Managing risk is a major goal in the business world. the goal of IT professionals always seems to be to eliminate it, which is unrealistic. A more realistic approach for businesses is the reasonable risk approach; maintaining the risks associated with the information systems they process and store. The IT department is an emerging department for most companies, but the IT security department is inextricably linked to the other departments and is subject to continuous improvement. A good security management process is the Plan-Protect-Respond cycle, which allows security to continually improve so that they can achieve total security across the organization.
With the development of information technology, IT system has become an indispensable part of the enterprise operation process. However, with this comes an increasing need for IT system security. The implementation of a security plan can help enterprises effectively respond to various types of network threats and protect the security and integrity of core business data. This article will explore the development and implementation of a complete I system security plan. We need: risk assessment, development of security policies, establishment of security teams, staff training, implementation of security control measures, regular drills and assessments, emergency response, regular updates and evolution, etc.
The key thing I found is that the project protection response cycle is a formal security management process that has three steps: plan, protect, and respond. The whole cycle starts with planning, and protection is the creation and operation of countermeasures based on the plan.
In my opinion, there is no absolute security in IT network. With the progress of network development, network security system should be updated frequently and internal training of employees should be strengthened. Minimize risks.
Security Planning Policy:
The organization establishes and maintains a formal, documented security planning policy that outlines the purpose, scope, roles, responsibilities, and management commitment related to security planning. This policy is periodically reviewed and updated to ensure its effectiveness and alignment with applicable laws, regulations, and standards. The policy also addresses coordination among organizational entities and compliance with security planning controls.
Controls:
The organization develops, disseminates, and periodically reviews and updates standard procedures to support the implementation of the security planning policy and associated controls. These procedures ensure that security planning practices are consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidance. The security planning procedures are designed to address the requirements for confidentiality, integrity, and availability of information and can be incorporated into the organization’s general information security policy. Additionally, specific security planning procedures can be developed as needed for individual information systems.
Planning and Policy provides valuable insights into the strategic aspects of information security management. The chapter emphasizes the importance of comprehensive planning and well-defined policies in ensuring the effectiveness of an organization’s information security program. The chapter highlights the significance of policies in shaping the behavior and practices of individuals within an organization. It discusses the role of policies in defining acceptable use of information assets, establishing procedures for incident response, and ensuring compliance with regulatory requirements.
My area of interest lies in the fact that this chapter discusses some popular governance frameworks such as COSO, Cobit, and IOS 27002.These frameworks assist companies by providing a systematic approach to IT security planning, implementation, monitoring, and incremental improvements. COSO, for example, categorizes its control objects into eight sections, including internal environment, goal setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. One can only imagine how difficult it is to keep an organization safe in the long run without good safety management practices such as annual planning, incident handling, and planning processes.
This chapter discusses why information security planning is critical for organizations and how to develop and implement effective security policies. One of the things that struck me the most was the description of the key policy elements that should be included in an information security policy, which focuses on the goals, principles, responsibilities, management framework, compliance requirements, and training and education programs for information security.
One of my main gains is compliance with regulations. The sentence that stood out to me was: “Driving forces are what require companies to change their security planning, protection, and response.” Perhaps the most important driver for businesses today is compliance laws and regulations, which place requirements on corporate security.”
In today’s dynamic environment, you have to be agile and worry not only about threats and vulnerabilities, but also about how changes in laws and regulations will affect your organization’s current environment. Factors such as cost, resources, and redesigning processes can be time-consuming and costly for organizations. However, protecting the public is even more important, and data privacy is critical. Top management and the board of directors are accountable to stakeholders, ensuring compliance with privacy laws and regulations, and setting a good tone at the top. Another concern is that if an organization is international and there are different regulations between countries, there may be inconsistencies. In this case, the best practice is to adhere to the strictest set of laws in order to cover the entire organization and maintain consistency.
