Security management within the context of information systems “needs a paradigm shift in order to successfully protect information assets” (Eloff & Eloff, 2003). Due to the rapid increase in information security threats, security management measures have been taken to proactively remedy the growing threat facing information security. As a result of this, security management “is becoming more complex everyday, many organization’s security systems are failing, with serious results” (Fumey-Nassah, 2007). To remedy the increased threats to information security systems, organizations are seeking alternatives that reduce network vulnerability to malicious attacks. There are several management measures that organizations must take to fully understand the vulnerabilities at stake.
There are dominant security management frameworks that encompass security management models for information systems. Therefore, in order to fully analyze the topic of security management, we must first understand the security management models that form the foundation of security management practices. There are several models that structure information security mechanisms in an enterprise organization. In general, “information security models are standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption” (Mattord & Whitman, 2010). If we analyze security management within the context of access controls, we find that access controls are needed to regulate “the admission of users into trusted areas of the organization.” Access controls in security management are needed to restrict different levels of access to things like assets, information and other resources of information systems infrastructure.
If we analyze security management from the perspective of security management models, we see that an access control model clearly distinguishes between the “principles of least privilege, need to know, and separation of duties” (Mattord & Whitman, 2010). In ERP systems, security management is critical because an organization must be concerned with “establishing and maintaining a secure information environment” (Eloff & Eloff, 2003). Access control measures must also be considered when granting access and controls to users of an organization. Furthermore, restricting information counters attempts to exploit network vulnerabilities to gain access to information assets. When considering a security management approach, organizations must not fail to consider the systematic structure that enables the full functionality of information systems.
Essentially, the “domain of information security management is no longer exclusively of a managerial nature, technical aspects also need to be considered on management level. Information security management can be approached from various perspectives” (Eloff & Eloff, 2003). The strategic approaches that an organization decides to pursue will be influenced by the foundational...