Monday, February 21, 2011

Ch. 3 Information Security and Risk Management

The third chapter, as the title implies, deals with managing the risks a company faces and the role information security plays in that. This is not the most technical area in itself, but it is the starting point for the rest of the security domains. Without a valid security plan, the other security measures become nothing more than very expensive squirt guns. You may be able to use them to handle small problems, but one large issue or security exploitation can cause major damage, whereas a well-developed security program provides greater protection against the more dangerous issues.

As hinted at in the previous post, the key to a successful security program is the involvement of management in a top-down approach. In a well-formed company, the information owners, generally senior executives, are responsible for establishing resource access guidelines, and the security administration is responsible for making sure these guidelines are implemented correctly. Basically, the people at the top need to lay out who gets what access, and the security administration should be responsible only for the technical part of it. One important reason for this approach is the validation of due care. This legal term means that management made an effort to protect the company's assets, which protects them from being held legally responsible for claims of negligence. Having a top-down security structure is one way of helping to prove that due care was taken if a situation ever arises.

In order to implement a program, three levels of controls are utilized: administrative, technical, and physical. The first layer protecting sensitive information is made up of the administrative controls. These include personnel screening, policy development, general risk management, and so on. The second layer is formed by the technical (or logical) controls. This is what is traditionally thought of when one talks about security work: access control mechanisms, password management, infrastructure configuration, authentication methods, etc. The final layer consists of the physical controls. These include anything from security guards to fences to intrusion monitoring.
