the organization's value. It also allowed many unauthorized people access to this information for their personal use. Finding ways to safeguard this information in such a way that policies, processes and people are involved became an important mission, and continues to be so today.
Networks and the Internet made it possible for companies to send information to almost anyone, anywhere and at any time. However, individuals who wanted to use this confidential information for their own personal purposes could now access this information. These individuals are commonly referred to as crackers. Crackers can obtain this information by tapping into organization networks through the Internet and impersonating authorized users. Once crackers have the private information of consumers, they can use it to pursue their own personal interests. One such way in which crackers use this information is identity theft, in which a person pretends to be another person in order to obtain credit cards and make unauthorized purchases, among other things. With crackers came the need for better computer security. Security now needed to span time and space to keep confidential information out of the hands of malicious users.
With the emergence of computers and the popularity of using the Internet, security has become its own business. There are many people who specialize in Internet security. Viruses have also exploded onto the scene. Over one thousand three hundred new macro viruses were detected in 1997 compared with about forty in 1996 (Burgess, 2002). Eight years ago the number of macro viruses grew to about one thousand two hundred and sixty. One main security system used by companies is the firewall. A firewall controls the information that passes between an organization's computers and the Internet. Parenty (2003) states that "a firewall can adopt one of two basic policies to control access from the Internet to an internal computer". The first is "whatever is not prohibited is allowed" and the second is "whatever is not allowed is prohibited". The main protection that the firewall does not provide is protection against attacks that originate from within the organization.
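The two firewall stances Parenty describes, and the gap for traffic that never crosses the perimeter, can be made concrete by running one rule set under both defaults. This is an added illustration, not code from the paper; the rule format, the 10.0.0.0/8 internal range and the sample flows are assumptions constructed for the example.

```python
"""Default-allow vs. default-deny firewall policy (added example, not from the paper)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    dst_port: Optional[int]   # None matches any destination port
    src: str                  # source network in CIDR notation


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int

    def label(self) -> str:
        return f"{self.src_ip}->{self.dst_ip}:{self.dst_port}"


def decide(rules: List[Rule], flow: Flow, default: str) -> str:
    """First matching rule wins; traffic matching no rule gets the default.
    default="allow" is 'whatever is not prohibited is allowed';
    default="deny"  is 'whatever is not allowed is prohibited'."""
    for rule in rules:
        if rule.dst_port not in (None, flow.dst_port):
            continue
        if ip_address(flow.src_ip) not in ip_network(rule.src):
            continue
        return rule.action
    return default


def crosses_perimeter(flow: Flow) -> bool:
    """The firewall only sees traffic between the Internet and the internal network."""
    return (ip_address(flow.src_ip) in INTERNAL) != (ip_address(flow.dst_ip) in INTERNAL)


def evaluate(rules: List[Rule], flows: List[Flow], default: str) -> Dict[str, str]:
    """Decision per flow; internal-to-internal traffic is never inspected,
    which is the limitation the text points out."""
    results: Dict[str, str] = {}
    for flow in flows:
        if not crosses_perimeter(flow):
            results[flow.label()] = "not inspected"
        else:
            results[flow.label()] = decide(rules, flow, default)
    return results


# Constructed rule set: one published service, one explicitly prohibited one.
RULES = [
    Rule("allow", 443, "0.0.0.0/0"),   # public HTTPS service
    Rule("deny", 23, "0.0.0.0/0"),     # telnet explicitly prohibited
]

# Constructed sample connection attempts.
FLOWS = [
    Flow("203.0.113.7", "10.0.0.5", 443),    # Internet -> web server
    Flow("203.0.113.7", "10.0.0.5", 23),     # Internet -> telnet
    Flow("203.0.113.7", "10.0.0.5", 3389),   # Internet -> RDP, covered by no rule
    Flow("10.0.0.9", "10.0.0.5", 3389),      # workstation -> server, never crosses
]

if __name__ == "__main__":
    for default in ("allow", "deny"):
        print(f"default {default}: {evaluate(RULES, FLOWS, default)}")
```

The unlisted RDP flow is the only one whose outcome changes between the two policies, and the internal flow is untouched by either.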
Prior research has shown that information systems were often designed with a lack of foresight, which unknowingly allows systems to become more vulnerable (Ghosh, 2004). For example, because Web services offer so many immediate benefits, information technology departments often implement these programs without considering security issues. It is not until later, when a security breach occurs, that steps are taken to secure their vital information. The advancement of Web services alone poses many new threats to information systems.
V. Chronological Development of ISMS Standards
In the area of information security, various standards have been developed in which emphasis is placed, in part, on different target groups or subject areas. The use of security standards in organizations or government agencies not only improves the level of security, it also makes it easier for organizations to agree on which security safeguards must be implemented and in what form (Bundesamt für Sicherheit in der Informationstechnik (BSI), 2009).
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees established
by the respective organization to deal with particular fields of technical activity. ISO and IEC technical
committees collaborate in fields of mutual interest, and other international organizations, governmental and
non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology,
ISO and IEC have established a joint technical committee (ISO/IEC JTC 1), whose subcommittee SC 27 creates and
publishes the ISMS standards. The standard now known as ISO/IEC 17799 grew out of work begun in 1987 by the UK
Department of Trade and Industry (DTI): it was published as British Standard BS 7799 Part 1 in 1995 and adopted as
ISO/IEC 17799 in 2000. As a result of its efficacy, there was growing interest in adopting the standard in many
other countries worldwide.
VI. IT Security Management And IT Security Organization
There are many standards, models and frameworks for information security management. Among the
first was BS 7799 (first published in 1995 and revised in 1999). Li et al. (2003) present the BS 7799 standard as a
suitable model for information security management. BS 7799 codifies best practices in the information security
management area, whereas organizations had earlier been using frameworks of their own development. They
conclude that BS 7799, together with organization-specific requirements, is the most effective way of providing
information security.
In "Information security management standards: problems and solutions", Siponen (2003) critically
analyses the three information security standards most widely used in 2003 and earlier. His conclusion boils
down to the fact that these normative standards are claimed to be generally valid, yet they are not grounded in
empirical study of what is actually done in organizations, as a research approach would require.
An extensive survey carried out by Stamland (2004) asks whether BS 7799 is worth the effort. He concludes that
organizations certified according to BS 7799-2 have higher maturity than organizations that have chosen only to
use the standard informally, and that those organizations in turn have higher maturity than organizations that
implement no ISMS at all. He believes the findings support the statement that BS 7799 will be worth the effort for
organizations which need to protect their assets.
von Solms (2005) investigates the co-existence and complementary use of Control Objectives for
Information and related Technology (COBIT) and ISO 17799 as reference frameworks for information security
governance. The investigation is based on a mapping between COBIT and ISO 17799 and provides a level of
'synchronization' between the two frameworks. He presents COBIT as 'the tool for information technology
governance': COBIT is therefore not exclusive to information security; it addresses information technology
governance as a whole and refers, among many other issues, to information security. The downside of using
COBIT for information security governance is that it is not always very detailed in terms of 'how' to do certain
things. ISO 17799, by contrast, is exclusive to information security and addresses only that issue. Its upside for
information security governance is that it is more detailed than COBIT and provides much more guidance on
precisely 'how' things must be done; its downside is that it is very much stand-alone guidance, not integrated
into a wider framework for information technology governance. His suggestion is to use a mapping between the
two standards so as to take the best from both, making the very useful content provided by COBIT and ISO 17799
much more useful in implementing comprehensive and standardized information security governance environments.
Tejay (2005) addresses the problem of making sense of information systems security standards. The
paper concludes that there is a plethora of standards and that it is neither effective nor economical for
organizations to adopt all of them. Instead, a set of security standards working coherently as an integrated
model and aligned with the organization's business objectives is suggested; the set would integrate a minimum
number of standards to cover the maximum of an organization's IS security needs.
Pattinson (2003) proposes an approach by which internal auditors and IS managers can establish the extent to
which their organization complies with the international standard AS/NZS 17799 (ISO/IEC 17799). The approach
combines a set of baseline IS controls, extracted from the standard, with a Goal Attainment Scaling (GAS)-based
evaluation methodology.
Some researchers have recognized that the relationship between security objectives and practices is
complicated, but important for practitioners to understand. Pearson and Ma (2005) surveyed objectives and
practices in information security management, applying canonical analysis to data from 354 security
professionals. They found that "Confidentiality" has the highest correlation with information security practices,
and concluded that practitioners must take appropriate management interventions to improve the effectiveness
of information security management.
VII. Conclusion
Studies have shown that every organisation and industry needs to accommodate an information security
management system in its operations. The frameworks that currently exist for such systems have centred largely
on technology as the means of securing information systems. Information security needs to become so
widespread that its strategic issues are moved out of the IT domain and aligned with the corporate governance
approach. This paper has reviewed the available works on ISMS and identified how an ISMS can be developed not
only to offer security but also to enhance corporate governance. The proposed framework for this will be shown
in part II of this paper.
References
[1] Brykczynski, B. & Small, B. (2003). Securing Your Organization's Information Assets (p. 1). Retrieved from 10.1.1.177.8675.pdf
[2] Bundesamt für Sicherheit in der Informationstechnik (BSI). (2009). BSI Standard 100-1: Information Security Management Systems (ISMS).
[3] Burgess, S. (2002). Managing Information Technology in Small Business: Challenges & Solutions. Victoria University, Australia. Idea Group Publishing.
[4] Caralli, R. A. & Wilson, W. R. (2004). The Challenges of Security Management (p. 1). Retrieved from ESM White Paper v1.0 Final-2.doc
[5] Carlson, T. (2008). Understanding Information Security Management Systems. New York: Auerbach Publications.
[6] Deming, E. W. (1950). Evolution of the "Plan-Do-Check-Act" (PDCA) cycle. JUSE.
[7] Department of Trade and Industry (DTI). (2006). Information Security. Retrieved from http://www.dti.gov.uk/industries/information_security
[8] European Network and Information Security Agency (ENISA). (2010). ISMS Framework. Retrieved from http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/rm-isms/framework
[9] Ghosh, S. (2004). The Nature of Cyber-attacks in the Future: A Position Paper. Information Systems Security (p. 18), 16 pp.
[10] Li et al. (2003). BS7799: A Suitable Model for Information Security Management.
[11] Parenty, T. (2003). Digital Defense. Boston, MA: Harvard Business School Press.
[12] Pattinson, F. (2007). Certifying Information Security Management Systems. Retrieved from http://www.atsec.com/downloads/pdf/CertifyingISMS.pdf
[13] Pattinson, M. R. (2003). Americas Conference on Information Systems.
[14] Peltier, T. R. (2005). Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management (pp. 1-3). Boca Raton, FL: CRC Press.
[15] National Institute of Standards and Technology (NIST) Computer Security Division (2010).
[16] Siponen, M. T. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8 (1), 31-41.
[17] Stamland, F. A. (2004). Is BS7799 worth the effort?
[18] Tejay, G. (2005). Making Sense of Information Systems Security Standards. Americas Conference on Information Systems.
[19] von Solms, B. (2005). Information Security governance: COBIT or ISO 17799 or both? Computers & Security, 24 (2), 99-104.