Acct 521 - Information Systems
Essay by Natasha Pendleton • June 25, 2017 • Research Paper • 2,079 Words (9 Pages) • 990 Views
Management Information Security
6/23/2016
Acct 531
Natasha Pendleton
ABSTRACT
The evaluation of information systems security is a process in which the evidence for assurance is gathered, identified and analyzed against criteria for security functionality and assurance levels. Security metrics are important indicators of how well security services are present in the information systems and can be used to measure an organization's security maturity level. Security measures help to improve an organization's performance and understanding. These are important aspects to be understood by users of information systems, since the problems they normally face are related not only to technology but also to their environments.
INTRODUCTION
There is a growing recognition of the role of management in protecting organizational information from a range of security risks. Those risks include the leaking of trade secrets and intellectual property, the disruption of critical systems and malicious attacks from both insiders and outsiders. Policy is a critical formal control through which management provides strategic and tactical guidance on a range of issues. Those issues can include the acceptable use of information technologies, security structures, and the roles and processes to be instituted. Security researchers have consistently argued that the effectiveness of the managerial practices associated with security policy is critical to a successful organization.
Deficiencies of IS
In order to discuss information security we must first point out the deficiencies from a management perspective, which include four main deficiencies:
- Lacks a holistic view of the policy lifecycle
- Lacks consistency in terminology and explanation
- Includes varying levels of granularity in describing policy management activities
- Makes it difficult to extricate guidance on policy management from that of other practice areas such as risk management and security education, training and awareness.
The first deficiency, the lack of a holistic view of the policy lifecycle, can be identified in the existing policy development lifecycles. Bayuk (1997) presents a process with a narrow view that focuses on the development of policy documents and does not include any practices related to the implementation and maintenance of the policy. It consists of several steps, starting with identifying assets and then forming a team to develop the policy. Next the draft policy is created, and then the policy goes through a review process leading to approval and publishing.
The second deficiency is that existing policy lifecycles lack consistency in terminology and explanation. One approach takes a more holistic view of the policy development process; it suggests that there are overlapping concepts such as monitoring, compliance and enforcement. These three concepts are shown in the approach as three different activities that represent management's efforts to ensure that the policy is being adhered to by employees. Referring to the three concepts as one, or by different terms, may cause confusion among security practitioners embarking on the process of policy development (Whitman 2008).
The third deficiency is the use of varying levels of granularity in describing policy management activities. Policy lifecycles differ in their level of detail and in their emphasis on particular aspects of policy development. Hare (2002) presents the security policy development process in a systematic way; however, details are lacking about how the policy will be published and how it will be communicated and enforced. The development process does not discuss the issue of user compliance with the policy, or the role of user awareness and training in communicating and enforcing security policy in organizations.
The fourth deficiency is the difficulty of extricating guidance on policy management from that of other practice areas. It is very important to have risk assessment as an input to the policy development process, and there is also a need for security awareness and training to communicate and enforce policy. It can be argued that conducting risk assessment and developing security awareness and training programs are not part of the security policy lifecycle. Policy development lifecycles go beyond the development of a security program in an organization; they address security policy, risk assessment, technical controls and incident response (Olnes, 1994).
Development Stage
Information security managers in an organization must participate in the process of developing the information security policy and help establish a policy development team. This includes two main activities: identifying the key stakeholders who should be involved in the development of the policy, and helping to define roles and responsibilities.
It is important to involve key stakeholders in the security development process to help ensure the success of the development, implementation and evaluation stages. A team of representative stakeholders from across the organization, at all levels, should be assembled. Those representatives may include technical personnel, process owners, decision makers, managers, the legal department, the human resource department, users, and other functional-area personnel affected by the new policy (Maynard, 2011). A security policy developed for a specific department in the organization may involve fewer people in the development process than a policy developed for the entire organization.
It is important to clearly define the roles and responsibilities of the development team members in order to avoid delays in the development process caused by the interpersonal challenges and political objections that may occur. Maynard (2010) asserts that while many authors emphasize the importance of involving different stakeholders in the development process, the roles of these stakeholders remain unclear. He also points out that authors simply name the stakeholders who need to be involved in the development process without specifying what each group of people should do in that process.
After establishing a development team, the organization should next determine its security needs. A good understanding of the organization's current situation and a sufficient understanding of its security objectives and goals are required. This can be achieved by conducting a thorough investigation of the problem facing the organization (Whitman 2008). It consists of two activities: identifying security requirements and assessing the organization's current policies and procedures.
...
...