Identify the three major types of controls that organizations can use to protect their information resources ? Solution 1. At secure organizations, information security is supported by senior management. Support includes making resources and budget available for information security, as well as clear statements by senior management that information security is a priority for the organization. Since senior managers establish priorities and set the tone for an organization, it is difficult to be a secure organization without their clear and consistent support. As a result of the recent spate of high-profile security breaches, most senior managers now understand the importance of information security and will support information security efforts. 2. Secure organizations regularly identify and document how sensitive data --customer and/or proprietary -- flows in, through and out of the organization. This enables an organization to focus its time, effort and money on protecting its sensitive data. Conversely, it\'s difficult for an organization to protect what it doesn\'t know about, and organizations struggle to protect their data if they don\'t perform this exercise 3. Secure organizations create and maintain a formal, documented inventory of all systems that process, transmit or store sensitive data -- including the operating system, if it\'s physical or virtualized, and what major applications have been installed. Without such an inventory, an organization can\'t fully understand what systems it must protect. Having such an inventory allows an organization to quickly determine whether a particular security vulnerability is relevant to the organization\'s systems. 4. Secure organizations segment sensitive systems from non-sensitive systems through jump servers, firewall rules, router ACLs or switch VLANs. This minimizes the attack surface for an organization\'s sensitive systems and allows access to the systems to be tightly controlled and logged. 5. Secure organizations have a strong change-control process that is rigorously enforced. Changes, including emergency changes, are fully documented then formally reviewed and approved. Unapproved changes can lead to security vulnerabilities that nobody knows about until there\'s a breach. 6. Secure organizations have a strong configuration management process. Sensitive systems are hardened and built only with necessary functionality via an automated build process or a managed configuration software tool such as Puppet or Chef. After the initial build, configuration software tools, which regularly check the configuration of systems, are used to ensure systems stay hardened or strong change control is used to maintain system configuration and prevent server creep..

1. Identify the three major types of controls that organizations can use to protect their information
resources ?
Solution
1. At secure organizations, information security is supported by senior management. Support
includes making resources and budget available for information security, as well as clear
statements by senior management that information security is a priority for the organization.
Since senior managers establish priorities and set the tone for an organization, it is difficult to be
a secure organization without their clear and consistent support. As a result of the recent spate of
high-profile security breaches, most senior managers now understand the importance of
information security and will support information security efforts.
2. Secure organizations regularly identify and document how sensitive data --customer and/or
proprietary -- flows in, through and out of the organization. This enables an organization to focus
its time, effort and money on protecting its sensitive data. Conversely, it's difficult for an
organization to protect what it doesn't know about, and organizations struggle to protect their
data if they don't perform this exercise
3. Secure organizations create and maintain a formal, documented inventory of all systems that
process, transmit or store sensitive data -- including the operating system, if it's physical or
virtualized, and what major applications have been installed. Without such an inventory, an
organization can't fully understand what systems it must protect. Having such an inventory
allows an organization to quickly determine whether a particular security vulnerability is relevant
to the organization's systems.
4. Secure organizations segment sensitive systems from non-sensitive systems through jump
servers, firewall rules, router ACLs or switch VLANs. This minimizes the attack surface for an
organization's sensitive systems and allows access to the systems to be tightly controlled and
logged.
5. Secure organizations have a strong change-control process that is rigorously enforced.
Changes, including emergency changes, are fully documented then formally reviewed and
approved. Unapproved changes can lead to security vulnerabilities that nobody knows about
until there's a breach.
6. Secure organizations have a strong configuration management process. Sensitive systems are
hardened and built only with necessary functionality via an automated build process or a
managed configuration software tool such as Puppet or Chef. After the initial build,
configuration software tools, which regularly check the configuration of systems, are used to

2. ensure systems stay hardened or strong change control is used to maintain system configuration
and prevent server creep.