
Implementation of Information Security

Implementing information security is not easy. Every pillar of information security has to be given adequate thought. The effort has to be scoped properly and planned with the involvement of all stakeholders. Planning has to be backed by strong execution, and the barriers that arise during execution have to be overcome. A deliberate focus on the success of the implementation is necessary, with all the relevant people assigned and involved appropriately.

Figure 3-9 shows the typical information security implementation cycle. Depending on the context of the organization, different models may be used for implementation.

Figure 3-9. The implementation cycle of information security

An effective approach to the implementation of information security is the key to its success. Organizations at different stages of their existence may approach the implementation in different ways. An organization that already exists usually begins its journey on the path to information security by initiating a risk assessment. Hence, various standards and frameworks highlight risk assessment as the important step in the overall implementation of information security. A new organization, however, may begin its journey by determining its business requirements, then the infrastructural and technological requirements needed to facilitate and enable the business, and then the business requirements for information security, as suggested by the SABSA methodology.

Risk Assessment

Various risk management methodologies are available for ensuring effective risk assessment. Some of them are: Risk Management – Principles and guidelines (ISO/IEC 31000:2009); Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE®) from the Software Engineering Institute, CMU, Pittsburgh; the risk assessment methodology specified by NIST (SP 30, 39 & 53); the Risk IT framework by the Information Systems Audit and Control Association, US; and FMEA. An organization can use any methodology, but the risk assessment process has to be carried out methodically and effectively to derive the required benefits. The risk response, including the risk mitigations to be carried out, is normally driven by an understanding of the risks in the context of the entire organization, keeping in mind the vulnerabilities and threats to information assets (including those from the outside world), an understanding of the controls currently in place, and a quantification of the risk to understand the risk exposure. Risk mitigations are determined based on effective controls already implemented by other organizations or suggested by other agencies, on the implementation of tools, on policies and processes, on other additional controls as required (including awareness and training of employees, contractors and suppliers), or on deterrents such as legal agreements.

Employees normally include temporary workers too.
