Discuss how a successful organization should have the following layers of security in place for the protection of its operations: information security management, data security, and network security.
Multiple Layers of Security
Marlowe Rooks posted Mar 13, 2020 9:54 AM
Looking at Vacca's book, chapter 1: "Information security management as a field is ever increasing in demand and responsibility because most organizations spend increasingly larger percentages of their IT budgets in attempting to manage risk and mitigate intrusions, not to mention the trend in many enterprises of moving all IT operations to an Internet-connected infrastructure, known as enterprise cloud computing" (John R. Vacca, 2014). It is the organization's responsibility to protect its business and its client information at all times. With that said, I'm going to break down why companies need to have multiple layers of security and what types they should implement below.
The first layer is Information security management, which can be from Physical Security or Personnel Security. Physical Security can range from physical items, objects, or areas from unauthorized access and misuse. Personnel Security is to protect the individual or group of individuals who are authorized to access the organization and its operations. Some of the reasons to implement Information Security are as follows:
· Decrease in downtime of IT systems
· Decrease in security related incidents
· Increase in meeting an organization’s compliance requirements and standards
· Increase in customer satisfaction, demonstrating that security issues are tackled in the most appropriate manner
· Increase in quality of service
· Process approach adoption, which helps account for all legal and regulatory requirements
· More easily identifiable and managed risks
· Also covers information security (IS) (in addition to IT information security)
· Provides a competitive edge to an organization with the help of tackling risks and managing resources/processes
The second layer would be Data Security, which refers to the process of protecting data from unauthorized access and data corruption throughout its lifecycle. Data security includes data encryption, tokenization, and key management practices that protect data across all applications and platforms. Some of the reasons to implement Data Security are as follows:
· Cloud access security – Protection platform that allows you to move to the cloud securely while protecting data in cloud applications.
· Data encryption – Data-centric and tokenization security solutions that protect data across enterprise, cloud, mobile and big data environments.
· Web Browser Security – Protects sensitive data captured at the browser, from the point the customer enters cardholder or personal data, and keeps it protected through the ecosystem to the trusted host destination.
· Mobile App Security – Protecting sensitive data in native mobile apps while safeguarding the data end-to-end.
· eMail Security – Solution that provides end-to-end encryption for email and mobile messaging, keeping Personally Identifiable Information and Personal Health Information secure and private.
The third layer would be network security, which is to protect networking components, connections, and contents. Access to networks is gained by authorized users, whereas malicious actors are indeed blocked due to the fact that they do not have authorized access to the system. Some of the things that can be used to stop hackers from breaking into your company's Network Security are as follows:
· Antivirus and Antimalware Software
· Application Security
· Behavioral Analytics
· Data Loss Prevention (DLP)
· Email Security
· Mobile Device Security
· Network Segmentation
· Security Information and Event Management (SIEM)
· Virtual Private Network (VPN)
· Web Security
· Wireless Security
· Endpoint Security
· Network Access Control (NAC)
In conclusion, it is the responsibility of companies and their personnel to do everything they can to protect their clients' information from being exploited, and also to protect the systems that they work on from malicious attacks due to human mistakes.
John R. Vacca (2014). Information Security Essentials for IT Managers: Protecting Mission-Critical Systems. Managing Information Security, Second Edition, chapter 1. Retrieved from Syngress Publishing.
Multi-Layers of Security
Glenn Pablo posted Mar 11, 2020 1:33 PM
In order for organizations to protect assets vital to business, implementing multiple layers of security would be paramount. How is that done, though? Based on our background material, there are quite a few items to consider, ranging from cost-benefit analysis and risk assessments to physical security and access control. Chappel, Ballad, & Binks stipulate that an organization cannot secure everything, so prioritization is needed to protect what is valued the most (2014).
I would gather physical security should be a start. This can relate to access control points with actual security personnel present, or a secure door in which a common access card is needed for entry. Maybe an organization implements both, but this will depend on the assets within that need safeguarding. From that point, personnel identification badges and common access cards would be another layer of security required. Chappel, et al., suggest that organizations use a multi-layered approach to access control in order to mitigate budget and staff limitations and risk (2014). As stated earlier, an organization cannot secure everything, so by layering security measures an organization allows for the covering of gaps within its security protocols. While a business implements a secured layer approach, it will need to ensure these domains of the IT infrastructure are considered when developing a multi-layered access control system. The domains are explained below.
Domains of IT Infrastructure
1. User: This is the primary layer, in which users have to be trained to understand infiltrator tactics and the importance of strong passwords.
2. Workstation: This is the computer an individual operates on a daily basis, which has virus scanning, operating system patches/updates, and a host firewall. This security will enable incoming emails, attachments, and downloads to be scanned in order to protect the workstation from infection and from possibly impacting other systems connected to the network.
3. Local Area Network (LAN): This layer allows for intrusion detection and prevention for all systems connected to the network, and also performs email and server scanning. If you have a workstation at work, you may have experienced the scanning of your workstation although you are not doing anything with it at the time. This relates to the LAN scanning your system, or I believe that is what it relates to.
4. Local Area Network to Wide Area Network (LAN to WAN): This is what they call the intersection between the LAN and the WAN, in which a firewall will be the security layer. The firewall will allow authorized data to move freely between the WAN and the LAN while bringing malicious data to a halt between the two networks.
5. Remote Access (Virtual Private Network & IP Tunneling): VPN passes data through a public network utilizing IP tunneling. IP tunneling encapsulates (condenses) packets, then sends those IP packets securely across the internet. Data passed through IP tunneling is said to be more secure than using a private network based on advanced encryption capabilities. Usually, VPN and IP tunneling take effect when personnel work from home or are offsite from the actual office.
6. System/Application: This layer is the continuous update of software or hardware updates involving patches. From what I can ascertain, this is similar to all the software updates that take place with a personal device such as a laptop or desktop. In the workplace, this more than likely is controlled by the personnel that manage the organization's network. Normally these updates contain security or operational patches to keep your workstation as well as the entire network updated with security features protecting against newly found malicious data or viruses.
Chappel, et al., sum it up by stating that no access control system is one hundred percent secure. With time, resources, and determination, a hacker will be able to penetrate the network (2014). This is more like keeping the honest people honest when you add the physical security measure to your home or vehicle. The thief will more than likely choose the house that leaves its windows open on a daily basis versus trying to break into your house that is secure and has a security monitoring system. As thieves usually case a house looking for an easy target, hackers constantly look for those organizations or individuals that are easy targets. The key is not to be that easy of a target.
Chappel, M., Ballad, B., Ballad, T., and Binks, E. K. (2014). Access control, authentication, and public key infrastructure (2nd ed.). Jones and Bartlett Learning.