Chapter 10 - Information Security Program Metrics
Building a Practical Information Security Program, 2017, Pages 169-183
Jason Andress, Mark Leary
Abstract: The common adage is "you can't manage what you can't measure." In this chapter, the design, development, management, and reporting of meaningful, relevant, and contextual information security measurements and metrics are discussed. Topics such as establishing the metrics program and creating key performance indicators for security are covered.
System Integration and Security of Information Systems
Procedia Computer Science, Volume 104, 2017, Pages 35-42
Andrii Boiko, Vira Shendryk
Abstract: The frequency of unauthorized actions against information systems (IS) during their integration is steadily increasing, which inevitably leads to large financial and material losses. According to statistics, internal users of an IS commit more than half of all violations. All of this forms "a dangerous risk group". Existing approaches to IS security rely mainly on specialized tools that differentiate user access to information resources. Each user is assigned certain rights that permit or prohibit local access to information stored on the user's PC, or remote access via communication links to information held on other PCs.
Our analysis identified two major vulnerabilities: tools that differentiate local access cannot protect against offender actions that are not directly related to obtaining unauthorized access to IS resources, and tools that differentiate remote access do not protect against network-based actions by internal users of the system.
The results of this research will improve the process of ensuring effective protection against information security threats in the IS.
Chapter 17 - Information Security
The Manager's Handbook for Corporate Security (Second Edition), 2017, Pages 353-373
Edward P. Halibozek, Gerald L. Kovacich
Abstract: The security department of a corporation has the leadership role and responsibility for the protection of corporate assets. One of the most important categories of corporate assets is information and the information systems that transmit, store, process, and display the information.
Information systems security has been for too long the responsibility of the corporate IT department, and for too long these valuable assets have been easily and successfully attacked by corporate insiders and miscreants from around the world. The corporate security manager (CSM) must take the leadership role in the identification, classification, marking, storing, transmitting, and proper destruction of these valuable corporate assets. Because information in today’s modern information-based and information-dependent corporation is stored, transmitted, displayed, and processed by high-technology systems and devices, the CSM must take a holistic approach to the protection of these assets through their various high-technology environments.
The CSM must also take a leadership role in protecting high-technology assets, such as networks (wide area and local), internet portals, mobile computing devices, fixed computing devices, as well as telecommunications devices such as private branch exchanges and cellular telephones. To do so, the CSM establishes an organization under the security department. The organization should be responsible for information assurance and information protection regardless of the environment in which the information is located.
The organization, information assurance and protection services (IAPS), is also responsible for the development, implementation, and maintenance of a corporate Information Assurance and Protection Program as a subset of the Corporate Assets Protection Program.
As with any part of the assets protection process, assets protection is a shared responsibility in a corporation. Within the security department, the information assurance and information protection responsibilities are divided among several security organizations, such as physical security, administrative security, and the Security Education and Awareness Training Program.
An IAPS organization should include specialists in information classification, information systems protection, and telecommunications protection.