SOLUTION: CYBR 3600 UNO Comparing Different Approaches of Apple & Fitbit Discussion

CHAPTER 2
Integrate Security Into the Organization
INFORMATION IN THIS CHAPTER:
• Understand the organizational security culture
• Integrate information security into business processes
• Establish information security business relationship management
Copyright © 2016. Elsevier Science & Technology Books. All rights reserved.
Now that the strategy and strategic plan are established, the security leader will
need to gain adoption and embed information security into the business.
Integration of security into the business organization and operations can be
influenced through three dimensions: organizational culture, business process
structure, and business operations.
UNDERSTAND THE ORGANIZATIONAL SECURITY
CULTURE
The culture of an organization is basically its personality. It includes the goals,
assumptions, beliefs, values, norms, behaviors, customs, rites, history, and
dress of the people who work for the organization. It is what makes employees
feel like they belong and what encourages them to work collectively to achieve
organizational goals. A strong security culture is both a mindset and mode of
operation. One that is integrated into day-to-day thinking and decision making can make for a near-impenetrable operation. Conversely, a security culture
that is absent will foster uncertainty and, ultimately, lead to security incidents
that the organization likely cannot afford to incur. It might be difficult to move
an organization’s culture in a different direction or to make major changes, but
actually change is occurring all the time due to a variety of influences, internal
and external to the organization.
An organization’s culture is generally reflected in its mission or vision statement and explicitly stated core values. The core values spell out the organization’s basic beliefs and passions, i.e., what the company stands for and what
it values. The mission statement is created based on the core values. The core
Building a Practical Information Security Program. http://dx.doi.org/10.1016/B978-0-12-802042-5.00003-2
Andress, J., Leary, M., & Leary, M. (2016). Building a practical information security program. ProQuest Ebook Central http://ebookcentral.proquest.com
values and the mission statement are used to guide the organization when
making strategic, and even ethical, decisions. There are organizations that
include the terms “secure,” “security” and “privacy” in their vision and/or mission statements, particularly those in highly regulated industries that require
data security. However, inclusion of the words “privacy” or “information security” in an organization’s list of core values does not guarantee that everyone
in the organization will value them unless management demonstrates its commitment. Many organizations periodically review their mission statements
and core values, to ensure they reflect the organization’s guiding principles.
Security executives should use that opportunity to convince top management
that information security and privacy should be included among their organization’s core values. To make the case, security executives can cite laws and
regulations that punish noncompliance, emphasize the positive impact on
employees and productivity, and point out the impression it will make on the
organization’s customers. This will have the effect of making security a priority
for the top leaders in the organization.
Indeed, the strongest influence comes from the top leadership position, something security professionals can use to their advantage to encourage the change
that is needed to achieve a more secure organization. Many organizations recognize the need to secure their data but do not know how to make it a priority throughout the organization. To this end, one recommendation is starting
with identifying the benefits to the business leaders so that they realize the
need for the change, then identifying the specific steps to be taken to implement the change (i.e., the information security program).1
Since the business context is already understood at the highest levels, it is
important to now “sell information security” in the appropriate levels and
with the most important partners. The natural start is with the stakeholders
identified during the validation stage of testing the strategy’s fit for purpose.
However, it is often the next level of the lines of business operations that will
have to adopt, directly or indirectly, the information security program. These
stakeholders will most likely be supportive if the value of the program is correctly communicated. You can justify information security value by centering
on four common aspects of the value proposition for information security:
compliance, risk, revenue, and reputation.
