Information Security
IT Security Governance Implementation Strategy Checklist

Download free IT Security Governance Implementation Strategy Checklist:
1. Define and enumerate the desired outcomes for the information security program
2. Determine the objectives necessary to achieve those outcomes
3. Describe the attributes and characteristics of the desired state of security
Comparison of Basic Security Strategy
Security by Obscurity Strategy
The first fundamental strategy rests on stealth: if no one knows that an organization's IA (information assurance) baseline and Critical Objects exist, they will not be targeted. The intent is that adequate security can be achieved by hiding an organization's automated capabilities and the means of accessing them, or at least by not advertising their existence. IA does rely on stealth to a limited extent. However, the current and growing degree to which organizations expose their automated capabilities to customers and prospective customers makes this strategy impractical and unrealistic on its own, and it offers no protection once the hidden asset is discovered.
The Perimeter Defense Strategy
This strategy concentrates defensive effort at a boundary and is predominantly technical in nature. It focuses mainly on threats from those outside the set of authorized users of the organization's IA baseline and Critical Objects. The organization's IA capabilities are deployed primarily in a "zone" or "border" of defense between the "insiders" and the "outsiders." The strategy has been compared to the Maginot Line, the fortified border that France built against Germany between the two world wars and that was bypassed rather than breached in 1940; the comparison is a warning that a strong perimeter does nothing against an attacker who gets around it, or who is already inside. An example of this concentrated strategy is a firewall device connected to both the Internet (i.e., outside) side of an organizational border and the organization's own trusted internal network.
FISMA effective information security program checklist

There are four basic requirements for a good information security program:
1. Periodic assessments of risk
2. Policies and procedures that are based on risk assessments
3. Security awareness
4. Periodic testing and evaluation
Below is a detailed checklist for an effective information security program based on FISMA (the Federal Information Security Management Act of 2002).
Microsoft Security Assessment Tool for ISO 17799, 27001 and NIST-800.xx

The Microsoft Security Assessment Tool (MSAT) is a free tool designed to help organizations assess weaknesses in their current IT security environment, produce a prioritized list of issues, and provide specific guidance to reduce those risks. MSAT consists of more than 200 questions designed to help identify and address security risks in IT environments. It draws on best practices, on standards such as ISO 17799, ISO 27001 and the NIST 800 series, and on recommendations from the Microsoft Trustworthy Computing Group. Note that it is a questionnaire-based self-assessment, not a technical scan: its findings are only as accurate as the answers given.
Top 20 IT Governance Best Practices Checklist
1. Use an IT advisory board to oversee IT strategy and policy decisions.
2. Base IT decisions on bureau and City-wide strategic plans.
3. Position the IT director as a strategist who resolves business issues with information technology.
4. Ensure that IT customer service managers possess excellent communication and interpersonal skills.
5. Inform bureau managers on the rationale behind IT policies and of emerging technologies.
6. Monitor and report on the progress of the IT strategic plan.
7. Focus on optimizing bureau business strategies and IT investments.
8. Wherever possible, standardize common applications across bureaus and use off-the-shelf software.
9. Use consistent and methodical processes when consolidating or re-engineering systems or services.
10. Make the Help Desk’s effectiveness a priority.