• Security terminology
• Protection control types
• Security frameworks, models, and best practices
• Security enterprise architecture
• Security documentation
• Information classification and protection
• Security awareness training
• Security governance
The core goals of information assurance are confidentiality, integrity, and availability (the CIA triad).
A vulnerability is a weakness in a system, and a threat is any agent or event that could exploit it; risk is the likelihood that a threat exploits that vulnerability, weighed against the impact on your business. You already have enough risks in running a business. If you plan and create countermeasures that safeguard your IT assets, that is one less risk you will have to worry about in the future.
Controls are put in place to reduce risk, but only if you plan for them. There are three main types: technical, administrative, and physical. Technical controls are the ones we deal with here; they are software or hardware components such as firewalls, intrusion detection systems (IDS), encryption, and identification and authentication mechanisms.
The National Institute of Standards and Technology (NIST) publishes a number of documents that can help in the process, and the ISO/IEC 27000 family covers the same ground from the standards side. A few of the ISO/IEC guidelines you could look for are listed below.
• ISO/IEC 27003 Guideline for ISMS implementation
• ISO/IEC 27004 Guideline for information security management measurement and metrics framework
• ISO/IEC 27005 Guideline for information security risk management
• ISO/IEC 27006 Guidelines for bodies providing audit and certification of information security management systems
• ISO/IEC 27011 Information security management guidelines for telecommunications organizations
• ISO/IEC 27031 Guideline for information and communications technology readiness for business continuity
• ISO/IEC 27033-1 Guideline for network security
• ISO 27799 Guideline for information security management in health organizations
When it comes to a security framework, don't practice security through obscurity. If you think attackers are not as tricky and smart as you are, you're wrong, and you will be surprised when all your clients' personal data shows up on the internet for the highest bidder. Don't assume that because your code is compiled, attackers can't read it: a wide range of tools exist to reverse-engineer software, and even a plain `strings` run will pull hard-coded credentials out of a binary. Another common mistake is inventing an in-house cryptographic algorithm instead of using standard, publicly reviewed ones. Don't roll your own; you will be sorry.
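To make the "don't roll your own" point concrete, here is an added example (not code from the original post): a homebrew repeating-key XOR "cipher" of the kind that gets written in-house, the known-plaintext attack that recovers its key from a single predictable message, the keystream-reuse leak that works even without the key, and the vetted replacement. The banner and card message are constructed sample traffic; the `standard_*` functions assume the third-party `cryptography` package is installed.

```python
"""Homebrew XOR 'encryption' versus a vetted AEAD. Added example, not from
the original post. Sample messages are constructed for illustration."""
import itertools
import secrets
from typing import Optional

# Constructed sample traffic: the attacker can predict message 1 (a fixed
# protocol banner) and wants message 2, which carries card data.
BANNER = b"HELLO SERVER v1.0 READY\n"
SECRET_MSG = b"card=4111111111111111;cvv=123"


def homebrew_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """In-house 'encryption': XOR each byte with a repeating key. The output
    looks random, but the transform is linear and every message reuses the
    same keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, itertools.cycle(key)))


homebrew_decrypt = homebrew_encrypt  # XOR is its own inverse


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: key[i] = plaintext[i] XOR ciphertext[i]."""
    if min(len(known_plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def guess_key_length(known_plaintext: bytes, ciphertext: bytes, max_len: int = 64):
    """Unknown key length: the smallest n whose recovered key re-encrypts the
    whole known plaintext to the observed ciphertext is the key period."""
    limit = min(max_len, len(known_plaintext), len(ciphertext))
    for n in range(1, limit + 1):
        candidate = recover_key(known_plaintext, ciphertext, n)
        if homebrew_encrypt(candidate, known_plaintext) == ciphertext[: len(known_plaintext)]:
            return n
    return None


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Even without the key: XOR of two ciphertexts under the same key equals
    XOR of the two plaintexts, so known text in one exposes the other."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def break_homebrew(key: Optional[bytes] = None) -> dict:
    """Run the attack (default: a fresh random 16-byte key; key strength does
    not help) and return what the attacker learns."""
    key = key or secrets.token_bytes(16)
    c1 = homebrew_encrypt(key, BANNER)      # attacker knows BANNER
    c2 = homebrew_encrypt(key, SECRET_MSG)  # attacker wants this one
    n = guess_key_length(BANNER, c1)
    recovered = recover_key(BANNER, c1, n)
    return {
        "key_len": n,
        "key_recovered": recovered == key,
        "leaked": homebrew_decrypt(recovered, c2),
        "xor_leak_matches": keystream_reuse_leak(c1, c2)
        == bytes(a ^ b for a, b in zip(BANNER, SECRET_MSG)),
    }


def standard_seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """The replacement: a vetted AEAD (AES-256-GCM from the 'cryptography'
    package, assumed installed) with a fresh random 96-bit nonce per message.
    The nonce is prepended; the tag binds ciphertext and aad together."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    nonce = secrets.token_bytes(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def standard_open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Decrypts and verifies; a modified blob raises InvalidTag instead of
    silently yielding garbage."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)


def standard_roundtrip(plaintext: bytes, aad: bytes = b"") -> bytes:
    """Seal and open under a fresh 256-bit key (helper for a quick check)."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    key = AESGCM.generate_key(bit_length=256)
    return standard_open(key, standard_seal(key, plaintext, aad), aad)


if __name__ == "__main__":
    result = break_homebrew()
    print(f"key length {result['key_len']}, key recovered: {result['key_recovered']}")
    print("leaked:", result["leaked"].decode())
```

The attacker needs nothing but one message whose content is predictable (a banner, a fixed header, a greeting), which is why "the key is random and secret" is no defence for a construction like this; the AEAD path costs a few lines more and has been reviewed by people who do this for a living.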
A security framework is made up of many parts: logical, administrative, and procedural. It should be written so that everyone can understand it, not just the IT department. Attackers have been known to use any means to get access to your network, from social engineering to dumpster diving, so everyone who has access to your network needs to be trained and to understand the risk of letting an unauthorized person in.