Bletchley Park is great historical evidence that women do well as contributors to national security, intelligence and technology development. At its peak, Bletchley Park, the British government’s Code and Cipher School, employed about 7,000 women in its 10,000-person code-breaking operations against the German Enigma machine during World War II. The age and education of the women in this intelligence operation varied, ranging from high school graduates at 17 years old to linguists, mathematicians and talented crossword puzzle solvers. Diversity in gender and skills was integrated successfully in cryptanalysis and some of the world’s most critical security operations.
It is not a trivial job to deploy a large-scale, open-source security monitoring infrastructure. Although you can use an easy-to-install open-source solution, e.g., Security Onion, planning and knowing what to do is still an essential part of the project.
There are several considerations that need to go into this planning:
With all of these considerations, monitoring efforts should be carefully planned and executed. For example, all traffic will be visible to the security operations center. If background checks of these personnel are not carefully done, this may be a risk for the company. Also, all changes made to the monitoring system should be audited and recorded.
Most of the time, IT and IS security governance practices fail because of poor decision making on and between the different levels of the organization. Research shows that formal structures within the governance of IT and IS do not explicitly support and address the necessity of good decision making. Often, a decision is a result that just happened because the process of decision making was not properly substantiated.
Decision making is an important topic within governance practices. Our recent Journal article describes how knowledge concerning information security can be shared in an effective way and how this knowledge can facilitate the decision-making process. We have performed multiple sessions with the use of group support system (GSS) software technology to facilitate groups in making adequate decisions. Most of the time, these group meetings are held under a time constraint and require a thorough analysis, proper interpretation and a swift decision.
After the experience of creating a security document package for the commercial product installed in our network, I was fortunate enough to have subsequent work assisting with security audits of organizations outside our company.
Only one of the several organizations I worked with was in the process of developing a system security plan based on the US National Institute of Standards and Technology (NIST) 800-53 controls. They were not ready to share that documentation at the time. The other organizations I worked with all had plans that addressed the highlights of NIST 800-53 but did not delve into the individual controls. Having a plan that addresses all of the controls is a great roadmap to help a company make sure that they have adequate data security protections in place and can be a great artifact to hand to auditors when they arrive.
Technology is evolving at an amazing pace and offering a vital benefit for businesses. On the other hand, it has also brought ever-increasing security threats. There is no agreed-upon and well-suited security audit framework for tackling IT security challenges, and there is also no holistic approach for the audit process. Because of this lack of agreement, it is getting more challenging to monitor assets; confidentiality, integrity and availability (CIA); threats; vulnerability; risk; and control.
My recent Journal article proposed 8 audit processes in 1 hierarchical framework to understand and design visualizations on the previously mentioned security concepts.