Thursday, September 25, 2014

Information Security Policy

Access Control Lists

Access control lists include the user access lists, matrices, and capability tables that govern the rights and privileges of users. ACLs can control access to file storage systems, object brokers, or other network communications devices. A capability table specifies which subjects and objects users or groups can access.
ACLs enable administrators to restrict access according to the user, the computer, the time, the duration, or even a particular file.
ACLs regulate:
·         Who can use the system
·         What authorized users can access
·         When authorized users can access the system
·         Where authorized users can access the system from
·         How authorized users can access the system.
Access to files and applications can be restricted with four types of privileges:
·         Read
·         Write
·         Execute
·         Delete
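The who/what/when/where/how checks and the four privileges above can be made concrete in a small evaluator. The following is an added example written for this page, not code from Whitman and Mattord: each ACL entry names a subject (user or group), an object, a set of privileges, and optionally a time-of-day window and the source networks a request must come from. Explicit deny entries win over allows, and a request that matches no entry is denied. The same rules are also projected into a subject-centric capability table, which is the other representation the text mentions. All names, paths and network ranges are constructed for illustration.

```python
"""Access control list evaluator (added example, not from the book).

An entry answers the who / what / when / where / how questions:
  who   - the subject (user or group) the entry names
  what  - the object the entry protects
  when  - an optional inclusive time-of-day window
  where - optional source networks the request must originate from
  how   - the privilege requested: read, write, execute or delete
Explicit deny beats allow; no matching entry means deny (default deny).
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PRIVILEGES = frozenset({"read", "write", "execute", "delete"})


@dataclass(frozen=True)
class AclEntry:
    subject: str                      # user or group name
    obj: str                          # protected object (file, share, device)
    privileges: frozenset             # subset of PRIVILEGES this entry covers
    allow: bool = True                # False makes this an explicit deny
    hours: Optional[Tuple[time, time]] = None  # inclusive (start, end) window
    networks: Tuple[str, ...] = ()    # CIDR blocks the request must come from

    def __post_init__(self):
        unknown = self.privileges - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    obj: str
    privilege: str
    at: time
    source_ip: str


def entry_applies(entry: AclEntry, req: Request) -> bool:
    """True if subject, object, privilege, time window and network all match."""
    if entry.subject != req.user and entry.subject not in req.groups:
        return False
    if entry.obj != req.obj or req.privilege not in entry.privileges:
        return False
    if entry.hours is not None and not (entry.hours[0] <= req.at <= entry.hours[1]):
        return False
    if entry.networks:
        ip = ip_address(req.source_ip)
        if not any(ip in ip_network(cidr) for cidr in entry.networks):
            return False
    return True


def evaluate(acl, req: Request):
    """Return (allowed, reason). Deny entries take precedence; default deny."""
    if req.privilege not in PRIVILEGES:
        return False, f"unknown privilege {req.privilege!r}"
    applicable = [e for e in acl if entry_applies(e, req)]
    for e in applicable:
        if not e.allow:
            return False, f"explicit deny for {e.subject} on {e.obj}"
    if applicable:
        e = applicable[0]
        return True, f"allowed by entry for {e.subject} on {e.obj}"
    return False, "no matching entry (default deny)"


def decide(acl, user, groups, obj, privilege, clock, source_ip) -> bool:
    """Convenience wrapper; clock is an 'HH:MM' string."""
    req = Request(user, frozenset(groups), obj, privilege,
                  time.fromisoformat(clock), source_ip)
    return evaluate(acl, req)[0]


def capability_table(acl, user, groups, clock, source_ip):
    """Subject-centric view of the same rules: object -> privileges the
    subject holds at this time and from this address (the implied capability table)."""
    table = {}
    for obj in sorted({e.obj for e in acl}):
        granted = {p for p in PRIVILEGES
                   if decide(acl, user, groups, obj, p, clock, source_ip)}
        if granted:
            table[obj] = granted
    return table


# Constructed sample ACL (illustrative names and networks only).
SAMPLE_ACL = (
    # payroll staff: read/write during business hours, from the office LAN only
    AclEntry("payroll", "/finance/payroll.db", frozenset({"read", "write"}),
             hours=(time(8, 0), time(18, 0)), networks=("10.10.0.0/16",)),
    # auditors: read-only, any time, any source
    AclEntry("auditors", "/finance/payroll.db", frozenset({"read"})),
    # contractors: explicitly denied everything, regardless of other group membership
    AclEntry("contractors", "/finance/payroll.db", PRIVILEGES, allow=False),
    AclEntry("everyone", "/public/handbook.pdf", frozenset({"read"})),
)

if __name__ == "__main__":
    print(capability_table(SAMPLE_ACL, "alice", {"payroll", "everyone"}, "10:00", "10.10.5.7"))
    print(evaluate(SAMPLE_ACL, Request("alice", frozenset({"payroll"}), "/finance/payroll.db",
                                       "write", time(20, 0), "10.10.5.7")))
```

Running the script shows the same user holding read and write on the payroll database at 10:00 from the LAN, but only read on the public handbook once the window closes at 20:00; a user who is in both the payroll and contractors groups is denied because the explicit deny entry wins.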

Configuration Rules

Configuration rules are the instructional codes that guide how a system executes as information passes through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly.

Guidelines for Effective Policy

An effective approach has six stages: development, distribution, review, comprehension, compliance, and uniform enforcement. A policy must be:
·         Developed using industry-accepted practices
·         Distributed using all appropriate methods
·         Read by all employees
·         Understood by all employees
·         Formally agreed to by act or affirmation
·         Uniformly applied and enforced.

Policy Compliance

Policy compliance means the employee must agree to the policy. According to Whitman, policies must be agreed to by act or affirmation. Agreement by act occurs when the employee performs an action that requires them to acknowledge understanding of the policy prior to using a technology or organizational resource.

Policy Enforcement

The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny.

Reference: Management of Information Security by Whitman and Mattord

Saturday, September 20, 2014

Contingency Planning (CP)

The overall process of preparing for unexpected adverse events is called contingency planning. The goal of contingency planning is to restore normal modes of operation with minimal cost and disruption to normal business activities after an unexpected adverse event.
During contingency planning, the information security community and the respective organizational units prepare to detect, react to, and recover from events that threaten the security of information resources and assets, including human, information, and capital assets.

Components of CP:

·         Business impact analysis (BIA)
·         Incident response plan (IR Plan)
·         Disaster recovery plan (DR Plan)
·         Business Continuity Plan (BC Plan).

According to NIST, the following steps are required to develop a CP:

·         Develop the policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
·         Conduct the BIA. The BIA helps identify and prioritize information systems and components critical to supporting the organization's mission/business processes.
·         Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
·         Develop a contingency plan. The contingency plan should contain detailed guidance and procedures for restoring damaged organizational facilities, tailored to each business unit's impact level and recovery requirements.
·         Ensure plan testing, training, and exercises. Testing validates recovery capabilities, training prepares recovery personnel for plan activation, and exercising the plan identifies planning gaps; combined, these activities improve plan effectiveness and overall organizational preparedness.
·         Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.

Reference: Management of Information Security by Whitman and Mattord

Sunday, September 14, 2014

IT Governance and Benefits

According to the Information Technology Governance Institute (ITGI), governance includes all the accountability and methods undertaken by the board of directors. IT governance focuses specifically on information technology systems, their performance, and risk management.

Benefits of Information Security Governance

  • An increase in share value for organizations
  • Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels.
  • Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care.
  • Optimization of the allocation of limited security resources
  • Assurance of effective Infosec Policy and policy compliance.
  • A firm foundation for efficient and effective risk management, process improvement, and rapid incident response.
  • A level of assurance that critical decisions are not based on faulty information.
  • Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response.

Reference: Management of Information Security by Whitman and Mattord

Wednesday, September 3, 2014

Information Security Project Management Areas

Project Scope Management
Project scope management ensures that the project plan includes only those activities that are necessary to complete it. One thing that undermines many projects once they are underway is scope creep. Scope creep occurs when the quantity or quality of project deliverables is expanded beyond the original project plan.
Project scope management includes:
·         Scope Planning
·         Scope definition
·         Scope verification.
Project Time Management
Project time management entails ensuring that the project is finished by the identified completion date while meeting its objectives. Failure to meet deadlines is one of the most frequently cited failures in project management.
Once the time and resources a project needs have been estimated, trimming either requires reducing the quantity or quality of the deliverables.
Project time management includes:
·         Activity definition
·         Activity sequencing
·         Activity duration estimating
·         Schedule development
·         Schedule control.
Project Cost Management
Cost management includes the processes required to ensure that a project is completed within the resource constraints placed on it. Some projects are planned using only a financial budget, from which all resources (personnel, equipment, supplies, and so forth) must be obtained.
Cost management includes:
·         Resource Planning
·         Cost Estimating
·         Cost Budgeting
·         Cost Control
Project Quality Management
Quality management includes the processes required to ensure that the project adequately meets the project specifications.
If the deliverables of the project meet the requirements specified in the project plan, then the project has met its quality objectives.
Quality management includes:
·         Quality planning
·         Quality Assurance
·         Quality control.
Project Human Resource Management
Human resource management includes the processes necessary to ensure that the personnel assigned to a project are effectively employed.
Human resource management must address factors such as the following:
·         Not all workers operate at the same level of efficiency; in fact, wide variance in the productivity of individuals is the norm. Project managers must accommodate the work style of each project resource while encouraging every worker to be as efficient as possible.
·         Not all workers begin the project assignment with the same degree of skill. An astute project manager attempts to evaluate the skill level of some or all of the assigned resources to better match them to the needs of the project plan.
·         Skill mixtures among actual project workers seldom match the needs of the project plan. Therefore, in some circumstances, workers may be asked to perform tasks for which they are not necessarily well suited, and those tasks take longer and/or cost more than planned.
Information security projects have additional complexities, including:
·         Extended clearances may be required. Some infosec projects involve working in sensitive areas of the organization, so project managers may have restrictions placed on which resources can be used.
·         Infosec projects may deploy technology controls that are new to the organization, and in such cases there is no pool of skilled resources in that area from which to draw.
Human resource management includes the following processes:
·         Organizational planning
·         Staff acquisition
·         Team Development.
Project Communications Management
Communications management includes the processes necessary to convey to all involved parties the details of activities associated with the project. This includes the creation, distribution, classification, storage, and ultimate destruction of documents, messages, and other associated project information.
Communications management includes the following processes:
·         Communication Planning
·         Information Distribution
·         Performance reporting
·         Administrative closure
Project Risk Management
Risk management includes the processes necessary to assess, mitigate, manage, and reduce the impact of adverse occurrences on the project.
Risk management includes the following processes:
·         Risk identification
·         Risk quantification
·         Risk response development
·         Risk response control
Project Procurement Management
Procurement management includes the processes necessary to acquire needed resources to complete the project.
Procurement management includes the following processes:
·         Procurement planning
·         Solicitation planning
·         Solicitation
·         Source selection
·         Contract administration
·         Contract closeout.

Reference: Management of Information Security by Whitman and Mattord