2.1 Intro to Security Within the Organization Flashcards
GRC
Governance, Risk, Compliance
Governance
-provides management frameworks for implementing security practices in the organization
-helps a business decide how to enforce its security practices by developing policies, standards, processes, and procedures.
Risk Management
identifies which assets are most important and determines how they are most likely to be compromised. The business then uses this information to decide how to protect its most important and at-risk assets. This decision then informs the business’s security practices.
Compliance
ensures that internal security policies are actually followed and verifies that the business complies with the security laws, regulations, and contractual standards that apply to it.
Chief Executive Officer (CEO)
responsible for setting the overall direction of the company: conceiving and communicating the corporate mission or ultimate goal, deciding what the business should focus on in order to meet that goal, assessing risk, and setting the organization's standards of social responsibility.
departmental executive leadership team
actively engaged in managing the day-to-day operations within their departments and report directly to the CEO.
Chief Information Officer (CIO)
responsible for developing and operating the IT systems that support the business, including setting up corporate networks, provisioning services like VPN, setting up and recycling employee devices, and leasing servers for data storage and internal application development.
Chief Information Security Officer (CISO)
-responsible for managing risk to an organization's data throughout its lifecycle.
-responsible for ensuring that the company's data is safe from the time it is collected, stored, and retrieved until it is destroyed, purged, and wiped.
-supervises a security operations organization, which identifies, contains, and responds to threats.
-develops and disseminates information security policies and security training for personnel.
-works with the CIO to coordinate implementation of security policies by the IT teams.
Network Security
Roles: Director of Networking or Director of Network Security
Responsibilities: Securing networks and implementing network security policies. This group also manages services like the corporate VPN. They are responsible for purchasing or leasing, configuring, maintaining, and troubleshooting the organization’s network infrastructure.
Incident Response
Roles: Incident Response (IR) Manager or Security Operations Center (SOC) Manager
Responsibilities: Identifying and responding to security breaches. IR is responsible for security operations centers (SOCs), which monitor the organization’s devices for incidents. IR is also responsible for escalating serious breaches to the executive team for handling.
Application Security
Role: Security Architect
Responsibilities: Ensuring that internally developed applications meet security standards. This means minimizing the number of breaches due to the application, ensuring these applications pass security audits, and teaching developers to follow best practices of secure development.
security culture
the way members of an organization think about and approach security issues
healthy security culture
a culture in which employees are invested in the organization's security and understand how to "behave securely" in their day-to-day work.
steps for developing a security culture framework:
Step One: Measure and Set Goals
Step Two: Involve the Right People
Step Three: Create an Action Plan
Step Four: Execute the Plan
Step Five: Measure Changes
defense in depth
a design concept in which multiple independent defenses are layered in front of a resource, so that a failure or bypass of any single control does not by itself expose the resource. In the security design framework this is called layering security controls.
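The following is an added example written for this page, not code from the original flashcards or from any course material. It models defense in depth as four independent controls (network allowlist, authentication, input validation, object-level authorization) in front of a hypothetical internal file-download endpoint, and lets you switch a layer off to see that the remaining layers still block an attack. All names, addresses, sessions, and paths are constructed sample values.

```python
"""Defense in depth as independently enforced layers in front of one resource.

Added example (not from the original page). Scenario and data are constructed:
an internal file-download endpoint that serves files under DOWNLOAD_ROOT.
"""
import ipaddress
import posixpath
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional

# --- constructed sample data (hypothetical, not from the page) ---
CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")   # layer 1 allowlist
VALID_SESSIONS = {"sess-7f3a": "alice"}                # session token -> user
FILE_OWNERS = {"reports/q3.pdf": "alice",               # relative path -> owner
               "reports/hr.pdf": "bob"}
DOWNLOAD_ROOT = "/srv/downloads"


@dataclass
class Request:
    src_ip: str
    session: Optional[str]
    path: str            # path as supplied by the client, relative to DOWNLOAD_ROOT


@dataclass
class Decision:
    allowed: bool
    blocked_by: Optional[str] = None
    passed: List[str] = field(default_factory=list)


# Layer 1: network perimeter. Only the corporate range may reach the endpoint.
def network_layer(req: Request) -> bool:
    return ipaddress.ip_address(req.src_ip) in CORPORATE_NET


# Layer 2: authentication. The session token must map to a known user.
def authn_layer(req: Request) -> bool:
    return req.session in VALID_SESSIONS


# Layer 3: input validation. Reject absolute paths and any traversal, and
# confirm the resolved path still lies under DOWNLOAD_ROOT.
def input_layer(req: Request) -> bool:
    norm = posixpath.normpath(req.path)
    if req.path.startswith("/") or ".." in norm.split("/"):
        return False
    resolved = posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, norm))
    return resolved.startswith(DOWNLOAD_ROOT + "/")


# Layer 4: object-level authorization. The caller must own the requested file.
# This check is deliberately independent of layer 3: an unknown or traversed
# path simply has no owner, so it is rejected here as well.
def authz_layer(req: Request) -> bool:
    user = VALID_SESSIONS.get(req.session)
    return user is not None and FILE_OWNERS.get(posixpath.normpath(req.path)) == user


LAYERS: List[tuple] = [
    ("network", network_layer),
    ("authn", authn_layer),
    ("input", input_layer),
    ("authz", authz_layer),
]


def handle(req: Request, disabled: FrozenSet[str] = frozenset()) -> Decision:
    """Evaluate every enabled layer in order; the first failing layer blocks.

    `disabled` simulates a misconfigured or bypassed control so you can see
    which other layer would still stop the request.
    """
    passed: List[str] = []
    check: Callable[[Request], bool]
    for name, check in LAYERS:
        if name in disabled:
            continue
        if not check(req):
            return Decision(allowed=False, blocked_by=name, passed=passed)
        passed.append(name)
    return Decision(allowed=True, passed=passed)


if __name__ == "__main__":
    benign = Request("10.20.3.4", "sess-7f3a", "reports/q3.pdf")
    traversal = Request("10.20.3.4", None, "../../etc/passwd")
    print("benign:", handle(benign))
    print("traversal, authn disabled:", handle(traversal, frozenset({"authn"})))
    print("traversal, input validation disabled:",
          handle(Request("10.20.3.4", "sess-7f3a", "../secrets.txt"), frozenset({"input"})))
```

Running the block shows the point of the definition: a traversal attempt that slips past a disabled authentication layer is still stopped by input validation, and the same attempt with input validation disabled is still stopped by the ownership check. Each layer is written so that it would be correct on its own; none of them assumes an earlier layer did its job.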