Intro Management Information Security
What is Security
means being free from danger
be protected from the risk of loss, damage,
unwanted modification, or other hazards
achieved by means of several strategies
NSTISSI (or CNSS) Security Model
known as McCumber Cube
provides a more detailed perspective on
security
covers the three dimensions of
information security
weakness of a single-perspective view: viewing security
from only one perspective is too limited an approach
C.I.A. Triad
integrity
availability
confidentiality
Management
is the process of achieving objectives
using a given set of resources
manager
a member of the organization assigned
to marshal and administer resources,
coordinate the completion of tasks, and
handle the many roles necessary to complete the desired
roles
• Informational
• Interpersonal
• Decisional
Approaches
Traditional - POSDC
organizing
staffing
directing
controlling
planning
Popular - POLC
organizing
management function dedicated to the structuring
of resources to support the accomplishment of objectives
leading
supervising employee behavior,
performance, attendance, and attitude
ensuring completion of the
assigned tasks, goals, and objectives
planning
process of developing, creating, and implementing
strategies for the accomplishment of objectives
level
tactical
strategic
operational
controlling
ensures the validity
of the organization’s plan
impediments to the completion
of the task are resolved
no additional resources are
required
sufficient progress is made
Governance
“the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly”
emphasizes escalating the importance of InfoSec to
the uppermost levels of the organization, providing it with an
appropriate level of management
Solving Problems
Step 1: Recognize and Define the Problem
Step 2: Gather Facts and Make Assumptions
Step 3: Develop Possible Solutions
Step 4: Analyze and Compare
Possible Solutions (Feasibility Analyses)
Step 5: Select, Implement, and Evaluate a Solution
Characteristics of Information
• Confidentiality
• Integrity
• Availability
• Privacy
• Identification
• Authentication
• Authorization
• Accountability
Key Concepts of
Information Security
threat
represents a potential risk
to an information asset
Threat agents damage or steal an organization’s information or
physical assets by using exploits to take advantage of a
vulnerability where controls are not present or no longer effective
Attack:
“an intentional or unintentional
act that can damage or otherwise compromise
information and the systems that support it”
Exploit:
“a technique used to compromise a system…
Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain”
Vulnerability:
“a potential weakness in an asset or its defensive control
system(s)”
attack
represents an ongoing act
against the asset that
could result in a loss
Principles (six Ps)
• Planning
part of InfoSec management
types of InfoSec plans
• Incident response planning
• Business continuity planning
• Disaster recovery planning
• Policy planning
• Personnel planning
• Technology rollout planning
• Risk management planning
• Security program planning
including education, training and awareness
• Policy
“a set of organizational guidelines that dictate certain
behavior within the organization”
general categories
• Enterprise information security policy (EISP)
• Issue-specific security policy (ISSP)
• System-specific policies (SysSPs)
• Programs
• InfoSec operations are specifically managed as separate entities
• A security education training and awareness (SETA) program is one such entity
• Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, etc.
• Protection
protection function is executed via
a set of risk management
activities
risk assessment and control,
protection mechanisms, technologies, and tools
Each mechanism represents an aspect of the
management of specific controls in the
overall information security plan
• People
security personnel and the security of
personnel
aspects of the SETA program
most critical link in the information security
program
• Project management
final component is the application of thorough
project management discipline to all elements of the
information security program
involves
identifying and controlling the resources applied to the project
measuring progress
adjusting the process as
progress is made toward the goal