Sunday, April 24, 2016

Week 6

Information Security Policy

An Information Security Policy (ISP) is designed to safeguard the confidentiality, integrity, and availability of all physical and electronic assets of the organization, so that regulatory, operational, and contractual requirements are fulfilled. The ISP should outline the overall goals of the organization, such as: compliance with laws, regulations, and guidelines; meeting the confidentiality, integrity, and availability requirements of the organization's employees and other users; establishing the controls necessary to protect information and information systems against theft, abuse, and other forms of harm and loss; and motivating employees to take responsibility for, and ownership of, their knowledge of information security, in order to reduce the risk of security incidents. (Whitman and Mattord)
The ISP should address the current business strategy and the framework for risk management, and should provide guidelines for identifying, assessing, evaluating, and controlling information-related risks through establishing and maintaining the ISP. To keep the organization's operations secure even after an incident, it should also ensure the availability of continuity plans, backup procedures, defenses against damaging code and malicious activity, system and information access controls, and incident management and reporting.

One example of an ISP approach is the Bull's-eye model. This is a proven mechanism for prioritizing complex changes, and it is widely accepted among InfoSec practitioners. The model focuses on systematic solutions in which issues are addressed by moving from the general to the specific. (Whitman and Mattord)
Policy should directly address how issues are to be handled and how technologies are to be used, rather than specifying the proper operation of particular equipment or software. The ISP should also outline the consequences of unacceptable behavior.

References:

Whitman, Michael E., and Herbert J. Mattord. Management of Information Security, Fourth Edition. Cengage Learning.

Sunday, April 17, 2016

Week 5

Contingency Planning... Do you have a good Plan "B"?

Most businesses like to have events take place routinely, without too many changes, variations, or problems, but does that happen in real practice? Events don't always go as planned. Each incident and its outcome differ according to the set of circumstances, which varies every time. A contingency plan is designed to help an organization respond effectively to a significant future event or situation that may or may not happen.

So the concept of risk management emerged as part of contingency planning, adding a dynamic dimension to events and circumstances. Risk management helps to reduce uncertainty, preserve assets, and identify risks in order to achieve the organization's mission. But organizations often omit one important factor from their plan: "What if?" These two critical words are the essence of risk management and provide a different perspective on Plan A. What if your Plan A does not work as planned? So it is important to understand that risk management practice provides the foundation for Plan A, and your contingency plan provides the platform for "Plan B".

Through practice, risk management practitioners realized that different risk situations require different levels of response and different approaches to dealing with the situation. As a result, organizations developed emergency plans, crisis management plans, and disaster plans.

An emergency plan deals with contingencies that may or may not occur, so the policies and procedures to reduce, prevent, and control risk need to be stated as Plan A. The emergency plan, or Plan B, then comes into play to respond to situations in which Plan A does not go as planned.


A crisis occurs when the threat is not eliminated by the emergency plan and some impact occurs. Whereas risk management and contingency plans focus on controlling and managing risk pre-loss, crisis management engages in controlling and managing risk post-loss. So a crisis management plan helps the organization plan for the aftermath of an event and is an effective tool for answering the question: what do you do now?


References:

Whitman, Michael E., and Herbert J. Mattord. Management of Information Security, Fourth Edition. Cengage Learning.

Schirick, Ed (2003). "Risk Management: Contingency Planning - The Art of Developing Plan B". Camping Magazine, January/February 2003. Retrieved from: http://www.acacamps.org/content/risk-management-contingency-planning-art-developing-plan-b

Andrushko, Veer Galyna. "Contingency Planning - Developing a Good Plan B". MindTools.com. Retrieved from: https://www.mindtools.com/pages/article/newLDR_51.htm

Sunday, April 10, 2016

Week 4

Guidelines on Security and Privacy in Public Cloud Computing

NIST SP 800-144 provides an overview of the security and privacy challenges facing public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment. The document provides insight into the threats, technology risks, and safeguards associated with public cloud environments, to help organizations make informed decisions about the use of this technology.
A cloud arrangement involves two parties: the service provider and the subscriber. Each party comes with its own expectations, so it is important to understand where each is coming from, what their goals are, and, in case the relationship doesn't work out, what the business's exit strategy is. NIST SP 800-144 was written to help organizations set out some of the expectations that must be agreed between the client and the cloud provider.
Here are a few of the recommended guidelines from NIST SP 800-144 for successfully implementing cloud solutions, addressing the security and privacy challenges, threats, and risks of cloud computing:
Carefully plan the security and privacy aspects of cloud computing solutions before engaging them:

Organizations need to set clear security objectives when planning to outsource, and need to plan security based on the sensitivity of the data. Establish a clear understanding of the provider's intentions: Are they compliant with all relevant organizational policies, and is privacy maintained? How do they handle your customers' data? Are they serious about the relationship? Have you taken a risk-based approach in analyzing the available security and privacy options and in deciding whether to place organizational functions into a cloud environment?
References:

Jansen, Wayne, and Timothy Grance (December 2011). "Guidelines on Security and Privacy in Public Cloud Computing". NIST Special Publication 800-144. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

Banks, Erin K. (February 2012). "NIST SP800-144 Guidelines on Security and Privacy in Public Cloud Computing - A Relationship Manual". EMC.com. Retrieved from: http://publicsectorblog.emc.com/erin_banks/nist-sp800-144-guidelines-on-security-and-privacy-in-public-cloud-computing-a-relationship-manual/

Sunday, April 3, 2016

Week 3

Risk management and project management go hand in hand.

Managing a project has never been easy when it comes to risk management. All team members, as well as leaders, need a clear understanding of the issues and of the goals of the organization, which in turn provide the guidelines. The risk management team may find itself constantly dealing with uncertainty and unexpected events throughout the project life cycle, which can have a positive ("opportunities") or a negative impact on the project's objectives.

Every organization usually has comprehensive guidelines and detailed procedures for risk management, which are set out during strategic planning. As for managing risk, the Project Management Institute has provided a comprehensive process for managing project risk:
- Plan risk management
- Identify risks
- Perform qualitative risk analysis
- Perform quantitative risk analysis
- Plan risk responses
- Monitor and control risks
I completely agree with the article and its considerations for risk management:
- Risk management affects the budget, schedule, scope, quality, communications, and stakeholder engagement of a project, as well as how successfully the project's output is implemented.
- Risks can be positive (they could create an opportunity) or negative (if an issue or attack occurs).
- Careful strategic planning for risks will therefore help the team avoid issues and prevent negative impacts, as well as maximize the positive impact of risk.
- Risk management should be prioritized from the initial stage of the project, constantly discussed and monitored, and should involve all team members throughout the project life cycle.
- Skill in risk management can influence stakeholders' appetite for risk.

References:

Hamilton, Gary, Gareth Byatt, and Jeff Hodgkinson (3 May 2011). "Risk management and project management go hand in hand". CIO.com. Retrieved from: http://www.cio.com.au/article/print/385084/risk_management_project_management_go_hand_hand/