CH 2 Security Planning
MANAGEMENT
LECTURE 2: PLANNING FOR SECURITY
You got to be careful if you don’t know where you’re going,
because you might not get there. – Yogi Berra
Outline and Review
http://csrc.nist.gov/publications/PubsTC.html
Information Security Planning
• Planning involves
– Employees
– Management
– Stockholders
– Other outside stakeholders
– The physical and technological environment
– The political and legal environment
– The competitive environment
The Role of Planning (cont’d.)
• Values Statement
– Establishes organizational principles
• Vision Statement
– What the organization wants to become
• Mission Statement
– What the organization does and for whom
Strategic Planning
Tactical Planning
Operational Planning
Planning and the CISO
Strategic alignment
Risk management
Resource management
Performance measurement
Value delivery
Implementing Information Security Governance
• Lines of Defense
• Methods of implementation
– Bottom-up
– Top-down
Planning For Information Security Implementation (cont’d.)
Feasibility analysis
• Determines whether the organization has the resources and commitment to conduct a successful security analysis and design
SecSDLC: Analysis
• Prepare analysis of existing security policies and programs, along with known threats and current controls
• Analyze relevant legal issues that could affect the design of the security solution
Exploit
Vulnerability
Attack
• Challenges
• Suggestions