Question

Can someone help me with the following problems please?

1. How can a security framework assist in the design and implementation of a security infrastructure? What is information security governance? Who in the organization should plan for it?
2 What are the issues associated with adopting a formal framework or model?
3. What benefit can a private, for-profit agency derive from best practices designed for federal agencies?
4. What are the differences between a policy, a standard, and a practice? What are the three types of security policies? Where would each be used? What type of policy would be needed to guide use of the Web? E-mail? Office equipment for personal use?

Answer 1

Question:-1. How can a security framework assist in the design and implementation of a security infrastructure?
By creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves.

What is information security governance?
Governance is “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”

Who in the organization should plan for it?
The board of directors or trustees, the senior organizational executive, executive team members, senior managers, and all employees and users.

Question:-2 What are the issues associated with adopting a formal framework or model?
A framework must be customized to fit the individual enterprise's needs.
Each environment is unique there for just adopting and not adapting the model or framework may not be the best solution.

Question:-3. What benefit can a private, for-profit agency derive from best practices designed for federal agencies?
They can adapt many of the same practices into its own agency. They can help them put together the desired outcome of the security process.

Question:-4. What are the differences between a policy, a standard, and a practice? What are the three types of security policies? Where would each be used? What type of policy would be needed to guide use of the Web? E-mail? Office equipment for personal use?
A policy is a plan or course of action to convey instructions from an organization’s senior-most management to those who make decisions, take actions, and preform other duties. Polices are put in place to support the mission, vision and strategic planning. Policy would be used in top-down management approach. Additionally, policies are similar to the organization’s laws.
Differing from policy is standards, more detailed statements of what must be done to comply with the policy. Standards may be informal as in de facto standards or formal as in de jure standards.
Practice is driven by standards and includes detailed steps required to meet the requirements of standards.
Three types of security policies are :-----
EISP(Enterprise Information Security policies)which is used to support the mission, vision and direction of the organization and sets the strategic direction, scope and tone for all security efforts.
ISSP(Issue-specific security policies)is used to support routine operations and instructs employees on the proper use of these technologies and processes.
SysSp(System-specific security policies)is used as a standard when configuring or maintaining systems. ISSP policy would be needed to guide the use of the web, email and use of personal use of office equipment.