With so many aspects to consider for IT security, this framework is a very useful approach to analyze how well an organization is addressing overall IT security.  This framework breaks security into people, data, applications, and infrastructure.

PEOPLE- The focus on people looks at controlling and monitoring what information people can and do access.  User provisioning is one of the big considerations.  Does a user have appropriate access to the systems he or she need, and only the system he or she need?  In smaller organizations this is often handled without automation.  Requests come often through a service desk ticket by management or HR for a person in a particular role to be granted access to a specific set of applications.  The challenge with this method is human error.  With movement in an organization, it is easy to end up with a user who has access to systems to which he or she should not be authorized because changing their access was overlooked.  A more thorough method of managing this and more cost effective method in larger organizations is to use an identity and access management system.  This is a centralized engine that manages the user’s privileges rather than administrators changing access application by application.  SIEM (Security Information and Event Management) tools provide another key aspect of people security, because they can detect targeted attacks in early stages and minimize any damage by monitoring user activity and data access. Read more