Information Security Governance Papers

Paper Title: Interpreting the Framework

Abstract: This framework is a work in progress. It is designed to be a tool to guide and encourage senior corporate executives and managers to adopt corporate best practices for security. The framework represents a two-fold benefit to those organizations that adopt it. First, it identifies cornerstone security practices that nearly all organizations are following. Second, it makes recommendations about where in the organization the responsibility best fits so that the integration of those practices evolves into a corporate climate of security. The framework poses three sets of questions with regard to information security:
1. What am I required to do?/What am I afraid not to do?
2. How do I accomplish my objectives?
3. How effectively do I achieve my objectives?/What adjustments do I need to make?

At each level of the organization, these questions result in different answers, yet all can yield a consistent response to information security responsibilities. The first set of questions identifies the drivers behind security objectives – drivers that will be different for different businesses and industries. For example, is adherence to regulations or legislation driving the need for security controls? Or is the driver a market condition such that a company will experience significant brand erosion in the event of a cyber attack? The second question refers to the programs and processes to be put in place to accomplish organizational security objectives. These programs are common to almost all organizations, no matter what their market. The last set of questions focuses on assessing risk, measuring the effectiveness of security controls, and making improvements as necessary. Like the first set of questions, these tend to be more company and industry specific.

Because the framework describes proactive actions that managers at various organizational levels can take to secure their information systems, it not only clarifies roles and responsibilities, but also helps management select a security practice reference (like ISO 17799) that is appropriate for their organization.
Web Link: http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04CBD9D76460B4BED0E67.ashx

