Related questions
Choosing The Right Security Framework For Your Organization
The many challenges related to building and running an information security program can be overwhelming. The chief information security officer (CISO) is responsible for running Identity And Access Management (IAM), Data Loss Prevention (DLP) and many other security programs. On top of those daunting considerations are the complex areas of governance, risk and regulatory compliance. One of the most effective ways to build and maintain these programs is to use a hybrid security framework that is customized to meet business objectives, and to define policies and procedures for implementing and managing controls in the organization. It should be tailored to outline specific security controls and regulatory requirements that impact the business.
Common Security Frameworks
To better understand security frameworks, let’s take a look at some of the most common and how they are constructed.
NIST SP 800-53
First published in 1990, National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) provides guidance to help U.S. federal government agencies comply with Federal Information Processing Standards (FIPS). Although the framework establishes security standards and guidelines for government agencies and federa information systems, it is also widely followed in the private sector. It is considered to generally represent industry best practices.
COBIT
The Information Security Audit and Control Association (ISACA) produced the Control Objectives for Information Related Technology (COBIT) framework in 1996 to focus on risk reduction in financial organizations. It is also commonly used to comply with the Sarbanes-Oxley Act (SOX). With the latest revision, COBIT has evolved to address best practices for aligning information technology functions and processes, and linking them to business strategy.
ISO 27000 Series
International Organization of Standardization (ISO) 27000 is a set of broad standards covering an array of privacy,
confidentiality and IT security best practices published jointly with the International Electrotechnical Commission (IEC).
These standards are designed to help organizations address their risks with appropriate controls. The series includes several subset frameworks specific to various industry types. For example, ISO 27799 defines standards and best practices for the healthcare industry.
CISQ
The Consortium for IT Software Quality (CISQ) developed standards for automating the measurement of software size and structural quality. These standards, which are based on exploits identified by the SANS [SysAdmin, Audit, Network and Security] Institute, the Open Web Application Security Project (OWASP) and Common Weakness Enumeration (CWE), are commonly used to manage risks such as application security. Building a Hybrid Security Framework organizations can also leverage a hybrid framework by choosing specific controls from other frameworks to meet their compliance requirements and business needs. Typically, hybrid models consist of cherry-picked controls from other standards that are driven by industry compliance requirements.
The Road Ahead
There is no such thing as a one-size-fits-all approach to security, and each framework has its pros and cons.
Organizations vary in their complexity and maturity, from small, niche industries to global conglomerates and
governments. For this reason, it’s important to research the available security frameworks and balance the benefits and drawbacks of each approach.
A hybrid framework can help organizations meet their unique business objectives and compliance requirements. This approach enables flexibility and ensures continued functionality as the technology and threat landscapes shift.
Organizations with more basic needs might opt to become certified in an individual standard such as ISO 27000 or PCI DSS.
Whichever framework or combination of frameworks your organization selects, a comprehensive strategy to defend
against potential threats while keeping data secure is more crucial than ever.
QUESTION 2
There is no such thing as a one-size-fits-all approach to security, and each framework has its pros and cons.
Critically analyze the statement given above
Step by stepSolved in 4 steps
- Examine the benefits and drawbacks of information security division of roles within an organization's information security procedures by using a plausible scenario, and compare and contrast your findings.arrow_forwardThe organization you work for in Abu Dhabi is a startup company with 2 years in business. To comply with regulations, your CISO has decided to propose implementation of Information Security Management System (ISMS). As a member of the security team, you have to analyze the business needs for ISMS. Demonstrate effective contributions to the ISMS project team relevant to an assigned task as below: Introduce the Organization Demonstrate your project team Highlight the roles and responsibilities of each team member on the project Develop the ISMS for the organization by utilizing all the steps of from the ISO Standard 27001.arrow_forwardThe majority of individuals concur that creating proper security rules and consistently implementing them are necessary actions to take. An explanation of why creating, implementing, and maintaining security rules is so important.arrow_forward
- Creating adequate security rules and ensuring that they are constantly adhered to is generally regarded to be crucial. Discuss why it is so important for your organization to create, implement, and maintain security standards.arrow_forwardThe need for appropriate Security Policies and consistent enforcement is well established. Discuss the reasons why it is important that security polices to be developed, implemented, and maintained.arrow_forwardWhat is a SIEM and a SOAR? What are their key differences and how do you see each playing a role in information security? Explain.arrow_forward
- What are the main reasons to implement security policies within an organization? How is quantitative analysis different from qualitative analysis? What are some or the early steps taken during the initial phases of the system development life cycle? How can pre-employment processing improve the security of an organization?arrow_forwardChoosing The Right Security Framework For Your Organization The many challenges related to building and running an information security program can be overwhelming. The chief information security officer (CISO) is responsible for running Identity And Access Management (IAM), Data Loss Prevention (DLP) and many other security programs. On top of those daunting considerations are the complex areas of governance, risk and regulatory compliance. One of the most effective ways to build and maintain these programs is to use a hybrid security framework that is customized to meet business objectives, and to define policies and procedures for implementing and managing controls in the organization. It should be tailored to outline specific security controls and regulatory requirements that impact the business.Common Security FrameworksTo better understand security frameworks, let’s take a look at some of the most common and how they are constructed.NIST SP 800-53First published in 1990, National…arrow_forwardPurposeThis course project is intended to assess your ability to identify, design, and organize information technology (IT) security policies.Learning Objectives and OutcomesSuccessful completion of this project will ensure that you can develop draft IT security policies for an organization and apply learning constructs from the course. By the end of this project, you will be able to do the following:Evaluate compliance laws relevant to the U.S. Department of Defense.Assess policy frameworks appropriate for an organization in a given scenario.Evaluate security controls and standards for the seven domains of a typical IT infrastructure.Develop DoD-compliant policies for an organization’s IT infrastructure.Required Source Information and ToolsWeb References: Links to Web references in this document and related materials are subject to change without prior notice. These links were last verified on January 4, 2022. The following tools and resources will be needed to complete this…arrow_forward
- what is the proper timeline for meeting cybersecurity program objectives.arrow_forwardCreating adequate security rules and ensuring that they are constantly adhered to is generally regarded to be crucial. Discuss why it is so important for your organization to create, implement, and maintain security standards.arrow_forwardAs CISO, you are responsible for creating an information security program that is supported by a framework. Discuss some of the primary components of an information security program that you believe are necessary.arrow_forward