Information assurance is a continuous crisis in the digital world. The attackers are winning and efforts to create and maintain a secure environment are proving not very effective. Information assurance is challenged by the application of information security management which is the framework for ensuring the effectiveness of information security controls over information resources. Information security management should “begin with the creation and validation of a security framework, followed by the development of an information security blueprint” (Whitman & Mattord, 2004, p. 210). The framework is the result of the design and validation of a working security plan which is then implemented and maintained using a management model. The framework serves as the basis for the design, selection, and implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. A blueprint can be designed using established security models and practices. The model could be proprietary or based on open standards. The most popular security management model is based on the British Standard 7999 which addresses areas of security management practice. The recent standards, called ISO/IEC 27000 family, include documents such as 27001 IMS Requirements (replaces BS7799:2); 27002, Code of Practice for Information Security Management (new standard number for ISO 17799); and 27006, Guidelines for the accreditation of organizations offering ISMS certification, and several more in development. Similar security models are supported by organizations such as NIST, IETF, and VISA. From one point of view, information security management evolved on an application of published standards, using various security technologies promoted by the security industry. Quite often, these guidelines conflict with each other or they target only a specific type of organization (e.g., NIST standards are better suited to government organizations). However, building a security control framework focused only on compliance to standards does not allow an organization “to achieve the appropriate security controls to manage risk” (ISM-Community, 2007, p. 27). Besides technical security controls (firewalls, passwords, intrusion detection systems, disaster recovery plans, encryption, virtual private networks, etc.), security of an organization includes other issues that are typically process and people issues such as policies, training, habits, awareness, procedures, and a variety of other less technical and nontechnical issues (Heimerl & Voight, 2005; Tassabehji, 2005). All these factors make security a complex system (Volonino & Robinson, 2004) and a process which is based on interdisciplinary techniques (Maiwald, 2004; Mena, 2004). While some aspects of information security management changed since the first edition of the chapter (Hentea, 2005), the emerging trends became more prevalent. Therefore, the content of this chapter is organized on providing an update of the security threats and impacts on users and organizations, followed by a discussion on global challenges and standardization impacts, continued with information security management infrastructure needs in another section, followed with a discussion of emerging trends and future research needs for the information security management in the 21st century. The conclusion section is a perspective on the future of the information security management.
Improving Forensic Triage Efficiency through Cyber Threat Intelligence