
The 10 Deadly Sins of Information Security Management



Presentation Transcript


  1. The 10 Deadly Sins of Information Security Management
  Basie von Solms & Rossouw von Solms, Computers & Security (23), 371-376, 2004
  Presented by Bhavana Reshaboina

  2. Introduction
  • The authors talk about 10 essential aspects to be taken into account when planning and implementing an information security plan

  3. Information Security Is A Corporate Governance Responsibility
  • Laws and legal requirements emphasize the integration of information security with corporate governance
  • Compromised informational assets can lead to financial and legal implications
  • Top management has to be involved in ensuring the protection of sensitive information

  4. Information Protection Is Not A Technical Issue Alone
  • Securing informational assets is a business issue as much as it is a technical one
  • Information protection is an investment
  • Investment decisions are business decisions

  5. Information Security Governance Is A Multi-dimensional Discipline
  • Various dimensions collectively contribute towards a secure environment
  • Some examples are legal, personnel, technical, ethical, organizational, etc.
  • Relying on a single dimension, product or tool results in lopsided solutions
  • All the important dimensions must be taken into account

  6. Information Security Plan Must Be Based On Identified Risks
  • Know what assets need protection
  • Know what the potential threats are
  • If security planning is not based on risk analysis, time and money are spent on unclear objectives

  7. Adopting Best Practices For Information Security Governance
  • Learn from the success and failure experiences of others
  • The ‘bread & butter’ aspects of information security are the same in most IT environments
  • The challenge is to ‘Do the right thing at the right time’
  • Use of documented ‘Standards and Guidelines’ should be the starting point

  8. A Corporate Information Security Policy Is Absolutely Essential
  • The security policy is the heart of any security management plan
  • It is the starting point and reference on which all other security-related sub-policies and standards are based
  • It must be signed by the top executives of the company

  9. Information Security Compliance Enforcement, Management Essential
  • A perfect security policy is of no use if it is not enforced
  • Continuous monitoring is needed to ensure proper compliance
  • ‘That which can be measured can be managed’
  • Technical and non-technical tools must be used to monitor the policy in real time

  10. Proper Information Security Governance Structure Is Essential
  • Governance structure refers to organizational structure, job responsibilities, communication flow, etc.
  • Structured chaos is good
  • It brings clarity and accountability to the security management plan

  11. Information Security Awareness Among Users Is Important
  • Users unaware of the security policies and of the potential risks arising from their activities render the best security planning ineffective
  • Users should not be made the weakest link
  • Money spent on user awareness is some of the best money spent on information security

  12. Empower Managers To Support Information Security
  • The information security manager cannot run a one-man show
  • The necessary infrastructure, tools and supporting mechanisms need to be provided

  13. Conclusions
  • Creating and implementing a proper information security program is based on the understanding of the essential issues unique to IT security
  • Any plan that addresses these core issues would serve to protect the IT assets suitably

  14. Thank You!
  • Questions and comments are welcome