
Information assurance principles and practices

Last reviewed: June 22, 2011 ~4 min read

Q1. … role of project management as it relates to managing security assessments. Also discuss each phase in project management.

Five distinct project management phases are involved in security assessments. The overall purpose of a security assessment is to reduce and redress evident threats through a systematic process of review. Phase 1: Project Definition involves understanding the scope, cost and purpose of the assessment. Phase 2: Project Preparation prepares the team for the project, as well as the materials needed to complete the project itself. Phase 3: Data Gathering is the most comprehensive of all the phases. It is performed on site and involves collecting direct information about the security controls currently in place. The security risk assessment team reviews administrative policies and procedures, and may conduct on-site observations and interviews. Physical security controls are assessed through observation and testing. Technical security controls are reviewed through testing, analysis and review of logs.

Phase 4: Risk Analysis reviews the data from Phase 3 and calculates the risk to the organization. Asset values (which involve placing a specific dollar value on assets), system criticality, likely threats, and existing vulnerabilities are all taken into consideration. The nature of and potential for threats, whether from employee error or intentional threats such as viruses or sabotage, must be defined, and the level of disclosure to outside sources must be measured. Vulnerabilities can be administrative (under-trained or careless employees), physical (such as the geographic configuration of the site or susceptibility to power outages), or technical (a system's openness to viruses and worms, or the allowance of weak passwords). Phase 5: Risk Mitigation involves creating strategies to mitigate or otherwise deal with the defined risks, weighing the positive and negative aspects of each solution. Phase 6: Risk Reporting and Resolution creates procedures for reporting observed vulnerabilities after the new procedures have been instituted, allowing for quality control, adjustments, and reconfiguration of the system at periodic intervals when necessary.
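The following is an added example, not part of the essay, that turns the Phase 4 and Phase 5 description above into a small working risk register. It takes the inputs the essay names (a dollar value per asset, system criticality, threat likelihood, and the exposure left by existing administrative, physical and technical controls), scores each finding, ranks them, and weighs a proposed mitigation against its cost. The multiplicative scoring formula and the three sample findings are assumptions constructed for this illustration; the essay prescribes no particular formula.

```python
"""Constructed risk-register example for Phase 4 (Risk Analysis) and Phase 5 (Risk Mitigation).

Scoring model (an assumption made for this example, not taken from the essay):
    risk = asset_value_usd * criticality * likelihood * exposure
where criticality, likelihood and exposure are each on a 0..1 scale, so the
score reads roughly as an expected annual loss in dollars.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    asset: str
    asset_value_usd: float   # Phase 4: specific dollar value placed on the asset
    criticality: float       # 0..1, how essential the system is to operations
    threat: str              # employee error, malware, sabotage, outage, ...
    likelihood: float        # 0..1, chance the threat materialises in a year
    control_type: str        # "administrative", "physical" or "technical"
    exposure: float          # 0..1, exposure remaining given existing controls


def risk_score(f: Finding) -> float:
    """Score one finding under the assumed model; rejects out-of-range factors."""
    for name, value in (("criticality", f.criticality),
                        ("likelihood", f.likelihood),
                        ("exposure", f.exposure)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    return f.asset_value_usd * f.criticality * f.likelihood * f.exposure


def rank_findings(findings):
    """Phase 4 output: findings ordered from highest to lowest risk."""
    return sorted(findings, key=risk_score, reverse=True)


def summarize_by_control_type(findings):
    """Total risk attributable to administrative, physical and technical gaps."""
    totals = {}
    for f in findings:
        totals[f.control_type] = totals.get(f.control_type, 0.0) + risk_score(f)
    return totals


def mitigation_benefit(f: Finding, residual_exposure: float, annual_control_cost: float):
    """Phase 5: weigh a proposed control.

    Returns (risk_reduction, net_benefit); a negative net benefit means the
    control costs more per year than the risk it removes.
    """
    before = risk_score(f)
    after = risk_score(replace(f, exposure=residual_exposure))
    reduction = before - after
    return reduction, reduction - annual_control_cost


# Constructed sample findings, one per control category named in the essay.
SAMPLE_FINDINGS = [
    Finding("customer database", 2_000_000, 1.0,
            "malware introduced via unrestricted web browsing", 0.30,
            "administrative", 0.50),
    Finding("server room", 500_000, 0.8,
            "power outage", 0.20, "physical", 0.60),
    Finding("wireless network", 300_000, 0.6,
            "weak passwords allow credential guessing", 0.40,
            "technical", 0.70),
]


if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{risk_score(f):>12,.0f}  {f.asset:<18} {f.threat}")
    print(summarize_by_control_type(SAMPLE_FINDINGS))
    # Proposed control: web filtering policy cutting exposure to 0.10 for $20,000/yr
    print(mitigation_benefit(SAMPLE_FINDINGS[0], 0.10, 20_000))
```

The ranked list is what a Phase 4 report would carry forward, and `mitigation_benefit` is the Phase 5 weighing step in miniature: the same call can be repeated for each candidate control so the positive and negative aspects of each solution are compared on one scale.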

Q2.Differentiate between administrative, technical and physical security controls (safeguards) and give an example of each.

Administrative controls relate to the procedural elements of risk mitigation, including avoiding lapses in policies, procedures, or security activities and setting acceptable use terms for employees. For example, a company that does not restrict employee web browsing may leave itself open to potential threats. Technical controls relate to the technology itself, such as having a secure wireless connection and passwords that are difficult to hack. Physical controls relate to physically ensuring that the premises are difficult to access, such as having security guards posted at all exterior doors. Systems must be safeguarded on all of these fronts: employees must know how to ensure that their behavior enhances security, and procedures must be clearly delineated. The system itself must be technically up to date and protected using controls such as firewalls. Intrusions from outside by potential assailants (such as a terrorist 'hacker' posing as an employee) must also be carefully guarded against.

Q3. Identify and explain how to gather data on administrative, technical, and physical security controls (safeguards).

Cite This Paper
PaperDue. (2011). Information assurance principles and practices. PaperDue. https://www.paperdue.com/essay/role-of-project-management-as-42702
