Information security is a pseudo-proposition: there can be no absolute information security, only the reduction of risk and its control within an acceptable range. Even though security reduces the risk of harm, it also increases cost and inefficiency. For risk assessment there is a risk assessment method, but we don't apply this method in real life; for example, if personal information is leaked and causes loss to the company, the company's assets are still there. So for risk response we usually consider three aspects: 1. risk reduction, 2. risk transfer, 3. risk avoidance.
In short, we need to understand risk correctly: risk cannot be eliminated, we cannot completely avoid it, nor can we give priority to safety in everything. We need to assess the cost of maintaining the risk and the loss caused by the risk, and make a reasonable judgment.
Management, in contrast, is abstract. You cannot show pictures of devices or talk in terms of detailed diagrams or software algorithms. There are fewer general principles to discuss, and most of these principles cannot be put into practice without well-defined and complex processes.
I got to know a few well-known governance frameworks including COSO, CobiT, and ISO 27002. Frameworks help companies by providing a systematic way of approaching IT security planning, implementation, monitoring, and progressive improvement.
There is no absolute IT security protection, but IT security can reduce the risk of being attacked. Most firms today protect against threats by using a highest-level security management process called the plan–protect–respond cycle.
Information security strategy is the most important step for an organization to solve information security problems, and it is also the foundation of the organization's entire information security system. Information security is not a natural requirement but a requirement after experiencing information loss. Therefore, management is essential for information security. The Plan-Protect-Respond cycle is a formal top-level security management process which has 3 steps: planning, protection, and response. The whole cycle begins with planning. Protection is the plan-based creation and operation of countermeasures, and this step is what most security professionals focus on. Response is complex because incidents vary in severity and because different levels of attack severity require different response approaches. Because the speed and accuracy of response are of the essence, rehearsing the incident response plan is necessary. All three steps take place simultaneously and constantly feed into one another.
Key Point: Defense is an IT security professional's main job. Defending a firm and its assets can be a complex process. After you have mastered the principles and practices of defense, a detailed understanding of attacks will help you.
Analysis: The key to defence is knowing how to manage it. For one thing, attackers only need to find a single way to get into the corporation. Organizations need comprehensive security—closing all routes of attack to their systems to attackers. Comprehensive security does not come by accident. It needs perfect management.
A major part of Chapter 2 is a discussion of Information Security Policy, which is management’s commitment to the use, operation, and security of information systems and assets. I think that planning and policy are significant in the IT security process. Security policy requires continuous monitoring and enhancing of systems, processes and people, while also meeting the requirements of “laws and regulations, related policies, processes and procedures”. It is driven by business goals and continuously updated as technology advances.
I was also impressed with the plan-protect-response cycle, which is primarily a top-level security management process. This means that we need careful design and planning to ensure the precision and speed of our responses, which will also help to monitor and mitigate potential threats to keep our organization safe.
Management is abstract. You cannot display pictures of devices or talk in terms of detailed charts or software algorithms. There are few general principles to be discussed, and they cannot be put into practice without a clear and complex process. Many institutions can enjoy good security immediately. However, their security situation declines rapidly. These institutions possess the technologies, but they lack the capacity to manage security work effectively in the long term.
One of the key points I learned from this chapter is that security is a process and not a product. A lot of the exciting part of security is the technology, not the governance, planning, and policy aspects of it. But if you do not get those elements right, then even the best technology cannot make for an effective security program.
Management is critical to information security. The Plan-Protect-Response cycle is a formal top-level security management process that is divided into three steps: plan, protect and respond. I believe that planning and policy are very important in the IT security process. Security policy requires continuous monitoring and enhancement of systems, processes, and people, while also meeting the requirements of “laws, regulations, related policies, processes, and procedures”. It is driven by business objectives and is updated as technology advances.
The chapter ended with a dark view of the future—threats will increase in number and will become more dangerous. The rest of this book describes how corporations can respond to threats to their resources. One key point is that strategic IT security planning first assesses the company's current security. It then considers factors that will be driving changes—including the increasingly complex and virulent threat environment, the growth of compliance laws and regulations, changes in the corporate structure, mergers, and anything else that will change conditions in the future. And it must develop a census of all of its resources to be protected by IT security. These may be corporate databases, webservers, and even spreadsheets.
In this chapter we looked at several compliance laws and regulations that are acting as driving forces in IT security management—Sarbanes–Oxley, privacy laws, data breach notification laws, PCI-DSS, and FISMA. The functioning, placement, general nature of interactions between the IT security department and other organizational departments, and outsourcing to managed security service providers were discussed. The chapter then looked at classic risk analysis, its problems, and ways to respond to risk. This led us to a discussion about security architecture, policies, standards, procedures, and best practices within the industry. We saw the need for oversight of existing policies, auditing, and sanctions to prevent internal fraud.
The chapter concluded with a discussion of a few well-known governance frameworks including COSO, COBIT, and ISO 27000. Frameworks help companies by providing a systematic way of approaching IT security planning, implementation, monitoring, and progressive improvement.
