Page 43 - Cyber Defense eMagazine June 2020 Edition

• The risk that critical information becomes unavailable

• The risk that critical information is changed without authorization

Associated with risk is cost. Security incidents cost money. So does preventing them. The cost, for example, of a computer virus is the loss in productivity of an organization's personnel plus the time and expense for IT personnel to remove the virus and restore availability. The cost of a theft of a trade secret by a cyber-thief is the value of the trade secret. Implementing security also has costs. Firewalls and other security technology take capital away from other uses. Information security personnel come at the expense of personnel who could contribute more directly to the bottom line. And every hour management spends in a security meeting, or personnel spend on security awareness training, is an hour that could otherwise also contribute to the bottom line.



            Requirements for an Information Security Management Program

The drivers behind an organization's information security management program are the evolving landscape of laws, regulations, and competition, as well as evolving information security "effective best-practices." Organizations that hold personal, financial or health information of others are required to adhere to various federal and state laws and regulations. These include:

• HIPAA (electronic protected health information)

• Sarbanes-Oxley

• GDPR (General Data Protection Regulation)

Organizations may also have various contractual requirements for information or data security. Credit card processors, for example, must conform to the Payment Card Industry Data Security Standard (PCI DSS).

As organizations come to more deeply understand the competitive value of the information stored in their computer networks and the need to make that information securely available anytime and anywhere, they discern the need for a formal information security management program to assure that information is kept confidential, available, and correct.

As organizations have increasing needs to share information with suppliers, customers, and other business relations, they are increasingly becoming concerned with the information security capabilities of these third parties.


An organization's information security management program must be built upon current and emerging information security "effective best-practices." As the information security industry has evolved, the industry has tended to settle on three distinct models as to what constitutes a set of "effective best-practices" for managing the security of information:

• ISO-27001: Specification for an Information Security Management System

• ISO-27002: Code of Practice for Information Security Management





Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.