Information Security Program Development and Management

Description

Mind Map on Information Security Program Development and Management, created by Ethan W on 28/02/2016.

Resource summary

Information Security Program Development and Management
  1. Security Program
    1. Organization-wide security practice in a holistic manner
      1. Logical, administrative and physical protection mechanisms, procedures, business processes and people that all work together to provide a protection level for an environment
        1. Based on a flexible and well-defined framework
          1. The framework defines the general requirements and structure of the security program; organizations are free to plug in different types of technologies, methods and procedures to accomplish the necessary protection level
    2. Why a framework
      1. Security in an ad hoc manner
        1. Firefighting: dealing with security issues only after incidents have occurred
      2. Security through obscurity
        1. Relying on confusion to provide security
      3. Security through a framework
        1. Developing the security program using security principles and industry best practices
    3. Industry standards
      1. British Standard 7799 (BS7799)
        1. 1995, UK government Department of Trade and Industry. Outlines how an information security management system (ISMS), i.e. a security program, should be built and maintained. Provides guidance to organizations on how to design, implement and maintain policies, processes and technologies to manage risk to sensitive information assets.
      2. ISO/IEC 27000
        1. ISO and IEC built on top of BS7799 to launch a new global standard. Serves as industry best practice for managing security controls in a holistic manner within organizations around the world. It is common for organizations to seek ISO/IEC 27001 certification by an accredited third party.
    4. Program vs. architecture
      1. The program specifies the pieces and parts that need to be put in place to provide holistic security for the organization overall, and how to properly take care of those pieces and parts
      2. The architecture illustrates how these components are to be integrated into the different layers of the current business environment
        1. E.g. the security program could dictate the data protection that needs to be put in place; the architecture shows how this happens at the infrastructure, application, component and business level.
  2. Enterprise Security Architecture
    1. A subset of an enterprise architecture. Defines the information security strategy, which consists of layers of solutions, processes and procedures and the way they are linked across an enterprise strategically, tactically and operationally.
    2. Describes the structure and behavior of all components that make up a holistic information security management system. Ensures that security efforts align with business practices in a standardized and cost-effective manner.
    3. Industry standards
      1. Sherwood Applied Business Security Architecture (SABSA)
        1. A framework and methodology for enterprise security architecture
    4. Development guidelines
      1. Strategic alignment
        1. The business drivers and the regulatory and legal requirements are met by the enterprise security architecture.
      2. Process enhancement
        1. When an organization is developing its enterprise security components, those components must be integrated into the business processes to be effective. This allows process management to be refined and calibrated.
      3. Business enablement
        1. Security cannot stand in the way of business processes; it should be implemented to better enable them.
      4. Security effectiveness
        1. The security controls in place need to provide the necessary level of protection with the finite funds available.
    5. Enterprise vs. system architecture
      1. Enterprise architecture addresses the structure of an organization
      2. The system view looks at the individual pieces that make up the whole picture
      3. System architecture addresses the structure of software and computing components
  3. Security Controls Development
    1. CobiT
      1. Control Objectives for Information and related Technology (CobiT) is a framework containing a set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
    2. NIST SP 800-55
      1. CobiT contains control objectives used within the private sector; the U.S. government has its own set of requirements. The National Institute of Standards and Technology (NIST) SP 800-53 outlines controls that agencies need to put in place to be compliant with the Federal Information Security Management Act of 2002.
    3. Process management development
      1. Security controls need to be used effectively and efficiently through proper processes. The security controls can be considered the "things," and processes are how we use those things.