Based on the reading, I think it’s very important for the organization to apply action before the issue happens. The organization needs to plan ahead and be more productive activities. If a company wants to have good planning and policy, the IT department has to communicate with other departments to know the work environment of different departments.
From the contents of this chapter, I have come to realize that security is not a static product, but a dynamic evolutionary process. This means that we cannot rely on one-off security measures alone, but need to constantly review, optimize, and enhance our systems, processes, and people. With the rapid advancement of technology and the increasing sophistication and variability of cyber-attacks, it is also important to keep our defense strategies continuously updated and to disseminate this security knowledge and best practices throughout the organization.
More importantly, I recognize that comprehensive security requires strong organizational support. Reasonable allocation of human resources, clarification of each department’s responsibilities and coordination between resources are the foundation for building a solid security system. The core purpose of the security management process is to ensure that the organization remains stable in the face of a complex and changing threat environment, so as to achieve the company’s overall security objectives. And since the weak link in security is often the human factor, we need to have clear policies and processes in place to guide and educate employees to follow best security practices.
In addition to this, security management processes play the role of compliance guardians. Different industries have different legal and regulatory requirements, such as PCI-DSS, HIPAA, and other regulations such as the Sarbanes Oxley and Gamm-Leach-Bliley Act (GLBA). Involving the information security team early in the system development process ensures that our work not only meets the security requirements, but also complies with the relevant laws and regulations, thus providing the company with a robust and compliant operating environment.
In summary, security is an evolving process that requires strong organizational and compliance management to support it. By developing a clear security strategy and process, we can better protect our organization from various threats and ensure our company’s sound operation and long-term development.
With the ever-growing importance of information technology in enterprise operations, the need for robust IT system security has become paramount. A comprehensive IT system security plan is crucial to effectively address various network threats and safeguard the security and integrity of core business data. Such a plan encompasses multiple aspects, including risk assessment, the development of comprehensive security policies, the establishment of dedicated security teams, staff training, the implementation of security control measures, regular drills and assessments, emergency response mechanisms, and regular updates and evolution. These elements, when combined, form a solid foundation for an effective information security management program.
Planning and Policy play a pivotal role in guiding the strategic direction of information security. They provide valuable insights into the strategic aspects of information security management, emphasizing the importance of comprehensive planning and well-defined policies. These policies not only ensure the effectiveness of an organization’s information security program but also shape the behavior and practices of individuals within the organization. By defining acceptable use of information assets, establishing procedures for incident response, and ensuring compliance with regulatory requirements, policies play a crucial role in maintaining the integrity and security of an organization’s IT systems.
After reading Chapter 2, one thing I learned from this reading is that many organizations have the technology but lack the management to make security effective over time. When administrators fail to check system security on a daily basis, issues can go undetected for weeks or months, leading to larger threats or vulnerabilities. If the security process must be managed comprehensively, then a sound security management process is essential. It starts with an excellent plan to protect and screen for errors with good security. Finally, timely and accurate responses, both can reflect whether measures are in place when a real breach in system security occurs. On the other hand, compliance with laws and regulations is necessary as an external factor motivating companies to formalize their security processes. Many compliance regimes require companies to adopt specific formal governance frameworks to drive security planning and operational management. This has led to the company’s operations and processes becoming more legitimate.
In the business world, risk is always present, managers can not eliminate it, we can only control it in an acceptable range. With the continuous development of technology, security is not a static concept, security is a dynamic process. This chapter emphasizes the importance of comprehensive planning and a clear strategy to ensure an organization’s information security program is effective. Organization needs: risk assessment, development of security policies, establishment of security teams, personnel training, implementation of security control measures, regular drills and assessments, emergency response, regular updates and evolution, etc.
Planning and policy provide valuable insights into the strategic aspects of information security management. Comprehensive and rigorous, it would be better if the teacher could give some of the most cutting-edge knowledge in the field, or what adjustments the Federation made in this area in 2023.
