
Explore the models, frameworks, strategies, and approaches in enterprise information security management, and assess their pros and cons to design, plan, build, deploy, and operate an information security program.
Explore how approaches, frameworks, strategies, and models guide information security management, with examples like Bell-LaPadula and Clark-Wilson, and a five-points framework for evaluating effectiveness.
Explain how policy, standards, guidelines, and best practices shape information security within organizations, from need-to-know access to ISO/IEC 27001, 27002, and 27005 guidance on risk management.
Explore how programs, projects, and plans align with strategy, detailing FLAM relationships, delivery via projects, and the role of performance metrics and security metrics in information security management.
The lecture explains how information is classified by sensitivity levels, how access relies on security clearance and need-to-know, and how multi-level security enforces confidentiality.
Explain how a multi-level security system uses Top Secret, Secret, Confidential, and Public classifications, along with the need-to-know principle, to limit access by job needs and compartments.
Assess the military security approach as a national security driver prioritizing confidentiality and classification. Examine resources, performance, and outcomes through Common Criteria, costs, and expertise gaps.
Discover the commercial approach to information security, with its less rigid structure, and identify commercial data, such as PII, proprietary information, customer information, intellectual property, financial information and trade secrets.
Describe discretionary access control in business, where the information owner sets access via an access matrix and information custodian enforces it, aligned with the BLP and CIA models.
Clark and Wilson’s integrity model defines well-formed transactions with separation of duties and exclusive role authorization to prevent fraud in purchasing, receiving, and accounting.
Apply Brewer and Nash’s Chinese wall policy to enforce separation of duties and prevent conflicts of interest by restricting access across conflict classes.
Explore the weakest link principle and defense in depth as core strategies, combining layered protections with people, processes, and technology, plus incident detection, response, and recovery.
Explain how the commercial security approach blends principles to manage information security challenges, driven by legal and regulatory compliance, reputational risk, and focus on classification, baseline security, audits, attestations.
Explore the risk-based approach as an evolution from the commercial security model, addressing challenges and balancing higher baseline security with defense in depth amid rising costs and complexity.
Distinguish complex from complicated systems, highlighting emergence, autonomous agents, feedback loops, and unpredictable outcomes. Adopt a risk-based approach to security, balancing defense in depth, resource limits, and prioritized protections.
Embrace a risk-based approach to information security to prioritize high-risk areas, balance risk and opportunity, and align governance with ISO/IEC 27001 certification.
Identify risks, assess their significance and likelihood, then act from the risk assessment; plot risks on a two-dimensional chart, classify into green, yellow, red zones, and reduce red zones.
Explore the high-level risk management process from risk assessment and rating to risk treatment and response, with monitoring and audits that support the ISO/IEC 27001 six-step cycle and continuous improvement.
Assess risk as a function of threats and vulnerabilities on information and organizational assets using risk analysis and impact analysis, as threat actors deploy virus, worm, trojan, or social engineering.
Learn how quantitative risk assessment uses asset value, exposure factor, and annual rate of occurrence to compute the single loss expectancy, annual loss expectancy, and cost-benefit analysis, guiding safeguards decisions.
Qualitative risk assessment relies on judgement, historical data, informed opinions, and stakeholder input to rate risk as low, medium, or high on a five-point scale. Employ brainstorming and Delphi technique.
Explore scenario-based qualitative and quantitative risk assessments, describing threat models and safeguards, rating risk levels, and compiling diverse inputs for management-level risk treatment decisions.
Assess risk and decide to accept, transfer, mitigate, or avoid, balancing safeguards' cost with potential impact, and use compensating controls or insurance as needed.
Weigh the total cost of security controls, including program management, selection, acquisition, construction, environmental changes, operating, maintenance, and side effects, to select a cost-benefit option and implement, monitor, and audit.
Identify residual risks after countermeasures, including accepted risks and exposure factors not fully eliminated by safeguards, while noting how mitigation, outsourcing, and continuous monitoring and reassessment shift risk ratings.
Explore ISO/IEC 27001, a family of standards guiding risk management, auditing, and cloud controls, with integration to ISO 20000 and ISO 22301, and certifiable, branding-driven trust.
Explore how certification as a trust symbol affects ISMS risk focus, auditor objectivity, and scope limitations, and why full-organization certification can be costly and may dilute focus.
Adopt a risk-based approach to balance resources and security issues, prioritizing risk assessment and risk treatment within the ISO 27001 cycle of risk assessment, internal audit, and external audit.
Introduce the responsive security approach, rooted in the author’s PhD research and a book bearing the same title, addressing key issues and dilemmas in knowledge and practice domains.
Explore the circularity of information security principles, prioritizing the weakest links through defense in depth and risk management while recognizing residual risks and the potential for black swan events.
Explore social-technical issues in information security, the weak-link problem, and the measurability of outcomes under risk-based versus security-control approaches.
The lecture shows how fear, uncertainty, and doubt (FUD) are used to sell security, driving emotion-based decisions, misallocation of budgets, and public resistance to discussing failures under regulators' scrutiny.
Boards rely on audit committees and auditors to spotlight security issues, yet compliance-focused culture makes management reactive to new attacks and weakens fair security performance assessments.
