Information Security Management Framework Research Articles

Holistic Information Security Management and Compliance Framework

The growing complexity of cybersecurity threats demands a robust framework that integrates various security domains, addressing the issue of disjointed security practices that fail to comply with evolving regulations. This paper introduces a novel information security management and compliance framework that integrates operational, technical, human, and physical security domains. The aim of this framework is to enable organizations to identify the requisite information security controls and legislative compliance needs effectively. Unlike traditional approaches, this framework systematically aligns with both current and emerging security legislation, including GDPR, NIS2 Directive, and the Artificial Intelligence Act, offering a unified approach to comprehensive security management. The experimental methodology involves evaluating the framework against five distinct risk scenarios to test its effectiveness and adaptability. Each scenario assesses the framework’s capability to manage and ensure compliance with specific security controls and regulations. The results demonstrate that the proposed framework not only meets compliance requirements across multiple security domains but also provides a scalable solution for adapting to new threats and regulations efficiently. These findings represent a significant step forward in holistic security management, indicating that organizations can enhance their security posture and legislative compliance simultaneously through this integrated framework.

Regulatory frameworks for securing electoral processes in Ukraine: managing information security challenges

The administrative and legal framework for managing the information security of electoral processes in Ukraine includes regulations, various measures and procedures that are primarily aimed at ensuring the reliability and security of the electoral process due to the negative impact of external information, manipulation and illegal interference. Cyberattacks, media manipulations, and imperfect legal frameworks in the electoral sphere can lead to the invalidation of election results and the loss of confidential information. The main purpose of the domestic legislation is to strengthen the relevant protection of information from cyber threats. The relevance of studying this issue is primarily related to the administrative and legal framework for managing the information security of electoral processes in the spectrum of modern technological capabilities and external influences connected with the digital sphere. The purpose of the academic paper is to determine the administrative and legal framework for managing the information security of electoral processes in Ukraine. The academic paper the problems caused by the violation of information security in the process of electoral activity have been revealed. The features of the administrative and legal framework for managing the information security of electoral processes have been established. The legal and regulatory framework for information security management during elections has been studied. The academic paper also emphasizes the inexpediency of holding elections during the period of martial law and identifies the causes and consequences.

Information Security and Privacy Management in Intelligent Transportation Systems

With the global digitalization of services, passenger Intelligent Transportation Systems (ITSs) have emerged as transformative components, yet the practical implementation of state-of-the-art measures to ensure information security and privacy presents substantial challenges. In this article, we propose a framework for information security and privacy management. The framework is validated through two empirical studies. First, the framework is used to extract data during the literature review defining state-of-the-art aspects and measures. Second, a survey-based analysis of running passenger ITSs in selected regions of the European Union provides insights into real-life ITS implementations, enabling a thorough comparison with the proposed state-of-the-art measures. The study also showed that the proposed framework depicts some dependencies between measures, and, thus, using its matrix structure for the state of information security and privacy management in the organization helps to cross-check the usage of policies or methodologies by the organization departments. Our findings resulted in recommendations for organizations developing ITSs to enhance their information security and privacy management systems and bridge the gap between research proposals and practical implementation.

Business Process Outsourcing 14 Cybersecurity KPIs Towards a Strategic Information Security

In today’s rapidly evolving digital landscape, the Business Process Outsourcing (BPO) industry faces an ever-increasing threat of cyber-attacks and data breaches, underscoring the critical importance of robust information security practices. To address these challenges, organizations must develop effective strategic information security, supported by reliable performance measurement tools such as Key Performance Indicators (KPIs). This research aims to investigate the information security implemented by BPO companies and their utilization of the 14 cybersecurity KPIs to track and enhance their information security measures. A mixed-methods strategy is used in the study, integrating qualitative and quantitative techniques. The qualitative component involves thematic analysis of key informant interviews, while the quantitative component entails the analysis of Likert-scale questionnaires and numerical data. The findings of this research provide valuable insights into the significance of strategic information security in achieving effective information security management within the BPO industry. The study reveals the specific elements incorporated in these plans, such as risk assessment methodologies, security controls implementation, employee training, incident response strategies, and compliance measures. The implications of this study offer valuable insights for BPO organizations to develop robust strategic information security tailored to their specific context, ensuring effective alignment with organizational objectives and risk management strategies. Moreover, the research contributes to the existing literature on information security management frameworks, emphasizing the role of cybersecurity KPIs in evaluating security performance. Keywords: cybersecurity, information security, KPI, business process outsourcing industry, information security management

