Strategic Information Security Plan


Added on  2019/09/26

AI Summary
This report details a comprehensive strategic information security plan designed to protect an organization's information assets. The plan addresses key areas including risk management (outlined in five phases: business approach, strategy definition, strategy development, metrics and benchmarking, and implementation and operation), protection mechanisms (perception, structure, content, and behavior), personnel security (covering recruitment, training at management, staff, and technical levels, and program evaluation), legal and ethical considerations (professional ethics, cyber law, copyright law, export and espionage laws, and privacy), and network monitoring using PRTG. The report emphasizes the importance of aligning security strategies with business objectives, creating a competitive advantage, and ensuring compliance with relevant laws and regulations. It highlights the need for a multi-faceted approach encompassing technical security measures, personnel training, and adherence to ethical standards.
Running head: STRATEGIC INFORMATION SECURITY
Strategic Information Security
Student Name:
Course work:
University:
Abstract
The strategic information security plan is used to secure the company's information technology and, in doing so, creates a competitive advantage for the company. The plan protects information assets from damage. It is built on consistent, integrated methodologies that help the organization design, develop and implement the plan. Risk is managed by the company in five phases. Protection mechanisms defend information technology against threats and against hostile content. Personnel security is applied at three levels of the organization: management, staff and the technical department. The law and ethics section covers professional ethics and related legislation such as cyber law. Finally, a PRTG Network Monitor report is used by the company to protect its networks from a range of threats so that the business can operate reliably.
Table of Contents
Abstract
Introduction
Controlling Risk
Protection Mechanism
Personnel and Security
Law and Ethics
PRTG Network Monitor Report
Conclusion
References
Introduction
This paper discusses strategic information security: a strategic plan an organization uses to mitigate information risk arising from its processes, people and technologies. It covers controlling risk, protection mechanisms, personnel and security, law and ethics, and a PRTG network monitor report, and draws its conclusion from these.
A strategic information security plan helps protect the confidentiality, integrity and availability of the organization's information. An effective plan creates a competitive advantage: it helps the company comply with industry standards, avoid damaging security incidents, sustain its business reputation and honour its commitments to customers, stakeholders, shareholders, suppliers and others (LeVeque et al., 2005). The plan sets out the consistent, integrated methodologies used to design, develop and implement security in the organization. It also covers how problems are detected and the criteria for resolving them; shortening the delivery time from solution concept to implementation; a proactive approach to decision-making so that results are delivered efficiently; removing redundancy so that organizational objectives are met; managing human resources effectively and efficiently; and evolving into a company in which security is integrated with applications, workflows, data and processes in a unified environment (Lederer et al., 1992).
Developing the security strategy begins with finding the gap between the current position and the desired one, taking existing efforts into account. An assessment of the information security program establishes the standard against which that gap is measured. Further steps include stating the mission, vision, strategy, tasks and initiatives to be completed to enhance the present information security program. Executing the strategic plan is the critical success factor, because execution is what maximizes the company's information risk management capability (Wylder et al., 2003).
Controlling Risk
A risk management strategy gives the company a road map for protecting its environment and achieving its goals and objectives. It is an information technology approach that supports the business activities which achieve those goals, and it is developed through a multiphase approach. The five phases are:
1. Business approach - Phase I
In the first phase, a clear understanding of the organization's present condition is developed, including its risk profile and risk appetite. This also means identifying whether the organization has the capability to implement the strategy; if it does not, the strategy must reflect that situation. Companies apply effective capabilities to reduce capital and day-to-day expenses. As a rule of thumb, the budget for implementing the strategy should not exceed ten percent of the overall information technology budget.
2. Strategy definition - Phase II
In this phase, an annual plan is followed by a rolling three-year plan. The point of arrival is clearly defined, based on management input. The phase also ensures that the human capital required to implement the strategy is available, and builds an understanding of the organizational culture in which it will be implemented. The minimum time required to implement the strategy is 30 to 36 months. Information security and risk management is a continuous process used to mitigate risk and meet organizational goals and objectives. The additional human resource requirement is temporary, being needed mainly to implement the strategy alongside the present resources. Organizational culture is the key element in successful implementation: the strategy succeeds when people are integrated into a culture that supports it.
3. Strategy development - Phase III
In this phase, the governance model is defined, together with a functional inventory of capabilities and services. The operational components, and any elements that are consulted, are considered, and the human capital needed to operate the strategy is identified. Risk management must be overseen by internal staff. The model is divided into two functional models. The information risk management framework comprises the functions oriented towards identifying information risk; within it, information security is the component capable of mitigating risk so that exposure stays aligned with the organization's tolerance level and risk profile. The framework also considers operational risk, credit risk, fraud risk, market risk and others. The information security functional framework includes elements such as business resiliency, vulnerability management, vulnerability assessment and others. Key performance indicators for information security measure how well risk is kept within tolerance. In the reporting structure, information security reports to the chief information officer, but its responsibility extends from technology to business processes (Whitman et al., 2013).
4. Metrics and benchmarking - Phase IV
In this phase, alignment with industry standards and guidelines is ensured. Assessment is carried out using a capability maturity model, and key performance indicators measure the effectiveness of the capabilities and functions that the information security and risk management strategy has developed.
5. Implementation and operation - Phase V
In the last phase, global considerations are taken into account. The organization determines what needs protection and what the consequences of not protecting it would be. The major part of the operational model serves the information security and risk management strategy. Proper communication is ensured between the business functions and the information security and risk management group, and cultural awareness is built by shifting the focus from security for its own sake to the management of risk.
Protection Mechanism
Protection mechanisms are the elements that directly counter threats and hostile content. Some of them sit at the technical end of security, while others are part of the overall process. The four mechanisms are:
1. Perception
Perception defences comprise the profiles of systems and facilities, obscurity, deception methods and appearances. This is the component of technical protection that interacts most directly with attacks and the agents behind them.
2. Structure
Structure defences are predominantly separation mechanisms: they implement control policies, separate functional units according to their functions, and control changes to those separations. They comprise discretionary and mandatory access controls, which give rise to communication structures such as firewalls, partially ordered sets and others.
3. Content
Content controls comprise filters and transforms applied at separation boundaries. They analyse markings, locations, syntax and situations to determine which information should be transformed or filtered.
4. Behavior
Behaviour mechanisms generally offer low surety, though some offer high surety. They include limits on alteration, fail-safe modes, time effects, anomaly detection, response systems, and the traits and patterns of human behaviour. Duties are separated according to these considerations (Cassidy et al., 2016).
Data security has become a major challenge for organizations, and the challenges of data protection keep growing. Companies need to safeguard intellectual property because information technology keeps changing and new business models introduce new threats, so they must think beyond traditional models for protecting data. Security mechanisms protect the various ingredients of a secure network design, which are explained below:
1. Physical security
Physical security limits access to network resources by keeping them under lock and key, and protects them from man-made and natural disasters. It guards the network against untrained employees misusing resources and against terrorists, hackers and others; attackers may also cause hazardous-material incidents such as chemical or radioactive spills.
2. Authentication
Authentication of network access protects the network from misuse. The most common policy is access through a login ID and password, although a static password is also the weakest form of proof; security is strengthened by using one-time passwords. Traditionally, authentication rests on three kinds of proof: something the user knows, something the user has, and something the user is. Companies generally secure their networks with two-factor authentication, which combines two of these.
3. Authorization
Authorization grants a user access to specific network resources and is administered by the network's security administrator. Experts recommend implementing authorization according to the principle of least privilege: each user receives only the access their role requires.
4. Accounting
Accounting collects network activity data so that the security of the network can be analysed and security incidents can be responded to.
5. Data encryption
Encryption scrambles data so that anyone may read the ciphertext but only the intended recipient can recover the plaintext. Public-key encryption, in which data encrypted with a public key can be decrypted only with the corresponding private key, is the best-known example of an asymmetric key system.
6. Packet filters
Packet filters can be set on firewalls, routers and servers to deny traffic from or to particular addresses. They are an authorization mechanism rather than an authentication mechanism: they act on addresses, protocols and ports, not on the identity of the user, and are used to protect network resources (Peltier et al., 2013).
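To show what the Accounting and Packet filters items amount to in practice, here is an added example (not from the paper or from any product it cites) in Python: a stateless first-match packet filter with an implicit default deny, whose decision log is then summarised to find sources that are repeatedly denied. The rules, the RFC 5737 documentation-range addresses and the sample packets are all constructed for the illustration.

```python
"""A stateless, first-match packet filter with default deny, and an accounting
pass over its decision log. Addresses are RFC 5737 documentation ranges."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR; 0.0.0.0/0 matches any IPv4 source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class PacketFilter:
    rules: List[Rule]
    # Decision log: (action, packet, index of the matching rule or None for default deny)
    log: List[Tuple[str, Packet, Optional[int]]] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):           # first match wins; later rules are not consulted
                self.log.append((rule.action, pkt, index))
                return rule.action
        self.log.append(("deny", pkt, None))  # nothing matched: implicit default deny
        return "deny"


def denied_sources(log, threshold: int) -> List[str]:
    """Accounting: sources with at least `threshold` denied packets, busiest first."""
    counts = Counter(pkt.src for action, pkt, _ in log if action == "deny")
    return [src for src, n in counts.most_common() if n >= threshold]


# Constructed ruleset: block one hostile address outright, allow HTTPS to the web
# server from anywhere, allow SSH into the server subnet only from the admin subnet.
RULES = [
    Rule("deny", src="203.0.113.7/32"),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("allow", src="198.51.100.0/24", dst="192.0.2.0/24", proto="tcp", dport=22),
]

# Constructed sample traffic.
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 443),   # blocked address, even to the web port
    Packet("203.0.113.9", "192.0.2.10", "tcp", 443),   # HTTPS from elsewhere: allowed
    Packet("198.51.100.5", "192.0.2.20", "tcp", 22),   # SSH from the admin subnet: allowed
    Packet("203.0.113.9", "192.0.2.20", "tcp", 22),    # SSH from outside the admin subnet
    Packet("203.0.113.9", "192.0.2.20", "udp", 53),    # no rule matches: default deny
    Packet("203.0.113.7", "192.0.2.20", "tcp", 22),    # blocked address again
]


def run_sample() -> Tuple[List[str], List[str]]:
    pf = PacketFilter(RULES)
    decisions = [pf.decide(p) for p in SAMPLE]
    return decisions, denied_sources(pf.log, threshold=2)


if __name__ == "__main__":
    decisions, noisy = run_sample()
    for pkt, verdict in zip(SAMPLE, decisions):
        print(f"{verdict:5} {pkt.proto}/{pkt.dport:<5} {pkt.src} -> {pkt.dst}")
    print("sources denied twice or more:", noisy)
```

Nothing in the rules refers to a user: a packet filter can only decide on addresses, protocols and ports, which is why it belongs under authorization rather than authentication, and why the accounting pass over its log is what turns individual denials into something an analyst can act on.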
Personnel and Security
The purpose of personnel security is to provide a level of assurance about the trustworthiness, loyalty and honesty of the people who are given access to sensitive resources, including government resources. The company must ensure that anyone who accesses government information is eligible to do so, has had their identity established, and is willing to comply with government policies, standards and requirements. Management has many facets of personnel responsibility, and many of them bear directly on the overall security of the company: recruiting qualified employees, verifying their background at the time of recruitment, training and developing them, enforcing strict access control, and terminating employment in a manner that protects the other employees involved.
Recruiting practices
Recruiting the right employee for the job depends on the level of screening carried out by the human resource manager. Skills must be examined against the roles and responsibilities of the position. New individuals must sign a non-disclosure agreement covering the company's sensitive information, and the company must check references and criminal records at the time of recruitment (Schumacher et al., 2013).
Security awareness training must be given to employees; it is what secures the personnel side of the organization. Training is given at three different levels, explained below:
1. Management level
Security awareness orientation at the management level presents the policies, procedures and guidelines that help protect employees at that level.
2. Staff level
Staff members are trained to protect themselves and the company from fraudulent activity. Issues must be escalated to upper management; an employee should not engage with a suspicious address or other unsolicited contact on their own. Staff are the most critical component of the company, so their security training is very important, yet some organizations do not spend on it.
3. Technical level
The technical department should receive the deepest training, because its day-to-day work is most closely aligned with the systems being protected. Special training programs are given to the individuals who use specialized technologies and devices (Rhodes-Ousley et al., 2013).
Evaluating the program
The program is evaluated to determine its effectiveness by comparing the total number of security incident reports before and after the training. Employees who receive online training are evaluated within a specified period of time.
Law and Ethics
Professional ethics require that professionals have the skills to carry out security work that helps companies bring wrongdoers to justice. Professionals must understand cyber law and criminal activity in order to protect themselves and their organizations from cyber threats, and must be ready to apply prudent judgement so that the right decision is made.
Following are the laws and ethics that need to be followed by the company at the time of
implementing the strategic information security plan in an organization:
1. Professional ethics
Security professionals must know the regulations and laws governing the use of computers and information. Ethics are the rules that help practitioners act within the law laid down by government. On becoming a CISSP, a candidate must accept the (ISC)² Code of Ethics, which sets the standard for professional security behaviour (Peltier et al., 2016).
2. Cyber law and crime activities
Cyber law is still developing and has not kept pace with the rapid progress of technology. Investigating computer crime raises jurisdictional issues, because crime has moved from physical to intangible forms that are not restricted by the boundaries of state