Kelly Sharadin says
I share the viewpoint in Chapter 3 that emphasizes developing positive attitudes towards users. So often, we hear the phrase “security is everyone’s responsibility,” and yet I have witnessed negative relationships occur between IT/IS departments and other business functions. It can certainly be challenging to explain technical or security concepts to non-technical folks. Still, as security professionals, we are fighting an uphill battle if we can’t support the business and empower our colleagues to adopt security habits. I believe this point is further articulated at the beginning of the chapter by stating that security management is more complicated to account for than security technology. At the end of the day, it’s people we work for and with to defend against cyber threats.
Lauren Deinhardt says
Hi Kelly, I like your points here. It is so important, as security professionals, to change the “tone” and way we communicate when we are talking with other groups. For example, IT personnel will not have the same background as someone in finance, per se. It is a common issue I see all of the time!
Kyuande Johnson says
Great points Kelly. Having a positive attitude as a security professional is very essential. It’s also very important to have effective communication when explaining security-related terms and issues. A critical skill for any IT professional is to have the ability to break down complicated IT terms into a language an inexperienced individual can understand.
Victoria Zak says
Kelly,
This is a great point! It is key to have a patient and friendly attitude in the IT department. I have coworkers who work in compliance and are not tech friendly at all. In order for the employees who are not in the IT department to understand, a walk-through of the process is necessary.
Lauren Deinhardt says
One of the takeaways I had from this reading was the issues with using classic quantitative risk analysis equations. Although this sets the baseline when it comes to basic risk analyses, and understanding the use for implementing mitigation measures, the classic risk analysis equation should never be used on its own as the “end all be all”. It is absolutely impossible to predict an ARO (annual rate of occurrence) accurately (i.e., predicting a tornado/earthquake), and the equation does not leave room for different attack level severities. In addition, the total cost of an incident is difficult to predict and accurately quantify. In terms of assessing the cost of mitigation measures, many security tools can be used cross-functionally, causing an uneven multilayer cash flow. Overall, organizations should rely on more in-depth risk assessment tactics before making tactical decisions.
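The classic equation referred to above is ALE = SLE × ARO. What follows is an added Python illustration, not from the textbook or any poster, of why a single-point ARO is not enough on its own: it carries the ARO as a range and splits one threat into severity tiers, so the cost-benefit verdict on a control comes out as "uncertain" exactly when the decision hinges on an ARO that cannot be predicted. All dollar figures, rates and the control described are constructed for the example.

```python
"""Worked example: the classic quantitative risk equation ALE = SLE x ARO,
evaluated over an ARO *range* and per severity tier rather than as one number.

Constructed illustration for the discussion above; every figure is invented.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    """One loss scenario with its own severity tier and ARO bounds.

    Splitting a threat into severity tiers is how a practitioner works around
    the equation having no room for 'different attack level severities'.
    """
    name: str
    sle: float       # single loss expectancy: cost of one occurrence (USD)
    aro_low: float   # optimistic annual rate of occurrence
    aro_best: float  # best estimate
    aro_high: float  # pessimistic annual rate of occurrence


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy, the classic risk analysis equation."""
    return sle * aro


def total_ale(scenarios: List[Scenario]) -> Dict[str, float]:
    """Sum ALE across all scenarios at the low, best and high ARO bounds."""
    return {
        "low": sum(ale(s.sle, s.aro_low) for s in scenarios),
        "best": sum(ale(s.sle, s.aro_best) for s in scenarios),
        "high": sum(ale(s.sle, s.aro_high) for s in scenarios),
    }


def net_benefit(scenarios: List[Scenario], annual_control_cost: float,
                loss_reduction: float) -> Dict[str, float]:
    """Net annual benefit of a control at each ARO bound.

    benefit = (ALE removed by the control) - (annual cost of the control)
    loss_reduction is the fraction of ALE the control removes, between 0 and 1.
    """
    if not 0.0 <= loss_reduction <= 1.0:
        raise ValueError("loss_reduction must be between 0 and 1")
    totals = total_ale(scenarios)
    return {k: v * loss_reduction - annual_control_cost for k, v in totals.items()}


def verdict(scenarios: List[Scenario], annual_control_cost: float,
            loss_reduction: float) -> str:
    """'adopt' if the control pays off even at the optimistic ARO, 'reject' if
    it fails to pay off even at the pessimistic ARO, otherwise 'uncertain':
    the decision then rests entirely on an ARO nobody can predict.
    """
    b = net_benefit(scenarios, annual_control_cost, loss_reduction)
    if b["low"] > 0:
        return "adopt"
    if b["high"] < 0:
        return "reject"
    return "uncertain"


# Constructed sample: one threat (ransomware) split into two severity tiers.
SAMPLE = [
    Scenario("ransomware, single workstation", sle=50_000,
             aro_low=0.1, aro_best=0.3, aro_high=0.6),
    Scenario("ransomware, fleet-wide outage", sle=2_000_000,
             aro_low=0.01, aro_best=0.05, aro_high=0.15),
]
CONTROL_COST = 120_000   # constructed: annual cost of an endpoint protection rollout
LOSS_REDUCTION = 0.6     # constructed: fraction of ransomware loss the control removes

if __name__ == "__main__":
    for bound, value in total_ale(SAMPLE).items():
        print(f"ALE ({bound:4}):         ${value:>12,.0f}")
    for bound, value in net_benefit(SAMPLE, CONTROL_COST, LOSS_REDUCTION).items():
        print(f"net benefit ({bound:4}): ${value:>12,.0f}")
    print("verdict:", verdict(SAMPLE, CONTROL_COST, LOSS_REDUCTION))
```

With the sample figures the best-estimate ALE (115,000) alone would reject a 120,000 control, while the pessimistic bound (330,000) would adopt it; the range makes that dependence visible instead of hiding it behind one number.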
Kyuande Johnson says
I agree with you Lauren, the classic quantitative risk analysis equation should never be used on its own. Both qualitative and quantitative risk analysis should be used when assessing the risk of an organization. Quantitative data are data about numeric variables (e.g. how many; how much; or how often). Qualitative data are measures of ‘types’ and may be represented by a name, symbol, or a number code. Using the combination of the two gives an organization a clear depiction of the risk that they face and the value of the assets they are protecting. This enables them to provide cost-effective security solutions for these issues.
Kyuande Johnson says
Chapter 2 focuses on planning and policy. Security is not a one-time implementation. It requires continuous monitoring and enhancing of systems, processes and people. As technology advances and becomes more robust, so does the attack surface of these tech products and the technology used to attack. It is essential for organizations to practice effective patch management of their systems and develop cyber intelligence programs to effectively and efficiently prevent a security breach from occurring.
Antonio Cozza says
It is a critical point you raise, Kyuande; security must be a cyclical process or it will be behind the modern threat environment rapidly. Cyber threat intelligence programs are proving to have quickly increasing value as they are aiding organizations in staying ahead of the curve, or at least not as far behind understanding the threats that a given organization may face, which also aids the cyclical process of further protecting the information assets.
Dan Xu says
Hi Kyuande,
I agree with you that security is not a one-time implementation and needs to be continually enhanced and monitored. Many companies have relatively good security plans, protection and response capabilities, but when administrators are unable to check system security on a daily basis, problems can go undetected for weeks or months, leading to greater threats. Real-time monitoring and follow-up is one of the necessary risk avoidance measures.
Victoria Zak says
Kyuande,
As we read in our recent case study, it is extremely important to keep up with security and apply patches. Patch management automatically searches for the patches that are needed to stay up to date. Without patching, this can lead to a vulnerability.
Additionally, another risk is that it may be hard to find support for the program once the server encounters an issue.
Olayinka Lucas says
Hello Kyuande.
While I agree with you that security is not a one-time implementation and needs to be continually enhanced and monitored, I would also add that continuous monitoring is a necessity to ensure in-depth defense. Even though several companies have relatively good security plans, when security personnel cannot check system security, problems can go undetected, leading to recurrence.
zijian ou says
Security Planning Policy: Controls: The organization develops, disseminates, and periodically reviews/updates: a formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and standard, established procedures to facilitate implementation of the security planning policy and associated security planning controls. Security planning policies and practices are consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidance. Security planning policies address the overall policy requirements for confidentiality, integrity, and availability and can be part of the organization’s general information security policy. Security planning procedures can be developed for available security procedures and, when required, for specific information systems.
Antonio Cozza says
My key takeaway from Chapter 2: Planning and Policy is centered on how actually implementing security architecture works; it is a process that should begin with a carefully designed plan which takes into consideration all of the real factors that will contribute to finally implementing the architecture after the plan is established. There will be costs involved, and an organization cannot simply afford to replace large amounts of important legacy infrastructure, and so they often must devise a defense-in-depth strategy centered around maintaining that system, unless it is past the point of being critically vulnerable, in which case it must be replaced. Defense in depth will ensure that the plan eliminates SPOFs.
Dan Xu says
After reading Chapter 2, one of the things I took away from this reading is that many organizations have the technology, but lack the management to make security effective over time. When administrators are unable to check system security on a daily basis, problems can go undetected for weeks or months, leading to larger threats or vulnerabilities. If security processes must be managed comprehensively, a sound security management process is essential. It starts with an excellent plan to protect and screen for errors through good security. Finally, a timely and accurate response, both of which can reflect whether the measures are in place when a real vulnerability occurs in the system security.
On the other hand, compliance laws and regulations are necessary as an external factor to motivate companies to formalize their security processes. Many compliance regimes require companies to adopt a specific formal governance framework to drive security planning and operational management. This leads to a company’s operations and processes becoming more legitimate.
kofi bonsu says
One major takeaway from Chapter 2 of the Corporate Computer Security textbook is that security policy dictates management’s commitment to the use, operation, and security of information systems and assets. It specifies the role security plays within the organization. Security policy should be driven by business objectives and should meet all applicable laws and regulations. The security policy should also act as a basis to integrate security into all business functions. It serves as a high-level guide to develop lower-level documentation, such as procedures. The security policy must be balanced, in the sense that all organizations are looking for ways to implement adequate security without hindering productivity. The issue also arises that the cost of security cannot be greater than the value of the asset. I am also impressed by the Plan-Protect-Respond cycle that was explained in the chapter. This is so because the cycle is primarily a top-level security management process which assists in preventing numerous threats. In that regard, three methods were mentioned in this process; each category basically seems to be performed more or less at the same time, as each process in the categorization is designed to benefit from the others. As regards the planning stage, the organization simply requires a systematic vision that explains one’s role in the organization as well as that of the employees within the organization. That being said, it is becoming increasingly possible to narrow down and design a suitable plan that is meant to benefit all three aspects of the vision. Again, the chapter talks about step 2 as being regarded as the protecting step, whereby one is supposed to implement ideas from the planning stage that are bound to prevent any threats whatsoever.
Hence, as threats continuously change their shape and form in the 21st century, information can be added back to the planning stage at all times to monitor changes in the pattern and behavior of threats, so that better measures can be designed to protect in the long run.
Finally, the last stage in the categorization is regarded as the response step. This is done when the planning and protecting stages do not appear to proffer a suitable measure to fend off a threat from occurring. This means that one needs to make sure that the response is carefully designed and must be quick, accurate, and precise to monitor and mitigate the threat. Insofar as the organization’s measures can respond effectively within the shortest possible time, this will affect both the planning and protecting steps, boosting their effectiveness and efficiency in planning for security issues within the organization.
Madalyn Stiverson says
Determining your regulatory compliance can be complicated for large companies that touch many different jurisdictions. If you’re operating in all 50 states and overseas in Europe, that already means 50 different sets of state legislation, US federal legislation, and GDPR apply. Some companies will opt to apply the most stringent regulatory requirements across their entire network, to ascertain compliance with all laws that apply. Other companies may break out compliance requirements by region. For example, a European citizen to whom GDPR applies has a right to access a copy of the data you have on them. The turnaround for providing this data is within one month. This means if you have both a Europe-based citizen and a US citizen request access to their data on the same day, you may prioritize the European request due to the GDPR requirement to have that data in their hands within a month.
Victoria Zak says
It is extremely important how an organization will react when it comes to responding to a risk. There are 4 ways a company can respond: risk reduction, risk acceptance, risk transference, and risk avoidance.
An example of risk reduction is when a mom-and-pop shop installs cameras to reduce the amount of crime. Another example would be if a hotel received a lot of complaints, the company can choose to put their employees through training or can address the complaint right away.
Risk acceptance: most companies will accept the risk if it is out of the organization’s budget. For example, a company may turn down MFA because it is expensive to put in.
Risk transference: a business agreement which states a company will pay a party to take on a risk of a loss that may or may not occur. For example, an employee who is in general pain or suffered an injury on the business’s property may choose to sue the company.
Risk avoidance: an organization executes the hazards or activities that can affect a company’s asset. An example is a business pursuing a new policy. When the organization tests the new strategy and it is too risky, the business decides not to pursue the policy because it is at risk.
kofi bonsu says
Hi Victoria,
It is indeed true that when an organization tests a new strategy and it is too costly and risky to undertake, then the business decides not to move forward with that policy at all, but you must understand in the same vein that the organization’s IT systems and the information that you hold on them face a wide range of risks. If your business relies on technology for key operations and activities, you need to be aware of the range and nature of those threats facing the said organization.
Michael Jordan says
One key point that stuck with me from chapter two is one that has been coming up in many of our readings recently: the importance of having written policies and procedures. In the case of an IS emergency, even the CERT team would have trouble executing a proper response without pre-written procedures, and non-IT employees would be even more lost, especially with the CERT/IT team not even knowing how to respond. This concept seems basic and maybe even non-IS related, but it is critical to establishing a foundation for the security architecture of any organization, which is why (I believe) it keeps coming up in discussion in our readings and classes.
Olayinka Lucas says
An organizational security policy is a set of rules or procedures that an organization imposes on its operations to protect its sensitive data. It could also be described as the tone at the top.
A security policy identifies the rules that will be followed to maintain security in a system, while a security plan details how those rules will be implemented. A security policy is generally included within a security plan. A good security plan helps business expansion, i.e., physical expansion, through a second location or development into a new market or new products.
A security plan should include day-to-day policies, measures, and protocols for managing specific situations: security, security management, etc., detention, or disappearance. The more day-to-day policies and actions implemented, the more the case protocols will work.
Bernard Antwi says
The chapter begins with a broad look at security management. This section discusses why management is difficult to think about, the need for comprehensive security, weakest link failures, and the plan-protect-respond cycle that will dominate this book and that also dominates practical IT security. It also talks about vision in planning and strategic IT security planning.
The chapter then discusses the most fundamental management decisions regarding how to organize the IT security function. A key theme is maintaining independence for IT security, because it is difficult to accuse one’s boss of security violations.
The next section, on risk analysis, is absolutely central to network management. The concept of risk management should be emphasized throughout the course.