This paper describes how a continuous-improvement IT Security Governance process provides effective planning and decision-making capabilities for a cybersecurity program. Governance can be thought of as “doing the right things”, while management is “doing things right”. IT Security Governance focuses on doing the right things to protect organizations and agencies.
Information Security Governance: Government Considerations for the Cloud Comp... (Booz Allen Hamilton)
How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
Enterprise Architecture and Information Security (John Macasio)
A thinking tool to ask and describe the alignment requirements of business, information, technology and security to improve and secure the management of process, data, application and infrastructure of performance.
This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312
This Word document provides a template for an IT Security & Governance Policy and is easily customisable. Areas covered are: Security, Data Back-Up, Virus Protection, Internet & Email usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning.
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH (EQS Group)
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating from 2007, proprietary solutions and sparse articles are all we have. In 2007 there was no Cloud yet - and that can be either a big help or a major issue in the process. Mergers & Acquisitions are a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisitions is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about it. This session will propose a simple framework, and you will walk away with actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities it can offer.
- Understand why it is important that Information Security is involved in the early phases of due diligence, including the phases in which the deal is structured and evaluated and the acquisition model is defined.
- Walk home with a simple framework and actionable material you can start using the day after.
Developing Metrics for Information Security Governance (digitallibrary)
Information security has become a critical issue within organizations and a key success factor for businesses. To effectively maintain the integrity and security of an organization's information infrastructure, effective security metrics and measures must be developed, implemented and monitored. Learn about enterprise security metrics and the concepts that must be considered when developing, implementing, and monitoring them. Understand how to identify measurable points and activities, develop meaningful metrics and measures, and monitor them. Case studies and scenarios demonstrate the operational benefits and challenges of securing information.
Information Security During Mergers & Acquisitions: Issues, Safety Measures, and Need-to-Know Solutions.
Information security risks and threats connected with mergers and acquisitions, which can include months of often precarious IT migrations and legacy services left exposed; how Cloud computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities that they can offer; why Information Security should be involved in the early phases of due diligence, including the phases during which the deal is structured and the acquisition model is defined; a simple framework and actionable material.
To ensure security, it is important to build in security in both the planning and the design phases and to adopt a security architecture which makes sure that regular and security-related tasks are deployed correctly. Security requirements must be linked to the business goals. We identified four domains that affect security at an organization, namely organizational governance, organizational culture, the architecture of the systems, and service management. In order to identify and explore the strengths and weaknesses of a particular organization’s security, a wide-ranging model has been developed. This model is proposed as an information security maturity model (ISMM) and is intended as a tool to evaluate the ability of organizations to meet their security objectives.
Management of the IT infrastructure begins at its foundation. Better understand how that foundation is defined, implemented and leveraged beyond traditional IT management solutions, in an accretive way.
This publication covers two important aspects of information security governance: determining the security strategy approach and the strategy development process.
This whitepaper discusses some common challenges and myths about data security when outsourcing engineering and looks at some industry best practices to address these concerns.
International Journal of Engineering Research and Development (IJERD Editor)
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
Discussion 1 Recommend three countermeasures that could enhance.docx (elinoraudley582231)
Discussion 1
Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations.
1. Upon extensive review of the existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach to information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of the chain of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s successful ability to [achieve] its purpose (2007, p. 9).
2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17).
3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14).
Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why.
The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them is increased transparency and accountability, which leads to an “improved transparency of IT costs, IT process, [and] IT portfolio” (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases”, which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability, and companies avoid “unnecessary expenditures” (p. 7).
Discussion 2
Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response.
As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .
2 days ago Shravani Kasturi Discussion COLLAPSE Top of Form.docx (lorainedeserre)
2 days ago
Shravani Kasturi
Discussion
IT governance refers to the procedures implemented to manage information technology and the increasing value obtained from investing in information and technology (Joshi, Bollen, Hassink, Haes & Grembergen, 2018). It is made up of frameworks whose aim is to increase the management of risks arising due to the use of information technology. It aims at ensuring that information technology is used to increase the likelihood of achieving objectives for the business. IT governance is essential in allowing companies to be compliant with legal guidelines; for instance, those contained in the Companies Act. It provides a likelihood of an increase in the investments made by a company regarding information technology.
