Security Framework

  • ali@fuzzywireless.com
  • Mar 4, 2022
  • 2 min read

Greene (2014) defines a security framework as a collective term for guidance on topics related to information systems security, predominantly the planning, implementation, management, and auditing of an organization's overall information security practices. A security framework defines the policies, procedures, and processes that cover all internal, external, and tangential parties involved in managing the information, systems, and services of an organization (Theriault, 2017). A framework helps an organization reduce risk and its exposure to vulnerabilities (Theriault, 2017).


Some key frameworks are:


NIST Cybersecurity Framework – The National Institute of Standards and Technology is a federal agency under the United States Department of Commerce that develops and promotes measurement, standards, and technology to improve quality of life, facilitate trade, and enhance productivity (Theriault, 2017). The three main components of the NIST Cybersecurity Framework are the Core, the Implementation Tiers, and the Profiles (Theriault, 2017).


ISO 27000 family – The 27000 series of standards, developed by the International Organization for Standardization (ISO), addresses managing information securely and the risk associated with people, processes, and systems (Theriault, 2017). There are several sub-standards for different industries. ISO 27001, the standard an organization's information security management system is actually certified against, has six parts: definition of the security policy, scope of the policy, risk assessment, management of risk, selection of security controls, and the statement of applicability (Theriault, 2017).


PCI DSS – The Payment Card Industry Data Security Standard ensures the security of businesses that process card payments and reduces card fraud through tight security controls around the storage, transmission, and processing of cardholder data (Theriault, 2017).


Hughes (2018) defines procedures as the methodology for accomplishing things. There can be both security procedures and business procedures, for instance payroll, updates, or opening and closing (Hughes, 2018). Greene (2014) defines procedures as the instructions for carrying out a policy, standard, baseline, or guideline in a given situation.


To summarize the difference between standards and procedures, using encryption in an organization as the example: a standard specifies the type of encryption to be used, while a procedure supplies the step-by-step instructions for encrypting the media (Greene, 2014).


References:


Hughes, K. (2018). CS 861 Information Assurance – Introduction Week 3. Retrieved from https://studentlogin.coloradotech.edu/UnifiedPortal/app/classResourceRedirect.html?id=3899442&url=/UnifiedPortal/lms/class/164673/document/3899442/open


Greene, S. (2014). Security Program and Policies: Principles and Practices. Indianapolis, IN: Pearson.


Theriault, C. (2017). What is an information security framework and why do I need one? Retrieved from https://tbgsecurity.com/what-is-an-information-security-framework-and-why-do-i-need-one/
