While information security plays an important role in protecting the data and assets of an organization, we often hear news about security incidents, such as defacement of websites, server hacking and data leakage. Organizations need to be fully aware of the need to devote more resources to the protection of information assets, and information security must become a top concern in both government and business.
To address the situation, a number of governments and organizations have set up benchmarks, standards and, in some cases, legal regulations on information security to help ensure that an adequate level of security is maintained, that resources are used in the right way, and that the best security practices are adopted. Some industries, such as banking, are regulated, and the guidelines or best practices put together as part of those regulations often become a standard among members of these industries, reinforced by information security laws and legislation such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), HIPAA, the Digital Millennium Copyright Act (DMCA), the PATRIOT Act and more (Bono, Rubin, Stubblefield, and Green, 2006).
Information Security Standards
ISM is defined as “a systematic approach to encompassing people, process and Information Technology (IT) systems that safeguards critical systems and information protecting them from internal and external threats” (Barlas, Queen, Randowiz, Shillam, & Williams, 2007). ISM is increasingly important within organizations, becoming a strategic imperative as security threats continue to escalate. Security and privacy are among the top ten management concerns, according to a 2005 survey of executive IT managers (SIM, 2006).
Navigating the multitude of existing security standards, including dedicated standards for information security and frameworks for controlling their implementation in IT, presents a challenge to organizations. The framework is intended to promote a cohesive approach, which considers a process...