Compliance is well understood by all businesses as the foundation of good
management. The policies and standards usually come in two forms, external and internal. External regulations, legal statutes or industry mandates
will influence the security policies as a set of requirements that the business
must adopt. Examples are statutory privacy requirements when handling
1 Thornbury J. Creating a living culture: the challenges for business leaders. Corporate Governance 2003;3(2):68–79.
personal health information governed by the Health Insurance Portability and
Accountability Act; national, regional, or even local legal statutes that may govern
not only the handling of personally identifiable information but also data breach disclosure requirements; and industry standards such as the Payment Card Industry
Data Security Standard, which outlines privacy requirements and technical standards
associated with credit card transactions. Internal policies will generally carry the
same weight as external policies. Internal policies may be an interpretation of, or
founded on, the external regulations or industry standards that govern the
business. In other cases, internal policies are the statement of requirements—
operational or technical—that must be adhered to for the proper functioning
of business processes or systems. The value of the information security program in avoiding noncompliance and possible penalties can be quite attractive.
The second aspect, risk, is one that must be tailored to the stakeholder’s perspective. Each business leader or personality may have a different perspective
on risk and the language and concepts should be slightly adapted to fit the
individual’s framework. Simply explaining the numerous threats that the business is exposed to will not convince everyone of the particular value of the
program, particularly if the company has survived without any trouble to date.
C-suite executives care less about a particular virus or how many times the
firewalls were probed for a particular port or protocol. Chief executive officers
and board members will care about reputation risk, as described later. Chief
financial officers care about financial risk; they will be much more interested
in the cost to a financial risk model that ties the return on investment of the
information security program (reduce current costs, reduce future costs, and
reduce the financial risk to the business). Business line executives are much
more interested in business risk across their portfolio than in a single system or
application; they look for risks to the entire portfolio of processes or systems
that could aggregate into a significant downside to their quarterly or annual plan. Managers who rely on their business-related transactional applications may
be more concerned with the confidentiality, availability, or integrity of the information being processed than with the latest threat tactic using malicious software
against a particular vulnerability.
The connection between information security and revenue is hard to make, particularly as security is perceived as a support function rather than as a generator of revenue.
Information security’s return on investment, or more appropriately “return
on security investment,” is difficult to calculate, but it can be
achieved, often in terms of cost avoidance or savings. A security incident in a transactional system
can result in outages that subsequently impact the business of
generating cash. The financial value of the information security program in getting
things back up and running quickly is something that can actually be financially appraised. In some industries, information security may be viewed as a
competitive advantage and valued by customers, who may articulate the selection of one business over another based on information security capability
as a criterion. For example, companies that follow the ISO 27000 framework and formally audit their data centers, applications, or systems against it
often offer these certifications as a discriminator and valued aspect
of their service delivery against competitors. Likewise, products that are formally
certified under the international standard ISO/IEC 15408, Common Criteria for Information Technology
Security Evaluation (commonly referred to as Common Criteria), are given preference over products
whose security model has not been formally evaluated. For the US Federal
government, Common Criteria is used as the basis for procurement decisions
when analyzing alternatives.
The impact to a business’s reputation is not necessarily a hard story to tell. In
recent years, the media and newslines have reported that several high-profile
businesses have had their reputations dented by security incidents. Technology,
retail, and banking industry firms have had reported compromises and outages
due to internal and external threats. It is worthwhile explaining that external threats are not the only ones that
can damage a business’s brand: many companies have suffered bad media coverage due to the improper or errant use of systems, as well as fraud
and identity theft, by an internal user. These high-profile incidents are very useful for explaining the impact that security incidents can have on a company’s
reputation. If a business has spent decades building a solid brand, explaining
just how quickly and easily reputations can be harmed is an acceptable manner to emphasize the value of information security. Executives and managers
understand the value of brand and consequences of brand erosion.
Beyond business executives and managers’ adoption of information security
culture, it should be well understood as a set of day-to-day practices by the
employees. It would be a mistake to target a massive change of culture at the
employee level, particularly in organizations that are global in nature, so information
security should focus on a common understanding of information security
awareness and a standard set of employee practices. First, ensure that a common information security awareness training articulates the key information
security policies in easy-to-understand language. It should reference the documented information security policy and where it can be found on the corporate intranet. The training should outline what steps the business has taken
to maintain information security and protect information, and the acceptable use of
company resources (inclusive of information). Beyond the employee-level
training, role-based targeted training is also a mechanism to change behavior. One example is manager information security training; managers need to
understand not only their obligation to maintain information security, but
also how to identify indicators of employee bad behavior and how to correct it.
