Comparisons of Information Security Management Frameworks - Research Paper Example

Summary
From the paper "Comparisons of Information Security Management Frameworks" it is clear that choosing a specific IT security framework can be informed by more than one dynamic with the form of industry or the requirements of compliance being some of the deciding aspects. …

Extract of sample "Comparisons of Information Security Management Frameworks"

Topic: Comparisons of Information Security Management Frameworks

Benefits of having frameworks for information security management

Information security management frameworks are built on a structured set of independent recommendations, processes and practices, predominantly from the Information Security Management System Standard (ISO 27001). The framework seeks to make sure that information assets are safeguarded from illegal access or modification, whether they are in storage, under processing or in transit. It further seeks to safeguard against any denial of service to permitted users and against the provision of services to unauthorized users, and it includes the procedures needed to identify, document and deal with these threats. Frameworks are based on existing accepted standards as well as guidelines and sets of practices that reflect the conduct of an initial community of high-performing organizations (Hřebíček, Schimak & Denzer, 2011). Governments and business organizations can implement frameworks with the practices they prefer or are supposed to use for their market sectors and the entire country.

Some of the benefits of possessing frameworks for information security management are that they create a secure and well-arranged working environment while protecting information and information assets. Having frameworks for information security management also helps reduce internal and external security breaches, creates confidence among employees and customers when dealing with the operations of the business, and integrates disaster recovery in order to ensure continuity of the business (Gantz & Philpott, 2013). Further benefits include preventing information security incidents from taking place and detecting incidents that do occur.
In the event that incidents take place, the frameworks for information security management are able to measure the impact of the incidents and respond to them in order to minimize the resulting damage. Additionally, they are able to embed continuous improvement in processes associated with information security while complying with rules and regulations.

Frameworks of information security management

Information security frameworks are a sequence of standard procedures that are employed in defining policies and processes associated with the execution and continuous running of information security controls in a venture setting. The frameworks are essentially a blueprint for creating an information security plan with the aim of managing risks and reducing vulnerabilities. Professionals in information security can employ these frameworks to define and prioritize the tasks needed to create security in an organizational setting (Layton, 2007). Frameworks are usually tailor-made to deal with particular information security issues, in the same way that building plans are specifically meant to meet the needed specifications and uses. There are various frameworks, including those developed for particular industries and for differing regulatory compliance objectives. They also exist in varying levels of difficulty and magnitude, but there is a large degree of overlap in their overall security theories as every one of them continues to evolve.

Frameworks examples

Control Objectives for Information and Related Technology

COBIT was established in the nineties by ISACA, which is an autonomous organization of experts in IT governance. Presently, ISACA offers various certifications such as the Certified Information Security Manager and the renowned Certified Information Systems Auditor (Tashi & Ghernaouti-Helie, 2011).
This framework began by focusing predominantly on the reduction of methodological risks in firms, but with COBIT 5 it has lately progressed to encompass the integration of IT with goals that are strategic to the business. It is the framework most commonly employed to gain compliance with the guidelines set out by Sarbanes-Oxley.

ISO 27000 series of standards

The International Standards Organization developed the ISO 27000 series, which was designed to provide a very wide information security framework that can be applied to firms of all forms and magnitudes. It may be considered the information security equivalent of the ISO 9000 quality standards used in the manufacturing industry, and it even includes a comparable certification procedure (Winkler, 2011). It is divided into various sub-standards according to their contents: for instance, ISO 27000 comprises a general overview and terminology, while ISO 27001 defines the requirements for the program. ISO 27002 evolved from BS7799, which is a British standard, and defines the set of steps required in an information protection setting and program. Numerous further standards and best practices are included in the ISO 27000 series, for instance ISO 27799, which defines information security in healthcare and may be beneficial to organizations that need to comply with HIPAA guidelines. Newer ISO 27000 standards are being created to provide particular advice in the areas of cloud computing, storage security and the collection of digital evidence. The ISO 27000 standard is wide and can be employed in any industry; however, providers of cloud computing services seeking to establish a vigorous security plan can use the certification.
NIST SP 800 Series of standards

The National Institute of Standards and Technology in the US has been creating a large collection of standards associated with information security as well as documentation of best practices. The NIST Special Publication 800 series was published for the first time in the nineties and has progressed to offer advice on almost all aspects of information security. Though it is not strictly an information security framework, the NIST 800-53 model has informed the evolution of other frameworks. Various agencies of the US government use NIST SP 800-53 in their compliance with the 200 requirements of the Federal Information Processing Standards. Although it is specific to government agencies, the framework can be utilized in all industries and should not be overlooked by organizations seeking to develop an information security system.

Major perspectives to consider in information security management and framework

Choosing a specific IT security framework can be informed by more than one factor, with the type of industry or the requirements of compliance being some of the deciding aspects. Publicly traded companies prefer sticking with the COBIT framework so that they can more easily achieve compliance with Sarbanes-Oxley. On the other hand, the ISO 27000 series is the masterpiece as far as frameworks for information security are concerned, as its standards are applicable in any industry; however, the process of implementing them is long and involved (Johnson, 2011). Nonetheless, it can be appropriately used where the organization is supposed to market its information security competences through the ISO 27000 certification. Further, NIST SP 800-53 is the standard required of the federal agencies of the US, but it may also be applicable in organizations that seek to create an information security plan that is particular to technologies.
They can assist a security expert in his or her organization and management of information security programs.

References

Gantz, S., & Philpott, D. (2013). FISMA and the risk management framework. Boston: Syngress.

Hřebíček, J., Schimak, G., & Denzer, R. (2011). Environmental software systems. Berlin: Springer.

Johnson, R. (2011). Security policies and implementation issues. Sudbury, Mass.: Jones & Bartlett Learning.

Layton, T. (2007). Information security. Boca Raton: Auerbach Publications.

Tashi, I., & Ghernaouti-Helie, S. (2011). Information security evaluation. Lausanne, Switzerland: EPFL Press.

Winkler, J. (2011). Securing the cloud. Burlington, MA: Elsevier.
