During the span of one’s college career, a select number of courses become something more than a simple requirement to be satisfied to assure graduation; these are moments in a student’s educational process which make the most lasting impacts. In my personal case, the lessons I have learned as part of my studies in ISSC680 will likely be remembered in those terms, as my eventual career will find me utilizing much of the foundational knowledge I gained in this course on a daily basis. As an aspiring information security officer, who hopes to apply the skills imparted throughout my time in ISSC680 during my professional career, I am sure that when I reflect on my college experience this class will stand out above the rest in terms of significance. The two textbooks which have provided detailed instruction on the field of information security, Information Security Fundamentals and Information Security: Design, Implementation, Measurement, and Compliance, have become essential resources both in and out of the classroom setting, as the wealth of experiential data contained within has enabled me to comprehend both the requirements of my future career, and the great responsibility my duties as an information security officer will entail. From the theoretical underpinnings of data protection and access control methods, to the moral and ethical ramifications of protecting a firm’s invaluable data by any means necessary, the course material I have been exposed to during my time in ISSC680 ranks among the most influential of my college career. Through a thorough review of the course itself, including the crucial concepts that form the foundation of an information security officer’s daily duties, I hope to examine the multitude of ways that this course has improved my base of knowledge, expanded my skill set, and enhanced my capabilities as a defender of digital data.
Throughout the entire course I have been continually exposed to new sources of knowledge regarding the field I aspire to work within, from the textbook material, instructors, and even fellow students. The process of reading individual chapters from the textbooks, which covered such diverse topics as risk assessment models, risk analysis and management, and access control methods, and writing detailed essays on the relevant material proved to be a highly informative process. By approaching the various methodologies and procedures used by information security analysts in the field, and contemplating how I may apply them within my own career, I found my confidence increasing as my base of knowledge continued to expand. As the authors of Information Security Fundamentals state in the introduction to their expansive volume, the book “was designed to give the information security professional a solid understanding of the fundamentals of security and the entire range of issues the practitioner must address” (Peltier, Peltier & Blackley, 2005). It was through this course that I was first exposed to the network of organizations working to serve information security professionals, including the Computer Security Institute (CSI), “the original and leading educational membership organization for information security professionals” whose mission is “to provide high quality products that focus on practical, cost-effective strategies, solutions and methodologies that will help you to protect your organization’s greatest asset: Information” (Computer Security Institute, 2012). Having come to the conclusion of my experience in the ISSC680 course, I firmly believe that I am more fully prepared to accomplish my duties as a professional information security analyst, because today I am equipped with both the theoretical foundations of the industry’s fundamental tenets, and the ability to discern when, where and how to most properly deploy those skills.
One of the core concepts within the field of information security and data protection is that of risk assessment, and considering Timothy P. Layton states in the preface to Information Security: Design, Implementation, Measurement, and Compliance that “the heart of every information security program is always risk assessment” (2007), it is useful to begin any discussion of ISSC680 with this critical component. While the idea of assessing the litany of risk factors, both from external threats and internal misconduct, may appear to an obvious step in securing an organization’s data delivery networks, I soon discovered through our readings and lectures that a true information security professional must be capable of seeing beneath the proverbial surface of every security issue they confront. After becoming familiarized with the Information Security Risk Assessment Model (ISRAM), as well as other assessment types such as the Global Information Security Assessment Methodology (GISAM), I now feel extremely prepared to assist the organization that hires me by identifying threats through anticipatory means. Whether the risks are generated by the malicious intrusion of anonymous hackers, the prying eyes of competing organizations, or simply the negligence or incompetence of office workers during the often chaotic daily exchange of data, I know now that I must remain vigilant in my efforts to conduct effective and efficient risk assessment processes on a routine and regular basis.
As the sheer scope and reach of modern computing technology continues to expand at a seemingly exponential pace, part of my responsibility as an aspiring information security officer is to develop a level of proficiency with the tools of my trade. From the complexities of the massive server farms used by major corporations to store the endless stream of data produced by their global business operations, to the “initial sign-on screen that is the first indication there are controls in place” (Peltier, Peltier & Blackley, 2005), the lessons imparted throughout this eight-week course have equipped me to utilize the full spectrum of data protection tools currently available. One of the most interesting aspects of information security I encountered during my time in ISSC680 is the concept that, even within a world increasingly dominated by computing technology and digitized data, “to be an effective program, information security must move beyond the narrow scope of IT and address the issues of enterprisewide information protection because the bulk of all of the information available to employees and others is still found in the printed form” (Peltier, Peltier & Blackley, 2005). While my primary objective as a professional information security analyst will always concentrate on securing the storage of, and restricting access to, my firm’s digital data, being reminded of the importance that paper-based files and memoranda still play was a refreshing recalibration of my priorities.
Another extremely important aspect of the modern information security field that I was exposed to during this course is the synergy which must exist between an organization’s IT department and its overall management structure. As Layton states emphatically in his Information Security: Design, Implementation, Measurement, and Compliance, “the information security battle is won in the boardroom and not at the firewall & #8230; because executive and management support is one of the most important elements for successful information security programs next to users accepting and acting properly on the information security policies and guidelines” (2007). Discovering that my own abilities as an information security officer will always be somewhat limited by the executive strategies put in place by my superiors was an enlightening, and yet humbling, revelation that will surely inform my decision making in the future. When one considers the recent advisement issued by the Information Systems Security Association that “no matter how much technology is applied to an issue, it only takes one human mistake or action to defeat the technology and open an organization up to attacks” (Anderson, 2013), it becomes readily apparent that protecting an organization’s invaluable collection of data requires a true commitment to cooperation and collaboration. In order to ensure that all aspects of an organizational structure, from the temporary employees tapping away in their cubicles to the senior managers tasked with guiding corporate strategies, are unified by a shared sense of responsibility within the realm of information security, a comprehensive Information Security Policy Document should be instituted immediately and updated regularly.
While the broader conceptual goals of information security practices are indeed quite informative, I constantly found myself reviewing the proverbial nuts and bolts of the industry, including the rigorous access control methods used to regulate and restrict the unending flow of data within an organizational structure. Simple log-on screens and personalized passwords, user access and privilege management, authentication requirements for external connections, and even the construction of complex cryptographic algorithms are among the most widely applied access control methods, and my time in ISSC680 has left me with a far greater understanding of these tools than I previously possessed. The observation made by the authors of Information Security Fundamentals that “over the years, the computer security group responsible for access control and disaster recovery planning has evolved into the enterprisewide information protection group” (Peltier, Peltier & Blackley, 2005) was especially intriguing to me, because this trend suggests that merely erecting secure access control methods does not fully fulfill the duties of a modern information security professional. While it is within my ability to develop and implement a full spectrum of access control methods which would reduce the risk of…