Learn how to identify and mitigate information security risk by reducing vulnerabilities and exposure, focusing on protecting assets from threat actors and vectors.
Apply three steps to reduce exposure in enterprise information security management tools: gain visibility, develop situation awareness, and align criticality across security operations.
Gain visibility and context to identify exposures, assess critical assets, and continuously realign resources to manage risk and uncertainties in the face of changing threats.
Use stakeholder analysis, dialectic model of systems inquiry, five-level action map, action learning, and Flood’s four windows of systems thinking to implement responsive security.
Deploy sensors, collectors, and scanners for security monitoring and vulnerability discovery, integrate external threat intelligence feeds, and adopt design patterns for segmentation, isolation, and containment to improve readiness.
A responsive security approach shortens notification and mitigation times to limit exposure from phishing, highlighting awareness, competent people, efficient processes, and the right tools at the right time.
Develop readiness by moving beyond awareness, building organizational capacity to understand security needs and how-tos, enabling rapid response to changes in business and risk environments.
Align criticality to incidents and changes to guide realignment actions, building competencies in people, process, and technology to achieve visibility, situational awareness, and actionable intelligence.
Explore a high-level reference architecture for a responsive security system, highlighting boundary, governing variables, internal event data, external change events, and protective, response, and assurance actions.
Adopt a responsive security approach that combines iso 27001 isms with risk-based methods to improve visibility, situation awareness, and criticality alignment through prepare-detect-respond planning, drills, and readiness measurement.
Apply the balanced security scorecard to translate security approaches into a measurable strategy, aligning the information security program with the organization's vision and enabling performance measurement.
Balancing four perspectives—financial, customer, internal business process, and learning and growth—drives the balanced security scorecard, drawing on the balanced scorecard approach to address shortcomings of traditional financial metrics.
Understand the balanced security scorecard (BSS) and its strategy map to align information security with the organization's vision, strategy, and outcomes while prioritizing and tracking initiatives across four perspectives.
Apply Kaplan and Norton’s balanced scorecard to align long-term financial objectives with customers, internal processes, asset utilization, and learning and growth, guiding security service cost recovery, efficiency, and risk reduction.
Link the reducing risk theme from the financial perspective to information security and internal business processes, driving vulnerability management with outcome and leading measures, ownership, and time-to-closure targets.
Enable CISOs to communicate security strategy to senior leaders using the balanced security scorecard. Align security values with business outcomes and drive measurable results through nine adoption benefits.
The balanced security scorecard shows program performance with outcome metrics, cause and effect linkages, and four perspectives. Leadership aligns objectives, measures, targets, and initiatives with automation and bottom-up input.
Use the balanced scorecard as a management tool to drive strategy execution with effective measurements. Limit metrics to 15 to 20 across perspectives and maintain flexible definitions to avoid ambiguity.
Develop a security strategy using a risk-based or responsive security approach and the balanced security scorecard to drive transparency, outcomes, and a living strategy map for CISOs.
Explore how security maturity models evolve from the generic capability maturity model to the SSE-CMM, emphasize continuity and assurance, align with ISO/IEC 21827, and define maturity levels with process requirements.
The SSE-CMM defines capability levels and maturity in security engineering through common practices and features, while O-ISM3 offers a related five-level model for assurance and certification.
Define and manage information security processes using ISM3, linking security objectives to business objectives, measuring process capability with metrics, and mapping to maturity levels for incremental improvement.
ISM3 reframes security measurability by using operational definitions and a dialogue between security managers and business managers to align objectives, targets, and escalation thresholds for ISMS failures.
Apply the capability maturity approach to govern an information security program at the project level, measuring 12 functional areas against targets and benchmarks, including open standards and commercial maturity models.
Explore the new school approach to information security, combining economics, psychology, and social sciences to drive changes in organizational behavior that shape security program design, implementation, and operations.
The new school of information security challenges traditional approaches by avoiding fear-based sales, vendor-driven solutions, and vendor hype. It advocates embracing scientific methods, sharing objective data through breach disclosure, and learning from economics and human behavior to justify investments and improve security programs.
ITIL guides strategy, design, transition, operation, and continual service improvement of IT services, with a security focus aligned to ISO/IEC 27001 ISMS and ISO/IEC 20000, which covers minimum security requirements.
Explore COBIT version 5, a framework by ISACA for IT governance and management that embeds security controls by design, aligning control objectives with compliance, budget considerations, and security investments.
Examine models, frameworks, and approaches for information security, from military to commercial, including risk-based and responsive strategies, hybrid approaches, balanced scorecards, and maturity models, to align with business strategy.
The purpose of this series course is to address the growing challenges of managing information security risks in enterprise and government organizations, prompted by the complexity and risks of today’s changing technological landscape, as well as increasingly demanding business aspirations. These challenges are further escalated by the inadequacies of existing risk management models and professional development approaches.
Similar to warfares,In information security, there are various strategies, frameworks, approaches, and models, that have been developed over the years, which could help practitioners design, plan, build, deploy, and operate an information security management program in organizations. In this part, we'll discuss how organizations use them.
By the end of this module, you should gain a level of understanding of the models, frameworks, strategies, and approaches applicable to enterprise information security management; discourse their pros and cons, and apply your learning to given scenarios and in your organizations.