In another example of role-based training, if the business is concerned about
deploying secure systems, application security and secure coding training
may be a way to reinforce positive behavior within the developer community.
At a common employee level, antiphishing training is an example of proactive
training that tests employees’ behavior in protecting data against clever social engineering attacks. Training should be constant to ensure an enduring effect.
INTEGRATE INFORMATION SECURITY INTO BUSINESS
PROCESSES
There is a distinct difference between a business function and a business process. There may literally be any number of functional organizations in an
enterprise—human resources, finance, legal, sales, marketing, and communications to name but a few common business functions. Business processes are
less numerous. Business processes are generally a set of repeated activities that
produce something of value for the business, stakeholders, and customers. The
business process represents a stream of activities, their inputs, and their results.
Processes have names like product development, supply chain, order handling,
distribution, logistics, and market development. Processes can pass through
many different organizational business functions. For example, a new product may have been originally designed through the combined efforts of the
research and development, engineering, and marketing functions, then passed
through many of the business’s other functions on its way to market and customer hands. Functions tend to reflect how a business is organized, whereas
processes reflect how a business behaves.
In integrating information security practices, it is extremely important to
understand information security issues in the context of business processes.
From a process perspective, information flows between activities, people, functions, and organizations as a process component. Information, as an asset, may
have a process owner who creates or originates the information. Information
users, or stewards, carry out the process owner’s requirements in their part of
the process flow. Basic information protection requirements such as classification, authorization, authentication, and accountability are imposed on
the information in the process-based view, which may not match a pure “systems
view” because information flows between organizations and individuals.
Nevertheless, they come closer to a true reflection of the business’s need for
protection throughout the process. Therefore information security is affected
directly, in real time, through the process arrangements, tools, and people in those
activities that are process based.
This poses a challenge to the business process owner, who will need assistance
from information security. The business process owners will need guidance
and advice on translating the information security policy in a meaningful
way to impose protection requirements end to end. Information security must
also develop an understanding of the major processes in the organization.
Information security will need to understand the business process architecture
that defines the processes, their interrelationships (“interprocesses”), and the information that flows through the business to its suppliers, partners, and customers. It
is also essential to educate the appropriate management and business process
owners on the value of implementing controls, such as enhancing predictability,
stability, repetition, and overall quality. Information security should not be
perceived as inhibiting or throttling the business process; information security should support the overall business process objectives without creating a
bottleneck. A further benefit is the cost avoidance of reengineering processes
or supporting technology to remediate failures that may lead, or have led, to security incidents. The cost of reengineering may be more than the cost of inserting
information security well before the design and development of a solution,
product, or service. By participating in the business process creation or reengineering process, information security can be embedded in the business processes as a value-add partner.
ESTABLISH INFORMATION SECURITY BUSINESS
RELATIONSHIP MANAGEMENT
The third key point of integration is establishing a partnership with the business. The classic integration is the placement, or alignment, of an information
security representative or officer with the business entity in a direct support
role. An information security officer plays a critical role in informing, advising, and alerting the general management on matters relating to the enterprise
information security policy and program. The duties of the information security officer are typically managerial; the information security officer may be a
single representative of the enterprise program to the business or may direct a
team of analysts, engineers, and operations staff that are in direct support to
the business unit. Some of the key responsibilities of the information security
officer are:
• Reviews internal processes, standards, guidelines, requirements, and practices, both at the enterprise and local levels
• Updates internal control structures and standard operating procedures
• Conducts annual reviews for security compliance
• Provides security impact assessments and feedback
• Identifies security training needs and completes training requirements
• Protects identifying information collected in accordance with policies
• Reports proven or suspected exposure or disclosure of personal information
• Supports communication of security information to the unit
• Provides input and feedback on current and future security standards and initiatives
• Reports unit concerns and considerations related to security