Wednesday, January 1, 2020

Essay on security management practices - 1531 Words

Review Questions

1. What is benchmarking? Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing. Using this method, you follow the recommended or existing practices of a similar organization, or industry-developed standards.

2. What is the standard of due care? How does it relate to due diligence? Due care: organizations that adopt minimum levels of security to establish a future legal defense may need to prove that they have done what any prudent organization would do in similar circumstances. Due diligence encompasses a requirement that the implemented standards continue to provide the required level of protection. Failure to establish and maintain …

In information security, baseline measurements of security activities and events are used to evaluate the organization's future security performance. Used in this way, baselining can provide the foundation for internal benchmarking. Benchmarking can help to determine which controls should be considered, but it cannot determine how those controls should be implemented in your organization.

8. What are the NIST-recommended documents that support the process of baselining? Documents are available at http://csrc.nist.gov under the Special Publications link. SP 800-27 Revision A, Engineering Principles for Information Technology Security: A Baseline for Achieving Security. SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.

9. What is a performance measure in the context of information security management? Measures are data points or computed trends that may indicate the effectiveness of security countermeasures or controls, technical and managerial, as implemented in the organization.
Performance measurement is the process of designing, implementing, and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program within the organization.

10. What types of measures are used for
