Chapter 4: A Framework for Information Security Digital Divide

4.2. Overview of a Framework

An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an organisation (Granneman, 2013). Granneman (2013) goes on to elaborate that frameworks are basically outlines for building an information security programme to manage risk and reduce vulnerabilities. In addition, an information security framework should not only focus on technological issues but also incorporate other mission-critical components within an organisation such as people, process, and business strategies which also dictate the need for information security (Patil, 2008:5). In security models, people, process, and technology must combine to increase security performance (Saleh, 2011), as depicted in Figure 4.1.

Figure 4.1: Relationship between people, process, and technology

Source: Adapted from Kumta and Shah (2002)

Figure 4.1 follows the same logic as Saleh, Abdulkader and Alfantookh (2011) on security, which underlines the reality that combining essential information security factors enhances standards of security practice and is fast becoming a popular trend. Saleh et al. (2011) furthermore cite the example of the strategy, technology, organisation, people, and environment (STOPE) framework, which combines all the aforesaid factors to create a good framework. The subsection that follows discusses the objectives of a framework.

4.2.1. Objectives of a Framework

The aim of an information security framework is to connect people, process, and technology in order to deliver practical IT guidelines for standard practice (Patil, 2008:8). However, even with the best planning and implementation, it is often impossible to obtain a perfect information security framework (Whitman & Mattord, 2008). Principally, the idea of a framework is to minimise information security risk. This is also known as creating the operational security environment (OSE). The OSE is supplemented by all installed information security countermeasures. Figure 4.2 is a demonstration of the legacy concept of OSE, which was masterminded by Von Solms, van de Haar, von Solms and Caelli (1994). A carefully designed framework should be able to sustain, or at least come close to, the ideal OSE, because then the prescribed countermeasures would have been met. One way of attaining OSE in an organisation is by utilising a custom framework based on combining the capabilities of other existing frameworks such as ISO/IEC 27001:2013 and COBIT.

Figure 4.2: Operating security environment

Source: Adapted from Von Solms, van de Haar, von Solms and Caelli (1994)

According to Arora (2011:8), standard frameworks on information systems management can be divided into information security standards and information security governance standards. COBIT is a high-level IT governance and management framework. It focuses on broader decisions in IT management and does not dwell on technical details. On the other hand, ISO 27001:2013 implementation concentrates on security controls, centred on a risk management approach. This implies that both COBIT and ISO/IEC 27001:2013 deliver foundations that are essential to the development of a sound information security plan (Garcia, 2015). To get the desired security level, every custom framework must adopt industry-approved characteristics applicable to the security of its business operations. The next subsection discusses framework characteristics.

4.2.2. Characteristics of a Framework

According to some authors (Patil, 2008:8; Basani, 2012), a well-designed information security framework should at all costs integrate the following important components:

1) A life cycle: This contributes to ensuring that there is continuous improvement in a process by looking at its critical phases (Basani, 2012:6).

2) Complete, recommended, and well-constructed information security governance. Patil (2008) points out that this is only realistic by, for example, putting in place properly organised and clearly outlined policies within an organisation.

3) Sound controlled access practices for, amongst others, stakeholders, processes, technology, and crucially information resources.

4) The use of popular, successful existing frameworks as guidelines. Good examples of those could include COBIT, IRSM, HIPAA, and ISO 27001:2013.

5) A guide to acceptable criteria and alternatives that helps in tailoring a framework to suit the operating information security environment in which it will be applied.

4.2.3. Life cycle

To ensure that all aspects of information security are considered in a properly designed framework, it is essential that a framework follows an approach based on a comprehensive life cycle (Basani, 2012:108). One such example is the “Plan-Do-Check-Act (PDCA)” process (Siponen & Willison, 2009; ISO 7799, 2002; Locke & Gallagher, 2010). It offers a good approach to be used as a guideline to develop and implement a successful framework. Table 4.1 is a summary of PDCA in combination with how the proposed ISDD framework of this study will benefit.

Table 4.1: The PDCA-based life cycle of a framework (activities)

Plan

The first quadrant: Planning entails forming goals and having in place appropriate processes to get the desired outcome (Siponen & Willison, 2009; Basani, 2012). Planning in the context of ISDD in Figure 4.6 equates to points 1, 2, 3, and 4. It covers how external stakeholders and business roles, according to the business functions they are attached to, use technology (points 3 and 4) in a manner that complies with mature ISDD in the organisation.

Do

The second quadrant performs monitoring and measuring of the process performance in comparison to the objective of the improvement process. This stage incorporates point 5 in Figure 4.6 in the framework, and how people, process, and technology have been combined in accordance with the set performance target goals. Targets are appraised according to the ISDD maturity level.

Check

The third quadrant: Implementation of the appropriate processes, followed by assessing and measuring performance and setting up for process improvement. Once the planning of how to combine people, process, and technology to retain high ISDD is achieved, as explained in the previous stage, all metrics that constitute roles, functions, and systems in point 6 of the proposed framework in Figure 4.6 need to be assessed and measured for compliance.

Act

The fourth quadrant involves actioning lessons learnt; corrective action must be performed to correct any irregularities (Mind Tools, 2015). Using the outcome of the maturity level grading attained after going through all stages in the proposed framework, the organisation reflects on the shortcomings identified during the entire cycle. It draws upon those mistakes and goes back to the planning “table” to narrow down the faults identified and make amendments to enhance security.

Figure 4.3 is a graphical illustration of PDCA in accordance with the explanation offered in Table 4.1 regarding the transition between the four quadrants.

Figure 4.3: PDCA model

Source: Adapted from Humphreys (2008)

Directly or indirectly, most information security frameworks incorporate the PDCA strategy discussed in Figure 4.3 in one way or another. One such successful and industry-approved framework is COBIT; it uses this methodology to develop the concept of capability maturity level in IT.