Information Security Governance - Assignment Example

Summary
The present assignment, "Information Security Governance", addresses the issue of information security. According to the text, Information Security Governance is the subset of enterprise governance that provides strategic direction and manages risk. …

Extract of sample "Information Security Governance"

Information Security Governance

Question 1: Identify three information security governance models currently in use in industry. Explain each model.

Information Security Governance is the subset of enterprise governance that provides strategic direction and manages risk. It also ensures that objectives are met by using organizational resources and by monitoring the failure or success of the organization's security programs. Information security is a complex process because of both technology and governance considerations, so the selection of appropriate standards from the diverse information security standards available is essential. The following are the most important information security governance models.

1. COBIT (Control Objectives for Information and Related Technology)
COBIT is the "Control Objectives for Information and Related Technology" model created by ISACA. It provides accepted measures, processes and indicators for the best use of information technology and its control in enterprises. COBIT defines 34 information and technology processes, grouped into four domains:
i. Plan and Organize
ii. Acquire and Implement
iii. Deliver and Support
iv. Monitor and Evaluate
The focus is on the elements related to information security (Brotby, 2009).

2. SABSA (Sherwood Applied Business Security Architecture)
The "Sherwood Applied Business Security Architecture" (SABSA) is a business-focused and business-driven methodology. Business relationships, objectives, risks, constraints and strategy all inform the security architecture and the organization's needs (Sherwood, Clark and Lynas, 2009).

3. CMM (Capability Maturity Model)
The Capability Maturity Model (CMM) is applied to organizational processes. It was initially defined for software development processes and defines several maturity levels. The model determines the maturity of an enterprise's risk management strategy and information security (Zia, 2010).

Question 2: Describe at least three advantages and disadvantages of each model.

Advantages and disadvantages of COBIT
As an information security governance model, COBIT assures compliance with regulatory needs and the efficiency of the organization as a whole. It provides important management tools for the control of IT activities and an environment that is very conducive to management in audit functions (Mataracioglu and Ozkan, 2011). COBIT determines the right things for the organization to adopt, described in the model as best practices (Solms and Solms, 2008). One of the biggest disadvantages of COBIT is that applying it to IT assessment and using it to support IT governance requires a great deal of knowledge. It gives no specification of what should be reflected from the processes and activities, so no two analysts would reach the same conclusion about the maturity of an IT organization (Clark, 2008).

Advantages and disadvantages of the SABSA model
SABSA approaches the security issues of the organization through different levels. The model emphasizes the duality of risk, keeping a balance between threat and opportunity, and provides risk management for all stages of the SABSA lifecycle. It is compliant with standards such as ITIL, ISO 27002 and COBIT. SABSA is advantageous because it is robust and supported by different tools and frameworks, which were created from practical experience (Brotby, 2009). However, it sometimes cannot meet business expectations in the information systems industry. The SABSA model is complex, and not everyone can understand the architecture. It is also not successful unless senior management sponsors it (Sherwood, Clark and Lynas, 2009).

Advantages and disadvantages of the Capability Maturity Model (CMM)
CMM is a process improvement model used to assess an organization against maturity levels. Each maturity level covers diverse areas such as risk management, systems engineering and personnel management. The model is easy to use, intuitive and has a subjective approach. The maturity level of different security processes is measured to check whether these measures meet the objectives. The model is advantageous because it lets organizations continue through its stages and methods in the way they prefer (Brotby, 2009). At CMM maturity level 1, IT risk management is only ad hoc. The CMM lacks flexibility because the factors involved in an organization's success differ from one organization to another. The CMM is also complex, like the other models, and it does not address the process improvement of the people in an organization (Zia, 2010).

Question 3: If you were CISO of a large enterprise, which security governance model would you recommend your organization follow? Why?

The COSO ("Committee of Sponsoring Organizations") framework has been considered a broad framework for all functions across companies. However, it does not address security issues and does not detail controls. A Chief Information Security Officer is involved in the risk management process and determines the strength of controls. A CISO must monitor the actions and strategic plans and know the level of success of information security. Identifying and prioritizing resources and protection needs results in the development of information security baselines. In the enterprise, the baseline can consist of personnel, procedural and technical standards. The globally accepted standards for baseline development are COBIT, NIST, FIPS Publication 2000 and ISO/IEC 27002; COBIT is the most important standard for baseline development (Brotby, 2009).

As CISO, I would use the COBIT governance model because it is geared to management in an enterprise and enables IT sponsors and responsible persons to manage and control IT governance. I would also recommend COBIT because it provides the elements necessary for developing information security planning and allows best practices to be adjusted to the business. It allows information security to be framed so that security and IT requirements are understood, in order to design the procedures and policies for risk management and for information security as an enterprise asset. COBIT was created by the "IT Governance Institute", which is an important part of the "Information System Audit and Control Association", and is used to control the entire IT function in an enterprise. The CISO would also suggest using COBIT as a reference and combining it with another framework, ISO 17799, to obtain detailed information on security governance (Zia, 2010).

References:
Brotby, K. (2009). Information Security Governance. John Wiley & Sons.
Clark, L.T. (2008). "Information Security Governance: Standardizing the Practice of Information Security". EDUCAUSE, Issue 17.
Mataracioglu, T. and Ozkan, S. (2011). "Governing Information Security in Conjunction with COBIT and ISO 27001". Available from http://arxiv.org/ftp/arxiv/papers/1108/1108.2150.pdf, accessed on 14/02/2013.
Sherwood, J., Clark, A. and Lynas, D. (2009). "Enterprise Security Architecture". White Paper, SABSA Limited.
Solms, V.S. and Solms, V.R. (2008). Information Security Governance. Springer.
Zia, T. (2010). "An Analytical Study of IT Security Governance and Its Adoption in Australian Organizations". Proceedings of the 8th Australian Information Security Management Conference.