Lesson 3

Principles of Information Security,
Fifth Edition
Chapter 4
Planning for Security
Lesson 3 – Design of
Security Architecture

Learning Objectives
• Upon completion of this material, you should be
able to:
– Describe management’s role in the development,
maintenance, and enforcement of information
security policy, standards, practices, procedures,
and guidelines
– Explain what an information security blueprint is,
identify its major components, and explain how it
supports the information security program
Principles of Information Security, Fifth Edition 2

Learning Objectives (cont’d)
– Discuss how an organization institutionalizes its
policies, standards, and practices using education,
training, and awareness programs
– Describe what contingency planning is and how it
relates to incident response planning, disaster
recovery planning, and business continuity plans

Design of Security Architecture
• Spheres of security: foundation of the security
framework
• Levels of controls:
– Management controls set the direction and scope of
the security processes and provide detailed
instructions for its conduct.
– Operational controls address personnel and physical
security, and the protection of production
inputs/outputs.
– Technical controls are the tactical and technical
implementations related to designing and integrating
security in the organization.

Design of Security Architecture
(cont’d)
• Defense in depth
– Implementation of security in layers
– Requires that organization establish multiple layers
of security controls and safeguards
• Security perimeter
– Border of security protecting internal systems from
outside threats
– Does not protect against internal attacks from
employee threats or onsite physical threats

Security Education, Training, and
Awareness Program
• Once general security policy exists, implement
security education, training, and awareness (SETA)
program
• SETA is a control measure designed to reduce
accidental security breaches.
• The SETA program consists of security education,
security training, and security awareness.
• Enhances security by improving awareness,
developing skills, and knowledge, and building in-
depth knowledge

Security Education
• Everyone in an organization needs to be trained
and aware of information security; not every
member needs a formal degree or certificate in
information security.
• When formal education is deemed appropriate, an
employee can investigate courses in continuing
education from local institutions of higher learning.
• A number of universities have formal coursework in
information security.

Security Training
• Provides members of the organization with detailed
information and hands-on instruction to prepare
them to perform their duties securely
• Management of information security can develop
customized in-house training or outsource the
training program.
• Alternatives to formal training include conferences
and programs offered through professional
organizations.

Security Awareness
• One of the least frequently implemented but most
beneficial programs is the security awareness
program.
• Designed to keep information security at the
forefront of users’ minds
• Need not be complicated or expensive
• If the program is not actively implemented,
employees may begin to neglect security matters,
and risk of employee accidents and failures are
likely to increase.

Continuity Strategies
• Incident response plans (IRPs); disaster recovery plans
(DRPs); business continuity plans (BCPs)
• Primary functions of above plans:
– IRP focuses on immediate response; if attack escalates
or is disastrous, process changes to disaster recovery
and BCP.
– DRP typically focuses on restoring systems after
disasters occur; as such, it is closely associated with
BCP.
– BCP occurs concurrently with DRP when damage is
major or ongoing, requiring more than simple restoration
of information and information resources.

Continuity Strategies (cont’d)
• Before planning can actually begin, a team has to
start the process.
• Champion: high-level manager to support,
promote, and endorse findings of the project
• Project manager: leads project and ensures sound
project planning process is used, a complete and
useful project plan is developed, and project
resources are prudently managed
• Team members: should be managers, or their
representatives, from various communities of
interest: business, IT, and information security

Contingency Planning (CP) Process
• Includes the following steps:
– Develop CP policy statement
– Conduct business impact analysis
– Identify preventive controls
– Create contingency strategies
– Develop contingency plan
– Ensure plan testing, training, and exercises
– Ensure plan maintenance

CP Policy
• Should contain the following sections:
– Introductory statement of philosophical perspective
– Statement of scope/purpose
– Call for periodic risk assessment/BIA
– Specification of CP’s major components
– Call for/guidance in the selection of recovery options
– Requirement to test the various plans regularly
– Identification of key regulations and standards
– Identification of key people responsible for CP operations
– Challenge to the organization members for support
– Administrative information

Business Impact Analysis (BIA)
• Investigation and assessment of various adverse
events that can affect organization
• Assumes security controls have been bypassed, have
failed, or have proven ineffective, and attack has
succeeded
• Organization should consider scope, plan, balance,
knowledge of objectives, and follow-ups
• Three stages:
– Determine mission/business processes and recovery criticality
– Identify recovery priorities for system resources
– Identify resource requirements

Lesson 3

More Related Content

What's hot (20)

Similar to Lesson 3 (20)

More from MLG College of Learning, Inc (20)

Recently uploaded (20)

Lesson 3