An abundance of information security and risk management theories is prevalent; however, it can be difficult to identify valid and applicable theories. In the reading that follows, several information security and risk management theories are evaluated. These theories are presented and employed via various frameworks, models, and best practice guidelines. An assessment of the sufficiency of research pertaining to these theories is addressed, along with a consideration of the challenges that arise from a lack of research.
Theories
The evolution and understanding of the importance of information security and risk management originates from the awareness for the potential of IT in business functions and as a business enabler. This was then
Control Objectives for Information and Related Technology (COBIT). Originally published in 1996, COBIT is a globally recognized framework centered on controls pertaining to IT governance (Burch, 2008). The Information Systems Audit and Control Association (ISACA) established the framework in conjunction with the IT Governance Institute. As the framework has evolved to encompass the management of IT in addition to IT governance, COBIT 5 was unveiled in April of 2012 and declared by ISACA to be “…the only business framework for the governance and management of enterprise IT” (ISACA, 2012c). COBIT 5 for Information Security has also been developed by ISACA and is intended to be an encompassing framework that links together other frameworks and information security best practices. Frameworks and standards that complement COBIT 5 for Information Security include ISACA’s Business Model for Information Security (BMIS), the Information Security Forum’s (ISF) Standard of Good Practice, the ISO/IEC 27000 series, NIST SP 800-53A, and PCI DSS (ISACA, 2012a; ISACA, 2012b).
International Organization for Standardization (ISO). ISO has developed countless internationally recognized standards in conjunction with the International Electrotechnical Commission (IEC). As declared by Burch (2008):
ISO has developed more than 16,000 international standards for stakeholders such as industry and
Because technology is constantly growing and changing, preventative measures must include enough flexibility to allow for change and growth. Without these considerations, a business could jeopardize itself by restricting its ability to expand, or even to update its systems with necessary security patches. Preventative measures should account for future growth. As technology grows, risks increase. Protection mechanisms will change as new threats are introduced to the business, as will new legislation. Many security standards are based on data protection regulations, and as laws change or new laws are introduced, information technology is the most costly element in ensuring compliance. Poor planning can therefore have costly ramifications.
Risk management can be defined as the process of discovering, identifying, and assessing the risks facing an organization’s operations, as well as determining how said risks can be either controlled or mitigated (Whitman & Mattord, 2013). Moreover, a significant component of risk management is risk analysis, which is the identification and assessment of the various levels of risk in the organization. Due to this fact, risk management must remain an ongoing process, and the safeguards and controls that are devised and implemented cannot be viewed as “install and forget” devices. Additionally, this comprehensive process requires an organization to frame risk, assess risk, respond to risk once determined, and most importantly, monitor risk on an ongoing basis through the use of active organizational communications and continuous improvement feedback loops. Furthermore, the fact that most businesses identify and implement new information technology systems in response to changes in the market on a regular basis justifies the need for an ongoing risk management process.
Risk management includes the “overall decision-making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what actions are cost effective to take to control these risks” (Conklin et al., 2012, p. 678). For the proper development of risk management techniques, every person at every level of the organization, especially those involved in the Information Security (IS) department, “must be actively involved in the following activities:
In this paper I will be discussing some of the benefits of having frameworks for information security management: what each of the information security frameworks is, their pros and their cons, which major perspectives to consider in information security management and framework choice, and what organizational factors should be considered in framework choice. I will also attempt to come up with a better framework for information security.
Assess the adequacy and effectiveness of the organization’s IS security policy. In addition, assess whether the control requirements specified in the organization’s IS security standards adequately protect the information assets of the organization. At a minimum, the standards should specify the following controls and require them to be applicable to all information systems:
In the academic world, numerous information security (InfoSec) and risk management (RM) models are present. The value of these models differs, particularly in respect to internal and external soundness. Appropriately, countless security researchers and specialists seek an increased understanding of the complexity of information assurance (IA). To a degree, this need may be motivated by industry demand and application. InfoSec is an enduring matter for many businesses. Therefore, the aim of this research is to offer an assessment of InfoSec and RM theories and to identify the areas in need of further research.
An abundance of organizations started their adoption of COBIT as an IT governance framework on version 4; however, the new version 5 brings added components that strengthen the value of governance and differentiate between governance and management. This differentiation provides value to each one.
After the information system is installed, the IS security controls must be monitored and assessed on a continuous basis. Continuous monitoring ensures the security controls in place are effective. In this step, there are five tasks. The first task requires managers to determine the security impact based on the threat environment. The second task is conducting assessments on certain security controls as outlined in their Continuous Monitoring Strategy. The third task is correcting discrepancies found in the assessment. The fourth task requires updating the Security Authorization package based on the previous results. The fifth task requires the appropriate officials to make a risk determination and acceptance by reviewing the reported security
The senior management of the company is committed to achieving superior security governance by treating INFOSEC as a crucial business component. The aim of the policy is to create a security-conscious environment and to exhibit to all parties, internal and external, the application of fundamental security principles, notably taking responsibility for information security, applying security controls in relation to the risks, and individual accountability.
Whitman, M. E., & Mattord, H. J. (2013). Management of information security (4th ed.). Retrieved from https://www.betheluniversityonline.net/
The international community is directly and indirectly connected through information systems, and as such, instructions or frameworks are developed and kept under constant revision in an effort to improve information security techniques. The first framework discussed that assists in improving information security techniques is that of the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27002. The aforementioned framework is an internationally accepted standard that provides instructions for entities to map security protocols to regulatory and legal statutes (Wangwe, Eloff, & Venter, 2012). ISO/IEC 27002 provides an entity with guidelines and recommendations for implementing and enhancing security controls. Although ISO/IEC 27002 only provides security control recommendations, it is only a subset of the mandatory requirements set forth by ISO/IEC 27001, which summarizes controls for implementation. The recommended control measures of ISO/IEC 27002 cover topics such as information security policies, access control, asset management, business continuity, and information security incident management. The full list
An information security professional’s job is to deploy the right safeguards, evaluating risks against critical assets and mitigating those threats and vulnerabilities. Management can ensure their company’s assets, such as data, remain intact by finding the latest technology and implementing the right policies. Risk management focuses on analyzing risk and on mitigating actions to reduce that risk. Successful implementation of security safeguards depends on the knowledge and experience of information security staff. This paper addresses the methods and fundamentals of how to systematically conduct risk assessments of the security risks of information systems.
Security risk management is “the culture, processes and structures that are directed towards maximizing benefits and minimizing disbenefits in security, consistent with achieving business objectives” (Australia, 2006). And where
There are many areas within an information security policy; one of the most important is risk management. Risk management is what companies use to mitigate the risks to their company and its assets. Risk management is a living document, in that it must be constantly reviewed and updated to stay current with the changing threats. The document should also be reviewed in the event that a significant breach or accident causes information loss.
Minimizing the negative impact on an organization and the need for a sound basis for decision-making are fundamental reasons for an organization to implement (Unuakhalu, 2014) a risk management process for its IT