The ISO 27000 Series of information security frameworks, on the other hand, is applicable in public and private sectors.
Publicly traded companies, for example, may wish to use COBIT to comply with Sarbanes-Oxley, while the healthcare sector may consider HITRUST. The type of industry or compliance requirements could be deciding factors. The choice to use a particular IT security framework can be driven by multiple factors. Using a common framework, such as ISO 27002, an organization can establish crosswalks to demonstrate compliance with multiple regulations, including HIPAA, Sarbanes-Oxley, PCI DSS and Graham-Leach-Bliley. For example, ISO 27002 defines information security policy in Section 5 Control Objectives for Information and Related Technology ( COBIT) defines it in the "Align, Plan and Organize" section the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework defines it as "Internal Environment " HIPAA defines it as "Assigned Security Responsibility " and PCI DSS defines it in the "Maintain an Information Security Policy" section. Security requirements often overlap, which results in "crosswalks" that can be used to demonstrate compliance with different regulatory standards.
Why are frameworks important?įrameworks provide a starting point for establishing processes, policies and administrative activities for information security management. Today's frameworks often overlap, so it's important to select a framework that effectively supports operational, compliance and audit requirements. Frameworks also come in varying degrees of complexity and scale. Organizations can customize frameworks to solve specific information security problems, such as industry-specific requirements or different regulatory compliance goals.
Therefore, the framework must support specific requirements defined in the standard or regulation. Frameworks are also used to help prepare for compliance and other IT audits. Information security professionals use frameworks to define and prioritize the tasks required to manage enterprise security. These frameworks are a blueprint for managing risk and reducing vulnerabilities. What is an IT security framework?Īn IT security framework is a series of documented processes that define policies and procedures around the implementation and ongoing management of information security controls. Failure to comply with IT-focused regulations can result in financial penalties and litigation. The way they describe how something should be performed indicates government and public support for the rules and processes set forth in the regulation. Regulations, in contrast, have a legal binding impact.
0 kommentar(er)
