The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents. Effective security management protects all IT assets to minimize the business impact of security vulnerabilities and incidents.
Control over the IT process of Ensure systems security that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimising the impact of security vulnerabilities and incidents by focusing on defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents is achieved by:
- Understanding security requirements, vulnerabilities and threats
- Managing user identities and authorizations in a standardized manner
- Testing security regularly
and is measured by
- Number of incidents damaging the organisation’s reputation with the public
- Number of systems where security requirements are not met
- Number of violations in segregation of duties
Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks.
Hide value and Risk Drivers
|Value Drivers||Risk Drivers|
Hide Control Practices
- Establish, maintain, communicate and enforce a network security policy (e.g., provided services, allowed traffic, types of connections permitted) that is reviewed and updated on a regular basis (at least annually).
- Establish and regularly update the standards and procedures for administering all networking components (e.g., core routers, DMZ, VPN switches, wireless).
- Properly secure network devices with special mechanisms and tools (e.g., authentication for device management, secure communications, strong authentication mechanisms). Implement active monitoring and pattern recognition to protect devices from attack.
- Configure operating systems with minimal features enabled (e.g., features that are necessary for functionality and are hardened for security applications). Remove all unnecessary services, functionalities and interfaces (e.g., graphical user interface [GUI]). Apply all relevant security patches and major updates to the system in a timely manner.
- Plan the network security architecture (e.g., DMZ architectures, internal and external network, IDS placement and wireless) to address processing and security requirements. Ensure that documentation contains information on how traffic is exchanged through systems and how the structure of the organisation’s internal network is hidden from the outside world.
- Subject devices to reviews by experts who are independent of the implementation or maintenance of the devices.