Security Management Overview and Controls

This chapter discusses security management and covers several topics: 1) It outlines 14 control groups specified in ISO/IEC 27001 including information security policies, access controls, asset management, and incident management. 2) It describes essential steps for security assessments including creating lists of network IP addresses and applications to examine and ensuring vulnerability scans don't trigger alarms. 3) It discusses the importance of security awareness training for employees and enhancing awareness through demonstrations.

Uploaded by Nithya Nair

CHAPTER 2

SECURITY MANAGEMENT
Chapter Overview
• People Management
• Human Resource Security
• Security Awareness and Education
• Information Management
• Information Classification and handling
• Privacy-Documents and Record Management
• Physical Asset Management
2.1 Introduction to People Management
2.2 Types of Security Controls
• ISO/IEC 27001:2013 (Annex A) specifies 114 controls in 14 groups. The 2022 revision reorganised these into 93 controls under four themes (organisational, people, physical, technological), so check which edition an audit is being run against:
• A.5: Information security policies
• A.6: Organisation of information security
• A.7: Human resources security
• A.8: Asset management
• A.9: Access control and managing user access
• A.10: Cryptography
• A.11: Physical and environmental security
• A.12: Operations security
• A.13: Communications security (secure communications and data transfer)
• A.14: Secure acquisition, development, and maintenance of information systems
• A.15: Supplier relationships (security for suppliers and third parties)
• A.16: Information security incident management
• A.17: Business continuity/disaster recovery
• A.18: Compliance with internal and external requirements, such as policies, laws, etc.
2.2.2 Security Controls Assessments
• The following are some essential steps in developing a security assessment:
– Make a list of the organisation's network IP addresses from which target computers will be selected. This list should include every system and device connected to the network, and should also record any addresses that are explicitly excluded from testing.
– Make a list of the web services and applications to be examined: applications, application and web servers, databases, third-party equipment, and the technologies in use.
– Vulnerability detection and reporting: the organisation's network and IT security specialists must be told in advance about vulnerability assessments, because scans generate bursts of network traffic and can overload target servers. Arrange for the scanner's source IP to pass unfiltered through the enterprise network, and make sure that IP is allowlisted in the IPS/IDS; otherwise the scanner's probes trigger malicious-activity alarms and the IP is blocked, so the hosts it never reached appear clean in the report.
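The scoping and allowlisting steps above, as an added worked example (this is not code from the slides or from any scanner vendor). It expands an in-scope address list into explicit targets minus exclusions, checks whether the scanner's source address falls inside the ranges the IPS/IDS has allowlisted, and then confirms from the IDS alert log which in-scope hosts had scanner probes dropped. All addresses, the allowlist and the alert lines are constructed, and the `key=value` alert layout is hypothetical rather than any product's real format.

```python
import ipaddress
import re

# Constructed sample inventory (hypothetical RFC 1918 addresses, not from a real assessment).
IN_SCOPE = ["10.0.1.0/29", "10.0.2.10", "10.0.2.11"]   # networks and single hosts to assess
EXCLUDED = ["10.0.1.1"]                                 # e.g. the gateway, excluded by agreement
SCANNER_SRC = "10.0.9.5"                                # address the scanner egresses from
IDS_ALLOWLIST = ["10.0.9.16/28"]                        # ranges actually allowlisted on the IPS/IDS

# Constructed IDS alert lines in a simple key=value layout (hypothetical, not a vendor format).
IDS_ALERTS = """\
2024-05-01T10:00:01Z sig="Nmap scripting engine probe" src=10.0.9.5 dst=10.0.1.2 action=drop
2024-05-01T10:00:03Z sig="SSH brute force" src=203.0.113.7 dst=10.0.2.10 action=alert
2024-05-01T10:00:05Z sig="Port sweep" src=10.0.9.5 dst=10.0.2.11 action=drop
""".splitlines()

ALERT_RE = re.compile(r'src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)')


def expand_targets(in_scope, excluded):
    """Turn CIDRs and single hosts into an explicit, de-duplicated target list minus exclusions."""
    excl = {ipaddress.ip_address(e) for e in excluded}
    targets = set()
    for entry in in_scope:
        net = ipaddress.ip_network(entry, strict=False)
        # /31 and /32 have no separate network/broadcast address, so every address is a host
        hosts = list(net) if net.num_addresses <= 2 else net.hosts()
        targets.update(h for h in hosts if h not in excl)
    return sorted(targets)


def scanner_allowlisted(src, allowlist):
    """True if the scanner source sits inside one of the allowlisted ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowlist)


def scanner_alerts(lines, src):
    """Return (dst, action) for every alert the IDS raised on scanner traffic.
    A non-empty result means the allowlist is missing or was applied to the wrong range."""
    hits = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m and m.group("src") == src:
            hits.append((m.group("dst"), m.group("action")))
    return hits


def blocked_targets(lines, src, targets):
    """In-scope hosts to which the IPS dropped scanner probes: they show up as clean in
    the report only because they were never actually scanned."""
    dropped = {dst for dst, action in scanner_alerts(lines, src) if action == "drop"}
    return sorted(str(t) for t in targets if str(t) in dropped)


if __name__ == "__main__":
    targets = expand_targets(IN_SCOPE, EXCLUDED)
    print(f"{len(targets)} targets:", ", ".join(map(str, targets)))
    print("scanner allowlisted:", scanner_allowlisted(SCANNER_SRC, IDS_ALLOWLIST))
    print("alerts on scanner traffic:", scanner_alerts(IDS_ALERTS, SCANNER_SRC))
    print("targets with dropped probes:", blocked_targets(IDS_ALERTS, SCANNER_SRC, targets))
```

In the constructed data the allowlist was provisioned for the wrong /28, so the scanner is not covered and two of the seven targets had their probes dropped; those two hosts would be reported as having no findings. Running `blocked_targets` over the real IDS log after a scan is the check that catches this, independent of what the allowlist change ticket says.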
2.3 Security Awareness and Education
• Designing policies or procedures
• Ensuring cyber security training
• Enhancing employee awareness with demonstrations
2.4 Human Resource Security
• Establish a standard for addressing and limiting
security risks related to people.
• The procedures should cover the three key stages of
a user’s access to information or information
systems:
– Before employment, including granting access to
information or information systems.
– During employment, including active access to information
or information systems.
– At termination or change of employment, when an employee's requirement for access to information or information systems ends or changes, and access must be revoked or adjusted accordingly.
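The three stages above (joiner, mover, leaver) are only enforced if someone periodically reconciles the HR roster against the directory. The following added example (written for this page, not code from the slides or from any HR or identity product) does that reconciliation over a constructed roster and a constructed list of directory accounts; the people, groups and department entitlement matrix are all hypothetical.

```python
from datetime import date

# Constructed sample data (hypothetical people, groups and accounts, not from any real organisation).
HR_ROSTER = {
    "alice": {"status": "active",     "dept": "finance", "end_date": None},
    "bob":   {"status": "terminated", "dept": "eng",     "end_date": date(2024, 4, 30)},
    "carol": {"status": "active",     "dept": "eng",     "end_date": None},              # moved finance -> eng
    "dave":  {"status": "active",     "dept": "sales",   "end_date": date(2024, 6, 30)},  # fixed-term contract
}
DIRECTORY = [
    {"user": "alice",      "enabled": True, "groups": {"finance-ro"}},
    {"user": "bob",        "enabled": True, "groups": {"eng-deploy", "vpn"}},
    {"user": "carol",      "enabled": True, "groups": {"finance-ro", "eng-deploy"}},
    {"user": "svc-backup", "enabled": True, "groups": {"backup-admin"}},
]
# Groups each department is entitled to (hypothetical entitlement matrix).
DEPT_GROUPS = {"finance": {"finance-ro"}, "eng": {"eng-deploy", "vpn"}, "sales": {"crm"}}
AS_OF = date(2024, 5, 15)   # date the review is run


def _left(person, today):
    """True once a person is no longer current in HR, by status or by an elapsed end date."""
    return person["status"] != "active" or (person["end_date"] is not None and person["end_date"] < today)


def leavers_with_access(roster, directory, today):
    """Termination stage: enabled accounts whose owner has left or whose end date has passed."""
    return sorted(a["user"] for a in directory
                  if a["enabled"] and a["user"] in roster and _left(roster[a["user"]], today))


def movers_with_stale_groups(roster, directory, dept_groups, today):
    """During employment: groups a current employee holds that their present department is not entitled to."""
    stale = {}
    for a in directory:
        p = roster.get(a["user"])
        if p is None or _left(p, today):
            continue  # orphans and leavers are reported by the other checks
        extra = a["groups"] - dept_groups.get(p["dept"], set())
        if extra:
            stale[a["user"]] = sorted(extra)
    return stale


def orphan_accounts(roster, directory):
    """Accounts with no HR record: service accounts need a named owner, anything else is suspect."""
    return sorted(a["user"] for a in directory if a["user"] not in roster)


def joiners_without_accounts(roster, directory, today):
    """Before employment: people who are current in HR but have no directory account yet."""
    have = {a["user"] for a in directory}
    return sorted(u for u, p in roster.items() if not _left(p, today) and u not in have)


if __name__ == "__main__":
    print("leavers still enabled:", leavers_with_access(HR_ROSTER, DIRECTORY, AS_OF))
    print("movers with stale groups:", movers_with_stale_groups(HR_ROSTER, DIRECTORY, DEPT_GROUPS, AS_OF))
    print("orphan accounts:", orphan_accounts(HR_ROSTER, DIRECTORY))
    print("joiners without accounts:", joiners_without_accounts(HR_ROSTER, DIRECTORY, AS_OF))
```

The mover case is the one most often missed: carol's account is valid and her owner is active, so neither a leaver check nor an orphan check flags it, yet she still carries the finance group from her previous role. Fixed-term end dates are treated the same as a termination, so a contractor whose contract lapsed is reported without anyone having to file a leaver ticket.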
2.5 Asset Management
• Humans: the real assets; their knowledge and ability considerably influence the performance of the other, physical, assets.
• Financial: wealth is the asset most needed for building infrastructure, buying materials and running day-to-day operations.
• Information: organisational management runs on information, and its quality shows in the progress, optimisation and implementation of management plans.
• Intangible: the goodwill, reputation or image an organisation has built has major impacts on infrastructure investments, operations and company-related costs.
2.5.1. Level of Assets
2.5.2 The principles of asset management
2.5.3 Asset life cycle
2.6 Information classification