First class: Survey of Information Security
August 24th, 2007 by Chuck Sharp
This will be a fun class. I’m taking it for my M.S. in Info Management program. Here are the salient points from today’s intro:
- Security is a management issue, not simply a technology issue: it involves people (education, HR, etc.), policies, procedures, and products (hardware, software, tools for IS purposes)
- Security is about enabling trust: it removes hindrances to achieving things (e.g. car brakes enable us to drive faster; locking up your office allows more freedom in what you keep in your office and how you keep it)
- Security is foundational to system reliability: criminals can bring down your network, steal your financial data, etc
- Security is an ongoing process: it never ends, like an arms race
There are 3 key questions that management must get answers to in any security breach:
- How easy was it?
- What was exposed?
- How can we make it harder to repeat this incident?
Information security (and breaches thereof) impacts data (yours or your company’s) in 3 ways:
- Availability
- Integrity
- Confidentiality
CoBiT
We looked briefly at CoBiT, an IT governance framework that we’ll be studying in depth. CoBiT is fascinating because it describes all of the things that IT (information technology) does, how all those fit together, and what needs to happen for each of the 34 processes that it defines for IT. It’s basically a giant checklist that also relates all the parts to each other. CoBiT describes what IT does in some detail, but it doesn’t describe how to do those things. It leaves that to other best-practice groups like ITIL and ISO. CoBiT gives metrics, measurements, and maturity models to gauge how mature an IT organization’s processes actually are.
My Take
Class tonight reminded me to look more in depth at security practices at work and, in particular, with regard to my Linux systems. I’ve had many security and disaster recovery projects in my Someday/Maybe bucket for some time. Maybe it’s time to start auditing systems again in a structured way. I need to read up on current security best practices for Linux and the applications that I manage. I need to define some procedures for auditing, monitoring, detecting, and responding to incidents.
I also got thinking about the relationship between information security practices and psychological well-being. If I can stay on top of the security of my systems and influence higher level information security practices in the organization, it should help me sleep better at night. We’ll see.
Technorati Tags: information security, CoBiT
Entry Filed under: Information Technology