The Information Security Organization [chapter]

2011 FISMA Principles and Best Practices  
Information security is one of the most important and exciting career paths today all over the world. Information security, commonly referred to as InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that applies regardless of the form the data may take (e.g. electronic or physical data). With knowledge of information security we can be confident that our data is protected, assured of the safety of our data, and able to ensure that the value of our organizations is maintained. But this is not the only explanation experts have given: information security is the life saver of organizations all over the globe. People in this field can therefore be considered the physicians of the computer system, or the pathologists, or better still the cardiologists of the computer system. Let's not underestimate the impact of security incidents, which can lead to data loss, leaks of personal information, wasted time, and the spread of viruses. We shouldn't think that security incidents that happen to other computers will not affect us. We should take responsibility for managing our own information, keep alert to news regarding security threats, and equip ourselves and our organizations with the latest knowledge. Consult experts and advisors if you are in any doubt, and keep a contact list for assistance, e.g. public services, application support, and ISP hotlines.

Keywords: Defending information from unauthorized access; Key to the future of every organization.

The study of information security covers many concepts and topics that every IT professional should master or at least have some basics of. The knowledge and skills of information security are essential for all those involved in the IT sector, e.g. cyber-security analysts, forensics analysts, network administrators, systems administrators, and application developers. Those lacking knowledge in this important field are more likely to develop applications that are not secure or build networks that are insecure and easier for attackers to penetrate. This is why information security knowledge is very important in our everyday lives, regardless of the career you choose within the IT sector.
Organizational Security policy

There is a need for an organization's information security policy. This policy should not simply convey a plan of action, for example its purpose, goals, applicability, importance and activities; most importantly, organizations should also document who is ultimately responsible for carrying out the security agenda across the enterprise [14]. All personnel within the organization should be provided with appropriate training on the information security policy and the organization's security expectations, aligned to their functional roles. As an example, the corporate internet usage policy should be communicated in a clear manner and be read, understood and acknowledged by all personnel within the organization, while a role-specific policy such as the enterprise software management policy should be scoped to include all the relevant personnel, for example the IT Systems department. It is also imperative for organizations to track the dissemination of policies and procedures through employee attestation, as this provides valuable input into policy enforcement and education processes.

Network Security benefits

At the 2009 FloCon conference, security analysts were given demonstrations of the FloVis framework for network visualization, including all three plug-ins [6]. During this demonstration, they identified a need for highly abstracted visualizations of network structures and their related communications that would assist the user in determining which subnets/hosts should be visualized with the existing plug-ins. For instance, network analysts/systems engineers may be responsible for monitoring several departments and may be aware of outside networks, subnets, and/or individual host Internet Protocol (IP) addresses that pose a threat to the security of those departments. Thus, it would be beneficial to provide a high-level visualization of the relationship between these "organizations" before deciding what to visualize at a lower level.
A common practice in IS research is to treat information systems themselves as either a dependent variable or an independent variable. Accordingly, IS frameworks usually attempt to classify information systems in one of two ways. Firstly, systems can be classified based on technical attributes. For example, characterizes information technology in terms of its capacity, quality, cost, storage, processing, and communications capabilities. It is also possible to classify computing arrangements as interactive versus batch, standalone versus networked, and so on. The second approach is to focus on the functions information systems perform within their context of use and whose interests are served by information technology. For example, Markus identifies five types of information systems, each describing a dominant type of function: operations, communication, planning and decision-making, monitoring, evaluation and control, and inter-organizational transactions. The Gorry and Scott Morton framework also builds its classification of information systems upon functional differences rather than
doi:10.1201/b10782-7 fatcat:oxy4uhxcn5gitn4edkfiej7wgm