INFT 6147 Assignment 3

GOVERNANCE AND STRATEGIC PLANNING FOR SECURITY 1

Governance and Strategic Planning for Security


Lila Rajabion
Empire State University, INFT 6147
1/28/2024
Describe top-down strategic planning. How does it differ from bottom-up strategic planning?
Which is usually more effective in implementing security in a large, diverse organization?

The top-down approach features upper management support and the setting of organizational goals at
the top level. These leaders set the vision, mission, and overall objectives, which flow down to the
lower levels (middle management, support staff, etc.). The lower levels then focus their plan
of action, coordinate the strategy set forth by upper management, and work holistically on
implementing the necessary security (Whitman & Mattord, 2018).

The bottom-up approach begins when the lower levels look at their own systems and areas to improve
security. Individual staff members use their expertise to understand the threat mechanisms that are in
place. This empowers the staff to work together for a common cause and to consider innovative
practices that make use of the resources they already have. This creates a shared decision-making
process that instills inclusivity around balanced solutions (Whitman & Mattord, 2018).

What is a systems development life cycle methodology? What is the primary objective of the
SecSDLC? What are its major steps, and what are the major objectives of each step?

A systems development life cycle (SDLC) methodology is a structured approach to the design and
implementation of an information system in an organization (Whitman & Mattord, 2018, p. 124). The primary
objective of the security systems development life cycle (SecSDLC) is the identification of
specific threats and the risks that they represent, as well as the subsequent design and
implementation of specific controls to counter those threats and manage that risk (Whitman & Mattord,
2018, p. 124). Its major steps and objectives are:

- Investigation: a directive from upper management specifies the process, goals, and outcomes
of the project and its budget constraints.
- Analysis: the team studies the documents produced during the investigation.
- Design (logical/physical):
  - Logical design: the team creates a blueprint for security and examines and
implements key policies that influence later decisions.
  - Physical design: the team evaluates the technology needed to support the
security blueprint, generates alternative solutions, and agrees on a final design.
- Implementation: security solutions are acquired, tested, implemented, and retested.
- Maintenance: constant monitoring, testing, modifying, updating, and repairing.

(Whitman & Mattord, 2018, pp. 125-131)
What is an operational security control? What is a technical security control?

Operational security controls are the steps executed to defend data systems by managing threats.
Operational controls cover aspects such as encryption, incident response, and supervision.
This ensures the integrity of sensitive information in an organization.

Technical security controls are similar to operational security controls, but they are more along the lines
of programs that create the security. Technical security controls are mechanisms put in place in
information systems to defend against cyber threats. The types of controls in place include
antivirus software, intrusion detection, encryption, and firewalls. These are proactive
measures to secure and reinforce the overall infrastructure of an organization against
unauthorized attacks.

Reference

Whitman, M. E., & Mattord, H. J. (2018). Management of Information Security. Cengage Learning, Inc.