Discussion Forum 4 CSIS 340. DB4 - Fundamental Security Policies

The fundamental security policy frameworks PCI DSS, FISMA, and COBIT are all solid frameworks that provide structure for how information security should function in the workplace. Each framework has a distinct purpose that contributes to the overall security of information, and a business should consider carefully which frameworks it actually needs to apply. For instance, if a business is going to accept credit cards, it will need to implement PCI DSS, the payment card industry's standard that provides structure for how cardholder data is accepted, processed, stored, and transmitted. COBIT, on the other hand, is an IT governance framework (maintained by ISACA) that aligns business requirements with control requirements; it sets out how IT security and IT risk are assessed, governed, and managed rather than prescribing specific technical settings. Finally, FISMA is the federal law that requires federal agencies, and organizations that operate information systems on their behalf, to secure those systems according to standards developed by NIST (the National Institute of Standards and Technology), which provide the framework for how the security of federal business is handled.

To demonstrate the use of these policy frameworks, nonprofit organizations and retail businesses are two interesting cases where the frameworks must be applied. Retail, as many know, is subject to PCI DSS simply because of the inherent expectation that a retailer will take credit or debit cards and process them for payment; the obligation is passed to the merchant through its agreement with its acquiring bank, and the scope of the assessment depends on how much cardholder data the retailer's own systems touch. In addition, COBIT can work well for the retail industry's policy needs, providing a balance between regular business operations and the control policies the business requires. Businesses in retail do not, however, have to be compliant with FISMA, unless they were somehow working directly with federal offices, which is not a common case that we know of.

Nonprofit organizations, however, frequently do have to be FISMA compliant because of federal funding. These organizations rely on federal funding for research or resources that are necessary to make the difference they wish to have, and when a grant or contract has them collecting or processing federal data, the agency passes its FISMA security requirements down to them. COBIT would also be an appropriate policy framework for a nonprofit, because while it is not strictly a business in the eyes of the sector, it often has to be run and treated like a business in order to be successful in its goals. Finally, nonprofit organizations do not have to be PCI DSS compliant unless they accept credit card payments as a business would. Donations, fundraisers, and similar activities that take card payments could all potentially bring a nonprofit into scope for PCI DSS.