Kamis, 10 Mei 2012

Risk is Measurable


"Risk cannot be measured," is a common scientific and mathematical phrase often applied to information security. While it's true some risk measurements are subjective, it's naive to believe measurements aren't attainable. Risk is not a number, but a measurement of risk is.
For example, you can measure:
* The percentage of vendors meeting an organization's standards,
* A percentage level of compliance to regulations, and
* The number of vulnerabilities present in an environment.
It's critical for credit unions to identify, prioritize, and manage risk. Management and technical staff must jointly define criteria for measuring information security performance. And these measurements should clearly align with business goals and strategies.
When developing measurement criteria, avoid technical, legal, and subject matter jargon. Focus on measuring the services rendered. Clearly define goals, strategies, and measurements. This facilitates open communication, prudent planning, and financial rewards.
Here are common excuses for avoiding risk measurement:
* "Management doesn't understand." Information security encompasses technical and physical security issues. Ensuring confidentiality, integrity, and availability requires deep insight into technology, risk modeling, physical security, laws, and regulations. Technical complexities often hinder communication between management and information technology (IT) staff. The challenge for IT staff: Convey complicated information simply and clearly. The challenge for management: Be willing to accept change.
* "Security measurement is for large credit unions only." Incorporating information security risk measurement into an organization's processes takes time, persistence, and often a cultural change. People often feel threatened, dislike change, or have social motivations that slow the process. But credit unions of all sizes benefit from risk measurement activities. It may take time, but persistence pays off when the measurements support budget requests and supply valuable return-on-investment data.
* "Security moves too fast." Technology continues to change at an astounding rate. Many people feel information security measurement can't keep up with technological change. But the problem actually may be poorly designed measurements. The intent of measurement is to align corporate strategies with IT. Clearly define the organization's goals and objectives. Then measure information security as it relates to those goals and objectives.
SMART measurements
Prudent decisions require simple, measurable, attainable, repeatable, and timely (SMART) information. Keep information security risk measurements:
* Simple. Each measurement's objective must be clearly understood by all intended parties. Create a list of key performance indicators. Avoid technical, legal, and other jargon. Avoid data overload and stay focused on specific performance measurements.
* Measurable. While many facets of security and risk are hard to quantify, focus on what can be measured-for example, the number of vulnerabilities or the number of incidents.
* Attainable. Some measurements are direct outputs of existing reports and systems; others may require analysis to derive the value. Make sure your measurement goals are attainable over time, since they must be continually assessed and managed with minimal cost.
* Repeatable. Since you'll want to show trends to generate useful data, make sure the measurements are easy to take over time and can be repeated.
* Timely. Outdated information can skew analysis and directly impact decisions. The timeliness of data often determines its value. Make sure measurements are easy to deliver as needed. Aim for maximum automation with minimal manual activity. Establish clear communication and access rights at the start.
Your credit union can measure information security performance. Risk models, financial measurements, key performance indicators, and other measurements can help you align information security with organizational goals and strategies.
For quality information security consulting and services please contact ComSec @ http://www.comsecinc.com or 702-866-9412
Jeromie Jackson- renowned security analyst and highly sought after consultant is the CEO of ComSec, Inc. ComSec, Inc. provides information security, regulatory compliance, and IT governance services. Mr. Jackson was previously founder and Chief Technology Officer for Garrison Technologies- a well-respected security product integrator and consulting organization. Mr. Jackson is the President and founder of the San Diego Open Web Application Security Project (OWASP) Chapter, Vice President of ISACA San Diego, a speaker at many conventions, been interviewed on several radio talk shows, and was covered on Forbes Magazine. Today Mr. Jackson continues to consult enterprise and SMBs on measuring and improving their information security and risk management postures.
Security assessment services include Governance, Risk Management, Penetration Testing, Social Engineering, Security Awareness Training, Regulatory Gap Assessment (NCUA, FFIEC, FRB, OTS, Sarbanes Oxley (SoX), and HIPAA), Balanced Scorecards, COBIT & ITIL Alignment, & Web Application Assessments


Article Source: http://EzineArticles.com/1056886
By 
Diposting oleh di Tidak ada komentar:

What Exactly Is Best Practice?


