Wednesday, May 8, 2019
Assessment of Technology-centric Strategies for Information Security Essay
Assessment of Technology-centric Strategies for Information Security in an Organization - Essay Example

Defense in depth is a best-practices strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between protection capability and cost, performance, and operational considerations (National Security Agency).

Fahey (2004) graduated from the SANS GSEC course and uses its systematic approach to addressing risk by means of defense in depth. The SANS approach promulgates an efficient and cost-effective methodology for improving security. The organization for which he works already had a number of policies, each designed to address one layer of a multi-layered approach to IT security, such as operations security, physical security, and contingency and disaster recovery. Furthermore, external security personnel routinely came to the organization to perform security audits. He was concerned that one area which had not been addressed was a systematic procedure designed to protect against electronic attacks from hackers. This was due in part to the false sense of security which comes from being behind a firewall, and partly to a lack of experience in the information security field (Fahey, 2004, p. 3).

In putting together a defense-in-depth security policy one must consider the characteristics of one's adversary, the motivation behind an attack, and the class of attack. An adversary may be anyone from a competitor to a hacker. They may be motivated by theft of intellectual property, denial of service, or simply pride in bringing down a target. Classes of attack include passive or active monitoring of communications, identity theft, or close-in attacks.
Besides deliberate attacks there may also be inadvertent attacks on the system, such as fire, flood, power outages and, most frequently, user error.

Information Assurance is achieved when information and information systems are protected against such attacks through the application of security services such as Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. The application of these services should be based on the Protect, Detect, and React paradigm. This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these attacks. No system is perfectly secure, and it has been argued that no system needs to be. To achieve Information Assurance, focus must be balanced across three elements: People, Technology, and Operations.

Security goals have their own contradictions, because confidentiality, integrity, privacy, accountability, and recovery often conflict fundamentally. For example, accountability requires a strong audit trail and end-user authentication, which conflicts with privacy needs for user anonymity (Sandhu, 2004, p. 3).

Fahey's methodology for evaluating risk used the confidentiality, integrity, and availability (CIA) approach, which emphasizes the importance to the organization of a particular information asset. This approach focuses budget managers on the real threats to the organization and therefore on the business's ability to survive against its competitors.

Fahey focuses on three security risks in his article: passwords, policies, and patches. Fahey's risk assessment relies heavily on the SANS assessment of the top 20 risks for networks in 2003/4. This brings to light the