Security Controls

Question 1

EISA/information security management programs

Answer 1

Enterprise information security architecture
- refers to a group of requirements, processes, principles, and models that regulate an organization’s structure and behavior in terms of system security, processes, and employees.

An information security management program is an organization-wide initiative to develop and maintain a secure environment.

• Attempts to form a structure that’ll allow the company to operate with as little risk as feasibly possible
• It’s not possible to have a company operate with 0% risk

Question 2

Enterprise Information Security Architecture Goals

Answer 2

1st) Real time monitoring of the organization’s network

• say if an attacker breaks into the system at 3:00am and steals some data and then the admin only just sees evidence of that theft in the logs at 8:30am (when they come into work), then by that point, it may be too late to react. This is where real time monitoring comes into play. The thing being, it’s not overly practical to have someone continually monitoring the network manually. It would be expensive, and the person assigned to the task would more than likely miss quite a lot. So instead, our big brained boys w/ their big swingin’ dicks came up w/ a method of automatization for monitoring a network in real time using red and yellow flags to indicate found threats which an admin will then be notified of and have the ability of investigating.
  THIS IS THE TRUE FACE OF EFFICIENCY, YOU MONGOLOIDIAN SIMPLETONS.

2nd) Detection and recovery from security breaches
- First thing: you’ll have to assume that at some point, the system WILL be breached. No matter the amount of time and resources put into the security of a system, it is always going to be somewhat unreasonable to expect that nothing has the capability, along with the motivation to break into that system. Now, knowing this, you will have to come up w/ certain plans of action in order to be able to properly respond to breaches more easily (“recovery from security breaches”).
3rd) Ensuring cost efficiency of security provisions

• Say you have a catalog of files pertaining to a certain set of data outlining the vast intricacies and nuances w/in the overarching themes pertaining to my tiny, mangled, flaccid penis, and another set of files containing the social security numbers of all of your employees. The security of one of these files would pretty obviously take priority over the other. Point being, you need to manage your resources in such a way in which that those things that do take priority are able to have higher security, sometimes at the risk of lower-priority items having less security as a result.
  Always take hacker-value into account when thinking about these sorta things.
  Also applies to things such as training employees - Chad from accounting should be briefed on certain processes that apply to his work, but he probably doesn’t need a $40,000 company-payed education to do his job well enough.

4th) Helping the IT departments to function properly
- One of the very best ways to help the IT departments to function more efficiently would be to create a compatible environment (an environment where they have consistent access to the sort of information they need to do their jobs) and a structure for which they could follow on a consistent basis (when x happens, react with protocol y). All the items represented in this list, when put into actual practice, will help the IT departments in one way or another.
5th) Helping in the process of risk assessment of IT assets
- Sort of relating back to what was said in “Ensuring cost efficiency of security provisions”; This comes down to estimating the value of specific information/data and deciding where that particular piece of information/data lies in terms of security priority.