
Chapter Summary

• In this chapter, we attempted to lay a strong foundation for the next few chapters. We explored four important layers of information security, namely Physical Security (which includes Hardware Security), Network Security (which includes Communications Security), Software Security (which includes Operating System Security, Applications Security, and Security of Utilities/Tools), and Human Security (which relates to people). We saw how each of these layers contributes to the overall information security of an organization. We also saw how policies, procedures, and processes contribute to the overall scheme of information security. Through a context diagram, we also depicted the important controls of each of these layers.

• We explored various security threats and categorized them into external threats and internal threats based on their origin. We then identified some of the important external and internal threats under each of the layers: Physical Security, Network Security, Software Security, and Human Security.

• We also explored the generic multi-layered approach to information security architecture, which can be used by any organization, and we looked at the important components of each of these layers. We also looked at the additional aspects covered by "defense in depth" and how it can help an organization respond to information security breaches or incidents. We touched upon some of the important frameworks/architectural models of information security, such as ISO/IEC 27001:2013 complemented by ISO/IEC 27002:2013, NIST SP 800-39 and SP 800-53, and SABSA. We then explored these frameworks/architectural models in detail and how they lead to a secure information security architecture for any organization. We also looked at the advantages and disadvantages of each of them.

• We examined the three important pillars of security: People; Policies, Procedures, and Processes; and Technology. We explored how an organization has to equip itself for effective implementation of information security, the importance of the independence of information security personnel, and what the typical information security roles and responsibilities are. We also stressed the need to clearly specify the authorities related to information security. We then detailed how policies, processes, and technology effectively contribute to and support people in implementing information security.

• We discussed the CIA triad (the traditionally accepted model of information security) and the Parkerian Hexad, which extends the CIA triad. We explored some of the important definitions of confidentiality, integrity, and availability from the U.S. Code, NIST, and other standards/forums, and noted that the various definitions are at variance with each other. We also looked at the differences between the NIST definitions and those of the Parkerian Hexad, and at examples of each property of information security as per the CIA triad and as per the Parkerian Hexad.

• We suggested one approach for effectively implementing information security in any organization, whether new or existing. We elaborated upon the need for risk assessment and the various risk assessment frameworks, the importance of appropriate planning, the need for a robust information security architecture and periodic gap analysis, the need for execution discipline in operations, the importance of regular monitoring, the importance of legal compliance and periodic audits, and crisis management.
