Importance of strategic planning to an organization


Assignment:

Discussion

A. Justify the importance of strategic planning to an organization's information security.

Strategic security planning is critical to any organization. It typically starts with the CISO. The CISO should be strategically placed within the organization to ensure proper visibility of security issues and to manage risk in a way that aligns with business objectives.

A strategic plan is a document used to communicate the organization's goals, the tasks that must be completed to achieve those goals, and any other items identified in the assessment.

B. Identify and describe the topics to be included in strategic planning for information security.

The topics that should be included in a strategic security plan are below.

• Defining consistent and integrated methodologies for design, development and implementation;

• Detecting and resolving problems;

• Reducing time to delivery from solution concept through implementation;

• Provisioning flexible and adaptable architectures;

• Proactively making decisions to more efficiently deliver results;

• Eliminating redundancy to better support achievement of objectives;

• Planning and managing human resources, relying on external expertise when required to augment internal staff;

• Evolving into an organization where security is integrated as seamlessly as possible with applications, data, processes and workflows into a unified environment.

C. Specifically describe the security threats associated with virtualization.

To better answer this question, let me first define the 2 virtualization types.

• Type 1 virtual environments are considered "full virtualization" environments and have VMs running on a hypervisor that interacts with the hardware. Examples are VMware ESXi, Citrix/Xen Server and Microsoft Hyper-V.

• Type 2 virtual environments are also considered "full virtualization" but work with a host OS instead of a hypervisor. With this type of hypervisor, the guest OS is installed on top of an underlying OS such as Windows 10, Linux, etc.

The threats associated with virtualization can differ depending on the type of hypervisor used. Some examples are: shared clipboard, keystroke logging, VM monitoring from the host, VM monitoring from another VM, and VM backdoors.

D. Explain how strategic planning can help to mitigate the security threats associated with virtualization.

A good strategic security plan can have a tremendous impact on the organization's security posture. It defines the areas needing to be secured and the tools/processes required to secure them. For example, is the organization using a Next Gen firewall to protect itself from the internet, or is it still using an old packet-filtering firewall?

