Information Technology Security Policy Framework

CIS 462

Advances in technology have swept across the world, creating a need to protect technology assets such as software, hardware, information, data, and computing systems, to mention a few. To ensure maximum security, firms must establish an effective Information Technology Security Policy Framework that helps put in place a comprehensive and reliable security program (Muya, 2015). An Information Security Framework (ISF) is a set of procedures, policies, and guides that direct an organization's operations by providing the means through which it can protect its hardware, software, data, computing devices, network, and information.

Various security frameworks have been adopted and practiced in many organizations today, with some proving very efficient and others being very prone to hackers. However, the NIST (800-53) Cybersecurity Framework, the ISO 27000 series, and COBIT are the most efficient IT security programs that most firms have used in their bid to tighten their cybersecurity. NIST 800-53 and ISO 27000 work hand in hand, which makes them suitable for serving small and large companies respectively. ISO 27000 works best in collaboration with its fourteen sections, which fit within the aligned twenty-six families of NIST 800-53 security controls.

ISO 27000 is a subset or subcategory of NIST 800-53; however, it is ISO that makes NIST work effectively, because the NIST Cybersecurity Framework utilizes some fundamental parts of ISO to create a middle ground that is inclusive of NIST 800-53. This is the main reason why the NIST CSF is best suited to smaller companies, whereas ISO 27000 is mostly utilized in larger companies, or in companies that adopt special compliance requirements (Smith, 2003, p. 560). The reliability of NIST in enhancing cybersecurity is at its peak in the corporate world today, with the majority of firms in the United States incorporating Security and Privacy Controls for Federal Information Systems and Organizations. The core reason behind the implementation of this framework was to assure the security of the US Federal government.

The certification of programs in the United States relies heavily on their compliance with the procedures laid out by the National Institute of Standards and Technology (NIST). The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) and the Federal Information Security Management Act (FISMA) have adopted the NIST 800-53 framework, and this drives all vendors to the United States federal government to comply. Government contractors have ensured sufficient security on their systems through NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

The International Organization for Standardization (ISO), on the other hand, is used to a greater extent in multinational corporations and in companies that do not, or are not required to, abide by the federal regulations. ISO provides a framework for building an Information Security Management System, which is likely to become the de facto IT security framework that works effectively outside the United States (Greene, 2006). Whereas NIST publications are available to the public at no cost, ISO charges for its publications.

The IT Security Policy Framework is most appropriately used in a medium-sized insurance organization. Besides being less costly to manage, this framework helps address the various types of risk that an organization is most likely to face. Among the most common risks an organization faces that can be addressed through an IT Security Policy Framework are strategic risks, financial risks, operational risks, and compliance risks, among others.

In a medium-sized insurance firm, the most applicable framework is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is IT compliant. The most convenient aspect of this framework is that it takes care of the internal controls of the organization. The internal issues of the organization are best handled using this framework because it provides the most effective approaches, which best suit upcoming organizations.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework includes five main parts that make it uniquely applicable to a medium-sized organization such as an insurance firm. To begin with, the framework addresses the control environment, counter-checking factors that might compromise it, such as the control authority and the integrity of people. It also keeps close control over the duties that take place within an organization. The framework is also essential in assessing risk, helping the organization recognize and estimate the extent to which a risk will affect it.

The framework also helps in controlling the activities of the organization, such as ideas and strategies. The communication channels and information management of a specific organization are also enhanced through the implementation of the framework. The monitoring exercise, which involves watching and evaluating the state or well-being of an organization's internal control methods from time to time, is also carried out effectively through the establishment of a practical framework. A medium-sized insurance firm ensures effective monitoring through a framework such as that of the Committee of Sponsoring Organizations of the Treadway Commission.

Operations in the United States become more productive once compliance with an IT security policy is established. Compliance helps in reporting and brings together different group entities that help the organization meet its mission and vision statements in the long run (Force, 2007). Organizations that have embraced these security measures have an easier time accomplishing their growth and development goals.

Various challenges face the implementation of a security framework, hence the demand for comprehensive, clear, and well-defined plans, practices, and rules that help regulate access to the organization's information, such as employee data, and to the organization's systems. A good policy is one that showcases the organization's commitment to security to the outside world. Ensuring that the policy is concise and communicates a straightforward message to users is a challenge for many developers (Force, 2007). Showing creativity in the development of the policy and enhancing transparency are equally challenges that many organizations must address appropriately.

In short, establishing a useful security framework such as that of the Committee of Sponsoring Organizations of the Treadway Commission requires proper identification of sensitive information and critical systems, incorporating local, state, and federal laws, defining institutional security objectives and goals, and ensuring the mechanisms necessary to accomplish those goals and objectives are in place. An organization that utilizes a useful security framework keeps its operations aligned with its mission and vision statement and hence achieves its set goals and objectives.


Force, C. T. (2007). Committee of Sponsoring Organizations of the Treadway Commission.

Greene, S. S. (2006). Security policies and procedures: Principles and practices (Vol. 1). Pearson Prentice Hall.

Muya, A. N. (2015). Information technology security policy framework for small and Medium-sized enterprises in Nairobi (Doctoral dissertation).

Smith, M. (2003). The framing of European foreign and security policy: Towards a post-modern policy framework? Journal of European Public Policy, 10(4), 556-575.
