The paper 'Management and Information Security' is a wonderful example of a Management Assignment. Information security is defined as the safeguarding of information together with the critical characteristics inherent to it: confidentiality, integrity, and availability. It encompasses the systems and hardware that use, store, or transmit that information (Whitman & Mattord, 2010). Access to information, especially information stored on computers, has increased as both businesses and individuals keep their data there, and much of that stored information is not intended for public consumption (wisegeek.com).
Executing a plan as part of InfoSec management involves developing, creating, and implementing the strategies that will achieve the security goal. Planning takes place at three levels: strategic, tactical, and operational. The process starts when strategic plans are initiated for the whole firm, and it includes training, awareness, and education. Information security planning consists of activities that support the conception, design, and application of strategies for enhancing information security. The types of information security plans involved are incident response, business continuity, disaster recovery, policy, personnel, technology rollout, risk management, and security program planning.

Figure 1: The process of planning

Policy packages organizational guidelines so that they give guidance on what behavior is acceptable within the organization.
There are three general classes of policy: enterprise information security policy (EISP), issue-specific security policy (ISSP), and system-specific security policies (SysSPs). The bull's-eye model focuses on the role of policy in information security; the issues it addresses progress from the general to the specific.
This is illustrated in figure 2 below:

Figure 2: Bull's-eye model

Policy forms the outermost layer of the bull's-eye model (Whitman & Mattord, 2010). Programs are information security operations that are managed as distinct entities. An example is a security education, training, and awareness (SETA) program that supports all the programs in the army and is not specific to any regulation. Such training programs include security briefings given to new arrivals and yearly online security awareness training. Protection is carried out through risk management processes, such as risk assessment and risk control, together with protection mechanisms, tools, and technologies.
Each mechanism represents a factor in the administration of the distinct controls laid out in the security plan. Protection mechanisms include access controls, which consist of four processes: identification, authentication, authorization, and accountability. Identification obtains the identity of the accessing entity. Authentication confirms whether the claimed identity is genuine. To perform specific actions in the area, the entity must be authorized. Finally, to maintain security, the activities of the authorized entity within the system are logged.
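The four access-control processes described above can be shown as one short flow. The following is an added example written for this page, not code from the assignment or from Whitman and Mattord; the user store, the roles, the permission matrix, the fixed salt, and the audit-log format are all constructed for illustration. Each decision, including every denial, is written to the audit log, because accountability means recording what the entity attempted, not only what it was allowed to do.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical user store (constructed for this example). Each entry holds a
# salted PBKDF2 verifier instead of the password itself, plus the user's roles.
_SALT = b"constructed-fixed-salt"   # fixed here only so the example is deterministic


def _verifier(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS: Dict[str, Dict] = {
    "alice": {"verifier": _verifier("correct horse"), "roles": {"analyst"}},
    "bob":   {"verifier": _verifier("battery staple"), "roles": {"admin", "analyst"}},
}

# Constructed permission matrix: (role, action, resource) triples that are allowed.
PERMISSIONS: Set[Tuple[str, str, str]] = {
    ("analyst", "read",  "incident-reports"),
    ("admin",   "read",  "incident-reports"),
    ("admin",   "write", "incident-reports"),
}

# Accountability: every access decision, allowed or denied, is appended here.
AUDIT_LOG: List[Dict[str, str]] = []


def identify(claimed_user: str) -> Optional[str]:
    """Identification: map the claimed identity to a known principal, or None."""
    return claimed_user if claimed_user in USERS else None


def authenticate(user: str, password: str) -> bool:
    """Authentication: confirm the identity against the stored verifier.
    compare_digest keeps the comparison time independent of where the bytes differ."""
    return hmac.compare_digest(_verifier(password), USERS[user]["verifier"])


def authorize(user: str, action: str, resource: str) -> bool:
    """Authorization: allow only if one of the user's roles grants (action, resource)."""
    return any((role, action, resource) in PERMISSIONS for role in USERS[user]["roles"])


def record(user: str, action: str, resource: str, outcome: str) -> None:
    """Accountability: write an audit record; denials are logged as well as successes."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "resource": resource, "outcome": outcome,
    })


def access(claimed_user: str, password: str, action: str, resource: str) -> str:
    """Run the four processes in order and return the outcome that was logged."""
    user = identify(claimed_user)
    if user is None:
        outcome = "denied:unknown-identity"
        user = claimed_user            # log the claimed name so the attempt is traceable
    elif not authenticate(user, password):
        outcome = "denied:authentication-failed"
    elif not authorize(user, action, resource):
        outcome = "denied:not-authorized"
    else:
        outcome = "allowed"
    record(user, action, resource, outcome)
    return outcome


if __name__ == "__main__":
    print(access("alice", "correct horse", "read", "incident-reports"))   # allowed
    print(access("alice", "correct horse", "write", "incident-reports"))  # denied:not-authorized
    print(access("bob", "wrong password", "read", "incident-reports"))    # denied:authentication-failed
    print(access("mallory", "anything", "read", "incident-reports"))      # denied:unknown-identity
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks matters: authorization is never consulted for an entity whose identity has not been confirmed, and the audit record names the principal and the outcome so that a reviewer can later reconstruct who did what.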
Firewalls are used to control the movement of information from inside a network to outside it, and between trusted and untrusted networks. An example of a firewall is illustrated in the figure below:
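To make the firewall idea concrete, here is an added example of a simple packet-filter rule evaluator; it is not the figure referred to above and not code from the assignment. The rule set, the network ranges (taken from the documentation address blocks), and the sample packets are all constructed. The evaluator applies the rules top to bottom, lets the first match decide, and denies anything no rule covers, which is the default-deny stance that keeps information from moving between trusted and untrusted networks unless a rule explicitly permits it.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed rule set for a hypothetical border firewall. Rules are evaluated top
# to bottom, the first match decides, and anything unmatched is denied (default deny).
# Fields: (action, direction, protocol, source network, destination network,
#          destination port or None for any port)
RULES: List[Tuple[str, str, str, str, str, Optional[int]]] = [
    ("allow", "in",  "tcp", "0.0.0.0/0",       "203.0.113.10/32", 443),   # public web server
    ("allow", "in",  "tcp", "198.51.100.0/24", "203.0.113.0/24",  22),    # SSH only from the admin network
    ("deny",  "out", "tcp", "203.0.113.0/24",  "0.0.0.0/0",       25),    # no direct outbound SMTP from inside
    ("allow", "out", "any", "203.0.113.0/24",  "0.0.0.0/0",       None),  # other outbound traffic permitted
]


def evaluate(direction: str, protocol: str, src: str, dst: str,
             dport: Optional[int]) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ("deny", None) means no rule
    matched and the default deny applied."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for index, (action, r_dir, r_proto, r_src, r_dst, r_port) in enumerate(RULES):
        if r_dir != direction:
            continue
        if r_proto != "any" and r_proto != protocol:
            continue
        if src_ip not in ipaddress.ip_network(r_src):
            continue
        if dst_ip not in ipaddress.ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, index
    return "deny", None


def filter_packets(packets: List[Tuple[str, str, str, str, Optional[int]]]):
    """Apply the rule set to a list of packets and return the ones that were denied."""
    return [p for p in packets if evaluate(*p)[0] == "deny"]


# Constructed sample traffic: (direction, protocol, src, dst, destination port).
SAMPLE_PACKETS = [
    ("in",  "tcp", "192.0.2.5",    "203.0.113.10", 443),  # untrusted client to web server: rule 0 allows
    ("in",  "tcp", "192.0.2.5",    "203.0.113.10", 22),   # untrusted client to SSH: nothing matches, default deny
    ("in",  "tcp", "198.51.100.7", "203.0.113.10", 22),   # admin network to SSH: rule 1 allows
    ("out", "tcp", "203.0.113.20", "192.0.2.1",    25),   # inside host sending mail directly: rule 2 denies
    ("out", "udp", "203.0.113.20", "192.0.2.1",    53),   # inside host DNS lookup: rule 3 allows
]

if __name__ == "__main__":
    for packet in SAMPLE_PACKETS:
        print(packet, "->", evaluate(*packet))
```

Because the first matching rule wins, rule order is part of the policy: if the general outbound "allow" were placed above the SMTP "deny", the deny would never be reached, which is a common misconfiguration worth checking for when rule sets are reviewed.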
Alka, M. (2012). Why Organization Needs Information Security? Viewed 15 December 2012 from: http://www.scribd.com/doc/92829149/M07920000220104013Materi-Multimedia-LO-M0792-pert-13#download
Hueston, B. (2006). Top-Down or Bottom-Up. Viewed 15 December 2012 from: https://blogs.oracle.com/tacticalleadership/entry/top_down_or_bottom_up
Lister, J. (2012). The Difference Between Top Down and Bottom Up Strategic Management. The Houston Chronicle, Demand Media.
Lucey, K. (2005). Business Continuity Plan Development Explored. Presentation given at the Continuity Planning & Management 2004 West conference, May 2004. Portal Publishing Ltd.
Tomhave, B. (2010). I Am InfoSec, and So Can You. Viewed 16 December 2012 from: http://www.secureconsulting.net/2010/04/i-am-infosec-and-so-can-you.html
Whitman, M. E., & Mattord, H. J. (2010). Management of Information Security. Course Technology.