Akshay Shendarkar says
The key point for me from this chapter was the management of information security in an organization and why it is the hardest part. As per Bruce Schneier, “Security is a process, not a product”. For an organization to maintain a robust security posture as well as oversee continuous improvement, competent personnel need to be resourced who can think about the long term. The primary purpose of the infosec department is to secure the IT resources without being an obstruction to the workflows in an organization. It is critical for the management think tank to come up with solutions that are not obstructive while at the same time giving reasonable assurance to stakeholders regarding the safeguarding of IT assets. Even though selecting appropriate security technologies might provide tangible benefits, management must ensure these technologies are in sync with the existing IT assets and are malleable enough to provide infosec solutions in the future as well. With the ever-increasing rise in information assets and their use, managing security solutions is a very complex topic, as it must provide comprehensive security to rapidly changing technological components as well as meet the security needs of the future.
Zeynep Sahin says
Akshay,
You mentioned very important points. One of them is that security is not a product, it is a process. You’re right, security is not a one-time job. It requires continuous monitoring and enhancing of systems, processes and people. As technology evolves, new hacking methods are developed, so countermeasures should be updated accordingly and awareness regarding them should be provided within organizations. Also, as you mentioned, security personnel should be able to keep abreast of new technology.
Numneung Koedkietpong says
One key point that I took from this chapter is about the governance frameworks which organizations can apply to security planning and implementation. There are various governance frameworks such as COSO, CobiT, ITIL, and ISO/IEC 27000. It is beneficial to use these frameworks, but a company should understand well the objective of each framework and what the differences between each standard are. For example, COSO is used for general control planning, while CobiT focuses more on controlling the entire IT function.
Akshay Shendarkar says
Hello Num,
You have very well highlighted the importance of security frameworks. Many organizations, especially small to medium scale, might not have specialist security personnel at their disposal. These frameworks provide a good starting point for such organizations to evaluate their current standing in information security as well as to highlight the gaps that need to be filled to be compliant with regulatory standards.
Zeynep Sahin says
One of the key points that I took from this chapter is that comprehensive security is impossible without proper organization. Organizing the staff and determining relations with other departments and resources effectively is the first step of comprehensive security. Also, I liked the analogy given in the book between building a house and building security countermeasures. A house cannot be built without a broad design made by an architect; in the same way, organizations cannot apply technical controls without having an overall security plan or architecture.
Alexander Reichart-Anderson says
Hi Zeynep, I agree that proper security has to start with proper planning and organization. That starts with organizing and assigning duties to the systems and the people. Deploying controls, security specifications, and security policies on the people and the systems leads to the most secure environment.
Percy Jacob Rwandarugali says
The key point I took from this chapter is the caution for companies that make the mistake of focusing heavily on security technology rather than security management; security management is far more important than security technology, as mentioned in the book.
For example, in the book it’s mentioned that an official from the US GSA tried to help agencies recognize their security technologies; in a sense they enjoyed security immediately with advanced technology, but later their security decayed rapidly over time because they lacked the management ability to make security work for the long term. Broadly speaking, I have been looking at security from the aspect of technology rather than management; however, this topic on planning and policy has further enlightened my thoughts on technology versus its management.
Christopher James Lukens says
I think a key takeaway from this chapter was to view security as an enabler. I think in many organizations security is viewed as another hoop to jump through on the way to getting your work done. I think this mindset often comes from a disconnect between users and the security group and poor communication between the two groups. Ultimately, your incredible security plan on paper can fail, because if there is no user adoption or it slows the user down, then people will circumvent the plan. Security professionals need to engage with the users, justify in clear terms why we have controls in place, and make sure users understand. The book talks about security as a mother, meaning you make sure your users are safe and spend time explaining the limits to them.
Imran Jordan Kharabsheh says
After reading through Chapter 2 of the Corporate Computer Security textbook, which primarily focused on the planning and policies that go into and influence security and governance frameworks, I found myself infatuated with the section that covered exceptions from policies and implementation guidance. As this is a topic I don’t remember covering very much of, I read through this short but informative section thrice just to make sure I understood the expectations of exception handling. Among the more interesting expectations is the need for the “IT security department and authorizer’s direct manager” to be informed of exceptions that hover above an acceptable threshold of danger.
Junjie Han says
Hi Kharabsheh,
You are right that a good governance framework can effectively maintain the threshold of acceptable risk. In addition, acceptable risk should be set at a reasonable level. For example, a person who is very willing to take risks may waive some of the minimum security requirements of FIPS. This requires auditors to ensure these risks are communicated to investors.
