A framework and methodology for information security management