… eighty articles from seven top-tier IS journals and found no comprehensive framework (Cannoy, 2006). All the research that had been done was largely fragmented and focused on policy and infrastructure issues. There were few proposals of formal variables or hypotheses, and the ones that existed were ill-defined and either too narrow or too broad in scope. Most of the organizations were reluctant to participate in the studies.
It is surprising that so little research has been done on IT issues when the media has covered many issues where IT was concerned. Intentional attacks on IT systems are costing businesses an estimated $15 billion a year and rising (Myler, 2006). New bills are pending in the legislature, including S1408, the Identity Theft Protection Act, and H.R. 4127, the Data Accountability and Trust Act. There is a greater need to address IT from legal, operational, and compliance perspectives. The Federal Government is working toward tighter IT control over organizations, to protect sensitive data and to hold those organizations accountable.
ISO 17799 is a standard framework for IT security. It entails nine steps to build a framework: risk assessment, security policy, asset inventory, accountability, physical security, operating procedure documentation, access controls, coordination of business continuity, and compliance. It also has clauses such as Clause 10.9, which establishes e-commerce countermeasures, and Clause 13.1, which provides a methodology for reporting incidents. Is it not being enforced? Are companies feeling that information should have low security? Do they look at its importance...