For our discussion question, we focus on recent trends in security technologies and security operations. Staying current with various security tools is an important characteristic of a proficient security manager. One method to discover new technologies is to attend security related conferences and network with other security professionals about current and trending best practices. For your discussion question, choose two relevant and recent physical security technologies and describe them. As part of your detailed description, provide:
1) Specific information about the technology's function and application;
2) The type of facilities that the technology would be best suited for;
3) The assets that the technology would best be used to protect;
4) The likely vulnerabilities that the technology would best address;
5) Methods in which the technology would be integrated with other technologies;
6) The number and type of personnel that will need to be committed to the operation of the technology;
7) Special considerations for policies and procedures to fully implement the technology; and
8) A likely budget needed to implement the technology.
If you are impressed with a particular security technology that your organization uses, share it. Include any relevant hyperlinks and attach any pictures if applicable. Here are some security categories of technologies that you may select. Please make sure your posting covers a specific technology rather than a broad category:
- Intrusion Detection
- Screening Technologies
- Access Control Technologies
- Assessment/Surveillance Technologies
- Communications Technologies
- Central Control Technologies
- Security Lighting
Make certain that you do not duplicate another student's contribution. You can select a "different" technology from the same category.
Solution
Information security management is the process of defining the security controls needed to protect the organization's information assets.
Security Program
The first action of a management program to implement information security is to have a security program in place. Though some argue the first act would be to gain some real "proof of concept" security knowledge, the kind that can be explained through what is displayed on the monitor screen. Start with, for example, understanding where OS passwords are stored within a file within a directory. If you don't understand operating systems at the root directory level, maybe you should seek out advice from somebody who does before even beginning to implement security program management and objectives.
Security Program Objectives
Protect the company and its assets.
Manage Risks by Identifying assets, discovering threats and estimating the risk
Provide direction for security activities by framing of information security policies, procedures,
standards, guidelines and baselines
Information Classification
Security Organization and
Security Education
Security Management Responsibilities
Determining the objectives, scope and policies, and what is expected to be accomplished from a security program.
Evaluating business objectives, security risks, user productivity, and functionality requirements.
Defining steps to ensure that all the above are accounted for and properly addressed.
Approaches to Build a Security Program
Top-Down Approach
The initiation, support, and direction come from top management and work their way through middle management and then to staff members.
Treated as the best approach, but it seems to be based on the "I get paid more, therefore I must know more about everything" type of mentality.
Ensures that senior management, who are ultimately responsible for protecting the company's assets, are driving the program.
Bottom-Up Approach
The lower-end team comes up with a security control or a program without proper management support and direction.
It is often considered less effective and doomed to fail for the same flaw in thinking as above: I get paid more, therefore I must know more about everything.
Since advancement is directly tied to how well you can convince others, who often fall outside of your job duties and department, of your higher value to the company as stated in your own written communication, this leads to amazing resume writers and take-no-blame style email responses that seem to lead to the eventual failure of the company's standards and actual knowledge. It is often covered up by the relationships which form at the power levels within any group of people, and by those who are considered so-called experts having no real idea what is really involved under the hood of the reports/applications they use, with no proof presented in the emails written when self-declared claims of their expertise are made or blame is to be put on another.
Security Controls
Security Controls can be classified into three categories
Administrative Controls which include
Developing and publishing of policies, standards, procedures, and guidelines.
Screening of personnel.
Conducting security-awareness training and
Implementing change control procedures.
Technical or Logical Controls which include
Implementing and maintaining access control mechanisms.
Password and resource management.
Identification and authentication methods
Security devices and
Configuration of the infrastructure.
Physical Controls which include
Controlling individual access into the facility and different departments
Locking systems and removing unnecessary floppy or CD-ROM drives
Protecting the perimeter of the facility
Monitoring for intrusion and
Environmental controls.
Security Note: It is the responsibility of the information owner (usually a senior executive within the management group or the head of a specific department) to protect the data; the owner is expected to exercise due care and is liable in a court of law for any kind of negligence.
The Elements of Security
Vulnerability
It is a software, hardware, or procedural weakness that may provide
Security Policies, Procedures, Standards, Guidelines, and Baselines
Policies
A security policy is an overall general statement produced by senior management (or a selected
policy board or committee) that dictates what role security plays within the organization.
A well designed policy addresses:
- What is being secured? Typically an asset.
- Who is expected to comply with the policy? Typically employees.
- Where is the vulnerability, threat or risk? Typically an issue of integrity or responsibility.
Types of Policies
Regulatory: This type of policy ensures that the organization is following standards set by
specific industry regulations. This policy type is very detailed and specific to a type of industry.
This is used in financial institutions, health care facilities, public utilities, and other government-
regulated industries. E.g.: TRAI.
Advisory: This type of policy strongly advises employees regarding which types of behaviors
and activities should and should not take place within the organization. It also outlines possible
ramifications if employees do not comply with the established behaviors and activities. This
policy type can be used, for example, to describe how to handle medical information, handle
financial transactions, or process confidential information.
Informative: This type of policy informs employees of certain topics. It is not an enforceable
policy, but rather one to teach individuals about specific issues relevant to the company. It could
explain how the company interacts with partners, the company's goals and mission, and a
general reporting structure in different situations.
Types of Security Policies
Organizational
Management establishes how a security program will be set up, lays out the program's goals,
assigns responsibilities, shows the strategic and tactical value of security, and outlines how
enforcement should be carried out.
Provides scope and direction for all future security activities within the organization.
This policy must address relative laws, regulations, and liability issues and how they are to be
satisfied.
It also describes the amount of risk senior management is willing to accept.
Characteristics
Business objectives should drive the policy's creation, implementation, and enforcement. The
policy should not dictate business objectives.
It should be an easily understood document that is used as a reference point for all employees
and management.
It should be developed and used to integrate security into all business functions and processes.
It should be derived from and support all legislation and regulation applicable to the company.
