Unit 3:

TOPIC 1: SECURITY MANAGEMENT PRACTICES


Security Management System
An Information Security Management System (ISMS) is a systematic approach to managing sensitive
company information so that it remains secure. Security management is a very broad area that
generally includes everything from the supervision of security guards at malls and museums to the
installation of high-tech security management systems designed to protect an organization's data.

Features of a Security Management System:

• Security management relates to the physical safety of buildings, people and products.
• Security management identifies the organization's assets.
• A security management system gives an enterprise procedures such as information
classification, risk assessment, and risk analysis to identify threats, categorize assets, and
rate their vulnerabilities.

Information security performs four important roles:

• Protects the organization's ability to function.
• Enables the safe operation of applications implemented on the organization's IT systems.
• Protects the data the organization collects and uses.
• Safeguards the technology the organization uses.

What are security management practices?

• They define the management practices of data classification and risk management.
• They also address confidentiality, integrity, and availability by identifying threats,
classifying the organization's assets, and rating their vulnerabilities so that effective
security controls can be implemented.

TOPIC 2: INFORMATION CLASSIFICATION PROCESS

Information classification is a process in which organizations assess the data that they hold
and the level of protection it should be given. Organizations usually classify information in
terms of confidentiality, i.e. who is granted access to see it. A typical system will include
four levels of confidentiality:
• Confidential (only senior management have access)
• Restricted (most employees have access)
• Internal (all employees have access)
• Public information (everyone has access)

• Confidential information is any information that is kept confidential by all parties
involved in or affected by that information.
• Sometimes the terms confidential information and classified information are used in the
same context; however, classified information is actually used more often by governmental
institutions as a legal term.
• Classified information is sensitive information to which access is restricted either by law
or regulation.
• When any party possesses classified information, a formal security clearance is required to
handle such information.
• Restricted information represents all the information that is available to most of the
employees, but not to all of them.
• Internal information is information that all employees have access to.
• Public information is information that everyone in the organization and outside has access to.
Why does information classification really matter?
There are four main reasons why information classification is important:
• Efficiency
• Security
• Culture of safety
• Compliance

• Efficiency
Organizations that have their information classified are able to deliver and execute daily
operations more efficiently. Based on their classification, the data can be easily found, and
changes can be easily traced.
• Security
  • Security is the main idea behind information classification.
  • Knowing what kind of data you are storing makes it easier to ensure that sensitive data is
well protected.
  • All organizations these days are driven by data, and their data is valuable whether they
know it or not, because it is a very important part of their operations, and often of their
very existence.
  • Hence encrypting data, storing it on safe servers behind strong firewalls, and complying
with data protection standards can be a great help in preventing outside threats.
• Culture of safety
The implementation of information classification helps to build a culture of security awareness
across the organization.
  • It puts the responsibility of protecting information on everyone who handles it, and it
ensures that all employees understand the value of the information they work with on a daily
basis and know how to treat it.
  • Employees should access documents on a need-to-know basis.
  • The classification system can map out employees' access privileges based on the
sensitivity level of a document's data, making access easier to trace and preventing wrong
usage or manipulation of the information.
• Compliance (adhering to the rules)
Finally, because information classification helps organizations identify information as
sensitive, and so protect it, it also helps organizations comply with regulations such as the
GDPR and with audits, and it makes it easier to implement standards that require organizations
to classify their information.
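As an added example that is not part of these notes, the following Python models the four
confidentiality levels above and the need-to-know mapping the "Culture of safety" point describes:
a document's label sets the minimum clearance, and for Restricted or Confidential material an
additional set of groups with a business need decides which cleared staff may read it, with every
decision written as a traceable log line. The employees, groups and document names are constructed
for illustration, and the need-to-know group field is a modelling choice, not something the notes
specify.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """The four confidentiality levels from the notes, ordered from least to most sensitive."""
    PUBLIC = 0          # everyone has access
    INTERNAL = 1        # all employees have access
    RESTRICTED = 2      # most employees, but not all
    CONFIDENTIAL = 3    # only senior management


@dataclass(frozen=True)
class Document:
    name: str
    level: Classification
    # Groups with a business need for this document (hypothetical modelling choice).
    # An empty set means the classification level alone decides.
    need_to_know: frozenset = frozenset()


@dataclass(frozen=True)
class Employee:
    name: str
    clearance: Classification      # highest level this person may read
    groups: frozenset = frozenset()


def can_access(employee: Employee, document: Document) -> bool:
    """Need-to-know check: clearance must reach the label, and for documents limited
    to particular groups the employee must belong to at least one of them."""
    if employee.clearance < document.level:
        return False
    if document.need_to_know and not (employee.groups & document.need_to_know):
        return False
    return True


def accessible_documents(employee: Employee, documents) -> list:
    """Names of the documents this employee is allowed to read, in the given order."""
    return [d.name for d in documents if can_access(employee, d)]


def access_log_line(employee: Employee, document: Document) -> str:
    """A traceable record of each decision, as the notes ask for."""
    verdict = "ALLOW" if can_access(employee, document) else "DENY"
    return f"{verdict} {employee.name} -> {document.name} [{document.level.name}]"


# Constructed sample data (not from the notes).
DOCUMENTS = (
    Document("press-release.txt", Classification.PUBLIC),
    Document("holiday-calendar.xlsx", Classification.INTERNAL),
    Document("salary-bands.xlsx", Classification.RESTRICTED, frozenset({"finance", "hr"})),
    Document("merger-plan.docx", Classification.CONFIDENTIAL, frozenset({"executive"})),
)

VISITOR = Employee("visitor", Classification.PUBLIC)
ENGINEER = Employee("engineer", Classification.INTERNAL, frozenset({"engineering"}))
# Cleared for Restricted material, but with no business need for finance or HR data.
SUPPORT_LEAD = Employee("support-lead", Classification.RESTRICTED, frozenset({"support"}))
PAYROLL_CLERK = Employee("payroll-clerk", Classification.RESTRICTED, frozenset({"finance"}))
SENIOR_MANAGER = Employee("senior-manager", Classification.CONFIDENTIAL,
                          frozenset({"executive", "finance"}))

if __name__ == "__main__":
    for person in (VISITOR, ENGINEER, SUPPORT_LEAD, PAYROLL_CLERK, SENIOR_MANAGER):
        for doc in DOCUMENTS:
            print(access_log_line(person, doc))
```

The support lead shows why the clearance level alone is not enough: Restricted material is
available to most employees but not all, so the group check is what turns "cleared" into
"need to know".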
TOPIC 3: SECURITY POLICY
A security policy is a written document in an organization outlining how to protect the
organization from threats, including computer security threats, and how to handle situations
when they do occur.
A security policy must identify all of a company's assets as well as all the potential threats to
those assets. Company employees need to be kept updated on the company's security policies.
The policies themselves should be updated regularly as well.
Topic 4: RISK MANAGEMENT
What is risk assessment?
Risk assessment is a term used to describe the overall process or method by which you:
• Identify hazards and risk factors that have the potential to cause harm (hazard identification).
• Analyze and evaluate the risk associated with that hazard (risk analysis and risk evaluation).
• Determine appropriate ways to eliminate the hazard, or control the risk when the hazard cannot
be eliminated (risk control).
TERMS:
• Risk assessment – the overall process of hazard identification, risk analysis, and risk
evaluation.
• Hazard identification – the process of finding, listing, and characterizing hazards.
• Risk analysis – a process for comprehending the nature of hazards and determining the level
of risk.
(1) Risk analysis provides a basis for risk evaluation and decisions about risk control.
(2) Information can include current and historical data, theoretical analysis, informed
opinions, and the concerns of stakeholders.
(3) Risk analysis includes risk estimation.
• Risk evaluation – the process of comparing an estimated risk against given risk criteria to
determine the significance of the risk.
• Risk control – actions implementing risk evaluation decisions.
(Risk control can involve monitoring, re-evaluation, and compliance with decisions.)
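To show how the terms above fit together, here is an added Python example (not from these notes)
that carries a small hazard register through risk estimation, risk evaluation against stated
criteria, prioritization, and the re-evaluation that follows a control. The 1..5 likelihood and
severity scales, the thresholds that serve as risk criteria, and the hazards themselves are all
constructed for illustration; the notes give no particular scale.

```python
from dataclasses import dataclass, replace

# Constructed 1..5 scales for risk estimation (hypothetical; the notes give no scale).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}

# Constructed risk criteria on the resulting 1..25 scale.
HIGH_THRESHOLD = 15    # eliminate the hazard or add controls before proceeding
MEDIUM_THRESHOLD = 8   # controls required and tracked; below this the risk is accepted


@dataclass(frozen=True)
class Hazard:
    """A hazard found during hazard identification, with the current estimate for it."""
    name: str
    likelihood: int          # key into LIKELIHOOD
    severity: int            # key into SEVERITY
    controls: tuple = ()     # controls already applied, oldest first


def estimate_risk(hazard: Hazard) -> int:
    """Risk estimation: likelihood x severity on the constructed scale."""
    if hazard.likelihood not in LIKELIHOOD or hazard.severity not in SEVERITY:
        raise ValueError(f"{hazard.name}: likelihood and severity must be 1..5")
    return hazard.likelihood * hazard.severity


def evaluate_risk(score: int) -> str:
    """Risk evaluation: compare the estimate against the risk criteria."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def needs_further_action(hazard: Hazard) -> bool:
    """The last question of the assessment: is the risk controlled effectively?"""
    return evaluate_risk(estimate_risk(hazard)) != "low"


def prioritize(hazards) -> list:
    """Rank hazards for control, highest estimated risk first (ties broken by name)."""
    ranked = sorted(hazards, key=lambda h: (-estimate_risk(h), h.name))
    return [(h.name, estimate_risk(h), evaluate_risk(estimate_risk(h))) for h in ranked]


def apply_control(hazard: Hazard, control: str, likelihood: int, severity: int) -> Hazard:
    """Risk control followed by re-evaluation: record the control and the residual estimate."""
    return replace(hazard, likelihood=likelihood, severity=severity,
                   controls=hazard.controls + (control,))


# Constructed hazard register (not from the notes).
REGISTER = (
    Hazard("unpatched internet-facing server", likelihood=4, severity=5),
    Hazard("lost unencrypted laptop", likelihood=3, severity=4),
    Hazard("backup restore failure", likelihood=2, severity=5),
    Hazard("visitor tailgating into office", likelihood=2, severity=2),
)


def control_server_hazard() -> Hazard:
    """Worked re-evaluation for the top-ranked hazard: two rounds of controls."""
    server = REGISTER[0]
    # Patching on a schedule makes exploitation less likely; the impact is unchanged.
    server = apply_control(server, "monthly patch cycle", likelihood=2, severity=5)
    # Segmenting the server from internal systems limits the impact of a compromise.
    server = apply_control(server, "network segmentation", likelihood=2, severity=3)
    return server


if __name__ == "__main__":
    for name, score, level in prioritize(REGISTER):
        print(f"{score:>2} {level:<6} {name}")
    controlled = control_server_hazard()
    print(controlled.controls, estimate_risk(controlled), evaluate_risk(estimate_risk(controlled)))
```

The point of `control_server_hazard` is the re-evaluation step the notes mention under risk
control: after the first control the server hazard is still "medium" and needs further action;
only after the second does it fall within the accepted criteria.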
What is a hazard?
A hazard is any source of potential damage, harm or adverse health effects on something or
someone. Basically, a hazard is the potential for harm or an adverse effect (for example, to
people as health effects, to organizations as property or equipment losses, or to the
environment).
What is risk?
Risk is the chance or probability that a person will be harmed or experience an adverse health
effect if exposed to a hazard. It may also apply to situations with property or equipment loss,
or harmful effects on the environment.
Why is risk assessment important?
Risk assessments are very important as they form an integral part of an occupational health and
safety management plan. They help to:
• Create awareness of hazards and risk.
• Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.).
• Determine whether a control program is required for a particular hazard.
• Determine if existing control measures are adequate or if more should be done.
• Prevent injuries or illnesses, especially when done at the design or planning stage.
• Prioritize hazards and control measures.
• Meet legal requirements where applicable.

What is the goal of risk assessment?
The aim of the risk assessment process is to evaluate hazards, then remove each hazard or
minimize the level of its risk by adding control measures as necessary. By doing so, you have
created a safer and healthier workplace.
The goal is to try to answer the following questions:
• What can happen and under what circumstances?
• What are the possible consequences?
• How likely are the possible consequences to occur?
• Is the risk controlled effectively, or is further action required?
When should a risk assessment be done?
There may be many reasons a risk assessment is needed, including:
• Before new processes or activities are introduced.
• Before changes are introduced to existing processes or activities, including when products,
machinery, tools or equipment change, or new information concerning harm becomes available.
• When hazards are identified.
How is a risk assessment done?
• Assessments should be done by a competent person or team of individuals who have a good
working knowledge of the situation being studied.
• Include, either on the team or as sources of information, the supervisors and workers who work
with the process under review, as these individuals are the most familiar with the operation.
Topic 5: SECURITY PROCEDURES AND GUIDELINES

Topic 6: BUSINESS CONTINUITY AND DISASTER RECOVERY

• Disaster recovery is an organization's method of regaining access to and functionality of its
IT infrastructure after events like a natural disaster. A disaster recovery team is responsible
for building the organization's disaster recovery plan, developing the plan's processes and
procedures, and implementing the plan in the event of a crisis to ensure data recovery is
possible.
What is the best method for disaster recovery?
• Back up all your data: backup is an obvious solution and the first step to recovering from
data loss. ...
• Choose the right backup category.
• Plan an effective backup strategy.
• Data recovery software.
• Document critical information.
• Test and rehearse the disaster recovery plan.
Business continuity differs in that it is the process of getting the entire business back to
full functionality after a crisis.
BCDR is divided into two different phases/components:
• Business Continuity (BC): BC deals with the business operations side of BCDR.
  • It involves designing and creating policies and procedures that ensure that essential
business functions/processes are available during and after a disaster.
  • BC can include the replacement of staff, service availability issues, business impact
analysis and change management.
• Disaster Recovery (DR): DR is primarily focused on the IT side of BCDR. It defines how an
organization's IT department will recover from a natural or man-made disaster. The processes
within this phase can include server and network restoration, copying backup data and
provisioning backup systems.
• Business Continuity Management
  • Business continuity management (BCM) refers to the management of core conceptual resources
that address future threats to a business and help business leaders handle the impacts of
these threats.
  • This term is in the same vein as others, like business continuity planning (BCP), where
business leaders try to identify and address potential crises before they occur.
• Disaster Recovery Plan
  • A Disaster Recovery Plan (DRP) is a business plan that describes how work can be resumed
quickly and effectively after a disaster.
  • Disaster recovery planning is just part of business continuity planning, applied to the
aspects of an organization that rely on an IT infrastructure to function.
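The list above ends with "test and rehearse the disaster recovery plan", and the DR phase
mentions copying backup data. As an added example that is not part of these notes, the Python
below shows the smallest useful form of such a rehearsal: record a SHA-256 manifest of the
files at backup time, restore the backup to a scratch location, and compare the restored tree
against the manifest so that truncated, missing or unexpected files are reported before a real
disaster depends on them. The sample application files are constructed and everything runs
inside a temporary directory; the damage step is simulated so the check has something to find.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Digest of one file, read in chunks so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> list:
    """Compare a restored tree against the manifest; returns sorted (path, problem) pairs."""
    restored = build_manifest(restored_root)
    problems = []
    for rel, expected in manifest.items():
        if rel not in restored:
            problems.append((rel, "missing"))
        elif restored[rel] != expected:
            problems.append((rel, "corrupted"))
    for rel in restored:
        if rel not in manifest:
            problems.append((rel, "unexpected"))
    return sorted(problems)


def write_file(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(text)


def rehearse_restore(simulate_damage: bool = True) -> list:
    """One rehearsal run on constructed sample data, entirely inside a temporary directory.

    With simulate_damage=True the restored copy is deliberately damaged the way a real
    rehearsal might find it (a truncated file and a lost file), so the check must report both.
    """
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source")
        backup = os.path.join(work, "backup")
        restored = os.path.join(work, "restored")
        # Constructed sample content standing in for a small application's files.
        write_file(os.path.join(source, "config", "app.ini"), "[app]\nmode = prod\n")
        write_file(os.path.join(source, "data", "customers.csv"), "id,name\n1,Example Ltd\n")
        write_file(os.path.join(source, "data", "orders.csv"), "id,customer,total\n1,1,99.50\n")

        manifest = build_manifest(source)        # recorded alongside the backup
        shutil.copytree(source, backup)          # copying backup data
        shutil.copytree(backup, restored)        # the rehearsal: restore to a scratch location

        if simulate_damage:
            write_file(os.path.join(restored, "data", "customers.csv"), "id,name\n")
            os.remove(os.path.join(restored, "config", "app.ini"))

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", rehearse_restore(simulate_damage=False))
    print("damaged restore:", rehearse_restore())
```

In practice the manifest would be stored with the backup (and its own digest recorded
elsewhere), and the rehearsal would restore real backup media rather than a copied directory,
but the comparison step is the same.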

Topic 6: ETHICS IN SECURITY

• "Cyber ethics" refers to the code of responsible behavior on the Internet.
• Just as we are taught to act responsibly in everyday life with lessons such as "Don't take what
doesn't belong to you" and "Do not harm others," we must act responsibly in the cyber world as
well.
What are cyber security best practices?
• Protect your data. ...
• Avoid pop-ups, unknown emails, and links. ...
• Use strong password protection and authentication. ...
• Connect to secure Wi-Fi. ...