An Organisational Model for Information Security Assessment

As the importance of information and the supporting technology has increased, so too has the imperative to ensure its security. Security assessment is driven by regulatory compliance and the need to provide stakeholder assurance that information assets are adequately protected. A comprehensive and effective security assessment framework is thus vital to both corporate governance and management of security spending and investment. However, there is little evidence that such a framework is either available or widely adopted. Information security practices that are based on well established practices are usually used to assess the effectiveness of the security function within an organization. Evidence indicates, however, that despite organisational alignment and compliance with standards, losses associated with security incidents continue to occur and are on the increase. Two conclusions can be drawn: that the security controls defined by standards and frameworks are necessary but insufficient to ensure security; and that the measurement tools that support the management of information security are either not implemented or not available. Recent models for information security extend the scope of existing "best practice" security frameworks to include organisational factors for security. Others have suggested the application of CSF analysis to information security management. While these extend the body of knowledge, they do not address the need for a corresponding assessment model. What is required is a comprehensive framework for security assessment that incorporates all relevant organisational capabilities and competencies. The objective of this research is to generate a model that informs the development of such a framework. This paper explores the notion of information security from an organisational perspective, and the various standards and frameworks that are currently used. The concepts of assessment and metrics are also examined in this context and, finally, a conceptual model for security assessment is presented together with an indication of its application.