Common Security Framework Overview, Research Paper Example

IT Security Framework

The IT Security framework is considered as the most wide-ranging framework model that guarantees entire security solutions of information by reducing business risks. In addition, information security does not only focus on technological aspects, but also pointing out other core elements in an organization. For instance people, procedures, business methodologies etc. this is also considered as mandatory for information security.

The complete information security framework should include the following main characteristics (HITRUST):

• Recommended sound security governance practices (e.g., organization, policies, etc.).
• Recommended sound security controls practices (e.g., people, process, technology).
• A guide to help reconcile the framework to common and different aspects of generally adopted standards (e.g., COBIT, HIPAA, etc.).
• An analysis of risk or implications for each component of the framework.
• A guide of acceptable options or alternatives and criteria, to aid in tailoring to an organizations operating environment.
• A guide for implementation and monitoring.
• Toolset for organizations to test compliance against the framework (HITRUST).

A complete security framework comes down to three well-known basic components: people, technology, and procedures. When these three elements are correctly assembles such as, the people, technology, and process fundamentals of information security program that works together in order to secure the environment and stay consistent with organization’s objectives.

The policies and the practices in any organization is established by the Information Security framework. This framework is utilized for assessing the organization’s current information security framework that offers a roadmap for the estimation and enhancement related to the information security policies and practices. Moreover, many information securities related frameworks are studied for this paper. However, the chosen information security framework is considered as the representative of the entire information security framework in the literature.

IT Security Policy

1. An External Storage is assigned to the employee based on the role and nature of assigned work. This decision shall be made by Director and other Department Heads in accordance with the policy.
2. Before assigning the External Storage, Department Head shall discuss the prescribed data security controls with the employees that are essential to keep the data safe. Department Head may involve Information Security Officer for reinforcement of the intent and purpose of the security controls.
3. ISO shall develop the department wise IT controls list department wise that must be applied on each external storage device. Other than this, more controls can also be applied (if required).
4. All websites will be restricted by default and only specific websites will be allowed as per the job description of the Employees. However, policy exception can be granted to specific websites by the approval of head of departments.
5. IT team shall apply the controls and ISO shall verify the configuration. For exceptions, the employee shall email Policy Suspension and with the Department Head approval, IT will suspend the controls for specified time duration.
6. The Department Head ensures that the IT team has applied the data security controls before handing over the laptop to the employee.

The challenges are alarming for management in providing IT security. In fact, information system assets are substantial even for small organizations including data bases and files related to personnel, company operation, financial matters and etc.

After the mapping of IT security framework, it is revealed that the selected framework maps well with the Company’s information security framework. The only dissimilarity among the two frameworks is that the roles and responsibilities of the drivers are different. Even though, the company has suitable information security framework in place but there are few suggestions as follows:

Training

In order to create invasive security environment, the significant information security to the organization must be widespread. To strengthen the behavioral changes, several approaches may be undertaken. Workforce should be trained in security awareness and suitable Security practices (Sipior & Ward, 2008). Also, consultants should be made responsive of all the policies and procedures.

Password Policy

The ABC Company has password policy in place but they have not implemented the Password policy. The password policy is significant security criteria.

Confidentiality agreement

No confidential agreements with the third party contractors are present in many cases. For instance, in few organizations the consultant has to sign the confidentiality agreement if he joins the client’s location.

Physical security

Physical security is not available for computer systems. The organization must have some kind of locking system that can help to control stealing PCs or hardware.

Information is considered as the core element or vital asset in any organization. A well-established IT security framework is needed in order to protect information in any organization. However, it is also making into consideration that in any organization, IT security framework is an ongoing process. In order to ensure the adequate protection of information resources, continuous enhancements in response to environmental incidences or interviews are required (Ezingeard & Bowen-Schrire, 2007). To assess the capability of current practices, measuring and reporting of risks, control issues, and vulnerabilities are compulsory (Purtell, 2007). In modern days, cyber-attacks and information security breaches are common and are increasing day by day. Therefore, it is important for all the organizations to focus on information security. To make sure information security, the organization must understand that information security is not solely a technological issue. The organization should also consider the non-technical aspect related to information security while developing the information security framework in organization.

References

HITRUST Common Security Framework Overview from http://www.hitrustalliance.org

Ezingeard, J., & Bowen-Schrire, M. (2007). Triggers of change in information security management practices. Journal of General Management, 32(4), 53-72.

Purtell, T. (2007). A new view on it risk. Risk Management (00355593), 54(10), 28-33.

Sipior, J. C., & Ward, B. T. (2008). A framework for information security management based on guiding standards: A united states perspective. Issues in Informing Science & Information Technology, 5, 51-60.