One key point in chapter 2 is the quote "Security is a process, not a product" at the beginning of the chapter. Before reading chapter 2, I still believed that security, especially cyber security, may rely heavily on technology, such as purchasing firewalls, anti-virus software and so on. But if a company does not identify all of its resources and develop a security program for each one, all the technology methods will be ineffective. For instance, as Figure 2-3 shows, an attacker only needs one unprotected avenue of attack to succeed. So companies must develop and follow formal processes, which are planned series of actions, and these should include the plan–protect–respond cycle.
The focus of Chapter 2 is on the commitment to the use, operation, and security of information systems and assets. I think planning and policy are very important in the IT security process. The policy continues and enhances systems, ongoing processes and people, while carrying out the requirements of "laws and regulations, related policies, processes and procedures". It is driven by business goals and evolves as technology advances.
One key point taken from chapter 2 of the textbook is that companies should install technical countermeasures with an overall plan. This plan is a company's technical security architecture, which includes all of a company's technical countermeasures—including firewalls, hardened hosts, intrusion detection systems, and other tools—and how these countermeasures are organized into a complete system of protection. Meanwhile, technical security protections are well matched to corporate asset protection needs and external threats. A major goal is to create a comprehensive wall with no holes for attackers to walk through.
Many companies struggling with security planning would like something like a baseline to guide them. Chapter two of this book tells us about some government frameworks that specify how to do security planning and implementation. These governance frameworks focus on somewhat different areas, so managers should pick a government framework which is suitable for their companies.
In section 2.6, they discuss separation of duties, employee collusion, and monitoring for unapproved processes. The authors provide an interesting example of job rotation and mandatory vacations for employees. The authors' thinking for this policy is that an employee typically needs to be working in order to maintain an unapproved process. A mandatory vacation would make maintaining this process difficult and would likely bring unauthorized processes to the surface.
This chapter mainly introduces information security policies, which are mainly classified into four categories: hierarchical protection, hierarchical protection, network isolation, and security monitoring. It is management’s commitment to the use, operation and security of information systems and assets. It is driven by business goals and continuously updated as technology advances.
For companies, security management is more important than security technology, but management is complex and abstract, and there are no concrete objects to illustrate it. So, in the process of IT security management, we can refer to some governance frameworks (e.g. COSO, Cobit, and ISO27002) to deal with IT security planning, implementation, monitoring, and some initial improvement issues.
The plan-protect-response cycle is a formal security management process that has three steps: plan, protect, and respond. The whole cycle starts with planning, and protection is the creation and operation of plan-based countermeasures.
Finally, some governance frameworks, including COSO, COBIT, and ISO 27000, were discussed. The framework helps companies by providing a systematic approach to IT security planning, implementation, monitoring, and incremental improvement.
This chapter focuses on understanding the importance of security management over security technology, including the plan-protect-response cycle and several different laws and regulations that are critical to IT security management today.
Information security strategy is the most important step for an organization to solve information security problems, and it is also the foundation of the organization’s entire information security system. Information security is not a natural requirement but a requirement after experiencing information loss. Therefore, management is essential for information security.
There can never be unbreakable information security. As a guarantee, the information security plan needs to be prepared in two aspects. The first aspect is policy, which requires continuous monitoring and enhancement of systems, processes and personnel. These policies will serve the company by focusing on the areas the company needs.
Complete, absolute information security does not exist, and the plan-protect-response cycle is a formal top-level security management process consisting of three steps: plan, protect, and respond. Relevant responsible persons can try their best to minimize information security risks through this process.
After reading this document, I learned about the importance of security management and security technology; meanwhile, the owners and managers of a company should pay more attention to security management rather than security technology, but this document did not give enough information to let me understand the objections to applying security management in a company.
The process of managing information security is plan-protect-respond. Planning and policies should be the top-level design in the process of IT security management. It cannot be a guide that cannot be put into practice. It must be designed according to the importance of information security to the enterprise and its closeness to the business. The resources planned to be used shall not exceed the resources that the enterprise can and is willing to provide. This chapter discusses many frameworks, including COSO, COBIT and ISO27000. These frameworks can provide a basis for enterprises to establish information security plans. In fact, although we can consider all aspects through the framework, very few companies can complete it in practice. Moreover, these frameworks do not provide best practices. After all, this kind of risk control is far less important than profitability. However, enterprises should at least meet the minimum safety standards.
Many companies have relatively good security plans, protections, and response capabilities. To plan for the future, however, even well-prepared companies need to understand the driving forces that will require them to change their security planning, protections, and response.
In this chapter, I learnt about the importance of security management and security technology. From the severe cases presented in the chapter, we can see that a small flaw in the policy may cause unbearable results. Security policy requires continuous monitoring and enhancement of systems, processes, and people, while also meeting the requirements of "laws, regulations, related policies, processes, and procedures". The companies should make better plans – especially the security plan and back-up plan (in case of attacks or accidents) – for long-term well-being.