
Question

Information Technology for Management: Digital Strategies for Insight, Action, and Sustainable Performance (10th Edition)

(10 pts) In the implementation of improved cyber-security, an organization is focusing on implementing the ______________ model. Of the four (4) general steps of the model, the organization has obtained senior management commitment and support. What are the next two (2) steps of the process, in order, that the organization should now be focusing on implementing? At which of these steps are the notification procedures implemented?

Explanation / Answer

It is called the cyber security model (NIST).

The following are the remaining steps, along with when they have to be implemented:

1) Cybersecurity must be ‘business back’ rather than ‘technology forward’

Increasingly, companies will have to reverse their thinking to address cyberrisks. Rather than starting with technological vulnerabilities (say, the insufficient patching of servers or routers), they should first protect the most critical business assets or processes (such as customer credit card information)—what we call a “business-back” approach. Already, many large institutions have implemented multiyear programs to classify corporate data so they can focus cybersecurity efforts and policies on their most critical information assets. Corporations have begun to evaluate their cyberrisk profile across the full value chain, clarifying expectations with vendors and enhancing collaboration with key business partners. Some institutions have made cybersecurity a core part of the customer value proposition, establishing an ongoing dialogue on the right balance between collecting enough data to verify identity without forcing customers to spend too much time setting up or signing on to their online accounts. For these companies, cybersecurity could represent a business opportunity, as they create end-to-end customer experiences that are both convenient and secure.

2) Move from protecting the perimeter to protecting data

Most organizations have approached cybersecurity by trying to put increasingly sophisticated defenses around their perimeter. The reality is that a motivated attacker will likely find a vulnerability—or an employee may inadvertently create an opening (for example, by accidentally e-mailing sensitive customer information).

Progressive corporations are reorienting security architectures from devices and locations to roles and data. Ultimately, plugging your laptop into the network at a corporate location may enable you to do no more than reach publicly available Web sites. Accessing corporate data or applications, however, would require authentication of your identity.

Security will soon become a fundamental design decision in underlying technology architectures. If customer credit card information resides in a single database, for example, a cybercriminal would only have to breach security once to engage in fraudulent transactions. Separating credit card numbers and expiration dates vastly complicates the task. Since a malicious systems or database administrator can be much more dangerous than even the most careless end user, some IT organizations have started to limit the number of people who can access production systems and data, preventing not only application developers but also infrastructure architects and engineers from touching “live machinery.”

3) Refresh cybersecurity strategies to address rapidly evolving business needs and threats

We heard many respondents say that CEOs and other senior executives inquire how to “solve” cybersecurity. Corporations need to acknowledge that it is an ongoing battle. New digital assets and mechanisms for accessing them simply mean new types of attacks.

Already, many corporations are conducting simulated cyberattacks to identify unexpected vulnerabilities and develop organizational muscles for managing breaches. Some have built sophisticated capabilities to aggregate and analyze massive amounts of operational data (such as e-mail headers and IP traffic) to uncover emerging threats. In addition, corporations must make cybersecurity, such as the information security measures that need to be implemented before entering new geographies, a key part of the business case for major initiatives or new-product introductions.