...Strategic planning, Tactical planning, and Operational planning. 3. A stakeholder is a person or group with a vested interest in the outcome of planning. It is important to consider stakeholders' views and opinions, because many decisions affect their stake in the company. 4. A values statement is a formal set of organizational principles. A vision statement is an expression of what an organization wishes to become. A mission statement is an organization's identity card. 5. Strategy is a plan of action or policy designed to achieve an overall goal. 6. InfoSec governance is the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization's immediate and future regulatory, legal, risk, environmental and operational requirements. 7. Inculcating a culture that recognizes the criticality of information and InfoSec to the organization. Verifying that management's investment in InfoSec is properly aligned with organizational strategies and the organization's risk environment. Demanding reports from the various layers of management on the InfoSec program's effectiveness and adequacy. 8. Strategic alignment, risk management, resource management, performance measurement, and value delivery. 9. Top-down strategic planning is initiated and supported by upper management, which shapes organizational culture, provides resources, gives direction, and issues policies, procedures, processes,...
Words: 543 - Pages: 3
...So You Want To Get Into INFOSEC Huh? I got a request through a friend for a friend of that friend's kid to talk to him about how to get into INFOSEC the other day. Now usually I am a curmudgeon (as you all know and love) and am loathe to be some sort of big brother of INFOSEC to anyone, but in this case I said ok because I am just that nice. After some email wrangling we finally got together today (scant minutes ago actually) and now I feel an obligatory blog post on the subject of getting into the business coming on … And there it is … Feel the burn… So after agreeing to a time to meet I began to wonder just what I would say to this kid as to how to get into the business. For that matter I really wondered if I should encourage him at all to get into INFOSEC in the first place. My mind started to ponder why I was in it still and just how, if at all, it was rewarding given all that I have seen and still deal with on a daily basis. Oftentimes my daily job sends me into apoplectic fits that you all see in my blog posts and on twitter screeds of 140 characters at a clip, so I imagine all of you out there might not think that I enjoy my work on average. On the whole though I would say that I do enjoy my work, but I would caution anyone looking to get into this business to take a deep look at their abilities and their coping mechanisms before they take the plunge. My conversation with this guy (in his 30s) covered a range of things but I mainly focused on just how technical he was, if at all...
Words: 1490 - Pages: 6
...Gelbstein, E. (2013). Information security for non-technical managers. Retrieved October 18, 2016 from http://my.uopeople.edu/pluginfile.php/120503/mod_page/content/23/InformationSecurityForNonTechnicalManagers.pdf 2. Computer Security (n.d.). In Wikipedia. Retrieved October 18, 2016 from https://en.wikipedia.org/wiki/Computer_security 3. Rouse, M. (n.d.). Definition: Information Security (infosec). Retrieved October 18, 2016 from http://searchsecurity.techtarget.com/definition/information-security-infosec 4. Kaspersky Lab (n.d.). System Vulnerability and Exploits. Retrieved October 18, 2016 from https://usa.kaspersky.com/internet-security-center/threats/malware-system-vulnerability 5. WhatIs.com (n.d.). Confidentiality, integrity, and availability (CIA triad). Retrieved October 18, 2016 from http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA 6. Siluk, S. (2016, October 12). Vulnerability Enables IoT Devices To Be Used for Massive Cyberattacks. Retrieved October 18, 2016 from...
Words: 948 - Pages: 4
...DEVELOPMENT SECURITY: WHAT'S NEW? AN OVERVIEW
DOMAIN 3: BUSINESS CONTINUITY & DISASTER RECOVERY: WHAT'S NEW? AN OVERVIEW
DOMAIN 4: CRYPTOGRAPHY: WHAT'S NEW? AN OVERVIEW
DOMAIN 5: INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT: WHAT'S NEW? AN OVERVIEW
DOMAIN 6: LEGAL, REGULATIONS, INVESTIGATIONS, AND COMPLIANCE: WHAT'S NEW? AN OVERVIEW
DOMAIN 7: SECURITY OPERATIONS: WHAT'S NEW? AN OVERVIEW
DOMAIN 8: PHYSICAL & ENVIRONMENTAL SECURITY: WHAT'S NEW? AN OVERVIEW
DOMAIN 9: SECURITY ARCHITECTURE & DESIGN: WHAT'S NEW? AN OVERVIEW
DOMAIN 10: TELECOMMUNICATIONS & NETWORK SECURITY: WHAT'S NEW? AN OVERVIEW
INFOSEC INSTITUTE'S CISSP BOOT CAMP: COURSE OVERVIEW, COURSE SCHEDULE
INTRODUCTION (ISC)²'s CISSP Exam covers ten domains, which are: Access Control; Application Development Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security Governance and Risk Management; Legal Regulations, Investigations, and Compliance; Operations Security; Physical and Environmental Security; Security Architecture and Design; Telecommunications and Network Security. Over the course of this eBook, we'll take a look at each one of the domains; give you some insight into what (ISC)² is looking for in that area; give you some supplemental reading material; and by the time...
Words: 11687 - Pages: 47
...Cyber Security in Business Organizations Robin P. McCollin CIS 500 Information Systems – Decision Making Constance Blanson Fall 2014 The terms information security, computer security, and cyber security are sometimes used interchangeably. To better understand the similarities and differences between the terms, one must first understand what exactly is being secured. For example, information security is generally regarded as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Computer security consists of measures and controls that ensure confidentiality, integrity, and availability of information system assets, including hardware, software, firmware, and information being processed, stored, and communicated. Cyber security focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction. Although each of the terms above is specific in its security objectives, all three share a central theme: the protection of valuable information, that is, data. Regardless of how the data is stored, why it is stored, where it is stored, or for how long it is stored, the protection of data is paramount and a major concern for governments, militaries, corporations, and financial institutions. As such, executives and industry professionals are consistently faced...
Words: 1513 - Pages: 7
...MIS 671 CASE STUDY 2 AN INFORMATION SYSTEM SECURITY BREACH AT FIRST FREEDOM CREDIT UNION Introduction The case is about an information system security breach at First Freedom Credit Union, a financial institution in the Southern part of the United States. First Freedom Credit Union (FFCU) has seven branches located throughout the metropolitan area. One branch is located at the FFCU headquarters. Most employees at the FFCU have at least 5 years of service. The credit card information of 200,000 members has been stolen. This is highly sensitive information and it puts the members at critical risk. The security breach might cause financial loss and other disruption. Frank Sanders, the CEO of FFCU, called a conference with all the executives of the FFCU. The purpose of the conference was to discuss a security breach that affected members' credit card numbers and personal information. Frank was uncertain whether the breach had affected all members' information or only a portion. However, Frank was aware that fraudulent activity had already taken place on some accounts. Because of the fraudulent activity that had transpired, Frank had canceled all current credit cards and was sending out replacement cards. Jaime O'Dell, the chief information officer (CIO), was appalled because nothing like this had ever happened during his tenure with the company. Jaime felt the firewall being used was top of the line, virus protection was updated daily, and an intrusion detection...
Words: 2842 - Pages: 12
...its initial definition of the problem that could be solved through automation. Also during this early phase, the organization starts to define the security requirements for the planned system. Management approval of decisions reached is important at this stage. During this initiation phase, the organization establishes the security categorization and conducts a preliminary risk assessment for the planned information system. Categorization of the information system using federal standards and guidelines aids system security planners in defining information system security according to levels of impact, and in selecting a baseline of initial security controls for those impact levels. Security categories are then used in conjunction with vulnerability and threat information in assessing risk to an organization. Risk assessment should be performed to develop a...
Words: 1328 - Pages: 6
...Wireless Vulnerabilities DUE DATE: 01/10/2016 ISSC 680 BY: TAMMY BATTLE PROFESSOR: Dr. Louay Karadsheh Introduction What is a vulnerability? Vulnerabilities are weaknesses in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to a system. The objective of the preliminary vulnerability assessment is to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by a potential threat. For new systems, the search for vulnerabilities should focus on security policies, planned procedures, system requirements definitions, and security product analysis. For operational systems, analyze the technical and procedural security features and controls used to protect the system. Vulnerability analysis covers the following five security control areas (FAA): * Technical – the computer hardware and software, modes of communication, and the system architecture. * Operational – the procedures that people perform with respect to an information system. * Administrative – weak countermeasures in the administrative procedures that affect the information systems. * Physical – weak countermeasures in the physical layout of, and access to, facilities and enclosures where automated information systems are housed. * Personnel – weak countermeasures in the policy, process, and procedures used for security screening...
Words: 2588 - Pages: 11
...outside, viruses, malware, and hacking were unheard of; however, with the introduction of the Internet things have now changed. The term cyber security is getting more and more mixed usage lately, so much so that it is almost as ambiguous as the term "cloud". Cyber security, also referred to as information technology security, is the practice of protecting computers, networks, programs, and data from unintended or unauthorized access, change, or destruction. Cyber security also encompasses ten different security domains. The following domains provide a foundation for security practices and principles: • Access Control - to maintain information confidentiality, integrity, and availability, it is important to control access to information. Access controls prevent unauthorized users from retrieving, using, or altering information. They are determined by an organization's risks, threats, and vulnerabilities. • Telecommunications and Network Security - Telecommunications and Network Security is one of the most technical of the domains, because it addresses the various structures for a network, methods of communication, formats for transporting data, and measures taken to secure the network and its transmissions. • Information Security...
Words: 1611 - Pages: 7
...Management of Information Security, Third Edition. Michael Whitman, Ph.D., CISM, CISSP; Herbert Mattord, M.B.A., CISM, CISSP; Kennesaw State University. Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States. Management of Information Security, Third Edition, Michael E. Whitman and Herbert J. Mattord. Vice President, Career and Professional Editorial: Dave Garza. Executive Editor: Stephen Helba. Managing Editor: Marah Bellegarde. Product Manager: Natalie Pashoukos. Developmental Editor: Lynne Raughley. Editorial Assistant: Meghan Orvis. Vice President, Career and Professional Marketing: Jennifer McAvey. Marketing Director: Deborah S. Yarnell. Senior Marketing Manager: Erin Coffin. Marketing Coordinator: Shanna Gibbs. Production Director: Carolyn Miller. Production Manager: Andrew Crouth. Senior Content Project Manager: Andrea Majot. Senior Art Director: Jack Pendleton. Cover illustration: Image copyright 2009. Used under license from Shutterstock.com. Production Technology Analyst: Tom Stover. © 2010 Course Technology, Cengage Learning. ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information...
Words: 229697 - Pages: 919
...SANS Institute InfoSec Reading Room. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Copyright SANS Institute; author retains full rights. Case Study: Critical Controls that Could Have Prevented Target Breach. GIAC (GSEC) Gold Certification. Author: Teri Radichel, teri@radicalsoftware.com. Advisor: Stephen Northcutt. Accepted: August 5th 2014. Abstract: In December 2013 over 40 million credit cards were stolen from nearly 2000 Target stores by accessing data on point of sale (POS) systems. This paper will explore known issues in the Target breach and consider some of the Critical Controls that could have been used to both prevent this breach and mitigate losses. From what is known about the Target breach, there were multiple factors that led to data loss: vendors were subject to phishing attacks, network segregation was lacking, point of sale systems were vulnerable to memory scraping malware, and the detection strategies employed by Target failed. A possible...
Words: 8983 - Pages: 36
...SSCP Study Notes 1. Access Controls 2. Administration 3. Audit and Monitoring 4. Risk, Response, and Recovery 5. Cryptography 6. Data Communications 7. Malicious Code. Modified version of original study guide by Vijayanand Banahatti (SSCP). Table of Contents: 1.0 Access Controls; 2.0 Administration; 3.0 Audit and Monitoring; 4.0 Risk, Response, and Recovery; 5.0 Cryptography; 6.0 Data Communications; 7.0 Malicious Code; References. 1.0 ACCESS CONTROLS Access control objects: Any objects that need controlled access can be considered access control objects. Access control subjects: Any users, programs, and processes that request permission to objects are access control subjects. It is these access control subjects that must be identified, authenticated and authorized. Access control systems: The interface between access control objects and access control subjects. 1.1 Identification, Authentication, Authorization, Accounting 1.1.1 Identification and Authentication Techniques Identification works with authentication, and is defined as a process through which the identity of a subject is ascertained. Identification takes place by using some form of authentication. Authentication Types Example Something you know...
Words: 17808 - Pages: 72
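The notes above describe an access control system as the interface that mediates between subjects and objects, and say every subject must be identified, authenticated and authorized (with accounting rounding out the 1.1 heading). The following is an added example, not from the study guide, of a minimal system built on that model: a subject presents an identity and a "something you know" secret, the system verifies it against a salted hash with a constant-time compare, consults an access control list that denies by default, and records every decision in an audit trail. The user names, passwords, object names and permissions are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

_PBKDF2_ROUNDS = 100_000


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so a stolen credential store does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


class AccessControlSystem:
    """Mediates every request a subject makes for an object:
    identification, authentication, authorization, accounting."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}   # subject -> (salt, hash)
        self._acl: Dict[str, Dict[str, Set[str]]] = {}     # object -> subject -> perms
        self.audit: List[str] = []                          # accounting trail

    # --- administration of subjects and objects ---
    def add_subject(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, _hash_pw(password, salt))

    def grant(self, obj: str, user: str, perms: Set[str]) -> None:
        self._acl.setdefault(obj, {}).setdefault(user, set()).update(perms)

    # --- identification + authentication ---
    def authenticate(self, user: str, password: str) -> bool:
        rec = self._creds.get(user)
        if rec is None:
            _hash_pw(password, b"\x00" * 16)   # burn the same time for unknown names
            self.audit.append(f"AUTH FAIL unknown subject {user}")
            return False
        salt, expected = rec
        ok = hmac.compare_digest(_hash_pw(password, salt), expected)
        self.audit.append(f"AUTH {'OK' if ok else 'FAIL'} {user}")
        return ok

    # --- authorization + accounting ---
    def request(self, user: str, password: str, obj: str, perm: str) -> bool:
        if not self.authenticate(user, password):
            return False
        allowed = perm in self._acl.get(obj, {}).get(user, set())   # default deny
        self.audit.append(f"ACCESS {'ALLOW' if allowed else 'DENY'} {user} {perm} {obj}")
        return allowed


def build_demo() -> AccessControlSystem:
    """Constructed subjects, object and ACL for the example."""
    acs = AccessControlSystem()
    acs.add_subject("alice", "correct horse battery staple")
    acs.add_subject("bob", "hunter2")
    acs.grant("/payroll", "alice", {"read", "write"})
    acs.grant("/payroll", "bob", {"read"})
    return acs


if __name__ == "__main__":
    acs = build_demo()
    print(acs.request("alice", "correct horse battery staple", "/payroll", "write"))  # allowed
    print(acs.request("bob", "hunter2", "/payroll", "write"))                          # denied by ACL
    print(acs.request("bob", "wrong", "/payroll", "read"))                             # denied: bad password
    print(acs.request("mallory", "x", "/payroll", "read"))                             # denied: unknown subject
    print("\n".join(acs.audit))
```

The audit list is the accounting part of the model: every authentication attempt and every access decision is recorded, including the denials, which is what an audit-and-monitoring function later reviews.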
...Security in the Smart Grid Introduction Present and future battlefronts of electronic terrorism include the state of readiness and resilience of the computer equipment protecting America's energy distribution networks and industrial control systems. According to a Pike Research report [1] published March 1st of this year, it is projected that investments in smart grid cyber security will total $14 billion through 2018. First, what is a power grid? A power grid consists of several networks that carry electricity from the power plants where it is generated to consumers, and includes wires, substations, transformers, switches, software, and other hardware. The grid in the past used a centralized one-way communication distribution concept that consisted of limited automation and limited situational awareness, and did not provide the capability for consumers to manage their energy use. "Smart Grid" generally refers to a class of technology designed to upgrade the current utility grid infrastructure to improve efficiency on the power network and in energy users' homes and businesses. Much of the legacy power plant infrastructure is now over 30 years old, with electrical transmission and distribution system components (e.g. power transformers) averaging over 40 years old and 70% of transmission lines being 25 years or older [2]. In December 2007, Title XIII of the Energy Independence and Security Act of 2007 became an official...
Words: 3081 - Pages: 13
...Cyber Security Student: Maurice Jones Class ISSC461: IT Security: Countermeasures Instructor: Professor Christopher Weppler Date: 2 August 2013 Introduction "In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home (President Barack Obama, 2012)." Technology has changed the total lifestyle of people around the world. Here in the United States, society's daily lives revolve around social interaction, economic stability, job security and information dominance. Information Dominance is "the degree of information superiority that allows the possessor to use information systems and capabilities to achieve an operational advantage in a conflict or to control the situation in operations other than war while denying those capabilities to the adversary (US Cyber Command, 2012)." Corporations as well as many of the world's governments have risen and fallen due to their degree of Information Dominance and Information Security. Cyber-attacks have increased exponentially within the last 10 years. Battlefield lines that were once drawn in the sand no longer exist. Cyber-attacks can occur from any location in the world and at any time. A cyber-terrorist has the ability to use current communication infrastructure to launch an attack that could cripple a nation. In 2012, Defense Secretary Leon Panetta spoke at the Business Executives for National Security (BENS) summit....
Words: 3217 - Pages: 13
..."War is no longer a lively adventure or expedition into romance,matching man to man in a test of the stout-hearted. Instead, it is aimed against the cities mankind has built. Its goal is their total destruction and devastation." - General Dwight D. Eisenhower, Edinburgh, Scotland, October 3, 1946 Discuss the key concepts and ideas of cyberwarfare INTRODUCTION Significant of Paper Methodology of Paper Cyberwar is warfare, hostile influence which is fought in cyberspace. Cyberwar is netwar by the military. It includes hackers, listeners of communications systems, van Elckradiation115 listeners and so on. Cyberwar consists of information terrorism, semantic attack, simulation warfare and Gibson warfare. Typically Cyberwar is warfare, or hostile influence between attack- and defence programs in computers, computer networks and communication systems. For many, the term cyber war conjures up images of deadly, malicious programmes causing computer systems to freeze, weapon systems to fail, thwarting vaunted technological prowess for a bloodless conquest. This picture, in which cyber war is isolated from broader conflict, operates in an altogether different realm from traditional warfare and offers a bloodless alternative to the dangers and costs of modern warfare, is attractive but unrealistic. Such a scenario is not beyond the realm of possibility, but it is unlikely. Cyber warfare will almost certainly have very real physical consequences. Computer technology differs from other...
Words: 5055 - Pages: 21