Zibai Yang says
Information security strategy is the most important step for an organization to solve information security problems, and it is also the foundation of the organization’s entire information security system. Information security is not a natural requirement but a requirement after experiencing information loss. Therefore, management is essential for information security.
The most important management document of an organization is the information security policy. The information security policy clearly specifies what the organization needs to protect, why it needs to be protected, and by whom; without a reasonable information security strategy, no matter how good the information security experts and security tools are, they have no value.
An organization’s information security strategy can reflect the organization’s expectations of actual security threats and future security risks and the organization’s internal business and technical personnel’s awareness of and response to security risks.
Ting-Yen Huang says
Hi Zi Bai, I agree with your point of view; information security strategy is truly important to help an organization solve an information security problem. The information security policy is one of the most important documents in the whole process. It gives guidance to users and helps the IT staff find out which policy is outdated and which one helps lower the risk.
Haozhe Lin says
Hi Zibai,
I agree that an information security strategy is the most important step for an organization to solve information security problems. There are compelling arguments for both lines, but I think the hybrid model gives you the best of both. The hybrid model puts the security operation part (such as a firewall) in it and puts the planning, policy, and audit governance outside. I think this approach is more logical and helps it be independent when and where needed.
Priyanka Ranu says
The key point that I took away from this reading is that management is the hardest part and hence the need for comprehensive security. Bruce Schneier’s quote is a strong and valid statement, “Security is a process, not a product.” Organizations focus too heavily on security technology as compared to security management. I agree with this as it’s easier to think about technology than management, and there needs to be a process involved rather than treating it like a product. What makes security management difficult is the protection of a large number of resources. Companies need to identify all of their resources and develop a security program for each one. The security management process, which is the plan-protect-respond cycle, is an effective method to implement security management. There’s a good example in the book where one official from the U.S. federal General Services Administration helped a series of federal agencies reorganize their security technologies, which was effective in the short term. But was it effective in the long term? Their security decayed rapidly as these agencies had the technology but were lacking the management ability to make security work.
Heather Ergler says
Hi Priyanka, your take on the reading is really interesting to me. I have watched security teams pivot based on the “next new security software” without a view toward how the security team should manage security risk over time. I spent 2 years onboarding the new software before the use cases and security outcomes that would be supported by the software were developed and a business case outlining the ROI for the use cases and security outcomes was outlined. Really backwards and definitely not in the spirit of Schneier’s quote. On the plus side, we did shift our approach to more of a security management focus rather than a product focus, and tool / software implementation is more focused now.
Wenyao Ma says
One of the key points I learned from this chapter is that safety is not a product, but a process. Security is not a one-time job; it requires continuous monitoring and enhancement of systems, processes and personnel. With the development of technology, new hacking methods have been developed, so countermeasures should be updated accordingly, awareness of these measures should be provided within the organization, and security personnel should keep up with the development of new technology. In addition, without proper organization, comprehensive security is impossible. Organizing personnel and effectively determining the relationship between other departments and resources is the first step of comprehensive security.
Humbert Amiani says
Hi Wenyao,
It is very true that security is a continuous collaborative process within each organization. When measures/policies are implemented, they have to be reviewed and updated regularly since threats are always evolving as well.
Mei X Wang says
Hi Wenyao,
I agree with your analysis; security is an ongoing process. No matter how secure the environment can be, as it interacts with new threats, controls and countermeasures should be continuously developed as well. Countermeasures should also be created as the control is being implemented and flaws arise.
The plan, protect, and respond process is a model of a high-level management process to create a more comprehensive security plan.
Ting-Yen Huang says
In the phase of setting up the planning and policy for the IT security architecture, viewing the users positively is important during the process. Users are usually the first line of defense, because they are also the first group of people who find out about problems and abnormal behaviors when they are using the systems, instead of IT security staff. Positive treatment of users helps IT staff find out the problem more than negative treatment does. Defense in depth is important for IT security. When a hacker wants to attack a company’s system, it has to go through the Internet firewall and then go through the internal firewall. Defense in depth points to the importance of many layers, because when the hacker is going through all the firewalls, the system will alert the IT staff, which can give them response time to deal with the intruder.
Hi Ting,
You bring up a good point about users’ importance when setting up the planning and policy of the IT security architecture. Users are the first ones who are aware of and find unusual behaviors when they are using the systems. The users or employees are usually considered the weakest link, but are they really the weakest link? I think employees could be the first line of defense, and there should be proper security awareness and training provided to the employees. Some of the common threats that the employees could be trained to spot are phishing emails, spear phishing emails, ransomware, and compromised search engine queries. Everyone from employees, contractors, IT staff, and others who interact with the systems should be a part of the IT security architecture.
Laws and regulations are the driving force for the organization’s safety planning and policies. Financial fraud around 2000 eventually led to SOX, and companies had to start reporting any major defects in their control environment. In the same year, FISMA was issued to enhance safety and require certification, and then to be examined and authorized by the “certification officer”. Coincidentally, publications of FIPS and NIST have been launched in the same time frame to help the risk assessment and classification process. Also, COSO expanded its framework in 2004 to help SOX’s recent compliance. It is worth noting that fraud around 2000 seems to have driven most of the changes in information system security. Resources of law, standards, and guidelines are interrelated in terms of material and time. In terms of the policy, I have also found that policies known as major policies are very interesting. The e-mail, employment/dismissal, and personal information initiative policies are the most detailed policies I have seen in my organization, which are the same as those described in the reading.
Hi Haozhe. You have a great point about how companies emphasize the importance of employee awareness. The employees most often use emails to communicate with internal users and external users. If they do not know how to recognize the phishing email, the hackers will very easily hack into the company system. Otherwise, if an employee is able to log in to his or her account while he or she is on vacation, the employee may steal the information to sell it somewhere, such as the black market or a competitor.
For many firms, driving forces are things that require a firm to change its security planning, protections, and response. According to different laws and regulations, firms must substantially improve their security to be in compliance, for example under Sarbanes–Oxley, privacy protection laws, data breach notification laws and so on.
Under Sarbanes–Oxley, companies must report whether they have any material control deficiencies in their financial reporting process. The sections of the bill cover responsibilities of a public corporation’s board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law. The European Union (EU) Data Protection Directive, the U.S. Gramm–Leach–Bliley Act (GLBA), and the U.S. Health Insurance Portability and Accountability Act (HIPAA) are laws that force firms to protect personal information. These compliance laws and regulations can promote a company’s compliance and safety, although the cost may be high.
Hi Xinyi,
Thank you for sharing; I agree with your points. Safety and compliance go hand in hand, with improvements in safety leading to better compliance, and the compliance acts supervising organizations to improve safety.
The security management process is designed to protect an organization from the threat environment with the goal of achieving comprehensive security for the company. Security is only as strong as its weakest link, and the weakest link will always be humans. It is important to have policies, processes, and procedures in place to guide and inform the average system users on best practices to keep security as tight as possible. Additionally, it can protect the organization from non-compliance with laws and regulations. Different industries have different compliance requirements such as PCI-DSS and HIPAA, but may also be required to comply with other regulations like Sarbanes-Oxley and the Gramm-Leach-Bliley Act (GLBA). At the start of the system development life cycle, engaging the information security team can help ensure all requirements are met from a security and compliance perspective.
Anthony,
You make a great point about the weakest link being humans. I feel like this is often overlooked as everyone’s immediate thought when it comes to security is the system and protection put in place. Staying on top of the info security team from the beginning can be the difference in your system being safe and your system being attacked successfully.
This chapter focused heavily on the management aspect of information security. It emphasizes that it is a mistake to focus too heavily on security technology compared to security management. One take-away from this chapter was the importance of following formal processes. Some of these processes might include a process for annual security planning, processes for planning and developing individual countermeasures, and a process for handling incidents. The technical security architecture section of this chapter jumped out at me. One key note was the mention of securing legacy technologies, which are systems implemented in the past and are rarely used. These can be easily exploitable if left unchecked. The issue is whether the company wants to invest in securing a dated technology that is hardly used, as this could mean a complete overhaul which could end with an expensive bill.
Hi Anthony,
You bring forth a very good point especially about where legacy systems are in use. It often comes down to management to make the decisions to approve an upgrade, and in cases where they have to overhaul the entire production system, the immediate answer will likely be not now given the costs.
This leaves a very delicate attack surface within the organization especially when the technology running the legacy system is obsolete or almost all the vulnerabilities are public knowledge.
Hi Anthony! Great response! I do agree that this chapter has its target focus on information security management. For a successful information security program, it is critical to keep equal focus and allocate resources towards both the technology and the management aspect. The formal processes mentioned really help build a strong information security management focus. These activities include planning, developing controls, and establishing standards and procedures to face incidents.
Planning and policy are extremely important in the IT security process. The C-suite and management needs to be involved in the security planning process. Laws and regulations often drive the configuration requirements for the business.
It will be impossible to eliminate all risk in the company. With risk in mind, the business has a responsibility to keep the data confidential, make it have good integrity and have it available to users when they need it. The security department must consider all the risk in the business processes and find a method to mitigate the risk as best as possible.
The risk analysis can help ID where the company is most at risk. The company can perform calculations and plan where to and how to mitigate the risk. They can also look at methods to respond to risk and develop more security practices which can help mitigate the losses when incidents occur. Typical responses to risk are reduction, acceptance, transference, and avoidance.
Once the risk analysis is complete, the company needs to find the best technical security architecture and find the principles which best apply. The defense in depth approach is the principle which is most often adopted. This principle ensures multiple independent countermeasures are placed in series. If one countermeasure fails, the others remain in place.
The policies the company adopts are often what sets the tone for the department and organization. The policies include the steps that need to be done when something occurs. They can help create clarity on what is expected during certain situations.
Governance frameworks include policies companies can use. Some of these frameworks are required for the business in order to perform business with government entities. When this happens, the company must be certified so they can prove they are compliant with the framework requirements. This can help the company’s customers have confidence the company has security measures in place and highly values security in their organization. However, it doesn’t guarantee the company will be risk free from breaches or security incidents. The companies must be diligent and update their processes constantly to make sure they are up to date in their security practices.
Planning and policy is often a top-down approach. The management and C-suite of an organization must buy in to the principles, frameworks, policies, and processes required to mitigate the risk. The top-down approach ensures the company has an overall vision towards managing security.
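The risk analysis and risk-response discussion above can be made concrete with the classic single loss expectancy / annualized loss expectancy calculation. The Python below is an added example, not code from this discussion or from the textbook; every asset value, exposure factor, occurrence rate and countermeasure cost is a constructed sample figure, and the decision rule in choose_response (reduce when the control pays for itself, accept when the expected loss is within a stated appetite, otherwise escalate to a transfer-or-avoid decision) is an illustrative assumption of this example, not a standard.

```python
"""Classic risk analysis worked example (added illustration; all figures constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair with the classic risk-analysis inputs."""
    asset: str
    asset_value: float       # replacement cost of the asset, in dollars (constructed)
    exposure_factor: float   # fraction of the asset value lost in one incident (0.0 - 1.0)
    aro: float               # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Countermeasure:
    """A control, its yearly running cost, and the residual exposure it is expected to leave."""
    name: str
    annual_cost: float
    residual_exposure_factor: float
    residual_aro: float


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = asset value x exposure factor: the dollar loss from a single incident."""
    return round(risk.asset_value * risk.exposure_factor, 2)


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: the expected loss per year from this risk."""
    return round(single_loss_expectancy(risk) * risk.aro, 2)


def rank_by_ale(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Where is the company most at risk? Assets sorted by expected annual loss, highest first."""
    return sorted(((r.asset, annualized_loss_expectancy(r)) for r in risks),
                  key=lambda item: item[1], reverse=True)


def net_value(risk: Risk, control: Countermeasure) -> float:
    """Annual net value of a control: the ALE it removes minus what it costs to run.
    A negative result means the control costs more per year than the loss it prevents."""
    residual = Risk(risk.asset, risk.asset_value,
                    control.residual_exposure_factor, control.residual_aro)
    ale_saved = annualized_loss_expectancy(risk) - annualized_loss_expectancy(residual)
    return round(ale_saved - control.annual_cost, 2)


def choose_response(risk: Risk, control: Countermeasure, acceptable_ale: float) -> str:
    """Illustrative decision rule (an assumption of this example, not a standard):
    reduction when the proposed control pays for itself, acceptance when the expected
    loss already sits within the stated risk appetite, otherwise the remaining options
    are transference (e.g. insurance) or avoidance (stopping the risky activity)."""
    if net_value(risk, control) > 0:
        return "reduction"
    if annualized_loss_expectancy(risk) <= acceptable_ale:
        return "acceptance"
    return "transference or avoidance"


# Constructed sample inventory: four assets, each with one candidate control.
SAMPLE_RISKS: List[Risk] = [
    Risk("customer database", 500_000, 0.4, 0.2),
    Risk("public web server", 50_000, 1.0, 2.0),
    Risk("office printer", 2_000, 0.5, 0.5),
    Risk("legacy mainframe", 1_000_000, 0.8, 0.05),
]
SAMPLE_CONTROLS: Dict[str, Countermeasure] = {
    "customer database": Countermeasure("encryption at rest plus monitoring", 15_000, 0.1, 0.2),
    "public web server": Countermeasure("web application firewall plus patching", 30_000, 1.0, 0.5),
    "office printer": Countermeasure("dedicated print security appliance", 3_000, 0.1, 0.1),
    "legacy mainframe": Countermeasure("full application rewrite", 60_000, 0.8, 0.01),
}
ACCEPTABLE_ALE = 1_000.0  # constructed risk appetite: tolerate up to $1,000 expected loss per year


def risk_report(risks: List[Risk], controls: Dict[str, Countermeasure],
                acceptable_ale: float) -> List[Tuple[str, float, float, str]]:
    """Per asset: (name, ALE, net value of its control, chosen response), worst ALE first."""
    report = []
    for asset, ale in rank_by_ale(risks):
        risk = next(r for r in risks if r.asset == asset)
        control = controls[asset]
        report.append((asset, ale, net_value(risk, control),
                       choose_response(risk, control, acceptable_ale)))
    return report


if __name__ == "__main__":
    for asset, ale, value, response in risk_report(SAMPLE_RISKS, SAMPLE_CONTROLS, ACCEPTABLE_ALE):
        print(f"{asset:18s} ALE=${ale:>10,.2f} control net=${value:>10,.2f} -> {response}")
```

In the sample data the web server tops the ranking even though the database is the more valuable asset, because expected frequency matters as much as single-incident loss; the printer control is rejected on cost and the risk accepted, while the mainframe ends up in the transfer-or-avoid bucket because its candidate control does not pay for itself and the residual loss is far above the appetite.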
Relating to information in this chapter, I do find the need to implement a disciplined security management process key to ensuring comprehensive protection of information assets. Eliminating complacency (not so easy a task) is one way to ensure a company reduces the number of “human weak links,” so to say. Management from the business side often contributes largely to the technological aspect of weak links, since upgrading technology will often require some spending. If they do not see/understand what the immediate need to upgrade technology is, there is a chance of such requests being turned down.
Another concept from the reading is ensuring policies are well understood (practically, in some cases). A Security Education, Training and Awareness program is one good way to ensure the entire organization is moving along well in terms of planning and preparing for security threats.
I agree having the policies understood by the “human weak links” is a very important part of the reading. The people of the organization constantly need education about the policies in the company. The policies contain the steps to take or not take when working with company assets. Having the people fully understand their limitations can help make sure the company is moving along with the planning and preparing for security threats.
One of the points that I found really interesting this week is the Fraud triangle that is used to understand fraudulent behavior. This triangle model is also applicable to general security misbehavior. The triangle shows three aspects of human motivation that usually are in place before misbehavior occurs. By tracing and being sensitive to these three aspects of motivation, an organization can spot a problem before it occurs and prevent it. They can also learn the rationale and get a realistic understanding of why security abusers commit fraud. The three motivators are as follows.
Opportunity: This motivator is the first tip of the triangle. Of course, if there is less opportunity to commit the abuse, or if the perpetrator is likely to be caught, the abuse is unlikely to occur. Reducing the opportunities to successfully commit fraud or abuse by increasing detection is the typical path toward achieving better information security.
Pressure: Opportunity is not enough to be the only factor. Another critical factor is pressure. Pressure is when a person is pushed to commit abuse. Examples of pressure are personal financial problems, greed, or the desire to hide poor performance that would jeopardize the employee’s job. Perhaps the most common form of pressure is unreasonable performance expectations.
Rationalization: With pressure and opportunity, employees are not likely to act unless they can truly rationalize their actions and intentions in their own minds. They could believe that an act is justified because the company has unrealistic performance expectations or that they will pay back embezzled money. The goal of rationalization is to allow perpetrators to think of themselves as good people and have a valid reason to commit the fraud.
One important point in Chapter 2 of the Corporate Computer Security textbook is the Plan-Protect-Respond cycle. This cycle is a top-level security management process which helps protect against many threats. While there are three steps in this process, each step is more or less done simultaneously, as each step benefits from the others. In the planning stage, the organization needs vision, which is understanding one’s role in the company, employees, and the outside world. With this in mind, it’s much easier to narrow down and make a plan that can benefit all three aspects of the vision. Step 2 is the protecting step, where you implement ideas from the planning stage to best protect from threats. As threats evolve and new threats emerge, that information can be added back to the planning stage to better protect in the long run. The last stage is the response step. This is in the event that the planning and protecting stages are not enough to prevent a threat from occurring. In this step, one must make sure that the response is carefully crafted and that the response is quick and accurate to help mitigate the threat at large. Once you can effectively respond, that in turn will affect both the planning and protecting steps to increase their effectiveness.
An important piece from chapter 2 is the elements of vision. The two elements that make up the “vision” are security as an enabler and viewing users positively. Seeing security as an enabler rather than a source of frustration was emphasized, and the more you look at it, the more sense it makes. Oftentimes non-IT/security professionals will get frustrated or annoyed with security as they view it as a restriction on their ability to do things. The key is to look at it as helpful. Poor security will lead to many innovations being closed or rejected because they would be too dangerous. Strong security allows the organization to engage in more business processes and avenues. An example is that with stronger security an organization can engage in inter-organizational systems with other firms, which in turn would open up new markets and better information flows as well as lower operational costs.
The second element is viewing users positively. It is common for IT pros to speak down or badly to those who are not familiar with the subject. By nipping negative dialogue in the bud, it allows for more to be taught to the novice users. In addition, if someone does not understand and they’re referred to as dumb, that could mean they are simply poorly trained which would end up being security’s fault.
Security management is very significant and complicated. As this chapter mentions, one reason why people tend to focus on technology is that it is easier to think about technology than about management. When people discuss security technology, they can talk about hardware or software, and show you a diagram to explain things. In contrast, people need to combine security technology and management concepts to implement security management. For example, an external IT auditor needs to understand the business before he or she is assigned to audit the business system. If the IT auditors lack knowledge of the company, they will work inefficiently to identify and solve the problems, or sometimes they may not realize that there is an issue that will affect the company operation. Although the IT professionals have a strong background in technology, they are not familiar with each different department. When they need to thoroughly implement the security management strategy, it may have some irrelevant parts that are ineffective for some departments. Thus, I think the person or the department who wants to implement the security management strategy effectively needs to have knowledge of both security technology and management.
After reading, I’d like to share my opinion about the Plan-Protect-Respond cycle.
The Plan-Protect-Respond cycle is a formal top-level security management process which has three steps: planning, protection, and response. The whole cycle begins with planning. Protection is the plan-based creation and operation of countermeasures, and this is the step most security professionals will focus on. Response is complex because incidents vary in severity and because different levels of attack severity require different response approaches. Because the speed and accuracy of response are of the essence, rehearsing the incident response plan is necessary. All three steps take place simultaneously and constantly feed into one another.
I agree with you. And I think in the Plan-Protect-Respond cycle, the plan is the foundation of the whole cycle. Planning is the process of developing a simple plan and risk analysis. The planning process needs to include risk analysis, comprehensive security, defense in depth, policy-based planning, and minimum permissions.
Hi Zhen, I agree with your point of view that all three steps take place simultaneously and constantly feed into one another. I also want to point out that a complete and effective security management process is essential to the company’s daily operations. Especially for larger companies, they attach great importance to the construction of the system, and their daily work is modeled, so a good security management process is extremely important to the operation of the company.
I think where to place the IT security department is a very interesting topic. If the IT security department is established within the IT department, the CIO’s responsibility will become greater, which will also force the CIO to change and maintain the company’s internal IT system framework. The disadvantage is that this will lead to a lack of supervision, and a lot of company information leakage comes from internal IT personnel. If the company’s IT security department is set up outside the company’s IT department, this will give IT security more independence from the IT department and facilitate supervision. The disadvantage is that it is difficult for the company’s management to listen to the suggestions of departments that are separated from the company’s normal business. I think the IT security department should be set up outside the corporate IT department. Companies can set up regular meetings, not limited to regular meetings dedicated to security, because corporate leaders and staff understand that security is an inherent part of daily business operations. Employees working in companies with a genuine safety culture play an active role in implementing safety protection measures.
From Chapter 2, the plan-protect-respond cycle does a great job of defining a high-level security management process. It starts with planning and creating a cycle of activities that will take place and constantly feed into one another. Every time a new threat or business condition comes along and changes the day-to-day business operations, the company can return to the planning phase to come up with the process for handling the new situation. In protection, the plan is created and countermeasures are defined. This is also the most time-consuming phase. It is also required that there be ongoing monitoring and improvement of these controls through the system’s life cycle. The book explains different types of protections that can be used, such as cryptographic protections, wired/wireless network protections, and even access controls. Most countermeasures are created after the development phase and require ongoing management after being created. The response phase is how the organization can recover after an incident occurs. The response has to be carefully defined and planned so it will help the organization return to its operations in a reasonable amount of time and recover as much as possible.
Hi Mei, thank you for sharing your points; I totally agree with your points on the Plan-Protect-Respond cycle. I also think all three steps take place simultaneously and constantly feed into one another. Also, ongoing monitoring and rehearsing the incident response plan are necessary in this system life cycle.
An interesting point I found in Chapter 2, Planning and Policy, was the fraud triangle. The fraud triangle is a framework commonly used in auditing to explain the reason behind an individual’s decision to commit fraud. The main components of the fraud triangle are Opportunity, Incentive and Rationalization. Opportunity refers to circumstances that allow fraud to occur. In the fraud triangle, it is the only component that a company exercises complete control over. Incentive, alternatively called pressure, refers to an employee’s mindset towards committing fraud. Rationalization refers to an individual’s justification for committing fraud. The fraud triangle described by criminologists provides a useful lens for identifying security threats and understanding how to deal with them effectively.
Being a BA in large-scale implementations of software, I completely align with the Vision and Planning section of this chapter. Using security to enable the business drives the business to react better to its environment. Onboarding users in a positive way and avoiding derogatory techniques is absolutely critical. After all, the biggest asset of a business is not its product; it is its people. If people are encouraged, well trained, and the expectations are made fair and clear, then the response can only benefit. Security technology can be implemented, taught and used, but it cannot beat the security that people provide when that group is aware.
The reading looks at risk analysis, technical security architecture and policy as three components of planning and policy making that are needed for an effective security function. What I found most interesting about the reading is how technical security architecture principles should be used to help drive standardization in the border, site, remote connection, inter-organizational shared systems and device management domains. This standardization is mandatory and creates consistency in security, lowers the cost of security and allows a security organization to affect devices immediately. I never really thought of policy as driving security standardization and the impact that it can have on lowering monitoring cost and allowing immediate response to vulnerabilities.
Zibai Yang says
Information security strategy is the most important step for an organization to solve information security problems, and it is also the foundation of the organization’s entire information security system. Information security is not a natural requirement but a requirement after experiencing information loss. Therefore, management is essential for information security.
The most important management document of an organization is the information security policy. The information security policy clearly specifies what the organization needs to protect, why it needs to be protected, and by whom; without a reasonable information security strategy, no matter how good an information security expert and security tools are, there is no value.
An organization’s information security strategy can reflect the organization’s expectations of actual security threats and future security risks and the organization’s internal business and technical personnel’s awareness and response to security risks.
Ting-Yen Huang says
Hi Zi Bai, i agree with your point of view, Information security strategy is truly important to help an organization to solve an information security problem. Information security policy is one of the most important document in the whole process, It give a guidance to users and help the IT staff to find out which policy is outdated and which one helps lower the risk.
Haozhe Lin says
Hi Zibai,
I agree that an information security strategy is the most important step for an organization to solve information security problems. There are compelling arguments for both lines, but I think the hybrid model gives you the best of both. The hybrid model puts the security operation part (such as a firewall) in it and puts the planning, policy, and audit governance outside. I think this approach is more logical and helps to be independent when and where needed.
Priyanka Ranu says
The key point that I took away from this reading is that management is the hardest part and hence the need for comprehensive security. Bruce Schneier’s quote is a strong and valid statement, “Security is a process, not a product.” Organizations focus too heavily on security technology as compared to security management. I agree with this as its easier to think about technology than management and there needs to be a process involved rather than treating it like a product. What makes security management difficult is the protection of large number of resources. Companies need to identify all of their resources and develop a security program for each one. The security management process which is the plan-protect-respond cycle is an effective method to implement security management. There’s a good example in the book where one official from the U.S. federal general services administration helped a series of federal agencies reorganize their security technologies which was effective in the short term. But was it effective in the long term? Their security decayed rapidly as these
agencies had the technology but were lacking management ability to make security work.
Heather Ergler says
Hi Priyanka…..your take on the reading is really interesting to me. I have watched security teams pivot based on the “next new security software” without a view toward how the security team should manage security risk over time. I spent 2 years onboarding the new software before the use cases and security outcomes that would be supported by the software were developed and a business case outlining the ROI for the use cases and security outcomes were outlined. Really backwards and definitely not in the spirit of Schneier’s quote. On the plus side we did shift our approach to more of a security management focus rather than a product focus and tool / software implementation is more focused now.
Wenyao Ma says
One of the key points I learned from this chapter is that safety is not a product, but a process. Security is not a one-time job; it requires continuous monitoring and enhancement of systems, processes and personnel. With the development of technology, new hacking methods have been developed, so countermeasures should be updated accordingly. Awareness of these measures should be provided within the organization, and security personnel should keep up with the development of new technology. In addition, without proper organization, comprehensive security is impossible. Organizing personnel and effectively determining the relationship between other departments and resources is the first step of comprehensive security.
Humbert Amiani says
Hi Wenyao,
It is very true that security is a continuous collaborative process within each organization. When measures/policies are implemented, they have to be reviewed and updated regularly since threats are always evolving as well.
Mei X Wang says
Hi Wenyao,
I agree with your analysis; security is an ongoing process. No matter how secure the environment can be, as it interacts with new threats, controls and countermeasures should be continuously developed as well. Countermeasures should also be created as the control is being implemented and flaws arise.
The plan, protect, and respond process is a model of a high-level management process to create a more comprehensive security plan.
Ting-Yen Huang says
In the phase of setting up the planning and policy for the IT security architecture, viewing the users positively is important during the process. Users are usually the first line of defense, because they are also the first group of people who find out about problems and abnormal behaviors when they are using the systems, instead of the IT security staff. Positive treatment of users helps IT staff find problems more than negative treatment does. Defense in depth is important for IT security. When a hacker wants to attack a company’s system, it has to go through the internet firewall, and then go through the internal firewall. Defense in depth points to the importance of many layers, because while the hacker is going through all the firewalls, the system will alert the IT staff, which can give them response time to deal with the intruder.
Priyanka Ranu says
Hi Ting,
You bring up a good point about users’ importance when setting up the planning and policy of the IT security architecture. Users are the first ones who are aware of and find unusual behaviors when they are using the systems. The users or employees are usually considered the weakest link, but are they really the weakest link? I think employees could be the first line of defense, and there should be proper security awareness and training provided to the employees. Some of the common threats that the employees could be trained to spot are phishing emails, spear phishing emails, ransomware, and compromised search engine queries. Everyone from employees, contractors, IT staff, and others who interact with the systems should be a part of the IT security architecture.
Haozhe Lin says
Laws and regulations are the driving force for the organization’s safety planning and policies. Financial fraud around 2000 eventually led to SOX, and companies had to start reporting any major defects in their control environment. In the same year, FISMA was issued to enhance safety and require certification, followed by examination and authorization by the “certification officer”. Coincidentally, publications of FIPS and NIST were launched in the same time frame to help the risk assessment and classification process. Also, COSO expanded its framework in 2004 to help with SOX compliance. It is worth noting that the fraud around 2000 seems to have driven most of the changes in information system security. Sources of law, standards, and guidelines are interrelated in terms of material and time. In terms of policy, I have also found that the policies known as major policies are very interesting. The e-mail, employment/dismissal, and personal information initiative policies are the most detailed policies I have seen in my organization, which are the same as those described in the reading.
Cami Chen says
Hi Haozhe. You have a great point about how companies emphasize the importance of employee awareness. The employees most often use emails to communicate with internal users and external users. If they do not know how to recognize a phishing email, the hackers will very easily hack into the company system. Otherwise, if an employee is able to log in to his or her account while he or she is on vacation, the employee may steal the information to sell it somewhere, such as on the black market or to a competitor.
Xinyi Zheng says
For many firms, driving forces are things that require a firm to change its security planning, protections, and response. According to different laws and regulations, firms must substantially improve their security to be in compliance.
Examples include Sarbanes–Oxley, privacy protection laws, data breach notification laws and so on. Under Sarbanes–Oxley, companies must report whether they have any material control deficiencies in their financial reporting process. The sections of the bill cover responsibilities of a public corporation’s board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law. The European Union (EU) Data Protection Directive, the U.S. Gramm–Leach–Bliley Act (GLBA), and the U.S. Health Insurance Portability and Accountability Act (HIPAA) are laws that force firms to protect personal information. These compliance laws and regulations can promote a company’s compliance and safety, although the cost may be expensive.
Wenyao Ma says
Hi Xinyi,
Thank you for your sharing; I agree with your points. Safety and compliance go hand in hand, with improvements in safety leading to better compliance, and the compliance acts supervising organizations to improve safety.
Anthony Wong says
The security management process is designed to protect an organization from the threat environment, with the goal of achieving comprehensive security for the company. Security is only as strong as its weakest link, and the weakest link will always be humans. It is important to have policies, processes, and procedures in place to guide and inform the average system users on best practices to keep security as tight as possible. Additionally, it can protect the organization from non-compliance with laws and regulations. Different industries have different compliance requirements, such as PCI-DSS and HIPAA, but may also be required to comply with other regulations like Sarbanes-Oxley and the Gramm-Leach-Bliley Act (GLBA). At the start of the system development life cycle, engaging the information security team can help ensure all requirements are met from a security and compliance perspective.
Austin Mecca says
Anthony,
You make a great point about the weakest link being humans. I feel like this is often overlooked, as everyone’s immediate thought when it comes to security is the system and the protection put in place. Involving the info security team from the beginning can be the difference between your system being safe and your system being attacked successfully.
Anthony Messina says
This chapter focused heavily on the management aspect of information security. It emphasizes that it is a mistake to focus too heavily on security technology compared to security management. One take-away from this chapter was the importance of following formal processes. Some of these processes might include a process for annual security planning, processes for planning and developing individual countermeasures, and a process for handling incidents. The technical security architecture section of this chapter jumped out at me. One key note was the mention of securing legacy technologies, which are systems implemented in the past that are rarely used. These can be easily exploited if left unchecked. The issue is whether the company wants to invest in securing a dated technology that is hardly used, as this could mean a complete overhaul, which could end with an expensive bill.
Humbert Amiani says
Hi Anthony,
You bring forth a very good point especially about where legacy systems are in use. It often comes down to management to make the decisions to approve an upgrade, and in cases where they have to overhaul the entire production system, the immediate answer will likely be not now given the costs.
This leaves a very delicate attack surface within the organization especially when the technology running the legacy system is obsolete or almost all the vulnerabilities are public knowledge.
Prince Patel says
Hi Anthony! Great response! I do agree that this chapter focuses on information security management. For a successful information security program, it is critical to keep equal focus and allocate resources towards both the technology and the management aspect. The formal processes mentioned in this chapter really help build a strong information security management focus. These activities include planning, developing controls, and establishing standards and procedures to face incidents.
Jonathan Castelli says
Planning and policy are extremely important in the IT security process. The C-suite and management need to be involved in the security planning process. Laws and regulations often drive the configuration requirements for the business.
It will be impossible to eliminate all risk in the company. With risk in mind, the business has a responsibility to keep the data confidential, maintain its integrity, and have it available to users when they need it. The security department must consider all the risk in the business processes and find a method to mitigate the risk as best as possible.
The risk analysis can help identify where the company is most at risk. The company can perform calculations and plan where and how to mitigate the risk. They can also look at methods to respond to risk and develop more security practices, which can help mitigate the losses when incidents occur. Typical responses to risk are reduction, acceptance, transference, and avoidance.
Once the risk analysis is complete, the company needs to find the best technical security architecture and find the principles which best apply. The defense in depth approach is the principle which is most often adopted. This principle ensures multiple independent countermeasures are placed in series. If one countermeasure fails, the others remain in place.
The policies the company adopts are often what sets the tone for the department and organization. The policies include the steps that need to be taken when something occurs. They can help create clarity on what is expected during certain situations.
Governance frameworks include policies companies can use. Some of these frameworks are required for the business in order to perform business with government entities. When this happens, the company must be certified so they can prove they are compliant with the framework requirements. This can help the company’s customers have confidence the company has security measures in place and highly values security in their organization. However, it doesn’t guarantee the company will be risk free from breaches or security incidents. The companies must be diligent and update their processes constantly to make sure they are up to date in their security practices.
Planning and policy is often a top-down approach. The management and C-suite of an organization must buy in to the principles, frameworks, policies, and processes required to mitigate the risk. The top-down approach ensures the company has an overall vision towards managing security.
Humbert Amiani says
Relating to information in this chapter, I do find the need to implement a disciplined security management process key to ensuring comprehensive protection of information assets. Eliminating complacency, not so easy a task, is one way to ensure a company reduces the number of “human weak links”, so to say. Management from the business side often contributes largely to the technological aspect of weak links, since upgrading technology will often require some spending. If they do not see or understand what the immediate need to upgrade technology is, there is a chance of such requests being turned down.
Another concept from the reading is ensuring policies are well understood, practically in some cases. A Security Education, Training and Awareness program is one good way to ensure the entire organization is moving along well in terms of planning and preparing for security threats.
Jonathan Castelli says
I agree having the policies understood by the “human weak links” is a very important part of the reading. The people of the organization constantly need education about the policies in the company. The policies contain the steps to take or not take when working with company assets. Having the people fully understand their limitations can help make sure the company is moving along with the planning and preparing for security threats.
Prince Patel says
One of the points that I found really interesting this week is the Fraud triangle that is used to understand fraudulent behavior. This triangle model is also applicable to general security misbehavior. The triangle shows three aspects of human motivation that usually are in place before misbehavior occurs. By tracing and being sensitive to these three aspects of motivation, an organization can spot a problem before it occurs and prevent it. They can also learn the rationale and get a realistic understanding of why security abusers commit fraud. The three motivators are as follows.
Opportunity: This motivator is the first tip of the triangle. Of course, if there is less opportunity to commit the abuse, or if the perpetrator is likely to be caught, the abuse is unlikely to occur. Reducing the opportunities to successfully commit fraud or abuse and increasing detection are the typical paths toward achieving better information security.
Pressure: Opportunity is not enough to be the only factor. Another critical factor is pressure. Pressure is when a person is pushed to commit abuse. Examples of pressure are personal financial problems, greed, or the desire to hide poor performance that would jeopardize the employee’s job. Perhaps the most common form of pressure is unreasonable performance expectations.
Rationalization: With pressure and opportunity, employees are still not likely to act unless they can truly rationalize their actions and intentions in their own minds. They could believe that an act is justified because the company has unrealistic performance expectations, or that they will pay back embezzled money. The goal of rationalization is to allow perpetrators to think of themselves as good people and have a valid reason to commit the fraud.
Krish Damany says
One important point in Chapter 2 of the Corporate Computer Security textbook is the Plan-Protect-Respond cycle. This cycle is a top-level security management process which helps protect against many threats. While there are three steps in this process, each step is more or less done simultaneously as each step benefits from one another. In the planning stage, the organization needs vision, which is understanding one’s role in the company, employees, and the outside world. With this in mind, it’s much easier to narrow down and make a plan that can benefit all three aspects of the vision. Step 2 is the protecting step, where you implement ideas from the planning stage to best protect from threats. As threats evolve and new threats emerge, that information can be added back to the planning stage to better protect in the long run. The last stage is the response step. This is in the event that the planning and protecting stage are not enough to prevent a threat from occurring. In this step, one must make sure that the response is carefully crafted and response is quick and accurate to help mitigate the threat at large. Once you can effectively respond, that in turn will affect both the planning and protecting steps to increase their effectiveness.
Austin Mecca says
An important piece from chapter 2 is the elements of vision. The two elements that make up the “vision” are security as an enabler and viewing users positively. Seeing security as an enabler rather than a source of frustration was emphasized, and the more you look at it, the more sense it makes. Oftentimes non-IT/security professionals will get frustrated or annoyed with security, as they view it as a restriction on their ability to do things. The key is to look at it as helpful. Poor security will lead to many innovations being closed or rejected because they would be too dangerous. With strong security, the organization can engage in more business processes and avenues. An example is that with stronger security an organization can engage in inter-organizational systems with other firms, which in turn would open up new markets and better information flows as well as lower operational costs.
The second element is viewing users positively. It is common for IT pros to speak down or badly to those who are not familiar with the subject. By nipping negative dialogue in the bud, more can be taught to the novice users. In addition, if someone does not understand and they’re referred to as dumb, that could mean they are simply poorly trained, which would end up being security’s fault.
Cami Chen says
Security management is very significant and complicated. As this chapter mentions, one reason why people tend to focus on technology is that it is easier to think about technology than about management. When people discuss security technology, they can talk about hardware or software and show you a diagram to explain things. In contrast, people need to combine security technology and management concepts to implement security management. For example, an external IT auditor needs to understand the business before he or she is assigned to audit the business system. If the IT auditors lack knowledge of the company, they will work inefficiently to identify and solve the problems, or sometimes they may not realize that there is an issue that will affect the company’s operation. Although the IT professionals have a strong background in technology, they are not familiar with each different department. When they need to thoroughly implement the security management strategy, it may have some irrelevant parts that are ineffective for some departments. Thus, I think the person or the department who wants to implement the security management strategy effectively needs to have knowledge of both security technology and management.
Zhen Li says
After reading, I’d like to share my opinion about the Plan-Protect-Respond cycle.
The Plan-Protect-Respond cycle is a formal top-level security management process which has 3 steps: planning, protection, and response. The whole cycle begins with planning. Protection is the plan-based creation and operation of countermeasures, and this is the step most security professionals focus on. Response is complex because incidents vary in severity and because different levels of attack severity require different response approaches. Because the speed and accuracy of response are of the essence, rehearsing the incident response plan is necessary. All three steps take place simultaneously and constantly feed into one another.
Xinyi Zheng says
Hello Zhen,
I agree with you. And I think that in the Plan-Protect-Respond cycle, planning is the foundation of the whole cycle. Planning is the process of developing a simple plan and a risk analysis. The planning process needs to cover risk analysis, comprehensive security, defense in depth, policy-based planning, and minimum permissions.
Junhan Hao says
Hi Zhen, I agree with your point of view that all three steps take place simultaneously and constantly feed into one another. I also want to point out that a complete and effective security management process is essential to the company’s daily operations. Especially for larger companies, they attach great importance to the construction of the system, and their daily work is modeled, so a good security management process is extremely important to the operation of the company.
Junhan Hao says
I think how to place the IT security department is a very interesting topic. If the IT security department is established within the IT department, the CIO’s responsibility will become greater, which will also force the CIO to change and maintain the company’s internal IT system framework. The disadvantage is that this will lead to a lack of supervision, and a lot of company information leakage comes from internal IT personnel. If the company’s IT security department is set up outside the company’s IT department, this will give IT security more independence from the IT department and facilitate supervision. The disadvantage is that it is difficult for the company’s management to listen to the suggestions of departments that are separated from the company’s normal business. I think the IT security department should be set up outside the corporate IT department. Companies can set up regular meetings, not limited to regular meetings dedicated to security, because corporate leaders and staff understand that security is an inherent part of daily business operations. Employees working in companies with a genuine safety culture play an active role in implementing safety protection measures.
Mei X Wang says
From Chapter 2, the plan-protect-respond cycle does a great job of defining a high-level security management process. It starts with planning and creating a cycle of activities that will take place and constantly feed into one another. Every time a new threat or business condition comes along and changes the day-to-day business operations, the company can return to the planning phase to come up with the process for handling the new situation. In protection, the plan is carried out and countermeasures are defined. This is also the most time-consuming phase. It is also required that there are ongoing monitoring and improvements of these controls through the system’s life cycle. The book explains different types of protections that can be used, such as cryptographic protections, wired/wireless network protections, and even access controls. Most countermeasures are created after the development phase and require ongoing management after being created. The response phase is how the organization can recover after an incident occurs. The response has to be carefully defined and planned so it will help the organization return to its operations in a reasonable amount of time and recover as much as possible.
Zhen Li says
Hi Mei, thank you for sharing your points. I totally agree with your points on Plan-Protect-Respond. I also think all three steps take place simultaneously and constantly feed into one another. Also, ongoing monitoring and rehearsing the incident response plan are necessary in this system life cycle.
Kyuande Johnson says
An interesting point I found in Chapter 2, Planning and Policy, was the fraud triangle. The fraud triangle is a framework commonly used in auditing to explain the reason behind an individual’s decision to commit fraud. The main components of the fraud triangle are opportunity, incentive and rationalization. Opportunity refers to circumstances that allow fraud to occur. In the fraud triangle, it is the only component that a company exercises complete control over. Incentive, alternatively called pressure, refers to an employee’s mindset towards committing fraud. Rationalization refers to an individual’s justification for committing fraud. The fraud triangle described by criminologists provides a useful lens for identifying security threats and understanding how to deal with them effectively.
Vanessa Marin says
Being a BA in large-scale implementations of software, I completely align with the Vision and Planning section of this chapter. Using security to enable the business drives the business to react better to its environment. Onboarding users in a positive way and avoiding derogatory techniques is absolutely critical. After all, the biggest asset of a business is not its product; it is its people. If people are encouraged, well trained, and the expectations are made fair and clear, then the response can only benefit. Security technology can be implemented, taught and used, but it cannot beat the security that people provide when that group is aware.
Heather Ergler says
The reading looks at risk analysis, technical security architecture and policy as three components of planning and policy making that are needed for an effective security function. What I found most interesting about the reading is how technical security architecture principles should be used to help drive standardization in the border, site, remote connection, inter-organizational shared systems and device management domains. This standardization is mandatory and creates consistency in security, lowers the cost of security and allows a security organization to affect devices immediately. I never really thought of policy as driving security standardization and the impact that it can have on lowering monitoring cost and allowing immediate response to vulnerabilities.