Learn about the 10 crucial aspects for effective information security management, including governance, risk analysis, best practices, policy enforcement, and user awareness. Top management involvement is key to safeguarding sensitive data. Ensuring compliance and creating a robust governance structure are vital for protecting IT assets.
The 10 Deadly Sins of Information Security Management
Basie von Solms & Rossouw von Solms, Computers & Security (23), 371-376, 2004
Presented by Bhavana Reshaboina
Introduction
• The authors discuss 10 essential aspects to be taken into account when planning or implementing an information security plan
Information Security Is A Corporate Governance Responsibility
• Laws and legal requirements emphasize the integration of information security with corporate governance
• Compromised informational assets can lead to financial and legal implications
• Top management has to be involved in ensuring the protection of sensitive information
Information Protection Is Not A Technical Issue Alone
• Securing informational assets is a business issue as much as it is a technical one
• Information protection is an investment
• Investment decisions are business decisions
Information Security Governance Is A Multi-dimensional Discipline
• Various dimensions collectively contribute towards a secure environment
• Some examples: legal, personnel, technical, ethical, organizational, etc.
• Relying on a single dimension, product or tool results in lopsided solutions
• All the important dimensions must be taken into account
Information Security Plan Must Be Based On Identified Risks
• Know what assets need protection
• Know what the potential threats are
• If security planning is not based on risk analysis, time and money are spent on unclear objectives
Adopting Best Practices For Information Security Governance
• Learn from the success and failure experiences of others
• The ‘bread & butter’ aspects of information security are the same in most IT environments
• The challenge is to ‘Do the right thing at the right time’
• Use of documented ‘Standards and Guidelines’ should be the starting point
A Corporate Information Security Policy Is Absolutely Essential
• The security policy is the heart of any security management plan
• It is the starting point and reference on which all other security-related sub-policies or standards are based
• It must be signed by the top executives of the company
Information Security Compliance Enforcement And Management Are Essential
• A perfect security policy is of no use if it is not enforced
• Continuous monitoring is needed to ensure proper compliance
• ‘That which can be measured can be managed’
• Technical and non-technical tools must be used to monitor compliance with the policy in real time
Proper Information Security Governance Structure Is Essential
• Governance structure refers to organizational structure, job responsibilities, communication flow, etc.
• Structured chaos is good
• It brings clarity and accountability to the security management plan
Information Security Awareness Among Users Is Important
• Users unaware of the security policies and of the potential risks arising from their activities render the best security planning ineffective
• Users should not be made the weakest link
• Money spent on user awareness is some of the best money spent on information security
Empower Managers To Support Information Security
• The information security manager cannot run a one-man show
• The necessary infrastructure, tools and supporting mechanisms need to be provided
Conclusions
• Creating and implementing a proper information security program is based on an understanding of the essential issues unique to IT security
• Any plan that addresses these core issues would serve to protect the IT assets suitably
Thank You!
• Questions and comments are welcome