Information security refers to protecting information (data) and information systems from unauthorized access, disclosure, use, modification, disruption, or destruction. Security Information management is a process of defining the security controls to protect the information assets.
The first action of a management program to implement information security is to have an effective security program. Though some argue the first approach would be to gain some real "proof of concept" "explainable through a display on the monitor screen" security knowledge. Maybe start with understanding where OS passwords are stored within the code inside a file within a directory. If you do not understand Operating Systems at the root directory level, maybe you should take advice from somebody who does before beginning to implement security program management and objectives.
Security Program Objectives
Protect the company and its assets.
Manage Risks by Identifying assets, discovering threats and estimating the risk
Provide direction for security activities by framing of information security policies, procedures, standards, guidelines and baselines
Security Organization and
Security Management Responsibilities
Determining objectives, scope, policies, are expected to be accomplished from a security program
Analyse business objectives, security risks, user productivity, and functionality requirements.
Define steps to make sure that all of these are accounted for and adequately addressed
Approaches to Build a Security Program
There are two main approaches to building a security program. They are as follows.
The initiation, support, and direction starts from the top management and works their way through middle management and finally to the staff members.
This is treated as the best method but is not generally used.
It ensures that the senior management who are ultimately responsible for protecting the company assets is in charge of driving the program.
The lower-end team invents a security control or a program without right management support and direction.
It is often considered to be less effective and doomed to fail for the same flaw as in the top-to-bottom approach.
Security Controls can be broadly classified into three categories
Administrative Controls that include
Developing and publishing policies, procedures, standards, and guidelines.
Screening of personnel.
Implementing change control procedures.
Conducting security-awareness training and
Technical or Logical Controls which include
Implementing and maintaining access control mechanisms.
Identification and authentication methods
Password and resource management.
Security devices and
Configuration of the infrastructure.
Physical Controls which include
Controlling individual access into the facility and various departments
Locking systems and removal of unnecessary floppy or CD-ROM drives
Monitoring for intrusion
Protecting the perimeter of the facility
The Different Elements Of Security:
Vulnerability: It is a software, hardware, or procedural weaknesses or loopholes that may give an attacker the open door they are looking for to enter a computer or network and gain unauthorized access to resources within the environment.
There are a lot of Cyber Security Consulting Firms that offer their services to manage an organization’s security.
Threat: Threat is any potential danger to the organization’s information or security.
Risk: It is the likelihood of a threat agent taking advantage of the identified vulnerability and the corresponding impact on the business.
Exposure: An exposure is a state of being exposed to losses from the threat agent. Vulnerability exposes an organization to attacks and other possible damages.
Countermeasure or Safeguard: It is an application or a software or hardware or a process that mitigates the risk. E.g., Strong password management, access control mechanisms within an operating system, a security guard, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.