For our discussion question, we focus on recent trends in security technologies and security
operations. Staying current with various security tools is an important characteristic of a
proficient security manager. One method to discover new technologies is to attend security
related conferences and network with other security professionals about current and trending best
practices. For your discussion question, choose two relevant and recent physical security
technologies and describe them. As part of your detailed description, provide: 1) Specific
information about the technology\'s function and application; 2) The type of facilities that the
technology would be best suited for; 3) The assets that the technology would best be used to
protect; 4) The likely vulnerabilities that the technology would best address; 5) Methods in
which the technology would be integrated with other technologies; 6) The number and type of
personnel that will need to be committed to the operation of the technology; 7) Special
considerations for policies and procedures to fully implement the technology; and 8) A likely
budget needed to implement the technology. If you are impressed with a particular security
technology that your organization uses, share it. Include any relevant hyperlinks and attach any
pictures if applicable. Here are some security categories of technologies that you may select.
Please make sure your posting covers a specific technology rather than a broad category:
Intrusion Detection Screening Technologies Access Control Technologies
Assessment/Surveillance Technologies Communications Technologies Central Control
Technologies Security Lighting Make certain that you do not duplicate another student\'s
contribution. You can select a “different” technology from the same category.
Solution
Information Security management is a process of defining the security controls in order to
protect the information assets.
Security Program
The first action of a management program to implement information security is to have a
security program in place. Though some argue the first act would be to gain some real \"proof of
concept\" \"explainable thru display on the monitor screen\" security knowledge. Start with
maybe understanding where OS passwords are stored within the code inside a file within a
directory. If you don\'t understand Operating Systems at the root directory level maybe you
should seek out advice from somebody who does before even beginning to implement security
program management and objectives.
Security Program Objectives
Protect the company and its assets.
Manage Risks by Identifying assets, discovering threats and estimating the risk
Provide direction for security activities by framing of information security policies, procedures,
standards, guidelines and baselines
Information Classification
Security Organization and
Security Education
Security Management Responsibilities
Determining objectives, scope, policies,re expected to be accomplished fr.
For our discussion question, we focus on recent trends in security t.pdf
1. For our discussion question, we focus on recent trends in security technologies and security
operations. Staying current with various security tools is an important characteristic of a
proficient security manager. One method to discover new technologies is to attend security
related conferences and network with other security professionals about current and trending best
practices. For your discussion question, choose two relevant and recent physical security
technologies and describe them. As part of your detailed description, provide: 1) Specific
information about the technology's function and application; 2) The type of facilities that the
technology would be best suited for; 3) The assets that the technology would best be used to
protect; 4) The likely vulnerabilities that the technology would best address; 5) Methods in
which the technology would be integrated with other technologies; 6) The number and type of
personnel that will need to be committed to the operation of the technology; 7) Special
considerations for policies and procedures to fully implement the technology; and 8) A likely
budget needed to implement the technology. If you are impressed with a particular security
technology that your organization uses, share it. Include any relevant hyperlinks and attach any
pictures if applicable. Here are some security categories of technologies that you may select.
Please make sure your posting covers a specific technology rather than a broad category:
Intrusion Detection Screening Technologies Access Control Technologies
Assessment/Surveillance Technologies Communications Technologies Central Control
Technologies Security Lighting Make certain that you do not duplicate another student's
contribution. You can select a “different” technology from the same category.
Solution
Information Security management is a process of defining the security controls in order to
protect the information assets.
Security Program
The first action of a management program to implement information security is to have a
security program in place. Though some argue the first act would be to gain some real "proof of
concept" "explainable thru display on the monitor screen" security knowledge. Start with
maybe understanding where OS passwords are stored within the code inside a file within a
directory. If you don't understand Operating Systems at the root directory level maybe you
should seek out advice from somebody who does before even beginning to implement security
program management and objectives.
2. Security Program Objectives
Protect the company and its assets.
Manage Risks by Identifying assets, discovering threats and estimating the risk
Provide direction for security activities by framing of information security policies, procedures,
standards, guidelines and baselines
Information Classification
Security Organization and
Security Education
Security Management Responsibilities
Determining objectives, scope, policies,re expected to be accomplished from a security program
Evaluate business objectives, security risks, user productivity, and functionality requirements.
Define steps to ensure that all the above are accounted for and properly addressed
Approaches to Build a Security Program
Top-Down Approach
The initiation, support, and direction comes from the top management and work their way
through middle management and then to staff members.
Treated as the best approach but seems to based on the I get paid more therefor I must know
more about everything type of mentality.
Ensures that the senior management who are ultimately responsible for protecting the company
assets is driving the program.
