Project Part 6
Project 2 Protect
Program Control Design, Control Selection, and Implementation
One of the most important aspects of protecting the assets identified in the Plan section is implementing a program control design, control selection, and implementation plan. This plan will ensure proper technical and non-technical controls to provide a defense-in-depth strategy.
The first step in this process is identifying the specific controls needed to protect the assets. To do this, the risk assessment should be reviewed and all potential risks identified; the controls that address each risk can then be determined. For example, if the risk is an unauthorized user accessing the system, a technical control such as a firewall or a password would be implemented (Aleksandra Miljus et al., 2018). If the risk is an employee disclosing confidential information, a non-technical control such as a code of conduct policy or an employee awareness program would be implemented instead. Once the controls have been identified, they should be implemented. This includes ensuring that the necessary hardware and software are in place, that policies and procedures guide the use of the assets, and that users are trained in how to use the controls. The controls should be monitored and tested regularly to ensure that they remain effective and up to date.
Once the necessary controls have been identified, the next step is to select the appropriate ones. For example, a strong password policy may be sufficient if the risk is an unauthorized user accessing the system, whereas a more robust code of conduct policy or employee awareness program may be needed if the risk is an employee disclosing confidential information. After the appropriate controls have been selected, the next step is to implement them. This may involve deploying software or hardware solutions, such as firewalls or authentication systems, or developing policies and procedures, such as user access or data handling policies. Implementation also means ensuring that the controls are in place, properly configured, and regularly tested and monitored. This is a critical step, as it ensures that the controls function properly and that the assets are adequately protected.
Training
In addition to program control design, control selection, and implementation, it is also important to train employees. Such training should cover the security policies and procedures in place, as well as the risks associated with the assets. For example, employees should be trained on the proper use of passwords and the risks of sharing confidential information (Maslow, 2005). They should also be trained on the proper use of the system, the risks of accessing unauthorized resources, and the risks of downloading malicious software. Staff should know the processes and procedures in place for reporting security incidents or breaches, and should be trained in the proper response to such incidents, including the procedures to be followed in the event of a security incident and the steps to be taken to protect the assets.
Maintenance
It is also important to regularly maintain and update the security controls that have been implemented. For example, the system's operating system and software should be updated regularly and security patches applied as needed. The security policies and procedures that have been implemented should be reviewed regularly, and the system should be monitored for any signs of a security breach. Users should be educated about the security policies and procedures and made aware of the risks associated with their activities. Security scans and tests should be run regularly to identify and address any vulnerabilities in the system.
Security Metrics
Security metrics are important for measuring the effectiveness of the security controls that have been implemented. These metrics should be monitored regularly to ensure that the controls function properly and that the assets are adequately protected. For example, the number of successful and unsuccessful login attempts, the number of suspicious activities detected, and the number of successful and unsuccessful security incidents should all be monitored (Fitzgerald, 2005), as should the number of successful and unsuccessful patch installations, unauthorized user access attempts, and successful and unsuccessful security awareness campaigns. Monitoring these metrics makes it possible to determine the effectiveness of the implemented controls and to identify areas for improvement. The number of changes made to security settings and the number of security alerts should also be tracked to confirm that the controls remain effective, and the number of successful and unsuccessful security audits should be monitored to ensure that the controls are evaluated regularly.
Conclusion
The Protect section of the security plan should describe the program control design, control selection, and implementation, as well as the training and maintenance plans that have been implemented. Security metrics should be monitored regularly in order to measure the effectiveness of the security controls that have been implemented. Following these steps makes it possible to ensure that the assets are adequately protected and that the security controls are functioning properly.
References
Aleksandra Miljus, Perkowski, M., Perlman, A., & New. (2018). Navigating the digital age: The definitive cybersecurity guide for directors and officers. Palo Alto Networks.
Fitzgerald, T. (2005). Chapter 10: Operational controls: Practical security considerations. In Information security governance simplified. www.oreilly.com. https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml
Maslow, A. H. (2005). Chapter 8: Managerial controls: Practical security considerations. In Information security governance simplified. www.oreilly.com. https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188