Menu
Home
Log in / Register
 
Home arrow Computer Science arrow The InfoSec Handbook
< Prev   CONTENTS   Next >

Planning and Architecture

In an existing organization, planning may commence with the commencement of planning for effective risk assessment involving all the stakeholders as relevant. In a new organization, the planning may be carried out to effectively approach achievement of information security using relevant steps as suggested by appropriate frameworks or methodologies. Plans also identify the owners for various activities, roles, and responsibilities for the effective execution of these plans. The schedules used also clearly depicts the timelines, keeping in mind various dependencies and constraints. The steps planned depend upon the methodology or framework used. Planning needs to be carried out for an integrated, methodical, and well-coordinated approach, leading to effective information security infrastructure or architecture rather than an ad-hoc approach that can create side effects or make the implementation ineffective. Effective information security infrastructure or architecture provides ease of use and generates confidence to all the stakeholders including business users.

In an existing organization, risk assessment provides the input for the planning. The implementation of additional controls determined to mitigate are planned through the risk treatment plans. These actions are clearly assigned to the appropriate owners with clearly identified timelines. Well-implemented risk treatment plans ensure that the organization is well protected.

Gap Analysis

Things change: the business may change, the technology changes, the people change. Changes are the only constant in today's world. Also, the vulnerabilities until now unknown will have been exposed to the world or reported. Hence, we have to ensure that our protection systems continue to work even under these constant changes. In order to ensure this, a periodical gap analysis needs to be carried out which sometimes throw up significant surprises. This ensures a check on the implementation of the policies, procedures, and processes, as well as the effectiveness of the existing protective mechanisms or controls including the effectiveness of the information security architecture. This may be done through periodical risk re-assessments leading to additional controls to be implemented through new risk treatment plans.

Integration and Deployment

As discussed earlier, any implementation done in silos rather than organization-wide does not provide adequate protection. Instead, it can create an inconvenience in the usage and also expose us to more threats. Hence, an integrated view at all times in the totality of the business and the organization is required. Also, an effective deployment of all intended policies, procedures, and processes, along with the intended implementation of information security architecture and its various layers is required. All the efforts related to information security need to be thought of in an integrated manner by involving all the relevant stakeholders and need to be implemented based on their dependencies. Incomplete implementation or inadequate attention to any one of the layers may defeat the controls built in other layers. For example, there is no use in implementing a tool for the analysis of the alerts unless the persons who are required to analyze them are trained on the same. Similarly, implementation of new policies and procedures will be useless unless the persons who should understand them and follow them are not aware of them

or are not trained on using them. The implementation of new tools is of no use unless the internal people know how to configure and use them effectively. Relevant people need to be trained, and tools, if any, need to be configured appropriately. The correct working of such tools should be confirmed by testing as required and defects, if any, have to be fixed or their impact understood and only then these tools have to be used. All these steps need to definitely be a part of the planning we talked about earlier in the chapter.

 
Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
 
Subjects
Accounting
Business & Finance
Communication
Computer Science
Economics
Education
Engineering
Environment
Geography
Health
History
Language & Literature
Law
Management
Marketing
Philosophy
Political science
Psychology
Religion
Sociology
Travel