Under Chapter 2 for planning and policy I was very interested in the Sarbanes-Oxley Act that was implemented in 2002. It is noted that it had taken place to prevent fraud due to the stock market crash in 2000, also known as the dot-com bubble. The Sarbanes-Oxley Act of 2002 is there to help revise any control deficiencies, which ultimately led to uncovering security weaknesses in companies and helped start the regulation and compliance for tech companies. A few other examples of regulatory compliance laws are the General Data Protection Regulation, the Gramm-Leach-Bliley Act, and HIPAA. These compliance laws are very important to keeping everything under the CIA triad, as the information contained within the data is valuable and confidential information that needs to be protected for the good of everyone.
During Chapter 2 I immediately noticed my favorite criticism of The Federal Information Security Modernization Act (FISMA): FISMA focuses more on documentation than actual protection of the information system. Something that I have noticed with a lot of federal organizations is their overbearing tendency to write policy and ensure it’s in compliance with every NIST principle without comprehending the best practice and implementation. This is not to say that ensuring that best cybersecurity principles are policy is necessarily a bad thing – but rather organizations should also take into account the scope of the policy they are writing to and the environment they are implementing in.
For example, the Risk Management Framework process is a part of the FISMA accreditation that chapter 2 discusses. At some point the Security Control Assessor (SCA) has to make a determination if the system risk is at an acceptable level for an Authorization to Operate (ATO). There is an issue when an organization has spent all of their resources documenting the information and provided no resources for implementing the scope of their categorization. The result is that the administrative policy looks good on paper, but the actual execution of protections leaves the system “non-compliant” and often obfuscates the actual severity of compromised security because of the exceedingly large scope. To me, policy is just as important as the execution. Both have to be properly managed.
Bruce Schneier, an expert in information security, states that security is a process, and not a product. He talks about the management process and reasons why it is difficult. Due to the abstract nature of the management process, it is more drawn out and involves a lot more than a few diagrams/algorithms. Comprehensive security is needed instead of just security management. Weakest-link failures are often why security management is difficult, as all the moving parts need to work like clockwork without any interruption. Companies need security management to protect and identify all their resources and develop a security program by understanding the basis of the management process. Driving firms need to use formal governance frameworks to process their security process.
It was really interesting to learn about the different types of implementation guidance. I was not expecting to see ethics be considered as a standard or guideline to implement policies since individuals typically have different systems of value which can complicate things. Ethics is used in complex situations where hard-and-fast guidance is impossible. In a group-setting, it is very possible that not everyone would agree with a decision based on their moral standards. To make ethical decision making more predictable, most corporations have some sort of “codes of ethics” that provide additional guidance. An example of these statements include “An employee must never take bribes or kickbacks, including any nontrivial ‘gift’ …” (128).
Hi Elizabeth, this is a great takeaway as the ethics are important to impose policies and guidelines to prevent fraud or any breach of security. As the code of ethics are outlined it helps clarify and differentiate right from wrong.
One key topic that I enjoyed learning about in this chapter was the “Problems with Classic Risk Analysis Calculations”. Classic risk analysis calculations are a great baseline but in many circumstances, additional factors must be taken into account. For example, classic risk analysis considers single loss expectancy (asset value times the exposure factor) to be the total losses in one single incident. If a breach results in PII exposure, there is no loss in the value of that PII but the company will likely face fines, losses in future sales, etc. The fix for this is to replace the single loss expectancy with total cost of incident (TCI). Classic risk analysis calculations also don’t consider that one countermeasure (such as a firewall) may protect many different assets, thus justifying a higher cost than would be justifiable if only one asset were being protected.
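As an added worked example (not from the textbook or any of the commenters), the calculation this post describes in Python: the classic SLE-based annualized loss beside a TCI-based one, and a countermeasure credited against every asset it protects rather than against one asset at a time. All asset values, exposure factors, annual rates, and the firewall's cost and "effectiveness" factor are constructed for illustration.

```python
"""Classic risk analysis beside the two adjustments described in the post.

Added example; the assets, dollar values, rates and the countermeasure's
cost and effectiveness are constructed for illustration (not textbook data).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float             # asset value (AV), dollars
    exposure_factor: float   # fraction of AV lost in one incident (EF)
    annual_rate: float       # annualized rate of occurrence (ARO), incidents/year
    # Costs of one incident that classic SLE ignores: fines, notification,
    # lost future sales. Constructed figures.
    consequential_cost: float = 0.0


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    effectiveness: float     # fraction of ARO removed for each protected asset (constructed)
    protects: list[str] = field(default_factory=list)


def single_loss_expectancy(asset: Asset) -> float:
    """Classic SLE = AV x EF: only the direct loss to the asset itself."""
    return asset.value * asset.exposure_factor


def total_cost_of_incident(asset: Asset) -> float:
    """TCI = SLE plus consequential costs; non-zero even when EF is zero."""
    return single_loss_expectancy(asset) + asset.consequential_cost


def annualized_loss(asset: Asset, use_tci: bool) -> float:
    """ALE = (SLE or TCI) x ARO."""
    per_incident = total_cost_of_incident(asset) if use_tci else single_loss_expectancy(asset)
    return per_incident * asset.annual_rate


def per_asset_net_benefit(cm: Countermeasure, assets: list[Asset], use_tci: bool) -> dict[str, float]:
    """The classic view: judge the countermeasure against each protected asset alone."""
    return {
        a.name: annualized_loss(a, use_tci) * cm.effectiveness - cm.annual_cost
        for a in assets
        if a.name in cm.protects
    }


def net_annual_benefit(cm: Countermeasure, assets: list[Asset], use_tci: bool) -> float:
    """Credit the countermeasure with the loss it avoids across every asset it protects."""
    avoided = sum(
        annualized_loss(a, use_tci) * cm.effectiveness
        for a in assets
        if a.name in cm.protects
    )
    return avoided - cm.annual_cost


def justified(cm: Countermeasure, assets: list[Asset], use_tci: bool) -> bool:
    """A countermeasure is justified when it avoids more annual loss than it costs."""
    return net_annual_benefit(cm, assets, use_tci) > 0


# Constructed sample data. The customer database has EF = 0: a breach exposes
# the PII without destroying it, so classic SLE says the incident costs nothing.
ASSETS = [
    Asset("customer-pii-db", value=200_000, exposure_factor=0.0, annual_rate=0.1,
          consequential_cost=500_000),
    Asset("web-server", value=50_000, exposure_factor=0.5, annual_rate=0.2),
    Asset("file-server", value=80_000, exposure_factor=0.25, annual_rate=0.5),
]

# One firewall protecting all three assets (constructed cost and effectiveness).
FIREWALL = Countermeasure("border-firewall", annual_cost=30_000, effectiveness=0.5,
                          protects=[a.name for a in ASSETS])


if __name__ == "__main__":
    for use_tci in (False, True):
        label = "TCI" if use_tci else "classic SLE"
        print(f"[{label}] per-asset net benefit:",
              {k: round(v) for k, v in per_asset_net_benefit(FIREWALL, ASSETS, use_tci).items()})
        print(f"[{label}] shared net benefit: {net_annual_benefit(FIREWALL, ASSETS, use_tci):.0f}"
              f" -> justified: {justified(FIREWALL, ASSETS, use_tci)}")
```

Judged asset by asset the firewall never pays for itself, and under classic SLE the PII database contributes nothing; only the TCI figure summed across all protected assets shows the countermeasure as worthwhile.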
This chapter talks about security management in the organization. It also mentioned that we may have all the sophisticated technologies to protect our system against hackers, but if we don’t have good security management in place, then it’s nothing.
I believe this is definitely right because the simple thing we neglect will be the one big thing causing all the issues. We need great technologies, but we also need the right people to control or monitor what we implement in the system. Sometimes people hack the system just because they are bored and want to develop their IT skills. To prevent those situations from happening, we need good security management with strong policies and procedures in place to help users follow them and know the do’s and don’ts related to information systems.
One key point is that in the real world, when you think about IT or want to exert in IT, you need to think about “Defense”.
I agree with your post. As Information Technology Auditors or Cyber Security experts, we should understand that there is no such thing as 100% security. This is why we assess risks and determine the best way to move forward in the given scenario. Another thing that is ideal to do is mitigate the potential harm that an organization is susceptible to. And like you said in this post, security management is very important!
This chapter mentions that an IT security professional’s main job is defense because he/she should protect the firm while not obstructing its primary objective, which is to generate profits, like bullet-resistant glass. Therefore, he/she can’t be too secure. Moreover, IT security professionals need to understand that “Security is a process, not a product.” To understand this quote from Bruce Schneier, IT security professionals should focus on security management instead of security technology because security management is more important than security technology. Security technology will change rapidly, but security management can make security work for the long term. To have security management, entities must develop and follow formal processes, including security planning. To draft a security plan, the IT security professionals should look at the plan-protect-respond cycle.
According to this chapter, “many companies have relatively good security plans, protections, and response capabilities”. Nevertheless, there are driving forces that require the company to change its security planning, protections, and response. For instance, it is ESSENTIAL for the company or firm to continually improve their security to be in compliance with laws and regulations. Furthermore, these improvements are undoubtedly expensive, and there are an ample amount of compliance laws and regulations.
I agree with you that it is essential for the company to continually improve their security to be in compliance with regulations. Some of these laws and regulations included PCI-DSS, Sarbanes-Oxley, and FISMA. PCI-DSS handles branded credit cards from the major card schemes. Sarbanes-Oxley mandates certain practices in financial record keeping and reporting. FISMA protects government information and operations.
A critical takeaway I experienced in regards to Chapter 2 “Planning & Policy” was the information provided on the Plan-Protect-Respond cycle that’s highlighted in section 2.1.4. Defined as a “top level security management process”, the cycle consists of three phases: planning, protecting, & responding to breaches. I feel as if this cycle is central to not only the chapter, but to the overall message the text sets out to make. Planning is obviously essential if an organization ever hopes to achieve comprehensive security, and it is the key focus of the chapter. Protection is the next component, the phase a security professional spends most of their time in, dealing with the creation & operation of controls. Response, the final component, is “recovery according to plan”, but even with solid planning & protection, attacks will still get through. Although this chapter deals primarily in planning, I thought learning about the cycle sets up a great foundation for the rest of the text.
Oluwaseun Soyomokun says
This chapter explains the big picture on security planning and policy, as well as the ideas about Strategic IT Security planning: assessing the current security state and the possible factors that will be driving changes to the security architecture, while considering the increasingly complex and virulent threat environment, the growth of compliance laws and regulations, changes in the corporate structure, mergers, and anything else that will change security conditions in the future. Bruce Schneier’s security concern and argument is particularly centered on how the security process can be reviewed and planned with a disciplined security management process, knowing the increase in new hacking techniques. IT Security planning and policy structure should have a defense in depth security system to mitigate common threats like malware, worms, phishing emails, and viruses of all kinds. Compliance laws and regulations are perhaps the driving force of changes to firms today.
Bryan Garrahan says
In an ideal world companies would proactively seek to improve their security practices for the sake of their customers & employees. Unfortunately, we’ve seen time and time again that typically isn’t the case. Rather, we see companies buttoning up their security practices in order to meet compliance & regulatory requirements so that they can continue to sustain financial success.
Yangyuan Lin says
This chapter focuses on how businesses can defend against cyber threats. In 2.1, IT security is likened to bulletproof glass. At the same time, enterprises will create profits under the protection of bulletproof glass. This is the main job of IT security professionals: to protect the information security of enterprises. Bruce Schneier emphasizes that security management is the focus rather than excessive focus on security technology. Management is also the hardest part, because management is abstract, without clear definitions, and has complex processes; these principles are difficult to put into practice, and the protection of information security requires many components to work together to make the plan successful.
In the case of a company’s requirements for its information system security program, the company must ensure that it describes legal compliance, such as Sarbanes-Oxley, PCI-DSS, and FISMA, which play a role in IT management, and the company must improve its security. Compliance with laws and regulations is what drives the company. Organizations need security frameworks, policies, standards, procedures, and best practices to prevent internal fraud and conduct industry risk analysis.
Michael Duffy says
Yangyuan,
Something that a lot of professionals have a hard time dealing with is Risk “Management”, as there are a lot of components to generating what a risk actually is, and on the business side of things senior management does not like the idea that there is always a probability that you could lose money. Which is why a lot of organizations fail when trying to assess the risk and bring it down to an acceptable level. The result is that they tell their security department that the risk is “unacceptable” even if there is no feasible solution, or that the solution might be a greater cost to the company. These kinds of discussions can send security professionals into rabbit holes with management, especially if there is a disconnect between senior management and their security department. At the end of the day, there is a huge difference between checking a box for compliance versus assessing the risk and managing it.
Shubham Patil says
The one key point I took from this chapter is –
Defense In Depth:
The first principle is defense in depth. With defense in depth, an attacker must break through multiple countermeasures to succeed. For instance, to attack a server, an attacker might have to break through a border firewall, through an internal firewall, and finally through the defenses of a hardened application on a hardened server.
The reason for defense in depth is simple. Vulnerability reporters find problems in nearly every security countermeasure once or more per year. While a vulnerability in one defensive element is being fixed, others in the line of defense will remain effective, thwarting the attacker.
Principles of Defense in Depth:
• Resource is guarded by several countermeasures in series
• Attacker must breach them all, in series, to succeed
• If one countermeasure fails, the resource remains safe
• Defense in depth versus weakest links
• Defense in depth: multiple independent countermeasures that must be defeated in series
• Weakest link: a single countermeasure with multiple interdependent components that must all succeed for the countermeasure to succeed
Michael Galdo says
This chapter focuses on the importance of security management compared with security technology. I learned about the plan-protect-respond cycle as well as several different laws and regulations that are crucial in today’s IT security management. Some of these laws and regulations included PCI-DSS (which handles branded credit cards from the major card schemes), Sarbanes-Oxley (which mandates certain practices in financial record keeping and reporting), and FISMA (which protects government information and operations).
Matthew Bryan says
In section 2.6.5, Boyle and Panko provide guidance on implementing security policies. In this section they discuss separation of duties, employee collusion, and monitoring for unapproved processes. The authors provide an interesting example of job rotation and mandatory vacations for employees. The thinking for this policy is that an employee typically needs to be working in order to maintain an unapproved process. A mandatory vacation would make maintaining this process difficult and would likely bring unauthorized processes to the surface.
I found this point interesting, especially when many organizations are short-staffed. I am curious about how often this is actually implemented. The authors also suggest job rotations, but this may not provide the same separation that a mandatory vacation provides. Companies should pay close attention to access logs when enforcing a policy like this, as remote work makes it much easier for employees to maintain an unauthorized process while on “vacation.”
Yangyuan Lin says
Hi Matthew,
A mandatory vacation policy is a security best practice that helps prevent employee fraud and abuse. This practice deters fraud and other abuses because employees know that another person will soon take over their responsibilities, and the newcomer is likely to spot any patterns of bad behavior. When another employee joins the ranks of the old employee, it’s even harder for the fraudster to cover their tracks. Although you mentioned the issue of understaffing in the organization, the issue of security is more important.
Jason Burwell says
Boyle and Panko: Chapter 2 Planning and Policy
In the introduction to this chapter they drive home the point that this book is about Defense, which is the main job of an IT Security professional. I thought that was a very important point. Then it went on to point out Bruce Schneier’s point that it is better to focus on Security Management, more so than Security Technology. The reading goes on to teach us that Technology is Concrete, and Management is Abstract.
What stuck out to me was the talk of planning and how the book will always come back around to planning because of how important planning is in every phase of IT Security. The single line that sticks with me in the chapter is
“Our security vision must focus on security as an enabler rather than as a preventer.”
An excellent example was given where it talks about how a company with weak security will just turn off a certain feature because using it may expose them to more attacks, whereas a company with strong security can use that same feature to their advantage and help the business in various ways.
Matthew Bryan says
These points resonated with me as well. I agree with Schneier here and I am reminded of Target’s IDS alert management during their breach. In that case, alerts were ignored and it was clear that they didn’t have a good incident response plan. The Target example also shows what happens when security does not enable trust, e.g. the ignored “false positive” alerts. A team that understands how the technology works, what’s expected behavior, and plans how to respond is better prepared to manage the threat landscape.
Miray Bolukbasi says
Chapter 2 helped me understand the importance of managing risk instead of trying to eliminate it. IT security planning’s main focus is risk, and it requires “a way of thinking about risk called risk analysis”, according to the book. The risk analysis helps us look further to be able to compare the probable losses with protection costs. It explains that there is no chance to get rid of risk 100%. Therefore, organizations should work on having reasonable risk remaining once appropriate controls are in place.
Finally, once the risk analysis is complete, there are four logical possible responses to risk. It might be reduction, where adopted countermeasures reduce the harm; acceptance, where protecting against a loss would be too expensive and losses should be accepted when they occur; risk transfer, which lets you have insurance to deal with security-related losses; and avoidance, which is when you don’t take risky actions.
Jason Burwell says
Hey Miray,
I felt the same way after reading Chapter 2 in regards to risk, and since everyone will agree that there can never be absolutely 0% risk, I think managing the risk is the more important task over trying to eliminate it fully.
Ryan Trapp says
Hi Miray,
I think eliminating risk completely is something a lot of individuals do not fully understand when it comes to managing risk of IT systems. A lot of non-IT people want their information systems completely secure and with no chance there could be any breaches. When in reality, as you’ve correctly pointed out, there is no chance to get rid of risk 100%, and this includes securing information systems. This is why companies have to do their best to take steps to reduce risk as much as they’re able to and make a reasonable attempt to secure their systems.
Bryan Garrahan says
I found the chapter’s information on where security can sit within a firm’s organization chart very interesting. Personally, I don’t think I’ve seen or heard of a company whose security department is independent of the overall IT function. The authors write, “Despite problems that arise in placing security outside of IT, most analysts recommend doing so. The need for independence from IT is too important to consider placing security within IT”. While I don’t fully agree that security should be independent from IT, I do believe it would help in situations where business process owners simply push off their security issues because that’s “an IT problem”.
Ryan Trapp says
While reading the second chapter of Boyle and Panko’s textbook, I found the section on the Plan-Protect-Respond cycle to be very intriguing. Keeping this cycle in mind when developing security plans will help companies understand what it takes to be on top of security. Like it is mentioned earlier in the chapter, “security is a process, not a product”. Using this cycle for the top-level security management process will help accomplish this goal and manage the process comprehensively.
Mohammed Syed says
I found the “Security is a process, not a product” statement to be profound as well. In the Plan-Protect-Respond cycle, the initial phase evaluates security, weakest links are highlighted, and new processes are developed. In the protect phase, protection is enforced using firewalls etc., and more time and resources are utilized in this phase. In the final respond phase, organizations respond to attacks, and vulnerabilities are secured if any breach occurs. This method definitely works in my experience.
Corey Arana says
Some key points that I took away from chapter 2 of Boyle and Panko:
What is a policy: policies are statements of what should be done under specific circumstances. When writing policies, IT cannot act alone; IT policy writing teams help create policies.
Every company has its major policies, such as email policies, acceptable use policy and MFA.
Segregation of duties is an essential internal control in any organization designed to prevent fraud and error. An example would be one person taking an order and another recording the transaction of the order.
The USA Freedom Act was passed in 2015 to replace the Protect America Act of 2007. PAA allowed federal agencies to monitor US citizens’ international communications without a warrant. The USA Freedom Act was set up to stop the collection of metadata by the NSA, but it still allowed for collection of this data by phone companies, and the NSA then accessed the phone companies’ information.
Wilmer Monsalve says
Under Chapter 2 for planning and policy I was very interested in the Sarbanes-Oxley Act that was implemented in 2002. It is noted that it had taken place to prevent fraud due to the stock market crash in 2000, also known as the dot-com bubble. The Sarbanes-Oxley Act of 2002 is there to help revise any control deficiencies, which ultimately led to uncovering security weaknesses in companies and helped start the regulation and compliance for tech companies. A few other examples of regulatory compliance laws are the General Data Protection Regulation, the Gramm-Leach-Bliley Act, and HIPAA. These compliance laws are very important to keeping everything under the CIA triad, as the information contained within the data is valuable and confidential information that needs to be protected for the good of everyone.
Michael Duffy says
During Chapter 2 I immediately noticed my favorite criticism of the Federal Information Security Modernization Act (FISMA): FISMA focuses more on documentation than on actual protection of the information system. Something that I have noticed with a lot of federal organizations is their overbearing tendency to write policy and ensure it’s in compliance with every NIST principle without comprehending the best practice and implementation. This is not to say that ensuring that best cybersecurity principles are policy is a bad thing, but rather organizations should also take into account the scope of the policy they are writing to and the environment they are implementing in.
For example, the Risk Management Framework process is a part of the FISMA accreditation that chapter 2 discusses. At some point the Security Control Assessor (SCA) has to make a determination if the system risk is at an acceptable level for an Authorization to Operate (ATO). There is an issue when an organization has spent all of its resources documenting the information and provides no resources for implementing the scope of its categorization. The result is that the administrative policy looks good on paper, but the actual execution of protections leaves the system “non-compliant” and often obfuscates the actual severity of compromised security because of the exceedingly large scope. To me, policy is just as important as the execution. Both have to be properly managed.
Mohammed Syed says
Bruce Schneier, an expert in Information Security, states that security is a process, and not a product. He talks about the management process and reasons why it is difficult. Due to the abstract nature of the management process, it is more drawn out and involves a lot more than a few diagrams/algorithms. Comprehensive security is needed instead of just security management. Weakest-link failures are often why security management is difficult, as all the moving parts need to work like clockwork without any interruption. Companies need security management to protect and identify all their resources and develop a security program by understanding the basis of the management process. Firms need to use formal governance frameworks to drive their security process.
Elizabeth Gutierrez says
It was really interesting to learn about the different types of implementation guidance. I was not expecting to see ethics be considered as a standard or guideline to implement policies since individuals typically have different systems of value which can complicate things. Ethics is used in complex situations where hard-and-fast guidance is impossible. In a group-setting, it is very possible that not everyone would agree with a decision based on their moral standards. To make ethical decision making more predictable, most corporations have some sort of “codes of ethics” that provide additional guidance. An example of these statements include “An employee must never take bribes or kickbacks, including any nontrivial ‘gift’ …” (128).
Wilmer Monsalve says
Hi Elizabeth, this is a great takeaway, as ethics are important to impose policies and guidelines to prevent fraud or any breach of security. As the code of ethics is outlined, it helps clarify and differentiate right from wrong.
Amelia Safirstein says
One key topic that I enjoyed learning about in this chapter was the “Problems with Classic Risk Analysis Calculations”. Classic risk analysis calculations are a great baseline but in many circumstances, additional factors must be taken into account. For example, classic risk analysis considers single loss expectancy (asset value times the exposure factor) to be the total losses in one single incident. If a breach results in PII exposure, there is no loss in the value of that PII but the company will likely face fines, losses in future sales, etc. The fix for this is to replace the single loss expectancy with total cost of incident (TCI). Classic risk analysis calculations also don’t consider that one countermeasure (such as a firewall) may protect many different assets, thus justifying a higher cost than would be justifiable if only one asset were being protected.
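As an added worked example of the calculations discussed in the two posts above (it is not from the textbook or from any of the posters), the following Python carries the classic risk analysis through: single loss expectancy (SLE = asset value × exposure factor), annualized loss expectancy (ALE = per-incident loss × annualized rate of occurrence), and a countermeasure's net value (ALE before minus ALE after minus the countermeasure's annual cost). It then applies the two fixes mentioned: replacing SLE with a total cost of incident (TCI) that adds fines and lost sales, and crediting one countermeasure with the ALE reduction across every asset it protects. The asset values, exposure factors, rates and costs are all constructed for illustration, and the `recommend` rule (adopt the option with the largest positive net value, otherwise accept the risk) is a simplification assumed here.

```python
"""Classic risk analysis (SLE, ARO, ALE, countermeasure net value) with two
extensions: Total Cost of Incident in place of SLE, and crediting a
countermeasure with the ALE reduction on every asset it protects.
All figures below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # asset value (AV), in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident
    aro: float              # annualized rate of occurrence (incidents / year)
    incident_overhead: float = 0.0  # fines, lost sales, forensics: costs that
                                    # are not a loss of asset value

    def sle(self) -> float:
        """Single loss expectancy: the classic per-incident loss, AV * EF."""
        return self.value * self.exposure_factor

    def tci(self) -> float:
        """Total cost of incident: SLE plus the costs SLE ignores."""
        return self.sle() + self.incident_overhead

    def ale(self, use_tci: bool = True) -> float:
        """Annualized loss expectancy: per-incident loss times ARO."""
        per_incident = self.tci() if use_tci else self.sle()
        return per_incident * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # asset name -> (exposure_factor, aro) that apply once the countermeasure
    # is in place; assets not listed are unaffected by it.
    protects: Dict[str, Tuple[float, float]]


def net_value(assets: List[Asset], cm: Countermeasure, use_tci: bool = True) -> float:
    """ALE reduction summed over every protected asset, minus the annual cost.
    Positive means the countermeasure pays for itself."""
    total_before = total_after = 0.0
    for a in assets:
        if a.name not in cm.protects:
            continue
        new_ef, new_aro = cm.protects[a.name]
        protected = Asset(a.name, a.value, new_ef, new_aro, a.incident_overhead)
        total_before += a.ale(use_tci)
        total_after += protected.ale(use_tci)
    return total_before - total_after - cm.annual_cost


def recommend(assets: List[Asset], options: List[Countermeasure]) -> Optional[str]:
    """Assumed decision rule: pick the countermeasure with the largest positive
    net value; None means nothing pays for itself, so accept the residual risk."""
    if not options:
        return None
    best_value, best_name = max((net_value(assets, cm), cm.name) for cm in options)
    return best_name if best_value > 0 else None


# Constructed sample inventory (hypothetical figures, not from the textbook).
CUSTOMER_DB = Asset("customer_db", value=400_000, exposure_factor=0.25, aro=0.5,
                    incident_overhead=300_000)  # PII breach: fines, lost sales
WEB_SERVER = Asset("web_server", value=100_000, exposure_factor=0.5, aro=2.0)
ASSETS = [CUSTOMER_DB, WEB_SERVER]

# One perimeter control covering both assets, and one costly control covering one.
FIREWALL = Countermeasure("firewall", annual_cost=90_000,
                          protects={"customer_db": (0.25, 0.125),
                                    "web_server": (0.5, 0.5)})
DLP = Countermeasure("dlp", annual_cost=250_000,
                     protects={"customer_db": (0.25, 0.125)})

if __name__ == "__main__":
    print(f"customer_db SLE={CUSTOMER_DB.sle():,.0f} TCI={CUSTOMER_DB.tci():,.0f}")
    print(f"firewall, web server only: {net_value([WEB_SERVER], FIREWALL):,.0f}")
    print(f"firewall, all assets:      {net_value(ASSETS, FIREWALL):,.0f}")
    print(f"recommendation: {recommend(ASSETS, [FIREWALL, DLP])}")
```

Run stand-alone, the script shows the two effects the post describes: judged against the web server alone the firewall has a negative net value, but counting the database it also protects it comes out well ahead; and the database's annualized loss quadruples once fines and lost sales are added to the asset-value loss, which changes how much protection spending is justified.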
Ornella Rhyne says
This chapter talks about security management in the organization. It also mentioned that we may have all the sophisticated technologies to protect our system against hackers, but if we don’t have good security management in place, then it’s nothing.
I believe this is definitely right, because the simple thing we neglect will be the one big thing causing all the issues. We need great technologies, but we also need the right people to control or monitor what we implement in the system. Sometimes people hack the system just because they are bored and want to develop their IT skills. To prevent those situations from happening, we need good security management with strong policies and procedures in place to help users follow them and know the do’s and don’ts related to information systems.
One key point is that in the real world, when you think about IT or want to exert in IT, you need to think about “Defense”.
Joshua Moses says
Hello Ornella,
I agree with your post. As Information Technology Auditors or Cyber Security experts, we should understand that there is no such thing as 100% security. This is why we assess risks and determine the best way to move forward in the given scenario. Another thing that is ideal to do is mitigate the potential harm that an organization is susceptible to. And like you said in this post, security management is very important!
Hang Nu Song Nguyen says
This chapter mentions that an IT security professional’s main job is defense, because he/she should protect the firm while not obstructing its primary objective, which is to generate profits, like bullet-resistant glass. Therefore, he/she can’t be too secure. Moreover, IT security professionals need to understand that “Security is a process, not a product.” To understand this quote from Bruce Schneier, IT security professionals should focus on security management instead of security technology, because security management is more important than security technology. Security technology will change rapidly, but security management can make security work for the long term. To have security management, entities must develop and follow formal processes, including security planning. To draft a security plan, the IT security professionals should look at the plan-protect-respond cycle.
Joshua Moses says
According to this chapter, “many companies have relatively good security plans, protections, and response capabilities”. Nevertheless, there are driving forces that require the company to change its security planning, protections, and response. For instance, it is ESSENTIAL for the company or firm to continually improve its security to be in compliance with laws and regulations. Furthermore, these improvements are undoubtedly expensive, and there are an ample amount of compliance laws and regulations.
Michael Galdo says
Hello Joshua,
I agree with you that it is essential for the company to continually improve their security to be in compliance with regulations. Some of these laws and regulations included PCI-DSS, Sarbanes-Oxley, and FISMA. PCI-DSS handles branded credit cards from the major card schemes. Sarbanes-Oxley mandates certain practices in financial record keeping and reporting. FISMA protects government information and operations.
Alexander William Knoll says
A critical takeaway I experienced in regards to Chapter 2 “Planning & Policy” was the information provided on the Plan-Protect-Respond cycle that’s highlighted in section 2.1.4. Defined as a “top level security management process”, the cycle consists of three phases: planning, protecting, & responding to breaches. I feel as if this cycle is central to not only the chapter, but to the overall message the text sets out to make. Planning is obviously essential if an organization ever hopes to achieve comprehensive security, and it is the key focus of the chapter. Protection is the next component, the phase a security professional spends most of their time in, dealing with the creation & operation of controls. Response, the final component, is “recovery according to plan”, but even with solid planning & protection, attacks will still get through. Although this chapter deals primarily in planning, I thought learning about the cycle sets up a great foundation for the rest of the text.