Many factors fueled the need for adoption of IT governance. The first factor is the increase in the number of risks facing information technology. The increased legal risks due to the lack of compliance with guidelines is another critical factor that contributed to a need for IT governance. The ability of IT governance to reduce the costs used in coming up with new inventions increased its adoption. Many companies make use of a lot of resources for discovery.
ISO provides guidelines meant to increase security (Santi, 2018). Its primary role is the provision of guidance concerning aspects of security. It offers advice on how to operate, manage and make use of the networks effectively. It also provides guidelines on how the systems can be used effectively to increase security. The ISO also provides guidelines regulating the implementation of controls. Therefore, ISO has dramatically affected the standards of network security by increasing the protection of the networks. It is through the guidelines it provides that it aims at expanding the manner in which the network security is designed. It also provides an outline of how the implementation should be carried out to increase network security. It increased standards by developing secure communications interconnecting networks. It is through the provision of very secure gateways.
References
Joshi, A., Bollen, L., Hassink, H., Haes, S. D., & Grembergen, W. V. (2018). Explaining IT Governance disclosure through the constraints of IT governance maturity and IT strategic role. Information & Management, 55(3), 368-380.
Santi, P. (2018). A design network model for information security management standards depends on ISO 27001. GSTF Journal on Computing, 5(4), 1-11.
19 hours ago
Rahul Reddy Kallu
Discussion 6
IT governance and data governance are a subset of Information Governance (IG), which defines a set of policies and procedures to concentrate more on how to effectively manage information. These policies include managing structured (records) and unstructured data (e-mails, e-documents). IT governance policies are aimed towards protecting sensitive data such as Protected Health Information (PHI), ensuring privac ...
Cyber capability brochure Cybersecurity Today A fresh l.docx (faithxdunce63732)
Cyber capability brochure
Cybersecurity Today: A fresh look at a changing paradigm for government agencies
The cyber domain presents endless opportunities to Federal agencies looking for new ways to deliver on their mission and serve citizens, while reducing operational risk. Government is investing in new and innovative technologies that will empower our nation to achieve more. Next-generation identification systems will reduce terrorist and criminal activities by improving and expanding biometric identification and criminal history information services. “Smart” electric grids will make the country more energy independent and increase the use of renewable energies. Intelligent travel systems will make air travel quicker and safer. Electronic medical records are improving access to health care and reducing costs. These investments require up-front planning and preemptive cybersecurity practices to mitigate the inherent risks associated with the advanced persistent threat.
However, operating in the cyber domain is not without increased risk. Our cybersecurity efforts are matched — if not outpaced — by the sophistication on the part of nimble opponents from other nations, cyber terrorists, cyber criminal syndicates, malicious insiders, cyber espionage — not to mention the inadvertent breach. For better or worse, our cybersecurity efforts are increasingly interconnected with agency mission and programs, inextricably linking daily decisions on performance, workforce management, and information sharing with threat deterrence at every level of the organization. By adopting a proactive, performance-focused, and risk-intelligent approach to cyber initiatives, leaders can help shape their organizations into more proactive, agile, and resilient organizations to protect their people, programs, and mission.
Cyber: The new normal
Cyber is not just a new domain, it is the new normal. Agency leaders have a critical task ahead of them to take a fresh look at their personnel, policies, processes, and systems to synchronize their cyber initiatives and empower collaboration across departments to protect people, programs, and mission. To strengthen their cyber efforts, today’s leaders are helping drive coordination across functions, agencies, and the private sector toward a shared cyber competence that enables the mission while assigning accountability. Here are some actions agencies should consider:
- Treat data like a monetary asset. Understand the value of all your agency’s assets, protect what matters most to the mission, and preserve the public’s trust.
- Follow the flow of information inside and outside of your agency to identify vulnerabilities; strengthen every link in the chain.