The core of continuous management in IT security management is continuous monitoring, evaluation, and improvement. Continuous monitoring can help identify potential security vulnerabilities and threats, and take timely measures to address them. Continuous evaluation can ensure the effectiveness and compliance of security measures, and timely adjust and improve security strategies. Continuous improvement can be achieved through learning and feedback mechanisms to continuously enhance the effectiveness and adaptability of security management, in response to constantly changing threat environments. The core of continuous management is to establish a cyclical process, constantly iterating and optimizing security management measures to ensure the security and reliability of information systems.
Policy development and implementation: How policy is developed, what factors influence policy development, and how policy is implemented in practice.
Planning Framework and policy: The relationship between a planning framework (such as a zoning, transportation, or land use plan) and the policies that guide its creation and implementation.
Stakeholder engagement: The importance of involving different stakeholders in the planning and decision-making process and the impact of their input on the final outcome.
Sustainable development and planning: how planning and policy contribute to sustainable development, environmental protection and social well-being.
Evaluation and monitoring: Ways to assess the effectiveness of programme and policy interventions and how to modify them based on feedback and evaluation results.
Case studies and applications: practical programming and policy implementation cases, including successes, failures and lessons learned.
A key concept of this chapter is safety management and how difficult it is to keep an organization long-term safe without good safety management practices in annual planning, incident events, planning processes, etc. Ultimately, the organization needs to try to close all possible attack paths for a system, which can be difficult because some security components need to work together seamlessly to successfully mitigate attacks. A good safety management process is the planning-protection-response cycle, which allows continuous security improvements and overall security throughout the organization.
This chapter emphasizes the importance of continuous monitoring and evaluation of governance frameworks to ensure their effectiveness and adaptability in rapidly changing network security environments.
Under the premise of complying with information security policies, an organization effectively applies the “Information and Information System Security Classification Standards,” “Mapping Information Types to Security Classification,” “Security Control Baseline Review,” and “Plan Control,” standardizes information classification, security classification, and reasonably selects security controls, and determines the risk management framework according to the security lifecycle.
1.IT planning
is the strategic planning process I defines the business strategy on which the TT strategy is based. The strategic plan involves documenting and establishing the direction for the IT organisation and ensuring that it is aligned with the business objectives. It is therefore critical that one should be familiar with the concept of strategic planning. Understanding the strategic planning process and techniques will drive the development of an I strategy that is defined and executed based on business requirements.
Each business operates in a different environment; this environment is determined by external factors (market, industry, geopolitics, etc.) and internal factors (culture, organisation, risk appetite, etc.) and therefore requires customised governance and management systems. Stakeholder needs have to be translated into executable strategies for the enterprise. They should help the enterprise in its strategic planning.
2.Policies
Policies are effective and their content must be concise and clear. Management must be responsible for policies being summary documents that reflect the organisation’s corporate philosophy. A positive control environment is created to ensure that policies are in place. In addition to defining the overall vision of the organisation, develop, document, publish and control policies that cover the overall objectives and references. In order to achieve strategic consistency, these divisional and departmental policies are in addition to the corporate policies for the direction of the division, and each division should also develop policies at the appropriate level that must be consistent with the corporate level.
Policy is one of the elements of governance. Principles are the communication mechanisms that are put in place to convey the directives and instructions from the governance team and management policies as well as management. Policies provide additional guidance on putting principles into practice. Good policies are effective, efficient and non-intrusive.
From this chapter, I learned a core idea: security is not a static product, but a continuous evolution process. Far from being an overnight task, it requires constant monitoring and optimization of system architecture, operational processes, and human behavior. The rapid change of technology has brought about the constant renovation of the means of attack by hackers, so our defense strategy must be updated with The Times. At the same time, there must be a deep understanding and awareness of these new security measures within the organization, and the security team needs to closely track the development of new technologies to ensure the effectiveness of defenses. More importantly, without an orderly organizational structure, comprehensive security is impossible. Therefore, reasonable deployment of personnel and clear definition of the relationship between departments and resources are the cornerstone of building a comprehensive security protection system.
