Page 45 - Cyber Defense eMagazine June 2020 Edition

containing sensitive information assets. Background investigations and other personnel management
            controls are in place.

6. Third-Party Information Security Assurance: The enterprise shares sensitive information with third parties only when it is assured that the third party appropriately protects that information.

7. Periodic Independent Assessment: The enterprise has an independent assessment or review of its information security program, covering both technology and management, at least annually.



            Management Control Domains

These seven critical success factors play themselves out across three fundamental management control domains:

1. IT Infrastructure Security: Control elements in this domain identify specific point-in-time technical information security countermeasures. Examples include the security architecture; firewall rules; technical access controls; backup status; use of encryption; virus, worm and Trojan horse prevention; current patch levels; intrusion detection capabilities; etc.

2. Secure IT Management: This control domain contains information security management controls specific to managing the Information Technology infrastructure. Control elements in this domain include documentation of IT systems, procedures, etc.; management of systems development and maintenance processes, including change control; incident response and disaster recovery planning; IT staff education; IT vendor security; etc.


3. Entity Security Management: This control domain contains management controls hierarchically "above" and outside of the management of the Information Technology infrastructure. Control elements in this domain include the chief information security officer, information security policies, employee education and awareness training, business process security, physical security, personnel security, etc.

            Managing an Information Security Structure

            CISO


As an information security leader, the CISO is expected to:

   •  Take a systematic approach to IT security
   •  Determine which risks have the most impact on your organization and protect the assets that matter most
   •  Proactively mitigate risks and minimize damage from cyber attacks and data breaches




Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.