- Do more with identity management. Identity, Credentialing, and Access Management (ICAM) offers new opportunities to expand partnerships and add services quickly and cost-efficiently.
- Make cyber a performance goal.
Running Head SECURITY AWARENESS Security Awareness .docx (toltonkendal)
Running Head: SECURITY AWARENESS
Final Project Security Awareness
Terri Y. Hudson
Southern New Hampshire University – IT 552
December 20, 2016
Agency-wide Security Awareness Program Proposal
Introduction
For the organization to comply with the current PCT DSS requirement version 12,6, a security awareness program must be in place. The CISCO of the organization has an immediate requirement to create an agency-wide security awareness program. As a means of implementing a security awareness program, the organization has conducted a security gap analysis, which is one of the components of a security awareness program and which showed 10 security findings. As one of the means of conducting the program, I will submit an awareness program proposal.
Objective
This SOW (Statement of Work) is being done on behalf of the senior information officer. He has requested the creation of an agency-wide security awareness program by handing over the security gap analysis which was done prior to this process. Hence the major aim of this document is to set out a security awareness program which addresses ten major key security findings. The document will also include a risk assessment of the current security awareness practices and processes. By having this document, the organization will be able to have a well-organized maintenance plan. It is also important in establishing and maintaining an information-security awareness program (United States, 2000).
Background
The mission of the organization is to provide efficient IT services with the best security program in place, with the aim of protecting the organization’s assets.
1. Technical infrastructure
The organization is engaged in a short-term effort aimed at modernizing its information-processing infrastructure. These efforts have incorporated software enhancements, installation of firewalls and high-end network systems for improved communication. The senior information officer is the one who is responsible to oversee the modernization effort. He has of late completed conducting a security awareness program and deployment of the organization’s LAN (Local Area Network). The hardware being used is Cisco products.
2. Computing Environment
The organization’s desktop computers run Windows 2007/98 and 95. The servers are Pentium-based with over 1 GB RAM. The current NOS (Network Operating System) is Windows-based.
3. Security Posture of the Organization
The organization has a basic network structure with only one router, which acts as a firewall. It has several workstations and switches to these workstations. In addition, the organization has installed Kaspersky’s antivirus on their desktop machines with the aim of reducing external threats. The data server is highly secured with Kaspersky’s antivirus. The organization physical sec ...
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). It provides a brief history of why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers the potential benefits of the Framework and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and the future direction of the Framework program.
IBM Banking: Automated Systems help meet new Compliance Requirements (IBM Banking)
IBM automation systems, such as e-discovery and auto-classification, help financial firms achieve transparency and meet compliance requirements while maximizing the value of your existing content management architecture.
Getting Real About Security Management and “Big Data” (EMC)
It’s an exciting yet daunting time to be a security professional. Security threats are becoming more aggressive and voracious. Governments and industry bodies are getting more prescriptive around compliance. Combined with exponentially more complex IT environments, security management is increasingly challenging. Moreover, new “Big Data” technologies purport to bring advanced analytic techniques like predictive analysis and advanced statistical techniques close to the security professional.
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlight opportunities for expanded application for cyber, physical, and personnel security risks. This NIST CSF can help practitioners build a cross-pollenated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certification Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Cyber-attacks are an alarming threat to all types of businesses & organizations.The risk of a cyber-attack is not just a risk to your company but also to your privacy.Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
Cyber-attacks are an alarming threat to all types of businesses & organizations.The risk of a cyber-attack is not just a risk to your company but also to your privacy.Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
The Significance of IT Security Management & Risk AssessmentBradley Susser
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
Canadian Red Cross Tainted Blood ScandalLeo de Sousa
The Canadian Red Cross Tainted Blood Scandal spanned decades and to this day, individuals, families, groups and the nation feel its deadly impacts. The Canadian national blood supply was contaminated with two infectious viruses, Hepatitis-C and HIV during the late 1970s, 1980s and the early 1990s. This was the worst tragedy in Canadian medical history with over 20,000 Canadians infected after receiving blood or blood factors to treat their illnesses or during surgery.