The term Best Practice is a commonly used buzzword particularly in the consulting community. I am often asked by clients to advise them on the best practice in a particular area of their IT operation and delivery, however there is rarely a clear understanding of what this actually entails.
My favourite definition is that a best practice is a technique or methodology that, through experience and research, has proven to reliably lead to a desired result. An organisation which commits to using the best practices in any field is a committing to using all the available knowledge and technology to ensure success.
However, the challenges to using Best Practice are significant.
In my experience there is rarely a single best way to undertake any given process and the effectiveness and efficiency of any solution depends on multiple factors which may be different for each organisation. In addition, the fact that a way of doing things is widely adopted or accepted may not make it the best solution, but rather it may be a commonly adopted compromise in terms of cost-benefit.
In some cases the use of best practice can be detrimental to an organisation. Another company's way of operating may be a failure in a different cultural or organisational environment. Rigorous adherence to best practice standards can serve to limit organisational improvement and innovation.
Furthermore, it is important that current processes and procedures are not simply discarded in a search for a better way since these often represent significant investment in intellectual capital and have developed over time in a way that may best suit the organisation in question.
When looking to identify best practices, we therefore look for commonly accepted standards (where they exist) and also at comparable organisations to determine how a process can be performed.
Some examples of relevant and potentially useful standards in the Information Technology world include PMBOK and PRINCE2 (Project management), TSP/PSP, Agile, RUP, UML and BPMN (Software development), ITIL and COBIT (Information technology governance), SOA, J2EE, Web Services and TOGAF (Enterprise architecture), Six Sigma and CMMI (Process improvement) and ADKAR (Change management).
Once we have selected a proposed process, in agreement with the relevant staff from within the organisation, we recommend that the new process be piloted with a small group or project to validate its operation within the target business and to begin creating organisational learning and experience which can be leveraged to support the wider adoption.
Finally, for any process regardless of whether it is existing or new, the most important step is to commit to ongoing evolution and improvement using tools such as Six Sigma to guide the future development. Ultimately, the very best practices are simply those which operate efficiently and effectively and add value to your specific business operations.
Chris Young is the founder of White Water Consulting (http://www.whitewater.com.au) and is a senior consultant with a broad knowledge and experience in financial services, change management and information technology. His areas of focus include delivering business-aligned IT strategy and implementing best practices in process improvement, project management and software development process. White Water Consulting provides practical solutions to designing and implementing information technology strategy. By remaining independent of solutions and solution providers White Water Consulting can concentrate on your actual business needs and recommend strategies that are pragmatic and cost effective.


Article Source: http://EzineArticles.com/958805


By 
Diposting oleh di Tidak ada komentar:

Capability Maturity and Process Assessment


Introduction
Many organizations depend on IT for their core and critical business services. Being confident in a service provider's capability to deliver IT services is therefore important for a range of strategic, tactical and operational activities. Higher levels of capability provide give greater confidence that an organization can deliver the desired business and IT services. Lower levels of capability may indicate potential sources of risk.
Benchmarking and comparison with best practice
Benchmarking and assessment tools help senior managers to understand areas of weakness, risk and what can be done more efficiently. Comparing the current situation with international standards and best practices is a good starting point for assessing current capability and planning improvement.
In addition to performance and customer satisfaction benchmarks, many organizations assess their service management capability and IT processes using:
- ISO/IEC 20000 IT Service Management series
- ITIL service management best practices
- COBIT
- ISO/IEC 15504 series
A capability maturity model (CMM) or process assessment model (PAM) can be used by an organisation as the framework for benchmarking, internal assessment and planning improvement.
Using COBIT maturity models
COBIT 4.1 (published by ITGI and ISACA, 2007) provides guidance on maturity modelling for management and control over IT processes that is based on a method of evaluating an organization's processes from a maturity level of non-existent (0) to optimised (5).
The COBIT generic maturity attribute model is useful for performing a high level assessment for a range of processes. It provides a useful model to identify where issues are and how to set priorities. There is also a specific model based on the generic scale for each of COBIT's 34 IT processes.
ISO/IEC 20000 series
ISO/IEC 20000-1, published in April 2011, is the core of the 20000 series, providing the basis for establishing a Service Management System (SMS), service improvements, management reviews, internal and certification audits. Part 1 is set of requirements which are compulsory for a certification audit, considered often as the destination that is reached.
ISO/IEC 20000-4, published in 2010, defines service management process reference model, aligned to Part 1. The process reference model defines each Part 1 process using inputs, outputs and activities. Although it can assist with process design it was developed as the basis of five-level process assessment model (PAM)..
Using ISO/IEC 15504 and process assessment models (PAM)
The 15504 series sets out the requirements for performing a process assessment and writing a process assessment model (PAM) that is conformant. There are general requirements that apply to all types of assessments and specific requirements that apply to assessments of process capability and organizational maturity.
A process assessment model is composed of a set of indicators of process performance and process capability. The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings for each process. Using 15504 helps to ensure that the assessment output is self-consistent and provides evidence to substantiate the ratings.
Work is currently under development to produce ISO/IEC 15504-8, an Exemplar IT Service Management Process Assessment Model. Several pilots are underway using the draft PAM.
This article was submitted on behalf of Connectsphere by Jo Da Silva.
ConnectSphere provides consulting and professional development services to help organizations to adopt ITIL® service management best practices and use ISO/IEC 20000. Managing Director Shirley is UK Principle Expert on the ISO and BSI committees that develop IT, IT service management and process assessment standards. If you want to find out more about using the IT service Process Assessment Model and ISO/IEC 20000, contact ConnectSphere at http://www.connectsphere.com - They are specialists in IT Governance and ITIL Training Courses.
ITIL ® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.


