Introduction
Preserving assets, preventing cyberattacks, storing data safely, and other valuable outcomes are achieved by implementing adequate and sustainable security tools. In the e-Commerce realm, organizations apply appropriate frameworks, which may be based on different workflows but are all geared toward supporting the business's cybersecurity. According to a recent study, most organizations use cybersecurity frameworks (“Trends in security framework adoption,” 2016). An Information Security Management System, or ISMS, plays a crucial role in companies’ IT Governance, IT Management, and Risk Management activities. According to Mbanaso et al. (2019), such a system helps create a sustainable infrastructure that keeps corporate data safe and, at the same time, makes monitoring easier. An ISMS builds a model of the relationships between the aforementioned activities, and, as Almuhammadi and Alsaleh (2017) argue, companies thereby “understand their cyber security risk management approach and what are the processes in place to manage the risk” (p. 52). Each IT department performs its tasks comprehensively, which eliminates challenges and threats at different levels and creates a single secure network. Therefore, analyzing appropriate frameworks, evaluating their application in e-Commerce, and identifying potential optimization measures are valuable procedures to perform.
Analysis of Standards and Frameworks
ISO/IEC 27000
To address an organization’s cybersecurity-related risks, relevant frameworks may be integrated. One of them is ISO/IEC 27000, a family of standards with several versions, of which ISO/IEC 27000, 27001, and 27002 are the most common. The fact that organizations can implement these standards alongside their own individual frameworks makes them flexible and convenient to use. ISO/IEC 27000 is the most widely accepted standard and includes the best and most commonly applied principles for cybersecurity (Gehrmann, 2012). ISO/IEC 27001 is a standard that defines the key requirements, including contextual, leadership, planning, and other provisions, for the sustainable operation of an ISMS (“ISO 27001,” 2013). This set of requirements helps incorporate the most effective security principles, thereby increasing the security of a particular organization. ISO/IEC 27002, in turn, describes the types of control tools available to different companies (“ISO 27002,” 2013). By reviewing a list of different policies, responsible employees can choose the best protocols and implement them in their IT departments.
COBIT 5
Risk management efforts can also be supplemented by introducing the framework called the Control Objectives for Information Technology, or COBIT. This framework comprises five relevant processes and is often referred to as COBIT 5. Integrating this structure into an organization can improve the effectiveness of security controls, since its main purpose is to coordinate governance principles through effective management mechanisms (Ahmed, 2017). As Chatterji (2016) states, COBIT 5 addresses multiple management steps, including defining stakeholder goals, covering all IT channels, maintaining a single integrated system, and “separating governance from management” (para. 24). Thus, relevant risk management tasks are allocated adequately and in a timely manner.
NIST Cybersecurity Framework
Another valuable framework that can help organizations address risk management issues associated with cybersecurity is the NIST Cybersecurity Framework, also known as CSF. One of its main features is that it is designed specifically for the business sector, which allows it to be adjusted to the needs of a particular company (IBM Cloud Education, 2020). Moreover, this framework can be successfully integrated into both large organizations with broad partnerships and small businesses (“Path forward to support adaption and adoption of the cybersecurity framework,” 2018). As a result, companies can customize their individual structures for implementing risk management procedures, thereby addressing various cybersecurity threats.
Application of Standards and Frameworks to e-Commerce
To address IT-related risks for e-Commerce and related business operations, the aforementioned frameworks can be utilized individually or in combination. For instance, Thomas (2017) provides an example of how COBIT 5 and NIST CSF may be combined within one organization. One of the key tasks in ensuring the security of e-Commerce is to protect assets from external threats while keeping internal access hassle-free and convenient. By combining COBIT 5 and NIST CSF, decision-makers are able to build a step-by-step management strategy and implement effective cybersecurity-related protocols, respectively (Thomas, 2017). Another example of their combined implementation is the development of a set of individual defense mechanisms using COBIT 5 and the evaluation of their effectiveness and impact using NIST CSF, which is also a strategy to minimize risks (Thomas, 2017). These solutions are complex but, at the same time, allow organizations to create reliable protection for e-Commerce with a large volume of IT resources.
