Choosing The Right Security Framework For Your Organization The many challenges related to building and running an information security program can be overwhelming. The chief information security officer (CISO) is responsible for running Identity And Access Management (IAM), Data Loss Prevention (DLP) and many other security programs. On top of those daunting considerations are the complex areas of governance, risk and regulatory compliance. One of the most effective ways to build and maintain these programs is to use a hybrid security framework that is customized to meet business objectives, and to define policies and procedures for implementing and managing controls in the organization. It should be tailored to outline specific security controls and regulatory requirements that impact the business. Common Security Frameworks To better understand security frameworks, let’s take a look at some of the most common and how they are constructed. NIST SP 800-53 First published in 1990, National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) provides guidance to help U.S. federal government agencies comply with Federal Information Processing Standards (FIPS). Although the framework establishes security standards and guidelines for government agencies and federa information systems, it is also widely followed in the private sector. It is considered to generally represent industry best practices. COBIT The Information Security Audit and Control Association (ISACA) produced the Control Objectives for Information Related Technology (COBIT) framework in 1996 to focus on risk reduction in financial organizations. It is also commonly used to comply with the Sarbanes-Oxley Act (SOX). With the latest revision, COBIT has evolved to address best practices for aligning information technology functions and processes, and linking them to business strategy. ISO 27000 Series International Organization of Standardization (ISO) 27000 is a set of broad standards covering an array of privacy, confidentiality and IT security best practices published jointly with the International Electrotechnical Commission (IEC). These standards are designed to help organizations address their risks with appropriate controls. The series includes several subset frameworks specific to various industry types. For example, ISO 27799 defines standards and best practices for the healthcare industry. CISQ The Consortium for IT Software Quality (CISQ) developed standards for automating the measurement of software size and structural quality. These standards, which are based on exploits identified by the SANS [SysAdmin, Audit, Network and Security] Institute, the Open Web Application Security Project (OWASP) and Common Weakness Enumeration (CWE), are commonly used to manage risks such as application security. Building a Hybrid Security Framework organizations can also leverage a hybrid framework by choosing specific controls from other frameworks to meet their compliance requirements and business needs. Typically, hybrid models consist of cherry-picked controls from other standards that are driven by industry compliance requirements. There is no such thing as a one-size-fits-all approach to security, and each framework has its pros and cons. Organizations vary in their complexity and maturity, from small, niche industries to global conglomerates and governments. For this reason, it’s important to research the available security frameworks and balance the benefits and drawbacks of each approach. A hybrid framework can help organizations meet their unique business objectives and compliance requirements. This approach enables flexibility and ensures continued functionality as the technology and threat landscapes shift. Organizations with more basic needs might opt to become certified in an individual standard such as ISO 27000 or PCI DSS. Whichever framework or combination of frameworks your organization selects, a comprehensive strategy to defend against potential threats while keeping data secure is more crucial than ever. QUESTION 1 The Detailed Security Risk Analysis approach is believed to provide the most accurate evaluation, (Stallings & Brown 2018: 490) of an organization’s IT system’s security risks, even though it comes at the highest cost. This approach has evolved with the development of trusted computer systems, initially focused on protecting the confidentiality of information and reflecting the military concern with information classification. Provide a detailed exposition of the steps that must be followed in carrying out a Detailed Security Risk Analysis.

Database System Concepts
7th Edition
ISBN:9780078022159
Author:Abraham Silberschatz Professor, Henry F. Korth, S. Sudarshan
Publisher:Abraham Silberschatz Professor, Henry F. Korth, S. Sudarshan
Chapter1: Introduction
Section: Chapter Questions
Problem 1PE
icon
Related questions
Question