It should be reviewed and modified as a company changes, such as through adoption of a new
business model, merger with another company, or change of ownership.
Each iteration of the policy should be dated and under version control.
The units and individuals who are governed by the policy must have access to the applicable portions and should not be expected to read all policy material to find direction and answers.
Issue-specific
Addresses specific security issues that management feels need more detailed explanation and attention, to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
E.g.: An e-mail policy might state that management can read any employee's e-mail messages that reside on the mail server, but not when they reside on the user's workstation.
System-specific
Presents the management's decisions that are specific to the actual computers, networks,
applications, and data.
This type of policy may provide an approved software list, which contains a list of applications
that may be installed on individual workstations.
E.g.: This policy may describe how databases are to be used and protected, how computers are
to be locked down, and how firewalls, IDSs, and scanners are to be employed.
Standards
Standards refer to mandatory activities, actions, rules, or regulations.
Standards give a policy its support and reinforce its direction.
Standards can be internal or externally mandated (government laws and regulations).
Procedures
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
E.g.: we can write procedures on how to install operating systems, configure security
mechanisms, implement access control lists, set up new user accounts, assign computer
privileges, audit activities, destroy material, report incidents, and much more.
Procedures are considered the lowest level in the policy chain because they are closest to the
computers and users (compared to policies) and provide detailed steps for configuration and
installation issues.
Procedures spell out how the policy, standards, and guidelines will actually be implemented in
an operating environment.
If a policy states that all individuals who access confidential information must be properly authenticated, the supporting procedures will explain the steps for this to happen by defining the access criteria for authorization, how access control mechanisms are implemented and configured, and how access activities are audited.
Baselines
A baseline can refer to a point in time that is used as a comparison for future changes. Once
risks have been mitigated, and security put in place, a baseline is formally reviewed and agreed
upon, after which all further comparisons and development are measured against it.
A baseline results in a consistent reference point.
Baselines are also used to define the minimum level of protection that is required.
In security, specific baselines can be defined per system type, which indicates the necessary
settings and the level of protection that is being provided. For example, a company may stipulate
that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline.
Security Note : Baselines that are not technology-oriented should be created and enforced within
organizations as well. For example, a company can mandate that all employees must have a
badge with a picture ID in view while in the facility at all times. It can also state that visitors
must sign in at a front desk and be escorted while in the facility. If these are followed, then this
creates a baseline of protection.
Guidelines
Guidelines are recommended actions and operational guides to users, IT staff, operations staff,
and others when a specific standard does not apply.
Guidelines can deal with the methodologies of technology, personnel, or physical security.
Putting It All Together
A policy might state that access to confidential data must be audited. A supporting guideline
could further explain that audits should contain sufficient information to allow for reconciliation
with prior reviews. Supporting procedures would outline the necessary steps to configure,
implement, and maintain this type of auditing.
Policies are strategic (long term), while standards, guidelines and procedures are tactical (medium term).
Organizational Security Models
Some of the best practices that facilitate the implementation of security controls include Control
Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799,
Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset
and Vulnerability Evaluation (OCTAVE).
COSO
Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a U.S.
private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause
fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has
established a common definition of internal controls, standards, and criteria against which
companies and organizations can assess their control systems.
Key concepts of the COSO framework
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is affected by people. It’s not merely policy manuals and forms, but people at
every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to
an entity's management and board.
Internal control is geared to the achievement of objectives in one or more separate but
overlapping categories.
The COSO framework defines internal control as a process, effected by an entity's board of
directors, management and other personnel, designed to provide reasonable assurance regarding
the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.
COSO Internal Control Framework: the five components
According to the COSO framework, internal control consists of five interrelated components.
These components provide an effective framework for describing and analyzing the internal
control system implemented in an organization. The five components are the following:
Control Environment: The control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other components of internal
control, providing discipline and structure. Control environment factors include the integrity,
ethical values, management's operating style, delegation of authority systems, as well as the
processes for managing and developing people in the organization.
Risk assessment: Every entity faces a variety of risks from external and internal sources that
must be assessed. A precondition to risk assessment is establishment of objectives and thus risk
assessment is the identification and analysis of relevant risks to achievement of assigned
objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Control activities: Control activities are the policies and procedures that help ensure
management directives are carried out. They help ensure that necessary actions are taken to
address risks to achievement of the entity's objectives. Control activities occur throughout the
organization, at all levels and in all functions. They include a range of activities as diverse as
approvals, authorizations, verifications, reconciliations, reviews of operating performance,
security of assets and Separation of duties/segregation of duties.
Information and communication: Information systems play a key role in internal control systems
as they produce reports, including operational, financial and compliance-related information, that
make it possible to run and control the business. In a broader sense, effective communication
must ensure information flows down, across and up the organization. Effective communication
should also be ensured with external parties, such as customers, suppliers, regulators and
shareholders.
Monitoring: Internal control systems need to be monitored—a process that assesses the quality
of the system's performance over time. This is accomplished through ongoing monitoring
activities or separate evaluations. Internal control deficiencies detected through these moniw
Overview and Benefits
ITIL provides a systematic and professional approach to the management of IT service
provision. Adopting its guidance offers users a huge range of benefits that include:
reduced costs;
improved IT services through the use of proven best practice processes;
improved customer satisfaction through a more professional approach to service delivery;
standards and guidance;
improved productivity;
improved use of skills and experience; and
improved delivery of third party services through the specification of ITIL or ISO 20000 as the
standard for service delivery in services procurements.
FSB Advising Checklist - Orientation 2024
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 