Configuration processes within e-Commerce companies differ from those of traditional businesses, and combining security frameworks is an adequate solution for strengthening cybersecurity. Gehrmann (2012) considers the combination of ISO/IEC 27002 practices with COBIT 5 to customize the management structure with a wide range of safety protocols (ISO/IEC 27002) and to create an audit program to minimize risks (COBIT 5). If the IT team is highly qualified, ISO/IEC 27002 may be sufficient to carry out all risk management activities and to choose the approach that most closely matches the direction of an e-Commerce organization (Gehrmann, 2012). Finally, according to Ahmed (2017), COBIT 5 may be sufficient to address potential risks through its scheme for dividing work into risk management and risk function perspectives for the efficient use of resources. All these examples of the ways the frameworks under consideration can be utilized demonstrate their relevance to cybersecurity in e-Commerce.
Recommendations for Integrating Multiple Standards or Frameworks
When integrating the aforementioned cybersecurity frameworks into the risk management programs of e-Commerce organizations, it is essential to consider where these standards intersect and the range of problems each of them covers. For instance, NIST CSF adapts to specific conditions, but COBIT 5 does not, which requires building an interaction structure between them (Thomas, 2017). Another valuable tip for aligning these two frameworks is their ability to address “a gap between enterprise governance and operations,” which the author also calls “middleware” (Thomas, 2017, para. 4). Due to their peculiarities, ISO 27000/1/2 works well with COBIT 5 because the former’s flexibility complements the latter’s functionality and helps build a coherent defense structure (Gehrmann, 2012). ISO 27000/1/2 focuses exclusively on information security, which is beneficial for the e-Commerce sector, while NIST CSF can address broader aspects (Mbanaso et al., 2019). Finally, ISO 27000/1/2 and COBIT 5 can complement each other by addressing privacy considerations while providing access to flexible risk management strategies (Gehrmann, 2012). These recommendations reflect the variability in the application of cybersecurity frameworks in e-Commerce organizations.
Conclusions
The cybersecurity frameworks considered here, used in both traditional businesses and e-Commerce organizations, are valuable tools for securing assets and preventing the leakage of valuable information. ISO 27000/1/2, COBIT 5, and NIST CSF address similar risk management tasks, but their functionality and specifics differ. All of these frameworks allow for effective security audits without the extra cost of additional digital resources (Almuhammadi & Alsaleh, 2017). Another advantage is flexibility and adaptability to specific business conditions, which applies above all to NIST CSF (“Path forward to support adaption and adoption of the cybersecurity framework,” 2018). Moreover, all these standards can be combined to address multiple cybersecurity objectives and reinforce risk management strategies. Therefore, the application of such frameworks is relevant to the e-Commerce sector because they cover a wide range of tasks related to asset defense.
References
Ahmed, H. S. A. (2017). COBIT 5 for risk – A powerful tool for risk management. ISACA. Web.
Almuhammadi, S., & Alsaleh, M. (2017). Information security maturity model for NIST cyber security framework. Computer Science & Information Technology (CS & IT), 7(3), 51-62. Web.
Chatterji, S. (2016). Improving business with COBIT 5. ISACA. Web.
Gehrmann, M. (2012). Combining ITIL, COBIT and ISO/IEC 27002 for structuring comprehensive information technology for management in organizations. Navus-Revista de Gestão e Tecnologia, 2(2), 66-77.
IBM Cloud Education. (2020). NIST cybersecurity framework. IBM. Web.
ISO 27001: Translated into plain English. (2013). Praxiom. Web.
ISO 27002: Translated into plain English. (2013). Praxiom. Web.
Mbanaso, U. M., Abrahams, L., & Apene, O. Z. (2019). Conceptual design of a cybersecurity resilience maturity measurement (CRMM) framework. The African Journal of Information and Communication, 23, 1-26. Web.
Path forward to support adaption and adoption of cybersecurity framework: The framework for improving critical infrastructure cybersecurity. (2018). National Institute of Standards and Technology. Web.
Thomas, M. (2017). COBIT 5 and the NIST cybersecurity framework – A simplified framework solution. ISACA. Web.
Trends in security framework adoption: A survey of IT and security professionals. (2016). Dimensional Research. Web.