3. Bottom-Up Approach
The lower-end team comes up with a security control or a program without proper management
support and direction.
It is oft considered less effective and doomed to fail for the same flaw in thinking as above; I get
paid more therefor I must know more about everything.
Since advancement is directly tied to how well you can convince others, who often fall outside
of your of job duties and department, as to your higher value to the company as stated by your
own effective written communication this leads to amazing resume writers and take no blame
style of email responses that seems to definitely lead to the eventual failure of company's
standards and actual knowledge. It is often covered up by relationships which form at the power
levels within any group of people and those who are considered so-called experts having no real
idea what is really involved under the hood of the reports/applications they use and no proof
presented in emails written when self declared claims of their expertise is made or blame is to be
put on another.
Security Controls
Security Controls can be classified into three categories
Administrative Controls which include
Developing and publishing of policies, standards, procedures, and guidelines.
Screening of personnel.
Conducting security-awareness training and
Implementing change control procedures.
Technical or Logical Controls which include
Implementing and maintaining access control mechanisms.
4. Password and resource management.
Identification and authentication methods
Security devices and
Configuration of the infrastructure.
Physical Controls which include
Controlling individual access into the facility and different departments
Locking systems and removing unnecessary floppy or CD-ROM drives
Protecting the perimeter of the facility
Monitoring for intrusion and
Environmental controls.
Security Note: It is the responsibility of the information owner (usually a Sr. executive within
the management group or head of a specific dept) to protect the data and is the due care (liable
by the court of law) for any kind of negligence
The Elements of Security
Vulnerability
It is a software, hardware, or procedural weakness that may provide
Security Policies, Procedures, Standards, Guidelines, and Baselines
Policies
A security policy is an overall general statement produced by senior management (or a selected
policy board or committee) that dictates what role security plays within the organization.
5. A well designed policy addresses:
. What is being secured? - Typically an asset.
. Who is expected to comply with the policy? - Typically employees.
. Where is the vulnerability, threat or risk? - Typically an issue of integrity or responsibility.
Types of Policies
Regulatory: This type of policy ensures that the organization is following standards set by
specific industry regulations. This policy type is very detailed and specific to a type of industry.
This is used in financial institutions, health care facilities, public utilities, and other government-
regulated industries. E.g.: TRAI.
Advisory: This type of policy strongly advises employees regarding which types of behaviors
and activities should and should not take place within the organization. It also outlines possible
ramifications if employees do not comply with the established behaviors and activities. This
policy type can be used, for example, to describe how to handle medical information, handle
financial transactions, or process confidential information.
Informative: This type of policy informs employees of certain topics. It is not an enforceable
policy, but rather one to teach individuals about specific issues relevant to the company. It could
explain how the company interacts with partners, the company's goals and mission, and a
general reporting structure in different situations.
Types of Security Policies
Organizational
Management establishes how a security program will be set up, lays out the program's goals,
assigns responsibilities, shows the strategic and tactical value of security, and outlines how
enforcement should be carried out.
Provides scope and direction for all future security activities within the organization.
6. This policy must address relative laws, regulations, and liability issues and how they are to be
satisfied.
It also describes the amount of risk senior management is willing to accept.
Characteristics
Business objectives should drive the policy's creation, implementation, and enforcement. The
policy should not dictate business objectives.
It should be an easily understood document that is used as a reference point for all employees
and management.
It should be developed and used to integrate security into all business functions and processes.
It should be derived from and support all legislation and regulation applicable to the company.
It should be reviewed and modified as a company changes, such as through adoption of a new
business model, merger with another company, or change of ownership.
Each iteration of the policy should be dated and under version control.
The units and individuals who are governed by the policy must have access to the applicable
portions and not be expected to have to read all policy material to find direction and answers
Issue-specific
Addresses specific security issues that management feels need more detailed explanation and
attention to make sure a comprehensive structure is built and all employees understand how they
are to comply with these security issues
E.g.: An e-mail policy might state that management can read any employee's e-mail messages
that reside on the mail server, but not when they reside on the user's workstation
System-specific
7. Presents the management's decisions that are specific to the actual computers, networks,
applications, and data.
This type of policy may provide an approved software list, which contains a list of applications
that may be installed on individual workstations.
E.g.: This policy may describe how databases are to be used and protected, how computers are
to be locked down, and how firewalls, IDSs, and scanners are to be employed.
Standards
Standards refer to mandatory activities, actions, rules, or regulations.
Standards can give a policy its support and reinforcement in direction
Standards could be internal, or externally mandated (government laws and regulations).
