CIS 377 Mid Term (Towson)
Security Awareness
Security Awareness -- One of the least frequently implemented, but most beneficial programs is the security awareness program. A security awareness program is designed to keep information security at the forefront of the users'
Security Education
Security Education -- Everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security.
Security as ...
Security as Art • Security as Science • Security as a Social Science
Security Training
Security training -- involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely.
Standards
Standards - are more detailed statements of what must be done to comply with policy. They have the same requirement for compliance as policy. The level of acceptance of standards may be informal, as in de facto standards. Or standards may be published, scrutinized, and ratified by a group, as in formal or de jure standards.
Team members:
Team members: Managers or their representatives from the various communities of interest: business, IT, and information security.
In some systems, capability tables are called user profiles or user policies.
Who can use the system • What authorized users can access • When authorized users can access the system • Where authorized users can access the system from
According to the National Institute of Standards and Technology's Special Publication 800-14, management must define three types of security policy:
• Enterprise information security policies • Issue-specific security policies • Systems-specific security policies
Components of IS
• Hardware • Software • Data • Procedures • Telecommunication • People
International Information Systems Security Certification Consortium, Inc. (ISC)2
(ISC)2 (www.isc2.org) is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials.
Policy versus Law
...
Access control lists (ACLs)
ACLs ... consist of the user access lists, matrices, and capability tables that govern the rights and privileges of users. A capability table specifies which subjects and objects users or groups can access.
Association of Computing Machinery (ACM)
ACM (www.acm.org) is a respected professional society, originally established in 1947, as "the world's first educational and scientific computing society."
Contingency planning (CP) is conducted by the organization to
CP is conducted to prepare for, react to, and recover from events that threaten the security of information and information assets in the organization. Contingency planning team members:
Champion:
Champion: A high-level manager who supports, promotes, and endorses the findings of the project
Civil law
Civil law represents a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.
Communications
Communications: security to protect an organization's communications media, technology, and content
Criminal law
Criminal Law addresses violations harmful to society and is actively enforced by the state.
Ethics
Ethics, in turn, are based on cultural mores, which are the fixed moral attitudes or customs of a particular group. Some ethics are recognized as universal among cultures.
Information Systems Audit and Control Association (ISACA) (www.isaca.org)
ISACA is a professional association with a focus on auditing, control, and security. Although it does not focus exclusively on information security, the Certified Information Systems Auditor (CISA) certification does contain many information security components.
ISSA (www.issa.org)
ISSA is a nonprofit society of information security professionals. As a professional association, its primary mission is to bring together qualified practitioners of information security for information exchange and educational development.
Plans for events of this type (an adverse event) include:
Incident response plans (IRPs) • Disaster recovery plans (DRPs) • Business continuity plans (BCPs)
Laws
Laws are rules that mandate or prohibit certain behavior in society. They are drawn from ethics, which define socially acceptable behaviors.
Managers in the IT ...
Managers in the IT and information security communities are called on to provide strategic planning to assure the continuous availability of information systems.
Mission (of an organization)
Mission (of an organization) is a written statement of an organization's purpose. The vision of an organization is a written statement about the organization's goals. Strategic planning is the process of moving the organization towards its vision.
Network security
Network security: to protect networking components, connections, and contents
Information security
Information security: to protect information assets
Operations security
Operations security: to protect the details of a particular operation or series of activities
Personal security
Personal security: to protect the individual or group of individuals who are authorized to access the organization and its operations
Physical security
Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse
For a policy to be effective and legally enforceable, it must be ...
A policy must be properly disseminated, read, understood, agreed to, and enforced equally upon all members of the organization.
Private law
Private law regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law. (Principles of Information Security, 3rd Edition)
Project manager:
Project manager: Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
Public law
Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.
SANS (www.sans.org)
SANS is a professional organization with a large membership dedicated to the protection of information and systems. SANS offers a set of certifications called the Global Information Assurance Certification or GIAC.
Policy
A plan or course of action used to convey instructions from an organization's senior-most management to those who make decisions, take actions, and perform other duties. Policies are organizational laws in that they dictate acceptable and unacceptable behavior within the context of the organization's culture. Like laws, policies must contain information on what is right and wrong, what the penalties are for violating policy, and what the appeal process is.