[Author’s name]
Information Management Policy and IT in Today's Corporation
With the rapidly growing importance of and reliance on IT in knowledge management, companies' vulnerability to cyber attacks and other related contingencies has increased as well. The National Institute of Standards and Technology (Locke & Gallagher, 2010) published a guide and Risk Management Framework to address the issue.
One of the important ideas stated in the guide is that managing risks related to information systems is a complex task that requires the involvement of the entire organization. The proposed division into three tiers distributes the roles among members of the organization: senior leaders provide the strategic view, mid-level managers define business missions and control particular projects, and, finally, individuals perform the technical tasks, operating the information systems in line with the core mission.
The other concept is matching security requirements to the stages of the system development life cycle; more precisely, integrating the former into the latter from the very beginning. This can be implemented by creating integrated teams in which security specialists participate at every stage of system development, ensuring compliance with pre-defined security requirements. Participation of IT security specialists also ensures that security-related information is generated, which helps improve the whole risk management process.
Finally, to give the risk management process flexibility, the guide divides security controls into three groups: system-specific, common and hybrid. Common controls are suitable for multiple systems and are less costly, but where the systems differ fundamentally they may prove inefficient; system-specific controls are designed for particular systems, which is both more expensive and more efficient; controls that have characteristics of both are called hybrid, and they allow system-specific features to be added to common controls.
Reference:
Locke, G., & Gallagher, P. D. (2010, February). Guide for applying the Risk Management Framework to federal information systems: A security life cycle approach. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf