Security Management

Security management is the core of a company’s business and information security structure.
Security management includes risk management, information security policies, procedures,
standards, guidelines, baselines, information classification, security organization,
and security education. These core components serve as the foundation of a corporation’s
security program. The objective of security, and of a security program, is to
protect the company and its assets. A risk analysis identifies these assets, discovers the
threats that put them at risk, and estimates the possible damage and potential loss a
company could endure if any of these threats materializes. The results of the risk
analysis help management construct a budget with the necessary funds to protect the
recognized assets from their identified threats and develop applicable security policies
that provide direction for security activities. Security education takes this information
to each and every employee within the company so everyone is properly informed and
can more easily work toward the same security goals.
A security program should use a top-down approach, meaning that the initiation,
support, and direction come from top management, work their way through middle
management, and then reach staff members. In contrast, a bottom-up approach refers to
a situation in which the IT department tries to develop a security program without getting
proper management support and direction. A bottom-up approach is usually less
effective, too narrow in scope, and likely to fail. A top-down approach ensures that the
people ultimately responsible for protecting the company’s assets (senior management)
are the ones driving the program.
