- Defining Security Principles
- Security Management Planning
- Risk Management and Analysis
- Policies, Standards, Guidelines, and Procedures
- Examining Roles and Responsibility
- Management Responsibility
- Understanding Protection Mechanisms
- Classifying Data
- Employment Policies and Practices
- Managing Change Control
- Security Awareness Training
Security Management Planning
Understand the principles of security management.
Planning for information security begins with preparing the information security policies that will guide the entire information security program. To create the policy, management should plan to perform a risk analysis on the information assets to be protected. The risk analysis identifies the assets, determines the risks to them, and assigns a value to their potential loss. Using these results, management can decide on the policies that best protect those assets by minimizing or mitigating the risks.
The final aspect of information security management is education. Management is responsible not only for backing the policy, but also for including in it the policies, and the backing, needed to educate users on those policies. Through security awareness training, users should know and understand their roles under the policies. This is discussed further in the "Security Awareness Training" section, later in this chapter.
Managing an information security program changes with the release of every new operating system and with every new communications enhancement. Over the years, network technology has changed how information assets are protected. In the past, data was stored and accessed through mainframes where all the controls were centralized. Networked systems change this paradigm by distributing data across the network.
It does not help that network protocols were invented to share information, not with security in mind. In the beginning, security was left up to each system's manager in a small community of network users. As the technology grew, information assets became less centralized, and management faced the problem of maintaining the integrity of the network and of the information used on the systems attached to it. Although there is a move to centralize the management of servers and information security, information security management must take into account every point that the information assets touch.
Network's Importance to Security Management
Network management is also important to security management. You should understand the roles of networks and some of the tools, such as virtual private networks (VPNs) and extranets.
Network computing has brought new paradigms to the sharing of information. Using technologies such as virtual private networks (VPNs) and extranets, organizations can forge new types of relationships based on sharing information assets. These partnerships have organizations connecting their networks to share information in a way that was unheard of as recently as 10 years ago. Managers planning these partnerships should also keep in mind how to maintain the security of the other information assets not covered by those agreements. Both organizations should consider performing a risk analysis specific to the connectivity the partnership requires, so that appropriate protections can be put in place.