Skip to main content

Perspective: Getting information security buy in?

Businesses function to provide a service, product or even experience to their customers.
The services and production of these products are supported by the implementation of information
management systems. This relationship can be seemingly simple and straightforward. However,
in a world where there is increasing competitiveness and criminal elements working to endanger
an organizations reputation (espionage) and business viability companies need to embed controls,
practices, procedures policies to protect the core functions.
Security of information systems needs to be embedded as part of the policies, procedures
and practices of an organization so that it is seamless and integrated. Organizations today would
attribute to the effects of implementing a control in terms of numbers (financial cost). (Wilson,
2008) For example, the cost of not implementing encrypting a database in an organization that
stores personally identifiable information should outweigh the encryption costs. Coupled with
costs, should be the likely-hood of any attacks occurring to steal or destroy information or services.
Both combine to give an idea of the overall costs to the organization.
(Nellis, 2003) The buy-in of upper management with respect to implementing security
awareness measures and controls is extremely important to support a top-down approach. In fact,
management should not be made to "buy-in" to the idea of security awareness measures but ideas
should be filtered down. In my opinion, senior management should be aware of the type of business
they have, their assets, the value of their assets and how to effectively deliver their business
functions with security in mind. In addition, with various laws, compliance regulations and best
practices available some security measures are unavoidable and mandatory like PCI-DSS and
HIPAA. Senior managements support for improving security awareness is crucial to ensure polices, practices and procedures and implemented from top to bottom and everyone is aware of
their role, responsibilities and consequences.

References

Nellis, R. (2003). Creating an IT Security Awareness Program for Senior Management.
Wilson, J. (2008). Selling Security to the Board. 

Labels:

Comments

Post a Comment

Popular posts from this blog

Summary: NIST SP 800-64 Rev 2

Although there may be numerous methodologies available today for developing software whether it is based on a sequential, prototyping or even iterative model, the absence of security at each phase will render applications being vulnerable and easily exploitable when deployed. NIST 800-64 Rev. 2 provides a guide that incorporates security into a sequential model of a SDLC. Currently, at my organization this type of model is preferred since there are small development teams. One of the first recommendations made by is NIST 800-64 Rev. 2 is based on policy and guidelines. It states that there should be a written SDLC policy tailored to suit whether the business develops its own software or outsources software development and even maintenance. At my organization, there is a mesh of both. Large complex enterprise systems are usually outsourced while smaller manageable applications are developed in-house where there may not be an alternative available at a low cost. For example, human re...
1 comment
Read more

Summary: NIST SP 800-61 Rev 2

On another note, with respect to incident response management, the purpose is to provide a plan for a clear path of resolving a security breach. According to the Special Publication NIST 800-61 Rev. 2, the first thing that an organization should do is establish a clear organizational meaning of the word “incident”. It provides a guide to incident handling and recommends establishing response capabilities, incident response policies, an IR plan, procedures, information sharing mechanisms, team structure and even collaboration with external groups. The team’s structure, the services they provide along with the policies and procedures are established. This team consists of: internet service providers, incident reporters, law enforcement agencies, software and support vendors, customers and media as well as other teams. The recommended incident handling procedure consists of: preparation, detection and analysis, containment, eradication and recovery. During the preparation phase, the s...
1 comment
Read more

Software Defined Networks: An Introduction

Description of the technology (Urias, Stout, & Loverro, 2015) Software defined networks (SDNs) is an emerging technology that is changing the defense and networking paradigm. (Hande, Jadhav, Patil, & Zagade, n.d.) Traditionally, network devices like switches and routers, using protocols (on the control plane) such as Open Shortest Path First(OSPF), Border Gateway Protocol(BGP) and Spanning Tree Protocol(STP) determine the best port or interface to forward packets (on the data plane). These routing protocols use static information such as hop count to determine the best path through the network. Moreover, (Ali, Sivaraman, Radford, & Jha, 2015) this decentralized method of network management is the leading cause of network faults and bugs due to errors during configuration. Not to mention, a proliferation of ’internet ossification phenomenon’ which is basically the stagnated network innovation. Additionally, there was no segregation of control and data plane which is har...
Post a Comment
Read more