A key concept of this chapter is security management and how difficult it is to keep an organization secure long term without good security management practices such as annual planning, handling incidents, process of planning, etc. Ultimately, organizations need to attempt to close all possible attack routes for a system which can be difficult because some security components need to seamlessly work together to successfully mitigate attacks and the weakest-link tends to be humans. Humans may configure security settings incorrectly or negligence of not checking logs and a single failure of security could allow an attack to be successful. A good security management process is the plan-protect-respond cycle which allows security to improve constantly so they may achieve comprehensive security across the organization.
Through the content of this chapter, I realize that drivers are the factors that require companies to change their security planning, protection, and response. Security measures are not achieved overnight, but a dynamic evolution process. We need to constantly review, optimize and enhance our systems, processes and people. Development and implementation of a complete system security plan, including risk assessment, development of security policies, establishment of support teams, training of staff, implementation of security controls, regular exercises and assessments, emergency response, regular updates and evolution, etc. Rational allocation of human resources, clear responsibilities of each department.
Various governance frameworks are mentioned in this chapter, such as COBIT, ISO 2700, COSO, and NIST. Each of them provides a systematic approach to IT security planning. I found that the COBIT framework is interested to me. This framework is so important because it helps enterprise maintain high-quality information to support business decisions, achieve strategic goals through effective and innovative use of IT, obtain operational excellence through efficient application of technology and also maintain IT-related risk to an acceptable level.
In order to have the best planning and defense in the company, the IT security department must have productive and good relationships with all other business functions (e.g., human resources, legal, audit, facilities management, ethics, compliance and privacy officers. it security professionals must learn to speak the language of other departments in order to understand their situations and communicate well with them. Compliance laws and regulations are also necessary as external factors that motivate companies to standardize their security processes. Many compliance regimes require companies to adopt specific formal governance frameworks to drive security planning and operational management. This results in the company’s operations and processes becoming more legitimate.
Managing risk is a major goal in the business world. the goal of IT professionals always seems to be to eliminate it, which is unrealistic. A more realistic approach for businesses is the reasonable risk approach; maintaining the risks associated with the information systems they process and store. The IT department is an emerging department for most companies, but the IT security department is inextricably linked to the other departments and is subject to continuous improvement. A good security management process is the Plan-Protect-Respond cycle, which allows security to continually improve so that they can achieve total security across the organization.
With the development of information technology, IT system has become an indispensable part of the enterprise operation process. However, with this comes an increasing need for IT system security. The implementation of a security plan can help enterprises effectively respond to various types of network threats and protect the security and integrity of core business data. This article will explore the development and implementation of a complete I system security plan. We need: risk assessment, development of security policies, establishment of security teams, staff training, implementation of security control measures, regular drills and assessments, emergency response, regular updates and evolution, etc.
The key thing I found is that the project protection response cycle is a formal security management process that has three steps: plan, protect, and respond. The whole cycle starts with planning, and protection is the creation and operation of countermeasures based on the plan.
In my opinion, there is no absolute security in IT network. With the progress of network development, network security system should be updated frequently and internal training of employees should be strengthened. Minimize risks.
Security Planning Policy:
The organization establishes and maintains a formal, documented security planning policy that outlines the purpose, scope, roles, responsibilities, and management commitment related to security planning. This policy is periodically reviewed and updated to ensure its effectiveness and alignment with applicable laws, regulations, and standards. The policy also addresses coordination among organizational entities and compliance with security planning controls.
Controls:
The organization develops, disseminates, and periodically reviews and updates standard procedures to support the implementation of the security planning policy and associated controls. These procedures ensure that security planning practices are consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidance. The security planning procedures are designed to address the requirements for confidentiality, integrity, and availability of information and can be incorporated into the organization’s general information security policy. Additionally, specific security planning procedures can be developed as needed for individual information systems.