Dynamic Risk Assessment in Cybersecurity: A Systematic Literature Review

Traditional information security risk assessment (RA) methodologies and standards, adopted by information security management systems and frameworks as a foundation stone towards robust environments, face many difficulties in modern environments where the threat landscape changes rapidly and new vulnerabilities are being discovered. In order to overcome this problem, dynamic risk assessment (DRA) models have been proposed to continuously and dynamically assess risks to organisational operations in (near) real time. The aim of this work is to analyse the current state of DRA models that have been proposed for cybersecurity, through a systematic literature review. The screening process led us to study 50 DRA models, categorised based on the respective primary analysis methods they used. The study provides insights into the key characteristics of these models, including the maturity level of the examined models, the domain or application area in which these models flourish, and the information they utilise in order to produce results. The aim of this work is to answer critical research questions regarding the development of dynamic risk assessment methodologies and provide insights on the already developed methods as well as future research directions.

Information Security Management Framework for Cloud Computing Environments

Cloud computing has become a popular paradigm for delivering computing resources and services over the internet. However, the adoption of cloud computing also brings new security challenges and risks, including data breaches, insider attacks, and unauthorized access. Therefore, it is critical to have a comprehensive information security management framework to address these challenges and ensure the security and privacy of cloud computing environments. This paper proposes a machine learning (ML) based information security management (ISM) framework for cloud computing environments that integrates best practices and standards from various domains, including cloud computing, information security, and risk management. The proposed framework includes residual recurrent network to effectively discriminate different patterns of cloud security attacks. The proposed framework emphasizes the importance of threat detection, security controls, and continuous monitoring and improvement. The framework is designed to be flexible and scalable, allowing organizations to tailor it to their specific needs and requirements.

A process framework for information security management

Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened.

Information security management frameworks and strategies in higher education institutions: a systematic review

Effective information security management (ISM) practices to protect the information assets of organizations from security intrusions and attacks is imperative. In that sense, a systematic literature review of academic articles focused on ISM in higher education institutions (HEIs) is conducted. For this purpose, an empirical study was performed. Studies carried out from 2012 onward reporting results from HEIs data that perform the ISM through various means, such as a set of framework functions, implementation phases, infrastructure services, and securities to their assets, have been explored. The articles found were then analyzed following a methodological procedure consisting of a systematic mapping study with their research questions, inclusion and exclusion criteria, selection of digital libraries, and analysis of the respective search strings. A set of competencies, resources, directives, and strategies that contribute to designing and to developing an ISM framework (ISMF) for HEIs is identified based on standards such as ISO 27000, COBIT, ITIL, NIST, and EDUCAUSE. This study introduces a strategic reference that guides HEIs on the development of an ISMF and provides recommendations that should be considered for its implementation in an era of ever-evolving security threats.

Maturity Framework Analysis ISO 27001: 2013 on Indonesian Higher Education

Information Security Management System (ISMS) implementation in Institution is an effort to minimize information security risks and threats such as information leakage, application damage, data loss and declining IT network performance. The several incidents related to information security have occurred in the implementation of the Academic System application in Indonesian higher education. This research was conducted to determine the maturity level of information security practices in Academic Information Systems at universities in Indonesia. The number of universities used as research samples were 35 institutions. Compliance with the application of ISO 27001:2013 standard is used as a reference to determine the maturity level of information system security practices. Meanwhile, to measure and calculate the level of maturity using the SSE-CMM model. In this research, the Information System Security Index obtained from the analysis results can be used as a tool to measure the maturity of information security that has been applied. There are six key areas examined in this study, namely the role and importance of ICT, information security governance, information security risk management, information security management framework, information asset management, and information security technology. The results showed the level of information security maturity at 35 universities was at level 2 Managed Process and level 3 Established Process. The composition is that 40% of universities are at level 3, and 60% are out of level 3. The value of the gap between the value of the current maturity level and the expected level of maturity is varied for each clause (domain). The smallest gap (1 level) is in clause A5: Information Security Policy, clause A9: Access Control, and clause A11: Physical and environmental security. The biggest gap (4 levels) is in clause A14: System acquisition, development and maintenance and clause A18: compliance.  Â