Article Source: http://EzineArticles.com/6241568
By 
Diposting oleh di Tidak ada komentar:

What IT Service Management Training Is Available?


he variety and depth of IT Service Management training has changed over the years.
Way back we all 'knew' our qualifications, first there was ITIL and the Managers certificate, and then came the Foundation. Then for a long time during the reign of ITIL V2, we had the familiar Foundation, Practioner and Managers certificates.
Foundation providing the entry prerequisite for further qualifications, prepared you with a brief exploration of some key processes from the framework, which you could cover in greater depth at Practioner level, with the final hurdle of the Managers Certificate, widely recognised as a tough exam which demonstrated a wide knowledge of IT Service Management, not just what was captured in the core ITIL publications.
Now we have the renewed framework and qualification structure for ITIL V3, which specialises in the Service Lifecycle as described in the ITIL publications.
We still have the Foundation, the entry-level, required for any further progression in the qualification structure as before. But as the ITIL examination structure now covers considerably more information than previously, the level and depth of understanding at Foundation level is considerably reduced.
The next layer of qualification is the Intermediate level. Here the qualifications split into two distinct streams Lifecycle and Capability. Both streams focus on the content of the ITIL publications, the Lifecycle stream looking at the management challenges for the Lifecycle stages, the Capability stream looking at the process management in grouped segments of the Lifecycle. These take the understanding of the framework as captured in the publications to much greater depth, so much so, that it is recommended that students complete some preparation between Foundation and Intermediate, to ensure they have studied the framework in more detail than is delivered at Foundation.
Unlike the previous Practioner courses, which were 'stand alone', these qualifications are not only recognised individually, but also build credits towards the Intermediate Expert qualification. A mix of disciplines is recommended to attain the required number of credits to achieve the higher qualification.
Expert status can only be granted once the required number of credits has been achieved, and the qualification of 'Managing Across the Lifecycle' has been passed. This last examination tests the candidates' knowledge of the complete management of the Service Lifecycle, as descried in the ITIL publications.
Once the required number of credits is achieved, (described on the Official ITIL website http://www.itil-officialsite.com/Qualifications/ITILV3QualificationScheme.asp) the qualification of ITIL Expert can be applied for and is awarded.
All of the qualifications are based on multiple choice examinations (of varying complexity), so they are specific to the framework publication, allowing no variation or originality of IT Service Management thinking, as could previously be achieved in the written examinations for both Practioner and Managers certificate in V2.
The final level of qualification - the ITIL Master, has not yet been formally released, although there is a pilot scheme currently in operation (article date October 2010).
In the IT Service Management arena we also have the qualification schemes that have arisen around ISO/IEC 20000, the IT Service Management standard. Some of the qualifications have been linked to specific certification schemes, but they provide education relating to the standard and its attainment.
As with the ITIL qualification structure, ISO/IEC 20000 begins with a Foundation qualification, introducing the standard at an entry level. Beyond this, the qualification structure splits according to requirement, for Auditors (those who will be involved in the governance and audit against the standard) and for Consultants (those who will be involved in the guidance for implementing the requirements of the standard).
These qualifications are applicable to those who wish or need to know more about the ISO/IEC 20000 standard. They are extremely helpful to those who are intending to attain the standard in their organisation.
Then we have COBIT - the framework for IT Governance and Control. Process driven, and providing guidance on the governance and audit of IT services. This also has a Foundation qualification, to introduce the concepts and provide a basic understanding of the framework.
These are the main frameworks that have recognised qualifications applying to IT Service Management. There are many more individual qualifications being developed by the various Examination Institutes, but these are too numerous to mention. This article does not cover the qualifications provided by the HelpDesk Institute for the development and improvement of service desks and customer service.
The choices are many and varied, and continue to increase as more qualifications are developed. Your Accredited Training Organisation will be able to help you identify the best programme to meet your needs.
"ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries"
Helen Morris, director of Henry Gale Associates Ltd., co-founder of Helix SMS Ltd., specialises in IT Service Management and Best Practice implementation in global organisations. Helen is a skilled and highly qualified consultant working in private and public sectors. With over 25 years of IT experience, she has valuable perception and insight into the issues facing businesses today.


