(1) Information Security Standards and Models
Examples of the evolution of information security activities date back to coded messages in ancient times. The modern information security and assurance industry did not begin to establish uniform practices and standards until the late 1980s. One example of an early effort is the creation of ISC2, which involved a group of information security practitioners coming together to establish certification criteria for security professionals. The federal government and a number of standards organizations such as NIST and ISO have developed examples of information security standards. Those reviewing the available standards will find that there is significant agreement among them as to approaches and models that support the work of information security.
Use the study materials and engage in any additional research needed to fill in knowledge gaps. Then discuss the following:
Identify an example of information security standards that appears to have taken a leadership position in setting standards for the industry.
Outline the framework and objectives of a security standards organization, including whether the standards are intended for a particular sector within information security.
Describe how security professionals who work in the private sector might determine which information security standards and models are most appropriate for implementation in the context of a specific organization.
(2) Infosec Policies and Standards in the Private Sector
Application of information security standards and policies can be better defined in industries and organizations that must comply with specific regulations. As more industries become regulated, and as the regulations themselves become more standardized into common practice, this puts pressure on nonregulated industries to conform their practices too. Legal theory in the United States is heavily tilted towards establishing what is "reasonable," making the practice of all organizations best aligned in common practice where possible.
Use the study materials and engage in any additional research needed to fill in knowledge gaps. Then discuss the following:
Describe the relationship between information security standards organizations and the creation of internal information security policy within private sector organizations.
Identify how the adoption of standard and the creation of policy must be adopted within the context of the core business goals and objectives of an organization.
Explain how the information security professional can ensure that there is adequate consideration and approval for diverging from common practice in situations where that is necessary.