Chapter004
•Download as PPT, PDF•
1 like•582 views
The document discusses building an information assurance framework with policies, procedures, and infrastructure. It defines the difference between policies, which are strategic, and procedures, which are tactical. An information assurance infrastructure establishes security practices through documentation. It should specify steps to ensure security, make the process clear, and describe how practices will be established and enforced. The infrastructure is tailored to the organization through policies, procedures, and work instructions documented in an Information Assurance Manual. Disciplined performance and establishing the right security culture are important to ensure the infrastructure functions properly.
Report
Share
Report
Share
![Objectives ,[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Tips for Compliance with Safety and Environmental Regulations
Compliance management is central to Safety / Environmental Management Systems but keeping up with requirements can be overwhelming. This presentation will teach you the essential components of an effective compliance management program and provide tips and best practices to get your program on the road to success.
Recommended
Tips for Compliance with Safety and Environmental Regulations
Compliance management is central to Safety / Environmental Management Systems but keeping up with requirements can be overwhelming. This presentation will teach you the essential components of an effective compliance management program and provide tips and best practices to get your program on the road to success.
CISA Domain- 1 - InfosecTrain
Overall understanding of the domain:
Important concepts to focus on from exam point of view
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Part 9 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationPublicly traded global multi-billion services company
A portion of an internal training session at EBSL Technologies Int\'l
Principles of IT Operations, to include ISO 27001, COBIL ,ITIL,IT Security, IT Frameworks.Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Visit www.lifein01.com for more chapters and summary of each chapters.
Top management must determine the implications of the hardware and software technology changes that support information systems function and the organization. Auditors can evaluate top management by examining how well the senior management performs four major functions: Planning: Determining the goals of the information systems function and means of achieving these goals. Organizing: Gathering, allocating, coordinating the resources needed to accomplish the goals. Leading: Motivating, guiding and communicating with personnel.
Ais Romney 2006 Slides 09 Auditing Computer Based Is
Ais Romney 2006 Slides 09 Auditing Computer Based Is
Raam risk analysis assessment and management
Risk assessment in safety at work what are you teaching staff members
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
ISACA IS Audit and Assurance Standards, Guidelines, and Tools & Techniques, Code of Professional Ethics & other applicable standard.
https://www.infosectrain.com/blog/cisa-domain-1-part-3-the-process-on-auditing-information-systems/
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Part 3 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction
Part 2 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
ISO 27004- Information Security Metrics Implementation
ISO 27004 provides guidance and describes a set of best practices for measuring the result of ISMS in an organization. The standard specifies how to set up a measurement program, what parameters to measure, when to measure, how to measure and helps organizations to decide on how to set performance targets and success criteria.
Cloud Audit and Compliance
There is an increasing trend witnessed in the cloud computing technology which has led to a lot of risks in preserving the Confidentiality, Integrity and Availability of data. The Cloud is now facing a lot of compliance requirements due to the sensitivity of the data that is being stored. View this presentation to understand the Cloud Compliance Requirements, Risks, Audit Processes and Methodologies involved in providing assurance.
This presentation was given by CA Anand Prakash Jangid at the Conference on Cloud Computing conducted by the Committee on Information Technology of the Institute of Chartered Accountants of India on 11th January 2014.
More Related Content
What's hot
CISA Domain- 1 - InfosecTrain
Overall understanding of the domain:
Important concepts to focus on from exam point of view
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Part 9 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationPublicly traded global multi-billion services company
A portion of an internal training session at EBSL Technologies Int\'l
Principles of IT Operations, to include ISO 27001, COBIL ,ITIL,IT Security, IT Frameworks.Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Visit www.lifein01.com for more chapters and summary of each chapters.
Top management must determine the implications of the hardware and software technology changes that support information systems function and the organization. Auditors can evaluate top management by examining how well the senior management performs four major functions: Planning: Determining the goals of the information systems function and means of achieving these goals. Organizing: Gathering, allocating, coordinating the resources needed to accomplish the goals. Leading: Motivating, guiding and communicating with personnel.
