Security Framework

A security framework provides guidelines for designing and implementing an organization's security infrastructure. It acts as a starting point and offers general descriptions of important security areas and how to set up security systems. Information security governance applies corporate governance principles to the security function and is important for strategic direction, risk management, resource use, performance measurement, and value delivery. Executive management should plan for security governance since it is a strategic responsibility and security objectives must be addressed at high levels.

Uploaded by Benjamin Ugwu
Copyright © All Rights Reserved

Running head: [SHORTENED TITLE UP TO 50 CHARACTERS] 1

1. How can a security framework assist in the design and implementation of a security infrastructure?

A security framework helps in the design and implementation of a security infrastructure in an organization. It acts as a starting point for the development of organization-specific security guidance, and it offers guidelines and directions for implementing standard information security management.

A security framework is meant to provide a high-level, general description of the important security areas in the process of initiating, implementing, or maintaining information security in an organization.

It provides information on how to implement a security infrastructure and set up an information security management system. It can also provide a means of assessing and building an information security program to ensure that it meets the relevant standard.

2. What is information security governance? Why is it important for the organization?

Information security governance is the application of the principles of corporate governance to the information security function in an organization.

The term governance describes the entire controlling function over the processes used by a group to achieve a certain aim or objective, while corporate governance is the responsibility that executive management has to make strategic decisions, achieve business objectives, manage risks, and ensure the appropriate use of resources.

Information security governance is important for the organization because it helps the board of directors and executive management in the following areas:

Strategic direction
Information security governance helps to align the information security strategy with the business strategy to support the achievement of organizational objectives.

Risk management
This involves verifying that risk management practices are appropriate by executing appropriate measures to manage and mitigate threats to information resources.

Resource management
It ensures that an organization's assets are used efficiently and effectively by applying information security knowledge.

Performance measurement
This is the measuring, monitoring, and reporting of information security governance metrics to ensure progress toward set organizational objectives.

Value delivery
It helps in organizational value delivery by optimizing information security investments in support of the achievement of organizational objectives.

3. Who in the organization should plan for it?

The governance of information security is a strategic planning responsibility, and strategic planning is the responsibility of the executive team.

Since information security governance involves the application of the principles of corporate governance to the information security function, executive management should plan for information security governance in the organization.

The executive team is sometimes referred to as the organization's C-level, as in CEO (Chief Executive Officer), CFO (Chief Financial Officer), COO (Chief Operating Officer), CIO (Chief Information Officer), and so on.

The objectives of information security must be addressed at the highest levels of an organization's management to be successful. Therefore, executive management must integrate the information security process into corporate governance policies and controls.

4. What is risk management? Why is the identification of risks and vulnerabilities to assets so important in risk management?

Risk management involves the process of risk identification, risk assessment, and risk control. An organization must first identify and understand the risks facing it, especially risks to information assets. Once the risks have been identified, they must be assessed, measured, and evaluated to determine whether they exceed the organization's acceptable level of risk, called its risk appetite. If the risks do not exceed the risk appetite, the organization is satisfied with the risk management process. Otherwise, the organization needs to find control strategies to reduce the risk to an acceptable level.

The identification of risks and vulnerabilities to assets is so important in risk management because each threat must be examined to assess its potential to endanger the organization (this is called threat assessment). By answering the questions below, an organization can establish a framework for discussing threat assessment.

Which threats apply?
Not all threats will potentially affect every organization. Threats are identified and examined to determine whether they apply to the organization. For example, a company with offices in Oklahoma City should not be concerned with landslides.

Which threats present the most danger to the organization?
Danger could be quantified by the amount of damage the threat could cause. It can also be the probability or the frequency with which an attack could occur.

How much would it cost to recover from a successful attack?
This is the cost of recovery in the event of a successful attack. It helps to guide corporate spending on controls.

How much would it cost to prevent?
This is the cost of protecting against a given threat. A business may be unwilling to spend more than an asset is worth to protect that asset.

5. Discuss the IT asset lifecycle. What are the stages in the lifecycle?

The IT asset lifecycle could be described as the useful life of an IT resource from acquisition to disposal. Every asset has a lifecycle. To realize maximum value from assets, they must be managed properly throughout their lifecycle.

Asset management is the process of coordinating activities in order to realize value from those assets. Asset management involves not only the maintenance but also the replacement of these assets when they are due to be disposed of.

Effective management of the IT asset lifecycle yields good knowledge of the asset requirements for a planned purchase, informed purchasing decisions, proper maintenance of assets, timely replacement of these assets when due, and a better picture of the total cost of ownership of a particular asset.

What are the stages in the lifecycle?

The lifecycle stages are planning, acquisition, operation and maintenance, and disposal.

Planning stage
This is the first stage of the asset lifecycle, where asset requirements are established and verified to analyze the need for the asset and confirm that it adds value to the business.

Acquisition stage
This includes all activities involved in purchasing an asset, with the aim of making the acquisition as cost-efficient as possible. Effort is made to find the best supplier, and the best possible deal is negotiated.

Operation and Maintenance stage
In this stage, the asset is used as intended. This stage may also be referred to as the useful life of the asset. Asset operation and maintenance activities are performed in this stage.

This stage focuses on keeping the asset in good running order through proper maintenance. The better maintained the asset is, the longer it tends to last. The asset should also be monitored for potential improvements and adjustments when possible.

As long as an asset is still functioning correctly, it is within its useful life.

Disposal stage
This stage is the end of the useful life of an asset, where the asset is no longer functioning and cannot be repaired; thus it should be gotten rid of.

If the asset no longer meets its intended use, it is no longer within its useful life even though it still works, and it should be disposed of. An outdated technology causing productivity losses, costing the business more money than it brings in, has reached the end of its lifecycle and should be disposed of.

6. What is a threat model? Why are threat models useful?

A threat model could be described as a living document prepared by systematically identifying security threats and rating them according to severity and probability of occurrence, in a process called threat modeling.

This helps in mitigating security threats to protect information assets, such as confidential data or intellectual property.

Why are threat models useful?

Developing a threat model through threat modeling is a way to proactively defend against future security incidents rather than being forced into reactive approaches after a security incident has occurred.

By identifying and rating these security threats through a firm understanding of the systems, security staff can properly address the threats, beginning with the most pressing ones; this presents the best chance of a successful threat mitigation strategy.

7. How to prepare internally for vendors, providers, contractors and remote access – people that access the network but are not employees?

In today's business environment, network access may also be required by people other than employees, such as vendors, providers, and contractors. Remote access has also become necessary for effective and efficient business dealings.

Information security managers now face the challenge of ensuring that data and systems remain safe not only from local access but also from those accessing them remotely.

We can put security measures in place for vendors, providers, contractors, and remote access in the following ways:

Encryption
External security threats could be mitigated by encrypting data to protect the confidentiality and integrity of communications.

Authentication
Authentication is a key requirement for securing remote access. It gives the organization confidence that users are who they claim to be.

Anti-Malware Software and Access Control Solutions
This involves the use of anti-malware software as well as network access control solutions that verify the client's security posture before granting access.

Network segmentation
A network segment could be created for non-employees to contain whatever risk they might pose to the entire network, for example by preventing the spread of malware to every device on other segments.

Remote Access Server
This is the use of a server as a single point of entry to the network, which enforces security policy before any remote access traffic is permitted into the internal network.

Firewalls
A properly configured firewall can greatly strengthen security measures, both for the enterprise environment and for the external environment.
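The measures listed above (authentication, posture verification before access is granted, a remote access server as single point of entry, and a separate segment for non-employees) combine into one admission decision. The following is an added example, not code from the original paper or from any product it mentions; the client fields, the role-to-segment mapping, the 30-day patch threshold and the segment policy table are all constructed assumptions.

```python
"""Added example: admission decision for a remote access server, combining
authentication, a posture check (network access control) and segment assignment,
plus the segment-to-segment rule a firewall would enforce. All values constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    """Facts the remote access server knows about a connecting client (constructed fields)."""
    user: str
    role: str                 # "employee", "contractor" or "vendor"
    password_ok: bool         # primary credential verified
    mfa_ok: bool              # second factor verified
    antimalware_running: bool
    patch_age_days: int       # days since the endpoint was last patched
    tunnel_encrypted: bool    # client negotiated an encrypted tunnel


MAX_PATCH_AGE_DAYS = 30  # constructed posture threshold

# Non-employees are placed in their own segment (constructed segment names)
SEGMENT_FOR_ROLE = {"employee": "corp", "contractor": "partner", "vendor": "partner"}

# Segmentation policy: source segment -> destination segments it may reach
REACHABLE = {
    "corp": {"corp", "dmz"},
    "partner": {"dmz"},     # partner segment reaches only DMZ services, never corp
    "dmz": set(),           # nothing originates from the DMZ toward other segments
}


def check_posture(client: Client) -> list[str]:
    """Network access control: list every posture failure; an empty list means compliant."""
    failures = []
    if not client.tunnel_encrypted:
        failures.append("no encrypted tunnel")
    if not client.antimalware_running:
        failures.append("anti-malware not running")
    if client.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return failures


def admit(client: Client) -> tuple[str, Optional[str], list[str]]:
    """Single point of entry: authenticate, then verify posture, then assign a segment.
    Returns (decision, segment or None, reasons). Any failure denies (fail closed)."""
    if not (client.password_ok and client.mfa_ok):
        return "deny", None, ["authentication failed"]  # posture is not evaluated at all
    failures = check_posture(client)
    if failures:
        return "deny", None, failures
    segment = SEGMENT_FOR_ROLE.get(client.role)
    if segment is None:
        return "deny", None, [f"unknown role {client.role!r}"]
    return "allow", segment, []


def flow_permitted(src_segment: str, dst_segment: str) -> bool:
    """Segmentation rule: a flow is allowed only if policy lists the destination for the source."""
    return dst_segment in REACHABLE.get(src_segment, set())


# Constructed sample clients
SAMPLE_CLIENTS = [
    Client("alice", "employee", True, True, True, 3, True),
    Client("bob-contractor", "contractor", True, True, True, 45, True),
    Client("carol-vendor", "vendor", True, True, True, 10, True),
    Client("mallory", "contractor", True, False, False, 200, False),
]

if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        print(c.user, admit(c))
    print("partner -> corp permitted:", flow_permitted("partner", "corp"))
```

Two design points worth noting: authentication is checked before posture, so an unauthenticated client learns nothing about the posture policy, and every check fails closed, so a missing role or an unknown segment denies rather than defaulting to the corporate segment.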


8. How would you integrate planning and execution of risk management governance? List 3 critical requirements (you can list more, but I am interested in the key ones)

Risk management helps security managers foresee risks, estimate impacts, and define responses to risks.

Risk management governance could be described as the set of duties and practices exercised by the board and executive management with the aim of making certain that risks are managed appropriately. The execution of risk management governance, like every other management process, requires planning to ensure a successful outcome.

We can integrate planning and execution of risk management governance by creating a Risk Management Plan as part of a Risk Planning Process. This plan has three (3) critical requirements:

1. Risk Identification:
This identifies the organization's information assets and the threats and vulnerabilities facing them.

2. Risk Assessment:
This ranks and prioritizes the identified risks, which could be according to the probability or likelihood of occurrence and the impact on the organization.

3. Risk Control:
This focuses on preventative and contingent actions for the identified risks: preventing them from occurring, and deciding what to do when they do occur, respectively.
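The three requirements above, together with the risk appetite test in question 4 and the severity-and-probability rating of question 6, describe one procedure: identify asset, threat and vulnerability; rate likelihood and impact; compare the score with the risk appetite; and select a control that brings the residual risk back within it. The following is an added example walking that procedure, not code from the paper or from any source it cites. The 1 to 5 ordinal scales, the appetite threshold of 9, the sample register and the control table are all constructed assumptions.

```python
"""Added example: a small risk register that walks identification, assessment
against a risk appetite, and control, and records the residual risk. The scales,
threshold, sample risks and controls are constructed, not taken from the paper."""
from dataclasses import dataclass, replace

# Ordinal 1-5 scales (assumed; the paper names no specific scale)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    applies: bool = True  # the answer to "Which threats apply?"

    @property
    def score(self) -> int:
        # "Which threats present the most danger?": probability times damage
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def identify_risks() -> list[Risk]:
    """Step 1, risk identification: a constructed register of assets, threats and vulnerabilities."""
    return [
        Risk("customer database", "ransomware", "unpatched file server", "likely", "severe"),
        Risk("customer database", "landslide", "flat-terrain data center", "rare", "major", applies=False),
        Risk("payment gateway", "DDoS", "single upstream provider", "likely", "major"),
        Risk("web portal", "credential stuffing", "no MFA on logins", "almost certain", "moderate"),
        Risk("office laptops", "theft", "no full-disk encryption", "possible", "moderate"),
        Risk("intranet wiki", "defacement", "default admin password", "unlikely", "minor"),
    ]


def assess_risks(register: list[Risk], appetite: int):
    """Step 2, risk assessment: drop threats that do not apply, rank the rest by score,
    and separate those exceeding the appetite (a score equal to the appetite is accepted)."""
    ranked = sorted((r for r in register if r.applies), key=lambda r: r.score, reverse=True)
    exceeding = [r for r in ranked if r.score > appetite]
    return ranked, exceeding


def apply_control(risk: Risk, likelihood=None, impact=None) -> Risk:
    """Step 3, risk control: a control lowers likelihood and/or impact; returns the residual risk."""
    return replace(risk, likelihood=likelihood or risk.likelihood, impact=impact or risk.impact)


# Constructed control strategies: (asset, threat) -> (control, new likelihood, new impact)
CONTROLS = {
    ("customer database", "ransomware"): ("patch server, offline backups", "unlikely", "moderate"),
    ("payment gateway", "DDoS"): ("edge rate limiting", "possible", "major"),
    ("web portal", "credential stuffing"): ("enforce MFA", "rare", "moderate"),
}


def build_plan(register: list[Risk], appetite: int, controls=CONTROLS) -> dict:
    """Risk management plan: for each risk above appetite, record the inherent score,
    the chosen control, the residual score, and whether the residual is within appetite."""
    _, exceeding = assess_risks(register, appetite)
    plan = {}
    for risk in exceeding:
        key = (risk.asset, risk.threat)
        control, new_l, new_i = controls.get(key, ("none selected", None, None))
        residual = apply_control(risk, new_l, new_i)
        plan[key] = {
            "inherent": risk.score,
            "control": control,
            "residual": residual.score,
            "within_appetite": residual.score <= appetite,
        }
    return plan


if __name__ == "__main__":
    for key, entry in build_plan(identify_risks(), appetite=9).items():
        flag = "ok" if entry["within_appetite"] else "STILL ABOVE APPETITE"
        print(f"{key[0]} / {key[1]}: {entry['inherent']} -> {entry['residual']} "
              f"via {entry['control']} [{flag}]")
```

The plan deliberately keeps the residual score, so a control that is not strong enough (in the sample, rate limiting alone leaves the DDoS risk above the appetite) is flagged for further treatment instead of being marked as handled; a risk whose score merely equals the appetite is accepted, matching the text's "do not exceed" wording.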

9. What is the importance of a disaster recovery model?

A disaster recovery model involves developing a basis for the managerial or technical decisions on restoring information systems at the original site of the attack after a disaster occurs, through a disaster recovery plan.

It helps in developing a strategy to prepare an organization to handle a disaster, whether natural or man-made, and recover from it successfully.

A disaster recovery model offers a pathway to make things whole again, or as they were before the disaster, at the primary site, the location at which the organization performs its business.

10. What is the difference between business continuity plan and disaster recovery? How

While a business continuity plan and disaster recovery are both contingency planning strategies available to an organization for responding to adverse events, they differ in that a business continuity plan reestablishes or relocates critical business operations to an alternate site during a disaster that affects operations at the primary site, while disaster recovery typically focuses on restoring systems and operations at the original site where the disaster occurred.

The idea of a business continuity plan is that if a disaster has rendered the current primary location unusable, a plan must be in place to ensure that the business continues to function.

Disaster recovery emphasizes getting things back to normal, as they were before the disaster, at the primary site of operation.