Planning and Policy provides valuable insights into the strategic aspects of information security management. The chapter emphasizes the importance of comprehensive planning and well-defined policies in ensuring the effectiveness of an organization’s information security program. The chapter highlights the significance of policies in shaping the behavior and practices of individuals within an organization. It discusses the role of policies in defining acceptable use of information assets, establishing procedures for incident response, and ensuring compliance with regulatory requirements.
My area of interest lies in the fact that this chapter discusses some popular governance frameworks such as COSO, Cobit, and IOS 27002.These frameworks assist companies by providing a systematic approach to IT security planning, implementation, monitoring, and incremental improvements. COSO, for example, categorizes its control objects into eight sections, including internal environment, goal setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. One can only imagine how difficult it is to keep an organization safe in the long run without good safety management practices such as annual planning, incident handling, and planning processes.
This chapter discusses why information security planning is critical for organizations and how to develop and implement effective security policies. One of the things that struck me the most was the description of the key policy elements that should be included in an information security policy, which focuses on the goals, principles, responsibilities, management framework, compliance requirements, and training and education programs for information security.
One of my main gains is compliance with regulations. The sentence that stood out to me was: “Driving forces are what require companies to change their security planning, protection, and response.” Perhaps the most important driver for businesses today is compliance laws and regulations, which place requirements on corporate security.”
In today’s dynamic environment, you have to be agile and worry not only about threats and vulnerabilities, but also about how changes in laws and regulations will affect your organization’s current environment. Factors such as cost, resources, and redesigning processes can be time-consuming and costly for organizations. However, protecting the public is even more important, and data privacy is critical. Top management and the board of directors are accountable to stakeholders, ensuring compliance with privacy laws and regulations, and setting a good tone at the top. Another concern is that if an organization is international and there are different regulations between countries, there may be inconsistencies. In this case, the best practice is to adhere to the strictest set of laws in order to cover the entire organization and maintain consistency.
Based on the reading, I think it’s very important for the organization to apply action before the issue happens. The organization needs to plan ahead and be more productive activities. If a company wants to have good planning and policy, the IT department has to communicate with other departments to know the work environment of different departments.
From the contents of this chapter, I have come to realize that security is not a static product, but a dynamic evolutionary process. This means that we cannot rely on one-off security measures alone, but need to constantly review, optimize, and enhance our systems, processes, and people. With the rapid advancement of technology and the increasing sophistication and variability of cyber-attacks, it is also important to keep our defense strategies continuously updated and to disseminate this security knowledge and best practices throughout the organization.
More importantly, I recognize that comprehensive security requires strong organizational support. Reasonable allocation of human resources, clarification of each department’s responsibilities and coordination between resources are the foundation for building a solid security system. The core purpose of the security management process is to ensure that the organization remains stable in the face of a complex and changing threat environment, so as to achieve the company’s overall security objectives. And since the weak link in security is often the human factor, we need to have clear policies and processes in place to guide and educate employees to follow best security practices.
In addition to this, security management processes play the role of compliance guardians. Different industries have different legal and regulatory requirements, such as PCI-DSS, HIPAA, and other regulations such as the Sarbanes Oxley and Gamm-Leach-Bliley Act (GLBA). Involving the information security team early in the system development process ensures that our work not only meets the security requirements, but also complies with the relevant laws and regulations, thus providing the company with a robust and compliant operating environment.
In summary, security is an evolving process that requires strong organizational and compliance management to support it. By developing a clear security strategy and process, we can better protect our organization from various threats and ensure our company’s sound operation and long-term development.
With the ever-growing importance of information technology in enterprise operations, the need for robust IT system security has become paramount. A comprehensive IT system security plan is crucial to effectively address various network threats and safeguard the security and integrity of core business data. Such a plan encompasses multiple aspects, including risk assessment, the development of comprehensive security policies, the establishment of dedicated security teams, staff training, the implementation of security control measures, regular drills and assessments, emergency response mechanisms, and regular updates and evolution. These elements, when combined, form a solid foundation for an effective information security management program.
