In: Accounting
Explain two fundamental concepts: why information security is a management issue, and the time-based model of information security.
Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction of information. Passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption are examples of the logical (technical) controls used to achieve this.
Information security is one of many functions that must work in harmony to help the company or organization achieve its goals, whether profit or any other non-profit goal. Security does not stand on its own; it has to be part of the organization. Security may seem like a highly technical function (which is true in many respects), but management fully controls it. Management sets the strategy for how security should work, how many people the security team will have, how much budget it will get, and how much authority it will have over company operations. You can have brilliant security experts, but management's strategy and attitude can cripple them, rendering the entire security function useless. Management can be completely insensitive to the importance of security and refuse to dedicate any resources to it.
Every incorporated company has a board (also referred to as executive management, senior management, or simply management) which has a due-care responsibility under the Companies Act. Because the board now carries the liability arising from cybersecurity issues, it is accountable for these matters. That is why information security is a management problem: it is, literally, a problem for the management.
The time-based model of information security: implementing a set of preventive, detective, and corrective controls that allow an organization to recognize an attack and take steps to thwart it before any assets have been compromised.
If P > (D + C), then the security procedures are effective.
P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes the organization to detect that an attack is in progress
C = the time it takes the organization to respond to the attack once it is detected
If instead P < (D + C), the attacker gets through before the organization can react, so management must invest in stronger preventive controls (raising P), faster detection (lowering D), or faster response (lowering C), or some combination of the three.
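The following is an added worked example of the time-based model; it is not part of the original page. It measures D and C from a constructed sample incident timeline (the timestamp format and event names are assumptions chosen for this illustration) and estimates P under the assumption that the preventive control is a random password attacked by rate-limited online guessing, then checks P > D + C for two cases: a password the attacker must guess, and a password the attacker already holds from a leak (P = 0).

```python
"""Worked example of the time-based model of security, P > D + C.

Added illustration, not code from the original page. The incident timeline
below is constructed sample data, and the estimate of P assumes a random
password attacked by online guessing at a fixed rate (an assumption for this
example, not a claim from the page).
"""
from datetime import datetime

# Constructed sample timeline; assumed format: "<ISO timestamp> <event_name>".
SAMPLE_TIMELINE = [
    "2024-03-04T02:10:00 attack_start",        # first malicious login attempt
    "2024-03-04T02:55:00 alert_raised",        # SIEM alert fires (detection)
    "2024-03-04T04:20:00 attacker_contained",  # account locked, session killed (response)
]


def estimate_p_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """P: expected time for an attacker to get through the preventive control.

    For a random password of `length` symbols drawn from `alphabet_size`, the
    attacker needs on average half the keyspace, so P = (keyspace / 2) / rate.
    """
    keyspace = alphabet_size ** length
    return (keyspace / 2) / guesses_per_second


def measure_d_and_c(timeline: list[str]) -> tuple[float, float]:
    """D and C in seconds, read off an incident timeline.

    D = alert_raised - attack_start        (time to detect an attack in progress)
    C = attacker_contained - alert_raised  (time to respond once detected)
    """
    events = {}
    for line in timeline:
        ts, name = line.split(" ", 1)
        events[name.strip()] = datetime.fromisoformat(ts)
    d = (events["alert_raised"] - events["attack_start"]).total_seconds()
    c = (events["attacker_contained"] - events["alert_raised"]).total_seconds()
    return d, c


def time_based_model(p: float, d: float, c: float) -> dict:
    """Evaluate P > D + C and report the margin in seconds (positive = effective)."""
    margin = p - (d + c)
    return {"P": p, "D": d, "C": c, "margin": margin, "effective": margin > 0}


if __name__ == "__main__":
    d, c = measure_d_and_c(SAMPLE_TIMELINE)
    # Case 1: 8-character lowercase password, attacker throttled to 10 guesses/s.
    guessed = time_based_model(estimate_p_seconds(26, 8, 10), d, c)
    # Case 2: same D and C, but the attacker already holds a leaked valid password.
    leaked = time_based_model(0.0, d, c)
    print("guessed password:", guessed)
    print("leaked password: ", leaked)
```

The second case is the one practitioners care about: once credentials are already in the attacker's hands, P collapses to zero and no amount of detection or response speed satisfies the inequality, which is the model's way of saying that a preventive control (here, a second authentication factor) is the only fix.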