Choosing The Right Security Framework For Your Organization

The many challenges related to building and running an information security program can be overwhelming. The chief information security officer (CISO) is responsible for running Identity And Access Management (IAM), Data Loss Prevention (DLP) and many other security programs. On top of those daunting considerations are the complex areas of governance, risk and regulatory compliance. One of the most effective ways to build and maintain these programs is to use a hybrid security framework that is customized to meet business objectives, and to define policies and procedures for implementing and managing controls in the organization. It should be tailored to outline specific security controls and regulatory requirements that impact the business.
Common Security Frameworks
To better understand security frameworks, let’s take a look at some of the most common and how they are constructed.
NIST SP 800-53
First published in 1990, National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) provides guidance to help U.S. federal government agencies comply with Federal Information Processing Standards (FIPS). Although the framework establishes security standards and guidelines for government agencies and federa information systems, it is also widely followed in the private sector. It is considered to generally represent industry best practices.
COBIT
The Information Security Audit and Control Association (ISACA) produced the Control Objectives for Information Related Technology (COBIT) framework in 1996 to focus on risk reduction in financial organizations. It is also commonly used to comply with the Sarbanes-Oxley Act (SOX). With the latest revision, COBIT has evolved to address best practices for aligning information technology functions and processes, and linking them to business strategy.
ISO 27000 Series
International Organization of Standardization (ISO) 27000 is a set of broad standards covering an array of privacy,
confidentiality and IT security best practices published jointly with the International Electrotechnical Commission (IEC).
These standards are designed to help organizations address their risks with appropriate controls. The series includes several subset frameworks specific to various industry types. For example, ISO 27799 defines standards and best practices for the healthcare industry.
CISQ
The Consortium for IT Software Quality (CISQ) developed standards for automating the measurement of software size and structural quality. These standards, which are based on exploits identified by the SANS [SysAdmin, Audit, Network and Security] Institute, the Open Web Application Security Project (OWASP) and Common Weakness Enumeration (CWE), are commonly used to manage risks such as application security. Building a Hybrid Security Framework organizations can also leverage a hybrid framework by choosing specific controls from other frameworks to meet their compliance requirements and business needs. Typically, hybrid models consist of cherry-picked controls from other standards that are driven by industry compliance requirements.

There is no such thing as a one-size-fits-all approach to security, and each framework has its pros and cons.
Organizations vary in their complexity and maturity, from small, niche industries to global conglomerates and
governments. For this reason, it’s important to research the available security frameworks and balance the benefits and drawbacks of each approach.
A hybrid framework can help organizations meet their unique business objectives and compliance requirements. This approach enables flexibility and ensures continued functionality as the technology and threat landscapes shift.
Organizations with more basic needs might opt to become certified in an individual standard such as ISO 27000 or PCI DSS.
Whichever framework or combination of frameworks your organization selects, a comprehensive strategy to defend
against potential threats while keeping data secure is more crucial than ever.

QUESTION 1

The Detailed Security Risk Analysis approach is believed to provide the most accurate evaluation, (Stallings & Brown 2018: 490) of an organization’s IT system’s security risks, even though it comes at the highest cost. This approach has evolved with the development of trusted computer systems, initially focused on protecting the confidentiality of information and reflecting the military concern with information classification. Provide a detailed exposition of the steps that must be followed in carrying out a Detailed Security Risk Analysis.

Expert Solution
steps

Step by step

Solved in 3 steps

Blurred answer
Knowledge Booster
Maintenance
Learn more about
Need a deep-dive on the concept behind this application? Look no further. Learn more about this topic, computer-science and related others by exploring similar questions and additional content below.
Similar questions
Recommended textbooks for you
Database System Concepts
Database System Concepts
Computer Science
ISBN:
9780078022159
Author:
Abraham Silberschatz Professor, Henry F. Korth, S. Sudarshan
Publisher:
McGraw-Hill Education
Starting Out with Python (4th Edition)
Starting Out with Python (4th Edition)
Computer Science
ISBN:
9780134444321
Author:
Tony Gaddis
Publisher:
PEARSON
Digital Fundamentals (11th Edition)
Digital Fundamentals (11th Edition)
Computer Science
ISBN:
9780132737968
Author:
Thomas L. Floyd
Publisher:
PEARSON
C How to Program (8th Edition)
C How to Program (8th Edition)
Computer Science
ISBN:
9780133976892
Author:
Paul J. Deitel, Harvey Deitel
Publisher:
PEARSON
Database Systems: Design, Implementation, & Manag…
Database Systems: Design, Implementation, & Manag…
Computer Science
ISBN:
9781337627900
Author:
Carlos Coronel, Steven Morris
Publisher:
Cengage Learning
Programmable Logic Controllers
Programmable Logic Controllers
Computer Science
ISBN:
9780073373843
Author:
Frank D. Petruzella
Publisher:
McGraw-Hill Education