Natalie Dorely says
One key takeaway from this chapter was the mention of how security control is a continuous effort. It’s a consistent process that is repeated as time goes on and technology advances. Personally, as I watch technology advance around me, I see the increased need for protection. It is so important for organizations to continue to stay up to date and ensure their systems are readily prepared.
Percy Jacob Rwandarugali says
Hi Natalie,
It’s true, the continuous effort is extremely important, as you mentioned. Companies need to keep track of activities that happen on the network. Having a list of all malware attacks, and looking out for new attacks, would be a good way to continuously monitor risk.
Junjie Han says
An information management framework is something a modern enterprise needs to consider carefully. After reading the second chapter on planning and policy, I realized the importance of an information security management framework. The book says that the plan-protect-respond cycle represents a plan that is constantly changing. In the rapid development of modern IT technology, companies need to accurately and quickly formulate plans and frameworks in order to quickly solve the company’s IT problems, so as to make the business run smoothly and safely. An MSSP can provide log data to help IT analyze events and address the company’s information management problems.
Peiran Liu says
Hi Junjie,
Pointing out that plans change but frameworks do not is very good. With a good framework, people will know what to do when planning.
Joseph Nguyen says
Security is a process, not a product. The chapter describes how complex and difficult it is to have a comprehensive security management practice, which is essential for every process and requires discipline, planning, resources and a successive series of actions. In the long run, security management is more important than security technology.
Various governance frameworks were mentioned, such as COBIT, ISO 27000, COSO but NIST. Each of them provides a systematic way of approaching IT security planning.
– FISMA focuses on documentation.
– COSO focuses broadly on corporate internal and financial controls.
– COBIT focuses more specifically on controlling the entire IT function.
– The ISO 27000 family of standards (originally called ISO 17799) specifically addresses IT security.
Innocent says
Hi Joe, one of the frameworks you mentioned is the COBIT framework. This framework is so important because it helps enterprises maintain high-quality information to support business decisions, achieve strategic goals through effective and innovative use of IT, obtain operational excellence through efficient application of technology, and also maintain IT-related risk at an acceptable level.
Alexander Reichart-Anderson says
Chapter 2, “Planning and Policy” by Boyle and Panko, highlights key points that we’ve seen throughout the ITACS program and in industry. One of these points is the boundless impact that the alphabet of frameworks truly provides to an organization. From COBIT, NIST, ISO, COSO and the countless number of handbooks, these frameworks help senior leadership govern and organize their information assets and people accordingly. Since data is the most important asset in an organization (besides the people), keeping it safe and ordered is done with the utmost importance and diligence. Where everything comes full circle and has the most impact is when the day-to-day employees and managers truly adopt the practices as their own and, in turn, ensure that all stakeholders are safe and accounted for.
Numneung Koedkietpong says
Hi Alex, I agree with you. Organizations should utilize the benefits of a compliance baseline or security guideline such as COBIT, COSO, or ISO in order to improve internal controls, IT governance, management, and security safeguards. However, an organization should know how many standards, or which one, suits them.
Sarah Puffen says
Chapter 2 of this book focuses on planning and policy. One interesting point that I found was concerning the utilization of policy-writing teams and the importance of having different viewpoints when creating a policy. Having a policy that can be communicated clearly to a wide variety of people should be the goal for most organizations, and one of the main ways to reach this goal is by including individuals from departments other than IT. This point made me think of Chapter 8 of NIST SP 800-100: every person that is a user of the system should be familiar with the system security plan, not just program managers, system owners, etc., because it is an important deliverable in the SDLC. With this in mind, we can assume that a policy will gain more exposure and carry more weight if the users feel as though they were “included” when the policy was written.
Innocent says
A key takeaway from this chapter is that management of information security in an organization requires a robust approach that will enable firms to manage both internal and external threats as well as comply with industry and government regulatory requirements. According to Boyle and Panko’s book (chapter two, Planning and Policy), IT security planning and management is a continuous process, and organizations can become more proactive through consistent training of their employees and vendors, and by re-aligning their security policies to address current challenges and/or the proper deployment of IT resources.
Peiran Liu says
The key point I want to point out from chapter 2 of the book is that law plays an important role in IT security, especially laws like Sarbanes-Oxley. Before the Sarbanes-Oxley Act, companies were less focused on their financial reporting processes. Therefore, lots of hidden problems and weaknesses wouldn’t be found. With those weaknesses not being found, the risk could be passed to other parts of the company, which would maximize the hidden weakness, resulting in a bigger problem. With the Sarbanes-Oxley Act, the problems can be found earlier, so that the bigger problem will be prevented.