IT Systems Security Guidelines several insights emerge from an analysis of its intent, structure and definition of best practices. In completing an assessment of this document it is imperative to realize that it must change over time in response to increasingly sophisticated and malicious security threats. Taken together, the many processes and strategies in the document, presented without tight integration into a broader strategy, highlight the need for an information security governance framework (Veiga, Eloff, 2007). The systemic strategies of system hardening, interoperability security, a process-centric view of malicious code detection and the System Development Lifecycle (SDLC) illustrate why a framework is required that takes a systems-theory-based approach to security (Hong, Chi, Chao, Tang, 2003). The IT Systems Security Guidelines then function as components of a broader, enterprise-wide security framework (Posthumus, Solms, 2004). Organizations that adopt such frameworks initiate and pursue parallel initiatives, including the definition of Governance, Risk and Compliance (GRC) initiatives (Doughty, 2003), which are by definition more strategic and policy-based. The existing IT Systems Security Guidelines represent a subset of the components of a broader security framework and GRC initiative. In constructing a security framework and defining a GRC strategy, each of the areas covered in the IT Systems Security Guidelines will need to be re-evaluated from a value-at-risk approach to information security (Wang, Chaudhury, Rao, 2008). Commendable as the initial efforts of these Guidelines are, they also lack any means of evaluating their progress and effectiveness over time.
What is needed is a scorecard approach (Huang, Lee, Kao, 2006) that captures real-time performance of the organization relative to system hardening procedures, the level and extent of systems integration testing, the process-centric recommendations made in the Malicious Code Protection section, and the implementation and refinement of the SDLC. The existing Guidelines provide no means of synchronizing the diverse areas of systems security considered in the document. A framework is needed, at a minimum, to synchronize the many efforts an organization would make to comply with the Guidelines. The most critical issue beyond the need for a framework and a GRC-based strategic plan is how to educate system users, administrators and managers so as to ensure a high degree of compliance with that plan (Chang, Lin, 2007). The cultural implications of a security framework and GRC initiative must be made relevant to the day-to-day activities of each member of the organization for it to be effective (Knapp, Marshall, Rainer, Ford, 2006). The highly process-centric nature of the Malicious Code Protection best practices, for example, requires extensive training down to the individual contributor level of an organization to be effective. The more critical need of initiating and maintaining SDLC Security as defined requires organization-wide change management, one of the most daunting aspects of making any company-wide initiative part of an organization's ongoing workflows (Beer, Nohria, 2000). The definition of security baselines (Huang, Lee, Kao, 2006), which is arguably more concerned with analytics than with changing how people do their work, is often used within organizations as a barometer of how effective the security strategies are in attaining Guideline-based measures of security performance.
In evaluating Guidelines such as these it is imperative to take a systemic view and to evaluate their contents, procedures and processes both in isolation and as part of a larger framework that can be measured and improved over time through continuous monitoring.