INFORMATION SECURITY MANAGEMENT FRAMEWORK SUITABILITY ESTIMATION FOR SMALL AND MEDIUM ENTERPRISE

Information security is one of the key concerns of an enterprise or organization. To assure suitable management of information security a list of information security management frameworks has been developed by a number of institutions and authors. A condensed information in information security management framework is very important to a small and medium enterprise as this type of enterprise usually lacks resources for information security expertise and deep analysis. Despite the fact, the information security management process and its frameworks, on the other hand, are very complex and require a big number of different elements. At the moment the comparison it is very shallow, as all properties of the comparison are treated equally important. In real life, the importance of different criteria of information security management framework and their suitability for small and medium enterprise vary. Therefore we use the Analytic Hierarchy Process to construct a hierarchy of information security management frameworks quality and applicability in small and medium enterprise and define the weights for each of the criteria. Weighted criteria express the importance of the criteria and executed the final comparison of alternatives (five information security management frameworks) is more realistic (similar to experts opinion) comparing to existing comparisons.

An ISO 27001 compliance project for a cyber security service team

The ISO 270011 standard from the ISO/IEC 27000 family is a well-known reference framework for information security management. It defines and details controls and processes required for compliance with security practices. It provides companies with guidance and tools to adequately protect their technological environment and their information against security breaches, thereby simultaneously increasing the trust of their customers. Being ISO 27001 compliant provides a real competitive advantage and is even a requirement for some RFP tenders. Being ISO 27001 compliant or other equivalent governance frameworks, such as COBIT,2 is not a luxury for certain companies, especially those offering cyber security services. This framework has become a must to work with certain companies who have specific regulatory and legal constraints, such as PCI and SOX for banking environments, SOC I & II or NERC for companies operating in operational technology (OT) (SCADA/ICS) environments in North America. This paper puts forth a practical use case inspired by a real project initiated to reinforce the security governance framework of a major IT company offering cyber security (Bell Multi Services [Bell MS]) to financial firms and OT (SCADA/ICS) companies. To avoid advertising or unintentionally revealing confidential information, some information which is too specific and not relevant to this paper has been removed. The security and compliance programme executed for this company will be identified by a fictive name: SecurePhoenix programme. The objective of this programme was clearly to enhance the level of security services (risk management, logging and monitoring management, incident management, vulnerability management, identity and access management, etc.) offered by Bell Canada3 Multi Services security team for multi clients (here referred to by the fictive name Bell Security Operational Center [Bell SOC]). A year after SecurePhoenix launched all projects, the triad parameters (budget, time, quality) were all in the red. Bell Canada — or, more specifically, Bell MS — therefore hired the current author’s company, project management, audit and cyber security expertise to bring it the programme back on track.

ANALISIS TINGKAT KESIAPAN PENGAMANAN SISTEM INFORMASI

The University has a number of data relating to Academic and Higher Education Governance. The large amount of data that requires security, especially in terms of readiness to secure information systems. Maintaining information system security in the university environment aims to maintain confidentiality, fulfill the availability of the system for those who have authority for those who use it and the integrity of the system. The University of National Development "Veteran" Jakarta has work units such as the Faculty, UPT and Bureau where each has the task and function to manage data. The problem is the need to measure the level of information system security to see the maturity of an information system at UPN Veteran Jakarta. OUR Index stands for Information Security Index which is used as a tool to analyze and measure and evaluate the maturity level of information security with the application of SNI ISO / IEC 27001: 2009 standards that can be applied within government agencies. As for the KAMi index version used, namely version 3.1. The method used to solve the problems in OUR index is through six stages, namely the first stage of electronic systems, both information security governance, third information security risk management, the four information security management frameworks, the five asset information management and the six information security technologies. The results obtained after taking measurements using the US Index need improvement in system security in managing information security risks and governance.