Planning and Policy play a pivotal role in guiding the strategic direction of information security. They provide valuable insights into the strategic aspects of information security management, emphasizing the importance of comprehensive planning and well-defined policies. These policies not only ensure the effectiveness of an organization’s information security program but also shape the behavior and practices of individuals within the organization. By defining acceptable use of information assets, establishing procedures for incident response, and ensuring compliance with regulatory requirements, policies play a crucial role in maintaining the integrity and security of an organization’s IT systems.
After reading Chapter 2, one thing I learned from this reading is that many organizations have the technology but lack the management to make security effective over time. When administrators fail to check system security on a daily basis, issues can go undetected for weeks or months, leading to larger threats or vulnerabilities. If the security process must be managed comprehensively, then a sound security management process is essential. It starts with an excellent plan to protect and screen for errors with good security. Finally, timely and accurate responses, both can reflect whether measures are in place when a real breach in system security occurs. On the other hand, compliance with laws and regulations is necessary as an external factor motivating companies to formalize their security processes. Many compliance regimes require companies to adopt specific formal governance frameworks to drive security planning and operational management. This has led to the company’s operations and processes becoming more legitimate.
In the business world, risk is always present, managers can not eliminate it, we can only control it in an acceptable range. With the continuous development of technology, security is not a static concept, security is a dynamic process. This chapter emphasizes the importance of comprehensive planning and a clear strategy to ensure an organization’s information security program is effective. Organization needs: risk assessment, development of security policies, establishment of security teams, personnel training, implementation of security control measures, regular drills and assessments, emergency response, regular updates and evolution, etc.
Planning and policy provide valuable insights into the strategic aspects of information security management. Comprehensive and rigorous, it would be better if the teacher could give some of the most cutting-edge knowledge in the field, or what adjustments the Federation made in this area in 2023.
The core of continuous management in IT security management is continuous monitoring, evaluation, and improvement. Continuous monitoring can help identify potential security vulnerabilities and threats, and take timely measures to address them. Continuous evaluation can ensure the effectiveness and compliance of security measures, and timely adjust and improve security strategies. Continuous improvement can be achieved through learning and feedback mechanisms to continuously enhance the effectiveness and adaptability of security management, in response to constantly changing threat environments. The core of continuous management is to establish a cyclical process, constantly iterating and optimizing security management measures to ensure the security and reliability of information systems.
Policy development and implementation: How policy is developed, what factors influence policy development, and how policy is implemented in practice.
Planning Framework and policy: The relationship between a planning framework (such as a zoning, transportation, or land use plan) and the policies that guide its creation and implementation.
Stakeholder engagement: The importance of involving different stakeholders in the planning and decision-making process and the impact of their input on the final outcome.
Sustainable development and planning: how planning and policy contribute to sustainable development, environmental protection and social well-being.
Evaluation and monitoring: Ways to assess the effectiveness of programme and policy interventions and how to modify them based on feedback and evaluation results.
Case studies and applications: practical programming and policy implementation cases, including successes, failures and lessons learned.
A key concept of this chapter is safety management and how difficult it is to keep an organization long-term safe without good safety management practices in annual planning, incident events, planning processes, etc. Ultimately, the organization needs to try to close all possible attack paths for a system, which can be difficult because some security components need to work together seamlessly to successfully mitigate attacks. A good safety management process is the planning-protection-response cycle, which allows continuous security improvements and overall security throughout the organization.
This chapter emphasizes the importance of continuous monitoring and evaluation of governance frameworks to ensure their effectiveness and adaptability in rapidly changing network security environments.
Under the premise of complying with information security policies, an organization effectively applies the “Information and Information System Security Classification Standards,” “Mapping Information Types to Security Classification,” “Security Control Baseline Review,” and “Plan Control,” standardizes information classification, security classification, and reasonably selects security controls, and determines the risk management framework according to the security lifecycle.