Ais Romney 2006 Slides 09 Auditing Computer Based Is
Ais Romney 2006 Slides 09 Auditing Computer Based Is
Raam risk analysis assessment and management
Risk assessment in safety at work what are you teaching staff members
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
ISACA IS Audit and Assurance Standards, Guidelines, and Tools & Techniques, Code of Professional Ethics & other applicable standard.
https://www.infosectrain.com/blog/cisa-domain-1-part-3-the-process-on-auditing-information-systems/
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Part 3 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction
Part 2 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
ISO 27004- Information Security Metrics Implementation
ISO 27004 provides guidance and describes a set of best practices for measuring the result of ISMS in an organization. The standard specifies how to set up a measurement program, what parameters to measure, when to measure, how to measure and helps organizations to decide on how to set performance targets and success criteria.
What's hot (20)
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal Presentation
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Ais Romney 2006 Slides 09 Auditing Computer Based Is
Ais Romney 2006 Slides 09 Auditing Computer Based Is
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction
Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics Implementation
Viewers also liked
Cloud Audit and Compliance
There is an increasing trend witnessed in the cloud computing technology which has led to a lot of risks in preserving the Confidentiality, Integrity and Availability of data. The Cloud is now facing a lot of compliance requirements due to the sensitivity of the data that is being stored. View this presentation to understand the Cloud Compliance Requirements, Risks, Audit Processes and Methodologies involved in providing assurance.
This presentation was given by CA Anand Prakash Jangid at the Conference on Cloud Computing conducted by the Committee on Information Technology of the Institute of Chartered Accountants of India on 11th January 2014.
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
This presentation is my endeavor to bring to notice the new position that internal audit enjoys today in the corporate framework, expectations of the industry and emerging opportunities for the professionals.
Cloud Computing Risk Management (IIA Webinar)
Along with accessibility and convenience, cloud-based IT resources also bring risk. This webinar provides you with a brief introduction on the development of cloud computing and the related business risks. Additionally, you will learn questions to ask to determine if your company is using cloud-based IT resources along with information on the formal assurance frameworks that exist and can be effectively employed by both cloud consumers and providers without specialized training.
Establishing an Audit Framework
If you're an Internet marketer and have to do any kind of site audits, you may benefit from this presentation. It culminates in a Google Doc with 300+ audit checkpoints.
Internal Audit Plan 2015
This plan is uploaded to be use as a sample to help people to get an idea. This internal audit plan is prepared for an automotive business activity. I hope it will be useful.
Internal Audit COSO Framework
Summary of the document "COSO Internal Control Framework" (www.coso.org )
Viewers also liked (9)
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
Similar to Chapter004
There are two general types of data dictionaries a database manag
There are two general types of data dictionaries: a database management system data dictionary and an organization-wide data dictionary. For this assignment, we are focusing on the organization-wide data dictionary. In a data dictionary, individual data elements and definitions are defined to ensure consistency and accuracy. Assume you need to collect and analyze data on patients discharged and readmitted to hospital X within 90 days of discharge. Develop the data dictionary for this study by completing the table below. Your data dictionary must include a minimum of 15 discreet data elements. Include information you would need to identify:
· the patient (Unique identifier)
· the admission(s)
· the reason for each admission (why the patient presented to the hospital emergency department)
· the principal diagnosis which is defined as the condition of the patient made after studying the patient and their admission to the hospital.
· the indicator for justified readmission or questionable readmission.
Guided response: Include at least 15 data elements and the rationale for each data element, using the format below and include:
· A title page with the following:
· Title of paper
· Student’s name
· Course name and number
· Instructor’s name
· Date submitted
· Include two scholarly references, excluding the textbook, formatted according to APA style as outlined in the Writing Center.
CHAPTER
5
Security Policies, Standards, Procedures, and
Guidelines
The four components of security documentation are policies, standards,
procedures, and guidelines. Together, these form the complete definition of a
mature security program. The Capability Maturity Model (CMM), which measures
how robust and repeatable a business process is, is often applied to security
programs. The CMM relies heavily on documentation for defining repeatable,
optimized processes. As such, any security program considered mature by CMM
standards needs to have well-defined policies, procedures, standards, and
guidelines.
