Enterprise Security Management
Process of controlling config, deployment and monitoring of security policy
Security Governance
Ensure compliance with its policies, processes, standards and guidelines
Goal/Focus of Security Governance
Goal: Meet business requirements
Focus: Ensure all are following rules
Security Management vs Security Governance
Sec man is about decisions to mitigate risks but governance determines who can make decisions
Before ESM deployment can begin:
(3 things)
- Identify critical resources
- Perform risk assessment
- Develop security policy
Policy
A doc that states how the org is to perform and conduct business functions and transactions with a desired outcome
Security Policy should cover …
every threat to the system, people and information
Security policy guides..
the day-to-day security operations, processes and procedures in orgs.
Security policy discusses the types of control but not…
how to build a control
Examples of security policy topics
- Network access
- Password
- Policy enforcement
- Support
policy vs standards
Policy implement controls on a system to make it compliant
Standards influence the creation of policies
Procedures
The how to of a task
including responding to an incident
Developing a security policy
(7 steps)
DOADDDE
- Define problem
- Obtain stakeholder support
- analyse problem
- define policy content
- define evaluation criteria, monitoring, review and update procedures
- develop implementation plan
- evaluate policy impact
3 business drivers for security policies
- Cost
- Customer satisfaction
- Compliance
Why do we need a security policy?
To ensure the consistent protection of info flowing through the entire system.
Dangers of not having security policies
- Lack of regulatory compliance
- Higher cost
- Customer dissatisfaction
Should you write a policy to manage tech that is not yet in your org?
No need
You have a process that all your employees know, it is undocumented.
The key employee is leaving next month, what myust you do?
Document the process
Enforcing and winning acceptance of policies is challenging because:
- All levels of org must support
- Employees must be motivated
- Employees must understand the policies
CISO
Chief Information Security Officer
CISO is responsible for
org’s entire security
coordinating security/compliance
communication/contact
3rd party compliance
audits
-
Week 1 - Intro23
-
Lecture 2 - Network Security29
-
2 - IDS9
-
2 - Firewall/DMZ21
-
3 - VPN11
-
3 - Secure data management28
-
4 - Security Measure6
-
4 - Secure Software Design18
-
5 - Human Aspects in Cyber Security13
-
6 - Ethical Hacking30
-
7 - emerging tech8
-
7 - Cloud Computing Security Challenges19
-
10 - Risk Management29
-
10 - Incident Management23
-
11 - Enterprise21
