Security Architecture - 001
MIS 5214 - Section 001 - David Lanter
January 23, 2020 by David Lanter 19 Comments
Akshay Shendarkar says
January 24, 2020 at 3:18 pm
The key point for me from this chapter was management of information security in an organization and why it is the hardest part. As per Bruce Schneier, “Security is a process, not a product”. For an organization to maintain a robust security posture as well as oversee continuous improvement, competent personnel need to be resourced who can think about the long term. The primary purpose of the infosec department is to secure the IT resources without being an obstruction to the workflows in an organization. It is critical for the management think tank to come up with solutions that are not obstructive while at the same time giving reasonable assurance to stakeholders regarding the safeguarding of IT assets. Even though selecting appropriate security technologies might provide tangible benefits, the management must ensure these technologies are in sync with the existing IT assets as well as being malleable enough to provide infosec solutions even for the future. With the ever-increasing rise in information assets and their use, managing security solutions is a very complex topic, as it must provide comprehensive security to rapidly changing technological components as well as meet the security needs of the future.
Zeynep Sahin says
January 27, 2020 at 2:34 am
You mentioned very important points. One of them is that security is not a product, it is a process. You’re right, security is not a one-time job. It requires continuous monitoring and enhancing of systems, processes and people. As technology evolves, new hacking methods are developed, so countermeasures should be updated accordingly and awareness regarding them should be provided within organizations. Also, as you mentioned, security personnel should be able to keep abreast of new technology.
Numneung Koedkietpong says
January 24, 2020 at 8:17 pm
One key point that I took from this chapter is about the governance frameworks which organizations can apply to security planning and implementation. There are various governance frameworks such as COSO, CobiT, ITIL, and ISO/IEC 27000. It is beneficial to use these frameworks, but a company should understand well the objective of each framework and what the differences are between each standard. For example, COSO is used for general control planning while CobiT focuses more on controlling the entire IT function.
January 28, 2020 at 2:12 pm
You have very well highlighted the importance of security frameworks. Many organizations, especially small to medium scale, might not have specialist security personnel at their disposal. These frameworks provide a good starting point for such organizations to evaluate their current standing of information security as well as highlight the gaps that need to be filled to be compliant with regulatory standards.
January 24, 2020 at 10:55 pm
One of the key points that I took from this chapter is that comprehensive security is impossible without proper organization. Organizing the staff and determining relations between other departments and resources effectively is the first step of comprehensive security. Also, I liked the analogy given in the book between building a house and building security countermeasures. A house cannot be built without having a broad design made by an architect; in the same way, organizations cannot apply technical controls without having overall security plans or architecture.
Alexander Reichart-Anderson says
January 28, 2020 at 9:13 am
Hi Zeynep, I agree that proper security has to start with proper planning and organization. That starts with organizing and deploying duties to the systems and the people. Deploying controls, security specifications, and security policies on the people and the systems leads to the most secure environment.
Percy Jacob Rwandarugali says
January 26, 2020 at 10:39 am
The key point I took from this chapter is the caution for companies that make the mistake of focusing heavily on security technology compared to security management; thus, security management is far more important than security technology, as mentioned in the book.
For example, in the book it’s mentioned that an official from the US GSA tried to help agencies recognize their security technologies; in a sense they enjoyed security immediately with advanced technology, but later their security decayed rapidly over time because they lacked the management ability to make security work for the long term. Broadly speaking, I have been looking at security in the aspect of technology rather than management; however, this topic on planning and policy has further enlightened my thoughts on technology versus its management.
Christopher James Lukens says
January 26, 2020 at 1:21 pm
I think a key takeaway from this chapter was to view security as an enabler. I think in many organizations security is viewed as another hoop to jump through on the way to getting your work done. I think this mindset often comes from a disconnect between users and the security group and poor communication between the two groups. Ultimately, your incredible security plan on paper can fail, because if there is no user adoption or it slows the user down, then people will circumvent the plan. Security professionals need to engage with the users, justify in clear terms why we have controls in place, and make sure users understand. The book talks about security as a mother, meaning you make sure your users are safe and spend time explaining the limits to them.
Imran Jordan Kharabsheh says
January 26, 2020 at 6:57 pm
After reading through Chapter 2 of the Corporate Computer Security textbook, which primarily focused on the planning and policies that go into and influence security and governance frameworks, I found myself infatuated with the section that covered exceptions from policies and implementation guidance. As this is a topic I don’t remember covering very much of, I read through this short but informative section thrice just to make sure I understood the expectations of exception handling. Among the more interesting expectations is the need for the “IT security department and authorizer’s direct manager” to be informed of exceptions that hover above an acceptable threshold of danger.
