Ooreofeoluwa Koyejo says
In this chapter, the focus is on prioritizing security management over security technology. I’m particularly interested in sharing the perspective of comprehensive security, which combines the efforts of security management and security technology through risk analysis that informs the technical security architecture driving the implementation of the security technologies. The goal of comprehensive security is defence: defending the organisation and its assets from the risks of cyberattacks and malicious intrusions, thereby enabling the organisation to achieve its mission and goals.
Under security management, some factors like corporate security policy, laws and regulations, and governance frameworks are the drivers, while for security technology, the plan-protect-respond cycle informs the implementation, operations, monitoring and continual improvement of the technologies.
Celinemary Turner says
The plan-protect-respond cycle encapsulates the lifecycle of security technology implementation and management. By adhering to this cycle, organizations can maintain a proactive stance against evolving cyber threats and minimize potential damage in the event of a breach.
Eyup Aslanbay says
In Chapter 2, I found the Sarbanes-Oxley Act of 2002, enacted after the 2000 dot-com bubble crash to prevent fraud, particularly interesting. This act helped identify and fix control flaws, revealing security weaknesses in companies and initiating regulation and compliance in the tech sector. Other important compliance laws include the General Data Protection Regulation, Gramm-Leach-Bliley Act, and HIPAA. These laws are crucial for maintaining the CIA triad, as they protect valuable and confidential data.
Ooreofeoluwa Koyejo says
The place of standards and compliance laws aims towards regulating and protecting information and the information systems it resides in; however, security, privacy, legal and compliance professionals need to leverage the requirements stated as baselines and not take the standards and regulations as the endpoint for the security and privacy of information systems.
Bo Wang says
I appreciate the importance of the law in sustaining the CIA triad.
Celinemary Turner says
Boyle and Panko: Chapter 2, Planning and Policy, stresses the importance of security management compared to security technology. The reading highlights the value of an organized security management procedure in businesses. It promotes ongoing security measure monitoring and updating, emphasizing the human factor and the necessity of frequent training to address weaknesses. The Fraud Triangle is introduced in this chapter to clarify actions that compromise security, highlighting the Plan-Protect-Respond cycle as a crucial framework. Along with discussing governance frameworks like COSO, COBIT, and ISO 27002 for efficient IT security management, it also emphasizes that security should be seen as a business enabler. The chapter emphasizes the importance of matching security objectives with business goals and that security is a multifaceted process encompassing more than just technology.
Ooreofeoluwa Koyejo says
For effectiveness, the place of aligning organisational goals with security management cannot be over-emphasised. While the tools, principles, frameworks, standards, laws, guidelines and other resources available to achieve optimal security governance that works practically should be explored, I like the part of the human factor you have mentioned and the importance of frequent user security awareness and education to address the weaknesses in the people factor in security.
Yannick Rugamba says
What I took from Chapter 2 is that the significance of security management and processes goes beyond implementing security technology. As Schneier emphasizes, security should be perceived as a process rather than a static product. Regardless of the level of advancement, effective security requires the implementation of supporting management practices, policies, training programs and governance structures.
Celinemary Turner says
I agree with you. Security is not solely about implementing technological solutions but rather about establishing robust management practices and processes.
Edge Kroll says
I completely agree with your interpretation of Chapter 2. In today’s rapidly changing technological environment, relying solely on security technologies is insufficient. Instead, a comprehensive strategy that encompasses various elements such as well-defined policies, continuous training programs, and robust governance structures is essential.
Bo Wang says
Risk management and government policies complement each other, and risk management needs to be continuously improved. New policies will be implemented constantly in the future, and the company should also change and improve its risk control policies according to law requirements.
Ooreofeoluwa Koyejo says
We have come to understand that risk management and policies work together to achieve the expected level of security for an organisation. With the formulation of new policies, there should be a system for the review, update and communication of these policies for their adoption and implementation across the organisation and its scope of application, to ensure the policies are achieved according to the intended purpose.
Jon Stillwagon says
I agree that risk management needs to be continuously improved, and with risk management constantly being improved, it can only have good benefits as the outcome for the organization, such as a reduction in incidents that could cause damage to the organization or people. It can improve security management as well.
Jon Stillwagon says
In Chapter 2, the technical security architecture includes all the security measures that a company or organization has to protect its networks and its clients’ data. It also has countermeasures for an attack that does happen, in case of such an event. The organization must consider the security of its older systems so it can update them whenever possible, because older systems can potentially have more vulnerabilities. Some things to consider about technical security architecture are its principles, defense in depth, and management of remote connections. These things all play a part in technical security architecture.
Ooreofeoluwa Koyejo says
The technical security architecture adopted by any organisation should be deeply rooted in the organisational goals and security strategy, hence the inclusion of relevant stakeholders to ensure adequacy and sufficiency. The defined and approved acceptable level of risk should inform the security architecture implemented in an organisation; it is also important to closely monitor the implementation of the approved security architecture, maintaining flexibility as the digital space evolves.
Edge Kroll says
I believe the key point made in this chapter is that managing security poses a challenge due to its abstract nature. While discussing security technologies is straightforward, the implementation of security management involves intricate processes. The significance of security management lies in its role in ensuring long-term success and closing all potential routes of attack. Failures in the security chain will often occur when multiple components need to collaborate for countermeasures to be effective, and therefore constant monitoring and adaptation is of utmost importance.
Celinemary Turner says
Yes, I agree with you. Security management involves intricate processes, policies, and frameworks that can be challenging to implement and maintain, unlike security technologies, which often have tangible features and functionalities.