This chapter starts very confusingly, defining terms with other terms that have not been defined. Let's examine the first two pages, and try to make some sense of them.A security management model is meant to be a generic description of what an organization should do to provide a secure environment for itself. It is generic in that it describes what should be done, but not how to do it, which makes it flexible enough to be used by many kinds of organizations. The text states on page 213, that you should choose a model for your organization to follow that is "flexible, scalable, robust, and sufficiently detailed". Many security management models exist, some of which are discussed in detail in the chapter.
Once your organization chooses a security management model, it should create a custom version of it that applies to your organization. The text refers to this as your security blueprint. In the course of developing your security blueprint, you may need to create an outline to follow, which the text calls your security framework. This
is confusing because the text explains these words in terms of each
other, and also refers to some standards as frameworks. Close your
eyes, shake your head, and let's try again.
To put those terms in perspective, imagine three phases of a project to develop your security management standards:
So, that means you need to create the framework and the blueprint, but your first goal is to select a model that makes sense. How do you select a model? Sometimes, a model has been selected for you by another part of the organization (upper management) and you simply have to use it. The good news is that whichever model was chosen, it will probably work after being customized into the blueprint for your organization.
Sometimes you are not
handed a decision, and you must make one. Even though many of the
models will yield good results in most cases, you should examine some
of the major models available to make a choice that fits well with your
organization. Starting on page 224, the text finally begins a discussion of several security management models.
This section is confusing as well, this time because the text starts
discussing a new standard before it finishes showing us tables and
figures for the last one.
Last week I asked you to look at the Krebs on Security
website article from February 12, 2014 about the security problems at
Target and other retail stores. If you have not read this article yet,
do so now.
Mr. Krebs discusses a believable theory that Target's security
was breached by an attacker who first attacked a contractor who had
been given an email account at Target. For our purposes, this article
can be considered as a post-mortem security audit of the situation,
except that it is missing what a paid analyst would typically be
expected to provide: a list of recommendations to the client on how to
avoid this situation in the future.