This paper describes the risks and impacts to be considered when planning a secure partner portal. Research organizations looking for efficiencies and cost savings seek to build trusted, collaborative relationships with other organizations. This approach introduces new IT security risks that do not exist in a closed business technology platform. As organizations choose to provide access to their internal systems, they need to consider how to manage risks from authentication, authorization and information security.
This paper describes the interaction between the IT Infrastructure Library (ITIL<sup>®</sup>) and IT Security Architecture (ITSA) within the overall context of Enterprise Architecture (EA). Enterprise Architecture provides a holistic approach to the integration and management of an organization’s strategy, business and technology.
This paper takes an enterprise architecture approach to describe the IT Security Architecture impacts of migrating from an employer supplied “use what you’re told” (UWYT) model to an employee purchased “bring your own device” (BYOD) model. More and more employees and executives demand the option to use their consumer IT devices to do their work. This blend of work and life, combined with flexible work hours also contributes to an atmosphere where people want to be able to work with the tools of their choice.
Motivating Strategic Practice Development Using CMMLeo de Sousa
This paper describes the use of a motivational information model (Capability Maturity Model - CMM) as an innovative way to help plan, mature, assess and motivate the creation of a process.
This paper explores an approach to build intrinsic motivation in High TechnologyWorkers which motivates them to work on their personal learning plans to earn rewards in their personal, educational and career objectives in a work environment governed by a Collective Bargaining Agreement.
Leaders, who are self-aware, create personal guiding principles and are flexible in their leadership approaches, will have success navigating any situation. There are a set of leadership traits, behaviors and styles that support flexible leadership. Leaders need to develop self-awareness. Understanding what their strengths and weaknesses are and how they react to different situations is the foundation for a flexible leadership style. Next, the leader needs to create their guiding principles defining who they are and how they work. Finally, leaders need to provide structure and flexibility in their organizations.
Ford and GM A Comparison of 2 Fortune 500 CompaniesLeo de Sousa
This paper compares and contrasts two top ten Fortune 500 automotive companies: Ford Motor Company (Ford) and General Motors Corporation (GM). Through a series of strategic decisions and initiatives, Ford was able to survive the 2008-2009 global economic crisis. General Motors had similar opportunities to make strategic changes but remained entrenched in their approaches and strategy. The result was General Motors filed for bankruptcy, and had to ask the US and Canadian governments for loans in order to restart business.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Effective IT Security Governance
1. IST 725 Case Study 1 – Effective IT Security Governance Feb 12, 2012
Effective IT Security Governance
Leo de Sousa – IST 725
Abstract
This paper describes how a continuous improvement IT Security Governance process provides
effective planning and decision making capabilities for a cybersecurity program. Governance
can be thought of as “doing the right things”, while management is “doing things right”. IT Security
Governance focuses on doing the right things to protect organizations and agencies. Operational
Security focuses on doing things right and relies on IT Security Governance to direct those
actions. As organizations and agencies look to save costs, reach more customers and implement
efficiencies, they are turning more and more to digital technology solutions. While the reach and
automation capabilities of information technology solutions and architectures are vast, they also
expose organizations and agencies to risks from cybercrime, cyberattacks, breaches of legal
regulations, loss of corporate information, and failures to protect personal and confidential
information. Topics covered in this paper are (a) Key Definitions, (b) Introduction to IT Security
Governance, (c) IT Security Governance Capabilities, (d) Effective Approaches to Planning and
Decision Making using IT Security Governance Capabilities and (e) Conclusion. After reading
this paper, the reader should have a clear understanding of the concepts of IT Security
Governance, the capabilities of IT Security Governance, and the uses of those capabilities to
effectively plan and make decisions for an overall, continuously improving cybersecurity
program.
Key Definitions
Cyberattack – is an attempt to undermine or compromise the function of a computer-based
system, or attempt to track the online movements of individuals without their permission.
