Page 107 - CISSO_Prep_ Guide
requirements and systems integration. Other models that use this
same approach are Zachman (www.zachman.com), TOGAF
(www.opengroup.org), and ITIL (www.itil.org).
The implementation of the information security strategy is
founded on the use of people, processes, and technology all
working together. An information security program can be
described as having the "right" people (personnel with the
necessary skills and training) using the "right" products
(products/technology that are deployed and used correctly) in the
"right" way (with correct procedures and operational controls).
A misconfigured firewall, or a lack of change control procedures,
or an untrained administrator can all lead to a serious security
breach. Security is a fabric of several threads that must be woven
together - every thread is important, and any break in the thread
can affect the integrity and strength of the entire fabric.
A security system is based on a foundation of policy. The policy
directs the implementation of security and is the authority behind
procedures, standards, and baselines. Procedures are the
implementation of policy into practical steps that result in
consistent operations. Following a procedure ensures that all
users are set up correctly, in a manner that identifies any
inconsistencies and alerts management to potential risk. The use
of standards allows the organization to leverage the benefits of
using a standard product, which can result in savings in training,
spare parts, acquisition, and incident handling.
The use of baselines ensures that systems are configured
consistently, so that every system meets, at a minimum, a defined
level of security. These are all valuable tools to
take the intent and objectives of policy and develop them into a
practical and auditable security framework.
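The paragraph above describes what a baseline is for (a declared minimum that every system must meet, checked in a way that can be audited) without showing how such a check is carried out. The following is an added example, not code from the CISSO guide: a small baseline compliance checker that compares each host's configuration against a declared minimum and records every deviation as an audit finding. The setting names, required values and the two sample hosts are constructed for illustration and do not come from any real standard or from the guide.

```python
"""Baseline compliance check (added example, not from the CISSO guide).

A baseline is a declared minimum configuration. Checking every system
against the same declaration is what makes the result consistent and
auditable. Setting names, values and hosts below are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable

# Each baseline item pairs a rule (how "meets the minimum" is judged) with
# the required value. Hypothetical settings, not from any real standard.
Comparison = Callable[[Any, Any], bool]

BASELINE: dict[str, tuple[str, Any]] = {
    "password_min_length": ("at_least", 12),
    "log_retention_days": ("at_least", 90),
    "session_timeout_minutes": ("at_most", 15),
    "ssh_permit_root_login": ("equals", "no"),
    "auto_updates_enabled": ("equals", True),
}

COMPARISONS: dict[str, Comparison] = {
    "at_least": lambda actual, required: actual >= required,
    "at_most": lambda actual, required: actual <= required,
    "equals": lambda actual, required: actual == required,
}


@dataclass(frozen=True)
class Finding:
    """One deviation from the baseline, recorded for the audit trail."""
    host: str
    setting: str
    rule: str
    required: Any
    actual: Any  # None when the setting is absent from the host's config


def check_host(host: str, config: dict[str, Any]) -> list[Finding]:
    """Return one Finding per baseline item the host fails; empty if compliant.

    A missing setting is a finding too: an unset control is not a met control.
    """
    findings = []
    for setting, (rule, required) in BASELINE.items():
        actual = config.get(setting)
        if actual is None or not COMPARISONS[rule](actual, required):
            findings.append(Finding(host, setting, rule, required, actual))
    return findings


def audit(fleet: dict[str, dict[str, Any]]) -> dict[str, list[Finding]]:
    """Check every host against the same baseline; the result is the audit record."""
    return {host: check_host(host, cfg) for host, cfg in fleet.items()}


# Constructed sample fleet: one host built to the baseline, one that drifted.
FLEET = {
    "web-01": {
        "password_min_length": 14,
        "log_retention_days": 180,
        "session_timeout_minutes": 10,
        "ssh_permit_root_login": "no",
        "auto_updates_enabled": True,
    },
    "web-02": {
        "password_min_length": 8,          # below the required minimum
        "log_retention_days": 180,
        "session_timeout_minutes": 60,     # above the allowed maximum
        "ssh_permit_root_login": "no",
        # auto_updates_enabled is missing entirely
    },
}

if __name__ == "__main__":
    for host, findings in audit(FLEET).items():
        status = "COMPLIANT" if not findings else f"{len(findings)} deviation(s)"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  {f.setting}: required {f.rule} {f.required!r}, found {f.actual!r}")
```

The baseline is data rather than code so that it can be versioned and reviewed like the policy it implements, and a setting that is absent from a host is reported as a deviation rather than silently passed, since a control that was never set cannot be claimed to meet the minimum.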