lecture 2 infosec

Cards (24)

  • Key Components of Planning: 
    • Involves various communities of interest both internally and externally such as employees, managers and stakeholders. 
    • Steps of actions aimed at achieving specific goals over a period of time, followed by monitoring and controlling their implementation. 
  • Values statements
    Principles and standards guiding behavior and performance
  • Mission
    The organization's business and target audience, gives an idea of what they do and for whom
  • Vision
    Future goals of the organisation, where it aims to go
  • Strategic Planning Overview: 
    • Sets the long-term direction of the organization and commits resources to pursue it. 
    • Aligns resources with specific goals and defines how to achieve them. 
  • Role of Information Security: 
    • must align with and support strategic plans of all business units. 
    • Conflict could arise with IT as it focuses on efficient information delivery. 
  • Planning Levels: 
    • Strategic Planning: 
      • Sets long-term goals. 
      • Translates into tactical plans. 
    • Tactical Planning: 
      • Short-term focus on goals (1-3 years). 
      • Breaks down strategic goals into achievable objectives. 
    • Operational Planning: 
      • Manages day-to-day tasks. 
      • Coordinates activities across departments. 
  • Components of a Strategic Plan: 
    • Executive Summary 
    • Mission, Vision, and Values Statements 
    • Organizational Profile and History 
    • Strategic Issues and Challenges 
    • Organizational Goals and Objectives 
    • Major Business Units (or Product/Service) Goals and Objectives 
    • Appendices (market analyses, budgets, etc.) 
  • Understanding Information Security Governance: 
    • Responsibilities and practices of the board and executive management. 
    • Provides strategic direction, ensures goals are achieved, manages risk, and ensures resources are used responsibly. 
  • Benefits of Information Security Governance: 
    • Increased share value 
    • Reduced uncertainty 
    • Legal protection 
    • Resource optimization 
    • Policy compliance 
    • Effective risk management 
    • Accountability 
    • Information accuracy 
  • ISO/IEC 27014: Governance of Information Security:
      1. Establish organization-wide information security. 
      2. Adopt a risk-based approach. 
      3. Guide investment decisions. 
      4. Ensure compliance with internal and external requirements. 
      5. Promote a security-positive environment. 
      6. Evaluate performance in relation to business outcomes. 
  • SecSDLC
    Security Systems Development Life Cycle
  • CISO
    • Creates strategic InfoSec plans
    • Suggests security solutions
    • Develops action plans, budgets, and reports for top management
  • Maintenance
    • Requires constant monitoring, testing, and updating of InfoSec systems
  • Implementation
    Combining SDLC with project management
  • SDLC
    Systems Development Life Cycle
  • Translation Process: 
    • General strategy is transformed into specific strategies/plans. 
    • Strategic planning is further translated into lower-level tactical and operational plans. 
  • Operational planning—Clearly identified coordination activities across department boundaries, communications requirements, weekly meetings, summaries, progress reports, and associated tasks.
  • SDLC: a tried-and-true approach that combines sound project management practices to develop key project milestones, allocate resources, select personnel, and perform the tasks needed to accomplish a development project’s objectives. SDLC involves the general methodology for design and implementation of an information system in an organization.
  • SecSDLC: aligned with risk management practices. Involves identifying specific threats and risks, and the subsequent design and implementation of specific controls to counter those threats and assist in management of the risk. SDLC involves the general methodology for design and implementation of an information system in an organization.
  • Major objectives of SecSDLC
    • Investigation
    • Analysis
    • Logical design
    • Physical design
    • Implementation
    • Maintenance
  • Managerial controls address the design and implementation of the security planning process and security program management. 
  • Operational security controls deal with the operational functionality of security in the organisation. They cover management functions and lower-level planning such as disaster recovery and incident response planning (IRP). 
  • Technical controls address the technical approaches used to implement security in the organisation.