(wiseGEEK, 2011)
Cybercrime – generally defined as a criminal offence involving a computer as the object of the
crime (hacking, phishing, spamming), or as the tool used to commit a material component of the
offence (child pornography, hate crimes, computer fraud). (Foreign Affairs and International
Trade Canada, 2011)
Cybersecurity – term used by the US Federal government which requires assigning clear and
unambiguous authority and responsibility for security, holding officials accountable for fulfilling
those responsibilities and integrating security requirements into budget and capital planning
processes. (IT Governance Institute, 2006, p. 22)
Information Security Governance – is captured in the Security Architecture Framework and is
used “to define security strategies, policies, standards and guidelines for the enterprise from an
organizational viewpoint.” (Bernard & Ho, 2007, p. 11)
Leo de Sousa Page 1
Integrated Governance Framework – is part of an integrated “governance structure that
includes strategic planning, enterprise architecture, program management, capital planning,
security and workforce planning.” (Bernard S. A., 2005, p. 33)
Introduction
IT Security Governance is one of several organizational governing processes that include
Enterprise Architecture, IT Governance, Project Governance and Corporate Governance. It has
strong alignment to enterprise risk management initiatives and programs. Successful
organizations use corporate governance to direct and guide the successful operations of the
company. IT Governance guides investments in technology that are aligned to the business’
goals and strategy. Project Governance is used to rank and prioritize project proposals, so
investments in projects are aligned to business strategy. The IT Governance Institute defines
Information Security Governance as “Security Governance is the set of responsibilities and
practices exercised by the board and executive management with the goal of providing strategic
direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately
and verifying that the enterprise’s resources are used responsibly.” (Harris, 2006) Taking a top
down approach with executive direction and support is a key success factor in establishing a culture
of security within organizations and agencies.
Every organization and agency faces the challenge of balancing employee empowerment by
providing access to information with enterprise risk management and compliance. As more and
more organizations and agencies move their services into a digital environment, they are faced
with significant challenges dealing with new corporate risks to information, business processes
and privacy. The use of web-based applications, online payment systems and collaboration
based information management systems introduce new information technology architectures that,
if not properly protected, expose the company to the risk of cyberattacks and information
security breaches. The recent downturn in the global economy is forcing organizations and
agencies to cut operational costs and improve their processes. In most cases, this means cutting
their budgets and investments, which can put IT Security efforts in jeopardy due to lack of
funding. These high levels of budget cuts are rippling through companies and organizations,
impacting the resources available for IT security. “The $2.1 trillion debt-cap pact that Congress
passed Tuesday could hurt economic and national security as agencies postpone plans to invest
in cybersecurity technology and hire more network specialists due to uncertainty over potential
program cuts, computer security advisers say.” (Sternstein, 2011)
There are five IT Security Governance areas that have evolved from case law and are tied to the
fiduciary duties of executives, board members and officers: 1) Govern the operations of the
organization and protect its critical assets, 2) Protect the organization’s market share and stock
price, 3) Govern the conduct of employees, 4) Protect the reputation of the organization and 5)
Ensure compliance requirements are met. (Allen & Westby, 2007, p. 1)
In this constrained environment, IT Security Governance becomes a strategic practice ensuring
that the appropriate security capabilities are available and adequately funded to maintain and
continually improve an effective cybersecurity program for organizations and agencies.
IT Security Governance Capabilities
IT Security Governance relies on a set of core capabilities that enable organizations to provide
oversight, authorize decisions and create and enable policy. These capabilities support
accountability, strategic planning and resource allocation for IT Security programs in an
organization. To successfully deploy IT Security Governance capabilities, organizations and
agencies need to consider organizational strategy, culture and structure as well as compliance
and risk management policies. These capabilities need to be implemented in a top down
approach with the responsibility for success sitting with the Board of Directors and the Executive
Committee.
