Reply To: OCU ISSO Week 1 Lesson 02 Discussion
Information security management plays a key role in the success of a business because it is that security that keeps the company's assets safe and secure. Information security must align with the mission, goals, and objectives of the business it is working with. Information security must also be business-enabled, meaning information security cannot impede the business. Lastly, information security must have good process enhancement: information security facilitates good productivity by protecting against any and all risks.
Key factors of security management include policy, budget, resources, and authority. Good security management has in place the correct policies to make sure everyone is following the same policies and procedures and that everyone involved has the same goals and end plan in mind. A good security management team or firm makes sure that they understand what the budget is and that they follow that budget. If problems arise, they need to make sure they inform the correct management team members about over-costs or under-costs on the budget. They also make sure that all available and current resources are in place so that the security management team has what it needs to secure the company's assets. It is difficult to protect a company and ensure that the company is successful if you don't have the right resources to perform the job. A good security management team makes sure that the correct authority is in place not only in their team but also in the company they are protecting. They need to make sure that the correct authority chain of command is followed and that all involved know their specific role.
There are several types of controls used in security management. One is administrative controls, which include policies, procedures, and guidelines, employee management, testing and drilling, risk management and analysis, and awareness training. A second type of security management control is technical or logical controls. These include firewalls, IDS/IPS, encryption, access control techniques, and various system protocols. The third type is physical controls. These include things like doors, windows, walls, locks, security guards, fencing, and lighting.
The ownership chain consists of four categories. The first includes the senior management and the board of directors who are ultimately responsible for the information security program. The security manager is responsible for leading the security program and is trusted and familiar with the system. The security officer works under the security manager and is a certified professional who can design and implement the program. Physical security personnel are responsible for protecting buildings and managing access to the physical buildings.
The second category includes the information (data) owner who is responsible for the protection of the organization’s information. The system owner is responsible for specific computers on behalf of the business unit. The data custodian is required to implement and maintain controls to provide the protection level dictated by the data owner. The user is responsible for protecting the information to which they have been entrusted.
The third category includes local managers who are responsible for day-to-day security awareness and the auditors who are responsible for independent, objective, and systematic evaluation of protection.