Bahrain Government Information Security Framework: CyberTrust Program

Yusuf Mohammed Mothanna (Information and eGovernment Authority, Bahrain), Yousif Abdullatif Albastaki (Ahlia University, Bahrain) and Talal Mohamed Delaim (Information and eGovernment Authority, Bahrain)
DOI: 10.4018/978-1-7998-2418-3.ch010

Abstract

Information technology is perceived as an important enabler for government entities to accomplish their goals. The proliferation of electronic government services that can provide value for citizens and residents has pushed governments all over the world to adopt and deploy these services. However, governments have realized that it is critical to build proper defenses to protect the information. Implementing information security by using international or national information security frameworks helps organizations safeguard their information assets. This chapter reviews useful information security frameworks. It also presents a proposed information security framework implemented in the Government of Bahrain, called the CyberTrust Program. This framework was developed based on best practices and local resources and culture.

Introduction

Information is an important asset for all organizations in achieving their goals, and information technology has become a major driving force in many organizations, making their functions run more smoothly and quickly. Consequently, protecting information is perceived as a critical function that must be accomplished successfully and that needs the commitment of all of the organization’s members.

Information security is vital to all organizations that use information technology to protect their information and conduct their business. Whitman and Mattord define information security as “the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information” (Whitman and Mattord, 20017). Additionally, Merkow and Breithaupt define information security as “the process of protecting the confidentiality, integrity, and availability (CIA) of data from accidental or intentional misuse” (Merkow and Breithaupt, 2014).

When implementing information security, organizations and enterprises have an opportunity to follow proven standards or frameworks that include guidelines and best practices for successfully achieving information security. Two examples of these standards/frameworks are the United States National Institute of Standards and Technology (NIST)’s Special Publication 800-53r5 and the International Standard Organization (ISO) 27001:2013 Standard.

These standards define certain information security controls to be implemented in multiple areas within the organization in order to protect information assets. These controls fall into three categories: preventive, detective, and responsive. Preventive controls work to stop a threat from occurring in the first place; if a threat occurs nonetheless, it is the responsibility of detective controls to detect and identify it. Finally, responding to the threat is the duty of responsive controls.

The controls will affect three areas within the organization: people, technology and process. Human resources within the organization should get enough knowledge regarding correct interaction with technology. This will minimize threats caused by human errors and mistakes. Technology itself should be designed with certain controls to participate in protecting information. Finally, process or procedures should be followed by each person in the organization. Procedures, when written clearly and followed by everybody, will further help in avoiding human errors.

The Kingdom of Bahrain has recognized the importance of information technology in its endeavor to achieve a better life for all citizens and residents in the Kingdom of Bahrain, within the principles of vision 2030, based on sustainability, competitiveness, and fairness. The Kingdom of Bahrain has witnessed substantial progress in the information technology sector to the extent that the provision of services and exchanging, storing, and using information electronically has become a fundamental means of work at all government entities. Therefore, it is imperative to uphold the confidentiality, integrity, and availability of government information for gaining the confidence of its constituents.

Therefore, it is necessary to develop a framework aimed at assuring that information security in all government entities is conducted in a uniform manner that still appreciates the differences in environments. As such, the Information Government Authority (IGA) has designed a new framework titled ‘Cyber Trust Programme’ (CTP), which defines a framework to enable government entities within the kingdom to improve information security assurance, to have a unified, methodical approach to information security, and to be able to determine information security maturity within the respective entities.

CTP is designed to provide an information security framework of a competitive nature, which endeavours to raise the level of information security through governance and the support of human and technology elements, resulting in a continuously trusted electronic environment for the government.

The research questions directing the Chapter are:

  1. What are the information security framework and the CyberTrust Program?

  2. How does the CyberTrust program enhance information security in Bahrain government entities?

The Chapter aims at realizing the following objectives:

  1. Increasing knowledge of information security frameworks

  2. Investigating the Bahrain government's experience with information security framework measures that institutions could use to improve the information security level in organizations.
