INSTRUCTIONS:
Assignment: In the world of information security management, it is important to have a proper mindset and a handy roadmap that help you cruise through the maze of ever-changing technology and its security issues. The following presentation suggests a simple framework for information security management.

Wang, Wenli. PowerPoint Presentation. Information Security Management Framework.

Some of you may have been exposed to the OSI (Open Systems Interconnection) reference model and the TCP/IP stack for Internet communications. Please see Fig. 3 in the link here. Dissecting a big, complicated problem into smaller components helps solve the problem systematically. IS security is complicated. The suggested framework above follows a similar line of reasoning and provides a way of thinking to approach the problem. Engineering, such as the design of a communication protocol, requires the clarification of a specific layer's boundaries so that the design is precise. In management or related behavioral studies, the context is more fluid than in an engineering task, and all of the perspectives have to work hand-in-hand. The layered approach is only one way of thinking; there are many alternative ways to bring the pieces together.

Now let us look briefly at some alternative frameworks. You only need to scan through them, become familiar with some key figures/tables, and get some understanding. You will revisit these articles in much more detail in later module(s) (e.g., Module 3) or course(s) (e.g., ITM527).

For instance, the following NIST publication introduces a tiered/layered approach for risk management. Please mainly focus on Figures 2 and 3.

NIST (2011), "Managing Information Security Risk: Organization, Mission, and Information System View," National Institute of Standards and Technology Special Publication 800-39.
The framework for organization-wide Information Security Continuous Monitoring in Figure 2-1 of the following article echoes the benefit of looking at the issue in tiers/layers. Its Risk Management Framework in Figure 2-2 proposes a process overview that emphasizes a dynamic process flow and values both organizational inputs (e.g., laws, policy, objectives, etc.) and the architectures of business processes and information systems. Please mainly focus on these two figures.

NIST (2011), "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations," National Institute of Standards and Technology Special Publication 800-137.

In contrast, the Business Software Alliance introduces a framework for action on information security governance that asks who, what, and how with regard to governance. You only need to focus on Table 4 to get an overview of it. It also emphasizes that "Information security is often treated solely as a technology issue, when it should also be treated as a governance issue," which is in sync with the other frameworks, where the technology issue is only one of several perspectives that need to be considered.

Business Software Alliance. Information Security Governance: Toward a Framework for Action.

The following article also covers the perspectives mentioned in the presented framework, although it doesn't use a layered approach. Please scan through it to get the main points. You should come back to this article throughout the course for the perspective that each module focuses on. For this module, you only need to know what perspectives are considered.

Johnson, E. and Goetz, E. (2007), "Embedding Information Security into the Organization," IEEE Security & Privacy, May/June 2007.
After you have read the above materials "strategically" and, more importantly, thought about them critically and in relation to one another, please compose a 2-3 page paper on the topic: Comparisons of Information Security Management Frameworks.

Expectations: In preparing your paper, you need to discuss the following issues and support them with arguments and examples:
- What are the benefits of having frameworks for information security management?
- What are the frameworks of information security management? What are their pros and cons?
- What are the major perspectives to consider in information security management?
- You may even expand on what you learned here and come up with a better framework. You should give it a try, although it is not required.

When your paper is done, send it in to CourseNet.