Article Source: http://EzineArticles.com/5253486
By 
Diposting oleh di Tidak ada komentar:

ITIL - Understanding and Using IT Service Management


'ITIL' is a term that is fast gaining currency around the IT world. It is often wrongly described as 'IT governance' - in fact, on its own, it certainly isn't this. ITIL is a collection of best practices that helps companies implement an IT Service Management culture. However, its growing popularity reflects the substantial impact it can make on a company's IT and business performance and the fact that, in combination with other frameworks, it is a vital ingredient in creating true IT governance.
What is IT Service Management?
Today's businesses are increasingly delivered or enabled using information technology. Business and IT management need guidance and support on how to manage the IT infrastructure in order to cost-effectively improve functionality and quality. IT Service Management is a concept that deals with how to define and deliver that guidance and support. In common with other modern management practice, it views things from the customer's perspective, i.e. IT is a service that the customer or consumer receives. It can be made up of hardware, software and communications facilities, but the customer perceives it as a self-contained, coherent entity.
So what is ITIL?
Standing for 'IT Infrastructure Library', ITIL is a set of best practices that are at the heart of the IT Service Management approach. It provides guidance on how to manage IT infrastructure so as to streamline IT services in line with business expectations. ITIL is a best practice framework, presenting the consolidated experience of organisations worldwide on how best to manage IT services to meet business expectations.
ITIL was originally developed during the 1980s by the UK's Central Computer and Technology Agency (CCTA), a government body, which created ITIL version 1 as an approach to incorporating various vendor technologies and serving organisations with differing technical and business needs. CCTA has now become part of the Office of Government Commerce (OGC), which, as official publisher of the ITIL library, updated it, published version 2 and continues to develop and support it.
ITIL has since become widely adopted across the world in both public and private sectors and is recognised as best practice, being deployed in organisations of all shapes and sizes.
What makes up the ITIL Library?
ITIL documentation consists of seven 'sets' or 'volumes': Service Support, Service Delivery, ICT Infrastructure Management, Security Management, Planning to Implement Service Management, The Business Perspective and Applications Management.
Of these, Service Support, Service Delivery and Security Management are considered the central components of the ITIL framework, covering vital issues such as Incident Management, Configuration Management, Change Management, IT Service Continuity Management, Availability Management and IT Security Management.
Learning about ITIL
The seven ITIL volumes are published by The Stationery Office, the official publisher of the UK government. In addition, to gain an overview and a sense of how to navigate these, it is helpful to consult one of several recommended introductory texts. 'Foundations of IT Service Management Based on ITIL - An Introduction' is widely accepted as the best starting point and self-study guide. 'Implementing Service and Support Management Processes - A Practical Guide' is a thorough and comprehensive handbook on the subject, while the 'itSMF Pocket Guides' provide a good overview of each of the ITIL components.
Getting certified
Part of the reason for the recent growth in ITIL awareness is the publication in December 2005 of a new global standard to which businesses can become certified. ISO 20000 (or ISO/IEC 20000:2005, to give it its correct name) is closely based upon the pre-existing British standard BS15000 - in fact, it is virtually indistinguishable. The standard comprises two parts: ISO/IEC 20000-1 is the specification for IT Service Management against which an organisation's practices can be certified; ISO/IEC 20000-2 is the 'code of practice' that describes best practices and the requirements of Part 1.
BS15000 has become widely used around the world since it was published in 2003 and was adopted virtually unchanged as the national standard in Australia and South Africa. A number of companies across the USA, Europe and Asia have already become certified as BS 15000 compliant. We also recommend several excellent books that provide guidance on achieving BS15000/ISO 20000 compliance.
Upon the publication of ISO 20000, BS15000 was withdrawn and individual standards and certification bodies are drawing up their own formal transition programmes for conversion to the new standard. Companies already holding BS15000 should encounter no difficulty in converting their certification to the new standard, as this should be one of the considerations addressed by the individual certifying bodies.
Practitioners can also pursue a structured programme of ITIL examination and certification, comprising the ITIL Foundation Certificate, ITIL Practitioners Certificate and ITIL Managers Certificate. Examinations and certification in Europe are managed through two independent bodies: EXIN, the European Examination Institute for Information Science; and ISEB, the Information Systems Examination Board. Between them, these two organisations control the entire certification scheme. In the United States, HDI is a principal organiser of examination and certification, and it and similar organisations provide coverage elsewhere around the world. These organisations ensure that personal certification is fair, honest and independent of the organisations that provide the training, and accredit training suppliers to bring about a consistent quality of course delivery.
ITIL and IT Governance
When combined with certain other frameworks, ITIL makes a major contribution to the creation of effective IT governance. ITIL processes can be mapped to CobiT (Control Objectives for Information and Related Technology) processes, and the two frameworks complement each other nicely: if the CobiT control framework tells the organisation 'what' to do in the delivery and support areas, ITIL best practices help the organisation define 'how' to deliver these requirements. Similarly, ITIL works very effectively with ISO 17799, the international code of best practice for information security, providing guidance on how to manage the various processes that ISO 17799 prescribes.
By drawing upon these three complementary frameworks as appropriate to its needs, an organisation can establish an IT governance regime that delivers real and lasting competitive advantage to its business.
Alan Calder is CEO of IT Governance Limited, an authorised international distributor of ITIL books (published by TSO on behalf of the Office of Government Commerce) and of British and international standards published by BSI. The seven ITIL volumes are available at http://www.itgovernance.co.uk/catalog/23, while introductory books may be accessed at http://www.itgovernance.co.uk/catalog/7. All items may be purchased online for worldwide delivery. For more information visit http://www.itgovernance.co.uk/itil.aspx


