Information Security and Risk Management

Gone are the days when security was a low-priority area for organizations. With the rapid growth of attack and fraud techniques, organizational security has become a major concern. Companies now spend millions of dollars each year to keep their environments secure. Still, no environment can be 100% secure, because intruders also keep trying the latest hacking and attack methods. This is why the information security field is booming and companies are willing to pay large sums to enterprise security service providers.
Attackers constantly look for vulnerabilities in a company's network in order to intrude and gain access to valuable information. According to a survey article published on the SecurityWeek website, nearly 70 percent of the 599 respondents reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months. It is no surprise that an internal employee can be a bigger threat than an outside attacker: the insider has already been granted access to company resources, whereas an outside intruder must find a way through to the company's internal network before any theft or fraud is possible.
The figures below come from a survey conducted by Cisco:

  • 23% of companies do not have security policies implemented
  • 77% of IT professionals worldwide believe that their company needs to improve its security policies
  • The majority of IT professionals believe that employees do not always follow security policies because they do not understand them well

Security Principles
Each organization needs to implement security around three basic principles: availability, integrity and confidentiality. The availability principle ensures that data and resources are accessible to authorized users in a secure manner, while unauthorized access is prevented. Integrity is upheld when the system provides accurate and reliable information to the end user, free of any unauthorized modification. Confidentiality ensures that the system is configured so that information is protected against unauthorized disclosure, including while it travels over the network.
Enterprise Architecture
An organization's information security cannot be made secure on the go. Organizations need to spend a considerable amount of time on the design and development of their enterprise architecture, and while designing it they need to understand the business's security requirements in depth. Two fundamentals are involved in developing an enterprise architecture: stakeholders and views. Stakeholders are the categories of people who will use the architecture; views are the ways in which the information important to each group of stakeholders is illustrated. In other words, every organization has a mixture of user types with specific roles and responsibilities, and each type views the organization differently. For example, a CxO is mainly concerned with the organization's business, while an application developer's job is to understand software requirements and produce the programs the business will use. So employees with different roles see the organization in different ways. Enterprise architecture is a way to explore all the views and stakeholders that can exist in an organization; as a result, when a change is made at one level it is easy to understand the changes required at the other levels. Business and technology groups see the organization through different views, and even a small business change can result in large changes to technical modules, which in turn can cause confusion among teams and waste a lot of money on unnecessary changes. Enterprise architecture therefore provides tools that both business and technical employees can use to avoid this confusion.
Enterprise Security Architecture
Enterprise security architecture is a sub-part of enterprise architecture. As part of it, organizations define the processes, solutions and procedures of their information security strategy. Information security is not composed only of technical security solutions; it also defines the management policies that make the environment more secure. Enterprise security architecture describes a security program, but no security program is useful unless it is effectively implemented and maintained in practice. An enterprise security solution is therefore a continuous process of designing, developing, implementing and maintaining security policies. The results of a properly developed enterprise security architecture in an organization are that:
a) the security program is properly implemented and enforced at all levels
b) no confusion arises between technical and management staff when new changes are introduced
c) every new change is made with security taken into account, and senior management and security staff work closely together when making decisions.
Relation between Information Security Management System and Enterprise security architecture
The Information Security Management System (ISMS) defines various controls such as data protection, business continuity planning, risk management and so on, and provides life-cycle management for all of them. Enterprise security architecture, in turn, dictates how these controls are put in place at the different levels of the organization: operational, tactical and strategic. So the ISMS takes care of information security across the departments of an organization by providing controls, whereas enterprise security architecture is the way all these controls, implemented in different layers, are integrated. For example, the ISMS states that the organization needs to enforce information risk management, while the enterprise architecture takes the risk management component and defines how risk management is carried out at the operational, strategic and tactical levels of the organization.
Business and Security
Organizations need to remember that security exists for the business, not the business for security. A secure environment cannot be the sole purpose of an organization. Organizations sometimes spend large amounts of money on unplanned security programs that end up hurting overall revenue, so proper care and analysis are required when planning and designing security programs. How much funding to allocate to security depends on various factors, such as the type of business, revenue generation and so on. Another issue that frequently affects the business is the changes organizations need to make along the way. Technical and business teams see a change differently, and as a result technical teams are sometimes unhappy with new changes. Often a change planned by the company's business leaders is not properly communicated to the technical teams, and a great deal of money is wasted on improper or unwanted implementations, so there must be an effective communication channel between the business and technical teams. Sometimes, because of the nature of the company's business, too many security restrictions are applied to the environment, and developers complain to their managers that they cannot proceed because the environment is over-secured and over-restricted. Environments should therefore be secured in such a way that employees are clear about what is restricted and why.
Breakdown of various Frameworks and Standards
The list below contains frameworks and standards for enterprise and security architecture:

  • Zachman framework: developed by John Zachman, it states how to develop an enterprise architecture.
  • ISO/IEC 27000 series: this series of international standards states how to develop and maintain ISMS programs.
  • Sherwood Applied Business Security Architecture (SABSA) model: this model explains standards for developing an information security enterprise architecture.
  • Control Objectives for Information and related Technology (CobiT): CobiT defines goals for properly mapping IT to business needs.
  • Committee of Sponsoring Organizations (COSO) framework: this is a corporate governance framework that defines a set of controls to reduce financial fraud in an organization.
  • Information Technology Infrastructure Library (ITIL): ITIL defines best practices for IT service management.

Information Risk Management
Information risk management (IRM) is the management of the various information-related risks an organization faces. These risks can relate to data misuse, application errors, physical damage, attacks and so on. Information risk management can be done effectively only with strong commitment from senior staff. Organizations need a dedicated IRM team that continuously works on the critical risks on a priority basis. Addressing risks in priority order is essential: organizations often have a limited budget and many risks to work on, and in that situation it is critical to identify the risk with the greatest impact and address it first. That is what risk management is all about.
 - IRM Policy
Security policy is the pillar of organizational security: an effective policy results in effective security. The IRM policy states all the roles and responsibilities that come under IRM. It maps internal controls to possible risks, monitors how effective the implemented controls are, and also describes the acceptable level of risk.
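As an added illustration of the priority-based risk handling and the policy items described above (example code written for this page, not taken from the original article): a small risk register in Python that scores each risk as likelihood times impact, maps candidate controls to risks, funds controls for the highest-scoring risks first within a fixed budget, and reports which risks still exceed the acceptable residual level. The scoring scale, the risk and control names, the costs, reduction factors, budget and acceptance level are all constructed for the example; the likelihood-times-impact model and the greedy allocation are assumptions, not something the article prescribes.

```python
"""Constructed information risk register: prioritise risks, fund controls within a
budget, and compare residual risk with the policy's acceptance level.
All figures are made up for illustration; the scoring model is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    cost: int          # constructed: implementation cost in budget units
    reduction: float   # assumed model: fraction of the likelihood the control removes (0..1)


@dataclass
class Risk:
    name: str
    likelihood: int    # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: int        # constructed scale: 1 (negligible) .. 5 (severe)
    candidate_controls: List[Control] = field(default_factory=list)  # policy's control-to-risk mapping
    implemented: List[Control] = field(default_factory=list)         # controls actually funded

    def inherent_score(self) -> int:
        """Risk before any control is applied (likelihood x impact)."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Risk after the implemented controls; impact is assumed unchanged."""
        remaining = 1.0
        for c in self.implemented:
            remaining *= 1.0 - c.reduction
        return round(self.likelihood * remaining * self.impact, 2)


RISK_ACCEPTANCE_LEVEL = 6.0   # constructed: residual score the policy is willing to accept


def build_register() -> List[Risk]:
    """Constructed sample register (not real data). One control may cover several risks."""
    mfa = Control("multi-factor authentication", cost=30, reduction=0.6)
    backups = Control("tested offline backups", cost=40, reduction=0.5)
    dlp = Control("data loss prevention monitoring", cost=50, reduction=0.4)
    training = Control("security awareness training", cost=10, reduction=0.3)
    patching = Control("monthly patch cycle", cost=20, reduction=0.5)
    return [
        Risk("credential theft via phishing", 4, 4, [mfa, training]),
        Risk("ransomware on file servers", 3, 5, [backups, patching]),
        Risk("insider data exfiltration", 2, 5, [dlp, training]),
        Risk("unpatched web application", 3, 3, [patching]),
    ]


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest inherent score first: the risk hurting the most is addressed first."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def plan_within_budget(risks: List[Risk], budget: int) -> Tuple[List[str], List[str], int]:
    """Greedy allocation: walk the risks in priority order and fund their candidate
    controls until each risk is within the acceptance level or the budget runs out.
    A control already paid for under an earlier risk is applied to later risks for free.
    Returns (funded control names, risks still above acceptance, leftover budget)."""
    funded: Dict[str, Control] = {}
    for risk in prioritise(risks):
        for control in risk.candidate_controls:
            if risk.residual_score() <= RISK_ACCEPTANCE_LEVEL:
                break  # this risk is now acceptable; spend nothing more on it
            if control.name in funded:
                risk.implemented.append(control)
            elif control.cost <= budget:
                budget -= control.cost
                funded[control.name] = control
                risk.implemented.append(control)
    unacceptable = [r.name for r in risks if r.residual_score() > RISK_ACCEPTANCE_LEVEL]
    return list(funded), unacceptable, budget


def control_map(risks: List[Risk]) -> Dict[str, List[str]]:
    """Which risks each implemented control covers, for monitoring control effectiveness."""
    mapping: Dict[str, List[str]] = {}
    for r in risks:
        for c in r.implemented:
            mapping.setdefault(c.name, []).append(r.name)
    return mapping


if __name__ == "__main__":
    register = build_register()
    funded, unacceptable, left = plan_within_budget(register, budget=100)
    for r in prioritise(register):
        print(f"{r.name:32s} inherent={r.inherent_score():2d} residual={r.residual_score():5.2f}")
    print("funded controls:", funded)
    print("still above acceptance level (needs exception or more budget):", unacceptable)
    print("budget left:", left)
    print("control coverage:", control_map(register))
```

With the constructed budget of 100, the two highest-scoring risks are brought within the acceptance level, the patch cycle funded for ransomware also covers the unpatched web application at no extra cost, and insider exfiltration remains above the acceptance level, which is exactly the kind of gap the IRM policy's monitoring should surface for a decision on funding or a documented risk acceptance.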

There are 3 Comments

We can add TOGAF to the list of frameworks: The Open Group Architecture Framework. In addition to architecture, TOGAF provides comprehensive guidelines for secure application development.

These frameworks have been around for a long time. What is new or novel about them? How are these frameworks challenged by the cloud and mobility?