Module- Case

INFORMATION SECURITY MANAGEMENT FRAMEWORKS

Case Assignment

In the world of information security management, it is important to have a proper mindset and a handy roadmap that help you cruise through the maze of the ever-changing technology and its security issues. The following presentation suggests a simple framework for information security management.

Wang, W. PowerPoint Presentation. Information Security Management Framework.

Some of you may have been exposed to the OSI (Open System Interconnection) reference model and the TCP/IP stack for the Internet communications. Please see Fig. 3 in the OSI Reference Model for Network Protocol. Dissecting a big, complicated problem into smaller components helps solve the problem systematically. IS security is complicated. The suggested framework above follows the similar line of reasoning and provides a way of thinking to approach the problem.

Engineering, such as the design of a communication protocol, requires the clarification of a specific layer's boundaries so that the design is precise. In management or relevant behavioral studies, the context is more fluid than an engineering task. It is required to work hand-in-hand from all of the perspectives. The layered approach provides only one way of thinking, there are many alternatives how to bring pieces together. Now let us look briefly at some alternative frameworks. You only need to scan through and become familiar with some key figures/tables and get some understanding. You will revisit these articles in much details in later module(s) (e.g., mod 3) or course(s) (e.g., ITM527).

For instance, the following NIST publication introduces a tiered/layered approach for risk management. Please mainly focus on Figure 2 and 3.
NIST. (2011). Managing Information Security Risk-Organization, Mission and Information System View. National Institute of Standards and Technology Special Publication 800-39.

The framework for organization-wide Information Security Continuous Monitoring in Figure 2-1 in the following article echoes the benefit of look at the issue in tiers/layers. Its Risk Management Framework in Figure 2-2 proposes a process overview that emphasizes a dynamic process flow and values both organizational inputs (e.g., laws, policy, objectives, etc.) and architecture of business processes and information systems. Please mainly focus on these two main figures.

NIST. (2011). Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. National Institute of Standards and Technology Special Publication 800-137.

However, Business Software Alliance introduces a framework for action on Information Security Governance that asks for who, what, and how with regards to governance. You only need to focus on Table 4 to get an overview of it. It also emphasizes that "Information security is often treated solely as a technology issue, when it should also be treated as a governance issue," which is in sync with the other framework where technology issue is only one of the several perspectives that need to be considered.

Business Software Alliance. (2016). Seizing opportunity through license compliance. Retrieved from http://globalstudy.bsa.org/2016/downloads/studies/BSA_GSS_US.pdf

The following article also covers the perspectives mentioned in the presented framework, although it doesn't use a layered approach. Please scan it through to get the main points. You should come back to this article throughout the course for the focused perspective in respective module. For this module, you only need to know what perspectives are considered.

Johnson, E., & Goetz, E., (2007). Embedding Information Security into the Organization. IEEE Security & Privacy, May/June 2007.

After you have "strategically" read the above materials, and, more importantly, thought about them critically and interconnectively, compose a 4- to 6-page paper on the topic:

Comparisons of Information Security Management Frameworks

In preparing your paper, you need to discuss the following issues, and support with arguments and examples:

• What are the benefits of having frameworks for information security management?
• What are the frameworks of information security management? Their pros and cons?
• What are the major perspectives to consider in information security management and framework choice?
• What organizational factors should be considered in the framework choice?
• You may even expand what you learned here and come up with a better framework. Give it a try, although it is not required.

Assignment Expectations

Length: Minimum 4-6 pages excluding cover page and references (since a page is about 300 words, this is approximately 1,200-1,800 words).

Attachment:- Module_Information.rar