Junjie Han says
January 28, 2020 at 6:46 pm
You are right that a good governance framework can effectively maintain the threshold of acceptable risk. In addition, acceptable risk should be in a reasonable position. For example, a person who is very willing to take risks may waive some of the minimum security requirements for FIPS. This requires auditors to ensure these risks are communicated to investors.
Natalie Dorely says
January 26, 2020 at 10:03 pm
One key takeaway from this was the mention of how security control is a continuous effort. It’s a consistent process that is repeated as time goes on and technology advances. Personally, as I watch technology advance around me, I see the increased need for protection. It is so important for organizations to continue to stay up to date and ensure their systems are readily prepared.
January 26, 2020 at 10:25 pm
An information management framework is something a modern enterprise needs to consider carefully. After reading the second chapter on planning and policy, I realized the importance of an information security management framework. The book says that the plan-protect-respond cycle represents a plan that is constantly changing. In the rapid development of modern IT technology, companies need to accurately and quickly formulate plans and frameworks in order to quickly solve the company’s IT problems so as to make the business smooth and safe. An MSSP can provide log data to help IT analyze events and improve the company’s information management problems.
Peiran Liu says
January 29, 2020 at 8:28 am
Pointing out that plans are changing but not frameworks is very good. With a good framework, people will know what to do to plan.
Joseph Nguyen says
January 26, 2020 at 10:52 pm
Security is a process, not a product. The chapter describes how complex and difficult it is to have a comprehensive security management practice, which is essential for every process and which requires discipline, planification, resources and a successive series of actions. In the long run, security management is more important than security technology.
Various governance frameworks were mentioned, such as COBIT, ISO 27000, COSO and NIST. Each of them provides a systematic way of approaching IT security planning.
– FISMA focuses on documentation
– COSO focuses broadly on corporate internal and financial controls
– COBIT focuses more specifically on controlling the entire IT function
– The ISO 27000 family (originally called ISO 17799) of standards specifically addresses IT security
January 26, 2020 at 11:30 pm
Chapter 2, “Planning and Policy” by Boyle and Panko highlights key points that we’ve seen throughout the ITACS programs and in industry. One of these points is the boundless impact that the alphabet of frameworks truly provides to an organization. From COBIT, NIST, ISO, COSO and the countless number of handbooks, these frameworks help senior leadership govern and organize their information assets and people accordingly. Since data is the most important asset in an organization (besides the people), keeping it safe and ordered is done with the utmost importance and diligence. Where everything comes full circle and has the most impact is when the day-to-day employees and managers truly adopt the practices as their own and, in turn, ensure that all stakeholders are safe and accounted for.
January 27, 2020 at 12:54 pm
Hi Alex, I agree with you. Organizations should utilize the benefits of a compliance baseline or security guideline such as COBIT, COSO, or ISO in order to improve internal controls, IT governance, management, and security safeguards. However, organizations should know how many standards, or which one, is suitable for them.
Sarah Puffen says
January 26, 2020 at 11:37 pm
Chapter 2 of this book focuses on planning and policy. One interesting point that I found was concerning the utilization of policy-writing teams and the importance of having different viewpoints when creating a policy. Having a policy that can be communicated clearly to a wide variety of people should be the goal for most organizations, and one of the main ways to reach this goal is by including individuals from departments other than IT. This point made me think of Chapter 8 of NIST SP 800-100 – every person that is a user of the system should be familiar with the system security plan, not just program managers, system owners, etc. because it is an important deliverable in the SDLC. With this in mind, we can assume that a policy will gain more exposure/carry more weight if the users feel as though they were “included” when the policy was written.
January 29, 2020 at 1:58 am
A key takeaway from this chapter is that management of information security in an organization requires a robust approach that will enable firms to manage both internal and external threats as well as comply with industry and government regulatory requirements. According to Boyle and Panko’s book (chapter two, planning and policy), IT security planning and management is a continuous process, and organizations can become more proactive through consistent training of their employees and vendors, and by re-aligning their security policies to address current challenges and/or proper deployment of IT resources.
January 29, 2020 at 8:25 am
The key point I want to point out from chapter 2 of the book is that law plays an important role in IT security, especially laws like Sarbanes-Oxley. Before the Sarbanes-Oxley Act, companies were less focused on their financial reporting processes. Therefore, lots of hidden problems and weaknesses wouldn’t be found. With those weaknesses not being found, the risk could be passed to other parts of the company, which would maximize the hidden weakness, resulting in a bigger problem. With the Sarbanes-Oxley Act, the problems can be found earlier, so that the bigger problem will be prevented.