Bernard and Ho describe IT Security Governance capabilities at a high level as “to define
security strategies, policies, standards and guidelines for the enterprise from an organizational
viewpoint.” (Bernard & Ho, 2007, p. 11) The Carnegie Mellon Software Engineering Institute
published a paper, “Governing Enterprise Security Implementation Guide”, which provides a
more detailed treatment of IT Security Governance capabilities, including responsibilities and
artifacts. The capabilities are grouped into the following four high level categories and
subcategories (Allen & Westby, 2007):
Governance Category and Governance Sub Categories

Structure and Tone (Deming – Plan – design or revise business process components to improve
results)
• Establish a Governance Structure
• Assign Roles and Responsibilities, Indicating Lines of Responsibility
• Develop Top-Level Policies

Assets and Responsibilities (Deming – Do – implement the plan and measure its performance)
• Inventory Digital Assets
• Develop and Update System Descriptions
• Establish and Update Ownership and Custody of Assets
• Designate Security Responsibilities and Segregation of Duties

Compliance (Deming – Check – assess the measurements and report the results to decision
makers)
• Determine and Update Compliance Requirements
• Map Assets to Table of Authorities
• Map and Analyze Data Flows
• Map Cybercrime and Security Breach Notification Laws and Cross-Border Cooperation with
Law Enforcement to Data Flows
• Conduct Privacy Impact Assessments and Privacy Audits

Assessments and Strategy (Deming – Act – decide on the changes needed to improve the process)
• Conduct Threat, Vulnerability, and Risk Assessments (including System C&As)
• Determine Operational Criteria
• Develop and Update Security Inputs to the Risk Management Plan
• Develop and Update Enterprise Security Strategy (ESS)
Interestingly, the implementation guide proposed by Allen and Westby follows the continuous
improvement approach of W. Edwards Deming. (Balanced Scorecard Institute, 1998) By
implementing the four major categories in the order specified, organizations and agencies
establish accountability and responsibility at the most senior levels of their organization structure
with a focus that these activities are part of a continuous improvement process.
Effective Approaches to Cybersecurity Planning and
Decision Making
IT Security Governance delivers the key capabilities to facilitate planning and decision making
for enterprise risk management and strategic planning in a cybersecurity program. This section
explores the major categories of the Governing Enterprise Security (GES) guide using a higher
education example and shows how they are essential to support the planning and decision making
of a cybersecurity program with a focus on continuous improvement.
Structure and Tone (Deming – Plan)
There are three main activities in this category: Establish a Governance Structure; Assign Roles and
Responsibilities, Indicating Lines of Responsibility; and Develop Top-Level Policies. The focus
of these three activities is to clearly establish a top down, organization-wide approach to IT
Security. At the British Columbia Institute of Technology (BCIT), our top level governance
group is the Audit and Finance Committee of the Board of Governors. The committee reports
quarterly to the Board of Governors and has overall responsibility for Enterprise Risk
Management including IT Security Governance. In 2008, we created the Information Security
Advisory Council (ISAC) to implement IT Security Governance. This governance committee
consists of the Chief Information Officer, Director of Safety and Security, Manager, Institutional
Records Management, Director of Finance and the Information Security Officer. The ISAC
sponsors audits, PCI-DSS implementation, copyright policy and compliance training. This
committee also has responsibility for the Security architecture domain in our EA practice. The
ISAC created two top level policies: 3501 – Acceptable Use of Information Technology and
3502 - Information Security. (British Columbia Institute of Technology, 2009) These policies
and the ISAC are the backplane for IT Security Governance in BCIT’s Enterprise Architecture
and fit with Deming’s Plan step. (de Sousa, 2007)
Assets and Responsibilities (Deming – Do)
There are four main activities in this category: Inventory Digital Assets, Develop and Update
System Descriptions, Establish and Update Ownership and Custody of Assets and Designate
Security Responsibilities and Segregation of Duties. There is a requirement of the BCIT 3502 –
Information Security policy to inventory systems and establish system ownership for the purpose
of designing security access. (British Columbia Institute of Technology, 2009) This process is
essential to determine who gets access to secure systems and defining access controls for the
BCIT community. These activities fit with Deming’s Do step for continual improvement.
