[Jessica Jagerson]

Explain how information security management plays a key role in the success of a company.  Be sure to discuss at least 3 of the following:  challenges, key factors, goals, expectations, components, controls, the ownership chain, policy, maintenance, human resources, and the Triad. Use at least 3 terms from this chapter making sure to present the definition as well.  Use the text and video in this discussion response.

[Kelly Crooks]

Information Security management plays a key role in the success of a business because it is that security that keeps the company’s assets safe and secure. Information security must align with the mission, goals, and objectives of the business it is working with. Information security must also be business-enabled, meaning information security can not impede the business. Lastly, information security must have good process enhancement- information security facilitates good productivity by protecting against any and all risks.

Key factors of security management include policy, budget, resources, and authority. Good security management has in place the correct policies to make sure everyone is following the same policies and procedures and that everyone involved has the same goals and end plan in mind. A good security management team or firm makes sure that they understand what the budget is and make sure they follow that budget. If problems arise they need to make sure they inform the correct management team members about over-costs or under-costs on the budget. Making sure that all the available and current resources are available and in place to make sure the security management has what they need to secure the company assets. It is difficult to protect a company and ensure that the company is successful if you don’t have the right resources to perform the job. A good security management team makes sure that not only the correct authority is in place in their team but also in the company they are protecting. They need to make sure that the correct authority chain of command is followed and that all involved know their specific role.

There are several types of controls used in security management. One is administrative controls which include policies, procedures, and guidelines, employee management, testing and drilling, risk management and analysis, and awareness training. A second security management control used is technical or logical controls. These include firewalls, IDS/IPS, encryption, access control techniques, and various system protocols. The third control is physical control. These include things like doors, windows, walls, locks, security guards, fencing, and lighting.

The ownership chain consists of four categories. The first includes the senior management and the board of directors who are ultimately responsible for the information security program. The security manager is responsible for leading the security program and is trusted and familiar with the system. The security officer works under the security manager and is a certified professional who can design and implement the program. Physical security personnel are responsible for protecting buildings and managing access to the physical buildings.

The second category includes the information (data) owner who is responsible for the protection of the organization’s information. The system owner is responsible for specific computers on behalf of the business unit. The data custodian is required to implement and maintain controls to provide the protection level dictated by the data owner. The user is responsible for protecting the information to which they have been entrusted.

The third category includes local managers who are responsible for day-to-day security awareness and the auditors who are responsible for independent, objective, and systematic evaluation of protection.

[Marcena Davis]

I completely agree that identity management, authentication techniques, single sign-on, and access control monitoring are crucial components of ensuring data security. It’s amazing how much technology has advanced to enable these processes, from biometric markers to RFID.
In my own experience, I’ve seen the benefits of single sign-on firsthand. It’s so convenient to be able to move between tasks without having to continually enter your credentials. However, I can definitely understand the potential security risks involved. It’s essential to be diligent about logging out and taking precautions to protect your data.
I think the points you’ve made about the importance of identification, authentication, and access control are spot on. It’s essential for security information officers to stay up-to-date on the latest technologies and best practices to ensure that their organization’s data is safe and secure.

[Marcena Davis]

Information security management is crucial to a company’s success because it ensures the confidentiality, integrity, and accessibility of valuable information assets. This is especially crucial in the current digital age, where organizations face a variety of challenges in protecting their data from threats such as cybercrime, data breaches, and other forms of attack.

The ever-evolving nature of threats and attacks is a significant difficulty in information security management. As new technologies emerge and threats evolve, it can be difficult for businesses to stay ahead of the curve and implement effective security controls. This is where crucial factors such as risk assessment and vulnerability management come into play, aiding organizations in identifying potential threats and taking proactive measures to mitigate them.

Meeting the expectations of stakeholders, such as customers, investors, and regulators, is also an important objective of information security management. This may entail implementing policies and controls to ensure compliance with applicable laws and regulations, as well as maintaining a high level of security to inspire confidence and trust among stakeholders.

Information security management includes a variety of components and controls to protect against threats, such as firewalls, antivirus software, intrusion detection systems, and access controls. It also involves the ownership chain, which refers to the assignment of responsibility for various aspects of information security management across various organizational levels.

Policy is also an essential aspect of information security management, as it provides a framework for how organizations should approach security and outlines specific requirements and procedures for protecting valuable assets. Maintenance is also essential, as it entails updating and enhancing security measures on a regular basis to keep up with evolving threats and technologies.

Human resources are an essential component of information security management because they are responsible for implementing policies and controls, providing training and awareness initiatives, and ensuring that security best practices are adhered to throughout an organization.

The Triad of information security – confidentiality, integrity, and availability – is a fundamental concept that supports effective information security management. Companies can protect their valuable assets and maintain the trust and confidence of their stakeholders by adhering to these fundamental principles, which contributes to their long-term success.

[Kelly Crooks]

Marcena, great post. There are certain things I never really considered with IT, like the human resource side of the field. I guess when I think about IT and systems security officers I don’t necessarily consider the policies and procedures and who implements and designs them. I should have considered that since that is what my brother does now. He writes and implements security protocols, policies, and procedures for an underground lab. I agree with what you said about the Triad of information security is a fundamental concept. Making sure that a company’s data is protected is crucial and it is important to have the confidence of the stakeholders.

[Kevin Mehok]

Kelly,

Great post. I think we tend to not include the Stakeholders enough. Sure, they are involved at a high level, but do they know who implements or does the designing? Most likely not. This is critical in the three keys of protocols, policies, and procedures. Not Poor, prior, planning…. Or maybe it is, lol. The key is knowing what is being secured, how, the why, and the plan in doing so.

God Bless,

Kevin

[Author]

Posts