Article Source: http://EzineArticles.com/245168


By 
Diposting oleh di Tidak ada komentar:

The Top Five Sources of Best Practices Used in IT Auditing


The top five sources of IT security best practices consist of standards, frameworks and guidelines. The sources listed below are international organizations and governmental entities. The perspectives on IT security, risk and controls vary considerably.
IT auditors working in different technology environments know that the selection of best practice standards and frameworks is a critical task. There are invariably differences between the concepts in best practice documents and the implementation in real world technology environments.
This 'Top Five' list is intended to be used as a reference for IT auditors, security practitioners, risk managers, compliance professionals, IT administrators, software developers and the broad range of IT professionals. We hope to add value to the overall IT professional community.
1. Control Objectives for Information and related Technology (COBIT). Published by ISACA.
The latest version is COBIT 4.1 which consists of generally accepted best practices, processes, measures and indicators for IT governance and control. The formal mission is to "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors". COBIT 4.1 contains 34 high-level processes which cover 318 control objectives and are categorized in the four domains below: -Planning and Organization -Acquisition and Implementation -Delivery and Support -Monitoring and Evaluation
2. ISO/IEC 27001 IT Security Techniques -- Information Security Management Systems. Published by the International Organization for Standardization.
This is an Information Security Management System (ISMS) standard which is part of the ISO/IEC 27000 family of standards. The official name is ISO/IEC 27001:2005 - Information Technology -- Security Techniques -- Information Security Management Systems -- Requirements. The standard was created in 2005 by the International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC). The objective is a management system for information security.
The standard emphasizes a risk management approach in which an organization identifies, analyzes and evaluates risks. The focus is on reducing risk in a range of areas where information security could be compromised. There are over 130 controls defined as part of the standard.
3. Center for Internet Security (CIS) Benchmarks
The Center for Internet Security (CIS) Benchmarking and Metrics Division publishes consensus best practice standards for security configurations. Information security metrics and other resources are also published to measure security status and to make decisions about security investments. The official objective is to 'reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.'
The Benchmarks are detailed recommendations for technical control rules and values in operating systems, middleware and software applications and network devices. There are 53 different benchmarks including Unix and Microsoft Windows operating systems, Oracle and Sybase databases, Cisco and Juniper network routers and more. These benchmarks were created through a consensus of hundreds of security professionals in business, industry, government and academia worldwide.
4. US Department of Defense, Security Technical Implementation Guides (STIGs)
Security Technical Implementation Guides or 'STIGs' contain guidelines for the standardized installation and maintenance of computer software and hardware. The US Defense Information Systems Agency (DISA) created these best practices as a series of configuration documents in support of the US Department of Defense (DoD).
The STIGs are standards to configure systems and devices. These standards are intended to be used in conjunction with security checklists which are also known as lockdown or hardening guides. There are also Security Readiness Review Scripts (SRRs) for testing systems for compliance with the STIG configuration.
The STIGS cover most operating systems, databases and web servers.
5. US National Institute of Standards and Technology (NIST), Computer Security Division, Special Publications (SPs).
These 'special publications' are designed to help secure our nation's information and information systems. There are over 300 NIST information security documents including Federal Information Processing Standards (FIPS), NIST Interagency Reports (NIST IR), the Special Publication (SP) 800 series and the Information Technology Laboratory (ITL) Bulletins.
The SP 800-series is based on ITL research, guidelines and outreach efforts with industry, academic and government organizations.
The 'special publications' are organized into 'families' focused on a specific aspect of IT security and control such as risk assessment, access controls, audit and accountability, system and information integrity and contingency planning. Some examples of specific guides are the Guide to General Server Security, Guide to Secure Web Services, Guidelines on Electronic Mail Security and Security Considerations in the System Development Life Cycle.
Looking for certified IT auditors at reasonable rates. Continental Audit Services, is your provider to control risks, improve security and comply with regulations. IT best practices applied to all major operating systems, databases and other technology. Visit http://www.continentalaudit.com.