• Policy is a high-level statement of requirements. A security policy is the primary
way in which management’s expectations for security are provided to the
builders, installers, maintainers, and users of an organization’s information
systems.
• Standards specify how to configure devices, how to install and configure
software, and how to use computer systems and other organizational assets, to be
compliant with the intentions of the policy.
• Procedures specify the step-by-step instructions to perform various tasks in
accordance with policies and standards.
• Guidelines are advice about how to achieve the goals of the security policy, but
they are suggestions, not rules. They are an important communication tool to let
people know how to follow the policy’s guidance. They convey best practices for
using technology systems or behaving according to management’s preferences.
This chapter covers the basics of what you need to know a ...
1chapter42BaseTech Principles of Computer Securit.docx
1
chapter
42
BaseTech / Principles of Computer Security, Fourth Edition / Conklin / 597-0 / Chapter 3
3
chapter
Organizations achieve operational security through policies and
procedures that guide user’s interactions with data and data processing
systems. Developing and aligning these efforts with the goals of the business
is a crucial part of developing a successful security program. One method
of ensuring coverage is to align efforts with the operational security model
described in the last chapter. This breaks efforts into groups; prevention,
detection, and response elements.
Prevention technologies are designed to keep individuals from being able
to gain access to systems or data they are not authorized to use. Originally,
this was the sole approach to security. Eventually we learned that in an
operational environment, prevention is extremely difficult and relying
on prevention technologies alone is not sufficient. This led to the rise of
technologies to detect and respond to events that occur when prevention
fails. Together, the prevention technologies and the detection and response
technologies form the operational model for computer security.
In this chapter, you will learn
how to
■■ Identify various operational aspects
to security in your organization
■■ Identify various policies and
procedures in your organization
■■ Identify the security awareness and
training needs of an organization
■■ Understand the different types of
agreements employed in negotiating
security requirements
■■ Describe the physical security
components that can protect your
computers and network
■■ Identify environmental factors that
can affect security
■■ Identify factors that affect the
security of the growing number of
wireless technologies used for data
transmission
■■ Prevent disclosure through
electronic emanations
We will bankrupt ourselves in the
vain search for absolute security.
—Dwight David Eisenhower
Operational and
Organizational Security
03-ch03.indd 42 03/11/15 5:20 pm
Chapter 3: Operational and Organizational SecurityPrinciples of Computer Security
PB 43
BaseTech / Principles of Computer Security, Fourth Edition / Conklin / 597-0 / Chapter 3
■■ Policies, Procedures, Standards,
and Guidelines
An important part of any organization’s approach to implementing security
are the policies, procedures, standards, and guidelines that are established
to detail what users and administrators should be doing to maintain the
security of the systems and network. Collectively, these documents provide
the guidance needed to determine how security will be implemented in
the organization. Given this guidance, the specific technology and security
mechanisms required can be planned for.
Policies are high-level, broad statements of what the organization wants
to accomplish. They are made by management when laying out the organi-
zation’s position on some issue. Procedures are the .
Ch14 Policies and Legislation
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security technologies and security
operations. Staying current with various security tools is an important characteristic of a
proficient security manager. One method to discover new technologies is to attend security
related conferences and network with other security professionals about current and trending best
practices. For your discussion question, choose two relevant and recent physical security
technologies and describe them. As part of your detailed description, provide: 1) Specific
information about the technology\'s function and application; 2) The type of facilities that the
technology would be best suited for; 3) The assets that the technology would best be used to
protect; 4) The likely vulnerabilities that the technology would best address; 5) Methods in
which the technology would be integrated with other technologies; 6) The number and type of
personnel that will need to be committed to the operation of the technology; 7) Special
considerations for policies and procedures to fully implement the technology; and 8) A likely
budget needed to implement the technology. If you are impressed with a particular security
technology that your organization uses, share it. Include any relevant hyperlinks and attach any
pictures if applicable. Here are some security categories of technologies that you may select.
Please make sure your posting covers a specific technology rather than a broad category:
Intrusion Detection Screening Technologies Access Control Technologies
Assessment/Surveillance Technologies Communications Technologies Central Control
Technologies Security Lighting Make certain that you do not duplicate another student\'s
contribution. You can select a “different” technology from the same category.
