Harry and Mae's Infrastructure Improvement Action Plan - First Draft
This week, we were told that our Blog Assignment was to explain what the most difficult part of developing our Action Plan for our Course Project was.
This was my Action Plan:

The action plan to remediate Harry and Mae's IT security issues is simple.

1. Implement a Security Management Framework
2. Mitigate risks associated with the threats that have already been identified
3. Continuously monitor threats and vulnerabilities
4. Assess and manage the risks associated with these threats and vulnerabilities
5. Apply controls where possible to mitigate risks
6. Document residual risks
7. Regularly report on threats, vulnerabilities, and risks to management
8. Continually educate all employees about threats and vulnerabilities
9. Continually educate and equip the IT staff with the knowledge and tools they need to mitigate the risks associated with the threats and vulnerabilities that are identified
= = = = = = = = = = = = = =
I think the two most difficult aspects of this assignment were:

1) Structuring it in a comprehensive, understandable manner that would garner the management support and buy-in needed to execute the plan.

2) Recommending the adoption of a comprehensive and proven security management framework (ITIL v3) with which to better control and manage security using finite resources. That was a bold, yet needed, move if Harry and Mae's is going to mature in the areas of risk management and security management.