
Complete Guide to CISM Certification


DOCUMENT INFORMATION

Basic information

Title: Complete Guide to CISM Certification
Publisher: Auerbach Publications, Taylor & Francis Group
Subject: Information Security
Type: guide book
Year published: 2007
City: Boca Raton
Format:
Pages: 476
File size: 17.3 MB


Contents (excerpts)

[...] Authorization. To gain access to information and the processing systems, everyone needing access must be assigned a unique, individual access code. Typically this access code is called a userID or an account. There must be procedures in place to provide the information necessary and the approvals required to grant [...]

[...] way to demonstrate support is to demonstrate openly their support for the program. This could be as simple as wearing their employee identification badges. Finally, allocating sufficient resources to information security is the third way to demonstrate support. We would all like to have the budget to do things. Information security programs are doomed to failure without the overt support of senior management. To [...]

[...] preventive, detective, containment, and recovery. Dr. Peter Stephenson has altered these elements to currently address assurance, avoidance, detection, and recovery. Our strategy is to prevent as much as possible; then we want to be able to detect when we have problems, to contain the problem, and we want to have the ability to recover from it. Business continuity planning is part of our overall organization process [...]

[...] users', partners', and employees' sensitive information, such as wages, social security numbers, and health care information. It is the ultimate responsibility of senior management to assume the fiduciary duty to protect the assets of the organization. From the context of a security program, senior management needs to witness and have demonstrated [...]

[...] coming in and saying, "Hey, watch this." So you have to have a recovery plan to be able to recover the information as you go through the process. An effective security function requires a well-administered security and privacy policy, meaning that not only do we have the written word but that you check it from time to time to make sure it continues to meet the goals and objectives of an organization and [...]

[...] in Figure 1.2. We go into more detail later in this chapter on policies and supporting documents. When establishing an information security strategy, the goal of what must be accomplished must be present in all that we create and implement. Information security's goal is not to stop all access to all information but to provide a safe and secure process for all authorized personnel to gain access. The information [...]

[...] Systems Security Association (ISSA®) bestowed its Individual Contribution to the Profession Award on him, and in 2001 he was inducted into the ISSA® Hall of Fame. Tom was also awarded the CSI Lifetime Emeritus Membership Award. Currently he is the president of Thomas R. Peltier Associates, LLC, which is an information security training firm. Prior to this he was director of policies and administration for [...]

[...] need to know: you have to have a business need to have access to whatever you're looking at. An effective security strategy requires at a minimum five key elements: policies, procedures, authentication, authorization, and a recovery plan, because people have a tendency to wipe things out inadvertently. Sixty-five percent of information loss still comes from errors and omissions. The last thing that you want to [...]

[...] has been established, it will be necessary to authenticate the individual to the system or application they need to access the information. This process is termed authentication and is the process of identifying an individual, usually based on a username and password. A userID and password pair is termed one-factor authentication. The userID can be teamed up with a token card (such as a SecurID card that changes [...]

[...] my job. There are two key elements regarding authorization, and those are need to know and least privilege. In authentication it is necessary to establish the parameters that verify individuals are who they present themselves to be. Once authenticated, the individual must be authorized to access the resources of the organization. To accomplish that, the individual must present a business need for access. Once [...]

Library of Congress Cataloging-in-Publication Data: Peltier, Thomas R. Complete guide to CISM certification / Thomas R. Peltier, Justin Peltier.
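The excerpts above name the pieces of an access path without showing how they fit together: a unique userID, a one-factor password check, a second factor from a token that changes over time, and then a separate authorization decision based on need to know and least privilege. The following is an added example, not code from the CISM guide or its authors, that wires those pieces into one runnable flow. The user "jsmith", the "payroll" resource and the grants table are constructed sample data; the token secret is the public RFC 6238 reference test key, so the one-time codes it produces can be checked against the RFC's own test vectors. The password hash is PBKDF2-HMAC-SHA256 and the token is a standard TOTP (HMAC-SHA1, 30-second step), both from the Python standard library.

```python
# Added illustration of the access path described in the excerpt
# (unique userID -> password factor -> token factor -> need-to-know check).
# Not code from the CISM guide. Sample users, resources and grants are
# constructed; the token secret is the public RFC 6238 test key.
import hashlib
import hmac
import secrets
import struct

# --- Factor 1: something you know (userID + password) --------------------

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password, salt, expected):
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

# --- Factor 2: something you have (time-based one-time code, RFC 6238) ---

STEP = 30  # seconds per token period

def totp(secret, unix_time, digits=6):
    """HOTP over the counter floor(unix_time / STEP), truncated to `digits` digits."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret, code, unix_time, window=1):
    """Accept the current period and +/- `window` periods to absorb clock skew."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * STEP), code)
        for k in range(-window, window + 1)
    )

# --- Constructed sample directory: every person gets a unique userID ------

RFC6238_TEST_SECRET = b"12345678901234567890"   # public test key from RFC 6238
_salt, _digest = hash_password("correct horse battery staple")
USERS = {
    "jsmith": {"salt": _salt, "pw_hash": _digest, "totp_secret": RFC6238_TEST_SECRET},
}

# Need-to-know grants: userID -> resource -> allowed actions.
# Least privilege means deny by default: anything not listed here is refused.
GRANTS = {
    "jsmith": {"payroll": {"read"}},
}

def login(user_id, password, code, unix_time, users=USERS):
    """Returns 'ok' or the name of the first failing step; all steps must pass.
    (A production service would run a dummy password check for unknown users
    so response time does not reveal which userIDs exist.)"""
    user = users.get(user_id)
    if user is None:
        return "unknown user"
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return "bad password"
    if not verify_totp(user["totp_secret"], code, unix_time):
        return "bad token"
    return "ok"

def authorize(user_id, resource, action, grants=GRANTS):
    """Authorization is a separate decision made after authentication succeeds."""
    return action in grants.get(user_id, {}).get(resource, set())

if __name__ == "__main__":
    now = 59  # RFC 6238 vector: at t=59 the 6-digit code for the test key is 287082
    print(login("jsmith", "correct horse battery staple", "287082", now))  # ok
    print(authorize("jsmith", "payroll", "read"))    # True: business need granted
    print(authorize("jsmith", "payroll", "write"))   # False: no grant, so denied
```

The point to notice is the separation: `login` only establishes who the person is, and `authorize` answers a different question (does this identity have a recorded business need for this action on this resource). Passing authentication grants nothing by itself, and an empty grants entry is a denial, not an error.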

Posted: 25/03/2014, 11:10
