Comparisons of Information Security Management Frameworks
Today’s economy depends on the secure flow of information within and across organizations. Thus, information security is an issue of vital importance. A secure and trusted environment for stored and shared information greatly enhances consumer benefits, business performance and productivity, and national security. Conversely, an insecure environment creates the potential for serious damage to governments and corporations that could significantly undermine consumers and citizens. The stakes are particularly high for businesses engaged in critical activities, such as electrical power generation, banking and finance, or healthcare.
It can be very overwhelming for a …
What makes these frameworks so amazing is that there is an overlap between them, so “crosswalks” can be built to show compliance with different regulatory standards. For example, ISO 27002 defines information security policy in section 5; COBIT defines it in the section "Plan and Organize"; Sarbanes-Oxley defines it as "Internal Environment"; HIPAA defines it as "Assigned Security Responsibility"; and PCI DSS defines it as "Maintain an Information Security Policy." By using a common framework like ISO 27000, a company can then use this crosswalk process to show compliance with multiple regulations such as HIPAA, Sarbanes-Oxley, PCI DSS and GLBA, to name a few (Granneman, J.).
The decision to use a particular IT security framework is driven by multiple factors. The type of industry or the compliance requirements can be the deciding factors. COBIT is known to be used by publicly traded companies in order to comply with Sarbanes-Oxley. The magnum opus of information security frameworks is the ISO 27000 series, because it is applicable in any industry. However, it is best used where the company needs to market its information security capabilities through ISO 27000 certification. The standard required for United States federal agencies is NIST SP 800-53. The beauty of this framework is that it can also be used by any company to build a technology-specific information security plan.
Effective IT security