Questions On Information Security Program Essay

980 Words Nov 22nd, 2016 4 Pages
1. An Information Security Program is the overall effort of the organization, including all projects and activities, aimed at improving information security. It can be viewed as the set of controls that an organization needs to govern. For the program to be successful, it needs to have a continuous lifecycle, which means that it never ends. The program has four phases: Assess, Mitigate, Validate, and Sustain.
Phase one: Assess. This is the vulnerability assessment. Take a look at the network, systems, data, and processes and understand where the weaknesses that need to be addressed are. In this phase the organization needs to identify the assets (physical and logical assets, the data center, desktops, network devices, remote systems, and systems that process, manage, and store personally identifiable information), evaluate the importance of those assets (classify them by the impact of their potential loss due to threats and vulnerabilities), identify vulnerabilities (vulnerability scanners, penetration testing, checklists), identify threats, develop a risk profile (analyze the risks and rank them in terms of impact to the environment), and finally determine the risk reduction plan.
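The assessment steps above (inventory the assets, classify them by impact, pair each vulnerability with a threat, rank the resulting risks, and hand the ranked list to the Mitigate phase) can be carried through on a small constructed inventory. The following Python is an added example, not part of the essay; the 1..3 impact and likelihood scales, the score thresholds for "low", "medium" and "high", and the sample assets and findings are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scales for the two factors the risk profile combines: the impact
# of losing an asset (from the classification step) and how likely the
# threat is to exploit the vulnerability. Both scales are assumptions.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}


@dataclass(frozen=True)
class Asset:
    """An inventoried asset and its impact classification."""
    name: str
    impact: str


@dataclass(frozen=True)
class Finding:
    """A vulnerability/threat pair observed on an asset."""
    asset: str
    vulnerability: str
    threat: str
    likelihood: str


def risk_score(impact: str, likelihood: str) -> int:
    """Impact x likelihood on a 1..9 scale; unknown labels raise KeyError."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def risk_level(score: int) -> str:
    """Bucket a score into a level; the thresholds are an assumption of this example."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_risk_profile(assets: List[Asset], findings: List[Finding]) -> List[dict]:
    """Rank findings by score (highest first); a finding on an uninventoried asset is rejected."""
    by_name: Dict[str, Asset] = {a.name: a for a in assets}
    profile = []
    for f in findings:
        if f.asset not in by_name:
            raise ValueError(f"finding references uninventoried asset: {f.asset}")
        score = risk_score(by_name[f.asset].impact, f.likelihood)
        profile.append({
            "asset": f.asset,
            "vulnerability": f.vulnerability,
            "threat": f.threat,
            "score": score,
            "level": risk_level(score),
        })
    # Highest score first; ties broken by asset name so the order is stable.
    profile.sort(key=lambda r: (-r["score"], r["asset"]))
    return profile


def risk_reduction_plan(profile: List[dict], minimum_level: str = "medium") -> List[str]:
    """The items the Mitigate phase must address, highest risk first."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [f'{r["asset"]}: {r["vulnerability"]}' for r in profile
            if order[r["level"]] >= order[minimum_level]]


# Constructed sample inventory and findings; none of these are real systems.
SAMPLE_ASSETS = [
    Asset("hr-database", "high"),          # stores personally identifiable information
    Asset("public-web-server", "medium"),
    Asset("lobby-kiosk", "low"),
]
SAMPLE_FINDINGS = [
    Finding("hr-database", "unpatched database engine", "external attacker", "likely"),
    Finding("hr-database", "backups stored unencrypted", "media theft", "rare"),
    Finding("public-web-server", "outdated TLS configuration", "eavesdropping", "possible"),
    Finding("lobby-kiosk", "shared local account", "walk-up misuse", "rare"),
]

if __name__ == "__main__":
    profile = build_risk_profile(SAMPLE_ASSETS, SAMPLE_FINDINGS)
    for row in profile:
        print(f'{row["level"]:6} {row["score"]}  {row["asset"]}: {row["vulnerability"]}')
    print("Risk reduction plan:", risk_reduction_plan(profile))
```

The ranking is what turns a list of findings into the essay's risk profile: the same vulnerability scores differently depending on the classification of the asset it sits on, which is why the classification step comes before the vulnerability scan rather than after it. The plan filter simply carries everything at or above the chosen level into the Mitigate phase.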
Phase two: Mitigate. Apply security controls to address the previously assessed vulnerabilities. Controls can be technical (firewalls, anti-virus, access control, and encryption), standards and policies, or physical security. This phase is in place to make sure that…