For our discussion question, we focus on recent trends in security t.pdf

Solution

Information security management is the process of defining the security controls that protect an organization's information assets.
Security Program

The first action of a management program to implement information security is to put a security program in place. Some argue, though, that the first act should be to gain some real "proof of concept" security knowledge that can be demonstrated on screen: start, for example, by understanding where operating-system passwords are stored, in which file and in which directory. If you do not understand operating systems at the root-directory level, seek advice from somebody who does before you begin to implement security program management and objectives.
Security Program Objectives
- Protect the company and its assets.
- Manage risk by identifying assets, discovering threats and estimating the risk.
- Provide direction for security activities by framing information security policies, procedures, standards, guidelines and baselines.
- Information classification.
- Security organization and security education.

Security Management Responsibilities
- Determine the objectives, scope and policies, and what is expected to be accomplished by the security program.
- Evaluate business objectives, security risks, user productivity, and functionality requirements.
- Define steps to ensure that all of the above are accounted for and properly addressed.

Approaches to Building a Security Program

Top-Down Approach: The initiation, support and direction come from top management and work their way down through middle management to staff members. It is treated as the best approach, but seems to be based on an "I get paid more, therefore I must know more about everything" mentality. It ensures that the senior managers who are ultimately responsible for protecting the company's assets are driving the program.
Bottom-Up Approach: The lower-level team comes up with a security control or program without proper management support and direction. It is often considered less effective and doomed to fail, for the same flaw in thinking as above: "I get paid more, therefore I must know more about everything." Since advancement is directly tied to how well you can convince others, who often fall outside your job duties and department, of your higher value to the company through your own written communication, this leads to amazing resume writers and take-no-blame email responses, which seem to lead to the eventual failure of the company's standards and actual knowledge. This is often covered up by the relationships that form at the power levels within any group of people, and by so-called experts who have no real idea what is involved under the hood of the reports and applications they use, and who present no proof in the emails in which they declare their own expertise or put the blame on others.

Security Controls

Security controls can be classified into three categories.

Administrative Controls, which include:
- developing and publishing policies, standards, procedures, and guidelines;
- screening of personnel;
- conducting security-awareness training;
- implementing change control procedures.

Technical or Logical Controls, which include:
- implementing and maintaining access control mechanisms;
- password and resource management;
- identification and authentication methods;
- security devices;
- configuration of the infrastructure.

Physical Controls, which include:
- controlling individual access into the facility and its different departments;
- locking systems and removing unnecessary floppy or CD-ROM drives;
- protecting the perimeter of the facility;
- monitoring for intrusion;
- environmental controls.

Security Note: It is the responsibility of the information owner (usually a senior executive within the management group or the head of a specific department) to protect the data, and the owner carries the due care (liable in a court of law) for any kind of negligence.

