Information Security Management: Learning from Leading Organizations

Jack L. Brock, Jr.

DIANE Publishing, 2000 - 68 páginas

With the dramatic increase in computer interconnectivity & the popularity of the Internet, the ultimate success of many of these efforts depends on an organization's ability to protect the integrity, privacy, & availability of data & systems. The information must be readily available with few disruptions in the operation of computer & telecommunications systems. While many factors contribute to information security deficiencies at federal agencies, the problem is that senior officials have not established a framework for reducing security risks associated with their operations. This report studies organizations that have superior security programs to identify practices that could be adopted by federal agencies.

Vista previa de este libro »

Contenido

Federal Information Security Is A Growing Concern	5

Leading Organizations Apply Fundamental Risk Management Principles	14

Assess Risk and Determine Needs	20

Recognize Information Resources as Essential Organizational Assets That Must Be Protected	21

Develop Practical Risk Assessment Procedures That Link Security to Business Needs	23

Hold Program and Business Managers Accountable	26

A Practical Method for Involving Business Managers in Risk Assessment	27

Manage Risk on a Continuing Basis	28

Support Policies Through the Central Security Group	47

Getting StartedImplementing Appropriate Policies and Related Controls	48

Promote Awareness	49

Continually Educate Users and Others on Risks and Related Policies	50

Use AttentionGetting and UserFriendly Techniques	51

Coordinating Policy Development and Awareness Activities	52

Monitor and Evaluate Policy and Control Effectiveness	53

Monitor Factors that Affect Risk and Indicate Security Effectiveness	54

Getting StartedAssessing Risk and Determining Needs	30

Establish A Central Management Focal Point	31

Transforming an Organizations Central Security Focal Point	32

Designate a Central Group to Carry Out Key Activities	33

Provide the Central Group Ready and Independent Access to Senior Executives	35

Designate Dedicated Funding and Staff	36

Enhance Staff Professionalism and Technical Skills	38

Getting StartedEstablishing a Central Focal Point	41

Implement Appropriate Policies and Related Controls	42

Link Policies To Business Risks	43

Distinguish Between Policies and Guidelines	45

Developing an Incident Database	56

Use Results to Direct Future Efforts and Hold Managers Accountable	58

Measuring Control Effectiveness and Management Awareness	59

Be Alert to New Monitoring Tools and Techniques	60

Getting StartedMonitoring and Evaluating Policy and Control Effectiveness	61

Conclusion	62

GAO Guides on Information Technology Management	63

NISTs Generally Accepted Principles and Practices for Securing Information Technology Systems	64

Major Contributors to This Executive Guide	65

GAO Reports and Testimonies on Information Security	66

Términos y frases comunes

Assess Risk automated systems business managers business operations business risks business units central group central security group central security management Chief Information Officer CISSP Clinger-Cohen Act compliance Computer Security Control Effectiveness Determine Needs developed discussed efforts electronic employees Evaluate Point Promote example expertise federal agencies federal information security Financial Audit financial services corporation helped ensure identify important Information Management information protection information resources information security policies information security programs information security risks Internet levels below CIO monitoring tools NIST organization's information security organizational policies organizations we studied Paperwork Reduction Act Point Promote Awareness policies and controls policies and guidelines Policies and Related related controls relied reported Risk & Determine risk assessment Risk Management Principles risks associated security administrators security incidents security management groups security specialists security weaknesses senior executives senior security staff system administrators techniques university we studied users vulnerabilities

Pasajes populares

Página 45 - Information is a corporate asset .... Information must be protected according to its sensitivity, criticality and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed, " (2) outlined the responsibilities of information owners, custodians, and users, (3) defined the organization's three data classification categories, and (4) stated that each business unit should develop an information protection program to...‎

Aparece en 7 libros desde 1998-2004

Página 27 - ... predetermined control requirements, as was the case at the financial services corporation and the manufacturing company discussed previously or (2) provided the results of risk assessments, as was the case of the utility company described in the following case example. According to the security managers, such sign-off requirements helped ensure that business managers carefully considered their decisions before finalizing them. A major electric utility company has developed an efficient and disciplined...‎

Aparece en 6 libros desde 1998-2005

Página 9 - ... individual agencies. Although many of these recommendations have been implemented, similar weaknesses continue to surface because agencies have not implemented a management framework for overseeing information security on an agencywide and ongoing basis. A list of our previous reports and testimonies on information security is provided at the end of this guide. Requirements Are Outlined in Laws and Guidance The need for federal agencies to protect sensitive and critical, but unclassified, federal...‎

Aparece en 11 libros desde 1998-2001

Página 19 - Establish a central management focal point 5. Designate a central group to carry out key activities 6. Provide the central group ready and independent access to senior executives 7. Designate dedicated funding and staff 8. Enhance staff professionalism and technical skills Implement appropriate policies and related controls 9.‎

Aparece en 12 libros desde 1998-2006

Página 62 - We are on the verge of a revolution that is just as profound as the change in the economy that came with the industrial revolution. Soon electronic networks will allow people to transcend the barriers of time and distance and take advantage of global markets and business opportunities not even imaginable today, opening up a new world of economic possibility and progress." Vice President Albert Gore, Jr., in the Administration's July 1997 report, A Framework For Global Electronic Commerce To achieve...‎

Aparece en 6 libros desde 1998-2004

Página 38 - The CISSP certification was established by the International Information Systems Security Certification Consortium. The consortium was established as a joint effort of several information security-related organizations, including the Information Systems Security Association and the Computer Security Institute, to develop a certification program for information security professionals.‎

Aparece en 5 libros desde 1998-2007

Página 11 - ... programs in order to identify practices that could be applied at federal agencies. We focused primarily on the management framework that these organizations had established rather than on the specific controls that they had chosen, because previous audit work had identified security management as an underlying problem at federal agencies. Although powerful technical controls, such as those involving encryption, are becoming increasingly available to facilitate information security, effective...‎

Aparece en 10 libros desde 1998-2002

Página 26 - ... Security manager at a major equipment manufacturer The organizations we studied were unanimous in their conviction that business managers must bear the primary responsibility for determining the level of protection needed for information resources that support business operations. In this regard, most held the view that business managers should be held accountable for managing the information security risks associated with their operations, much as they would for any other type of business risk....‎

Aparece en 8 libros desde 1998-2000

Página 34 - Assessing risks and identifying needed policies and controls for general support systems, such as organizationwide networks or central data processing centers, that supported multiple business units. For example, some central groups controlled all new connections to the organization's main network, ensuring that the connecting network met minimum security requirements. Similarly, one organization's central group was instrumental in acquiring a strong user authentication system to help ensure that...‎

Aparece en 5 libros desde 1998-2000

Página 15 - Maintain customer, constituent, stockholder, or taxpayer confidence in the organization's products, services, efficiency, and trustworthiness Protect the confidentiality of sensitive personal and financial data on employees, clients, customers, and beneficiaries Protect sensitive operational data from inappropriate disclosure Avoid third-party liability for illegal or malicious acts committed with the organization's computer or network resources • Ensure that organizational computer, network, and...‎

Aparece en 6 libros desde 1998-2001

Información bibliográfica

Título	Information Security Management: Learning from Leading Organizations
Editor	Jack L. Brock, Jr.
Colaborador	Gene L. Dodaro
Edición	ilustrada
Editor	DIANE Publishing, 2000
ISBN	0788189980, 9780788189982
Largo	68 páginas

Exportar cita	BiBTeX EndNote RefMan

Acerca de Google Libros - Política de Privacidad - Condiciones de uso - Información para editores - Informar un problema - Ayuda - Página principal de Google