A Holistic Information Security Management Framework for Home Users

A Holistic Information Security Management Framework for Home Users

High-Level Self-Sustaining Information Security Management Framework

High-Level Self-Sustaining Information Security Management Framework

Developing a theory-based information security management framework for human service organizations

Purpose This paper aims to identify organizations’ information security issues and to explore dynamic, organizational culture and contingency theories to develop an implementable framework for information security systems in human service organizations (HSOs) based soundly in theory and practice. Design/methodology/approach The paper includes a critical review of global information security management issues for HSOs and relevant multi-disciplinary organizational theories to address them. Findings Effective information security management can be particularly challenging to HSO because of their use of volunteer staff in a borderless electronic environment. Organizations’ lack of recognition of the need for staff awareness of information security threats and for training in secure work practices, particularly in terms of maintaining clients’ privacy and confidentiality, is a major issue. The dynamic theory of organizational knowledge creation, organizational culture theory and contingency theory were identified as the most suitable theoretical perspectives to address this issue and underpin an effective information security management framework for HSOs. Research limitations/implications The theory-based framework presented here has not been tested in practice. Such testing will be carried out in further research. Originality/value Currently, there is no framework for information security systems in HSOs. The framework developed here provides a foundation on which HSO can build information security systems specific to their needs.

A Study on E-Taiwan Promotion Information Security Governance Programs with E-government Implementation of Information Security Management Standardization

The promotion of Information Security Governance (ISG) has become an important factor in the implementation of e-government and information security management within the \National Information and Communications Technology Security Development Program (2009~2012)＂ in continuing the \Plan for Establishment of Information and Communication Technology Infrastructure Security Mechanism (2001~2008)＂ in Taiwan; in July 2013, the working outline of the project was adjusted. And, it was asked all departments of Executive Yuan and local government to process aggressively by regulation on December 25, 2013. This study examines information security development program, and strategies for meeting e-government and information security management requirements within the implementation of information security development programs through information security management systems (ISMS). Moreover, an action program for improved ISMS performance, using an approach combining ISG and ISMS, is proposed. Based on this, this research employs history analysis and in-depth interview methodologies to develop insights into e-Taiwan information security management. Furthermore, the research objective is to examine the relevance between the execution of e-government and information security management framework and ISMS implementation by using the ISG project approach.

A Framework for Information Security Governance and Management

Daily changes in the information security landscape mean that organizations face unprecedented challenges in securing their information systems. It appears easy for organizations to adopt a tactical approach in which they respond to problems as they occur. However, when such a paradigm exists, it becomes difficult to act strategically. What is required is for organizations to be able to assess their current maturity state with respect to information security governance and management, and to proactively identify problem areas that need to be addressed. Here, the authors present a capability maturity framework to support organizations in this activity. The framework addresses the technical, process, and human aspects of information security and provides insight and guidelines for organizations to implement effective information security governance and management processes.

A process framework for information security management

A process framework for information security management

Implementing information security best practices on software lifecycle processes: The ISO/IEC 15504 Security Extension

The ISO/IEC 15504 international standard can be aligned with the ISO/IEC 27000 information security management framework. During the research conducted all the existing relations between ISO/IEC 15504-5 software development base practices and ISO/IEC 27002 security controls have been analysed and the ISO/IEC 15504 Security Extension has been developed. This extension details the changes that software companies should make in the software lifecycle processes for the successful implementation of the related security controls. To attain our research objectives, we evaluate the ISO/IEC 15504 Security Extension through case studies in a sample of software development organizations. This study follows the design science research paradigm that is based on constructive research.

Assessment and Management the Security Risk of Public Cloud Service

Cloud computing has become a very attractive paradigm because of its economic and operational benefits. However, most enterprise executives hesitate to use cloud computing system due to the security and privacy challenges. We recognize that it is very important that enterprises assess the security risk before transforming their traditional information services into the cloud. In this paper, we discuss the existing information security risk assessment solutions and approaches, analysis the security challenges of the cloud computing. We propose a useful information security risk assessment and management framework for cloud computing environments and discuss the specific implement of framework.