What are the following information security foundations? Also, what are their functions in the process? We will answer the following questions.
The Information Security Foundations
This is a blog post on what is information security foundation is. It discusses the following:
- What are they?
- Their functions in the process, and
- What is involved in their creation?
The following are the information security foundations:
1. Identity and Access Management
This is the process of managing and controlling access to an organization’s data, applications, and systems.
2. Security Architecture
Security architecture is the design of an organization’s systems and networks with security in mind. This is a functionality delivered by the IT department.
3. Security Controls
It is a set of policies, procedures, and technical actions to protect an organization from internal and external threats.
4. Risk Management
This is the process in which an organization identifies the possible loss in risk analysis and determines how much can be afforded.
5. Risk Analysis and Risk Mitigation or Risk Treatment Designation
A risk analysis is a process of identifying risks in an organization. Also, determining how severe they can be to implement a plan for managing risks.
In this case, risk mitigation is the action of reducing the probability of a threat or its potential impact. While risk treatment is the process used when a threat materializes.
The third step in this cycle is to decide on the number of risks that can be tolerated. Which will serve as a guide in making decisions when it comes to planning for security controls.
If the risks are tolerable, the next step is to choose between implementing controls or choosing to accept them.
After this, it would be decided whether controls will be implemented manually. Otherwise, it will be automated. Thus, it will depend on how much manpower will be needed to manage them.
Finally, management must choose how long security controls should be maintained based on their vulnerability over time. Which could mean that certain controls should be reevaluated once every six months.
The Next Step in the Security Process
Once the above steps are completed, it is now time to put them into action. This process is called “implementation”.
After this, it is now called “operation”. At this point, the organization should be able to use its risk analysis and risk management processes.
It is to manage its system vulnerabilities, security threats, and countermeasures. Thus, all components of its security program.
What is a Security Baseline?
A security baseline is a set of security settings that are used as a baseline for testing the effectiveness of an organization’s security measures. An organization’s security baseline can be anything from a checklist of items.
So that needs to be checked on servers or workstations to an overall policy for the entire organization. The latter of which would be used by all employees of an organization.
So to ensure that they are following policies when performing their daily tasks.
What are the different types of Security Controls?
There are several different types of security controls. Which are all used for different purposes depending on an organization’s needs.
The following are examples of some types of security controls:
- Automatic Logging and Reporting
- Authentication Controls
- Anti-Malware Software
- Disabling Unnecessary Services