Article Source: http://EzineArticles.com/5685231


By 
Diposting oleh di Tidak ada komentar:

Proposing An Information Security Awareness Program


Risks to confidentiality, integrity, and availability of organizational information assets are constant, yet evolve on a daily basis. Individuals need to be informed and prepared for information security threats directed towards them, their computers, and ultimately their way of life. These threats take on many forms, but they all fit in certain established and identifiable categories. An individual's ability to distinguish between benign incidents and an actual information security threat or risk rests on the breadth and depth of security awareness training they have received.
Proposing that an Information Security Awareness Program be developed for the employees of your organization to educate them on the information security risks they face while utilizing organizational information assets, and by extension, their personal information is a wise move for IT executives to make. The awareness program can be developed in conjunction with the implementation of an overall IT Governance methodology such as COBIT or as a standalone program depending on the IT maturity level of your organization.
Firewalls, intrusion detection, and intrusion prevention systems, although a requirement for today's network, can not completely defend an organization from current security threats. Organizations need to ensure that their employees, vendors, partners, and subcontractors will not leave the organization vulnerable to various risks such as operational disruptions, loss of valuable informational assets, public embarrassment, or legal liability due to a lack of information security awareness.
There is not only a clear need from a practical standpoint to ensure individuals receive adequate and properly funded training in the protection of organizational and personal information assets, but depending on your organization's industry there may also be regulatory requirements such as HIPAA and SOX to do so. The development and implementation of an information security awareness program should encompass a mandatory annual refresher component to ensure the promotion of a security aware culture among employees.
Information security has become a key concern among information technology professionals and that concern, when shared by management, will benefit organizations as a whole. Top-down management support is crucial for the survival of the program and its goal of creating a culture of information security awareness within the organization. The program would also be a valuable component of showing that executive management is performing due diligence in securing organizational information assets.
Written by Claudio LoCicero, M.S.
Over his career he has held several technical and management positions both in the United States and overseas within the private and government sectors.
He holds a Master of Science in Information Technology with an Information Security Specialization from a university designated as a National Security Agency Certified Center of Academic Excellence for Information Assurance. He also holds numerous professional certifications such as the Project Management Professional (PMP), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Information Technology Infrastructure Library (ITIL) Foundation, along with several other professional certifications from Cisco, Microsoft, and the National Security Agency (NSA).
He is an active member of the International Information Systems Security Certification Consortium (ISC2), Information Systems Audit and Control Association (ISACA), Information Systems Security Association (ISSA), and the Project Management Institute (PMI).


Article Source: http://EzineArticles.com/741389


By 
Diposting oleh di Tidak ada komentar:
Langganan: Postingan (Atom)