To develop a security plan from scratch, there are three steps I would implement first in the plan.

a) Business impact analysis (BIA) and risk assessment

The first question is to understand the impact of a loss or reduction of business functionality. I would first identify the organization's most critical assets and the threats to them through a BIA and risk assessment exercise. This makes it possible to create a plan that determines how to be most effective tactically and how to achieve strategic success.

b) Assess the situation: how will this work?

With a snapshot of business functions and risks in hand, it is time to assess the resources. This includes existing resources (personnel as well as software, etc.) and potential resources (budgeted items, management's flexibility for unplanned spending, etc.). Identifying the resources and the gaps between what exists and what is needed gives a clear view of the current situation and of the company's overall security posture. As this picture develops, it becomes easier to map out how to address the gaps with the resources available. During the assessment phase, find out the annual business and departmental objectives, ask the departments what they need to be successful, and then think about how the security program can assist them in reaching those goals.

c) Get to know the family

It is important to figure out who the right people in the organization are, so that they can be approached to help execute the security program. Showing other groups how their jobs can be made easier while they help manage risk and protect the company's assets effectively extends the reach of security. For example, the Human Resources department is essential because it manages the relationship between the company and its employees; when HR handles functions such as employee misconduct, terminations, and other delicate issues, it will surely consider including information security.