Procedures
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
E.g.: we can write procedures on how to install operating systems, configure security
mechanisms, implement access control lists, set up new user accounts, assign computer
privileges, audit activities, destroy material, report incidents, and much more.
Procedures are considered the lowest level in the policy chain because they are closest to the
computers and users (compared to policies) and provide detailed steps for configuration and
installation issues.
Procedures spell out how the policy, standards, and guidelines will actually be implemented in
an operating environment.
If a policy states that all individuals who access confidential information must be properly
authenticated, the supporting procedures will explain the steps for this to happen by defining the
access criteria for authorization, how access control mechanisms are implemented and
configured, and how access activities are audited
8. Baselines
A baseline can refer to a point in time that is used as a comparison for future changes. Once
risks have been mitigated, and security put in place, a baseline is formally reviewed and agreed
upon, after which all further comparisons and development are measured against it.
A baseline results in a consistent reference point.
Baselines are also used to define the minimum level of protection that is required.
In security, specific baselines can be defined per system type, which indicates the necessary
settings and the level of protection that is being provided. For example, a company may stipulate
that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline.
Security Note : Baselines that are not technology-oriented should be created and enforced within
organizations as well. For example, a company can mandate that all employees must have a
badge with a picture ID in view while in the facility at all times. It can also state that visitors
must sign in at a front desk and be escorted while in the facility. If these are followed, then this
creates a baseline of protection.
Guidelines
Guidelines are recommended actions and operational guides to users, IT staff, operations staff,
and others when a specific standard does not apply.
Guidelines can deal with the methodologies of technology, personnel, or physical security.
Putting It All Together
A policy might state that access to confidential data must be audited. A supporting guideline
could further explain that audits should contain sufficient information to allow for reconciliation
with prior reviews. Supporting procedures would outline the necessary steps to configure,
implement, and maintain this type of auditing.
policies are strategical(long term) while standards, guidelines and procedures are
9. tactical(medium term).Organizational Security Models
Some of the best practices that facilitate the implementation of security controls include Control
Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799,
Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset
and Vulnerability Evaluation (OCTAVE).
COSO
Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a U.S.
private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause
fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has
established a common definition of internal controls, standards, and criteria against which
companies and organizations can assess their control systems.
Key concepts of the COSO framework
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is affected by people. It’s not merely policy manuals and forms, but people at
every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to
an entity's management and board.
Internal control is geared to the achievement of objectives in one or more separate but
overlapping categories.
The COSO framework defines internal control as a process, effected by an entity's board of
directors, management and other personnel, designed to provide reasonable assurance regarding
the achievement of objectives in the following categories:
Effectiveness and efficiency ofoperations
Reliability of financial reporting
10. Compliance with applicable laws and regulations.
COSO Internal Control Framework: the five components
According to the COSO framework, internal control consists of five interrelated components.
These components provide an effective framework for describing and analyzing the internal
control system implemented in an organization. The five components are the following:
Control Environment: The control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other components of internal
control, providing discipline and structure. Control environment factors include the integrity,
ethical values, management's operating style, delegation of authority systems, as well as the
processes for managing and developing people in the organization.
Risk assessment: Every entity faces a variety of risks from external and internal sources that
must be assessed. A precondition to risk assessment is establishment of objectives and thus risk
assessment is the identification and analysis of relevant risks to achievement of assigned
objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Control activities: Control activities are the policies and procedures that help ensure
management directives are carried out. They help ensure that necessary actions are taken to
address risks to achievement of the entity's objectives. Control activities occur throughout the
organization, at all levels and in all functions. They include a range of activities as diverse as
approvals, authorizations, verifications, reconciliations, reviews of operating performance,
security of assets and Separation of duties/segregation of duties.
Information and communication: Information systems play a key role in internal control systems
as they produce reports, including operational, financial and compliance-related information, that
make it possible to run and control the business. In a broader sense, effective communication
must ensure information flows down, across and up the organization. Effective communication
should also be ensured with external parties, such as customers, suppliers, regulators and
shareholders.
Monitoring: Internal control systems need to be monitored—a process that assesses the quality
of the system's performance over time. This is accomplished through ongoing monitoring
activities or separate evaluations. Internal control deficiencies detected through these moniw
11. Overview and Benefits
ITIL provides a systematic and professional approach to the management of IT service
provision. Adopting its guidance offers users a huge range of benefits that include:
reduced costs;
improved IT services through the use of proven best practice processes;
improved customer satisfaction through a more professional approach to service delivery;
standards and guidance;
improved productivity;
improved use of skills and experience; and
improved delivery of third party services through the specification of ITIL or ISO 20000 as the
standard for service delivery in services procurements.