1) Planning for cyber security involves methods for preventing attacks, detecting attacks before damage occurs, and responding to incidents through recovery or correction.
2) The people, process, technology triad acknowledges that cyber security requires coordinated human and technological elements, as security cannot be ensured through technology alone. Processes must be established to guide how people collectively act to achieve security objectives.
3) Cyber security policy aims to balance cyber functionality and productivity goals with security requirements by establishing directives to maintain security amid demands for increased system access and capabilities. Policy refers to a variety of rules and guidelines concerning information protection and technology management.
planning has been to prevent a successful adversary attack. However, all security professionals are aware that it is simply not possible to prevent all attacks, and so planning and preparation must also include methods to detect attacks in progress, preferably before they cause damage. However, whether or not detection processes are effective, once it becomes obvious that a system is threatened, security includes the ability to respond to such incidents. In physical security, the term “first responders” refers to the heroic individuals in the police, fire, and emergency medical professions. Response typically includes repelling the attack, treating human survivors, and safeguarding damaged assets. In cyber security, the third element of the triad is often stated in slightly more optimistic form. Rather than “respond,” it is “recover” or “correct.” This more positive expectation of the outcome of the third triad activity, to recover rather than simply respond, reflects the literature of information security planning, wherein security management is recommended to include complete reconstitution and recovery of any business-critical system. Because information technology allows diversity, redundancy, and reconstitution of the data and programs required to operate systems, information security professionals expect that damage can be completely allayed. In either case, the lessons learned in response are expected to inform prevention planning, creating a loop of continuous security improvement.

People, process, technology addresses methods common both to technology management in general and to cyber security management as a specialized field. This triad observes that systems require operators, and operators must follow established routines in order for systems to accomplish their missions. When applied to security, this triad highlights the fact that security is not achieved by security professionals alone, and also that cyber security cannot be accomplished with technology alone.
The system or organization to be secured is acknowledged to include other human elements whose decisions and actions play a vital role in the success of security programs. Even if all these people had the motivation and interest to behave securely, they would individually not know how to act collectively to prevent, detect, and recover from harm without a preplanned process. So security professionals are expected to weave security programs into existing organizational processes and make strategic use of technology in support of cyber security goals.

Confidentiality, integrity, and availability addresses the security objectives that are specific to information. Confidentiality refers to a system’s capability to limit dissemination of information to authorized use. Integrity refers to the ability to maintain the authenticity, accuracy, and provenance of recorded and reported information. Availability refers to the timely delivery of functional capability. These information security goals applied to information even before it was on computers, but the advent of cyberspace has changed the methods by which the goals are achieved, as well as the relative difficulty of achieving them. Technologies to support confidentiality, integrity, and availability are often at odds with each other. For example, efforts to achieve a high level of availability for information in cyberspace often make it harder to maintain information confidentiality. Sorting out just what confidentiality, integrity, and availability mean for each type of information in a given system is the specialty of the cyber security professional. Cyber security refers in general to methods of using people, process, and technology to prevent, detect, and recover from damage to the confidentiality, integrity, and availability of information in cyberspace.

1.2 What Is Cyber Security Policy?

Cyber has created productivity enhancements throughout society, effectively distributing information on a just-in-time basis.
No matter what industry or application cyber is introduced into, increased productivity has been the focus. The rapid delivery of information to cyberspace often reduces overall system security. To technologists engaged in productivity enhancements, security measures often seem in direct opposition to progress, because prevention measures reduce, inhibit, or delay user access, detection measures consume vital system resources, and response requirements divert management attention from system features that provide more immediately satisfying system capabilities. The tension between demand for cyber functionality and requirements for security is addressed through cyber security policy.

The word “policy” is applied to a variety of situations that concern cyber security. It has been used to refer to laws and regulations concerning information distribution, private enterprise objectives for information protection, computer operations methods for controlling technology, and configuration variables in electronic devices (Gallaher, Link et al. 2008). But there is a myriad of other ways in which the literature uses the phrase cyber security policy. As with the term “cyberspace,” there is not one definition, but there is a common theme when the term cyber security is applied to a policy statement as an adjective. The objective of this guidebook is to provide the reader with enough background to understand and appreciate the theme and its derivatives. Those who read it should be able to confidently decipher the numerous varieties of cyber security policy. Generally, the term “cyber security policy” refers to directives designed to maintain cyber security. Cyber security policy is illustrated in Figure 1.1 using a modeling tool for making sense of complex topics called a systemigram (Boardman and Sauser 2008).
A systemigram creates an illustrative definition succinctly by way of introducing components of the thing to be defined (all nouns) and associating them with the activity they generate (all verbs). The tool requires that all major components be connected via a “mainstay” that links the concept to be defined (top left) to its