Components of an Information Security Framework

Description: The graph below is designed to explain the importance of the different aspects of information security and their place in the information security framework. It includes the main aspects and components of security frameworks as described by Patil (2008): people, technology and process. It highlights the necessary steps of information security in an organization and provides a visualization of the data transferred and processed by IT systems.

Support: The visual aid below is designed to help those involved in information security understand the flow of information and the different processes of securing, encoding and retrieving data within information systems. It is also useful for those who would like to know how data can be filtered in order to avoid information overload, and what the different stages of filtering are. The flowchart model was selected to help the audience understand which processes are involved in transforming people’s input into readable, safe and analyzable data.


Visual Aid Script

  1. Input/People

Input is made by employees, third parties and the system itself. Inputs can be diverse in terms of data quality, level of processing and data type.

  2. Technology

Technology needs to be in place to pre-filter data and select categories and sub-categories automatically. The technology should be designed to reduce the use of system resources and prepare data for processing. System storage is a tool that is able to securely store information before processing. While this is not necessary, it can be a useful feature. Companies need to make an informed decision considering the use of storage, resources and the regulations regarding backing up data. Post-filtering and encoding are successful methods to eliminate security risks, prevent unauthorized use of data and protect customers’ details. Encoding is the oldest and most successful method of protecting written information. Pre-filtering allows users to select which type of information they would like to see and in which form.


  3. Process

Processing data is important for selecting visualization methods. The methods can be determined by the graphics engine, which sets the visualization based on user preferences from the encoded data. Logging and reporting is a feature of the process that allows users to share information safely and to select which part of the information is shared. The creation of graphs and reports is a good way of monitoring network security. IDS RainStorm is a tool that is built into data processing systems, allowing administrators to identify and eliminate risk factors in the information system. Glossing is another tool, designed to create alarm glyphs whenever a security risk is identified based on sender, data type, security certificates and source of data. Filtering is an additional tool that can be user-defined to determine default views and the details to be processed and displayed.


Results

Following the above simple and detailed information security framework has various benefits. First, it prevents information overload within organizations and internet systems. This results in a reduced use of resources, both technological and human. Time spent filtering information can be reduced, and this can have a positive impact on the speed of processing, answering e-mails and queries, and processing data sent through servers. Secondly, it provides advanced filters that constantly measure the risks associated with information transfer through servers.


Audience Questions

  1. How can balance be achieved among organization, people, process and technology, taking into consideration the risks involved in using information security systems?

A: There is a need for advanced organizational support from management. It is important to employ people with high competency in secure data processing and information technology. Creating and communicating a security strategy and providing adequate training for employees is essential, while enabling people to participate in the design and implementation process is also important. Eliminating technological, organizational and human risk is a complex design goal, aimed at achieving a higher level of information security, preventing information overload and allowing safe interaction within the company.


  2. What is an ideal information security culture like in an organization?

A: An information security culture needs to be intentional instead of functional, according to a recent ISACA report (2009, p. 21). Technologies need to be based on continuous risk assessment and process improvement. Security needs to be built into every project from the beginning. For example, when introducing a new system for interacting with customers online through the website, the design needs to include security measures. Creating awareness and gaining commitment regarding security is also important at an organizational level. Potential risks need to be communicated regularly.


  3. Which government-approved security frameworks are best to implement in an organization?

A: There are different frameworks approved by the government, offering the same measures as seen in the visual aid. One of the most common is ISO/IEC 27001 & 27002 (formerly ISO 17799), used by organizations to obtain security certificates for their information technology and to protect their data and customer information. Another framework is the Federal Enterprise Architecture Framework (FEAF). To make an informed decision, an organization needs to assess which framework applies most to its business, based on the level of security the system provides, industry requirements and internal policies. (Security Architecture, 2009, p. 5)

References

Abdullah, K., Lee, C. P., Conti, G., Copeland, J. A., and Stasko, J. (2005, October). IDS RainStorm: Visualizing IDS Alarms. Proc. IEEE Workshops Visualization for Computer Security (VizSEC). IEEE CS Press, pp. 1-10. Retrieved from: http://www.rumint.org/gregconti/publications/20050813_VizSec_IDS_Rainstorm.pdf

Aneja, A., Rowan, C., & Brooksby, B. (2000, January). Corporate Portal Framework for Transforming Content Chaos on Intranets. Intel Technology Journal. Intel Corporation. Retrieved from: http://download.intel.com/technology/itj/q12000/pdf/portal.pdf

Burns, J. and Madey, G. R. (2001). A Framework for Effective User Interface Design for Web-Based Electronic Commerce Applications. Informing Science, Vol. 4 No. 2, 67-75. Retrieved from: http://inform.nu/Articles/Vol4/v4n2p067-075.pdf

Conti, G., Abdullah, K., Grizzard, J., Stasko, J., Copeland, J. A., Ahamad, M., et al. (2006, April). Countering Security Information Overload through Alert and Packet Visualization. IEEE Computer Society. Retrieved from: http://www.juliangrizzard.com/pubs/2006_conti_cga.pdf

Eppler, M. J. and Mengis, J. (2004). The Concept of Information Overload: A Review of Literature from Organization Science, Accounting, Marketing, MIS, and Related Disciplines. The Information Society, 20, 325-344. Retrieved from: http://www.bul.unisi.ch/cerca/bul/pubblicazioni/com/pdf/wpca0301.pdf

ISACA (2009) An Introduction to the Business Model for Information Security. Retrieved from: http://www.isaca.org/Knowledge-Center/Research/Documents/Intro-Bus-Model-InfoSec-22Jan09-Research.pdf

Juvvadi, S. (2003, June). Requirements for Managing Security Information Overload. GIAC Security Essentials Practical Assignment Version 1.4b. SANS Institute. Retrieved from: http://www.sans.org/reading_room/whitepapers/services/requirements-managing-security-information-overload_1147

Patil, J. (2008). Information Security Framework: Case Study of a Manufacturing Organization. Mercy College.

Security Architecture Website (2009). Security Management Frameworks. Retrieved from: http://securityarchitecture.com/docs/Security_Management_Frameworks.pdf