Retrieved from https://studentshare.org/information-technology/1467074-it-security-policy-framework
Recommended sound security control practices (e.g., people, process, technology).
A guide to help reconcile the framework to common and different aspects of generally adopted standards (e.g., COBIT, HIPAA, etc.).
An analysis of risk or implications for each component of the framework.
A guide of acceptable options or alternatives and criteria, to aid in tailoring to an organization's operating environment.
A guide for implementation and monitoring.
Toolset for organizations to test compliance against the framework (HITRUST).
A complete security framework comes down to three well-known basic components: people, technology, and procedures. When these three elements are correctly assembled, the people, technology, and process fundamentals of an information security program work together to secure the environment and stay consistent with the organization's objectives. Diagram 1.1 shows the idea of people, processes, and technology.
Figure 1.1: The policies and the practices in any organization are established by the information security framework.
… characteristics of the Sarbanes-Oxley Act are:
Creation of the Public Company Accounting Oversight Board (PCAOB):
It is a five-member board established by the Sarbanes-Oxley Act to oversee the auditing profession. The PCAOB establishes and enforces auditing, quality control, ethics, independence, and other standards related to audit reports.
New rules for auditors:
Significant information must be provided by the auditors to the organization's audit committee. This includes critical accounting policies and practices, alternative GAAP treatments, and auditor-management disagreements. CPA auditors are forbidden from performing certain non-audit services for audit customers, for example bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services. Audit firms do not offer these services to publicly held companies.
New roles for audit committees:
Audit committee members must sit on the organization's board of directors and be independent of the company. In addition, at least one member of the audit committee must be a financial expert. The audit committee appoints, compensates, and supervises the auditors, who report directly to it.
New internal control requirements:
Section 404 of SOX requires publicly held companies to issue, together with the financial statements, a report stating management's responsibility for establishing and maintaining an adequate internal control structure and appropriate control procedures. The report must also contain management's assessment of internal controls.
Question 3
The challenges facing management in providing information security are alarming. Information system assets are substantial even for small organizations, including databases and files related to personnel, company operations, financial matters, etc.
Question 4
After mapping the information security framework, it is revealed that the selected framework maps well onto the Company's information security framework. The only dissimilarity between the two frameworks is that the roles and responsibilities of the drivers are different. Even though the company has a suitable information security framework in place, there are a few suggestions, as follows:
Training:
To create a pervasive security environment, awareness of the significance of information security to the organization must be widespread. To reinforce the behavioral changes, several approaches may be undertaken. The workforce should be trained in security awareness and suitable security practices (Sipior & Ward, 2008). Also, consultants should be made aware of all the policies and procedures.
Password Policy:
The ABC Company has a password policy in place, but it has not been implemented. The password policy is a significant security requirement.
Confidentiality agreement:
In many cases, no confidentiality agreements with third-party contractors are in place. In a few organizations, for instance, a consultant has to sign a confidentiality agreement when joining the client's location.
Physical security:
Physical security is not in place for computer systems. The organization must have some kind of locking system to help prevent theft of PCs or other hardware.
Information is considered the core element, or vital asset, of any organization. A well-established information security framework is needed to protect the information in any organization. However, it must also be taken into consideration that, in any organization, the information security framework is an ongoing process. To ensure adequate protection of information resources, continuous enhancements in response to environmental incidents or interviews are required (Ezingeard & Bowen-Schrire, 2007). To assess the capability of current practices, measuring and reporting risks, control issues, and vulnerabilities are compulsory (Purtell, 2007).