


Question

Information is often considered the most important asset of a corporation. Security of data and systems provides a critical foundation for the successful operation of an enterprise. Your project for this course is to investigate potential security technologies, policies and practices which can play an important role in addressing security issues experienced by organizations. It will be completed in two parts. You need to submit the project at the end of Week 10. Part 1 of the project: You will first identify an organization, an important IT system or application used within the organization, and potential security risks and threats to the system.

At a minimum, your project report shall include the following elements:

1. Description of the Organization
2. Business and Systems Overview of Selected IT System (purpose and benefits of system)
3. Detailed System Description (including flow charts, diagrams and input and output descriptions)
4. Summary of Potential Threats and Security Risks to the System
5. Implications for the confidentiality, integrity and availability of the system or application.

Explanation / Answer

A good security program provides the big picture for how you will keep your company’s data secure. It takes a holistic approach that describes how every part of your company is involved in the program. A security program is not an incident handling guide that details what happens if a security breach is detected.

Your security program defines what data is covered and what is not. It assesses the risks your company faces, and how you plan to mitigate them. It indicates how often the program will be re-evaluated and updated, and when you will assess compliance with the program. The key components of a good security program are outlined in the following sections.

1. Designated security officer
For most security regulations and standards, having a Designated Security Officer (DSO) is not optional — it’s a requirement. Your security officer is the one responsible for coordinating and executing your security program. The officer is your internal check and balance. This person or role should report to someone outside of the IT organization to maintain independence.

2. Risk assessment
This component identifies and assesses the risks that your security program intends to manage. This is perhaps the most important section because it makes you think about the risks your organization faces so that you can then decide on appropriate, cost-effective ways to manage them. Remember that we can only minimize, not eliminate, risk, so this assessment helps us to prioritize them and choose cost-effective countermeasures. The risks that are covered in your assessment might include one or more of the following:

3. Policies and Procedures
Preparing your risk assessment hopefully gave you lots to worry about. The policies and procedures component is the place where you get to decide what to do about them. Areas that your program should cover include the following:

Authentication, authorization, and accountability establishes procedures for issuing and revoking accounts. It specifies how users authenticate, password creation and aging requirements, and audit trail maintenance.

Security awareness makes sure that all users have a copy of your acceptable use policy and know their responsibilities; it also makes sure that your IT employees are engaged in implementing your IT-specific policies.

Risk assessment states how often you will reassess the potential threats to your IT security and update your security program.

Incident response defines how you will respond to security threats, including potential (such as unauthorized port scanning) and actual incidents (where security has been compromised). We discussed the importance of having an incident-handling guide in the Q1 2006 issue of The Barking Seal.

Virus protection outlines how you protect against viruses. This might include maintaining workstation-based products and scanning email, Web content, and file transfers for malicious content.

Business continuity planning includes how you will respond to various man-made and natural disaster scenarios. This includes setting up appropriate backup sites, systems, and data, as well as keeping them up-to-date and ready to take over within the recovery time you have defined.

Relationships with vendors and partners defines who these organizations are, what kind of data you might exchange with them, and what provisions must be in your contracts to protect your data. This is an often-overlooked aspect of data security because your IT organization probably has not had a lot of interaction with your legal organization over vendor contracts. You may need to take measures such as evaluating your partners’ ability to safeguard your data and insisting on having reasonable security practices in place.