A framework and methodology for information security management

Posted on: 2008-07-14
Degree: D.M.I.T
Type: Thesis
University: Lawrence Technological University
Candidate: Nnolim, Anene L
Full Text: PDF
GTID: 2448390005956356
Subject: Business Administration
Abstract/Summary:
Over the years, the focus of information security has evolved from the physical security of computer centers to securing information technology systems and networks, to securing business information systems. With the Internet, computers can communicate and share information with other computers outside an organization's networks and beyond their computer center. This new mode of communication meant that the existing security model was inadequate to meet the threats and challenges inherent in this new technology infrastructure. A new model of information security management is needed to meet the security challenges presented in this new environment. This model includes risk management as an important component of information security management.

The research propositions assert that information security can be managed effectively using a framework-based approach and supporting methodology, and that information security management could be a repeatable management process if a systematic approach is followed to its implementation.

Information security management in the enterprise may be viewed at three main levels, namely strategic, tactical, and operational. The motivators for security management are that it should be policy-driven (strategic level), guidelines-driven (tactical level), and measures-driven (operational level). Because information security management is a cross-functional activity in the enterprise, existing enterprise business systems architectures could be used as reference models for developing an architecture framework for the information security viewpoint.

An information security management meta model was developed in this research. The conceptual model of the solution includes some meta primitives of the information security management meta model, namely information security framework, and information security management program. The information security framework includes an information security planning model. The information security management program is an aggregate of security governance, security management system, security policy, technology, infrastructure, and risk management. The security management system consists of security management process model, security management process methodology, and security process improvement model. An implementation of the conceptual model of the solution in an integrated manner is proposed, to enable integration of information security management with other enterprise life cycle processes.
Keywords/Search Tags: Information security, Framework, Methodology, Business, Enterprise