The information security strategic plan and security policies

The information security strategic plan and security policies are strongly interrelated within an organization’s information security program. The security plan and security policies will drive the foundation and selection of security controls to be implemented within the organization.

Part 1: Write a 1- to 2-page summary of the comparison chart of strategic plans and security policies you completed in this week’s Learning Team assignment.

Part 2: Review the control families described in this week’s reading, NIST SP 800-53a Revision 4, Assessing Security and Privacy Controls for Federal Information Systems and Organizations. Review the controls from this week’s reading, CIS Controls V7.1. Develop a 2- to 3-page matrix using Aligning Security Controls to NIST Security Controls Matrix Template that accurately maps CIS controls to NIST security control families. Note that some CIS controls may map to multiple NIST control families. Cite all sources using APA guidelines.

Paper For Above Instructions

Part 1: Summary of Comparison Between Strategic Plans and Security Policies

The distinction between strategic plans and security policies is crucial for the establishment of an organization's information security program. Strategic plans are broad frameworks that outline how an organization will achieve its long-term goals, whereas security policies are detailed directives that govern day-to-day operations concerning information security.

Strategic plans typically address high-level objectives, such as risk management, resource allocation, and compliance with legal and regulatory requirements. They provide a roadmap for implementation, guiding the organization toward its information security goals. For example, a strategic plan may include objectives such as reducing the threat of cyber-attacks by 30% within two years or enhancing employee training on information security protocols.

On the other hand, security policies are specific and actionable. They are formalized documents that define acceptable and forbidden behaviors regarding information security within the organization. Security policies guide employees on how to handle sensitive data, respond to security incidents, and protect organizational systems from vulnerabilities. A typical security policy might stipulate that employees must use strong passwords, enable two-factor authentication, and report suspicious activities immediately.

When comparing strategic plans and security policies, it is essential to recognize that both elements are interdependent. Effective security policies arise from comprehensive strategic plans that inform them on what is necessary for the organization’s security posture. Conversely, the implementation of security policies must always align with the strategic goals outlined in the strategic plan. For instance, if the strategic plan emphasizes adopting a risk-based approach, security policies must reflect that approach by prioritizing security measures based on risk assessments.

In summary, while strategic plans provide the overall vision for information security, security policies lay down the ground rules for achieving that vision. Organizations must ensure both elements are harmonized for an effective security posture that can adapt to evolving threats.

Part 2: Matrix of CIS Controls Mapped to NIST Security Control Families

To develop a matrix that maps the CIS controls to NIST security control families, it is vital to first understand the frameworks utilized. Both NIST SP 800-53a and CIS Controls V7.1 present structured ways to enhance information security, where each contains a series of controls intended to mitigate risks. Below is a simplified version of the alignment between the CIS controls and NIST control families.

Matrix: Aligning CIS Controls to NIST Security Controls

CIS Control | NIST Control Family
--- | ---
CIS Control 1: Inventory of Authorized and Unauthorized Devices | Access Control
CIS Control 2: Inventory of Authorized Software | Configuration Management
CIS Control 3: Secure Configuration for Hardware and Software | Configuration Management
CIS Control 4: Continuous Vulnerability Assessment and Remediation | Risk Assessment
CIS Control 5: Controlled Use of Administrative Privileges | Access Control
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs | Audit and Accountability
CIS Control 7: Email and Web Browser Protections | System and Communications Protection
CIS Control 8: Malware Defenses | Malware Protection
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services | Access Control
CIS Control 10: Data Recovery Capabilities | System and Information Integrity

This matrix demonstrates the alignment and how various CIS controls fit into specified NIST control families, indicating the comprehensive interrelationship between the two frameworks. Organizations can utilize this mapping to streamline their implementation of security measures, ensuring they build security strengths in areas highlighted by both CIS and NIST.

In conclusion, establishing effective strategic planning and security policies is paramount in developing a robust information security posture. By understanding the relationships between various frameworks and implementing them cohesively, organizations can bolster their defenses against ever-evolving cybersecurity threats.

References

  • NIST SP 800-53a, Revision 4. (2014). Assessing Security and Privacy Controls for Federal Information Systems and Organizations. National Institute of Standards and Technology.
  • Center for Internet Security. (2020). CIS Controls V7.1. CIS, Inc.
  • ISO/IEC 27001:2013. (2013). Information technology – Security techniques – Information security management systems – Requirements. International Organization for Standardization.
  • Wheeler, D. A. (2011). A Practical Guide to Defensible Nuclear Security Architecture. Aladdin Enterprises.
  • Rudolph, K., & Huber, C. D. (2018). Creating an Effective Information Security Management Program: The Value of Engagement. Journal of Business Continuity & Emergency Planning, 11(4), 307-318.
  • Schneier, B. (2019). Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. W.W. Norton & Company.
  • Kramer, S., & Yeo, S. (2020). Cybersecurity Metrics: The 5 Dimensions of Effective Measurement in Cybersecurity Performance. Computers & Security, 91, 101700.
  • Mitnick, K. D., & Simon, W. L. (2002). The Art of Deception: Controlling the Human Element of Security. Wiley.
  • Stallings, W. (2016). Effective Cybersecurity: A Guide to Using Best Practices and Standards. Addison-Wesley Professional.
  • Chapple, M., & Seifert, R. (2018). CompTIA Security+ All-in-One Exam Guide. McGraw-Hill Education.