“ Information Security is the pratice of protecting information resources. The importance of INFOSEC has increased dramatically since the creation of computer networks. Security professionals are constantly attempting to remain current with the new technologies, to maintain the security of networks and system.” (Principles of Network Security)
This principle link that applies the previous seven secure-design principles. For psychological acceptability to apply to a technology, the interface must be designed for ease of use, also requires minimal intrusion of technology.
“ a computer is secure if you can depend on it and its software to behave as you expect!” (Pratical unix & internet Security, Garfinkle, et al.)
IT professionals tend to think of assets in tangible terms (database, web servers and routers are assets requiring protection). Unfortunately, this myopic view of assets to recognize that what really needs protection are the business process these assets supports.
What flows throuth this equipments are the most important thing for a business: information.
Asset Value x % of loss from realized threat = SLE
ABC company has an application server whose value has been determined to be $25.000. If a hardware failure occurs and the application server is unavailable for one hour, $5.000 in productivity will be lost. The cost of the realized threat divided by the asset value, yields the percentage of loss from a realized threat. The realized threat is 20 percent. The product of the asset´s $25.000 value and the 20% loss from the threat is the SLE, in this case the SLE is $5.000.
“ Security policies are a critical part of an organisation´s network security structure Policies are used to set the direction for guidelines, standards and procedures. The generation of security policies is a top-down initiative. Management must clearly state and demonstrate their support for a culture of security.”
“ Organisation X acknowledges an obligation to ensure appropriate security for all information technology data in its domain of ownership and control. Organisation X will provide adequate protection and confidentiality of all corporate data and proprietary software systems, whether help centrally, locally or remotely. Organisation X will ensure the availability of data and programs to authorized personnel and the integrity of all data ans configuration controls. This obligations is shared to varying degrees, by every employee of Organisation X.”
BCP begins with the risk management process. Risk management define assets needgin protection, their vulnerabilitities, and the possible threats to the assets. Countermeasures are deployed to mitigate risk, however risk cannot be eliminated completely.
The BIA is a quantitative analysis of each risk, to determine how an organisation will continue to operate during a crisis, and recover afterward. Once a risk is realized, businesses must react quickly to remain open and available to customers.
A remote office/branch office (ROBO) is sometimes referred to as a satellite office. Typically have fewer employees and recources than a main office or headquarter. In most environments ROBO needs access to recources such as a file server, located at headquarters
Two or more gateways of firewalls protecting the networking entry points.
Leased Line were the connectivity solution of choice for ROBOs, but VPNs over public lines are becoming more common. If VPN solutions is chosen, encryption should be strong enough to protect the confidentiality and integrity of the data in transit.
Typically less than 100 people, have fewr that 50 hosts on their network. Networks are typically flat (no segmented with vlans, routers, firewalls,etc). One person for IT “department” and that person must wear many hats!