An Integrated Framework for Information Security Management

Today information assets face more potential security breaches than at any time in history. To help mitigate the effect of the threats, information security management (ISM) is a very important part of a successful organization's strategic plan. Due to a significant increase in the number of threats over the past decade, organizations need to be proactive to protect their information assets. Unfortunately, there is a lack of experts qualified to address the area of IT security. We propose an integrated framework for ISM, in which it is conceptualized as a continuous decision-making process. The rationale of this framework is based on four guiding principles. 1) Have goal in mind. 2) Align security goals with business strategy. 3) ISM is a multivariate system. 4) ISM is a dynamic process. ISM is more about the operating procedures and processes in which crucial components such as organizational infrastructure, human factors and information security practices are all involved. Key components of the ISM framework include the following steps. 1. Assess the organizational environment. 2. Establish information security objectives. 3. Analyze information security requirements. 4. Develop information security controls. 5. Train/evaluate information security controls. Researchers find that despite the seriousness of the nature and scope of the security threats posed by the environment, many organizations are under-prepared or completely unprepared to mitigate the threatsystems. Further, there appears to be a lack of consensus as to how an organization should implement an information security policy, what information security objectives should be established, or how to react when the information systems are threatened. The framework described herein could be utilized in an effort to effectively implement a holistic and successful ISM plan.