The Elements of Security

Vulnerability: a software, hardware, or procedural weakness that may provide

Security Policies, Procedures, Standards, Guidelines, and Baselines

Policies
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
A well-designed policy addresses:
- What is being secured? Typically an asset.
- Who is expected to comply with the policy? Typically employees.
- Where is the vulnerability, threat or risk? Typically an issue of integrity or responsibility.

Types of Policies

Regulatory: This type of policy ensures that the organization is following standards set by specific industry regulations. It is very detailed and specific to a type of industry, and is used in financial institutions, health care facilities, public utilities, and other government-regulated industries. E.g.: TRAI.

Advisory: This type of policy strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, handle financial transactions, or process confidential information.

Informative: This type of policy informs employees about certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company's goals and mission, and the general reporting structure in different situations.

Types of Security Policies

Organizational: Management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy provides scope and direction for all future security activities within the organization.
This policy must address the relevant laws, regulations, and liability issues and how they are to be satisfied. It also describes the amount of risk senior management is willing to accept.

Characteristics of an organizational policy:
- Business objectives should drive the policy's creation, implementation, and enforcement; the policy should not dictate business objectives.
- It should be an easily understood document that is used as a reference point for all employees and management.
- It should be developed and used to integrate security into all business functions and processes.
- It should be derived from and support all legislation and regulation applicable to the company.
- It should be reviewed and modified as the company changes, such as through adoption of a new business model, merger with another company, or change of ownership.
- Each iteration of the policy should be dated and under version control.
- The units and individuals governed by the policy must have access to the applicable portions, and should not be expected to read all policy material to find direction and answers.

Issue-specific: Addresses specific security issues that management feels need more detailed explanation and attention, to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. E.g.: an e-mail policy might state that management can read any employee's e-mail messages that reside on the mail server, but not when they reside on the user's workstation.

System-specific: Presents management's decisions that are specific to the actual computers, networks, applications, and data. This type of policy may provide an approved software list, containing the applications that may be installed on individual workstations. E.g.: this policy may describe how databases are to be used and protected, how computers are to be locked down, and how firewalls, IDSs, and scanners are to be employed.

Standards
Standards refer to mandatory activities, actions, rules, or regulations. Standards give a policy its support and reinforce its direction. Standards can be internal, or externally mandated (government laws and regulations).

Procedures
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. E.g.: we can write procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more. Procedures are considered the lowest level in the policy chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues. Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. If a policy states that all individuals who access confidential information must be properly authenticated, the supporting procedures will explain the steps for this to happen by defining the access criteria for authorization, how access control mechanisms are implemented and configured, and how access activities are audited.
Baselines
A baseline can refer to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point. Baselines are also used to define the minimum level of protection that is required. In security, specific baselines can be defined per system type, indicating the necessary settings and the level of protection being provided. For example, a company may stipulate that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline.

Security Note: Baselines that are not technology-oriented should be created and enforced within organizations as well. For example, a company can mandate that all employees must have a badge with a picture ID in view while in the facility at all times. It can also state that visitors must sign in at a front desk and be escorted while in the facility. If these rules are followed, they create a baseline of protection.

Guidelines
Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security.

Putting It All Together
A policy might state that access to confidential data must be audited. A supporting guideline could further explain that audits should contain sufficient information to allow for reconciliation with prior reviews. Supporting procedures would outline the necessary steps to configure, implement, and maintain this type of auditing. Policies are strategic (long term), while standards, guidelines and procedures are tactical (medium term).

Organizational Security Models
Some of the best practices that facilitate the implementation of security controls include Control Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, the Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).

COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

Key concepts of the COSO framework:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations;
- reliability of financial reporting;
- compliance with applicable laws and regulations.

COSO Internal Control Framework: the five components
According to the COSO framework, internal control consists of five interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. The five components are the following:

Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include integrity, ethical values, management's operating style, delegation-of-authority systems, and the processes for managing and developing people in the organization.

Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives; risk assessment is therefore the identification and analysis of the relevant risks to the achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that the necessary actions are taken to address risks to the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and separation (segregation) of duties.

Information and communication: Information systems play a key role in internal control systems, as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure that information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these moniw
ITIL: Overview and Benefits
ITIL provides a systematic and professional approach to the management of IT service provision. Adopting its guidance offers users a wide range of benefits, including:
- reduced costs;
- improved IT services through the use of proven best-practice processes;
- improved customer satisfaction through a more professional approach to service delivery;
- standards and guidance;
- improved productivity;
- improved use of skills and experience;
- improved delivery of third-party services through the specification of ITIL or ISO 20000 as the standard for service delivery in services procurements.