1.IT planning
is the strategic planning process I defines the business strategy on which the TT strategy is based. The strategic plan involves documenting and establishing the direction for the IT organisation and ensuring that it is aligned with the business objectives. It is therefore critical that one should be familiar with the concept of strategic planning. Understanding the strategic planning process and techniques will drive the development of an I strategy that is defined and executed based on business requirements.
Each business operates in a different environment; this environment is determined by external factors (market, industry, geopolitics, etc.) and internal factors (culture, organisation, risk appetite, etc.) and therefore requires customised governance and management systems. Stakeholder needs have to be translated into executable strategies for the enterprise. They should help the enterprise in its strategic planning.
2.Policies
Policies are effective and their content must be concise and clear. Management must be responsible for policies being summary documents that reflect the organisation’s corporate philosophy. A positive control environment is created to ensure that policies are in place. In addition to defining the overall vision of the organisation, develop, document, publish and control policies that cover the overall objectives and references. In order to achieve strategic consistency, these divisional and departmental policies are in addition to the corporate policies for the direction of the division, and each division should also develop policies at the appropriate level that must be consistent with the corporate level.
Policy is one of the elements of governance. Principles are the communication mechanisms that are put in place to convey the directives and instructions from the governance team and management policies as well as management. Policies provide additional guidance on putting principles into practice. Good policies are effective, efficient and non-intrusive.
From this chapter, I learned a core idea: security is not a static product, but a continuous evolution process. Far from being an overnight task, it requires constant monitoring and optimization of system architecture, operational processes, and human behavior. The rapid change of technology has brought about the constant renovation of the means of attack by hackers, so our defense strategy must be updated with The Times. At the same time, there must be a deep understanding and awareness of these new security measures within the organization, and the security team needs to closely track the development of new technologies to ensure the effectiveness of defenses. More importantly, without an orderly organizational structure, comprehensive security is impossible. Therefore, reasonable deployment of personnel and clear definition of the relationship between departments and resources are the cornerstone of building a comprehensive security protection system.
A key concept of this chapter is security management and how difficult it is to keep an organization secure long term without good security management practices such as annual planning, handling incidents, process of planning, etc. Ultimately, organizations need to attempt to close all possible attack routes for a system which can be difficult because some security components need to seamlessly work together to successfully mitigate attacks and the weakest-link tends to be humans. Humans may configure security settings incorrectly or negligence of not checking logs and a single failure of security could allow an attack to be successful. A good security management process is the plan-protect-respond cycle which allows security to improve constantly so they may achieve comprehensive security across the organization.
Through the content of this chapter, I realize that drivers are the factors that require companies to change their security planning, protection, and response. Security measures are not achieved overnight, but a dynamic evolution process. We need to constantly review, optimize and enhance our systems, processes and people. Development and implementation of a complete system security plan, including risk assessment, development of security policies, establishment of support teams, training of staff, implementation of security controls, regular exercises and assessments, emergency response, regular updates and evolution, etc. Rational allocation of human resources, clear responsibilities of each department.
Various governance frameworks are mentioned in this chapter, such as COBIT, ISO 2700, COSO, and NIST. Each of them provides a systematic approach to IT security planning. I found that the COBIT framework is interested to me. This framework is so important because it helps enterprise maintain high-quality information to support business decisions, achieve strategic goals through effective and innovative use of IT, obtain operational excellence through efficient application of technology and also maintain IT-related risk to an acceptable level.
In order to have the best planning and defense in the company, the IT security department must have productive and good relationships with all other business functions (e.g., human resources, legal, audit, facilities management, ethics, compliance and privacy officers. it security professionals must learn to speak the language of other departments in order to understand their situations and communicate well with them. Compliance laws and regulations are also necessary as external factors that motivate companies to standardize their security processes. Many compliance regimes require companies to adopt specific formal governance frameworks to drive security planning and operational management. This results in the company’s operations and processes becoming more legitimate.