Solution
Information Security management is a process of defining the security controls in order to
protect the information assets.
Security Program
The first action of a management program to implement information security is to have a
security program in place. Though some argue the first act would be to gain some real \"proof of
concept\" \"explainable thru display on the monitor screen\" security knowledge. Start with
maybe understanding where OS passwords are stored within the code inside a file within a
directory. If you don\'t understand Operating Systems at the root directory level maybe you
should seek out advice from somebody who does before even beginning to implement security
program management and objectives.
Security Program Objectives
Protect the company and its assets.
Manage Risks by Identifying assets, discovering threats and estimating the risk
Provide direction for security activities by framing of information security policies, procedures,
standards, guidelines and baselines
Information Classification
Security Organization and
Security Education
Security Management Responsibilities
Determining objectives, scope, policies,re expected to be accomplished fr.
Structured Approach To Implementing Information And Records Management (Idrm)...
Provide an overview of a structured approach to analysis, design and specification of Information, Document and Records Management (IDRM) systems
Provide introduction to generic reference models for IDRM that can assist in solution definition
Structured IDRM methodology yields benefits in ensuring appropriate analysis, design and specification is performed ensuring requirements are captured and any solution complies with them:
Consistency
Speed
Drives Delivery
Ensures Acceptance
Increases Productivity
Increases User Confidence
Speed
Accuracy
Provides Audit Trail
Maximises Cost Savings
Risk Management and Reduction
Provides for Change Management
Provides for Formal Project Closure
Standards and reference models (OAIS) provide a mechanism for designing solutions and comparing products from vendors
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER
5
Security Policies, Standards, Procedures, and
Guidelines
The four components of security documentation are policies, standards,
procedures, and guidelines. Together, these form the complete definition of a
mature security program. The Capability Maturity Model (CMM), which measures
how robust and repeatable a business process is, is often applied to security
programs. The CMM relies heavily on documentation for defining repeatable,
optimized processes. As such, any security program considered mature by CMM
standards needs to have well-defined policies, procedures, standards, and
guidelines.
• Policy is a high-level statement of requirements. A security policy is the primary
way in which management’s expectations for security are provided to the
builders, installers, maintainers, and users of an organization’s information
systems.
• Standards specify how to configure devices, how to install and configure
software, and how to use computer systems and other organizational assets, to be
compliant with the intentions of the policy.
• Procedures specify the step-by-step instructions to perform various tasks in
accordance with policies and standards.
• Guidelines are advice about how to achieve the goals of the security policy, but
they are suggestions, not rules. They are an important communication tool to let
people know how to follow the policy’s guidance. They convey best practices for
using technology systems or behaving according to management’s preferences.
This chapter covers the basics of what you need to know about policies,
standards, procedures, and guidelines, and provides some examples to illustrate
the principles. Of these, security policies are the most important within the
context of a security program, because they form the basis for the decisions that
are made within the security program, and they give the security program its
“teeth.” As such, the majority of this chapter is devoted to security policies. There
are other books that cover policies in as much detail as you like. See the
References section for some recommendations. The end of this chapter provides
you with some guidance and examples for standards, procedures, and guidelines,
so you can see how they are made, and how they relate to policies.
Security Policies
A security policy is the essential foundation for an effective and comprehensive
security program. A good security policy should be a high-level, brief, formalized
statement of the security practices that management expects employees and
other stakeholders to follow. A security policy should be concise and easy to
understand so that everyone can follow the guidance set forth in it.
In its basic form, a security policy is a document that describes an
organization’s security requirements. A security policy specifies what should be
done, not how; nor does it specify technologies or specific solutions. The security
policy defines a specific set of ...
Similar to Chapter004 (20)
There are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database manag
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
Application of Q methodology in critical success factors of information secur...
Application of Q methodology in critical success factors of information secur...
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
Structured Approach To Implementing Information And Records Management (Idrm)...
Structured Approach To Implementing Information And Records Management (Idrm)...
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
More from Jeanie Delos Arcos (20)
Chapter004
- 1. Chapter 4 Building and Documenting an Information Assurance Framework