4683451
Information Security Program
Development and Management
- Security Program
- Organization-wide
security practice in a
holistic manner
- logical, administrative and physical
protection mechanisms, procedures,
business processes and people, that all
work together to provide a protection
level for an environment
- based on a flexible and
well defined framework
- framework defines the general requirement and
structure of the security program where organizations
are free to plug in different types of technologies,
methods, and procedures to accomplish the necessary
protection level
- framework defines the general requirement and
structure of the security program where organizations
are free to plug in different types of technologies,
methods, and procedures to accomplish the necessary
protection level
- why
- security through ad-hoc manner
- firefighting. deal with security
issues after incidents have
occurred.
- firefighting. deal with security
issues after incidents have
occurred.
- security through obscurity
- Rely on confusion to provide security
- Rely on confusion to provide security
- security through framework
- Develop security program using security
principles and industry best practices
- Develop security program using security
principles and industry best practices
- security through ad-hoc manner
- Industry Standards
- British Standard 7799 (BS7799)
- 1995. UK govt department of trade and industry. Outlines how an information security
management system (ISMS) (aka a security program) should be built and maintained.
Provides guidance to organizations on how to design, implement and maintain policies,
processes and technologies to manage risk to sensitive information assets.
- 1995. UK govt department of trade and industry. Outlines how an information security
management system (ISMS) (aka a security program) should be built and maintained.
Provides guidance to organizations on how to design, implement and maintain policies,
processes and technologies to manage risk to sensitive information assets.
- ISO/IEC 27000
- ISO and IEC built on top of BS7799 to launch new global standard. Serves as industry best
practices for management of security controls in a holistic manner within orgs around the
world. It's common for orgs to seeks ISO/IEC 27001 certification by an accredited third party.
- ISO and IEC built on top of BS7799 to launch new global standard. Serves as industry best
practices for management of security controls in a holistic manner within orgs around the
world. It's common for orgs to seeks ISO/IEC 27001 certification by an accredited third party.
- British Standard 7799 (BS7799)
- vs
- Program specifies the pieces and
parts that need to be put in place to
provide a holistic security for the
organization overall and how to
properly take care of those pieces
and parts
- Architecture illustrates how these
components are to be integrated into the
different layers of the current business
environment
- e.g. security program could dictate the data that
needs to be put in place. The architecture can
show how this happens at the infrastructure,
application, component and business level.
- Program specifies the pieces and
parts that need to be put in place to
provide a holistic security for the
organization overall and how to
properly take care of those pieces
and parts
- Organization-wide
security practice in a
holistic manner
- Enterprise Security Architecture
- A subset of an enterprise architecture.
Defines the infosec security strategy that
consists of layers of solutions, processes and
procedures and the way they are linked
across an enterprise strategically, tactically,
and operationally.
- Describes the structure and behavior of all components that
make up a holistic information security management
system. Ensures that security efforts align with business
practices in a standardized and cost effective manner.
- Describes the structure and behavior of all components that
make up a holistic information security management
system. Ensures that security efforts align with business
practices in a standardized and cost effective manner.
- Industry standards
- Sherwood Applied Business Security
Architecture (SABSA)
- A framework and methodology for enterprise security architecture
- A framework and methodology for enterprise security architecture
- Sherwood Applied Business Security
Architecture (SABSA)
- Development guidlines
- Strategic alignment
- The business drivers and the regulatory and legal requirements
are being met by the security enterprise architecture.
- The business drivers and the regulatory and legal requirements
are being met by the security enterprise architecture.
- Process enhancement
- When an organization is developing its security enterprise
components, those components must be integrated into the
business processes to be effective. This can allow for process
management to be refined and calibrated.
- When an organization is developing its security enterprise
components, those components must be integrated into the
business processes to be effective. This can allow for process
management to be refined and calibrated.
- Business enablement
- Security cannot stand in the way of business processes, but should
be implemented to better enable them.
- Security cannot stand in the way of business processes, but should
be implemented to better enable them.
- Security effectiveness
- Security controls in place need to provide the necessary
level of protection with the finite funds being used.
- Security controls in place need to provide the necessary
level of protection with the finite funds being used.
- Strategic alignment
- vs
- enterprise addresses the
structure of an
organization
- System view looks at
individual pieces that
make up whole picture
- enterprise addresses the
structure of an
organization
- Security Controls Development
- CobiT
- Control Objectives for Information and related Technology (CobiT)
is a framework which contains set of control objectives developed
by the Information Systems Audit and Control Association (ISACA)
and the IT Governance Institute (ITGI)
- Control Objectives for Information and related Technology (CobiT)
is a framework which contains set of control objectives developed
by the Information Systems Audit and Control Association (ISACA)
and the IT Governance Institute (ITGI)
- NIST SP 800-55
- CobiT contains control objectives used within the private sector; the U.S.
government has its own set of requirements. The National Institute of
Standards and Technology (NIST) SP 800-53 outlines controls that agencies
need to put into place to be compliant with the Federal Information Security
Management Act of 2002.
- CobiT contains control objectives used within the private sector; the U.S.
government has its own set of requirements. The National Institute of
Standards and Technology (NIST) SP 800-53 outlines controls that agencies
need to put into place to be compliant with the Federal Information Security
Management Act of 2002.
- Process management development
- Security controls needs to be used effectively and efficiently
by proper process. The security controls can be considered
the “things,” and processes are how we use these things.
- Security controls needs to be used effectively and efficiently
by proper process. The security controls can be considered
the “things,” and processes are how we use these things.
- CobiT
- A subset of an enterprise architecture.
Defines the infosec security strategy that
consists of layers of solutions, processes and
procedures and the way they are linked
across an enterprise strategically, tactically,
and operationally.
- System architecture
- Addresses the structure of software and computing components
- vs
- Addresses the structure of software and computing components
Want to create your own Mind Maps for free with GoConqr? Learn more.