Compliance (Deming – Check)
There are five main activities in this category: Determine and Update Compliance Requirements,
Map Assets to Table of Authorities, Map and Analyze Data Flows, Map Cybercrime and
Security Breach Notification Laws and Cross-Border Cooperation with Law Enforcement to
Data Flows and Conduct Privacy Impact Assessments and Privacy Audits. Each year most
organizations go through a financial audit. At BCIT, a component of the annual financial audit is
an IT security audit. The auditors look at our IT systems and particularly the protections and
security around financial transactions. With each audit there are recommendations for improving
our treatment of secure transactions and access controls. These recommendations fit with
Deming’s Check step and enable our organization to continually improve our IT Security
program.
Assessment and Strategy (Deming – Act)
There are four main activities in this category: Conduct Threat, Vulnerability, and Risk
Assessments (including System C&As), Determine Operational Criteria, Develop and Update
Security Inputs to the Risk Management Plan and Develop and Update Enterprise Security
Strategy (ESS). Each year, BCIT proactively conducts vulnerability assessments and external
penetration tests, and the findings lead to changes in our security practices. Placing emphasis on actively
testing our IT Security Governance framework fits with Deming’s Act step for continual
improvement.
Conclusion
IT Security Governance is a strategic practice that ensures appropriate security capabilities are
available and adequately funded to maintain effective cybersecurity program planning and
decision making. Organizations and agencies that invest in IT Security Governance are able to
manage the use of their assets securely, manage enterprise risk internally and externally and help
ensure the ongoing viability of their operations.
Information Security Governance is part of an integrated “governance structure that includes
strategic planning, enterprise architecture, program management, capital planning, security and
workforce planning.” (Bernard S. A., 2005, p. 33) Information Security Governance is captured
in the Security Architecture Framework and is used “to define security strategies, policies,
standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho,
2007, p. 11)
By taking W. Edwards Deming’s Plan-Do-Check-Act continuous improvement model as the
guiding principle for IT Security Governance, organizations and agencies will benefit from a
consistent cybersecurity program focusing on secure business management and operations.
References
Allen, J. H., & Westby, J. R. (2007). Governing for Enterprise Security (GES) Implementation
Guide. Pittsburgh: Software Engineering Institute, Carnegie Mellon.
Balanced Scorecard Institute. (1998). The Deming Cycle. Retrieved from Balanced Scorecard
Institute: http://www.balancedscorecard.org/TheDemingCycle/tabid/112/Default.aspx
Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL:
AuthorHouse.
Bernard, S., & Ho, S. M. (2007, Oct 29). Enterprise Architecture as Context and Method for
Implementing Information Security and Data Privacy. Washington, DC, USA.
British Columbia Institute of Technology. (2009). 3501 - Acceptable Use of Technology.
Retrieved from Policies: http://www.bcit.ca/files/pdf/policies/3501.pdf
British Columbia Institute of Technology. (2009). 3502 - Information Security. Retrieved from
Policies: http://www.bcit.ca/files/pdf/policies/3502.pdf
de Sousa, L. (2007, Jun 22). EA Model V.2. Retrieved Jan 18, 2012, from Enterprise Architecture
in Higher Education: http://leodesousa.ca/2007/06/ea-model-v2/
Foreign Affairs and International Trade Canada. (2011, Oct 14). Cybercrime. Retrieved Feb 2,
2012, from International Security: http://www.international.gc.ca/crime/cyber_crime-criminalite.aspx?view=d
Harris, S. (2006, Aug). Information Security Governance Guide. Retrieved Feb 1, 2012, from
TechTarget: http://searchsecurity.techtarget.com/tutorial/Information-Security-Governance-Guide
IT Governance Institute. (2006). Information Security Governance: Guidance for Board of
Directors and Executive Management, 2nd Edition. Rolling Meadows, Illinois, USA.
Sternstein, A. (2011, Aug 02). Debt deal could be a blow for cybersecurity. Retrieved from
Nextgov: http://www.nextgov.com/nextgov/ng_20110802_1799.php?oref=topstory
wiseGEEK. (2011). What Is a Cyberattack? Retrieved from wiseGEEK:
http://www.wisegeek.com/what-is-a-cyberattack.htm